Best way to allow ICMP and be safe doing so

durango1 · 24 Jun 2015

Hi, I was told awhile back that its best to turn off ICMP on the modem/router because it is a huge safety issue and so it has been that way for a long time now.

But sometimes i play games like BF4 (battlefield 4) and they send a ICMP request to show ping. Since i have ICMP blocked it shows "-" for my ping. And i get called a hacker or other names because they think im trying to hide something, which i am not.

So i went into my modem just now and i allowed ICMP on both traffic in and traffic out and now the ping works.

However now i am worred about security. What is the best way to do this to satisfy both needs?

thanks :)

UPDATE: did some googling and i guess the good news is that the modem/router appears to only allow 8 ICMP, 0 ICMP, 11/0 ICMP, 11/1 ICMP, 30 ICMP

0 - Echo Reply (ping response)
8 - Echo Request (ping request)
11 - Time Exceeded

I dont know what 30 is... i guess its traceroute

so is that better and safer to leave it on?

1PW · 24 Jun 2015

One of the major cornerstones of personal computer security is Attack Surface Reduction.

When an attacker's ping receives a reply, a live potential target has been revealed. Forget the blatherings of the ignorant and let your common sense prevail.

Cheers :)

Alejandro85 · 28 Jun 2015

Nowadays having ping enabled is not that huge security risk as it was one day. The security function it fulfills is making it a little harder for an attacker to know that an host is at that address, but that can be known by other means. For home use, the normal presence of a NAT router in front of the network plus the fact that there is rarely anything listening makes an attack unlikely.

It's all about a tradeoff, security vs convenience. I don't find it to be great risk to be enabled, but there are reasons to worry.
Have a look here for a better explanation of the implication of each option: network - Security risk of PING? - Information Security Stack Exchange