Security Basics mailing list archives
RE: ICMP (Ping)
From: Tony Kava <securityfocus () pottcounty com>
Date: Mon, 8 Sep 2003 15:50:12 -0500
Possible summary:

Q: Should ICMP echo requests be dropped?
A: Maybe.

Stance 1: Drop ICMP echo requests.
Responding to the requests tells script kiddies and other lesser life forms that you're up and a possible target. You can avoid wasting your time avoiding common attacks that shouldn't be successful anyway.

Stance 2: Respond to ICMP echo requests.
Responding provides a simple test of the link, and complies with aging standards. You will definitely appear on script kiddy radar. You may open yourself up to possible DoS attacks.

If you don't have a strong reason to respond to ICMP echo requests you can drop those packets. You may be better off that way. Die-hard optimists will continue to respond out of nostalgia for the friendly network the internet once was. The majority opinion seems to be that responding to ICMP echo requests is no longer necessary and may be harmful.

There is no zero or one answer to this in my opinion. There may be other factors that you should weigh. Is your internet connection so vital that a DoS attack of any kind will harm you? Do you have enough bandwidth to swim with a DoS attack? Is your ISP's customer service good enough that you can rely on their help to mitigate a DoS attack (without waiting 24 hours for a callback)?

--
Tony Kava
Network Administrator
Pottawattamie County, Iowa

-----Original Message-----
From: Preston Newton [mailto:preston.newton () equipnetworks com]
Sent: Monday, 08 September, 2003 14:22
To: security-basics () securityfocus com
Subject: RE: ICMP (Ping)

2 more cents to add to the million dollars that we've accumulated on this topic.

hping can "ping" a tcp port so ICMP blocks are null and void against this type of "ping". So any person with basic shell skills could write a script to utilize hping and compile a list of open ports into a file about systems...

http://www.hping.org/

On Mon, 2003-09-08 at 12:56, Tim Greer wrote:
> On Mon, 2003-09-08 at 09:38, Chris Ess wrote:
> > Okay. We've probably gotten slightly off-topic, but I figured I'd throw my two copper pieces in anyway. I'll provide one example for why blocking pings might be a good idea... and one where it doesn't matter if you block them or not. However, I'm no expert.
> >
> > * Saved by blocking pings: nmap
> >
> > Yes, nmap. Everyone on this list has used nmap or is hopefully familiar with what it does. For those of you who don't know, nmap is a portscanning utility. The first thing nmap appears to do before it actually runs a scan is ping the host. If it cannot ping the host, it returns:
> >
> >   Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
>
> This is a fair point, and I don't disagree with it. As I said, this method can be used, and it depends on the tool. There's no reason to use nmap, etc., when you can just have a script connect to port 80 or 25 on an IP and see if there's a response. Most of this discussion encompasses the tools used, as with pretty much any debate about what will help or not. No doubt lots of people use the above method, but many do not. I certainly agree it may cut down on the noise, but my experience has been little to none.