Security Basics mailing list archives

Re: ICMP (Ping)

From: Tim Greer <chatmaster () charter net>
Date: 06 Sep 2003 15:11:12 -0700

On Sat, 2003-09-06 at 20:54, Tomas Wolf wrote:

I understand, that there are many ways to find out that machine is there 
(by just seeing the response if it is "destination unreachable" or 
"connection reset" or none at all). But I would like to say that there 
are many students running scripts that sweep IP ranges by ping and 
"candidates" try for automatic exploitation of pre-defined holes (ie. 
look for open 25, sendmail, run exploit for linux, types of unixes, 
windows, report success....). But of course, a person with some 
knowledge about the topic will find out if the host is there without the 
need of ICMP echoes.

And yes, as much as we want to pretend there is nothing, trying to get 
around by fooling fingerprinting tools, there is always a way... But 
these ways are a bit harder than just ping, fingerprint OS, run 
exploit... And if the quantity-oriented kiddie sees problems it will 
discourage some of them to move several IPs down to two or three servers 
with the lack of security... So by filtering icmps 8&0 one just slightly 
narrows down the number of potential penetrators...


I suppose it's all about how they hit you and why... and who.  I'd
assume anyone skilled enough to have any chance at all, would at least
just check to see if port 80 or 25 was responsive (that sort of thing). 
It can be done just as easily as a ping check and will show that the
system is also running a service to target.  I'm sure there's many
people that first ping an IP, but there's also many that do not.  I
would assume that the people that scan for IPs with port 80, 25, etc. to
compile a list from, would be the one's with the skills to worry about,
if any... maybe I'm wrong--it just doesn't take any longer to do more
accurate checks than ping responses would offer.
-- 
Tim Greer <chatmaster () charter net>


---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------

Current thread:

RE: ICMP (Ping), (continued)
- RE: ICMP (Ping) Jay Woody (Sep 04)
- RE: ICMP (Ping) SMiller (Sep 04)
  - RE: ICMP (Ping) Tim Greer (Sep 04)
    - RE: ICMP (Ping) Gerard Marshall Vignes (Sep 05)
    - RE: ICMP (Ping) Tim Greer (Sep 05)
    - Re: ICMP (Ping) gregh (Sep 05)
    - Re: ICMP (Ping) Tim Greer (Sep 05)
    - Message not available
    - Re: ICMP (Ping) Tim Greer (Sep 08)
    - Re: ICMP (Ping) gregh (Sep 08)
    - Re: ICMP (Ping) Tomas Wolf (Sep 08)
    - Re: ICMP (Ping) Tim Greer (Sep 08)
- RE: ICMP (Ping) segmentation fault (Sep 04)
  - RE: ICMP (Ping) Aditya (Sep 05)
- RE: ICMP (Ping) Tony Kava (Sep 04)
  - RE: ICMP (Ping) Christos Gioran (Sep 05)
- RE: ICMP (Ping) Jay Woody (Sep 05)
  - RE: ICMP (Ping) Tim Greer (Sep 05)
    - RE: ICMP (Ping) Vineet Mehta (Sep 08)
    - RE: ICMP (Ping) Tim Greer (Sep 08)
- RE: ICMP (Ping) Tony Kava (Sep 05)
- RE: ICMP (Ping) Tony Kava (Sep 05)

(Thread continues...)