Security Basics mailing list archives
Re: ICMP (Ping)
From: Tim Greer <chatmaster () charter net>
Date: 08 Sep 2003 09:52:49 -0700
On Mon, 2003-09-08 at 07:46, Jay Woody wrote:
> There, this one is actually productive,
While this is a good way to start off to evade accepting anything else I said in any of the other responses I made as good points, I said nothing different in this one. Also, we are all well aware by now how you insist it must be a specific way.
> so I'll pop one on here and we can see if that gets it resolved.
I don't believe so, given your responses only repeat more of your own personal opinion about it, rather than presenting facts or accepting that this other method can work and is used by many people.
>> Clearly we disagree about the semantics here.
> I don't think it is really semantics as much as we just believe the process starts at a different area.
That is a fine conclusion, so why more to your response? And, why then has the entire argument we've had thus far been based on your insistence that what I outlined is simply _not_ the case no matter how many times I explained it was? This is not a discussion, it's mindless berating. Do you see the problem I have with that, given your insistence ends up being incorrect as a result?
>> While you are married to the idea that no one will bother scanning your server unless it responds to pings,
> Now, that's pretty silly.
Not really, you don't get it, again. You can't come to terms that people will probe without pinging, even if many may ping first.
> I have gone through several times and said that this is not true 100% of the time.
Yes, you did, but you also continued to deny that my statements about witnessing this happen just as much on systems without ping responses are the facts of the matter in what I said. It is, deal with it. You then denied that this is how it will work, you said that they _must_ ping first. Get a clue, they don't have to and they don't. This is the attitude you have shown throughout this nonsense you've spouted out.
> I have also said that worms will still hit you, etc.
Yes, we agree, but so do probes--YES THEY DO!
> Responding to pings is not the end all,
No, of course not. Even the fools that think that's the best method to see if a server is up to even target later, going by your claims (which does happen enough, but like I said, many go right to the source), know this.
> be all of security
Oh, of security...? Well, no kidding!
> and no one here ever said that it was.
No, probably not. However, you insist that this is pretty much a significant improvement upon the security of the system or network simply for dropping ping responses--and that is not true. It doesn't help at all, other than in regards to some very specific attacks--not the lame excuse of whether they will probe your system or move on. However, we've covered that.
> People block pings for primarily two different reasons.
Well, what you claim are the reasons. Did you ever consider that maybe there's a lot of people doing futile things because they aren't educated enough to know this is not going to make any difference? How can I convince you of this, when you insist what you do? Well, I can't, so why debate about it?
> DoS (or DDoS) attacks
Yes, some very specific attacks.
> and because most people have seen that many of the script kiddie tools do exactly what I have said they do.
If that's their experience, fine. My experience in this field for many years and many audits show that this makes no difference. And, like I said, who gives a damn about a script kiddie that's this unskilled to use that method to test if a server is up, when a skilled one will actually just go to the source and see if a web service is up? Like I said, any system with minimal security will not have to worry about the first of those two.
> They ping sweep, then run a port scan against those that reply,
They can and do do this, yes. And, again, many just test for a response on port 80--which will be just as fast, more accurate, and usually let them know the web server type, version, the OS type and version, and many components of the web service as well.
> then run a vuln scan against those that have the "correct" OS, services, etc.
Or they can just make one GET request on port 80 and see it output all this information they can use or skip the system in the first place, which saves the hassle, time and resources of looking just to see what systems are up, only to do the same thing (and possibly more) later.
> To do otherwise would fill up their logs, etc.
Why would it? Huh? I mean, if the ping responds, it's appended to a list of IPs... if a web server responds, its IP is appended to a list of IPs. What's the difference again, besides the method I outlined is faster and more specific and useful to an attacker?
> They just want to click a button and get told who is vulnerable.
Right, and a ping response isn't going to tell them that. And, why would it be any more helpful than actually knowing there's a web server there, where the banner will likely let them know the web server software, version, OS type, any modules on the web server, etc.?
> All of the tools that I have seen or heard of do some sort of defining before running the vuln scan.
That's fair... okay, so find better tools, or just learn a scripting language and actually take maybe 2 to 5 minutes to code up a script to probe just for the specific service and check for port 80 or maybe 25, etc, rather than rely on unhelpful pings?
> The vuln scan is what takes a while,
Yes, that is probably true.
> so you want to do this on as few boxes as possible.
Now, perhaps this is where you failed to understand me. Listen c-a-r-e-f-u-l-l-y..... I will say it again. When I said that script kiddies just probe, not only do that (and yes, waste their time doing it because it takes so long), but I also clearly said (many times), that they will check for one or two specific services--this does NOT take a lot of time.. this is basically just as fast as a ping and you get a lot more information and if they drop ping responses, it won't matter--hence this 'debate'.
> The ping sweeps and port scans are relatively quick.
Okay, perhaps then you failed to understand what I said when I specifically SAID that they can, instead of pinging only, check for an open port--did you miss me saying "they check port 80 or 25" in the last several responses I sent you? I didn't say the more skilled attackers will probe the system, I said they'll check for a specific service because it's more accurate than pings. Hence, why disabling ping responses may save you from the most ignorant script kiddie out there--and why care about them anyway? It will make no difference, since the skilled ones will not use the method you outline to determine if a system is up or a potential target.
> so that is how you do it.
That is one way.
> Write to a guy like Hackweiser or any of the groups and ask them what tools they use.
I don't need to ask someone about something I already know. I know what can be done, how it can be done and how people do it. If you do not, which you don't seem to, I recommend you look into it further.
> I am no longer into this scene,
No longer into _what_ 'scene'? Were you a script kiddie that used these tools to try and attack servers, or are you saying you're no longer into this area of the field, or this field at all? In which case, I have to ask how you can be so sure and insist about things when I've outlined clearly how they work, can work and do work--and outlined the reasons why. Does this mean you just enjoy arguing, or do you have any actual reason to refuse to accept what I said?
> so I can't give you the new ones, but I am sure these guys have plenty to tell you.
Please just listen to what I've said. I hope you do more than rely on what some group of people tell you about.
>> I am of the opinion, and experience on my part dictates, that many people will cut out the middle man and just scan to see if it responds to the specific or general services they are targeting and move on if it doesn't respond to those common services.
> Again, all I can say is that if you are responding to pings, then this is exactly what you would see.
And you're wrong. I've explained why... to death... I reiterate, I see this on systems that are not... and they don't need to... because of the reasons I've repeatedly outlined.
> Meanwhile I see a huge number of ping sweeps and a relatively small number of port and vuln scans.
So?
> Apparently our experience is different, which is why I said to block pings to begin with. :)
But, like I said, it doesn't make any difference... and, even if it does deter the most ignorant script kiddie, it will not help you at all, since more skilled ones will not be using that method, and the more skilled ones are the only ones that have a chance. This is akin to blocking off a street so you don't have to worry about the local kindergarten kids robbing you, when the people that will have a chance will just walk around that block anyway. Me, I just make sure my home is secure from any actual, real threat, and don't worry about the kids on the street, except when I'm driving.
>> I simply said that it will only save you from being scanned if someone actually used that method.
> I agree 100%. I simply believe that many of them do and you don't. No hard feelings, just we have seen different things.
I'm confused, you basically argued in every single response saying that I'm wrong, now to say that we just feel different? Isn't that what I said before it turned into this argument?
> I might suggest though that if you block pings, you might see something more like what I see.
But, you see, like I said, I see this on servers and networks that do have ping responses blocked.
>> If your system is vulnerable enough to be hit from such a person, you have more to worry about than ping responses or not. A skilled enough attacker will not use that method to determine what systems are alive or not.
> Again 100% agreement. If you are counting on non-pings as your security, then you probably didn't make it through Code Red, much less Nimda, Slammer, Blaster, etc. I don't claim it to be ALL that you need. :) My statement is just that it stops a great amount of the chatter from the kiddies.
Yes, stops chatter from the worst of them... I can agree. But why worry about those type?
> If you disagree, great, keep accepting them and watching the other scans.
I don't disagree it may reduce some scans/probes from some script kiddies--I don't see that myself, but sure, if they use the tools you claim... but, like I said, it doesn't matter since those type are not a threat.
> Obviously, we do more than just drop pings and I would assume that most do also.
Yes.
> I got to say, I enjoyed this note a lot more than your last (you probably like my response more too huh? :).
Yes, towards the end here, I think it's more civil and agreeable and sensible. That is all I was saying... and look at the last several arguing posts. I'm not bothered, I think we can both look past that, but this was sure a lot of line noise to get to this point--I thought I was clear. It seems unnecessary.
> Hopefully, we have each made our case and people can decide how they wish to proceed from there. Good luck man.
Yes, that's the main point. My intention, even if I bluntly make the point, is to push people in the right direction in regards to usefulness and why. It's nothing personal, even if I may comment in a manner to lead you to believe otherwise.
--
Tim Greer <chatmaster () charter net>
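The practical core of the exchange above is a detection question: a ping sweep and a "does port 80 (or 25) answer" sweep are both host discovery, and dropping echo requests only changes which of the two a network's logs will show. The following is an added example, not code from the thread or from either poster, that counts distinct destinations per source and per probe kind over constructed, simplified iptables-style log lines (the log format, IP addresses and threshold are all assumptions made for the example). It flags both the ICMP sweep and the TCP SYN sweep, and leaves alone a client that merely retries one server.

```python
import re
from collections import defaultdict

# Constructed, simplified iptables-style firewall log lines (not taken from
# the thread). Three sources are represented: one sweeping four hosts with
# ICMP echo requests, one sweeping the same four hosts with TCP SYNs to
# port 80, and one ordinary client connecting twice to a single web server.
# The last line is an outbound echo reply and should be ignored.
SAMPLE_LOG = """\
Sep  8 09:40:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
Sep  8 09:40:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=ICMP TYPE=8 CODE=0
Sep  8 09:40:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.12 PROTO=ICMP TYPE=8 CODE=0
Sep  8 09:40:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.13 PROTO=ICMP TYPE=8 CODE=0
Sep  8 09:41:10 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=80 SYN
Sep  8 09:41:10 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.11 PROTO=TCP SPT=40002 DPT=80 SYN
Sep  8 09:41:11 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.12 PROTO=TCP SPT=40003 DPT=80 SYN
Sep  8 09:41:11 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.13 PROTO=TCP SPT=40004 DPT=80 SYN
Sep  8 09:42:00 fw kernel: IN=eth0 SRC=192.0.2.50 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=80 SYN
Sep  8 09:42:05 fw kernel: IN=eth0 SRC=192.0.2.50 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=80 SYN
Sep  8 09:42:30 fw kernel: IN=eth0 SRC=203.0.113.10 DST=192.0.2.60 PROTO=ICMP TYPE=0 CODE=0
"""

# The fields we need from a line; TYPE is present for ICMP, DPT and SYN for TCP.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: TYPE=(?P<type>\d+))?(?: CODE=\d+)?"
    r"(?: SPT=\d+)?(?: DPT=(?P<dpt>\d+))?(?P<syn> SYN)?"
)


def parse_line(line):
    """Return the packet fields of one firewall log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def classify(rec):
    """Name the kind of host-discovery probe a packet represents, or None.

    ICMP type 8 is an echo request (a ping). A TCP SYN to a service port is
    the direct "is anything listening on 80 or 25" check the thread discusses,
    which succeeds whether or not the host answers pings.
    """
    if rec["proto"] == "ICMP" and rec["type"] == "8":
        return "icmp-echo"
    if rec["proto"] == "TCP" and rec["syn"] and rec["dpt"]:
        return "tcp-syn/" + rec["dpt"]
    return None


def find_sweeps(log_text, threshold=3):
    """Map (source, probe kind) -> distinct destination count, keeping only
    sources that touched at least `threshold` distinct hosts with one probe kind.

    Counting distinct destinations rather than packets separates a sweep across
    the network from a legitimate client retrying a single server.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        targets[(rec["src"], kind)].add(rec["dst"])
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for (src, kind), n in sorted(find_sweeps(SAMPLE_LOG).items()):
        print(f"{src} swept {n} hosts using {kind}")
```

Run on the sample, both 198.51.100.7 (icmp-echo) and 198.51.100.9 (tcp-syn/80) are reported with four targets each, while 192.0.2.50 is not. If echo requests were dropped at the border, the ICMP row would disappear from any logging done behind the firewall, but the TCP row would be unchanged, which is why detection should key on distinct-destination fan-out per source rather than on the protocol used.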