Ping reply failed/Security concern

antares · 27 Jul 2023

Yes, that's probably it, I remember in this country I used to rent in another building and it was exactly the same: no local firewall in each apartment, and an external router that controlled the whole building. Seems to be the way the ISP works here. Too bad.

Malneb · 27 Jul 2023

Here is someone describing cgnat with no firewall.
Reddit - Dive into anything

- - - Updated - - -

Sorry i forget this is a factor now its fairly a new thing and i always forget about it because its lackluster for these very reason and i have always had a dedicated line.

antares · 27 Jul 2023

Malneb said:

Here is someone describing cgnat with no firewall.
Reddit - Dive into anything

- - - Updated - - -
.

Thanks

User2468 · 27 Jul 2023

Try3 said:

Yes but a ping response by the router will provide the hacker with a useful stepping stone.

I thought you were moving somewhere else with a decent network.

Denis

There are lot of ways....

User2468 · 27 Jul 2023

Malneb said:

Again becasue its layer 3. Host IP is still grounds when talking about layer 3 so it does not matter if its lan or public but the test is not inside the lan. To send ICMP like OP was initially thinking it would need access lan side unless its going to do some hacking. You can ping any computer on your network of course but can you explain to me how exactly they would ping a computer inside an internal lan from the outside?

I never said that you cannot ICMP or ping another computer on your network because you can again layer 3 and host ip data type. For starters the computer from outside the network would need to know the devices local IP which it won't know unless it is hacking with 256 possible outcome.

I don't know the full extent of it because i don't do this sort of stuff on that sort of level but i know that its not as simple as just sending some ICMP packets to someones router and then the endpoint/s are going to receive that just because, because it won't, if this was the case the the test would of came back as PASS becasue they blocked it locally.

I think there's something lost in translation here. 404 message not sent...

antares · 28 Jul 2023

F22 Simpilot said:

There are lot of ways....

Could you elaborate? I mean, what level of difficulty does it have to sneak into a secure Windows system (all updates installed, firewall properly configured, etc etc) without the end user opening any phishing/scam/malware file?

Malneb · 29 Jul 2023

Ping reply failed/Security concern-untitled122.png

No i am not confused ICMP is a host ip data type which means it needs to know the host IP to send its information to in this case it is sending to the router.

it is a connection less IP packet which mean that it does not need permission to send data which is the whole point people want to block ICMP because it is a vulnerable type combined with that it can be used to send payloads and spoof stuff and hacking. Connection less also means that the firewall has no bearing because it does not need to connect first before sending.
I keep asking about the firewall previously though because usually the ICMP related stuff will be close to this area of the router like in the same tab or subsequent tabs around it.

None of this means that it is going to get to the Pink local hosts just because, because again host data type so it needs to send to its known source first which is the public facing router. The exploits start there so yes it is good to block ICMP on the router but its not a magic wand that is going to start causing havoc just because.
The person would need to intentionally be looking to hack that host.

- - - Updated - - -

Seeing as its layer 3 then network address and host address are also in play.

- - - Updated - - -

Yes computer A can ping computer B or any which configuration including pining the router because they are all relative to each other and again host IP we are starting to talk about network address space like subnets here so the computer from the outside would need to know all this information to make it to the pink hosts its not automatically just going to send the ICMP packet to any pink endpoint by default because it can't.

antares · 30 Jul 2023

Thanks Malneb, nice chart!