One—not uncontroversial—way to increase security is to hide the router according to the motto: "If you can’t see me, you won’t attack me ..". Many attacks start by looking for computers and/or open ports with the help of harmless requests, e.g. with the ping command or a port scan. Any response to these requests, including the "I am not here" response, informs the attacker about a potential target. Because if you answer, you're there. To prevent this, the device can suppress the responses to these requests.
It does this by simply not responding to ICMP echo requests. At the same time, the TTL-exceeded messages used with a traceroute are suppressed, so that the device cannot be found by a ping or a traceroute.
The available settings are:
- Off: ICMP responses are not blocked
- Always: ICMP responses are always blocked
- WAN only: ICMP responses are blocked on all WAN connections
- Default route only: ICMP responses are blocked on the default route (usually Internet)
