Security Basics mailing list archives

Re: ICMP (Ping)


From: Meidinger Chris <chris.meidinger () badenit de>
Date: Fri, 5 Sep 2003 17:04:37 +0100

Just to clear things up, here are three responses to three emails.

-----Original Message-----
From: Tim Greer [mailto:chatmaster () charter net]
Sent: Friday, 5 September 2003 00:53

> On Thu, 2003-09-04 at 10:23, SMiller () unimin com wrote:
> > Regarding the oft cited admonition against "security by obscurity":
> > according to Bruce Schneier this is "Kerckhoffs' Principle",
> > formulated in 1883 by Auguste Kerckhoffs, and as such is narrowly
> > applicable only to algorithms used for cryptography.  It may or may
> > not apply to other and more generalized security issues, those cases
> > must be evaluated individually.  Regarding ICMP:
>
> Fun stuff... what some people seem to fail to understand is that it's
> unlikely someone's going to randomly probe for IPs to just randomly attack.
> The type of attacks that people launch are going to be from people that
> know you're there anyway.... otherwise, if they are mindless enough, they
> will apparently attack the IP they didn't check to see if it's there.

Actually, people do this all the time. Ping sweeps are constantly going on
to map live hosts for further analysis. This is one of the main reasons that
people like to block ICMP type 8. If someone is targeting you, they can find
your address range quickly enough, but it can be nice to slip under the
radar if someone is just ping sweeping net blocks.

-----Original Message-----
From: Tony Kava [mailto:securityfocus () pottcounty com]
Sent: Thursday, 4 September 2003 20:07

> I do like your reasoning that others do not generally have a business need
> to ping your hosts, however I still prefer to allow this service not
> simply to conform to standards, but rather as an easy indicator that our
> network link is up.  In my previous work at a broadband ISP I was often
> annoyed at how many hosts do not respond to ICMP echo.  On a LAN that uses
> DHCP it can be a true pain because hosts can use an IP address in the
> dynamic range, and when the DHCP server double-checks that the IP is
> available with a ping it finds that the IP is not in use and allocates it
> to the DHCP client.  The DHCP server should be able to assume that if the
> IP were in use a host would respond to ICMP echo.

Well, internal hosts should certainly respond to pings, and not just for
DHCP. There is, however, absolutely no reason that a firewall should respond
to a ping on the public interface. You will know if it is down, because you
will have no TX across it. But the world does not need to know its IP, or, if
there are teamed and/or cascaded firewalls working together, you definitely
don't want to let them respond to pings so that people can learn about your
infrastructure.

-----Original Message-----
From: Ansgar Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Thursday, 4 September 2003 22:36
To: security-basics () securityfocus com
Subject: Re: ICMP (Ping)

> > On 2003-09-02 freeasabird_13 () gmx net wrote:
> > > Are there any security issues for allowing a firewall/router to
> > > respond to Ping from the internet?
> >
> > Yes.  It would not be preferable for you to allow your firewall/router
> > to respond to pings from the internet.  Someone running a wide-scale
> > scan of internet computers for possible attack targets would quickly
> > be made aware of your obvious internet presence and you could become a
> > target for attack.
>
> I don't think so. Not responding to ICMP echo-requests won't make you
> invisible. Whenever a ping does not return "host unreachable" you know
> there *is* something with that address. Dropping ICMP packets might be
> useful though, to protect the firewall or router from being DoS'ed through
> ICMP, but it won't hide your host.

It's all about slipping under the radar. You don't want to be the low
hanging script kiddie fruit. An attacker can still enumerate you, but there
is no reason it has to be too easy. If you block ICMP, or send back
host-unreachables, you are at least not responding to a ping sweep, which is
a start. 

Port scans will get you anyway, depending on how you have things set up. So
this isn't about total invisibility. There is no ICMP filter that makes you
into Mr. Invisible. The question was about best practices.

So, Mr. Original Poster. I believe you now have heard that the best practice
is definitely not to allow the firewall to respond to pings (or, in my
opinion, not to allow ANY egress traffic to contain echo-reply).

Any further questions, counselor?

-cmeid 

Chris Meidinger

badenIT GmbH
System Support

Tel. +49 761 279 2280
Fax. +49 761 279 2200

Tullastrasse 70
79108 Freiburg
Deutschland 
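[Editor's added example, not part of the original thread or of anything the
posters ran.] The policy argued for above (drop inbound echo-request and
outbound echo-reply on the public interface, leave ICMP echo alone on the
LAN) and the ping-sweep behaviour that motivates it can both be shown with a
few constructed packets. The block below builds minimal IPv4/ICMP echo
packets with correct RFC 1071 checksums, applies that per-interface policy,
and flags a source that has pinged many distinct destinations. The interface
names "wan" and "lan", the addresses (documentation ranges) and the sweep
threshold of 8 distinct targets are assumptions for illustration only.

```python
"""
Added example (not from the mailing-list thread): a stateless ICMP echo
policy plus a ping-sweep detector, run over constructed IPv4/ICMP packets.

Policy modelled on the thread's advice:
  - on the public interface ("wan"), drop inbound ICMP echo-request (type 8)
    and drop outbound echo-reply (type 0);
  - on the internal interface ("lan"), allow echo both ways so DHCP conflict
    detection and link checks keep working.
Interface names, addresses and the sweep threshold are assumptions.
"""
import struct
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_icmp_packet(src: str, dst: str, icmp_type: int, ident=1, seq=1) -> bytes:
    """Minimal IPv4 header (no options) + ICMP echo header, no payload."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                     IPPROTO_ICMP, 0, _ip(src), _ip(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def parse_packet(raw: bytes):
    """Return (src, dst, icmp_type), or None if the packet is not ICMP."""
    ihl = (raw[0] & 0x0F) * 4          # header length in bytes
    if raw[9] != IPPROTO_ICMP:
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    return src, dst, raw[ihl]


def policy(iface: str, direction: str, raw: bytes) -> str:
    """'accept' or 'drop' for a packet on iface ('wan'/'lan'), direction 'in'/'out'."""
    parsed = parse_packet(raw)
    if parsed is None:
        return "accept"                # non-ICMP traffic is out of scope here
    icmp_type = parsed[2]
    if iface == "wan":
        if direction == "in" and icmp_type == ICMP_ECHO_REQUEST:
            return "drop"              # never answer a ping from the Internet
        if direction == "out" and icmp_type == ICMP_ECHO_REPLY:
            return "drop"              # and never let an echo-reply leave
    return "accept"


def detect_sweeps(packets, threshold=8):
    """Sources whose echo-requests reached >= threshold distinct destinations."""
    targets = defaultdict(set)
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed and parsed[2] == ICMP_ECHO_REQUEST:
            targets[parsed[0]].add(parsed[1])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    # Constructed traffic: one host sweeping 203.0.113.1-14, one ordinary ping.
    sweep = [build_icmp_packet("198.51.100.7", "203.0.113.%d" % i,
                               ICMP_ECHO_REQUEST, seq=i) for i in range(1, 15)]
    single = build_icmp_packet("192.0.2.9", "203.0.113.1", ICMP_ECHO_REQUEST)
    print(detect_sweeps(sweep + [single]))
    print(policy("wan", "in", sweep[0]), policy("lan", "in", single))
```

The detector only sees the echo-requests; it says nothing about whether any
host replied, which is the point made above: dropping inbound type 8 keeps
you out of the sweep's result set, but a port scan or the absence of an
ICMP unreachable still reveals that the address is live.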
