Security Basics mailing list archives

Re: ICMP (Ping)


From: Tim Greer <chatmaster () charter net>
Date: 08 Sep 2003 09:52:49 -0700

On Mon, 2003-09-08 at 07:46, Jay Woody wrote:
> There, this one is actually productive,

While this is a good way to start off to evade accepting anything else I
said in any of the other responses I made as good points, I said nothing
different in this one.  Also, we are all well aware by now how you
insist it must be a specific way.

> so I'll pop one on here and we
> can see if that gets it resolved.

I don't believe so, given your responses only repeat more of your own
personal opinion about it, rather than presenting facts or accepting
that this other method can work and is used by many people.

> > Clearly we disagree about the semantics here.
>
> I don't think it is really semantics as much as we just believe the
> process starts at a different area.

That is a fine conclusion, so why more to your response?  And, why then
has the entire argument we've had thus far been based on your insistence
that what I outlined is simply _not_ the case no matter how many times I
explained it was?  This is not a discussion, it's mindless berating.  Do
you see the problem I have with that, given your insistence ends up
being incorrect as a result?

> > While you are married to the idea that no one will bother
> > scanning your server unless it responds to pings,
>
> Now, that's pretty silly.

Not really, you don't get it, again.  You can't come to terms that
people will probe without pinging, even if many may ping first.

> I have gone through several times and said
> that this is not true 100% of the time.

Yes, you did, but you also continued to deny that my statements about
witnessing this happen just as much on systems without ping responses
are the facts of the matter in what I said.  It is, deal with it.  You
then denied that this is how it will work, you said that they _must_
ping first.  Get a clue, they don't have to and they don't.  This is the
attitude you have shown throughout this nonsense you've spouted out.

> I have also said that worms will
> still hit you, etc.

Yes, we agree, but so do probes--YES THEY DO!

> Responding to pings is not the end all,

No, of course not.  Even the fools that think that's the best method to
see if a server is up to even target later, going by your claims (which
does happen enough, but like I said, many go right to the source), know
this.

> be all of
> security

Oh, of security...?  Well, no kidding!

> and no one here ever said that it was.

No, probably not.  However, you insist that this is pretty much a
significant improvement upon the security of the system or network
simply for dropping ping responses--and that is not true.  It doesn't
help at all, other than in regards to some very specific attacks--not
the lame excuse of if they will probe your system or move on.  However,
we've covered that.

> People block pings for
> primarily two different reasons.

Well, what you claim are the reasons.  Did you ever consider that maybe
there's a lot of people doing futile things because they aren't educated
enough to know this is not going to make any difference?  How can I
convince you of this, when you insist what you do?  Well, I can't, so
why debate about it?

> DoS (or DDoS) attacks

Yes, some very specific attacks.

> and because most
> people have seen that many of the script kiddie tools do exactly what I
> have said they do.

If that's their experience, fine.  My experience in this field for many
years and many audits show that this makes no difference.  And, like I
said, who gives a damn about a script kiddie that's this unskilled to
use that method to test if a server is up, when a skilled one will
actually just go to the source and see if a web service is up?  Like I
said, any system with minimal security will not have to worry about the
first of those two.

> They ping sweep,
> then run a port scan against those
> that reply,

They can and do do this, yes.  And, again, many just test for a response
on port 80--which will be just as fast, more accurate, and usually let
them know the web server type, version, the OS type and version, and
many components of the web service as well.

> then run a vuln scan against those that have the "correct"
> OS, services, etc.

Or they can just make one GET request on port 80 and see it output all
this information they can use or skip the system in the first place,
which saves the hassle, time and resources of looking just to see what
systems are up, only to do the same thing (and possibly more) later.

> To do otherwise would fill up their logs, etc.

Why would it?  Huh?  I mean, if the ping responds, it's appended to a
list of IPs... if a web server responds, its IP is appended to a list of
IPs.  What's the difference again, besides the method I outlined is
faster and more specific and useful to an attacker?

> They
> just want to click a button and get told who is vulnerable.

Right, and a ping response isn't going to tell them that.  And, why
would it be any more helpful than actually knowing there's a web server
there, where the banner will likely let them know the web server
software, version, OS type, any modules on the web server, etc.?

> All of the
> tools that I have seen or heard of do some sort of defining before
> running the vuln scan.

That's fair... okay, so find better tools, or just learn a scripting
language and actually take maybe 2 to 5 minutes to code up a script to
probe just for the specific service and check for port 80 or maybe 25,
etc., rather than rely on unhelpful pings?

> The vuln scan is what takes a while,

Yes, that is probably true.

> so you want
> to do this on as few boxes as possible.

Now, perhaps this is where you failed to understand me.  Listen
c-a-r-e-f-u-l-l-y..... I will say it again.  When I said that script
kiddies just probe, not only do that (and yes, waste their time doing it
because it takes so long), but I also clearly said (many times), that
they will check for one or two specific services--this does NOT take a
lot of time.. this is basically just as fast as a ping and you get a lot
more information and if they drop ping responses, it won't matter--hence
this 'debate'.

> The ping sweeps and port scans
> are relatively quick.

Okay, perhaps then you failed to understand what I said when I
specifically SAID that they can, instead of pinging only, check for an
open port--did you miss me saying "they check port 80 or 25" in the last
several responses I sent you?  I didn't say the more skilled attackers
will probe the system, I said they'll check for a specific service
because it's more accurate than pings.  Hence, why disabling ping
responses may save you from the most ignorant script kiddie out
there--and why care about them anyway?  It will make no difference,
since the skilled ones will not use the method you outline to determine
if a system is up or a potential target.

> so that is how you do it.

That is one way.

> Write to a guy like
> Hackweiser or any of the groups and ask them what tools they use.

I don't need to ask someone about something I already know.  I know what
can be done, how it can be done and how people do it.  If you do not,
which you don't seem to, I recommend you look into it further.

> I am
> no longer into this scene,

No longer into _what_ 'scene'?  Were you a script kiddie that used these
tools to try and attack servers, or are you saying you're no longer
into this area of the field, or this field at all?  In which case, I
have to ask, how you can be so sure and insist about things when I've
outlined clearly how they work, can work and do work--and outlined the
reasons why.  Does this mean you just enjoy arguing, or do you have any
actual reason to refuse to accept what I said?

> so I can't give you the new ones, but I am
> sure these guys have plenty to tell you.

Please just listen to what I've said.  I hope you do more than rely on
what some group of people tell you about.

> > I am of the opinion and experience on my part dictates, that
> > many people will cut out the middle man and just scan to see
> > if it responds to the specific or general services they are
> > targeting and move on if it doesn't respond to those common
> > services.
>
> Again, all I can say is that if you are responding to pings, then this
> is exactly what you would see.

And you're wrong.  I've explained why... to death...  I reiterate, I see
this on systems that are not... and they don't need to... because of the
reasons I've repeatedly outlined.

> Meanwhile I see a huge number of ping
> sweeps and a relatively small number of port and vuln scans.

So?

> Apparently
> our experience is different, which is why I said to block pings to begin
> with.  :)

But, like I said, it doesn't make any difference... and, even if it does
deter the most ignorant script kiddie, it will not help you at all,
since more skilled ones will not be using that method, and the more
skilled ones are the only ones that have a chance.  This is akin to
blocking off a street so you don't have to worry about the local
kindergarten kids robbing you, when the people that will have a chance
will just walk around that block anyway.  Me, I just make sure my home
is secure from any actual, real threat, and don't worry about the kids
on the street, except when I'm driving.

> > I simply said that it will only save you from being scanned
> > if someone actually used that method.
>
> I agree 100%.  I simply believe that many of them do and you don't.  No
> hard feelings, just we have seen different things.

I'm confused, you basically argued in every single response saying that
I'm wrong, now to say that we just feel different?  Isn't that what I
said before it turned into this argument?

> I might suggest
> though that if you block pings, you might see something more like what I
> see.

But, you see, like I said, I see this on servers and networks that do
have ping responses blocked.

> > If your system is vulnerable enough to be hit from such a
> > person, you have more to worry about than ping
> > responses or not.  A skilled enough attacker will not use
> > that method to determine what systems are alive or not.
>
> Again 100% agreement.  If you are counting on non-pings as your
> security, then you probably didn't make it through Code Red, much less
> Nimda, Slammer, Blaster, etc.  I don't claim it to be ALL that you need.
> :)  My statement is just that it stops a great amount of the chatter
> from the kiddies.

Yes, stops chatter from the worst of them... I can agree.  But why worry
about those types?

> If you disagree, great, keep accepting them and
> watching the other scans.

I don't disagree it may reduce some scans/probes from some script
kiddies--I don't see that myself, but sure, if they use the tools you
claim... but, like I said, it doesn't matter since those types are not a
threat.

> Obviously, we do more than just drop pings
> and I would assume that most do also.

Yes.

> I got to say, I enjoyed this note a lot more than your last (you
> probably like my response more too huh? :).

Yes, towards the end here, I think it's more civil and agreeable and
sensible.  That is all I was saying.. and look at the last several
arguing posts.  I'm not bothered, I think we can both look past that,
this was sure a lot of line noise to get to this point--I thought I was
clear.  It seems unnecessary.

> Hopefully, we have each
> made our case and people can decide how they wish to proceed from there.
> Good luck man.

Yes, that's the main point.  My intention, even if I bluntly make the
point, is to push people in the right direction in regards to usefulness
and why.  It's nothing personal, even if I may comment in a manner to
lead you to believe otherwise.
-- 
Tim Greer <chatmaster () charter net>
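[Editor's note: the message above argues that an attacker who wants web or mail servers will skip ICMP entirely, connect to port 80 or 25 directly, and learn the server software from a single request, so dropping ping replies does not hide the host. The script below is an added example written for this archive page; it is not code from the thread or from either poster. It does the "2 to 5 minute script" the message describes: one TCP connection per port of interest, a HEAD request (rather than the GET mentioned, same headers, no body) where the client must speak first, a plain read of the greeting where the server speaks first (SMTP). The completed handshake is the liveness test. The loopback "services" at the bottom are constructed stand-ins so it runs offline; their banners, the port list and the 2 second timeout are assumptions.]

```python
"""Service-first host discovery: one TCP connection per port, no ICMP.
Added example, not code from the original thread.  The fake loopback
services are constructed stand-ins so it runs offline; ports, banners and
the timeout value are assumptions."""
import socket
import threading
from typing import Dict, Iterable, Optional

TIMEOUT = 2.0  # per-connection timeout in seconds (assumed value)


def parse_server_header(raw: bytes) -> Optional[str]:
    """Return the Server header value from raw HTTP response bytes, if any."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def probe(host: str, port: int, http: bool, timeout: float = TIMEOUT) -> Optional[str]:
    """Connect once; None = closed/filtered, "" = open but silent, else the banner.

    http=True sends a HEAD and returns the Server header.  http=False expects
    the service to speak first (SMTP on 25, SSH on 22) and returns its first
    line.  The completed handshake is the liveness test; ICMP plays no part.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if http:
                s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            data = b""
            try:
                while len(data) < 4096:
                    chunk = s.recv(1024)
                    if not chunk:
                        break
                    data += chunk
                    if (b"\r\n\r\n" if http else b"\n") in data:
                        break
            except socket.timeout:
                pass  # open but silent: still a live host
    except OSError:  # refused, connect timeout, unreachable
        return None
    if http:
        return parse_server_header(data) or ""
    return data.split(b"\n", 1)[0].strip().decode("latin-1", "replace")


def discover(host: str, http_ports: Iterable[int] = (80,),
             banner_ports: Iterable[int] = (25,)) -> Dict[int, str]:
    """Map each open port on host to its banner; closed ports are omitted."""
    found: Dict[int, str] = {}
    targets = [(p, True) for p in http_ports] + [(p, False) for p in banner_ports]
    for port, http in targets:
        banner = probe(host, port, http)
        if banner is not None:
            found[port] = banner
    return found


def fake_service(response: bytes, speaks_first: bool, connections: int = 1) -> int:
    """Constructed loopback stand-in for a target; returns its port.
    speaks_first=True greets like SMTP; False answers a request like HTTP."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)
    port = srv.getsockname()[1]

    def run() -> None:
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.settimeout(TIMEOUT)
                try:
                    if not speaks_first:
                        conn.recv(4096)  # consume the HEAD request
                    conn.sendall(response)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port() -> int:
    """Pick a loopback port nothing listens on (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Assumed banners, modelled on Apache 1.3 and Sendmail replies of the era.
    web = fake_service(b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.27 (Unix)\r\n"
                       b"Content-Length: 0\r\n\r\n", speaks_first=False)
    mail = fake_service(b"220 mail.example.test ESMTP Sendmail 8.12.9\r\n",
                        speaks_first=True)
    for port, banner in discover("127.0.0.1", (web,), (mail, closed_port())).items():
        print(f"{port}/tcp open  {banner}")
```

Against a real target you would call `discover("target", (80,), (25,))`; the closed port in the demo shows that a refused or filtered port is simply left out, which is the same outcome an attacker gets whether or not the host answers ICMP echo. The same behaviour is what `nmap -Pn -p 80,25 target` gives you: `-Pn` skips host discovery (the ping sweep) and probes the listed ports regardless, so a firewall rule that drops echo requests changes nothing about that scan's result.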

