RE: ICMP (Ping)

From: Jay Woody (jay_woody_at_tnb.com)
Date: 09/08/03

  • Next message: MARZIOU,GAEL (HP-France,ex1): "RE: Fake Sites"
    Date: Mon, 08 Sep 2003 12:32:52 -0500
    To: <security-basics@securityfocus.com>, <azarin@tokimi.net>
    
    

    Nicely put. Wish I had worded it like that to begin with. Thanks!

    JayW

    >>> Chris Ess <azarin@tokimi.net> 09/08/03 11:38AM >>>
    Okay. We've probably gotten slightly off-topic, but I figured I'd throw my
    two copper pieces in anyway. I'll provide one example for why blocking
    pings might be a good idea... and one where it doesn't matter if you block
    them or not. However, I'm no expert.

    * Saved by blocking pings: nmap

    Yes, nmap. Everyone on this list has used nmap or is hopefully familiar
    with what it does. For those of you who don't know, nmap is a portscanning
    utility.

    The first thing nmap appears to do before it actually runs a scan is ping
    the host. If it cannot ping the host, it returns:

        Note: Host seems down. If it is really up, but blocking our ping
        probes, try -P0

    nmap can be used to scan a host or a network. It's not a very nice or
    graceful way but it works. And, hey, Joe Q. Script-Kiddie doesn't care if
    it's graceful as long as it works.

    In this case, if you block pings, nmap won't bother to scan your machine
    unless the person running it has specified '-P0' on the command line. In
    which case, he'd better not be expecting results anytime soon.

    He can still come back later and run another scan, but if we assume that
    he's running nmap as his opening move, a machine that does not ping will
    be that much less likely to be targeted.

    But... if his opening move is different, how much safer will you be?

    This takes us to...

    * W32.Blaster.Worm et al

    Why am I bothering to include a worm here, you may wonder.

    To really oversimplify things, what is a worm other than a vulnerability
    scanner that then exploits said vulnerability? (As I said, to really
    oversimplify things.)

    Worms, and many vulnerability scanners, do not necessarily ping a host
    before they try to connect. In fact, I do not know of a worm that does
    ping the host whose IP it randomly generates before it tries to test (and
    then possibly exploit) the host. Some vulnerability scanners may not
    bother to ping because people have been blocking pings or other ICMP
    traffic from their machines -- or maybe just because it's too much bother.
    (If the machine isn't running a service, you'll just time out after five
    minutes or so and keep going.)

    Blocking pings or other ICMP traffic is not the magic piece of armor that
    will protect you from being attacked. It's a deterrent, nothing more.
    Think of it like barbed wire on the top of a fence -- some people will
    stay away from it and decide not to mess with whatever's inside, while
    those who really want to get in will continue to attempt different
    measures to gain entry. However, the barbed wire is no replacement for
    other, stronger measures, like electrifying the fence, employing armed
    guards and vicious dogs, and, for the extremely paranoid, land mines.

    Blocking pings is ultimately the decision of the administrators running
    the machine or network. For the paranoid, dropping pings is probably best
    for them. For my personal machine at home, though, I don't think the risk
    from responding to pings is high enough to cause concern. And, for the
    moment, having it respond to pings is useful to me.

    Sincerely,

    Chris Ess
    System Administrator / CDTT (Certified Duct Tape Technician)
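The two behaviours contrasted in the message above (a ping-first scanner that concludes "host seems down" when echo requests are dropped, versus a worm or vulnerability scanner that connects straight to the service port) are easy to tell apart in a firewall log. The following is an added example, not part of the original post: it reads netfilter LOG output and classifies each source by whether it sent ICMP echo requests, TCP SYNs, or both. The log lines, the gateway name and the addresses are constructed for the example. (Current nmap spells the skip-host-discovery flag -Pn; -P0 is the older form quoted above.)

```python
import re
from collections import defaultdict

# Constructed sample of netfilter LOG output (iptables -j LOG --log-prefix "FW: ").
# Host name, addresses and timestamps are hypothetical; not from the original post.
SAMPLE_LOG = """\
Sep  8 12:30:01 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=84 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=0
Sep  8 12:30:02 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=84 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Sep  8 12:30:05 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=84 TTL=49 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
Sep  8 12:30:06 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=60 TTL=49 ID=31337 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep  8 12:30:06 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=60 TTL=49 ID=31338 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Sep  8 12:30:06 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=60 TTL=49 ID=31339 DF PROTO=TCP SPT=40003 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Sep  8 12:31:10 gw kernel: FW: IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.10 LEN=48 TTL=113 ID=2021 DF PROTO=TCP SPT=1103 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Sep  8 12:31:10 gw kernel: FW: IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.11 LEN=48 TTL=113 ID=2022 DF PROTO=TCP SPT=1104 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# netfilter LOG fields are KEY=VALUE tokens; TCP flags (SYN, ACK, ...) are bare words.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
SYN_RE = re.compile(r"\bSYN\b")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line plus a 'SYN' boolean,
    or None if the line is not a firewall record."""
    if "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    fields["SYN"] = SYN_RE.search(line) is not None
    return fields


def summarize_sources(log_text):
    """Per source address: count of ICMP echo requests (type 8) and the set
    of TCP ports it sent SYNs to."""
    echo = defaultdict(int)
    syn_ports = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        src = f["SRC"]
        if f["PROTO"] == "ICMP" and f.get("TYPE") == "8":
            echo[src] += 1
        elif f["PROTO"] == "TCP" and f["SYN"]:
            syn_ports[src].add(int(f["DPT"]))
    return echo, syn_ports


def classify_sources(log_text):
    """Map each source to (label, sorted SYN-probed ports):
      ping-only          echo requests but no SYNs: a ping-first sweep that
                         stopped at 'host seems down', or just someone pinging
      ping-then-scan     echo requests followed by SYNs: scanned regardless,
                         e.g. a discovery-skipping (-P0/-Pn) scan
      scan-without-ping  SYNs with no echo request at all: worm- or
                         vulnerability-scanner-style; dropping ICMP echo
                         changed nothing for this source"""
    echo, syn_ports = summarize_sources(log_text)
    verdict = {}
    for src in set(echo) | set(syn_ports):
        pinged = echo.get(src, 0) > 0
        ports = sorted(syn_ports.get(src, ()))
        if pinged and not ports:
            label = "ping-only"
        elif pinged:
            label = "ping-then-scan"
        else:
            label = "scan-without-ping"
        verdict[src] = (label, ports)
    return verdict


if __name__ == "__main__":
    for src, (label, ports) in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:16} {label:18} ports={ports}")
```

On the sample, 198.51.100.7 is ping-only (the case where dropping echo requests deterred something), 198.51.100.9 pinged and scanned anyway, and 192.0.2.66 went straight for TCP 135 on two hosts without ever pinging, which is the worm pattern the message describes. Run the same classifier over real LOG output to see how much of the probe traffic on a given network would have been affected by an ICMP echo drop rule at all.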

    ---------------------------------------------------------------------------
    Captus Networks
    Are you prepared for the next Sobig & Blaster?
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Precisely Define and Implement Network Security
     - Automatically Control P2P, IM and Spam Traffic
    FIND OUT NOW - FREE Vulnerability Assessment Toolkit
    http://www.captusnetworks.com/ads/42.htm
    ----------------------------------------------------------------------------


