Security Basics mailing list archives

RE: ICMP (Ping)


From: Christos Gioran <himicos () freemail gr>
Date: 05 Sep 2003 17:13:20 +0300

IMHO,

Even though it will not solve all your problems, blocking ICMP echo
replies (ICMP type 8) from leaving the server is a good idea. Anyone who
might want to scan your machine using just a ping sweep will not see
you. All other kinds of ping should be available for normal operation as
it has been stated at a previous post. Your box will *not* be
invincible, just a little harder to find. Still, there are SYN scans,
NULL, ACK and many more goodies that may tell you off.
That also is a good alternative to ICMP pinging a machine for
administration purposes. A SYN ping (using, for instance, nmap) will be
enough to see if the machine is alive.


PS. As for RFC compliance, does anyone still support the proxy feature
on FTP servers?? No (I hope so), since it poses a great security risk.
RFCs were written for a friendly Internet, where hosts would trust each
other. That is no longer the case. Times change, so should the
practices we use ;-)

my 0.02 euro worth :-)


On Thu, 2003-09-04 at 21:07, Tony Kava wrote:
I do like your reasoning that others do not generally have a business need
to ping your hosts, however I still prefer to allow this service not simply
to conform to standards, but rather as an easy indicator that our network
link is up.  In my previous work at a broadband ISP I was often annoyed at
how many hosts do not respond to ICMP echo.  On a LAN that uses DHCP it can
be a true pain because hosts can use an IP address in the dynamic range and
when the DHCP server double-checks that the IP is available with a ping it
finds that the IP is not in use and allocates it to the DHCP client.  The
DHCP server should be able to assume that if the IP were in use a host would
respond to ICMP echo.

Of course, we're talking about public IP addresses on the internet.  The
DHCP example does not apply, however it is still a useful service to other
administrators out there.  When your users are unable to reach a certain
destination it is a quick check for connectivity.  Of course there are
numerous other methods to determine whether a host is up or not, but ping is
designed for this purpose.  There are steps that can be taken to prevent the
misuse of the protocol, and those should be preferred to simply dropping the
packets.

Others on the internet do share your opinion, and I can see why.  However,
there are still many of us who do accept ICMP echoes.  Including yahoo.com
and google.com.  Yes, I know, microsoft.com and ebay.com do not.  If you
keep watch on your network and you have taken reasonable steps to diminish
the success of a DoS attack then you should be able to safely accept ICMP
echoes.

... my two cents, of course.

--
Tony Kava
Network Administrator
Pottawattamie County, Iowa
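As an added illustration (not code from either poster), the two positions in this thread can be written down as concrete packet policies: Christos's "drop echo replies on the way out, let every other ICMP type through", and Tony's "keep answering echo, but take steps against misuse", modelled here as a token-bucket rate limit on inbound echo requests. The script parses and checksums ICMP messages per RFC 792 / RFC 1071, where echo request is type 8 and echo reply is type 0; the function names, the rate and burst values, and the sample packets are all constructed for this example.

```python
import struct

# ICMP type numbers from RFC 792
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over header + payload."""
    if len(data) % 2:
        data += b"\x00"          # pad odd-length messages
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:           # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an ICMP message with a valid checksum (test input only)."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Parse the 8-byte ICMP header; reject truncated or corrupted messages."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its header")
    icmp_type, code, _csum, rest_a, rest_b = struct.unpack("!BBHHH", packet[:8])
    # Summing a message that already carries its checksum must yield 0.
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "rest": (rest_a, rest_b), "payload": packet[8:]}


def egress_policy(packet: bytes) -> str:
    """Christos's rule: never emit echo replies; let all other ICMP out
    (destination unreachable, time exceeded, our own outbound pings)."""
    try:
        msg = parse_icmp(packet)
    except ValueError:
        return "drop:malformed"
    if msg["type"] == ICMP_ECHO_REPLY:
        return "drop:echo-reply"
    return "allow"


class EchoRateLimiter:
    """Token bucket: answer echo requests normally, but cap how many are
    accepted per second so a flood cannot consume the host (constructed
    stand-in for the 'steps to prevent misuse' Tony prefers)."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        elapsed = now - self.last
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def ingress_policy(packet: bytes, limiter: EchoRateLimiter, now: float) -> str:
    """Tony's rule: accept echo requests, subject to the rate limit;
    accept other well-formed ICMP unconditionally."""
    try:
        msg = parse_icmp(packet)
    except ValueError:
        return "drop:malformed"
    if msg["type"] == ICMP_ECHO_REQUEST:
        return "accept" if limiter.allow(now) else "drop:rate-limited"
    return "accept"


if __name__ == "__main__":
    reply = build_icmp(ICMP_ECHO_REPLY, 0, 0x1234, 1, b"abcdefgh")
    request = build_icmp(ICMP_ECHO_REQUEST, 0, 0x1234, 1, b"abcdefgh")
    print("egress reply  :", egress_policy(reply))
    print("egress request:", egress_policy(request))
    lim = EchoRateLimiter(rate_per_sec=2, burst=3)
    print([ingress_policy(request, lim, 10.0) for _ in range(4)])
```

Running it shows the trade-off the thread is about: with the egress rule the host still sends unreachables and time-exceeded messages (so traceroute and path MTU discovery keep working) but never answers a ping sweep, whereas the ingress rule keeps ping usable for other administrators while bounding the cost of a flood.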


