Security Basics mailing list archives

RE: ICMP (Ping)


From: "Jay Woody" <jay_woody () tnb com>
Date: Mon, 08 Sep 2003 09:29:53 -0500

> How what works?  How you assume they will attack the network
> or probe it?

How I and everyone that has replied to this thread other than you seems
to think it works.  Take a look at alldas or attrition.  Those guys have
been gathering that info for years.  It is not an assumption but rather
how the industry has reported it for years now.

> Most just simply run them.  If they are up, they are up.

Again, not really how it works, but if it makes you feel better fine. 
They ping first, compile a list and then run a port scan against that
list and compile another list.  They then run a vuln scan against that
list.  There are several pre-made tools that do this for you.  Their
source code is available.  Please feel free to find them and take a
look.  To go straight to running a vuln scan against a box that isn't up
would just fill your logs up with crap that would require them to parse
it, etc.  They just simply don't care enough to take the time.  If you
think they do fine, but many people have seemingly responded along the
same lines that I have, so obviously I am not alone in my "assumption".

> Yes, actually, 'they' do.

We could do this all day man, pull the tools down and look at them. 
They don't.  Aside from the mindless worms that go out and do this, when
a kiddie is doing it, he narrows it down first and then runs as needed. 
Obviously not 100% of the time, but a great huge majority.  That is what
most if not all of the people that have responded thus far have said
also.

> Not really.  Some people may do that, but experience
> dictates otherwise.

Not seemingly from all the replies that I have seen.  Experience
dictates that most do that and that is why many people block pings.

> The people that randomly probe just do it, they don't
> make a list to spend a lot of time on unless it's an intentional,
> known target they have some desire to break into.

This is correct and that probe starts with a ping sweep.

> If you are correct and someone collects a list of
> "I'm live, I'm here" responding IPs that are to later be
> targeted, that's one thing, but I've never seen that.

Then feel free to go download a couple of the tools and source codes. 
I can go as far as to say that I have never seen a tool that didn't
whittle it down before running the vuln scan.  I'm sorry that you have
never apparently seen this.  Perhaps this is because you are replying to
pings and therefore see a lot of port scans and vuln scans that many of
the rest of us don't.  

I never said that all you have to do is block pings and you are secure.
You asked how does it help and I have explained it now in detail.  If
you don't agree, cool.  Don't block them.  You asked, I answered, and now
you want to get petty.  Again, please just download the tools.  This is
getting old with me saying, yes they do and you saying no they don't. 
You know my and a majority of the posters' opinion.  I offered you an
option of consulting known gatherers of defacements, looking at the
tools they use and looking at the replies from a majority of people that
say they do it for DoS reasons and the ones that I have said in here
several times.  If you would like to write to me off-list to continue
mindless arguing of Yes they do, No they don't, feel free.  If not, you
know how I and a great many people feel.  You asked, I explained.  Your
choice follows that one.  Peace.

JayW
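The ping-sweep-then-port-scan sequence Jay describes, seen from the defender's side: an added detection example (not from the thread or any tool it mentions) that flags a source sending ICMP echo requests to many hosts in a short window and then lists which of those hosts the same source went on to probe over TCP. The log format and all addresses are constructed for the example.

```python
# Added example, not from the thread: flag the ping-sweep-then-port-scan
# sequence in firewall logs. Constructed log format:
#   <epoch> <src_ip> <dst_ip> <proto> <dport or icmp-type>
from collections import defaultdict

# Constructed sample: 203.0.113.9 echo-requests five hosts, then TCP-probes
# only two of them (the ones we assume answered); 198.51.100.7 pings once.
SAMPLE_LOG = """\
1000 203.0.113.9 192.0.2.1 icmp 8
1001 203.0.113.9 192.0.2.2 icmp 8
1002 203.0.113.9 192.0.2.3 icmp 8
1003 203.0.113.9 192.0.2.4 icmp 8
1004 203.0.113.9 192.0.2.5 icmp 8
1010 203.0.113.9 192.0.2.2 tcp 22
1011 203.0.113.9 192.0.2.2 tcp 80
1012 203.0.113.9 192.0.2.4 tcp 22
1100 198.51.100.7 192.0.2.1 icmp 8
"""

def parse(log):
    """Parse log text into (ts, src, dst, proto, extra) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, dst, proto, extra = line.split()
        events.append((int(ts), src, dst, proto, int(extra)))
    return events

def ping_sweeps(events, min_hosts=4, window=60):
    """Sources that sent ICMP echo requests (type 8) to at least min_hosts
    distinct hosts within `window` seconds -> {src: set of swept hosts}."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, extra in events:
        if proto == "icmp" and extra == 8:
            by_src[src].append((ts, dst))
    hits = {}
    for src, pings in by_src.items():
        pings.sort()
        for i, (t0, _) in enumerate(pings):
            hosts = {d for t, d in pings[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[src] = hosts
                break
    return hits

def followup_targets(events, sweeps):
    """Swept hosts that the same source also probed over TCP/UDP: the
    narrowed-down list the thread describes."""
    return {src: {dst for _, s, dst, proto, _ in events
                  if s == src and proto in ("tcp", "udp") and dst in hosts}
            for src, hosts in sweeps.items()}
```

A lone ping from 198.51.100.7 stays below the threshold, which is the point of keying on distinct destinations per source rather than on any single echo request.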

