Security Basics mailing list archives
Re: ICMP (Ping)
From: "Jay Woody" <jay_woody () tnb com>
Date: Mon, 08 Sep 2003 12:51:02 -0500
Yeah again, I have said that with the advent of some of the newer stuff it is getting quicker and quicker to start out with the port or even the vuln scan. I also have already said that I have put in there several times that not 100% of the time do they start with a ping scan. I simply have stated since the start that a great majority of the tools that I have used, the tools that I have known others to use, the tools that have been discussed on most of the pages, etc., all seem to do a process of whittling the number down before launching into the vuln scan. This was due to the vuln scan taking so long and it is obviously shorter now, but the timeout is still longer than a ping response.

So there you have it. Does stopping pings stop 100% of the scans? Of course not. Does it stop at least .0000001%? Of course. Is the number somewhere in between there somewhere? Yep. So your mileage may vary. My logs show lots of pings and very little (relatively speaking) port scans and vuln scans. Tim says that his show the opposite. You have to decide how many will be blocked and if it is worth it to not be able to tell your customers, "Go to a prompt and try to ping my site." For me it is. For others, perhaps not. I am not as worried about being able to ping my site. So I drop pings to stop the silly, easy crap and then focus on trying to stop the people in the coven. :)

JayW
"gregh" <chows () ozemail com au> 09/06/03 07:00PM >>>
----- Original Message -----
From: Jay Woody
To: chatmaster () charter net
Cc: security-basics () securityfocus com
Sent: Saturday, September 06, 2003 7:29 AM
Subject: RE: ICMP (Ping)
What purpose would seeing a response from a ping serve to a kiddy looking to deface web sites? If they are going to attack you randomly, why do you assume that they would stop to think when they are blindly attacking networks/ips anyway?
Here is how it works again. They scan a range and then go back and run a port scan/vuln scan against what replies. They don't run vuln scans

No, even that isn't 100% correct. If they have a new toy they will do it. Don't forget that new toys come out all the time and the only way they can prove their theories is to go on random attacks to see if what they have works or not. In short, yes, most of the time they attack depending on what a port scan shows them, but quite a lot of the time they will also be randomly attacking depending on their association with other scripties and what their own level of understanding is plus what they think they have in their hands. E.g., if they are deep in a coven and have been given a new toy and aren't that up to scratch with scripting themselves, they will test as they see fit by attacking anything they can. It's just plain logic. What do you do when you build yourself a new computer but test it to the limits first off? Well, same thing with a new script.

Greg.