Security Basics mailing list archives

RE: ICMP (Ping)


From: "Jay Woody" <jay_woody () tnb com>
Date: Fri, 05 Sep 2003 09:42:07 -0500

See, now I have to disagree here.  I'll use web page defacements as an
example.  Script Kiddies showed that they did not care who or what they
were targeting 90% of the time.  They just scan a range and whoever
replied they ran a vuln scanner against.  If they could get in and
"hack" the web page, they would.  They'd get their "message" out and
move on.  Did some target pro-Israeli sites, etc.?  Of course, but many
more were just companies that replied and then had a vuln scan run
against them.

Here is what it boils down to in my opinion, in the case of a
determined hacker that wants you and no one else, then obviously
blocking pings ain't gonna cut it.  However, in the case of script
kiddies that just scan a range and hit who replies, then blocking pings
stops about 95% of them from even going any deeper.  I heard one say (I
think it was Hackweiser) that if someone didn't reply, why keep looking
at them, there were plenty of other boxes that would reply.  If all you
care is to try and hack 400 boxes, then why waste time?  Just hit the
ones that are easy and come back to the hard ones.

JayW

Tim Greer <chatmaster () charter net> 09/04/03 05:52PM >>>
On Thu, 2003-09-04 at 10:23, SMiller () unimin com wrote:
Regarding the oft cited admonition against "security by obscurity":
according to Bruce Schneier this is "Kerckhoffs' Principle", formulated in
1883 by Auguste Kerckhoffs, and as such is narrowly applicable only to
algorithms used for cryptography.  It may or may not apply to other and
more generalized security issues, those cases must be evaluated
individually.  Regarding ICMP:

Fun stuff... what some people seem to fail to understand, is that it's
unlikely someone's going to randomly probe for IPs to just randomly
attack.  The type of attacks that people launch are going to be from
people that know you're there anyway.... otherwise if they are mindless
enough, they will apparently attack the IP they didn't check to see if
it's there.

A network is going to be attacked if it's a target... if it is, you can
toss any responses you like and pretend there's nothing but a big, black
hole in cyberspace... they'll still hit your network.  If they are doing
it blindly, they will do it blindly anyway.  I don't see this as much of
a benefit, unless you are going to be targeted and you can somehow
minimize the damage done by disabling this.

Overall, I don't think it's a good or bad thing, I do it on some and not
on others, depending on what I'm thinking or doing at the time.  However,
I wouldn't really say it's going to do much one way or another, unless
you just want to prevent very specific types of attacks where this would
actually help prevent or minimize damage.  But just to hide, well, good
luck. :-)
-- 
Tim Greer <chatmaster () charter net>


---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.
Visit us: www.blackhat.com
----------------------------------------------------------------------------



