Security Basics mailing list archives

RE: ICMP (Ping)


From: Tim Greer <chatmaster () charter net>
Date: 08 Sep 2003 10:39:32 -0700

On Mon, 2003-09-08 at 10:11, Jay Woody wrote:
> Guys again, I am not saying that you disable pings and walk away, job
> done.  If you do that, you are a moron.  My point is that if you disable
> pings, that is ONE STEP in a myriad of stuff to do.  Let's look at it
> this way, if disabling pings stops one person and you have no need for
> pings, then why not make it a step?

There's no reason other than perhaps annoyances when you're trying to
simply do tests/checks yourself on a network or system, to keep it on.
I don't think there's anything wrong with disabling it, but just do it
for the right reasons.

> Of course my argument is that it
> stops way more than one person.  Tim's argument is that it stops very
> few.  However, if it stops any, then some people would say it was worth
> it.

That's fair.  I personally don't worry, but it's your network and
system, you have the right.  It may reduce the annoyances you see in
your logs, I don't deny that.

> As an aside, Foundstone's tool is incredible.  It zips up to around
> 300K and you guys are right, it port scans like a freaking demon.  Still
> not as fast as pinging, but you guys are right the time is getting
> smaller and smaller.

Right, but I meant just check to see if a few ports are open, not an
entire port scan on an IP... so it's purposeful to a would-be cracker
more than a ping response would be.  I mean, that method is sort of
dated.  But again, it may keep the uneducated defacers away and not fill
up your system logs so much.  However, again, my experience is that
systems and networks with this disabled get hit just as much.  As with
anything, your mileage may vary.

> I still believe that if someone was scanning an entire C range (or God
> forbid a B range), that they would prefer to whittle out the addresses
> that don't respond and not have to wait for the timeouts.

Sure, but again, they can do the same by just checking for port 80 and
25, for example.  It's just as fast and if those aren't there, they
likely have no reason to target it anyway--that is, especially if they
are some script kiddie looking to deface web sites (that would be on
port 80).

> You claim it
> did it all in 30 minutes, but maybe it would have timed out in 5 (just a
> wild guess).

Right, so just check as the above.

> If you are scanning 255 addresses, that is over 21 hours
> of timeouts.  All I am saying is that most of the tools will simply
> whittle out the ones that don't respond that way they don't have to wait
> for a timeout and then run something like this against them.

<snip>
-- 
Tim Greer <chatmaster () charter net>
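
A defender-side illustration of the point argued in this message, that hosts with ping disabled are still found by probes to ports such as 80 and 25: the following is an added example, not part of the original thread. It groups firewall log lines by source and service and flags any source that touches many distinct hosts in a short window. The log format, addresses, threshold and window are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<iso-time> <action> proto=<P> src=<ip> dst=<ip> dpt|type=<n>"
LINE = re.compile(r"(\S+) (\w+) proto=(\w+) src=(\S+) dst=(\S+) (?:dpt|type)=(\d+)")

def find_sweeps(lines, min_hosts=5, window=timedelta(seconds=60)):
    """Return {(src, proto, port_or_type): hosts} for each source that touched
    at least min_hosts distinct destinations on one service within the window."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines in other formats
        ts, _action, proto, src, dst, num = m.groups()
        events[(src, proto, int(num))].append((datetime.fromisoformat(ts), dst))
    sweeps = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= min_hosts:
                sweeps[key] = max(sweeps.get(key, 0), len(distinct))
    return sweeps

def sample_log():
    """Constructed log lines; all addresses are documentation ranges."""
    t0 = datetime(2003, 9, 8, 10, 0, 0)
    out = []
    for i in range(8):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        # Source A: echo requests (ICMP type 8), dropped at the border.
        out.append(f"{ts} DROP proto=ICMP src=198.51.100.7 dst=192.0.2.{10 + i} type=8")
        # Source B: never pings, only connects to ports 80 and 25.
        out.append(f"{ts} ACCEPT proto=TCP src=198.51.100.9 dst=192.0.2.{10 + i} dpt=80")
        out.append(f"{ts} ACCEPT proto=TCP src=198.51.100.9 dst=192.0.2.{10 + i} dpt=25")
        # Ordinary client: many requests, but to a single server.
        out.append(f"{ts} ACCEPT proto=TCP src=203.0.113.5 dst=192.0.2.10 dpt=80")
    return out

if __name__ == "__main__":
    for (src, proto, num), hosts in sorted(find_sweeps(sample_log()).items()):
        print(f"{src} swept {hosts} hosts on {proto}/{num}")
```

Monitoring that keys only on ICMP would report source A and miss source B, which is why dropping echo requests reduces log noise without removing the need to watch for the TCP equivalent.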

