Re: How to prevent system from replying to Ping (ICMP Echo) requests?
From: Kaptain Krunch (captainkrunch_at_comcast.net)
Date: 09/28/04
Date: Mon, 27 Sep 2004 20:48:16 -0400
"Copelandia Cyanescens" <synesthesia@ix02x67invalid.net> wrote in message
news:1btpo0ru7h6tz$@x02x67invalid.net...
> Leythos wrote...
>
> >> The actual, real life and modern threat of either aside, would you
> >> refuse to accept all emails simply because there might be the odd virus
> >> infected message among them?
> >
> > We remove attachment types that can carry a virus and for the ones not
> > removed we scan them before letting them into the network - if they
> > can't be scanned they are deleted.
>
> Why not drop POD and fragged packets likewise, rather than refusing all
> email? :) Actually, that's pretty much the way such things are handled
> now in most environments, where "pings" are typically allowed.
>
> > There is no reason to let ping inbound or to be replied to by the
>
> Yes, there is. It's normal net traffic as specified by RFC. That
> principle alone is enough to thrash the "no reason to allow" argument in
> my book.
>
> And that doesn't even consider the possibility that some software may be
> broken by dropping echo requests. P2P and VPN applications would seem
> the most likely suspects, although I'm not aware of any specific
> scenarios offhand. And I'm too lazy to research it at the moment. ;)
> However, from what little I know of such things it's almost guaranteed
> those scenarios exist.
>
> > firewall. While security through obscurity is not a valid method, it's
>
> Tell that to an undercover police officer or a soldier wearing
> camouflage. <grin>
>
> > nice to see people move on when they can't get a response from your
> > IP's.
>
> I'll agree that the average inexperienced nmapper might be thwarted, but
> is this guy really a threat anyway unless you have other vulnerabilities?
> And will it reliably thwart them to begin with?? Not meant as an insult
> at all, but this would seem to be more of a personal satisfaction or
> "vanity" reason than anything related to actual security.
>
> I suppose there are valid arguments on both sides really, and the ultimate
> choice depends on your basic "upbringing" and specific situation. I was
> just raised to believe that crippling something to solve a problem that
> isn't a real major concern to begin with is sorta "snake oily".
>
> Just my 2 centavos worth... take it with a grain. ;)
>
> --
> The illegal we do immediately. The unconstitutional takes a bit
> longer.
>
> -- Henry Kissinger
>
GRINNING.. My 2½ cents: guess it is my right to not answer the phone when I am
not expecting a call? If I unplug my answering machine and turn off my
ringer, guess that IS my constitutional right, eh, LOL we know you like the
constitution...
KK