Ping command is not accepted if firewall is on at remote system

Question

I am using ping command to know whether remote machine is on or not. But problem is that ping command (ICMP Packect) is not accepted at remote machine if firewall is on and it assumed that remote machine is off because ping status returns false. Is there any alternative way to know that remote machine is on or not assuming firewall is on.

I find it strange that this question is tagged 'c++'. – chmeee Jun 18 '09 at 09:49 — chmeee, Jun 18 '09 at 09:49

score 6 · Answer 1 · answered Jun 18 '09 at 08:56

6

Depending on the firewall configuration you may be able to use a TCP SYN ping.

Effectively you will either get an ACK back if it's listening on the port, or a RST if it's not.

Various tools exist that do this, notably NMAP

answered Jun 18 '09 at 08:56

dart

61
2

score 4 · Answer 2 · answered Jun 18 '09 at 08:59

4

If the other computer is on the same local area network, it should still answer to ARP requests even though it's blocking ping. In this case, you could try to use something like arping. More information on Wikipedia.

Over a larger network, I can't think of a reliable way of telling whether a host is on or not without its cooperation.

answered Jun 18 '09 at 08:59

Tiberiu Ana

256
2
5

The questions states that its on a remote network, so I dont think ARP will help much here. – pauska Jun 18 '09 at 12:10
1

It says remote machine. It makes no comment as to whether it is on the same subnet or not. – David Pashley Jun 18 '09 at 12:28

score 3 · Answer 3 · answered Jun 18 '09 at 08:16

If the firewall is any good, there is no way to check for this. The whole point of a firewall is that, if the packet you send is rejected, you don't get any clues at all as to the state of the receiving server: the core idea is that you don't get to tell between the case of

1) the server isn't there, and

2) the firewall blocked you.

In order to tell if the remote server is on, you have to decide on some port on which the server will respond, and make an appropriate hole in the firewall.

score 2 · Answer 4 · answered Jun 18 '09 at 11:59

(not enough reputation yet to comment so I'm adding this as an answer)

This is a reason that I usually encourage allowing at least a few icmp types (echo request, echo reply and time exceeded come to mind) on all machines, because dropping ICMP is not really hiding the existence of the machine anyway (it might for machines behind it, though), but mostly hinders monitoring and network debugging.

If you're really paranoid about pingflood attacks, some sort of rate limiting might do (or filters only on the border side of the network).

Take note that not answering to an echo request is not a sign of the machine not being there, that is usually signalled by the last router replying with an ICMP packet type 3, code 1 (host unreachable), so making a machine really invisible is more complicated than it appears.

As for the original question, one of the nmap scans usually does the job (more than often a so-called "tcp ping" scan).

score 0 · Answer 5 · answered Jun 18 '09 at 11:29

The way that I do this is to initiate a TCP connection to a known open port. If it's a web server, it will respond on port 80 (or 443). A positive response indicates that the machine is alive. A negative response indicates one of many possible problems, such as connectivity through the network, incorrect firewall configuration, service outage, or the machine being down.

If you're setting up monitoring and just want to know when to pay attention to the machine, just rely on a known-open port. At least if it stops responding, you'll know something is up.

score 0 · Answer 6 · answered Jun 18 '09 at 11:37

Most modern firewalls may also intercept the initial SYN-SYN/ACK-ACK to hep prevent resource exhaustion type attacks (i.e. send a lot of SYNs forcing the server to put a entry in its connection table and then never continue the connection -- to make this type of attack more aggressive, these connections can be from spoofed IP addresses).

You may need to open a connection and actually request data to have more assurance that the server is actually up (of course caching servers and other things could foil even this).

What type of server is it? The connection type can be geared to the service offered by the server. Tools like nmap (http://nmap.org/) can request the http header for instance.

score 0 · Answer 7 · answered Jun 18 '09 at 13:18

0

Isn't this a Windows question? Windows is the only OS that's retarded enough to block ping by default.

I really hate this. I wonder how many man-years have been wasted by people troubleshooting the network just because ping didn't work.

answered Jun 18 '09 at 13:18

Thomas

1,476
11
16

I doubt that very much, I imagine it's just the most common one :) I agree blocking pings is not especially useful. Lots of consumer-grade routers block pings with their default ACLs. – MarkR Jun 21 '09 at 20:45

score -1 · Answer 8 · answered Jun 18 '09 at 08:58

-1

You can do an ARP Ping. Even if the firewall is preventing ICMP pings from occurring, ARP Ping basically asks if anyone is using the specific IP. ARP is used to make sure there's not IP collisions, so the machine has to respond. Once such tool is here.

answered Jun 18 '09 at 08:58

Knox

2,463
2
26
34

1

ARP ping will work only if you are in the same LAN (local network). – bortzmeyer Jun 18 '09 at 09:10
Hmmm. Even though he said it was remote, I assumed he was vpn'ed into its LAN. – Knox Jun 18 '09 at 10:12

Ping command is not accepted if firewall is on at remote system

8 Answers8