Before getting Sky I had a normal router (Netgear DG834G) and had the PC and router MTU set to 1458.
So got Sky and set their router MTU to 1458...
A week later the router updates its firmware from 1.11 to 2.04 and I am now connected to MER instead of PPPoA. The MTU on the router can no longer be changed and is hard set to 1500.
Ok, so I try setting the PC MTU to 1500, it says ok but on a reset it goes back to 1458.
I set it by running cmd as admin and pasting this ... netsh interface ipv4 set subinterface "Local Area Connection" mtu=1500 store=persistent
But it just keeps going back to 1458.
And why do the doughnuts at Sky enable 'respond to pings' by default? This is a security risk.
EPIC FAIL ... Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
Edited by deleted (Fri 10-Jun-11 10:56:59)
If you're on Vista or 7 the MTU should set automatically.
I think Sky set the option for responding to ping on by default to allow them to query to the router as to whether it is on-line or not.
Yeah win7, thx for info.
Will not allowing my router to respond to pings affect service?
Yeah win7, thx for info.
Will not allowing my router to respond to pings affect service?
Things like TBB's ping test (BQM) will not work.
Been messing around with the MTU: if you set it to 1400 it stays at 1400, but setting it to 1500 it goes to 1458.
I know a while back it used to be 1500 and you could set it to 1500; there must have been an MS update to stop it going higher than 1458, which is probably a good thing.
After digging up my old posts I found I had quite an unstable connection with MTU on ROUTER 1458, MTU on PC 1500.
Respond to pings should be off by default really, firewall test ... https://www.grc.com/x/ne.dll?bh0bkyd2
I know a while back it used to be 1500 and you could set it to 1500; there must have been an MS update to stop it going higher than 1458, which is probably a good thing.
I use Windows Vista and there's definitely no problem having an MTU of 1500. I think it's unlikely Windows 7 is any different.
C:\>ping -f -l 1472 bbc.co.uk
Pinging bbc.co.uk [212.58.254.251] with 1472 bytes of data:
Reply from 212.58.254.251: bytes=1472 time=40ms TTL=248
Reply from 212.58.254.251: bytes=1472 time=39ms TTL=248
Reply from 212.58.254.251: bytes=1472 time=39ms TTL=248
Reply from 212.58.254.251: bytes=1472 time=39ms TTL=248
Ping statistics for 212.58.254.251:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 39ms, Maximum = 40ms, Average = 39ms
Oliver.
If your MTU is changing itself then I'd first check your security software.
On Windows Vista, Windows 7, and Mac OS X, there is not normally any reason to change the MTU as these operating systems "self adjust" as they monitor the path of the current connection.
If your router is at 1400 but your PC is at 1500 you're giving the router a lot of work to do in splitting every packet, and many routers don't have a very fast CPU, so the effect is that your connection seems "slow".
Being pingable means servers you connect to can ping your router to determine path-MTU; some mistaken security organisations (including Steve Gibson at GRC) seem to think that ignoring pings is a security feature. Nope; "hackers" / malicious intruders can still port scan you (your router).
James - be* pro - on THFB - sync about 17.2mbps - BQM
Ethernet runs best at 1500 and I think MER is a type of routed Ethernet so 1500 is correct.
If sky want to be able to ping their router, why not?
Dr TCP fixed the MTU, the problem was probably in the registry, and Windows 7 does not set the MTU automatically.
As for letting your router respond to ping requests, when playing hide and seek is it best to answer if the seeker calls out, or is it better to keep quiet?
Ethernet runs best at 1500 and I think MER is a type of routed Ethernet so 1500 is correct.
Ethernet runs at any MTU. Yes, if you have a single switch (or hub) segment, then 1500 is the biggest a regular network runs at (unless it's a newer one with jumbo frames).
But on a WAN using lots of different networking technologies, the MTU can rise and fall, as a packet passes through switches and routers and/or firewalls.
James - be* pro - on THFB - sync about 17.2mbps - BQM
Dr TCP fixed the MTU, the problem was probably in the registry, and Windows 7 does not set the MTU automatically.
Dr TCP shouldn't be used on Win Vista or 7 as it says in the documentation - also not on 64bit of either.
As for letting your router respond to ping requests, when playing hide and seek is it best to answer if the seeker calls out, or is it better to keep quiet?
You're not playing hide and seek. There are thousands of IPs on ISP accounts, all of which are known to be allocated to the ISP's customer user base and made publicly available at RIPE (for Europe).
Any malicious attacker looking for a target is going to scan IPs using proper tools, not just with ICMP echo. That's what 5 year olds do playing hide and seek, and your router can keep out pretty much everything (unless you have port forwarding).
Adults use TCP and UDP pings and other tools.
So basically blocking ICMP echo is hurting you more than it's hurting the attacker or "hacker" as the press calls them.
James - be* pro - on THFB - sync about 17.2mbps - BQM
Dr TCP fixed the MTU, the problem was probably in the registry, and Windows 7 does not set the MTU automatically.
Dr TCP shouldn't be used on Win Vista or 7 as it says in the documentation - also not on 64bit of either.
As for letting your router respond to ping requests, when playing hide and seek is it best to answer if the seeker calls out, or is it better to keep quiet?
You're not playing hide and seek. There are thousands of IPs on ISP accounts, all of which are known to be allocated to the ISP's customer user base and made publicly available at RIPE (for Europe).
Any malicious attacker looking for a target is going to scan IPs using proper tools, not just with ICMP echo. That's what 5 year olds do playing hide and seek, and your router can keep out pretty much everything (unless you have port forwarding).
Adults use TCP and UDP pings and other tools.
So basically blocking ICMP echo is hurting you more than it's hurting the attacker or "hacker" as the press calls them.
Dr TCP gave me an extra 0.4MB
Can you explain how being stealth is hurting me?
Can you explain how being stealth is hurting me?
Can you explain how it's helping you?
Can you explain how being stealth is hurting me?
Can you explain how it's helping you?
I'll paste some test results....
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
It's a waste of time running system-hogging security suites on my PC. I haven't for years, just a manual virus scan every week or so, and I never get any problems, but what I do get is raw speed, as some of these AVs can put quite a big dent in performance.
So a lot of people don't know about this and broadcast their presence, this makes it even better for me
Thanks for that Mr Gibson. It's all nonsense of course. I bet the IMF had stealthed ports too
Who are you talking to, and what are you going on about?
Who are you talking to, and what are you going on about?
You quoted from Steve Gibson's site. If you're happy, that's fine.
Who are you talking to, and what are you going on about?
You quoted from Steve Gibson's site. If you're happy, that's fine.
He seems to know what he's talking about, but there might be a way into Sky's routers through the upgrade process.
Who are you talking to, and what are you going on about?
You quoted from Steve Gibson's site. If you're happy, that's fine.
He seems to know what he's talking about, but there might be a way into Sky's routers through the upgrade process.
He is nothing more than a snake oil salesman, who is quite happy to talk absolute 'sphericals' if it suits him.
If you want your connection to work correctly, don't disable 'respond to ping'.
Any ISP that thinks that selling my click traffic is acceptable is MisinPHORMed
So a lot of people don't know about this and broadcast their presence, this makes it even better for me
Not really. Steve Gibson's site was designed for the US where both cable and DSL providers give modems with ethernet sockets (sometimes USB). Many people just plugged in their PC without configuring anything (back in the Windows 98 and ME days) and never knew about security.
In the UK generally people moved to routers pretty quickly.
Steve's tests are testing your router on Sky, and since your router has no NETBIOS functionality (the legacy Windows way of sharing files/printers) then it's not really a valid test anymore...
James - be* pro - on THFB - sync about 17.2mbps - BQM
My connection seems fine, what difference does doing this make?
If you login to a sky router, click advanced>wan setup and read the help text on the right side it says...
Respond To Ping On Internet Port
If you want the Sky Router to respond to a 'Ping' from the Internet, click this check box. This can be used as a diagnostic tool. This can be a security problem. You shouldn't check this box unless you have a specific reason to do so.
My bro who services servers for a living said 'I tend to switch pinging off at the router to stop script kiddies finding a live IP they can port scan, there are no effects from switching this setting off.'
Some bad advice is spewing from this thread, there can be no good reason for someone advising this to be enabled.
My bro who services servers for a living said 'I tend to switch pinging off at the router to stop script kiddies finding a live IP they can port scan, there are no effects from switching this setting off.'
Some bad advice is spewing from this thread, there can be no good reason for someone advising this to be enabled.
I won't be bothering him for any of my repairs. Without ping enabled TBB BQM won't work.
My bro who services servers for a living said 'I tend to switch pinging off at the router to stop script kiddies finding a live IP they can port scan, there are no effects from switching this setting off.'
Some bad advice is spewing from this thread, there can be no good reason for someone advising this to be enabled.
I won't be bothering him for any of my repairs. Without ping enabled TBB BQM won't work.
I would like to advise you to make regular backups.
My bro who services servers for a living said 'I tend to switch pinging off at the router to stop script kiddies finding a live IP they can port scan, there are no effects from switching this setting off.'
Some bad advice is spewing from this thread, there can be no good reason for someone advising this to be enabled.
I won't be bothering him for any of my repairs. Without ping enabled TBB BQM won't work.
I would like to advise you to make regular backups.
I would like to advise you that data falls into 2 categories:
Data that has been backed up.
Data that hasn't been lost yet.
My bro who services servers for a living said 'I tend to switch pinging off at the router to stop script kiddies finding a live IP they can port scan, there are no effects from switching this setting off.'
Some bad advice is spewing from this thread, there can be no good reason for someone advising this to be enabled.
I won't be bothering him for any of my repairs. Without ping enabled TBB BQM won't work.
I would like to advise you to make regular backups.
I've already backed up the router
If you login to a sky router, click advanced>wan setup and read the help text on the right side it says...
Text written by the marketing department and generally copying the first Netgear router with the option.
My bro who services servers for a living said 'I tend to switch pinging off at the router to stop script kiddies finding a live IP they can port scan, there are no effects from switching this setting off.'
Ask your bro if he's used unix/linux nmap to scan a range of IPs through a firewall blocking ICMP and see if it slowed him down even 10%.
Some bad advice is spewing from this thread, there can be no good reason for someone advising this to be enabled.
I advise you go and read about Path-MTU and how servers (that you probably want the best performance from) use ICMP echo to the destination (your router) to determine the optimal MTU to use.
None of this is secret or guessing or even security. It's understanding how TCP/IP works on a large network of networks.
James - be* pro - on THFB - sync about 17.2mbps - BQM
I advise you go and read about Path-MTU and how servers (that you probably want the best performance from) use ICMP echo to the destination (your router) to determine the optimal MTU to use.
Path MTU Discovery uses ICMP Fragmentation Required, not ICMP Echo, so ping responses are not required from the router for this function to work.
Oliver.
Path MTU Discovery uses ICMP Fragmentation Required, not ICMP Echo, so ping responses are not required from the router for this function to work.
That's not what it says here http://www.netheaven.com/pmtu.html
That's not what it says here http://www.netheaven.com/pmtu.html
From that page: "notifications arrive as ICMP (Internet Control Message Protocol) packets known as "fragmentation needed" ICMPs (ICMP type 3, subtype 4)".
ICMP Echo is ICMP type 0 and 8, Reply and Request, completely separate to ICMP type 3 used for Path MTU Discovery.
Oliver.
That's not what it says here http://www.netheaven.com/pmtu.html
From that page: "notifications arrive as ICMP (Internet Control Message Protocol) packets known as "fragmentation needed" ICMPs (ICMP type 3, subtype 4)".
ICMP Echo is ICMP type 0 and 8, Reply and Request, completely separate to ICMP type 3 used for Path MTU Discovery.
From that page: "Administrators who want to block all ICMPs should disable path MTU discovery on their computers, especially on their servers. It makes no sense to ask for ICMP notifications and then refuse to accept them. In addition, doing so opens the server to a special type of distributed denial of service attack based on resource exhaustion from a large number of fully-open connections."
From that page: "Administrators who want to block all ICMPs should disable path MTU discovery on their computers, especially on their servers. It makes no sense to ask for ICMP notifications and then refuse to accept them. In addition, doing so opens the server to a special type of distributed denial of service attack based on resource exhaustion from a large number of fully-open connections."
Yes, but disabling ping replies on routers does not disable all types of ICMP, just the ones dealing with ICMP Echo.
Oliver.
Yes, but disabling ping replies on routers does not disable all types of ICMP, just the ones dealing with ICMP Echo.
The OP wants to disable all types of ICMP.
The OP wants to disable all types of ICMP.
If you say so, BatBoy.
Oliver.
He wants to be invisible on the net to stop script kiddies hacking his computer
Yes, but disabling ping replies on routers does not disable all types of ICMP, just the ones dealing with ICMP Echo.
That's what you'd hope. Without actually testing, I've seen some routers (remotely, so not sure what they were) that ignored ALL ICMP when the owner told me they'd "blocked ping". Including all the useful ones :-/
James - be* pro - on THFB - sync about 17.2mbps - BQM
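As an added illustration (not from any poster in this thread), a small Python sketch of the ICMP distinction Oliver and James are drawing: the parser separates Echo (types 8 and 0) from Destination Unreachable code 4 (RFC 1191 "fragmentation needed"), two policy functions compare a 'Respond To Ping' switch that drops only echo against one that blunts all ICMP and so starves Path MTU Discovery, and the `ping -f -l 1472` arithmetic for a 1500-byte MTU is worked through. The sample messages and both policies are constructed for the example; no real router's behaviour is implied.

```python
import struct

# ICMP type/code values from RFC 792 / RFC 1191, the ones the thread argues about
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
CODE_FRAG_NEEDED = 4  # "fragmentation needed and DF set": carries the next-hop MTU

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes) -> bytes:
    """Constructed sample message: type, code, valid checksum, 4-byte rest-of-header."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest

def parse_icmp(msg: bytes) -> tuple:
    """Return (type, code, next_hop_mtu); MTU is 0 unless this is type 3 / code 4."""
    if len(msg) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    if icmp_checksum(msg) != 0:  # a valid message sums to zero with its checksum field
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    frag_needed = icmp_type == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED
    return icmp_type, code, mtu if frag_needed else 0

def echo_only_policy(msg: bytes, respond_to_ping: bool) -> str:
    """Well-behaved switch: off drops Echo Request/Reply only; type 3 (PMTUD) still passes."""
    icmp_type, _code, _mtu = parse_icmp(msg)
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "accept" if respond_to_ping else "drop"
    return "accept"

def blunt_policy(msg: bytes, respond_to_ping: bool) -> str:
    """The behaviour the thread warns about: 'blocked ping' drops every ICMP message."""
    parse_icmp(msg)  # still reject malformed input
    return "accept" if respond_to_ping else "drop"

def ping_payload_for_mtu(mtu: int) -> int:
    """Largest 'ping -f -l N' payload fitting one IPv4 frame of this MTU:
    subtract the 20-byte IPv4 header and 8-byte ICMP header (1500 -> 1472)."""
    return mtu - 20 - 8

# Constructed samples: an Echo Request (id=1, seq=1) and a Fragmentation Needed
# notification advertising a 1458-byte next-hop MTU, both with valid checksums.
ECHO_REQUEST = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 1, 1))
FRAG_NEEDED = build_icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, struct.pack("!HH", 0, 1458))

if __name__ == "__main__":
    for name, raw in (("echo request", ECHO_REQUEST), ("frag needed", FRAG_NEEDED)):
        print(name, "echo-only:", echo_only_policy(raw, False), "blunt:", blunt_policy(raw, False))
    print("ping -f -l", ping_payload_for_mtu(1500), "for MTU 1500")
```

With the switch off, the echo-only policy drops the Echo Request but still accepts the Fragmentation Needed notification, while the blunt policy drops both.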
I suppose to test this you could run 1 week with pings on and 1 week off, and then see how many intrusions from China you get in the logs.
BTW. syslog is borked on the sky d-link and probably the sagem, plus I already know what the results will be
Battyboy can test this, he likes intrusions
Edited by deleted (Fri 17-Jun-11 21:45:09)
Everything here seems a lot more settled with pings enabled and a static ip. It just works, but I'm on BE. I moved from Sky to BE due to problems with loss of routing.
BTW. syslog is borked on the sky d-link and probably the sagem, plus I already know what the results will be 
No, you have an untested hypothesis.
I just suggested you try it. You've argued you don't want it. It's no skin off my nose at all, it doesn't affect me in the slightest. End of topic.
James - be* pro - on THFB - sync about 17.2mbps - BQM
Edited by jchamier (Sat 18-Jun-11 00:25:24)
There's one born every minute, so why do they have to post in my thread?
There's one born every minute, so why do they have to post in my thread?
It's a discussion. You don't own the thread.
My bro who services servers for a living said 'I tend to switch pinging off at the router to stop script kiddies finding a live IP they can port scan, there are no effects from switching this setting off.'
What a load of [censored].
______________
Zen 8000 Active
An ancient Chinese proverb comes to mind.
'He who has retards dribbling on his window can not send a clear message out'
Pings off is more secure, anyone who says otherwise is a [censored] retread...
Edited by deleted (Sat 18-Jun-11 21:55:00)
I was more referring to his "there are no effects from switching this setting off".
______________
Zen 8000 Active
Pings off is more secure, anyone who says otherwise is a [censored] retread...
That must be very tiring.
Yes, but disabling ping replies on routers does not disable all types of ICMP, just the ones dealing with ICMP Echo.
That's what you'd hope. Without actually testing, I've seen some routers (remotely, so not sure what they were) that ignored ALL ICMP when the owner told me they'd "blocked ping". Including all the useful ones :-/
Apparently, it's quite common for domestic routers to disable all ICMP when ping is disabled.
With the amount of open ports due to MSN, Yahoo, auto software updates etc, I don't think preventing a router responding to pings gives even the slightest improvement in stealth.
John.
With the amount of open ports due to MSN, Yahoo, auto software updates etc, I don't think preventing a router responding to pings gives even the slightest improvement in stealth.
Thanks
If you're Steve Gibson (of GRC fame) then he thinks disabling ping is important - but then he is in the US - where it is very common to NOT use a router at all, and plug your only computer directly into your cable or DSL modem. Which is another thing altogether.
James - be* pro - on THFB - sync about 17.2mbps - BQM