Security Basics mailing list archives
RE: ICMP (Ping)
From: "McGill, Lachlan" <mcgilll1 () anz com>
Date: Tue, 9 Sep 2003 08:34:07 +1000
We must also remember that the variant of the Blaster worm, Nachi, used ICMP pings to determine the next host to infect. Blocking ICMP in this instance would have been an effective deterrent.

-----Original Message-----
From: Chris Ess [mailto:azarin () tokimi net]
Sent: Tuesday, 9 September 2003 2:38 AM
To: security-basics () securityfocus com
Subject: RE: ICMP (Ping)

Okay. We've probably gotten slightly off-topic, but I figured I'd throw my two copper pieces in anyway. I'll provide one example for why blocking pings might be a good idea... and one where it doesn't matter if you block them or not. However, I'm no expert.

* Saved by blocking pings: nmap

Yes, nmap. Everyone on this list has used nmap or is hopefully familiar with what it does. For those of you who don't know, nmap is a portscanning utility. The first thing nmap appears to do before it actually runs a scan is ping the host. If it cannot ping the host, it returns:

Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

nmap can be used to scan a host or a network. It's not a very nice or graceful way but it works. And, hey, Joe Q. Script-Kiddie doesn't care if it's graceful as long as it works.

In this case, if you block pings, nmap won't bother to scan your machine unless the person running it has specified '-P0' on the command line. In which case, he'd better not be expecting results anytime soon. He can still come back later and run another scan, but if we assume that he's running nmap as his opening move, a machine that does not ping will be that much less likely to be targeted.

But... if his opening move is different, how much safer will you be? This takes us to...

* W32.Blaster.Worm et al

Why am I bothering to include a worm here, you may wonder. To really oversimplify things, what is a worm other than a vulnerability scanner that then exploits said vulnerability? (As I said, to really oversimplify things.)

Worms, and many vulnerability scanners, do not necessarily ping a host before they try to connect. In fact, I do not know of a worm that does ping the host whose IP it randomly generates before it tries to test (and then possibly exploit) the host. Some vulnerability scanners may not bother to ping because people have been blocking pings or other ICMP traffic from their machines -- or maybe just because it's too much bother. (If the machine isn't running a service, you'll just timeout after five minutes or so and keep going.)

Blocking pings or other ICMP traffic is not the magic piece of armor that will protect you from being attacked. It's a deterrent, nothing more. Think of it like barbed wire on the top of a fence -- some people will stay away from it and decide not to mess with whatever's inside, while those who really want to get in will continue to attempt different measures to gain entry. However, the barbed wire is no replacement for other, stronger measures, like electrifying the fence, employing armed guards and vicious dogs, and, for the extremely paranoid, land mines.

Blocking pings is ultimately the decision of the administrators running the machine or network. For the paranoid, dropping pings is probably best for them. For my personal machine at home, though, I don't think the risk from responding to pings is high enough to cause concern. And, for the moment, having it respond to pings is useful to me.

Sincerely,

Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
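Both messages above describe the same traffic pattern from the defender's side: Nachi picked its next victims by pinging them, and nmap pings a host before it scans it. In a firewall log that shows up as one source sending ICMP echo requests (type 8) to many distinct destinations in a short span. The detector below is an added example, not code from the thread or from either poster; the log lines are constructed in the netfilter LOG target's key=value style (SRC=, DST=, PROTO=, TYPE=), and the addresses, timestamps, window size and threshold are assumptions chosen for illustration.

```python
"""Added example: flag ICMP echo-request sweeps in iptables-style log lines.

The log format, addresses, window and threshold below are assumptions made
for this illustration, not values from the original mailing-list thread.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the fields this example needs from a netfilter LOG line.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: TYPE=(?P<type>\d+))?"
)


def parse_line(line):
    """Return (timestamp, src, dst, proto, icmp_type) or None if the line
    does not look like a firewall log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
    icmp_type = int(m.group("type")) if m.group("type") else None
    return ts, m.group("src"), m.group("dst"), m.group("proto"), icmp_type


def detect_icmp_sweeps(lines, min_targets=16, window_seconds=60):
    """Return {src: n} for every source that sent echo requests (ICMP type 8)
    to at least `min_targets` distinct destinations inside some span of
    `window_seconds`; n is the distinct-destination count of its busiest window."""
    probes = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, proto, icmp_type = parsed
        if proto == "ICMP" and icmp_type == 8:
            probes[src].append((ts, dst))

    flagged = {}
    for src, events in probes.items():
        events.sort()
        seen = Counter()  # dst -> number of probes inside the current window
        left = 0
        best = 0
        for ts, dst in events:
            seen[dst] += 1
            # Slide the left edge forward until the window fits in window_seconds.
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old_dst = events[left][1]
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
                left += 1
            best = max(best, len(seen))
        if best >= min_targets:
            flagged[src] = best
    return flagged


def constructed_log():
    """Constructed sample (assumed addresses): 192.0.2.10 pings 40 hosts in
    198.51.100.0/24 within 40 seconds, 192.0.2.20 pings one host twice,
    plus an unrelated TCP line and an echo reply that must not count."""
    lines = []
    for i in range(40):
        lines.append(
            f"Sep  9 08:30:{i % 60:02d} fw kernel: IN=eth0 OUT= "
            f"SRC=192.0.2.10 DST=198.51.100.{i + 1} PROTO=ICMP TYPE=8 CODE=0"
        )
    lines += [
        "Sep  9 08:31:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.7 PROTO=ICMP TYPE=8 CODE=0",
        "Sep  9 08:31:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.7 PROTO=ICMP TYPE=8 CODE=0",
        "Sep  9 08:31:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.9 PROTO=TCP SPT=40000 DPT=135",
        "Sep  9 08:31:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=ICMP TYPE=0 CODE=0",
    ]
    return lines


if __name__ == "__main__":
    for src, n in detect_icmp_sweeps(constructed_log()).items():
        print(f"possible ICMP sweep from {src}: {n} distinct targets in one window")
```

The threshold is on distinct destinations, not raw packet count, so a host that pings one peer repeatedly (the 192.0.2.20 lines) is not flagged, while a scanner or worm walking a subnet is. Echo replies (type 0) and non-ICMP traffic are ignored, which also means the rule says nothing about attackers who skip the ping, exactly the point the second message makes.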