Sonic.net

Hello all,

I set up the Pace4111N for the new fusion connection here at the house and I am having trouble finding a security feature on the router.

When I run 'Shields Up' at GRC.com all the ports are invisible to outside probing which is what I want but the router is still susceptible to ping. Here is what 'Shields Up' says after I run the test:

"Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation."

I drilled down through all the menus on the router but couldn't find where to set the router not to respond to ping. Does anyone know where I can find that feature in the firmware?

Thanks,
Steve

Replying to pings is a good thing. Actively locating a system before attempting to compromise it is terribly old-fashioned.

Thank you for your response John.

I'm afraid I don't understand John's response to the original question. Why is responding to pings a good thing (or, conversely, why is not responding to them a bad thing)? And how can an attacker compromise a system that s/he can't locate? And how can an attacker locate a system that doesn't respond to pings and doesn't expose any ports?

I admit to being behind the times. But I have relied on Gibson's approach to security for home networks for many years, with good results. I don't feel like changing now.

Hiding ping makes certain diagnostics harder, at very very minimal benefit in terms of hiding your computers. Anyone still scanning for an attack using ICMP ping is probably not good enough to get in anyway.

Relax about it.
Shields up makes itself seem more important by pointing out minor things as major problems.

Now if ports 137, 138 or 139 are open, that's something to get excited about.

Okay, but I would understand this better if you could point me to a layperson's explanation of how attackers find their prey these days. And what is the current best practice for preventing attacks that do not rely on open ports.

There's no need to do an ICMP ping before just trying to connect to the port you have an exploit for. Sending a SYN instead of an ICMP gives you just as much information.

Okay, that's helpful. Can (some/most/all) routers be configured to ignore unsolicited SYN requests? Or does that also interfere with diagnostics? Or is ignoring SYN requests what it means for a port to be "closed" in the first place?

Thanks for your help.

closed usually means a SYN request gets a RST reply. nmap calls a port that's dropping SYNs; I've also seen this referred to as stealth. (although if it's a remote host and all of the ports are filtered and icmp is dropped or skipped, it's not distinguishable from a dead host; if it's on the local network, you may get an ARP response to tell it's alive but ignoring the world).

I think it's ok to filter all the ports you don't care about (I certainly do), I would imagine most routers can be configured that way too.

It is more important to make sure the ports are closed rather than cloaked.
Your computer can and will be found: I see it often within seconds of firing up a new box.
Hackers will go directly to known ports at random IP addresses.
You can't cloak anything. Put your effort somewhere productive instead.