Security Basics mailing list archives

RE: ICMP (Ping)


From: "Jay Woody" <jay_woody () tnb com>
Date: Fri, 05 Sep 2003 16:29:59 -0500

> What purpose would seeing a response from a ping serve to a
> kiddy looking to deface web sites?  If they are going to attack
> you randomly, why do you assume that they would stop to
> think when they are blindly attacking networks/ips anyway?

Here is how it works again.  They scan a range and then go back and run
a port scan/vuln scan against what replies.  They don't run vuln scans
randomly against ranges, they run ping sweeps randomly against ranges,
those that reply get more attention.  So how would not replying help? 
Well by getting less attention obviously.  They aren't "blindly
attacking networks/ips anyway".  They are blindly scanning or sweeping
networks/ips through the use of pings.  They are not so blindly (but
almost) running a port scan against those that reply.  Then they are
running a vuln scan against the boxes that just told them they were a
certain OS, etc.

> Running a scanner to look for open ports or vulnerabilities
> in services is not going to change because you don't reply
> to ping requests.  Those scans will check the ports and
> services on said IP--not give up if it can't get a ping
> response.

Man, dude, where do I start on this one?  :)  Yes, running something
like that would behave exactly as you describe (I think).  However, that
isn't at all what anyone has said.  Again, they "scan" the ADDRESSES in
a range for a simple reply and then run a port scan/vuln scan against
those that reply.  Your point is that if they don't respond to pings,
they likely won't respond to vuln scans.  The script kiddies say the
same thing in reverse.  If you respond to a ping you likely will give up
more information if asked.  Again, they scan the range for replies and
then run a port scan/vuln scan against the replies for more info.  They
don't blindly run a vuln scan against a range.  That would be even more
stupid and waste time.

> And that doesn't relate to the type of attacks being
> discussed.  That's another, less serious issue anyway.

Uh, OK.  The question was should your devices reply.  There is not an
ATTACK there.  The statement was that no, they shouldn't because then
you get more interest from the kiddies.  You said no you don't and I
said yes you do.  Haven't heard about any attack mentioned at all. 
Also, if you think having your web page defaced is not serious, then ask
Nike how much the press hurt them and ask Microsoft how much money they
spend on making sure it doesn't happen to them.  If you are a seller,
then having your web page defaced and pointing people to a site that
gathers their credit card numbers would be decently serious I would
think.

> No, they'd probe for vulnerabilities by domain or IP, the
> ping response plays no role in that situation.

If they are probing for vulnerabilities by domain (and I am not 100%
sure what you mean there), then they are retarded.  I said that they
deface the web page and move on and you reply that they scan for vulns
by domain.  Again, the ping response plays a HUGE role.  They ping a
group of addresses, if you don't respond they move the FREAK ON.  If you
do, they run a port scan, then a vuln scan against you.  By not
replying, you stop the kiddies from looking (in addition to many of the
other DDoS issues mentioned already).  "[T]hey'd probe for
vulnerabilities . . . IP", yep, exactly and where did they get the IP
address?  By the freaking ping reply.  No reply, fewer attempts.  I am
just not saying it right or something, so help me see where we are
missing it.

> That is irrelevant.

Then your point is irrelevant, because I was agreeing with your point. 
Sure, some people see a site and say, "I want to hack that particular
company."  99% don't.  They say, I want to hack 40 sites in a week.  I
don't give a crap who, so let's see who replies.

> True.  You're either vulnerable or not.  But it depends on the
> type of attack and on what service or protocol.

And if you don't reply to pings then 90% of the kiddies never even try
to find out what will work against you.

> No it doesn't.  Skripties are stupid by nature.  They hit
> blindly with the scanners, the scanners don't give up if
> there's no ping response,

See, here is where you keep missing it.  They DO NOT blindly run vuln
scans.  They blindly run Ping sweeps.  They scan a range and see who
replies and then they run the port scan that you describe against just
those areas that replied.  Then they run the vuln scan against just
those addresses that replied and that have a certain OS, etc.  That is
well known.  So either you are saying they run vuln scans against huge
ranges, which isn't true or you are saying that ping sweeps or scans
will still document you when you don't reply, which is also not true. 
They don't run an in depth scan until they see if you are alive or not. 
If you are not alive, why waste their time, there are plenty of people
that are.  I run Zone Alarm at home.  They ping me and I don't reply,
now they could run a suite of vuln scans against me and an hour or more
to see what is turned up OR they could move to next door neighbors PC
where the password is password.  They just move on.  They are looking
for the slow, stupid ones on the fringe to gobble up.  If you don't
reply to a ping, most script kiddies will simply move on.  That has been
the opinion espoused by a great majority of responders to this thread,
so I am obviously not the only one that feels this way.

> they are busy checking to see what's running on the various
> ports that particular scanner scans.  It's almost contradictive
> to use script kiddie and 'dig deeper' in the same sentence.

Not if you didn't reply to a ping they don't.  Think about it man.  If
you ping sweep a range of 255 addresses and 20 respond and you are a
little kiddie, you are going to focus on those 20, crack 5 quickly and
go brag about it.  You are not going to kick off your favorite little
vuln scanner against addresses that "aren't up" in the hopes that maybe
one is, spend all night dicking with that one and then having nothing to
brag about.  It is a numbers game.  They want to be able to say they
cracked X number last night.  Not that they spent all night scanning a
range and then finding out that indeed there really were no other boxes
there.

> But they aren't looking for boxes that reply to ping requests,
> they hit the IP on various ports to check to see if that port/
> service responds and with what.

I am beginning to think you are screwing with me now.  Surely you have
downloaded one of these things.  They don't do that at all.  They first
sweep a range and gather addresses.  Then they compile that in a list. 
Then they run their port scan/vuln scan against each of those IPs and
THAT scanner is what looks for ports, weak passwords, etc.  The point
being made here, over and over, is that if you are not one of the
addresses on the list, then the scanner isn't run against you.  How do
you stay off of the list?  Well, how did you get on it?  You responded
to a ping.  No response equals less kiddie attacks.  Period.  Less
script kiddie attacks means more time to get the vulns patched and less
of a chance that a bonehead move gets you compromised.

> Like I said, a dumb ass script kiddie will hit the ports
> checking the services for vulnerable services.  Ping
> response or not makes absolutely no difference.

And like I said, it absolutely does.  They are not doing random port
scans.  They are doing random PING SWEEPS and then doing semi-random
port scans on those that REPLY.  Then running specific vuln scans on
boxes that replied as needed to the port scans.  You seem to think they
just jump right into the port scanning world and they just don't.  Why
run a port scan against a non-existent box?  It is just a waste of your
time.  They don't.


> It's either going to happen or not, random or targeted.
> If it's random, you'll be hit and probed anyway (being an
> attack or probe).  If it's not random, well, we all know the
> answer.

If they were running port scans, you might be right, but again, they
don't until you first let them know there is a box there to run one
against.  No box, no port scan.  No ping, no box to them.  On to the
next range.

> I don't see the point to that side of this debate.

Cause you aren't trying.  You are just insisting that the process
starts in the middle.  It doesn't.  It starts at the beginning and that
is the ping sweep.  If I were you, I would try to understand that side
seeing as how a great majority of the posters have thus far espoused the
same idea.  You seem to be under the impression that a kiddie's first
tool is his port scanner and it isn't.  It is his ping sweeper.  THAT
produces the list that he uses for everything else.  Again, not 100% of
the time, but 90-95% of it.  My 2 cents.  Maybe that clarifies it.

JayW
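The workflow Jay describes above (sweep a range, keep the addresses that answer, then port-scan and vuln-scan only those) also tells a defender what to look for in the firewall log: one source sending ICMP echo requests to many different addresses in a short window. The script below is an added example and is not part of the original thread or anything either poster wrote. It parses constructed netfilter-style LOG lines (the format, the documentation-range addresses and the timestamps are all made up for the example) and flags any source that reaches at least ten distinct destinations within sixty seconds, while a monitoring host that repeatedly pings the same two servers is left alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Fields we need from a netfilter/iptables "LOG" target line. The sample lines
# below are constructed for this example; real lines carry the same SRC=/DST=/
# PROTO=/TYPE= tokens but may differ in the leading syslog prefix.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)(?: TYPE=(?P<type>\d+))?"
)


def parse_line(line, year=2003):
    """Return a dict with timestamp, src, dst, proto and ICMP type, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "icmp_type": int(m["type"]) if m["type"] else None,
    }


def detect_ping_sweeps(lines, window_s=60, min_hosts=10):
    """Flag sources whose ICMP echo requests (type 8) reached at least
    `min_hosts` distinct destinations inside any `window_s`-second window.

    Returns {source_ip: set_of_destinations_seen}. Lines must be in time order
    per source, as they are in a log file.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, dst) still inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["proto"] != "ICMP" or ev["icmp_type"] != 8:
            continue  # only inbound echo requests matter for a sweep
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        # Slide the window: drop events older than window_s relative to this one.
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) >= min_hosts:
            alerts.setdefault(ev["src"], set()).update(hosts)
    return alerts


def _log(ts, src, dst, proto="ICMP", icmp_type=8):
    """Build one constructed netfilter-style LOG line."""
    if proto == "ICMP":
        tail = f" TYPE={icmp_type} CODE=0 ID=4242 SEQ=1"
    else:
        tail = " SPT=40000 DPT=80 SYN"
    return (f"{ts} gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST={dst} LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO={proto}{tail}")


# Constructed sample log (documentation/test ranges only):
#  - 198.51.100.7 sweeps 203.0.113.1-20, one echo request per second;
#  - 203.0.113.250 is a monitoring host that pings the same two servers
#    every ten seconds (many requests, only two destinations: not a sweep);
#  - one TCP SYN that the detector must ignore.
SAMPLE_LOG = (
    [_log(f"Sep  5 16:20:{i:02d}", "198.51.100.7", f"203.0.113.{i + 1}") for i in range(20)]
    + [_log(f"Sep  5 16:2{1 + i // 6}:{(i * 10) % 60:02d}", "203.0.113.250",
            f"203.0.113.{1 + i % 2}") for i in range(12)]
    + [_log("Sep  5 16:22:30", "192.0.2.9", "203.0.113.5", proto="TCP")]
)


def summarize(alerts):
    """One human-readable line per flagged source, sorted for stable output."""
    return [f"{src} swept {len(dsts)} hosts: {', '.join(sorted(dsts))}"
            for src, dsts in sorted(alerts.items())]


if __name__ == "__main__":
    for line in summarize(detect_ping_sweeps(SAMPLE_LOG)):
        print(line)
```

The distinct-destination count is what separates a sweep from legitimate ICMP traffic: a monitoring host generates many echo requests but to a fixed set of targets, so it never crosses `min_hosts`. Feed the same function a real LOG file (one line per inbound echo request) and tune `window_s` and `min_hosts` to the size of your address space.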

Tim Greer <chatmaster () charter net> 09/05/03 03:18PM >>>
On Fri, 2003-09-05 at 07:42, Jay Woody wrote:
> See, now I have to disagree here.  I'll use web page defacements as an
> example.  Script Kiddies showed that they did not care who or what they
> were targeting 90% of the time.

What purpose would seeing a response from a ping serve to a kiddy
looking to deface web sites?  If they are going to attack you randomly,
why do you assume that they would stop to think when they are blindly
attacking networks/ips anyway?

> They just scan a range and whoever
> replied they ran a vuln scanner against.


Running a scanner to look for open ports or vulnerabilities in services
is not going to change because you don't reply to ping requests.  Those
scans will check the ports and services on said IP--not give up if it
can't get a ping response.

> If they could get in and
> "hack" the web page, they would.

And that doesn't relate to the type of attacks being discussed.  That's
another, less serious issue anyway.

> They'd get their "message" out and
> move on.

No, they'd probe for vulnerabilities by domain or IP, the ping response
plays no role in that situation.

> Did some target pro-Israeli sites, etc.?  Of course, but many
> more were just companies that replied and then had a vuln scan ran
> against them.

That is irrelevant.

> Here is what it boils down to in my opinion, in the case of a
> determined hacker that wants you and no one else, then obviously
> blocking pings ain't gonna cut it.

True.  You're either vulnerable or not.  But it depends on the type of
attack and on what service or protocol.

> However, in the case of script
> kiddies that just scan a range and hit who replies, then blocking pings
> stops about 95% of them from even going any deeper.

No it doesn't.  Skripties are stupid by nature.  They hit blindly with
the scanners, the scanners don't give up if there's no ping response,
they are busy checking to see what's running on the various ports that
particular scanner scans.  It's almost contradictive to use script
kiddie and 'dig deeper' in the same sentence.

> I heard one say (I
> think it was Hackweiser) that if someone didn't reply, why keep looking
> at them, there were plenty of other boxes that would reply.

But they aren't looking for boxes that reply to ping requests, they hit
the IP on various ports to check to see if that port/service responds
and with what.

> If all you
> care is to try and hack 400 boxes, then why waste time?  Just hit the
> ones that are easy and come back to the hard ones.

Like I said, a dumb ass script kiddie will hit the ports checking the
services for vulnerable services.  Ping response or not makes absolutely
no difference.  It's either going to happen or not, random or targeted.

If it's random, you'll be hit and probed anyway (being an attack or
probe).  If it's not random, well, we all know the answer.  I don't see
the point to that side of this debate.
-- 
Tim Greer <chatmaster () charter net>

