Security Basics mailing list archives

Re: ICMP (Ping)


From: "Jay Woody" <jay_woody () tnb com>
Date: Mon, 08 Sep 2003 09:46:15 -0500

There, this one is actually productive, so I'll pop one on here and we
can see if that gets it resolved.

Clearly we disagree about the semantics here.  

I don't think it is really semantics as much as we just believe the
process starts at a different area.

While you are married to the idea that no one will bother 
scanning your server unless it responds to pings, 

Now, that's pretty silly.  I have gone through several times and said
that this is not true 100% of the time.  I have also said that worms will
still hit you, etc.  Responding to pings is not the end all, be all of
security and no one here ever said that it was.  People block pings for
primarily two different reasons.  DoS (or DDoS) attacks and because most
people have seen that many of the script kiddie tools do exactly what I
have said they do.  They ping sweep, then run a port scan against those
that reply, then run a vuln scan against those that have the "correct"
OS, services, etc.  To do otherwise would fill up their logs, etc.  They
just want to click a button and get told who is vulnerable.  All of the
tools that I have seen or heard of do some sort of defining before
running the vuln scan.  The vuln scan is what takes a while, so you want
to do this on as few boxes as possible.  The ping sweeps and port scans
are relatively quick, so that is how you do it.  Write to a guy like
Hackweiser or any of the groups and ask them what tools they use.  I am
no longer into this scene, so I can't give you the new ones, but I am
sure these guys have plenty to tell you.

I am of the opinion and experience on my part dictates, that
many people will cut out the middle man and just scan to see 
if it responds to the specific or general services they are 
targeting and move on if it doesn't respond to those common 
services.

Again, all I can say is that if you are responding to pings, then this
is exactly what you would see.  Meanwhile I see a huge number of ping
sweeps and a relatively small number of port and vuln scans.  Apparently
our experience is different, which is why I said to block pings to begin
with.  :)

I simply said that it will only save you from being scanned 
if someone actually used that method.

I agree 100%.  I simply believe that many of them do and you don't.  No
hard feelings, just we have seen different things.  I might suggest
though that if you block pings, you might see something more like what I
see.

If your system is vulnerable enough to be hit from such a 
person, you have more to worry about than ping 
responses or not.  A skilled enough attacker will not use 
that method to determine what systems are alive or not.

Again 100% agreement.  If you are counting on non-pings as your
security, then you probably didn't make it through Code Red, much less
Nimda, Slammer, Blaster, etc.  I don't claim it to be ALL that you need.
 :)  My statement is just that it stops a great amount of the chatter
from the kiddies.  If you disagree, great, keep accepting them and
watching the other scans.  Obviously, we do more than just drop pings
and I would assume that most do also.

I got to say, I enjoyed this note a lot more than your last (you
probably like my response more too huh? :).  Hopefully, we have each
made our case and people can decide how they wish to proceed from there.
 Good luck man.

JayW

Tim Greer <chatmaster () charter net> 09/05/03 05:45PM >>>
On Fri, 2003-09-05 at 13:35, Jay Woody wrote:
Not really, they will randomly scan and the RETURN to the ones that
replied and run a vuln scan against it.  If you didn't reply to begin
with then they won't be RETURNING.


Clearly we disagree about the semantics here.  While you are married to
the idea that no one will bother scanning your server unless it responds
to pings, I am of the opinion and experience on my part dictates, that
many people will cut out the middle man and just scan to see if it
responds to the specific or general services they are targeting and move
on if it doesn't respond to those common services.

There's no reason to go on arguing about this or insisting it's one way
or another--that is not what I personally meant nor claimed. I simply
said that it will only save you from being scanned if someone actually
used that method.  I've rarely seen people not just randomly scan, if
they're going to randomly collect IPs.  If your system is vulnerable
enough to be hit from such a person, you have more to worry about than
ping responses or not.  A skilled enough attacker will not use that
method to determine what systems are alive or not.
-- 
Tim Greer <chatmaster () charter net>
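
Added example, not part of the original thread or either poster's message: the two positions above can be checked against your own perimeter logs by labelling each source as a ping sweep with no follow-up, a sweep plus a port scan of a pinged host, or a port scan with no ping at all. The log layout (a simplified iptables-LOG-like format), the thresholds and the function names are assumptions, and log order is not considered.

```python
from collections import Counter, defaultdict
# Constructed sample in a simplified iptables-LOG-like layout (not real traffic;
# all addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8
IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=ICMP TYPE=8
IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=ICMP TYPE=8
IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=ICMP TYPE=8
IN=eth0 SRC=198.51.100.9 DST=192.0.2.11 PROTO=ICMP TYPE=8
IN=eth0 SRC=198.51.100.9 DST=192.0.2.12 PROTO=ICMP TYPE=8
IN=eth0 SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP SPT=40001 DPT=21
IN=eth0 SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP SPT=40002 DPT=22
IN=eth0 SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP SPT=40003 DPT=80
IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=135
IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=139
IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=445
IN=eth0 SRC=203.0.113.8 DST=192.0.2.10 PROTO=ICMP TYPE=8
"""

def classify(log_text, sweep_hosts=3, scan_ports=3):
    """Label each source IP by how its TCP probes relate to its pings."""
    pinged = defaultdict(set)                        # src -> hosts sent echo-request
    probed = defaultdict(lambda: defaultdict(set))   # src -> host -> TCP dest ports
    for line in log_text.splitlines():
        f = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        src, dst = f.get("SRC"), f.get("DST")
        if not src or not dst:
            continue                                 # not a packet log line
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            pinged[src].add(dst)
        elif f.get("PROTO") == "TCP" and f.get("DPT", "").isdigit():
            probed[src][dst].add(int(f["DPT"]))
    labels = {}
    for src in set(pinged) | set(probed):
        swept = len(pinged[src]) >= sweep_hosts
        scanned = {h for h, ports in probed[src].items() if len(ports) >= scan_ports}
        if swept and scanned & pinged[src]:
            labels[src] = "sweep-then-scan"   # scanned a host it also pinged
        elif scanned:
            labels[src] = "direct-scan"       # scanned a host it never pinged
        elif swept:
            labels[src] = "sweep-only"        # pinged around, no port scan seen
        else:
            labels[src] = "below-threshold"
    return labels

def summary(log_text):
    """Count sources per label, to compare sweeps against follow-up scans."""
    return Counter(classify(log_text).values())
```

Run over logs from a host that answers echo requests and one that drops them, the ratio of `sweep-then-scan` to `direct-scan` sources is the figure the two posters disagree about.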



