Security Basics mailing list archives

FW: ICMP (Ping)


From: check <check () wescom org>
Date: Fri, 5 Sep 2003 16:08:26 -0700

-----Original Message-----
From: Jay Woody [mailto:jay_woody () tnb com] 
Sent: Friday, September 05, 2003 2:30 PM
To: chatmaster () charter net
Cc: security-basics () securityfocus com
Subject: RE: ICMP (Ping)


> What purpose would seeing a response from a ping serve to a
> kiddy looking to deface web sites?  If they are going to attack
> you randomly, why do you assume that they would stop to
> think when they are blindly attacking networks/ips anyway?

Here is how it works again.  They scan a range and then go back and run a
port scan/vuln scan against what replies.  They don't run vuln scans
randomly against ranges, they run ping sweeps randomly against ranges, those
that reply get more attention.  So how would not replying help? 
Well by getting less attention obviously.  They aren't "blindly attacking
networks/ips anyway".  They are blindly scanning or sweeping networks/ips
through the use of pings.  They are not so blindly (but
almost) running a port scan against those that reply.  Then they are running a vuln
scan against the boxes that just told them they were a certain OS, etc.

> Running a scanner to look for open ports or vulnerabilities
> in services is not going to change because you don't reply
> to ping requests.  Those scans will check the ports and
> services on said IP--not give up if it can't get a ping
> response.

Man, dude, where do I start on this one?  :)  Yes, running something like
that would behave exactly as you describe (I think).  However, that isn't at
all what anyone has said.  Again, they "scan" the ADDRESSES in a range for a
simple reply and then run a port scan/vuln scan against those that reply.
Your point is that if they don't respond to pings, they likely won't respond
to vuln scans.  The script kiddies say the same thing in reverse.  If you
respond to a ping you likely will give up more information if asked.  Again,
they scan the range for replies and then run a port scan/vuln scan against
the replies for more info.  They don't blindly run a vuln scan against a
range.  That would be even more stupid and waste time.

> And that doesn't relate to the type of attacks being
> discussed.  That's another, less serious issue anyway.

Uh, OK.  The question was should your devices reply.  There is not an ATTACK
there.  The statement was that no, they shouldn't because then you get more
interest from the kiddies.  You said no you don't and I said yes you do.
Haven't heard about any attack mentioned at all. 
Also, if you think having your web page defaced is not serious, then ask
Nike how much the press hurt them and ask Microsoft how much money they
spend on making sure it doesn't happen to them.  If you are a seller, then
having your web page defaced and pointing people to a site that gathers
their credit card numbers would be decently serious I would think.

> No, they'd probe for vulnerabilities by domain or IP, the
> ping response plays no role in that situation.

If they are probing for vulnerabilities by domain (and I am not 100% sure
what you mean there), then they are retarded.  I said that they deface the
web page and move on and you reply that they scan for vulns by domain.
Again, the ping response plays a HUGE role.  They ping a group of addresses,
if you don't respond they move the FREAK ON.  If you do, they run a port
scan, then a vuln scan against you.  By not replying, you stop the kiddies
from looking (in addition to many of the other DDoS issues mentioned
already).  "[T]hey'd probe for vulnerabilities . . . IP", yep, exactly and
where did they get the IP address?  By the freaking ping reply.  No reply,
fewer attempts.  I am just not saying it right or something, so help me see
where we are missing it.

> That is irrelevant.

Then your point is irrelevant, because I was agreeing with your point. 
Sure, some people see a site and say, "I want to hack that particular
company."  99% don't.  They say, I want to hack 40 sites in a week.  I don't
give a crap who, so let's see who replies.

> True.  You're either vulnerable or not.  But it depends on the
> type of attack and on what service or protocol.

And if you don't reply to pings then 90% of the kiddies never even try to
find out what will work against you.

> No it doesn't.  Skripties are stupid by nature.  They hit
> blindly with the scanners, the scanners don't give up if
> there's no ping response,

See, here is where you keep missing it.  They DO NOT blindly run vuln scans.
They blindly run Ping sweeps.  They scan a range and see who replies and
then they run the port scan that you describe against just those areas that
replied.  Then they run the vuln scan against just those addresses that
replied and that have a certain OS, etc.  That is well known.  So either you
are saying they run vuln scans against huge ranges, which isn't true or you
are saying that ping sweeps or scans will still document you when you don't
reply, which is also not true. 
They don't run an in depth scan until they see if you are alive or not. 
If you are not alive, why waste their time, there are plenty of people that
are.  I run Zone Alarm at home.  They ping me and I don't reply, now they
could run a suite of vuln scans against me and spend an hour or more to see what
is turned up OR they could move to the next-door neighbor's PC where the password
is password.  They just move on.  They are looking for the slow, stupid ones
on the fringe to gobble up.  If you don't reply to a ping, most script
kiddies will simply move on.  That has been the opinion espoused by a great
majority of responders to this thread, so I am obviously not the only one
that feels this way.

> they are busy checking to see what's running on the various
> ports that particular scanner scans.  It's almost contradictive
> to use script kiddie and 'dig deeper' in the same sentence.

Not if you didn't reply to a ping they don't.  Think about it man.  If you
ping sweep a range of 255 addresses and 20 respond and you are a little
kiddie, you are going to focus on those 20, crack 5 quickly and go brag
about it.  You are not going to kick off your favorite little vuln scanner
against addresses that "aren't up" in the hopes that maybe one is, spend all
night dicking with that one and then having nothing to brag about.  It is a
numbers game.  They want to be able to say they cracked X number last night.
Not that they spent all night scanning a range and then finding out that
indeed there really were no other boxes there.

> But they aren't looking for boxes that reply to ping requests,
> they hit the IP on various ports to check to see if that port/
> service responds and with what.

I am beginning to think you are screwing with me now.  Surely you have
downloaded one of these things.  They don't do that at all.  They first
sweep a range and gather addresses.  Then they compile that in a list. 
Then they run their port scan/vuln scan against each of those IPs and THAT
scanner is what looks for ports, weak passwords, etc.  The point being made
here, over and over, is that if you are not one of the addresses on the
list, then the scanner isn't run against you.  How do you stay off of the
list?  Well, how did you get on it?  You responded to a ping.  No response
equals less kiddie attacks.  Period.  Less script kiddie attacks means more
time to get the vulns patched and less of a chance that a bonehead move gets
you compromised.

> Like I said, a dumb ass script kiddie will hit the ports
> checking the services for vulnerable services.  Ping
> response or not makes absolutely no difference.

And like I said, it absolutely does.  They are not doing random port scans.
They are doing random PING SWEEPS and then doing semi-random port scans on
those that REPLY.  Then running specific vuln scans on boxes that replied as
needed to the port scans.  You seem to think they just jump right into the
port scanning world and they just don't.  Why run a port scan against a
non-existent box?  It is just a waste of your time.  They don't.


> It's either going to happen or not, random or targeted.
> If it's random, you'll be hit and probed anyway (being an
> attack or probe).  If it's not random, well, we all know the
> answer.

If they were running port scans, you might be right, but again, they don't
until you first let them know there is a box there to run one against.  No
box, no port scan.  No ping, no box to them.  On to the next range.

> I don't see the point to that side of this debate.

Cause you aren't trying.  You are just insisting that the process starts in
the middle.  It doesn't.  It starts at the beginning and that is the ping
sweep.  If I were you, I would try to understand that side seeing as how a
great majority of the posters have thus far espoused the same idea.  You
seem to be under the impression that a kiddie's first tool is his port
scanner and it isn't.  It is his ping sweeper.  THAT produces the list that
he uses for everything else.  Again, not 100% of the time, but 90-95% of it.
My 2 cents.  Maybe that clarifies it.

JayW

Tim Greer <chatmaster () charter net> 09/05/03 03:18PM >>>
On Fri, 2003-09-05 at 07:42, Jay Woody wrote:
> See, now I have to disagree here.  I'll use web page defacements as an
> example.  Script Kiddies showed that they did not care who or what they
> were targeting 90% of the time.

What purpose would seeing a response from a ping serve to a kiddy looking to
deface web sites?  If they are going to attack you randomly, why do you
assume that they would stop to think when they are blindly attacking
networks/ips anyway?

> They just scan a range and whoever
> replied they ran a vuln scanner against.


Running a scanner to look for open ports or vulnerabilities in services is
not going to change because you don't reply to ping requests.  Those
scans will check the ports and services on said IP--not give up if it can't
get a ping response.

> If they could get in and
> "hack" the web page, they would.

And that doesn't relate to the type of attacks being discussed.  That's
another, less serious issue anyway.

> They'd get their "message" out and
> move on.

No, they'd probe for vulnerabilities by domain or IP, the ping response
plays no role in that situation.

> Did some target pro-Israeli sites, etc.?  Of course, but many more
> were just companies that replied and then had a vuln scan run against
> them.

That is irrelevant.

> Here is what it boils down to in my opinion, in the case of a
> determined hacker that wants you and no one else, then obviously
> blocking pings ain't gonna cut it.

True.  You're either vulnerable or not.  But it depends on the type of
attack and on what service or protocol.

> However, in the case of script
> kiddies that just scan a range and hit who replies, then blocking pings
> stops about 95% of them from even going any deeper.

No it doesn't.  Skripties are stupid by nature.  They hit blindly with the
scanners, the scanners don't give up if there's no ping response, they are
busy checking to see what's running on the various ports that particular
scanner scans.  It's almost contradictive to use script kiddie and 'dig
deeper' in the same sentence.

> I heard one say (I
> think it was Hackweiser) that if someone didn't reply, why keep looking
> at them, there were plenty of other boxes that would reply.

But they aren't looking for boxes that reply to ping requests, they hit the
IP on various ports to check to see if that port/service responds and with
what.

> If all you
> care is to try and hack 400 boxes, then why waste time?  Just hit the
> ones that are easy and come back to the hard ones.

Like I said, a dumb ass script kiddie will hit the ports checking the
services for vulnerable services.  Ping response or not makes absolutely no
difference.  It's either going to happen or not, random or targeted.

If it's random, you'll be hit and probed anyway (being an attack or probe).
If it's not random, well, we all know the answer.  I don't see the point to
that side of this debate.
-- 
Tim Greer <chatmaster () charter net>
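The two posters are really describing two different scanner pipelines: Jay's "ping sweep first, then port-scan only the responders", and Tim's "port-scan every address regardless of ICMP". The simulation below is an added example written for this archive page, not code from either poster; it runs the two pipelines, plus a third that mirrors how modern scanners actually discover hosts, against a constructed range of addresses in 192.0.2.0/24 (the documentation block). The Host class, the flags on it, and the function names are all assumptions made for the example. The caveat it exists to show: blocking ICMP echo does keep a host off the list built by an echo-only sweep, but nmap's default host discovery (as root) sends an ICMP echo, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request, and `-Pn` skips discovery entirely, so a host with any reachable port is found anyway.

```python
"""Simulation of three scanning pipelines against a constructed toy address
range (192.0.2.0/24 documentation addresses; nothing here touches a network).
Added example, not code from the mailing-list thread."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Host:
    """Constructed toy host; the flags stand in for its firewall policy (assumed model)."""
    ip: str
    answers_echo: bool                 # replies to ICMP echo request
    drops_closed: bool = False         # silently drops SYNs to closed ports (deny-all firewall)
    open_ports: Set[int] = field(default_factory=set)


# Constructed sample range; addresses without a Host entry are unused.
RANGE_IPS: List[str] = [f"192.0.2.{i}" for i in range(1, 9)]
HOSTS: Dict[str, Host] = {
    "192.0.2.1": Host("192.0.2.1", answers_echo=True, open_ports={22, 80}),
    "192.0.2.2": Host("192.0.2.2", answers_echo=True, open_ports={80, 443}),
    # The "Zone Alarm" case from the thread: echo dropped, closed ports dropped,
    # but a web server is listening on 443.
    "192.0.2.5": Host("192.0.2.5", answers_echo=False, drops_closed=True, open_ports={443}),
    # Echo dropped, but the stack still answers closed ports with RST.
    "192.0.2.6": Host("192.0.2.6", answers_echo=False, open_ports={25}),
}
SCAN_PORTS: List[int] = [22, 25, 80, 443]


def icmp_echo(ip: str) -> bool:
    """True if the address sends an ICMP echo reply."""
    h = HOSTS.get(ip)
    return h is not None and h.answers_echo


def tcp_syn(ip: str, port: int) -> Optional[str]:
    """Model one SYN probe: 'synack' if open, 'rst' if closed and not dropped,
    None if nothing comes back (unused address or silently dropping firewall)."""
    h = HOSTS.get(ip)
    if h is None:
        return None
    if port in h.open_ports:
        return "synack"
    return None if h.drops_closed else "rst"


def ping_sweep(ips: List[str]) -> List[str]:
    """Echo-only sweep: the list Jay says the kiddie builds first."""
    return [ip for ip in ips if icmp_echo(ip)]


def port_scan(ip: str, ports: List[int]) -> Set[int]:
    """SYN scan of one address; returns the ports that answered SYN/ACK."""
    return {p for p in ports if tcp_syn(ip, p) == "synack"}


def sweep_then_scan(ips: List[str], ports: List[int]) -> Dict[str, Set[int]]:
    """Pipeline A (Jay): echo sweep first, port-scan only the responders."""
    return {ip: port_scan(ip, ports) for ip in ping_sweep(ips)}


def scan_everything(ips: List[str], ports: List[int]) -> Dict[str, Set[int]]:
    """Pipeline B (Tim, nmap -Pn style): no discovery, port-scan every address,
    keep those with at least one open port."""
    found: Dict[str, Set[int]] = {}
    for ip in ips:
        opened = port_scan(ip, ports)
        if opened:
            found[ip] = opened
    return found


def multi_probe_discovery(ips: List[str], probe_ports=(443, 80)) -> List[str]:
    """Pipeline C, a simplified version of nmap's default discovery: an address
    is 'up' if it answers echo OR any TCP probe gets a SYN/ACK or an RST back."""
    up = []
    for ip in ips:
        if icmp_echo(ip) or any(tcp_syn(ip, p) is not None for p in probe_ports):
            up.append(ip)
    return up


if __name__ == "__main__":
    print("A sweep-then-scan :", sweep_then_scan(RANGE_IPS, SCAN_PORTS))
    print("B scan everything :", scan_everything(RANGE_IPS, SCAN_PORTS))
    print("C multi-probe up  :", multi_probe_discovery(RANGE_IPS))
```

Pipeline A never touches 192.0.2.5 or .6, which is Jay's point; B and C both find them, which is Tim's, at the cost of probing every address in the range. On a Linux host the echo-only posture in the simulation corresponds to `sysctl -w net.ipv4.icmp_echo_ignore_all=1`; you can see the difference yourself by running `nmap -sn <host>` (discovery only) against it and then `nmap -Pn -p 443 <host>`.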

