RE: ICMP (Ping)
From: Tony Kava (securityfocus_at_pottcounty.com)
Date: 09/04/03
- Previous message: Mike Peppard: "RE: Remotely manage Zone Alarm"
- Maybe in reply to: Paul Kurczaba: "ICMP (Ping)"
- Next in thread: Christos Gioran: "RE: ICMP (Ping)"
- Reply: Christos Gioran: "RE: ICMP (Ping)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com> Date: Thu, 4 Sep 2003 13:07:07 -0500
I do like your reasoning that others do not generally have a business need
to ping your hosts, however I still prefer to allow this service not simply
to conform to standards, but rather as an easy indicator that our network
link is up. In my previous work at a broadband ISP I was often annoyed at
how many hosts do not respond to ICMP echo. On a LAN that uses DHCP it can
be a true pain because hosts can use an IP address in the dynamic range and
when the DHCP server double-checks that the IP is available with a ping it
finds that the IP is not in use and allocates it to the DHCP client. The
DHCP server should be able to assume that if the IP were in use a host would
respond to ICMP echo.
Of course, we're talking about public IP addresses on the internet. The
DHCP example does not apply, however it is still a useful service to other
administrators out there. When your users are unable to reach a certain
destination it is a quick check for connectivity. Of course there are
numerous other methods to determine whether a host is up or not, but ping is
designed for this purpose. There are steps that can be taken to prevent the
misuse of the protocol, and those should be preferred to simply dropping the
packets.
Others on the internet do share your opinion, and I can see why. However,
there are still many of us who do accept ICMP echoes. Including yahoo.com
and google.com. Yes, I know, microsoft.com and ebay.com do not. If you
keep watch on your network and you have taken reasonable steps to diminish
the success of a DoS attack then you should be able to safely accept ICMP
echoes.
... my two cents, of course.
-- Tony Kava Network Administrator Pottawattamie County, Iowa -----Original Message----- From: Jay Woody [mailto:jay_woody@tnb.com] Sent: Thursday, 04 September, 2003 11:06 To: security-basics@securityfocus.com Subject: RE: ICMP (Ping) I don't think that maintaining a RFC standard for the sake of maintaining the standard is necessarily worth your company experiencing an outage. Those standards are exactly that, a standard. They are what should be done. They are put in place mainly so that everyone knows how to interact with each other. If you changed something and made yourself non-RFC compliant in something like SMTP, that would be one thing, because everyone NEEDS to know that everyone is doing it a certain way. Everyone doesn't NEED to ping me. In a perfect world, you should always maintain standards obviously. However, in this world, you make changes based upon your needs and requirements and you tell your business partners, "This is how you need to do it to do business with me." My business could care less if the entire world can ping me and know I am up. I want my customers to know and my partners. Everyone else can go take a leap. All we needed was one denial of service attack hitting us and they determined that the amount of time it took to trouble-shoot it and fix it were not worth what they got by allowing random people around the world to "test" and see if we were up. Certain RFC's matter to the world. Certain ones don't. This is one that the world has determined it is acceptable to violate. The "Security through Obscurity" that most people rag on is trying to mask or mislead your attacker into believing that you are running something different (different OS, etc.) and most people blast that because there are 15 different ways to tell an OS, so you block one, big deal. If you are patched then you shouldn't need to obscure it. In this case I am hiding the existence of a box because even if I am patched and proper I am still vulnerable to being pinged out of existence. The time it takes me to daily enter 15 people to drop packets from just isn't worth it. Until I have a real business reason for NEEDING a ping (other than just to maintain a RFC Standard), then I drop them. If I NEEDED the ping then I would worry about trying to manage the settings, etc. My 2 cents. JayW >>> Tony Kava <securityfocus@pottcounty.com> 09/03/03 11:20AM >>> What about compliance with standards? ICMP echo is a useful diagnostic tool, and not responding to ICMP echo is not an effective means of protecting yourself. I believe members of this list have often cited the lack of value found in 'security by obscurity'. I do not wish to suggest that allowing all types of ICMP traffic is a safe practice, but ICMP echoes should be accepted and replies should be sent unless you have blocked them in order to mitigate a denial of service attack or because you believe the source of the request is malicious in nature. == RFC 1122 snippet == 3.2.2.6 Echo Request/Reply: RFC-792 Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. A host SHOULD also implement an application-layer interface for sending an Echo Request and receiving an Echo Reply, for diagnostic purposes. An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded. == end of snippet == Just my two cents, as it were. -- Tony Kava Network Administrator Pottawattamie County, Iowa -----Original Message----- From: freeasabird_13@gmx.net [mailto:freeasabird_13@gmx.net] Sent: Tuesday, 02 September, 2003 21:12 To: Paul Kurczaba; security-basics@securityfocus.com Subject: Re: ICMP (Ping) > Are there any security issues for allowing a firewall/router to respond to > Ping from the internet? > > -Paul Kurczaba Yes. It would not be preferable for you to allow your firewall/router to respond to pings from the internet. Someone running a wide-scale scan of internet computers for possible attack targets would quickly be made aware of your obvious internet presence and you could become a target for attack. This wouldn't be such a big problem provided your firewall/router was well-configured with security in mind. If there is no overwhelming reason for allowing your device to respond to pings then it shouldn't be configured to do so. It is simply calling too much attention to your systems and their possible vulnerabilities. Well anyway, that's my quick 2 cents on the matter. I'm sure others will share theirs too. Best Wishes, ~Nathaniel Hasenfus --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.515 / Virus Database: 313 - Release Date: 9/1/2003 --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com ----------------------------------------------------------------------------
- Previous message: Mike Peppard: "RE: Remotely manage Zone Alarm"
- Maybe in reply to: Paul Kurczaba: "ICMP (Ping)"
- Next in thread: Christos Gioran: "RE: ICMP (Ping)"
- Reply: Christos Gioran: "RE: ICMP (Ping)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
