Ping on working site says Destination Unreachable


I am pinging a working site from my cmd and I get this:

ping site.com

Pinging site.com [x.x.x.x] with 32 bytes of data:
Reply from x.x.x.x: Destination host unreachable.
Reply from x.x.x.x: Destination host unreachable.
Reply from x.x.x.x: Destination host unreachable.
Reply from x.x.x.x: Destination host unreachable.

Ping statistics for x.x.x.x:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

I have censored the IP and domain for obvious reasons. The site is accessible from my browser on this machine.

My question is, how/why would they do this?


There are 2 best solutions below

0
On BEST ANSWER

ping is an ICMP command request which companies/organisations can block using their firewall for security reasons/purposes. It has nothing to do with the website's accessibility using a browser.

They are receiving your request and not taking any further action; so it says that destination host is unreachable!

So even though you can visit the organisation's website in the web browser, your ping request can be blocked for the aforementioned reason.

0
On

The next diagnostic step is traceroute. To get even more hard-core, use a more complicated tool like nmap or hping2 that lets you send a variety of packets.

Assuming nothing out-of-the-box strange is going on, some intermediate host (or even the destination host) is dropping your ICMP echo packet and responding with ICMP destination unreachable.

This is confusing, because that's not really the problem. However, one big reason this happens is that some routers, even high-end ones, have limits on the kinds of ICMP errors that they can generate, and sometimes an administrator will configure it in an annoying way like this. Another common manifestation of the same issue is intermediate routers dropping TCP packets with RST, making ports look closed instead of just blocked by a firewall.

If it's on your network, consider asking the administrator to switch it to a less confusing message, such as administratively prohibited.

If you still want to ping, consider using a ping utility that uses an alternate packet type, such as hping2, as mentioned above.

Given the foregoing, blocking ping is pretty much a TSA-style security measure. It's tremendously annoying in practice for anyone trying to troubleshoot the site, but it doesn't actually prevent pinging using some other packet type. Hypothetically, it might defeat the dumbest of host up/down scanners, but if port 80 is open, any real scan is still going to find it.

As an alternative explanation, it is possible that the host actually is unreachable using your current routing table, and the browser is finding it some other way. For instance, your network might have no default route to the Internet, but the browser is using a proxy server that does have access. This kind of configuration is used by some sites, generally to prevent rogue malware or hackers on your network from being able to trivially call out.
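The answers above turn on which device sent the ICMP error and which code it carried (host unreachable versus administratively prohibited). The following is an added example, not code from either answer: it decodes a captured ICMP Destination Unreachable packet to show the reporting address, the code, and the quoted header of the dropped echo request. The sample packet is constructed and uses documentation addresses (192.0.2.10 as the client, 198.51.100.7 as the site, 203.0.113.1 as the device that sent the error).

```python
import ipaddress
import struct

# ICMP type 3 codes (RFC 792, RFC 1122, RFC 1812)
CODES = {0: "network unreachable", 1: "host unreachable",
         3: "port unreachable", 9: "network administratively prohibited",
         10: "host administratively prohibited",
         13: "communication administratively prohibited"}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

# Builders used only to construct the sample packet below.
def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def icmp(icmp_type: int, code: int, rest: bytes, body: bytes) -> bytes:
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def parse_unreachable(packet: bytes) -> dict:
    """Decode an IPv4 packet carrying ICMP type 3 and the header it quotes."""
    ihl = (packet[0] & 0x0F) * 4
    msg = packet[ihl:]
    if packet[9] != 1 or msg[0] != 3 or checksum(msg) != 0:
        raise ValueError("not a valid ICMP Destination Unreachable message")
    inner = msg[8:]                     # quoted IP header + 8 bytes of the dropped packet
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "reported_by": str(ipaddress.IPv4Address(packet[12:16])),
        "code": msg[1],
        "meaning": CODES.get(msg[1], "other"),
        "original_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "original_icmp_type": inner[inner_ihl] if inner[9] == 1 else None,
    }

# Constructed sample: an echo request and the code 1 error sent back for it.
ECHO = ipv4("192.0.2.10", "198.51.100.7", 1, icmp(8, 0, struct.pack("!HH", 1, 1), b""))
SAMPLE = ipv4("203.0.113.1", "192.0.2.10", 1, icmp(3, 1, b"\x00" * 4, ECHO))
```

In a real capture, `reported_by` is the field to look at first: it identifies the device that generated the error, which need not be the site itself.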