How Ping Detects Packet Filtering: A Technical Analysis of ISP-Level ICMP Blocking



When your ISP implements network-level filtering, the TCP/IP stack reveals specific behaviors through ICMP responses. In your case with eircom's TPB block, the key evidence is the Packet filtered message originating from 159.134.124.176 - which is likely a firewall device in eircom's infrastructure.

The critical technical detail is the From [IP] icmp_seq=[X] Packet filtered pattern. This indicates:

1. Your ping reaches eircom's network boundary
2. Their firewall processes the ICMP Echo Request
3. Instead of silently dropping the packet (the common practice), it sends ICMP Type 3 Code 13 (Communication Administratively Prohibited)

Beyond basic ping, these techniques provide deeper insight:

Traceroute Analysis

traceroute -I 194.71.107.15  # Use ICMP instead of UDP
traceroute -T 194.71.107.15  # TCP SYN traceroute

Nmap Firewall Detection

nmap -sS -Pn -PS -PA -T4 --reason 194.71.107.15
nmap --script firewall-bypass 194.71.107.15

Using tcpdump to inspect the actual ICMP responses:

sudo tcpdump -ni any icmp and host 194.71.107.15
# Expected output showing filtered packets:
# 12:34:56.789 IP 159.134.124.176 > your.ip: ICMP 194.71.107.15 \
#   unreachable - admin prohibited filter, length 36

From a network engineering perspective (not an endorsement), these methods sometimes work:

# DNS over HTTPS/TLS testing (the JSON endpoint expects the dns-json Accept header)
curl -v -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=thepiratebay.com&type=A'

# VPN detection testing
nmap -sV --script vpn-detection 159.134.124.176

# TCP SYN stealth ping
hping3 -S -p 80 -c 3 194.71.107.15

Modern ISP filtering typically involves:

  • Deep Packet Inspection (DPI) appliances
  • BGP route poisoning
  • Transparent TCP resets
  • DNS hijacking

Your case shows a relatively "polite" implementation that explicitly informs clients about filtering through ICMP messages.


When you see Packet filtered in ping responses, it indicates an intermediate network device (likely your ISP's firewall) is actively blocking ICMP packets to the target IP. This differs from:

  • Request timed out (no response received)
  • Destination unreachable (route exists but host isn't responding)

The filtering device (159.134.124.176 in your case) is sending ICMP Type 3 Code 13 packets ("Communication Administratively Prohibited"). This is RFC-compliant behavior for firewalls:

IP Header:
    Source: 159.134.124.176 (ISP's filter)
    Destination: Your IP
ICMP Header:
    Type: 3 (Destination Unreachable)
    Code: 13 (Communication Administratively Prohibited)
    Original Packet: Contains the IP header plus the first 64 bits of your original ICMP request
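
The message layout above, as an added example (not code from the original answer): a Python parser that takes a raw IPv4 packet, confirms it is ICMP Type 3, and recovers both the device that sent the error and the destination quoted inside it. The client address 192.0.2.10, the sample packet and all function names are constructed for illustration.

```python
import socket
import struct

CLIENT = "192.0.2.10"  # constructed client address (documentation range)

def ip_header(src, dst, payload_len):
    """Minimal 20-byte IPv4 header carrying ICMP (checksum left 0 for the sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 1, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_sample():
    """Constructed packet: the page's filter answering an echo request to the target."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)         # echo request, seq=1
    quoted = ip_header(CLIENT, "194.71.107.15", 64) + echo   # IP header + 64 bits
    icmp = struct.pack("!BBHI", 3, 13, 0, 0) + quoted        # type 3, code 13
    return ip_header("159.134.124.176", CLIENT, len(icmp)) + icmp

def parse_unreachable(packet):
    """Return who sent an ICMP Destination Unreachable and which probe it quotes."""
    if len(packet) < 20:
        raise ValueError("outer IP header is truncated")
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 or packet[9] != 1 or packet[ihl] != 3:
        raise ValueError("not an ICMP Destination Unreachable packet")
    quoted = packet[ihl + 8:]                  # skip the 8-byte ICMP error header
    if len(quoted) < 20:
        raise ValueError("quoted IP header is truncated")
    q_ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < q_ihl + 8:
        raise ValueError("quoted datagram is truncated")
    result = {
        "reporter": socket.inet_ntoa(packet[12:16]),   # device that sent the error
        "target": socket.inet_ntoa(quoted[16:20]),     # where the probe was headed
        "code": packet[ihl + 1],
        "filtered": packet[ihl + 1] == 13,             # ping prints "Packet filtered"
        "icmp_len": len(packet) - ihl,                 # tcpdump's "length" field
    }
    if quoted[9] == 1 and quoted[q_ihl] == 8:          # quoted probe was an echo request
        result["icmp_seq"] = struct.unpack("!H", quoted[q_ihl + 6:q_ihl + 8])[0]
    return result

if __name__ == "__main__":
    print(parse_unreachable(build_sample()))
```

The reporter differing from the target is what separates a filter on the path from an error sent by the destination itself.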

To gather more evidence of filtering:

Traceroute Analysis

traceroute -n -I 194.71.107.15  # Uses ICMP like ping
traceroute -n -T 194.71.107.15  # Uses TCP SYN (bypasses some filters)

Nmap TCP Probing

nmap -Pn -sS -p 80,443 194.71.107.15
# -Pn: Treat host as online (skip ping)
# -sS: TCP SYN scan

Packet Capture

Using tcpdump to see raw packets:

sudo tcpdump -ni any host 194.71.107.15

For developers needing to test connectivity:

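# Try alternative protocols (ping itself only sends ICMP; its -U and -T flags are not UDP/TCP modes)
traceroute -n -U 194.71.107.15  # UDP probes
traceroute -n -T -p 443 194.71.107.15  # TCP SYN probes to port 443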

# Check DNS-level blocking
dig +short thepiratebay.com @8.8.8.8

Common ISP blocking techniques:

  • Deep Packet Inspection (DPI): Looks at packet contents beyond headers
  • IP Blackholing: Drops all packets to target IPs
  • TCP Reset Injection: Sends fake RST packets