Security Basics mailing list archives

RE: ICMP (Ping)


From: "McGill, Lachlan" <mcgilll1 () anz com>
Date: Tue, 9 Sep 2003 08:34:07 +1000

We must also remember that the variant of the Blaster worm: Nachi used ICMP pings to determine the next host to infect. 
Blocking ICMP in this instance would have been an effective deterrent.

-----Original Message-----
From: Chris Ess [mailto:azarin () tokimi net]
Sent: Tuesday, 9 September 2003 2:38 AM
To: security-basics () securityfocus com
Subject: RE: ICMP (Ping)


Okay.  We've probably gotten slightly off-topic, but I figured I'd throw
my two copper pieces in anyway.  I'll provide one example for why blocking
pings might be a good idea...  and one where it doesn't matter if you
block them or not.  However, I'm no expert.

* Saved by blocking pings: nmap

Yes, nmap.  Everyone on this list has used nmap or is hopefully familiar
with what it does.  For those of you who don't know, nmap is a
portscanning utility.

The first thing nmap appears to do before it actually runs a scan is ping
the host.  If it cannot ping the host, it returns:

Note: Host seems down. If it is really up, but blocking our ping probes,
try -P0

nmap can be used to scan a host or a network.  It's not a very nice or
graceful way but it works.  And, hey, Joe Q. Script-Kiddie doesn't care
if it's graceful as long as it works.

In this case, if you block pings, nmap won't bother to scan your machine
unless the person running it has specified '-P0' on the command line.  In
which case, he'd better not be expecting results anytime soon.

He can still come back later and run another scan, but if we assume that
he's running nmap as his opening move, a machine that does not ping will
be that much less likely to be targeted.

But... if his opening move is different, how much safer will you be?

This takes us to...

* W32.Blaster.Worm et al

Why am I bothering to include a worm here, you may wonder.

To really oversimplify things, what is a worm other than a vulnerability
scanner that then exploits said vulnerability?  (As I said, to really
oversimplify things.)

Worms, and many vulnerability scanners, do not necessarily ping a host
before they try to connect.  In fact, I do not know of a worm that does
ping the host whose IP it randomly generates before it tries to test (and
then possibly exploit) the host.  Some vulnerability scanners may not
bother to ping because people have been blocking pings or other ICMP
traffic from their machines -- or maybe just because it's too much bother.
(If the machine isn't running a service, you'll just time out after five
minutes or so and keep going.)


Blocking pings or other ICMP traffic is not the magic piece of armor that
will protect you from being attacked.  It's a deterrent, nothing more.
Think of it like barbed wire on the top of a fence -- some people will
stay away from it and decide not to mess with whatever's inside, while
those who really want to get in will continue to attempt different
measures to gain entry.  However, the barbed wire is no replacement for
other, stronger measures, like electrifying the fence, employing armed
guards and vicious dogs, and, for the extremely paranoid, land mines.

Blocking pings is ultimately the decision of the administrators running
the machine or network.  For the paranoid, dropping pings is probably best
for them.  For my personal machine at home, though, I don't think the risk
from responding to pings is high enough to cause concern.  And, for the
moment, having it respond to pings is useful to me.

Sincerely,


Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)

---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------
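The two flows the thread contrasts (nmap pinging before it scans, and a worm or vulnerability scanner going straight to the service port) modelled in code. This is an added example, not code from either poster or from nmap itself; it builds a real ICMP echo request with an RFC 1071 checksum, validates the reply the way a discovery probe must, and then shows the decision nmap's default host discovery makes when the echo goes unanswered. The `FakeHost` class is a constructed stand-in so the example runs offline; the ident/seq values, the payload and the port numbers are arbitrary. Note that the `-P0` flag quoted above has since been renamed `-Pn` in nmap, with the same meaning: skip discovery and scan anyway.

```python
"""Host discovery (nmap-style) versus ping-less scanning (worm-style).

Added example for the "ICMP (Ping)" thread; not code from the posters or from nmap.
Assumptions: no real network is used (FakeHost below stands in for a target),
and ident/seq/payload/port values are arbitrary.
"""
import struct
from dataclasses import dataclass, field

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP type 8 / code 0 echo request: the probe nmap sends by default before scanning."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo_reply(packet, ident: int, seq: int):
    """Return the payload if `packet` is a checksum-valid echo reply for ident/seq, else None."""
    if not packet or len(packet) < 8 or inet_checksum(packet) != 0:
        return None
    typ, code, _csum, pid, pseq = struct.unpack("!BBHHH", packet[:8])
    if typ != ICMP_ECHO_REPLY or code != 0 or pid != ident or pseq != seq:
        return None
    return packet[8:]


@dataclass
class FakeHost:
    """Constructed stand-in for a target so the example runs offline (assumption, not a real socket)."""
    answers_ping: bool
    open_ports: set = field(default_factory=set)

    def icmp(self, request: bytes):
        """Echo the request back as a type 0 reply, or None if the host filters echo requests."""
        if not self.answers_ping:
            return None
        typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", request[:8])
        if typ != ICMP_ECHO_REQUEST:
            return None
        payload = request[8:]
        header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq)
        csum = inet_checksum(header + payload)
        return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, csum, ident, seq) + payload

    def tcp_connect(self, port: int) -> bool:
        """A TCP handshake succeeds only on a listening port; the ICMP policy plays no part."""
        return port in self.open_ports


def nmap_style_scan(host: FakeHost, ports, skip_discovery: bool = False) -> dict:
    """Default nmap flow: host discovery first; without -P0/-Pn a silent host ends the scan."""
    if not skip_discovery:
        ident, seq = 0x1234, 1                      # arbitrary values
        reply = host.icmp(build_echo_request(ident, seq, b"nmap"))
        if parse_echo_reply(reply, ident, seq) is None:
            # This is the point at which nmap reports "Host seems down ... try -P0".
            return {"status": "down", "open": []}
    return {"status": "up", "open": sorted(p for p in ports if host.tcp_connect(p))}


def worm_style_scan(host: FakeHost, port: int) -> bool:
    """Worm / vulnerability-scanner flow: no ping at all, straight to the service port."""
    return host.tcp_connect(port)


if __name__ == "__main__":
    quiet = FakeHost(answers_ping=False, open_ports={135, 445})   # drops echo requests
    print(nmap_style_scan(quiet, [135, 445]))                       # reported down, nothing scanned
    print(nmap_style_scan(quiet, [135, 445], skip_discovery=True))  # scanned anyway with -P0/-Pn
    print(worm_style_scan(quiet, 135))                              # True: blocking ping changed nothing
```

The last line of the `__main__` block is the whole argument of the thread in one call: a scanner that never pings is unaffected by an echo-request filter. One practical caveat when acting on this: if you do filter, drop echo requests (type 8) rather than all of ICMP, because type 3 "destination unreachable" messages, code 4 "fragmentation needed" in particular, are what path MTU discovery relies on, and silently dropping them breaks connections in ways that are hard to diagnose.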