Security Basics mailing list archives

Re: ICMP (Ping)


From: Fyodor <fyodor () insecure org>
Date: Mon, 8 Sep 2003 20:10:10 -0700

On Mon, Sep 08, 2003 at 12:38:10PM -0400, Chris Ess wrote:

> * Saved by blocking pings: nmap
> 
> Yes, nmap.  Everyone on this list has used nmap or is hopefully familiar
> with what it does.  For those of you who don't know, nmap is a
> portscanning utility.
> 
> The first thing nmap appears to do before it actually runs a scan is ping
> the host.

Nmap calls this a "ping scan", but it uses that term more generally to
include any type of host enumeration probe in addition to the plain
ICMP echo request.  By default, Nmap will send an ICMP echo request as
well as an ACK packet to port 80.  So blocking ICMP echo requests
alone won't help you much.  Of course if you block the ACK probe too,
you will be less visible to a default run of Nmap.  However, any
marginally competent attacker (and I realize that many aren't) will
not rely on the 2-probe default.  Nmap offers many other host
enumeration checks, including TCP SYN packets to multiple ports, ACK
packets to multiple ports, ICMP timestamp request, multi-port UDP
packets, etc.  Here is an example from my Defcon talk last month:

nmap -sP -PS22,25,53,80,113,31338 -PA80,113,21000 -PU53,19000 -PE -PM -g 53 -oA [logfile] [netblocks]

This command sends a normal ping, an ICMP netmask request, SYN packets
to ports 22,25,53,80,113,31338, ACK packets to 80,113,21000, and UDP
packets to ports 53,19000.  The TCP & UDP probes are all sent from a
source port of 53 just in case masquerading as DNS replies helps.  If
ANY of these probes elicit a response, Nmap considers the host
available.  The ping scan above took about 12 minutes to scan 5000 IPs
over the Internet.  It would have been faster with more aggressive
timing (-T4 option) or if you disable DNS resolution (-n option).

I am not taking a position on whether pings should be blocked.  I just
hope people don't overestimate the value this brings.  Obviously you
shouldn't delay patch installation just because you think you are
"stealthed" by the ping blocking.  ICMP ping blocking alone won't even
stop the default Nmap probes, and using a much more comprehensive set
of probes is only as hard as adding options like those above.  Or you
can add -P0 and skip ping testing altogether.

What do I do on my own networks?

ping www.insecure.org
PING www.insecure.org (205.217.153.53) from 67.124.116.141 : 56(84) bytes of data.
64 bytes from www.insecure.org (205.217.153.53): icmp_seq=0 ttl=51 time=21.575 msec
64 bytes from www.insecure.org (205.217.153.53): icmp_seq=1 ttl=51 time=20.746 msec
64 bytes from www.insecure.org (205.217.153.53): icmp_seq=2 ttl=51 time=21.790 msec

But at the same time, I can understand and appreciate the arguments
from people who do block ICMP pings.  When I do vulnerability
assessments for clients, I list ping responses on the report as a
minor risk they should evaluate.

Cheers,
Fyodor
http://www.insecure.org/
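As an added example (not code from Fyodor's post or from Nmap), a small detector that classifies the probe kinds his command mixes (ICMP echo, ICMP netmask, TCP SYN, TCP ACK, UDP from source port 53) in constructed firewall-style log records, groups them per source/target pair, and reports whether a host that blocked ICMP echo would still have been found by the remaining probes. The record layout, field names, labels and addresses are assumptions.

```python
# Added example (not from Fyodor's post or Nmap): spot multi-probe host discovery
# in constructed firewall-style records "seq src dst proto key=value ...".  The
# record layout and labels are assumptions; probe kinds mirror those in the post:
# ICMP echo (-PE), netmask (-PM), TCP SYN (-PS), TCP ACK (-PA), UDP (-PU), -g 53.
from __future__ import annotations
from collections import defaultdict

# Constructed sample: one source uses five probe kinds, another only a plain echo.
SAMPLE_LOG = """\
1 192.0.2.10 198.51.100.5 icmp type=8 code=0
2 192.0.2.10 198.51.100.5 icmp type=17 code=0
3 192.0.2.10 198.51.100.5 tcp sport=53 dport=22 flags=S
4 192.0.2.10 198.51.100.5 tcp sport=53 dport=80 flags=A
5 192.0.2.10 198.51.100.5 udp sport=53 dport=19000
6 192.0.2.77 198.51.100.5 icmp type=8 code=0
"""
ICMP_KINDS = {"8": "icmp-echo", "13": "icmp-timestamp", "17": "icmp-netmask"}
TCP_KINDS = {"S": "tcp-syn", "A": "tcp-ack"}

def classify(record: str) -> tuple[str, str, str] | None:
    """Return (src, dst, probe_kind) for one record, or None if not a tracked probe."""
    fields = record.split()
    if len(fields) < 4:
        return None
    _, src, dst, proto, *rest = fields
    attrs = dict(kv.split("=", 1) for kv in rest)
    if proto == "icmp":
        kind = ICMP_KINDS.get(attrs.get("type"))
    elif proto == "tcp":
        kind = TCP_KINDS.get(attrs.get("flags"))
    else:
        kind = "udp" if proto == "udp" else None
    if kind is None:
        return None
    if proto != "icmp" and attrs.get("sport") == "53":
        kind += "(sport53)"  # DNS-looking source port, as with nmap -g 53
    return src, dst, kind

def find_sweeps(log: str, min_kinds: int = 3) -> dict[tuple[str, str], set[str]]:
    """Group probe kinds per (src, dst); keep pairs seen with >= min_kinds distinct kinds."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for line in log.splitlines():
        if parsed := classify(line):
            src, dst, kind = parsed
            seen[(src, dst)].add(kind)
    return {pair: kinds for pair, kinds in seen.items() if len(kinds) >= min_kinds}

def still_discoverable(kinds: set[str]) -> bool:
    """True if a probe other than ICMP echo reached the host: blocking ping alone would not hide it."""
    return any(k != "icmp-echo" for k in kinds)
```

Run `find_sweeps(SAMPLE_LOG)` to see the five-probe source flagged while the lone echo request is not.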