RE: ICMP (Ping)

From: Vineet Mehta (vineet_at_linux.com.kw)
Date: 09/07/03

    To: security-basics@securityfocus.com
    Date: Sun, 07 Sep 2003 08:28:18 +0300
    
    
    

    I think it's just a personal/company policy. Hackers who want to hack
    your system will do so not only from an ICMP attack but from many others
    available. So blocking ICMP is just an assurance that some of the hackers
    are kept at bay.

    If a company needs ICMP for administrative purposes and these needs go
    further than stopping ICMP, then it's also right. Coz it's all about needs and
    fulfilling the business needs.

    If a company is blocking ICMP then it's his policy, if it's not then it's
    his policy; both policies are right from their perspective. We have seen
    so many responses on this topic and they all highlight that.

    For a real security person, he would definitely block ICMP, coz his
    systems are dear to him.

    This is all I can say.
    I hope it was not so bad to digest :(

    On Fri, 2003-09-05 at 23:18, Tim Greer wrote:
    > On Fri, 2003-09-05 at 07:42, Jay Woody wrote:
    > > See, now I have to disagree here. I'll use web page defacements as an
    > > example. Script Kiddies showed that they did not care who or what they
    > > were targeting 90% of the time.
    >
    > What purpose would seeing a response from a ping serve to a kiddy
    > looking to deface web sites? If they are going to attack you randomly,
    > why do you assume that they would stop to think when they are blindly
    > attacking networks/ips anyway?
    >
    > > They just scan a range and whoever
    > > replied they ran a vuln scanner against.
    >
    >
    > Running a scanner to look for open ports or vulnerabilities in services
    > is not going to change because you don't reply to ping requests. Those
    > scans will check the ports and services on said IP--not give up if it
    > can't get a ping response.
    >
    > > If they could get in and
    > > "hack" the web page, they would.
    >
    > And that doesn't relate to the type of attacks being discussed. That's
    > another, less serious issue anyway.
    >
    > > They'd get their "message" out and
    > > move on.
    >
    > No, they'd probe for vulnerabilities by domain or IP, the ping response
    > plays no role in that situation.
    >
    > > Did some target pro-Israeli sites, etc.? Of course, but many
    > > more were just companies that replied and then had a vuln scan run
    > > against them.
    >
    > That is irrelevant.
    >
    > > Here is what it boils down to in my opinion, in the case of a
    > > determined hacker that wants you and no one else, then obviously
    > > blocking pings ain't gonna cut it.
    >
    > True. You're either vulnerable or not. But it depends on the type of
    > attack and on what service or protocol.
    >
    > > However, in the case of script
    > > kiddies that just scan a range and hit who replies, then blocking pings
    > > stops about 95% of them from even going any deeper.
    >
    > No it doesn't. Skripties are stupid by nature. They hit blindly with
    > the scanners, the scanners don't give up if there's no ping response,
    > they are busy checking to see what's running on the various ports that
    > particular scanner scans. It's almost contradictive to use script
    > kiddie and 'dig deeper' in the same sentence.
    >
    > > I heard one say (I
    > > think it was Hackweiser) that if someone didn't reply, why keep looking
    > > at them, there were plenty of other boxes that would reply.
    >
    > But they aren't looking for boxes that reply to ping requests, they hit
    > the IP on various ports to check to see if that port/service responds
    > and with what.
    >
    > > If all you
    > > care is to try and hack 400 boxes, then why waste time? Just hit the
    > > ones that are easy and come back to the hard ones.
    >
    > Like I said, a dumb ass script kiddie will hit the ports checking the
    > services for vulnerable services. Ping response or not makes absolutely
    > no difference. It's either going to happen or not, random or targeted.
    > If it's random, you'll be hit and probed anyway (being an attack or
    > probe). If it's not random, well, we all know the answer. I don't see
    > the point to that side of this debate.

    -- 
    Vineet Mehta
    Network Security Consultant
    Kuwait Linux Company
    Kuwait
    Ph-2412552/2463633
    <vineet [at] linux [dot] com [dot] kw>
    www.linux.com.kw
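
The disagreement in this thread (whether sources that get no ping reply stop there or probe TCP ports anyway) can be measured on your own perimeter. The following is an added example, not part of the original message: it assumes the firewall drops and logs inbound echo requests and TCP SYNs in simplified netfilter LOG-style lines; the sample lines and category names are constructed.

```python
import re
from collections import Counter, defaultdict

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs as written by the LOG target

# Constructed sample: every packet below was dropped, so no source got a reply.
SAMPLE_LOG = """\
Sep  5 07:42:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
Sep  5 07:42:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40112 DPT=80
Sep  5 07:43:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=22
Sep  5 07:43:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=80
Sep  5 07:50:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
Sep  5 07:50:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
Sep  5 08:01:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=33333 DPT=445
Sep  5 08:01:30 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
"""

def classify_sources(log_text):
    """Label each source IP by what it did toward a host that never answers ping."""
    events = defaultdict(list)  # src -> ordered "echo" / "tcp:<port>" events
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        src, proto = f.get("SRC"), f.get("PROTO")
        if not src:
            continue
        if proto == "ICMP" and f.get("TYPE") == "8":  # type 8 = echo request
            events[src].append("echo")
        elif proto == "TCP" and "DPT" in f:
            events[src].append("tcp:" + f["DPT"])
    result = {}
    for src, seq in events.items():
        tcp = [e for e in seq if e.startswith("tcp:")]
        if not tcp:
            result[src] = "ping_only"               # never went past the ping
        elif "echo" in seq[:seq.index(tcp[0])]:
            result[src] = "ping_then_tcp"           # unanswered ping did not stop it
        else:
            result[src] = "tcp_without_prior_ping"  # never relied on ping at all
    return result

def summarize(result):
    """Count sources per category."""
    return dict(Counter(result.values()))

if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(src, label)
    print(summarize(classify_sources(SAMPLE_LOG)))
```

Run over a real log window, the ratio of `ping_only` sources to the other two categories shows how much probing the echo block actually filtered out on that network.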
    
    


