Security Basics mailing list archives

RE: ICMP (Ping)


From: Tony Kava <securityfocus () pottcounty com>
Date: Mon, 8 Sep 2003 15:50:12 -0500

Possible summary:

Q: Should ICMP echo requests be dropped?
A: Maybe.

Stance 1: Drop ICMP echo requests.  Responding to the requests tells script
kiddies and other lesser life forms that you're up and a possible target.
You can avoid wasting your time avoiding common attacks that shouldn't be
successful anyway.

Stance 2: Respond to ICMP echo requests.  Responding provides a simple test
of the link, and complies with aging standards.  You will definitely appear on
script kiddy radar.  You may open yourself up to possible DoS attacks.

If you don't have a strong reason to respond to ICMP echo requests you can
drop those packets.  You may be better off that way.  Die-hard optimists
will continue to respond out of nostalgia for the friendly network the
internet once was.  The majority opinion seems to be that responding to ICMP
echo requests is no longer necessary and may be harmful.

There is no zero or one answer to this in my opinion.  There may be other
factors that you should weigh.  Is your internet connection so vital that a
DoS attack of any kind will harm you? Do you have enough bandwidth to swim
with a DoS attack? Is your ISP's customer service good enough that you can
rely on their help to mitigate a DoS attack (without waiting 24 hours for a
callback)?

--
Tony Kava
Network Administrator
Pottawattamie County, Iowa



-----Original Message-----
From: Preston Newton [mailto:preston.newton () equipnetworks com]
Sent: Monday, 08 September, 2003 14:22
To: security-basics () securityfocus com
Subject: RE: ICMP (Ping)


2 more cents to add to the million dollars that we've accumulated on
this topic.

hping can "ping" a TCP port, so ICMP blocks are null and void against
this type of "ping".  So any person with basic shell skills could write
a script to utilize hping and compile a list of open ports into a file
about systems...


http://www.hping.org/


On Mon, 2003-09-08 at 12:56, Tim Greer wrote:
On Mon, 2003-09-08 at 09:38, Chris Ess wrote:
Okay.  We've probably gotten slightly off-topic, but I figured I'd throw
my two copper pieces in anyway.  I'll provide one example for why blocking
pings might be a good idea...  and one where it doesn't matter if you
block them or not.  However, I'm no expert.

* Saved by blocking pings: nmap

Yes, nmap.  Everyone on this list has used nmap or is hopefully familiar
with what it does.  For those of you who don't know, nmap is a
portscanning utility.

The first thing nmap appears to do before it actually runs a scan is ping
the host.  If it cannot ping the host, it returns:

Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

This is a fair point, and I don't disagree with it.  As I said, this
method can be used, and it depends on the tool.  There's no reason to
use nmap, etc., when you can just have a script connect to port 80 or 25
on an IP and see if there's a response.

Most of this discussion encompasses the tools used, as with pretty much
any debate about what will help or not.  No doubt lots of people use the
above method, but many do not.  I certainly agree it may cut down on the
noise, but my experience has been little to none.
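
Added example, not from any poster in this thread: a defender-side Python log summary showing what the two cases discussed above (a scanner that stops when its ping is dropped, and a TCP-based check that ignores the ICMP block) look like in firewall logs. The log lines are constructed, the DROP/ACCEPT words are an assumed `--log-prefix`, accepted SYNs are assumed to be logged, and the function names are hypothetical.

```python
from collections import defaultdict
# Constructed sample: netfilter-style LOG lines. The DROP/ACCEPT word is an
# assumed --log-prefix; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sep  8 14:01:02 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
Sep  8 14:03:10 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0 ID=912 SEQ=1
Sep  8 14:03:11 fw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40112 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  8 14:03:11 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40113 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  8 14:09:40 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  8 14:09:41 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Return (verdict, KEY=VALUE fields, bare flag tokens), or None if not a LOG line."""
    _, sep, body = line.partition("kernel: ")
    tokens = body.split()
    if not sep or not tokens:
        return None
    fields = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    flags = {t for t in tokens[1:] if "=" not in t}
    return tokens[0], fields, flags

def summarize(log_text):
    """Per source: dropped echo requests, and initial SYNs accepted/dropped by port."""
    stats = defaultdict(lambda: {"echo_dropped": 0, "syn_accepted": set(), "syn_dropped": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or "SRC" not in parsed[1]:
            continue
        verdict, f, flags = parsed
        s = stats[f["SRC"]]
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8" and verdict == "DROP":
            s["echo_dropped"] += 1
        elif f.get("PROTO") == "TCP" and "DPT" in f and "SYN" in flags and "ACK" not in flags:
            s["syn_accepted" if verdict == "ACCEPT" else "syn_dropped"].add(int(f["DPT"]))
    return dict(stats)

def classify(stats):
    """Label each source by how far it got once echo requests were dropped."""
    labels = {}
    for src, s in stats.items():
        probed_tcp = bool(s["syn_accepted"] or s["syn_dropped"])
        if s["echo_dropped"] and not probed_tcp:
            labels[src] = "stopped-at-ping"   # gave up after the dropped ping
        elif s["echo_dropped"]:
            labels[src] = "ping-then-tcp"     # the ICMP block did not end the probe
        elif probed_tcp:
            labels[src] = "tcp-only"          # also what an ordinary client looks like
    return labels
```

Running `classify(summarize(SAMPLE_LOG))` labels the first source as stopped at the ping and the other two as having reached TCP services regardless of the ICMP drop.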
