Getting Linux to ignore pings

Ping commands are very useful, but would-be attackers often use them to identify systems. To prevent that, we show you how to get your system to ignore these requests.

The ping command sends one or more requests to a system asking for a response. It's typically used to check that a system is up and running, verify an IP address, or prove that the sending system can reach the remote one (i.e., verify the route).

The ping command is also one that network intruders often use as a first step in identifying systems on a network that they might next want to attack. In this post, we're going to take a quick look at how ping works and then examine options for configuring systems to ignore these requests.

How ping works

The name "ping" came about because the ping command works in a way that is similar to sonar echo-location, which used sound propagation for navigation. The sound pulses were called "pings." The ping command on Unix and other systems sends an ICMP ECHO_REQUEST to a specified computer, which is then expected to send an ECHO_REPLY. The requests and replies are very small packets.

On many systems, the default is to send four such packets and display the result of each request and each reply with a summary at the end. Others continue sending pings until the person issuing the command enters control-C to stop the process.

$ ping 192.168.0.22
PING 192.168.0.22 (192.168.0.22) 56(84) bytes of data.
64 bytes from 192.168.0.22: icmp_seq=2 ttl=128 time=2.52 ms
64 bytes from 192.168.0.22: icmp_seq=3 ttl=128 time=1.89 ms
64 bytes from 192.168.0.22: icmp_seq=4 ttl=128 time=2.58 ms
64 bytes from 192.168.0.22: icmp_seq=5 ttl=128 time=2.42 ms
64 bytes from 192.168.0.22: icmp_seq=6 ttl=128 time=9.29 ms
64 bytes from 192.168.0.22: icmp_seq=7 ttl=128 time=3.07 ms
64 bytes from 192.168.0.22: icmp_seq=8 ttl=128 time=1.88 ms
64 bytes from 192.168.0.22: icmp_seq=9 ttl=128 time=5.34 ms
^C
--- 192.168.0.22 ping statistics ---
9 packets transmitted, 8 received, 11% packet loss, time 8018ms
rtt min/avg/max/mdev = 1.884/3.628/9.295/2.376 ms

The ping command also provides some insight into how well the network is performing. In the example above, you can see that 11 percent of the requests (one of the nine sent) failed to receive a response. The timing statistics also give an indication of the route's speed and quality.

You can also specify the number of packets you want the ping command to send using the -c option.

$ ping -c 1 192.168.0.22
PING 192.168.0.22 (192.168.0.22) 56(84) bytes of data.
64 bytes from 192.168.0.22: icmp_seq=1 ttl=128 time=3.83 ms

--- 192.168.0.22 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.834/3.834/3.834/0.000 ms

Ignoring ping requests

To get a system to ignore ping requests, you could make use of sysctl — a tool for examining and changing kernel parameters at run time. This command changes the default value for the kernel setting that controls whether systems respond to pings:

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1

A person sending ping requests would then see something like this:

ping 192.168.0.23

Pinging 192.168.0.23 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.23:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

This setting can be put back to its original value using the same command, but with 0 instead of 1.

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_all=0
net.ipv4.icmp_echo_ignore_all = 0

You can also make the same change this way:

$ echo 1 | sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all

It's important to note that this change (using either of the two commands shown) affects the system immediately, but it doesn't survive a reboot. To make the change persistent, add these lines to your /etc/sysctl.conf file:

# ignore ping requests
net.ipv4.icmp_echo_ignore_all = 1

And then run this command so that the change takes effect without rebooting:

$ sudo sysctl -p

Verify that the changes take effect when your system reboots, or you may have to run the sysctl -p command after booting the system or as part of the booting process.
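
The verification step above, as an added example that is not part of the original article: a script that compares the running value with what the sysctl configuration files will apply at boot. The function names are this example's own, it assumes only /etc/sysctl.d/*.conf and /etc/sysctl.conf are consulted, and it goes beyond the article by also reporting net.ipv6.icmp.echo_ignore_all, because the IPv4 setting has no effect on IPv6 echo requests.

```shell
#!/bin/sh
# Added example (not from the article): does the running ping setting match
# what the sysctl configuration files will apply at the next boot?

# persisted_value KEY FILE...: print the last value assigned to KEY in
# sysctl.conf-style files (later assignments win); print nothing if unset.
persisted_value() {
    key=$1; shift
    [ $# -eq 0 ] && return 0
    awk -v key="$key" '
        /^[ \t]*[#;]/ { next }              # comment lines
        {
            line = $0
            sub(/^[ \t]*-?/, "", line)       # a leading "-" only mutes errors
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub("/", ".", k)                # net/ipv4/... is also accepted
            if (k == key) last = v
        }
        END { if (last != "") print last }' "$@"
}

# ping_state RUNTIME PERSISTED: classify the combination of the two values.
ping_state() {
    if [ "$1" = 1 ] && [ "$2" = 1 ]; then echo "ignored-persistent"
    elif [ "$1" = 1 ]; then echo "ignored-until-reboot"
    elif [ "$2" = 1 ]; then echo "answering-until-reload"
    else echo "answering"
    fi
}

# report KEY: compare /proc/sys with the config files on this host.
# Assumption: only /etc/sysctl.d/*.conf and /etc/sysctl.conf are consulted.
report() {
    key=$1
    runtime=$(cat "/proc/sys/$(echo "$key" | tr . /)" 2>/dev/null || true)
    set --
    for f in /etc/sysctl.d/*.conf /etc/sysctl.conf; do
        if [ -r "$f" ]; then set -- "$@" "$f"; fi
    done
    persisted=$(persisted_value "$key" "$@")
    echo "$key runtime=${runtime:-unknown} persisted=${persisted:-unset}" \
         "state=$(ping_state "$runtime" "$persisted")"
}

report net.ipv4.icmp_echo_ignore_all
report net.ipv6.icmp.echo_ignore_all   # not covered by the article
```

A state of ignored-until-reboot means the sysctl -w or /proc change was made without the /etc/sysctl.conf entry; answering-until-reload means the file was edited but sysctl -p has not been run.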

Suppressing pings using iptables

If you use iptables to control connections on your system, a firewall command like this should block ping requests.

# iptables -I INPUT -p icmp --icmp-type 8 -j DROP

If you use iptables, it's a good idea to also install iptables-persistent so that your iptables rules are saved and restored across reboots. You can do that with this command:

$ sudo apt-get install iptables-persistent

When you make changes to the rules, run the following commands so they survive system reboots.

$ sudo netfilter-persistent save
$ sudo netfilter-persistent reload

Cautions against ignoring ping requests

While giving your Linux systems a more stealthy posture may help make them less accessible to hackers, there are some reasons why you might not want to do this. The ping command might be used by network administration services and for network troubleshooting. Fortunately, it's easy to turn ping responses back on should you need to, whether you use the sysctl setting or the firewall rules.
