Security Basics mailing list archives
RE: ICMP (Ping)
From: "Jay Woody" <jay_woody () tnb com>
Date: Mon, 08 Sep 2003 09:29:53 -0500
How what works? How you assume they will attack the network or probe it?
How I and everyone that has replied to this thread other than you seems to think it works. Take a look at alldas or attrition. Those guys have been gathering that info for years. It is not an assumption but rather how the industry has reported it for years now.
Most just simply run them. If they are up, they are up.
Again, not really how it works, but if it makes you feel better, fine. They ping first, compile a list and then run a port scan against that list and compile another list. They then run a vuln scan against that list. There are several pre-made tools that do this for you. Their source code is available. Please feel free to find them and take a look. To go straight to running a vuln scan against a box that isn't up would just fill your logs up with crap that would require them to parse it, etc. They just simply don't care enough to take the time. If you think they do, fine, but many people have seemingly responded along the same lines that I have, so obviously I am not alone in my "assumption".
Yes, actually, 'they' do.
We could do this all day man, pull the tools down and look at them. They don't. Aside from the mindless worms that go out and do this, when a kiddie is doing it, he narrows it down first and then runs as needed. Obviously not 100% of the time, but a great huge majority. That is what most if not all of the people that have responded thus far have said also.
Not really. Some people may do that, but experience dictates otherwise.
Not seemingly from all the replies that I have seen. Experience dictates that most do that and that is why many people block pings.
The people that randomly probe just do it, they don't make a list to spend a lot of time on unless it's an intentional, known target they have some desire to break into.
This is correct and that probe starts with a ping sweep.
If you are correct and someone collects a list of "I'm live, I'm here" responding IPs are to later be targeted, that's one thing, but I've never seen that.
Then feel free to go download a couple of the tools and source codes. I can go as far as to say that I have never seen a tool that didn't whittle it down before running the vuln scan. I'm sorry that you have never apparently seen this. Perhaps this is because you are replying to pings and therefore see a lot of port scans and vuln scans that many of the rest of us don't. I never said that all you have to do is block pings and you are secure. You asked how does it help and I have explained it now in detail. If you don't agree, cool. Don't block them. You asked, I answered and now you want to get petty. Again, please just download the tools. This is getting old with me saying, yes they do and you saying no they don't. You know my and a majority of the posters' opinion. I offered you an option of consulting known gatherers of defacements, looking at the tools they use and looking at the replies from a majority of people that say they do it for DoS reasons and the ones that I have said in here several times. If you would like to write to me off-list to continue mindless arguing of Yes they do, No they don't, feel free. If not, you know how I and a great many people feel. You asked, I explained. Your choice follows that one.
Peace.
JayW
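An added example, not part of the original post or of any tool it mentions: Python detection logic that labels external sources in border-firewall records by whether their port probes followed a ping sweep and were limited to hosts that replied, which is the staging the message describes. The log format, the addresses (documentation ranges) and the `classify_sources` name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: "time src dst event" (format is an assumption).
SAMPLE_LOG = """\
09:00:01 203.0.113.7 192.0.2.10 icmp-echo
09:00:01 203.0.113.7 192.0.2.11 icmp-echo
09:00:01 203.0.113.7 192.0.2.12 icmp-echo
09:00:01 203.0.113.7 192.0.2.13 icmp-echo
09:00:02 192.0.2.10 203.0.113.7 icmp-reply
09:00:02 192.0.2.12 203.0.113.7 icmp-reply
09:05:10 203.0.113.7 192.0.2.10 tcp-syn:22
09:05:10 203.0.113.7 192.0.2.10 tcp-syn:80
09:05:11 203.0.113.7 192.0.2.12 tcp-syn:80
09:07:00 198.51.100.9 192.0.2.11 tcp-syn:135
09:07:00 198.51.100.9 192.0.2.13 tcp-syn:135
"""

def classify_sources(log_text, sweep_min=4):
    """Label each external source by the probing pattern its records show."""
    swept = defaultdict(set)      # prober -> hosts it sent echo requests to
    answered = defaultdict(set)   # prober -> hosts that sent it an echo reply
    scanned = defaultdict(lambda: defaultdict(set))  # prober -> host -> ports
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        _, src, dst, event = parts
        if event == "icmp-echo":
            swept[src].add(dst)
        elif event == "icmp-reply":
            answered[dst].add(src)  # reply travels from host (src) to prober (dst)
        elif event.startswith("tcp-syn:"):
            scanned[src][dst].add(int(event.split(":", 1)[1]))
    report = {}
    for src in set(swept) | set(scanned):
        targets = set(scanned[src])
        if len(swept[src]) < sweep_min:
            kind = "direct-scan" if targets else "isolated-ping"
        elif not targets:
            kind = "sweep-only"          # swept, then nothing followed
        elif targets <= answered[src]:
            kind = "sweep-then-scan"     # follow-up limited to hosts that replied
        else:
            kind = "sweep-and-scan-all"  # scanned hosts that never replied too
        report[src] = {"kind": kind, "swept": len(swept[src]),
                       "answered": sorted(answered[src]), "scanned": sorted(targets)}
    return report
```

On the sample, the first source is labelled `sweep-then-scan` and the second, which sends SYNs with no preceding echo requests, is labelled `direct-scan`, so both behaviours argued over in the thread can be counted separately in real logs.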