Security Basics mailing list archives

RE: ICMP (Ping)


From: Tim Greer <chatmaster () charter net>
Date: 05 Sep 2003 13:18:53 -0700

On Fri, 2003-09-05 at 07:42, Jay Woody wrote:
> See, now I have to disagree here.  I'll use web page defacements as an
> example.  Script Kiddies showed that they did not care who or what they
> were targeting 90% of the time.

What purpose would seeing a response from a ping serve to a kiddy
looking to deface web sites?  If they are going to attack you randomly,
why do you assume that they would stop to think when they are blindly
attacking networks/ips anyway?

> They just scan a range and whoever
> replied they ran a vuln scanner against.


Running a scanner to look for open ports or vulnerabilities in services
is not going to change because you don't reply to ping requests.  Those
scans will check the ports and services on said IP--not give up if it
can't get a ping response.

> If they could get in and
> "hack" the web page, they would.

And that doesn't relate to the type of attacks being discussed.  That's
another, less serious issue anyway.

> They'd get their "message" out and
> move on.

No, they'd probe for vulnerabilities by domain or IP, the ping response
plays no role in that situation.

> Did some target pro-Israeli sites, etc.?  Of course, but many
> more were just companies that replied and then had a vuln scan run
> against them.

That is irrelevant.

> Here is what it boils down to in my opinion, in the case of a
> determined hacker that wants you and no one else, then obviously
> blocking pings ain't gonna cut it.

True.  You're either vulnerable or not.  But it depends on the type of
attack and on what service or protocol.

> However, in the case of script
> kiddies that just scan a range and hit who replies, then blocking pings
> stops about 95% of them from even going any deeper.

No it doesn't.  Skripties are stupid by nature.  They hit blindly with
the scanners, the scanners don't give up if there's no ping response,
they are busy checking to see what's running on the various ports that
particular scanner scans.  It's almost contradictive to use script
kiddie and 'dig deeper' in the same sentence.

> I heard one say (I
> think it was Hackweiser) that if someone didn't reply, why keep looking
> at them, there were plenty of other boxes that would reply.

But they aren't looking for boxes that reply to ping requests, they hit
the IP on various ports to check to see if that port/service responds
and with what.

> If all you
> care is to try and hack 400 boxes, then why waste time?  Just hit the
> ones that are easy and come back to the hard ones.

Like I said, a dumb ass script kiddie will hit the ports checking the
services for vulnerable services.  Ping response or not makes absolutely
no difference.  It's either going to happen or not, random or targeted. 
If it's random, you'll be hit and probed anyway (being an attack or
probe).  If it's not random, well, we all know the answer.  I don't see
the point to that side of this debate.
-- 
Tim Greer <chatmaster () charter net>
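
One way to test this disagreement against your own perimeter, as an added example that is not part of the original post: classify the sources in a firewall log by whether they sent an ICMP echo request, probed service ports, or both. The log lines are constructed in the style of Linux netfilter LOG output (fields trimmed, documentation-range addresses), and `classify_sources` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Linux netfilter LOG output
# (fields trimmed; all addresses are from documentation ranges).
SAMPLE_LOG = """\
Sep  5 13:01:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Sep  5 13:01:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=80
Sep  5 13:02:10 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51200 DPT=21
Sep  5 13:02:10 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51201 DPT=80
Sep  5 13:02:11 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51202 DPT=443
Sep  5 13:03:30 fw kernel: IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Sep  5 13:04:00 fw kernel: IN=eth0 SRC=198.51.100.44 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=137
garbled line without fields
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs in a LOG record


def classify_sources(log_text):
    """Group source IPs by whether they pinged, probed ports, or both."""
    pinged, ports = set(), defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        src, proto = f.get("SRC"), f.get("PROTO")
        if not src or not proto:
            continue  # not a packet record
        if proto == "ICMP" and f.get("TYPE") == "8":
            pinged.add(src)  # ICMP type 8 = echo request
        elif proto in ("TCP", "UDP") and f.get("DPT", "").isdigit():
            ports[src].add((proto, int(f["DPT"])))
    probers = set(ports)
    return {
        "ping_and_probe": sorted(probers & pinged),
        "probe_without_ping": sorted(probers - pinged),
        "ping_only": sorted(pinged - probers),
        "ports": {s: sorted(p) for s, p in ports.items()},
    }


if __name__ == "__main__":
    result = classify_sources(SAMPLE_LOG)
    for key in ("ping_and_probe", "probe_without_ping", "ping_only"):
        print(f"{key}: {result[key]}")
```

Run over real perimeter logs, the size of `probe_without_ping` relative to `ping_and_probe` shows how much of the port probing you receive depends on an echo reply at all.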



