Enable ICMP (ECHO) PING on WAN

2020-06-11 22:08:27 - last edited 2020-06-12 14:53:49
Model: Deco M5
Hardware Version: V2
Firmware Version: 1.4.4 Build 20200221 Rel. 65392

There seems to have been discussion of a need to hide the device by blocking ping (remove ICMP echo-reply response) in various threads over the last year, and in a recent version of the firmware the device appears to default deny on all inbound ICMP responses.

 

I am speaking as a credentialed Certified Information Systems Security Professional (CISSP) and I am not aware of security research or best practices which indicates blocking WAN Ping on routers.

 

While I understand denying ICMP means network scanners have to work a little bit harder to find "active" devices, blackholing ICMP is a practice typically recommended for network hosts (not routers).

 

Denying ICMP actually results in breaking security functionality in some important ways:

 

Security Availability Vulnerability (fundamental security concept):

- In the case of port forwarding, denying ICMP breaks PMTU scans from clients outside the local network damaging window scaling and ultimately breaking network connectivity when an MTU of 1500 is not compatible with the local loop.

 

Network Access Control Vulnerability (security control category):

- In the case of an enterprise network administrator, the fact the device does not respond to pings makes it more difficult for a cyber asset inventory scan to determine whether there may be a rogue device on the network.

 

Security Availability Vulnerability (fundamental security concept):

- Blocking ping makes it difficult for a WAN-side DHCP host to perform IP deconflict checks.

 

What is the value of this feature?

 

ICMP processing stacks (whether commercial or open source) have been stable and basically unbreakable (from a security standpoint) for decades. Malformed packets sometimes root routers, but as Cisco will tell you, a firewall rule never protected the L3 stack from breakage.

 

The only possible justification I can think of is a user has placed a totally insecure protocol on a random port (of which there are only 30-60k available -- so not very random) -- and is hoping the fact their device doesn't respond to ICMP will somehow make up for the fact RDP is regularly rooted, free VNC software is the security equivalent of a speed bump, and the webserver on their multi-function NAS is riddled with known vulnerabilities.

 

My case? I'd simply like to place a network monitor (outside) on the internet on my Deco so I can monitor availability (a security concept). It appears my only option is to forward a port inside breaking the security perimeter so I can do a TCP PING?

 

Someone please tell me there's a hidden configuration option to enable ping?

 

PS: Apparently port 22 is running an SSH server and the firmware has a hardcoded root password (yes! root login enabled!) that can provide access to the ash shell. Default remote login passwords would be a "Critical" CVSS score I believe.

1
1
#1
Options
6 Replies
Re:Enable ICMP (ECHO) PING on WAN
2020-06-12 15:57:38

@mfisch 

 

The Deco system is mainly aimed at being a system that is simple to use. On the other end of the spectrum, you do not have those features that a typical router has that one would expect. For example, you can only manage the system on a smartphone. 

 

I can certainly forward that feature request to respond to ICMP ping.

 

With respect to the SSH port that is for the Deco devices and Deco app to communicate only. Should you be aware of or find any vulnerability please reach out to our security team here: https://www.tp-link.com/us/press/security-advisory/

0
0
#2
Options
Re:Enable ICMP (ECHO) PING on WAN
2020-06-12 20:15:26 - last edited 2020-06-12 20:16:46

Thanks Tony, do put in that request.

 

User requests enabling WAN ping advising there are several good security and usability reasons (see community topic https://community.tp-link.com/us/home/forum/topic/211916 ).

 

WAN ping can be enabled via config global settings:

 

/etc/config/basic_security
  Line 1: config global 'settings'
  Line 3: option wan_ping 'off'

 

The LuCI web interface and Deco app do not give the user a toggle for this useful setting that already exists in the firmware.

1
1
#3
Options
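The fragment quoted in the post above is in OpenWrt's UCI format. The following is an added example (not part of the post or of TP-Link's firmware) that parses such a fragment and reports the wan_ping state as a configuration audit check; it assumes standard UCI syntax and uses a constructed sample, since only lines 1 and 3 of the real file are quoted in the thread.

```python
# Added example (not TP-Link code): parse the UCI-style config fragment quoted
# above and report whether WAN ping is enabled. Assumes standard OpenWrt UCI
# syntax: "config <type> ['<name>']", "option <key> '<value>'",
# "list <key> '<value>'", '#' comments. Only lines 1 and 3 of the real file
# are quoted in the thread; the sample text below is constructed.
import shlex

SAMPLE_CONFIG = """\
config global 'settings'
    # constructed padding line; the real line 2 is not quoted in the thread
    option wan_ping 'off'
"""

def parse_uci(text):
    """Return {section_name: {key: value | [values]}} for UCI text.
    Unnamed sections are keyed '@<type>[<n>]' as the uci CLI does."""
    sections, current, anon = {}, None, {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # quote-aware, drops comments
        if not tokens:
            continue
        kind, rest = tokens[0], tokens[1:]
        if kind == "config" and rest:
            stype = rest[0]
            if len(rest) > 1:
                name = rest[1]
            else:
                name = f"@{stype}[{anon.get(stype, 0)}]"
                anon[stype] = anon.get(stype, 0) + 1
            current = sections.setdefault(name, {".type": stype})
        elif kind == "option" and current is not None and len(rest) == 2:
            current[rest[0]] = rest[1]
        elif kind == "list" and current is not None and len(rest) == 2:
            current.setdefault(rest[0], []).append(rest[1])
    return sections

def wan_ping_enabled(text):
    """True only when the 'settings' section has wan_ping 'on'; a missing
    option is treated as off, matching the deny-by-default the thread describes."""
    return parse_uci(text).get("settings", {}).get("wan_ping", "off") == "on"

if __name__ == "__main__":
    print("WAN ping enabled:", wan_ping_enabled(SAMPLE_CONFIG))
```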
Re:Enable ICMP (ECHO) PING on WAN
2020-10-20 15:12:08

@mfisch hi, how do you access those settings to enable wan ping?

0
0
#4
Options
Re:Enable ICMP (ECHO) PING on WAN
2020-11-19 07:39:20

I would also need this feature, for monitoring the system from the outside. It's a common feature in all other routers (low to high end), I'm surprised that I couldn't find it on the Deco.

0
0
#5
Options
Re:Enable ICMP (ECHO) PING on WAN
2020-12-09 03:11:42

This needs to be resolved as well on the M9Plus.

 

I see they removed WAN pinging with a firmware update but didn't think that such a basic feature should be togglable. Not impressed with TP LINK.

0
0
#6
Options
Re:Enable ICMP (ECHO) PING on WAN
2 weeks ago

+1 vote from me too for WAN ping allow. I monitor my home broadband connection remotely and have been unable to do so since switching to DecoS4.

0
0
#7
Options