Security Basics mailing list archives
AW: ICMP (Ping)
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Fri, 5 Sep 2003 17:04:37 +0100
Just to clear things up, here are three responses to three emails.

-----Original Message-----
From: Tim Greer [mailto:chatmaster () charter net]
Sent: Friday, 5 September 2003 00:53

> On Thu, 2003-09-04 at 10:23, SMiller () unimin com wrote:
>
>> Regarding the oft cited admonition against "security by obscurity":
>> according to Bruce Schneier this is "Kerckhoffs' Principle", formulated in
>> 1883 by Auguste Kerckhoffs, and as such is narrowly applicable only to
>> algorithms used for cryptography. It may or may not apply to other and
>> more generalized security issues; those cases must be evaluated
>> individually.
>>
>> Regarding ICMP:
>
> Fun stuff... what some people seem to fail to understand is that it's
> unlikely someone's going to randomly probe for IPs to just randomly attack.
> The type of attacks that people launch are going to be from people that
> know you're there anyway.... otherwise if they are mindless enough, they
> will apparently attack the IP they didn't check to see if it's there.
Actually, people do this all the time. Ping sweeps are constantly going on
to map live hosts for further analysis. This is one of the main reasons that
people like to block ICMP 8. If someone is targeting you, they can find your
address range quickly enough, but it can be nice to slip under the radar if
someone is just ping sweeping net blocks.

-----Original Message-----
From: Tony Kava [mailto:securityfocus () pottcounty com]
Sent: Thursday, 4 September 2003 20:07

> I do like your reasoning that others do not generally have a business need
> to ping your hosts; however, I still prefer to allow this service not
> simply to conform to standards, but rather as an easy indicator that our
> network link is up. In my previous work at a broadband ISP I was often
> annoyed at how many hosts do not respond to ICMP echo. On a LAN that uses
> DHCP it can be a true pain because hosts can use an IP address in the
> dynamic range and when the DHCP server double-checks that the IP is
> available with a ping it finds that the IP is not in use and allocates it
> to the DHCP client. The DHCP server should be able to assume that if the IP
> were in use a host would respond to ICMP echo.
Well, internal hosts should certainly respond to pings, and not just for
DHCP. There is, however, absolutely no reason that a firewall should respond
to a ping on the public interface. You will know if it is down, because you
will have no TX across it. But the world does not need to know its IP, or if
there are teamed and/or cascaded firewalls working together, you definitely
don't want to let them respond to pings so that people can learn about your
infrastructure.

-----Original Message-----
From: Ansgar Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Thursday, 4 September 2003 22:36
To: security-basics () securityfocus com
Subject: Re: ICMP (Ping)

> On 2003-09-02 freeasabird_13 () gmx net wrote:
>
>> Are there any security issues for allowing a firewall/router to respond to
>> Ping from the internet?
>>
>> Yes. It would not be preferable for you to allow your firewall/router to
>> respond to pings from the internet. Someone running a wide-scale scan of
>> internet computers for possible attack targets would quickly be made aware
>> of your obvious internet presence and you could become a target for attack.
>
> I don't think so. Not responding to ICMP echo-requests won't make you
> invisible. Whenever a ping does not return "host unreachable" you know
> there *is* something with that address. Dropping ICMP packets might be
> useful though, to protect the firewall or router from being DoS'ed through
> ICMP, but it won't hide your host.

It's all about slipping under the radar. You don't want to be the low hanging
script kiddie fruit. An attacker can still enumerate you, but there is no
reason it has to be too easy. If you block ICMP, or send back
host-unreachables, you are at least not responding to a ping sweep, which is
a start. Port scans will get you anyway, depending on how you have things set
up. So this isn't about total invisibility. There is no ICMP filter that will
make you into Mr. Invisible.

The question was about best practices. So, Mr. Original Poster, I believe you
now have heard that the best practice is definitely not to allow the firewall
to respond to pings (or, in my opinion, not to allow ANY egress traffic to
contain echo-reply). Any further questions, counselor?

-cmeid

Chris Meidinger
badenIT GmbH
System Support
Tel. +49 761 279 2280
Fax. +49 761 279 2200
Tullastrasse 70
79108 Freiburg
Deutschland
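As an added illustration (not part of the thread), the following script shows how the ping sweeps Chris mentions look from the defender's side: it reads firewall log lines in the format the netfilter LOG target emits, keeps only ICMP echo-requests (type 8), and flags any source that probes many distinct addresses within a short window. The "ICMP-IN:" log prefix, the addresses and the timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of netfilter LOG-target lines (the "ICMP-IN:" prefix,
# addresses and timestamps are made up for this example).
SAMPLE_LOG = """\
Sep  5 16:58:01 fw kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Sep  5 16:58:01 fw kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2
Sep  5 16:58:02 fw kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.3 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=3
Sep  5 16:58:02 fw kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.4 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=4
Sep  5 16:58:03 fw kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=5
Sep  5 16:59:10 fw kernel: ICMP-IN: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.1 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Sep  5 16:59:11 fw kernel: ICMP-IN: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.1 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=2
Sep  5 17:20:00 fw kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=6
"""

# Fields of a LOG-target line that matter here: syslog stamp, SRC, DST, ICMP type.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=ICMP TYPE=(?P<type>\d+)"
)


def detect_ping_sweeps(log_text, window=timedelta(seconds=60), min_targets=4):
    """Return {src: n} for every source that sent echo-requests (type 8) to at
    least `min_targets` distinct destinations inside some `window`; n is the
    largest such count. Other ICMP types (replies, unreachables) are ignored."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("type") != "8":
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
        by_src[m.group("src")].append((ts, m.group("dst")))

    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            # distinct targets probed in the window that starts at this request
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            sweeps[src] = best
    return sweeps


if __name__ == "__main__":
    for src, n in detect_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {n} distinct hosts probed")
```

The single host that pings one address twice is not flagged, while the source that walks five addresses in two seconds is; the late probe of a sixth address falls outside the window and does not change the count.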