Security Basics mailing list archives
Re: ICMP (Ping)
From: Tim Greer <chatmaster () charter net>
Date: 06 Sep 2003 15:11:12 -0700
On Sat, 2003-09-06 at 20:54, Tomas Wolf wrote:
I understand that there are many ways to find out that a machine is there (by just seeing the response if it is "destination unreachable" or "connection reset" or none at all). But I would like to say that there are many students running scripts that sweep IP ranges by ping and "candidates" try for automatic exploitation of pre-defined holes (i.e. look for open 25, sendmail, run exploit for linux, types of unixes, windows, report success....). But of course, a person with some knowledge about the topic will find out if the host is there without the need of ICMP echoes. And yes, as much as we want to pretend there is nothing, trying to get around by fooling fingerprinting tools, there is always a way... But these ways are a bit harder than just ping, fingerprint OS, run exploit... And if the quantity-oriented kiddie sees problems it will discourage some of them to move several IPs down to two or three servers with the lack of security... So by filtering icmps 8&0 one just slightly narrows down the number of potential penetrators...
I suppose it's all about how they hit you and why... and who. I'd assume anyone skilled enough to have any chance at all would at least just check to see if port 80 or 25 was responsive (that sort of thing). It can be done just as easily as a ping check and will show that the system is also running a service to target. I'm sure there are many people that first ping an IP, but there are also many that do not. I would assume that the people that scan for IPs with port 80, 25, etc. to compile a list from would be the ones with the skills to worry about, if any... maybe I'm wrong--it just doesn't take any longer to do more accurate checks than ping responses would offer.

--
Tim Greer <chatmaster () charter net>
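Added example, not part of the original message or thread: a small log check that separates sources doing ICMP echo sweeps from sources that probe port 25/80 directly across several hosts, which is the distinction the two posts argue about. The log lines are constructed (simplified iptables-style fields, documentation addresses), and the threshold of three hosts is an assumption.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (simplified iptables-style LOG fields).
SAMPLE_LOG = """\
IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=ICMP TYPE=8 CODE=0
IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=ICMP TYPE=8 CODE=0
IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40112 DPT=25 SYN
IN=eth0 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
IN=eth0 SRC=203.0.113.44 DST=192.0.2.11 PROTO=TCP SPT=51001 DPT=80 SYN
IN=eth0 SRC=203.0.113.44 DST=192.0.2.12 PROTO=TCP SPT=51002 DPT=80 SYN
IN=eth0 SRC=203.0.113.90 DST=192.0.2.10 PROTO=TCP SPT=33100 DPT=80 SYN
"""

FIELD = re.compile(r"(\w+)=(\S+)")
SWEEP_THRESHOLD = 3  # assumption: distinct hosts probed before a source counts as sweeping


def classify_sources(log_text, threshold=SWEEP_THRESHOLD):
    """Return {src: 'ping-sweep' | 'service-sweep'} for sources probing many hosts."""
    pinged = defaultdict(set)      # src -> hosts sent an ICMP echo request (type 8)
    syn_probed = defaultdict(set)  # src -> hosts sent a TCP SYN
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") == "ICMP" and fields.get("TYPE") == "8":
            pinged[fields["SRC"]].add(fields["DST"])
        elif fields.get("PROTO") == "TCP" and "SYN" in line.split():
            syn_probed[fields["SRC"]].add(fields["DST"])
    verdicts = {}
    for src in set(pinged) | set(syn_probed):
        if len(pinged[src]) >= threshold:
            verdicts[src] = "ping-sweep"      # host discovery relied on echo replies
        elif len(syn_probed[src]) >= threshold:
            verdicts[src] = "service-sweep"   # went straight to the service port
    return verdicts


def unaffected_by_echo_filter(verdicts):
    """Sweeping sources whose host discovery never used ICMP echo."""
    return sorted(src for src, kind in verdicts.items() if kind == "service-sweep")


if __name__ == "__main__":
    result = classify_sources(SAMPLE_LOG)
    for src in sorted(result):
        print(src, result[src])
    print("not slowed by dropping echo requests:", unaffected_by_echo_filter(result))
```

Run against real border logs, the ratio of the two classes gives a rough measure of how much sweep traffic an echo-request filter would actually turn away.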