Security Basics mailing list archives

RE: ICMP (Ping)


From: "Jay Woody" <jay_woody () tnb com>
Date: Mon, 08 Sep 2003 12:32:52 -0500

Nicely put.  Wish I had worded it like that to begin with.  Thanks!

JayW

Chris Ess <azarin () tokimi net> 09/08/03 11:38AM >>>
Okay.  We've probably gotten slightly off-topic, but I figured I'd throw my two copper pieces in anyway.  I'll provide one example for why blocking pings might be a good idea...  and one where it doesn't matter if you block them or not.  However, I'm no expert.

* Saved by blocking pings: nmap

Yes, nmap.  Everyone on this list has used nmap or is hopefully familiar with what it does.  For those of you who don't know, nmap is a portscanning utility.

The first thing nmap appears to do before it actually runs a scan is ping the host.  If it cannot ping the host, it returns:

Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

nmap can be used to scan a host or a network.  It's not a very nice or graceful way but it works.  And, hey, Joe Q. Script-Kiddie doesn't care if it's graceful as long as it works.

In this case, if you block pings, nmap won't bother to scan your machine unless the person running it has specified '-P0' on the command line.  In which case, he'd better not be expecting results anytime soon.

He can still come back later and run another scan, but if we assume that he's running nmap as his opening move, a machine that does not ping will be that much less likely to be targeted.

But... if his opening move is different, how much safer will you be?

This takes us to...

* W32.Blaster.Worm et al

Why am I bothering to include a worm here, you may wonder.

To really oversimplify things, what is a worm other than a vulnerability scanner that then exploits said vulnerability?  (As I said, to really oversimplify things.)

Worms, and many vulnerability scanners, do not necessarily ping a host before they try to connect.  In fact, I do not know of a worm that does ping the host whose IP it randomly generates before it tries to test (and then possibly exploit) the host.  Some vulnerability scanners may not bother to ping because people have been blocking pings or other ICMP traffic from their machines -- or maybe just because it's too much bother.  (If the machine isn't running a service, you'll just time out after five minutes or so and keep going.)


Blocking pings or other ICMP traffic is not the magic piece of armor that will protect you from being attacked.  It's a deterrent, nothing more.  Think of it like barbed wire on the top of a fence -- some people will stay away from it and decide not to mess with whatever's inside, while those who really want to get in will continue to attempt different measures to gain entry.  However, the barbed wire is no replacement for other, stronger measures, like electrifying the fence, employing armed guards and vicious dogs, and, for the extremely paranoid, land mines.

Blocking pings is ultimately the decision of the administrators running the machine or network.  For the paranoid, dropping pings is probably best for them.  For my personal machine at home, though, I don't think the risk from responding to pings is high enough to cause concern.  And, for the moment, having it respond to pings is useful to me.

Sincerely,


Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
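As an added example, not part of the thread and not code from either poster: a small Python script that sorts probing hosts by whether they sent an ICMP echo request before their first TCP probe, run over a constructed firewall log in a hypothetical line format. It separates the nmap-style "ping first" behaviour from the worm-style "straight to the port" behaviour described above, which is the traffic an ICMP drop rule never sees anyway.

```python
from datetime import datetime, timedelta

# Constructed sample firewall log (hypothetical format, not any real product's):
# "<ISO timestamp> <src> -> <dst> <proto> <detail>"
SAMPLE_LOG = """\
2003-09-08T11:30:00 198.51.100.7 -> 192.0.2.10 ICMP echo-request
2003-09-08T11:30:01 198.51.100.7 -> 192.0.2.10 TCP 22
2003-09-08T11:30:01 198.51.100.7 -> 192.0.2.10 TCP 80
2003-09-08T11:31:05 203.0.113.9 -> 192.0.2.10 TCP 135
2003-09-08T11:31:06 203.0.113.9 -> 192.0.2.11 TCP 135
2003-09-08T11:40:00 198.51.100.8 -> 192.0.2.10 ICMP echo-request
"""

# How long after an echo request a TCP probe still counts as "pinged first".
PING_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Return (timestamp, src, proto, detail) for one log line."""
    ts, src, _arrow, _dst, proto, detail = line.split(maxsplit=5)
    return datetime.fromisoformat(ts), src, proto, detail


def classify_sources(log_text, window=PING_WINDOW):
    """Map each source address to one of:
    'pinged-first' - echo request, then TCP probe within the window (nmap-style)
    'no-ping'      - TCP probe with no preceding echo request (worm-style)
    'ping-only'    - echo request but no TCP probe seen
    """
    first_echo = {}  # src -> time of its first echo request
    first_tcp = {}   # src -> time of its first TCP probe
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, proto, detail = parse_line(line)
        if proto == "ICMP" and detail == "echo-request":
            first_echo.setdefault(src, ts)
        elif proto == "TCP":
            first_tcp.setdefault(src, ts)
    verdict = {}
    for src in set(first_echo) | set(first_tcp):
        echo, tcp = first_echo.get(src), first_tcp.get(src)
        if tcp is None:
            verdict[src] = "ping-only"
        elif echo is not None and echo <= tcp <= echo + window:
            verdict[src] = "pinged-first"
        else:
            verdict[src] = "no-ping"
    return verdict
```

Sources tagged "no-ping" are the ones a ping-blocking policy does nothing about; they are a better starting point for alerting than echo requests themselves.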

---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm 
----------------------------------------------------------------------------
