RE: ICMP (Ping)

[Vineet Mehta <vineet () linux com kw>]

i think its just a personal/company policy. hackers who want to hack
your system will do so from not only ICMP attack but from many others
available. So blocking ICMP is just a assurance that some of the hackers
are kept at bay. 

If a company needs icmp for administrative purposes and this needs go
far then stopping icmp then its also right. Coz its all about needs and
fullfilling the business needs.

If a company is blocking ICMP then its his policy if its not then its
his policy, both policies are right from there perspective. We have seen
so many responses on this topic and they all highlight that.

For a real security person, he would definately block ICMP, coz his
systems are dear to him.

this is all i can say.
i hope it was not so bad to digest :(

On Fri, 2003-09-05 at 23:18, Tim Greer wrote:
> On Fri, 2003-09-05 at 07:42, Jay Woody wrote:
> > See, now I have to disagree here.  I'll use web page defacements as an
> > example.  Script Kiddies showed that they did not care who or what they
> > were targeting 90% of the time.
>
> What purpose would seeing a response from a ping serve to a kiddy
> looking to deface web sites?  If they are going to attack you randomly,
> why do you assume that they would stop to think when they are blindly
> attacking networks/ips anyway?
>
> >   They just scan a range and whoever
> > replied they ran a vuln scanner against.
>
>
> Running a scanner to look for open ports of vulnerabilities in services,
> as not going to change because you don't reply to ping requests.  Those
> scans will check the ports and services on said IP--not give up if it
> can't get a ping response.
>
> >   If they could get in and
> > "hack" the web page, they would.
>
> And that doesn't relate to the type of attacks being discussed.  That's
> another, less serious issue anyway.
>
> >   They'd get their "message" out and
> > move on.
>
> No, they'd probe for vulnerabilities by domain or IP, the ping response
> plays no role in that situation.
>
> >   Did some target pro-Israeli sites, etc.?  Of course, but many
> > more were just companies that replied and then had a vuln scan ran
> > against them.
>
> That is irrelevant.
>
> > Here is what it boils down to in my opinion, in the case of a
> > determined hacker that wants you and no one else, then obviously
> > blocking pings ain't gonna cut it.
>
> True.  You're either vulnerable or not.  But it depends on the type of
> attack and on what service or protocol.
>
> >   However, in the case of script
> > kiddies that just scan a range and hit who replies, then blocking pings
> > stops about 95% of them from even going any deeper.
>
> No it doesn't.  Skripties are stupid by nature.  They hit blindly with
> the scanners, the scanners don't give up if there's no ping response,
> they are busy checking to see what's running on the various ports that
> particular scanner scans.  It's almost contradictive to use script
> kiddie and 'dig deeper' in the same sentence.
>
> >   I heard one say (I
> > think it was Hackweiser) that if someone didn't reply, why keep looking
> > at them, there were plenty of other boxes that would reply.
>
> But they aren't looking for boxes that reply to ping requests, they hit
> the IP on various ports to check to see if that port/service responds
> and with what.
>
> >   If all you
> > care is to try and hack 400 boxes, then why waste time?  Just hit the
> > ones that are easy and come back to the hard ones.
>
> Like I said, a dumb ass script kiddie will hit the ports checking the
> services for vulnerable services.  Ping response or not makes absolutely
> no difference.  It's either going to happen or not, random or targeted. 
> If it's random, you'll be hit and probed anyway (being an attach or
> probe).  If it's not random, well, we all know the answer.  I don't see
> the point to that side of this debate.
-- 
Vineet Mehta
Network Security Consultant
Kuwait Linux Company
Kuwait
Ph-2412552/2463633
<vineet [at] linux [dot] com [dot] kw>
www.linux.com.kw

Attachment: signature.asc
Description: This is a digitally signed message part