Verizon DSL is blocking outbound traffic

Recently, someone at a small business with a Verizon DSL Internet connection couldn't connect to my computer with NetMeeting. I've done this often enough to know that NetMeeting wasn't the problem, so I asked them to ping my computer - and it failed (timed out).

The TCP/IP ping command is a network debugging tool available on any operating system with TCP/IP (which is just about every operating system). It sends a simple command to the target computer which answers with a small amount of data. As the name implies, ping is just a tap on the shoulder to see if the networking is working between two computers on a TCP/IP network. Because pings are so simple, any problem is a networking problem.

In this case, the ping should not have failed. The target computer was one of mine and it was naked on the Internet, without a firewall protecting it. It seemed that Verizon was blocking it at the source, but I couldn't be sure.

A few days later, while working at another small business with a Verizon DSL connection, I couldn't establish a remote control connection using Real VNC. This was a bit more complicated, as it involved port forwarding on the target router and poking a hole in the firewall on the target computer. But here too, my first step in debugging was a ping of the target public IP address - and it failed. The target was a router under my control and it was configured to respond to public pings. Again, it seemed like Verizon was blocking the ping at the source.

To be sure, I tried a more advanced network debugging tool, traceroute. Long story short, traceroute proved that Verizon was blocking things. The trace was able to get from my computer on the LAN to the Verizon Westell 7500 modem/router that connected the LAN to the outside world, but could not get any farther.

A third test provided strike three. Someone I know with a Verizon DSL account, when told about this problem, also tried to ping some public websites and couldn't. The box used in this case was a Westell Wirespeed C90.

Verizon DSL is blocking outgoing ping, traceroute, NetMeeting, Real VNC and probably more.

This is bad. The blocking of outbound remote control software was a real problem to the first businesses as it prevented me from helping them with another problem.

Update August 5, 2008: Pings to websites don't always work. This has nothing to do with an ISP, rather it is an attribute of the website, or more specifically, the routers fronting the site. A website may simply choose not to respond to pings. The examples in this posting do respond to pings. Many consumer grade routers have a configuration option governing whether they respond to pings. However, even if a website opts to not respond to pings, a traceroute (in Windows the command is tracert) should at least show that the request got out to the Internet and bounced around a bit before failing. This was not the case with Verizon DSL.

Update August 5, 2008: I spoke to Verizon tech support and the technician said this is not by design. In fact, the person said they had never had a complaint that a DSL customer couldn't do something as simple as pinging yahoo.com. If this is true, the problem must lie in the configuration of the Westell modem/router. To be continued.

Update August 7, 2008: Verizon's press relations office made it clear they do not block traffic. And, it seems they don't - at least not on purpose. The problem has been resolved with one of the three customers, the issue was with the firewall in the router. More to come soon...

Update August 11, 2008: To see how this played out, see Verizon DSL traffic blocking explained

See a summary of all my Defensive Computing postings.

[twiny1]

Pings to the servers you mentioned, cnet.com, cbs.com, news.com & yahoo.com were all successful.

Pings to ebay.com, apple.com, msnbc.com, easynews.com and, oddly enough, verizon.com all failed multiple times.

From my iMac in Burlington, Vt.

[tekwiz4u]

Micheal,

Stop freaking out. Newer routers block traffic known as ICMP, which blocks PING traffic. It's nothing new, and some routers actually have this feature in their settings. Maybe some routers have it turned on by default, you can check there. And sometimes companies like to have it blocked to prevent flooding. Last resort will be checking the ISP.

[mhinnewyork]

See the update to the above posting. Also, I had problems with NetMeeting and Real VNC, which are not pings and are not ICMP. Michael Horowitz

[minu21]

[minu21]

i read from cnet.
i have same problem as like you
my dsl service for security camera.
it access with remote control but,i can not access for my camera from home
and can not see other store with verizon DSL....
i want know is it problem by ping or not.... i think, ping is very simple test for network why they can not service for this
and they want to pay for helping remote access....
technician can not explain about this problem and can not help for remote access
my security camera system is so simple... if internet connection is OK,camera is OK from other DSL provider..

[rengel]

I have a AT&T DSL account and I had no problem pinging any of the domains listed. I know in the past, some ISPs that I have dealt with when they hosted some of my client websites, have blocked pinging however.

[mhinnewyork]

See the update to the posting dated August 5th. Also, the problem was not limited to ping, it also happened with NetMeeting, Real VNC and traceroute.

[kimikaze]

I have a Verizon DSL account at home. No problems pinging cnet.com, yahoo.com, or verizon.net.

[daveberstein]

Dave Burstein here. I'm a Time Warner cable customer.
I pinged cnet.com and apple.com successfully, but not ebay.com, verizon.com or nytimes.com
I have no idea what's going on.

[ikramerica--2008]

Same for me with Time Warner.

[coreythrower]

First of I am using Verizon DSL and I am able to ping anywhere that I want including ip addresses. Second of all I used to work for Verizon Online as a Supervisor in the DSL Tech support department and having customers ping and trace route is tool that we would use to test connectivity and also latency. As far as using these applications like the security camera, and Netmeeting, often you have to open up port forwarding in the router with the correct ports. Don't call Verizon for help with this as they do not support it. I use netmeeting as well and it is not a problem for me. I had to put the correct setting in the port forwarding on the router. If you dont beleive me, you can set your router up to be just a modem and put on a linksys router that handles the routing. Best of luck to ya and stop bashing companies and coming to conclusions that an ISP is doing something without extensive testing.

[mhinnewyork]

You didn't read the posting carefully. In the case of NetMeeting there was no router to forward ports on. The machine being connected to was naked on the Internet. And, I have done the same many times. The problem was on the sending side not the receiving side. And, you ignored the problem with Real VNC and traceroute. With RealVNC too, the problem was getting out from Verizon not past the receiving firewall/router. And because it works for you it should work for every of the thousand and thousand Verizon DSL customers? That's not great logic. I'm not bashing, I'm stating observed facts. Your prejudice seems obvious. Michael Horowitz

[bigswole17]

I agree with coreythrower. Not being able to ping an IP address does not mean much; you have to take it for what it's worth. If I'm the hosting company, I want as little information about my network being available to the general public. Something as simple as ping is sometimes too much.. From my experience with ISP's, the ISP's do not block outgoing ports, only incoming ports. Let's say for example, I have a Verizon DSL account and I want to host a web server at my house, Verizon wants you to pay for their upgraded service. If you are trying to VNC into another network and can't, more than likely, the router on the hosts end needs to be configured to allow this type of connection, which is beyond the scope of this post and ISP customer support. Unfortunately, you have to find someone who knows how to configure networks to get this corrected. P.S to the owner of this post, if traceroute gets out to the internet and stops at the router of the other network, your problem is with the other network. Networks are fun, but complicated.

[mhinnewyork]

Read the posting again. Your responses don't fit the facts I presented. Michael Horowitz

[The_Decider]

Why does CNET hire people with little technical knowledge? Oh yeah, it is cheaper.

Your headline is "Verizon is blocking outbound traffic". Nothing you wrote even comes close to being able to conclude that.

Like others have mentioned it is likely a configuration problem on the other end. How about you wait until you have proof before accusing an ISP of damaging policies?

[The_Decider]

It is also not a bad thing that traceroute and ping are blocked. That is network security 101.