Security Basics mailing list archives
RE: ICMP (Ping)
From: Tim Greer <chatmaster () charter net>
Date: 08 Sep 2003 10:39:32 -0700
On Mon, 2003-09-08 at 10:11, Jay Woody wrote:
> Guys again, I am not saying that you disable pings and walk away, job done. If you do that, you are a moron. My point is that if you disable pings, that is ONE STEP in a myriad of stuff to do. Let's look at it this way, if disabling pings stops one person and you have no need for pings, then why not make it a step?
There's no reason other than perhaps annoyances when you're trying to simply do tests/checks yourself on a network or system, to keep it on. I don't think there's anything wrong with disabling it, but just do it for the right reasons.
> Of course my argument is that it stops way more than one person. Tim's argument is that it stops very few. However, if it stops any, then some people would say it was worth it.
That's fair. I personally don't worry, but it's your network and system, you have the right. It may reduce the annoyances you see in your logs, I don't deny that.
> As an aside, Foundstone's tool is incredible. It zips up to around 300K and you guys are right, it port scans like a freaking demon. Still not as fast as pinging, but you guys are right the time is getting smaller and smaller.
Right, but I meant just check to see if few ports are open, not an entire port scan on an IP... so it's purposeful to a would-be cracker more than a ping response would be. I mean, that method is sort of dated. But again, it may keep the uneducated defacers away and not fill up your system logs so much. However, again, my experience is that systems and networks with this disabled get hit just as much. As with anything, your mileage may vary.
> I still believe that if someone was scanning an entire C range (or God forbid a B range), that they would prefer to whittle out the addresses that don't respond and not have to wait for the timeouts.
Sure, but again, they can do the same by just checking for port 80 and 25, for example. It's just as fast and if those aren't there, they likely have no reason to target it anyway--that is, especially if they are some script kiddie looking to deface web sites (that would be on port 80).
> You claim it did it all in 30 minutes, but maybe it would have timed out in 5 (just a wild guess).
Right, so just check as the above.
> If you are scanning 255 addresses, that is over 21 hours of timeouts. All I am saying is that most of the tools will simply whittle out the ones that don't respond that way they don't have to wait for a timeout and then run something like this against them.
<snip>
--
Tim Greer <chatmaster () charter net>