Re: ICMP (Ping)
From: Tomas Wolf (tomas_at_skip.cz)
Date: 09/07/03
- Previous message: Phillip McCollum: "Re: handling log files"
- In reply to: Tim Greer: "RE: ICMP (Ping)"
- Next in thread: Tim Greer: "Re: ICMP (Ping)"
- Reply: Tim Greer: "Re: ICMP (Ping)"
Date: Sat, 06 Sep 2003 23:54:49 -0400
To: Tim Greer <chatmaster@charter.net>
I understand that there are many ways to find out that a machine is there
(by just seeing the response if it is "destination unreachable" or
"connection reset" or none at all). But I would like to say that there
are many students running scripts that sweep IP ranges by ping and
"candidates" try for automatic exploitation of pre-defined holes (i.e.
look for open 25, sendmail, run exploit for linux, types of unixes,
windows, report success....). But of course, a person with some
knowledge about the topic will find out if the host is there without the
need of ICMP echoes.
And yes, as much as we want to pretend there is nothing, trying to get
around by fooling fingerprinting tools, there is always a way... But
these ways are a bit harder than just ping, fingerprint OS, run
exploit... And if the quantity-oriented kiddie sees problems it will
discourage some of them to move several IPs down to two or three servers
with the lack of security... So by filtering icmps 8&0 one just slightly
narrows down the number of potential penetrators...
Tomas
Tim Greer wrote:
>On Thu, 2003-09-04 at 10:23, SMiller@unimin.com wrote:
>
>
>>Regarding the oft cited admonition against "security by obscurity":
>>according to Bruce Schneier this is "Kerckhoffs' Principle", formulated in
>>1883 by Auguste Kerckhoffs, and as such is narrowly applicable only to
>>algorithms used for cryptography. It may or may not apply to other and
>>more generalized security issues, those cases must be evaluated
>>individually. Regarding ICMP:
>>
>>
>
>Fun stuff... what some people seem to fail to understand, is that it's
>unlikely someone's going to randomly probe for IP's to just randomly
>attack. The type of attacks that people launch are going to be from
>people that know you're there anyway.... otherwise if they are mindless
>enough, they will apparently attack the IP they didn't check to see if
>it's there.
>
>A network is going to be attacked if it's a target... if it is, you can
>toss any responses you like and pretend there's nothing but a big, black
>hole in cyberspace... they'll still hit your network. If they are doing
>it blindly, they will do it blindly anyway. I don't see this as much of
>a benefit, unless you are going to be targeted and you can somehow
>minimize the damage done by disabling this.
>
>Overall, I don't think it's a good or bad thing, I do it on some and not
>on others, depending on what I'm thinking or doing at the time. However,
>I wouldn't really say it's going to do much one way or another, unless
>you just want to prevent very specific type of attacks where this would
>actually help prevent or minimize damage. But just to hide, well, good
>luck. :-)
>
>