Linux: Disable Ping / ICMP Replies

Objective: Disable ping replies or drop ICMP packets of type 0 (echo reply) on Linux.

“Packet InterNet Groper” or ping is a computer network administration utility to test the reachability of a host on an IP network. ping sends ICMP (Internet Control Message Protocol) echo request packets to a target host and the target host will reply with an echo reply. Since ICMP can be used to identify and profile networks, ICMP services are considered as a security risk by some and are disabled by default.

To ignore ping responses (ICMP type 0 – echo reply) on Linux, set the kernel parameter net.ipv4.icmp_echo_ignore_all to ‘1’. There are two methods to accomplish this. The first method is to modify the parameter using /proc and the second method is to modify the parameter using sysctl. Either one of the methods will work.

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# sysctl -w net.ipv4.icmp_echo_ignore_all=1

To enable back ping replies, set the parameter to ‘0’. Again, the first method is using /proc and the second method is using sysctl.

# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# sysctl -w net.ipv4.icmp_echo_ignore_all=0

The above settings will be set to default after a system reboot. To disable ping replies across system reboots, edit the /etc/sysctl.conf file and add the following line.

net.ipv4.icmp_echo_ignore_all = 1

Once the file has been modified, enforce the setting immediately by running the following command.

# sysctl -p

This method is only applicable for IPv4 and not for IPv6. Also, this method will only block the Linux system from responding with ping replies. It will not block it from originating ping requests or receiving ping replies. In other words, once the ping replies are blocked, it will no longer send ping replies, but it can send ping requests or receive ping replies.

ibrahim = { interested_in(unix, linux, android, open_source, reverse_engineering); coding(c, shell, php, python, java, javascript, nodejs, react, vuejs); plays_on(xbox, ps4); linux_desktop_user(true); }