This is a discussion on Security options? within the Sky Router forums, part of the Sky Broadband help category.
- 31-08-06, 03:37 PM #1
Please don't disable ping! Without this, MTU autodiscovery can't work and you're going to suffer from bad speeds on many routes. It's enabled for a reason -- there is utterly no reason to shut it off.
- 31-08-06, 04:46 PM #2
Do you have any links to back up this claim?
Taken from the Netgear router page itself:
Respond To Ping On Internet Port
If you want the DG834GT to respond to a 'Ping' from the Internet, click this check box. This can be used as a diagnostic tool. This can be a security problem. You shouldn't check this box unless you have a specific reason to do so.
- 31-08-06, 07:07 PM #3
Well, Netgear's wrong insomuch as it's a security problem, because it isn't. http://en.wikipedia.org/wiki/Maximum_transmission_unit says "RFC 1191 describes "Path MTU discovery", a technique for determining the path MTU between two IP hosts with a view to avoiding IP fragmentation. Path MTU discovery works by setting the DF (Don't Fragment) option in the IP headers of outgoing packets—any device along the path whose MTU is smaller than the packet will drop it, and send back an ICMP "Destination Unreachable (Datagram Too Big)" message containing its MTU, allowing the source host to reduce its assumed path MTU appropriately. The process repeats until the MTU is small enough to traverse the entire path without fragmentation."
If you are blocking ICMP (which will be what it's doing when you block pings) then you've got no chance of getting the message to turn your MTU size down.
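As an added illustration that is not part of any post in this thread: ping is ICMP type 8 (Echo Request), while the "Datagram Too Big" message quoted above is ICMP type 3, code 4, carrying the next-hop MTU in bytes 6-7 (RFC 1191). The sketch below uses a hypothetical `wan_filter` function and constructed sample messages to show a filter that ignores pings but still passes the Path MTU discovery message, next to a blanket ICMP block that loses it.

```python
import struct

ECHO_REQUEST, DEST_UNREACH, FRAG_NEEDED = 8, 3, 4  # ICMP type 8; type 3 with code 4


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); a message with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message: type, code, checksum, 4 'rest' bytes, payload."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def wan_filter(msg: bytes, respond_to_ping: bool = False, block_all_icmp: bool = False):
    """Hypothetical WAN-side policy: return (verdict, next_hop_mtu or None)."""
    if len(msg) < 8 or checksum(msg) != 0:
        return ("drop-malformed", None)
    if block_all_icmp:
        return ("drop", None)  # the sender never learns the smaller path MTU
    icmp_type, code = msg[0], msg[1]
    if icmp_type == ECHO_REQUEST:
        return ("reply" if respond_to_ping else "drop", None)
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        # RFC 1191 layout: bytes 4-5 unused, bytes 6-7 next-hop MTU
        return ("pass-to-sender", struct.unpack("!H", msg[6:8])[0])
    return ("other", None)  # remaining ICMP types are outside this sketch


# Constructed samples: a ping, and a "Datagram Too Big" advertising MTU 1458.
# The 28 zero bytes stand in for the quoted IP header + 8 bytes of the original datagram.
PING = build(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"constructed")
TOO_BIG = build(DEST_UNREACH, FRAG_NEEDED, struct.pack("!HH", 0, 1458), bytes(28))

if __name__ == "__main__":
    print("ping, ping disabled:     ", wan_filter(PING))
    print("too-big, ping disabled:  ", wan_filter(TOO_BIG))
    print("too-big, all ICMP blocked:", wan_filter(TOO_BIG, block_all_icmp=True))
```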
- 31-08-06, 08:48 PM #4
OK thanks, I'll investigate. The default MTU sent by this router is 1500 and can be easily changed; I suggest a value of 1458. There are plenty of routers out there with the ping option deselected by default.
Also, if you read a bit further down the Wikipedia page you'll see why it's a security issue.
- 31-08-06, 08:54 PM #5
moved till we can find out for definite
- 01-09-06, 02:14 AM #6
- 01-09-06, 09:15 AM #7
It will be quite rare/infrequent when you have serious MTU related problems when routers on the internet will not accept the default 1500 size MTU. When this happens you will know that there is a problem as you will have problems accessing the site/service.
At that point you can try and enable the ping option and see if that fixes your problem or set a lower default MTU, 1410 maybe?
There is some info on MTU problems with the BT network back in 2003 which I believe has been sorted now:
PS In case you're wondering how I came to the conclusion in the first paragraph, I asked a CCNA/MCSE expert at my workplace. Whether he is right or wrong I'll let you decide.
Also, when a PC is pinged by a hacker to see if it responds, chances are he'll think there may be more weak spots and scan further. However, the chance of finding you in the first place is like looking for a needle in a haystack; however, it's still a risk.
- 01-09-06, 06:46 PM #8
Oh well, I give up. ICMP is there for a reason and blocking it is stupid. Even if you disable ping the chances are that anyone with nmap will still be able to find even more important services on you. I have never heard of a hacker using ping when they can issue a proper nmap tcp scan and sort it out.
So what you're basically saying is that to save yourself an absolutely inconsequential security risk you should get rid of a good feature which will avoid headaches in the future.
- 01-09-06, 06:58 PM #9
It would be good if other people put their input on this.
I have had this option disabled on my previous router for 3 years and never noticed any problems.
But people can read what you have said and can decide if they want to turn that option off or not.
- 01-09-06, 09:01 PM #10