TC failed the Ping Reply

Posted by Calistoga (OP; joined Oct 4, 2008, 94 messages, location USA; Mac: Intel iMac, 2.4 GHz, C2D, 4 GB RAM, OS X 10.6.4):
I went over to security expert Steve Gibson's GRC website and ran ShieldsUP! All of my ports are Stealth. However, I did fail the Ping Reply. I am using a Time Capsule router with a 500 GB hard drive. I believe it is the first generation. I am also using an Apple AirPort Extreme in bridge mode. TC is the primary router. I did a firmware upgrade about two years ago.

From GRC:
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

[Attached image: GRC.jpg]

Reply from member joined Feb 26, 2010 (2,116 messages, location Rocky Mountain High, Colorado; Mac: 1.8 GHz i7 MBA 11" OSX 10.8.2):
Do you have Enable NAT Port Mapping Protocol checked? Do you have anything set up in default host? I believe either of these allows the ping to go through to your computer and have it reply.

From the help pages

Setting NAT options for your base station or Time Capsule
To set up Network Address Translation (NAT) options for your AirPort wireless device, open the device’s configuration, click Internet, and make sure the device is set up to share a public IP address in the Connection Sharing pop-up menu, and then click NAT.

NAT options include:

Enable default host: A default host is a computer on your network that is exposed to the Internet and receives all inbound traffic. A default host may be useful if you use a computer on your AirPort network to play network games, or want to route all Internet traffic through a single computer.

Enable NAT Port Mapping Protocol: NAT Port Mapping Protocol (NAT-PMP) is an Internet Engineering Task Force Internet Draft, an alternative to the more common Universal Plug and Play (UPnP) protocol implemented in many NAT routers. NAT-PMP allows a computer in a private network (behind a NAT router) to automatically configure the router to allow clients outside the private network to contact this computer.

Included in the protocol is a method for retrieving the public IP address of a NAT gateway, allowing a client to make this public IP address and port number known to peers that may wish to communicate with it. This protocol is implemented in current Apple products, including Mac OS X 10.4 Tiger, AirPort Extreme and AirPort Express networking products, Time Capsule, and Bonjour for Windows.

To set NAT options, your base station or Time Capsule must be set up to share its Internet connection using DHCP and NAT.
Reply from Calistoga (OP; joined Oct 4, 2008, 94 messages, location USA; Mac: Intel iMac, 2.4 GHz, C2D, 4 GB RAM, OS X 10.6.4):
Thanks for the reply. At the present time I am not able to get to my Intel iMac. I do know that Universal Plug and Play is a security hazard. I will need to make sure that UPnP is turned off. There is no need for any of my computers on my network to be a default host. Geez, networking is not my forte. I did turn on the built-in Snow Leopard firewall, but that did not change the result. All my ports are Stealth. My ISP says the problem is on my end. However, they fail the "Ping" when it comes to the DNS Spoofability Test.

You really need to get your "nerd on" for this one.
Reply from DaFlake (joined Jun 2, 2008, 707 messages):
This has nothing to do with a computer on your network replying. What has happened is that their web site pinged your router and it responded. This means that if someone was sweeping the network looking for active nodes, yours will say "here I am". I looked on my TC and I don't see a way to disable ICMP.

I wouldn't worry about it too much. Even if someone gets a response, they still have to get through the firewall and if all your ports are blocked then you are pretty secure. Steve has always liked to make people feel like their stuff is insecure. He is smart, but way over the top.
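An added illustration, not part of any post in this thread: the GRC probe is an ICMP Echo Request (type 8), and the "FAILED" result is nothing more than an ICMP Echo Reply (type 0) carrying the same identifier, sequence number and payload back. The Python below builds a constructed probe, shows the reply a responding router produces (versus the silence of a firewall that drops echo requests), and validates the RFC 1071 checksum; the identifier and payload are constructed values.

```python
import struct
from typing import Optional

ICMP_ECHO_REQUEST = 8  # what the GRC server sends
ICMP_ECHO_REPLY = 0    # what a responding router sends back


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd trailing byte with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Header is type, code 0, checksum, identifier, sequence; payload follows."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Decode the header; a message with a good checksum re-sums to 0."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": pkt[8:], "checksum_ok": icmp_checksum(pkt) == 0}


def reply_to(request: bytes) -> Optional[bytes]:
    """Behaviour of a router that answers pings (the Time Capsule in this thread):
    a valid Echo Request gets an Echo Reply with id, seq and payload copied back."""
    req = parse_icmp(request)
    if not req["checksum_ok"] or req["type"] != ICMP_ECHO_REQUEST:
        return None
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def shieldsup_verdict(reply: Optional[bytes]) -> str:
    """GRC's rule as quoted in the first post: any Echo Reply means FAILED, no datagram means PASSED."""
    if reply is None:
        return "PASSED"
    return "FAILED" if parse_icmp(reply)["type"] == ICMP_ECHO_REPLY else "PASSED"


if __name__ == "__main__":
    probe = build_echo(ICMP_ECHO_REQUEST, 0x4242, 1, b"constructed probe")
    print("responding router:", shieldsup_verdict(reply_to(probe)))  # FAILED
    print("dropping firewall:", shieldsup_verdict(None))             # PASSED
```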
Reply from member joined Feb 26, 2010 (2,116 messages, location Rocky Mountain High, Colorado; Mac: 1.8 GHz i7 MBA 11" OSX 10.8.2):
> This has nothing to do with a computer on your network replying. What has happened is that their web site pinged your router and it responded. This means that if someone was sweeping the network looking for active nodes, yours will say "here I am". I looked on my TC and I don't see a way to disable ICMP.
>
> I wouldn't worry about it too much. Even if someone gets a response, they still have to get through the firewall and if all your ports are blocked then you are pretty secure. Steve has always liked to make people feel like their stuff is insecure. He is smart, but way over the top.

That is not necessarily true. If you have port forwarding on or a machine in the DMZ then it isn't your router - it is that computer responding. I just tested it on my network. My Linux server responds to a dynamic DNS ping as I have the ssh port forwarded. My router is set not to respond to a ping. So the router isn't responding to the ping - a port-forwarded computer is responding. That is why I asked the question on what is set on NAT and port forwarding. It is also why I caution against port forwarding unless you fully understand the ramifications.
Reply from DaFlake (joined Jun 2, 2008, 707 messages):
If and only if the ping is assigned to that port will that happen and even then, it is still the router that is responding in lieu of the computer, that is how NAT functions. Your computer responds but that ping hits the router and the router responds for your computer, even with port forwarding. Either way, it is ICMP that is the culprit here... If you had port forwarding on and ICMP disabled a ping should still get no response. If it does, there is something wrong with your router.

DMZ is a little different and there isn't one on an Airport Extreme TC that I can find.
Reply from Calistoga (OP; joined Oct 4, 2008, 94 messages, location USA; Mac: Intel iMac, 2.4 GHz, C2D, 4 GB RAM, OS X 10.6.4):
Sorry for my late reply. It looks to me that Port Mapping Protocol is not checked. I would have no reason to turn on port forwarding. I have looked, but I can't find where to enable or turn off Universal Plug and Play. I would think it would be turned off by default. I am not playing any games, I don't have an Xbox, Sony PlayStation, etc. If you tell me where to look, I will try to find Universal Plug and Play. Otherwise, this is a bit of a puzzlement.

[Attached image: Screenshot2010-12-12at45609PM.png]

Reply from DaFlake (joined Jun 2, 2008, 707 messages):
As I said, the reason for your failing is that there is no way to disable ICMP on an Airport Extreme and TC. So, you are not ever going to be able to "pass" it. Also, just because your router doesn't respond does not mean that it is invisible. Basically, don't waste your time trying to pass it.
Reply from member joined Feb 26, 2010 (2,116 messages, location Rocky Mountain High, Colorado; Mac: 1.8 GHz i7 MBA 11" OSX 10.8.2):
DMZ is available in AirPort Utility under Internet -> NAT -> "Enable Default host at" - if you put an IP address there then you have a machine in the DMZ.

ICMP is doing the pinging but that isn't my point - the point is even a router that looks like it shouldn't respond will respond to an ICMP ping if you have port forwarding on or if a machine is on the DMZ and you don't have it fully configured to be invisible. I don't use the TC as a router - so I cannot speak for it but on my Netgear router there is a specific checkbox that says respond to ICMP ping - that is unchecked. Once I add a port forward config and have DynDNS configured - something on my network responds to an ICMP ping.

All I was suggesting was - to check if either port forwarding or DMZ was enabled as those will respond to a ping. The answer was no - so I am with you, TC probably responds to ICMP ping and I didn't see a specific checkbox to turn that off under TC.

I also agree with you - there are more ways to find a computer other than ping and responding to a ping isn't that big a deal.
Reply from Calistoga (OP; joined Oct 4, 2008, 94 messages, location USA; Mac: Intel iMac, 2.4 GHz, C2D, 4 GB RAM, OS X 10.6.4):
Thanks guys! I still have one more idea up my sleeve. However, it will be with a Windows machine on my network. I will post my results/findings if it works.
Reply from DaFlake (joined Jun 2, 2008, 707 messages):
> DMZ is available in AirPort Utility under Internet -> NAT -> "Enable Default host at" - if you put an IP address there then you have a machine in the DMZ.
>
> ICMP is doing the pinging but that isn't my point - the point is even a router that looks like it shouldn't respond will respond to an ICMP ping if you have port forwarding on or if a machine is on the DMZ and you don't have it fully configured to be invisible. I don't use the TC as a router - so I cannot speak for it but on my Netgear router there is a specific checkbox that says respond to ICMP ping - that is unchecked. Once I add a port forward config and have DynDNS configured - something on my network responds to an ICMP ping.
>
> All I was suggesting was - to check if either port forwarding or DMZ was enabled as those will respond to a ping. The answer was no - so I am with you, TC probably responds to ICMP ping and I didn't see a specific checkbox to turn that off under TC.
>
> I also agree with you - there are more ways to find a computer other than ping and responding to a ping isn't that big a deal.

Interesting on the DMZ, I didn't know that, thanks! Apple has a habit of not calling things what they are..... :|

I understand and I think that we are thinking the same way but if you have ICMP disabled on your router it really shouldn't respond, even with port forwarding. On the GRC test, an open port would have shown up in the grid. What can you say, they are small home routers with basic firewalls, not industrial-strength stuff. It is possible that Netgear enables port forwarding automatically when you have port forwarding enabled; perhaps to ensure the service can actually communicate across it.

Either way, I think that we covered the OPs question. ;)
Reply from Calistoga (OP; joined Oct 4, 2008, 94 messages, location USA; Mac: Intel iMac, 2.4 GHz, C2D, 4 GB RAM, OS X 10.6.4):
> Either way, I think that we covered the OPs question. ;)
Yeah, you guys are pretty geeky (I mean that in the nicest way).

Good stuff.
Reply from member joined Feb 26, 2010 (2,116 messages, location Rocky Mountain High, Colorado; Mac: 1.8 GHz i7 MBA 11" OSX 10.8.2):
I think we are all in agreement too.

DaFlake - you are right, I do have a big red blotch when I run the test because my ssh server responds. I deleted that port forward and it still responded to ping but no red on the ports. So it leads me to believe that it is another setting on my router. It may be a requirement of DynDNS as that is set up too. I don't want to turn that off as that is a little touchy. All that being said - if my setting says do not respond to ICMP ping I expect that to be true, or a warning that turning on some service (like DynDNS) will enable it. Again this is a Netgear router so that info does not apply to the OP's problem, just an observation.

Anyway just because it responds to a ping and ssh port is open - it does not mean I have a security issue. I know what I am doing and there is a bunch of stuff I did to lock down ssh. That being said - I do see attempts every day to try to brute force ssh. Same story I guess - don't worry too hard about the ping failure - but whatever happens with the Windows machine please report back.
Reply from Slydude (well-known member, staff member, moderator; joined Nov 15, 2009, 17,609 messages, location North Louisiana, USA; Mac: M1 MacMini 16 GB - Ventura, iPhone 14 Pro Max, 2015 iMac 16 GB Monterey):
When the TC was my primary router I failed the same test. AFAIK I don't have port forwarding or any of the things that normally respond to pings running.

I solved the problem by putting the TC behind another router and letting it handle routing functions. I was going to do that anyway since the TC was only being used as a router until I replaced my original router, which had failed. With both a router and TC I can assign all my 802.11n devices to one network segment and the rest to a different segment.