RE: ICMP (Ping)

["Jay Woody" <jay_woody () tnb com>]

Thanks john.  We covered this one ad nauseam.  I think nmap actually
does a ping sweep unless you tell it not to, but that is from memory and
I am not at the PC that this is loaded on right now.  We've covered this
one past the point of being useful now, but thanks for the tip.  I hope
everyone on the list has indeed checked nmap out by now.

JayW

> > > <jfastabe () up edu> 09/08/03 06:34PM >>>
Jay,

I think you should check out a security tool known as nmap "network
mapper" at www.insecure.org.  I believe it is fairly popular as far as
scanners go and it doesn't just do a ping sweep unless you ask it to.
If I was looking for something to break into I would go this route why
bother checking for ping replies  when you can just send out syn
packets
to port
80 or 21 or whatever you are looking for?

by the way I allow ping request/replies but that is just my preference.
I
would think, though i am not an expert, that the only dangerous icmp
types
to allow would be any of the redirects.

john


> On Mon, 2003-09-08 at 07:29, Jay Woody wrote:
> > > > How what works?  How you assume they will attack the network
> > > > or probe it?
> >
> > How I and everyone that has replied to this thread other than you
seems
> > to think it works.
>
> No, just you have said this is _how_ it works.  We all _know_ this
is
> 'one way" it _could_ work... but you say that it's 'unlikely' or
that
> "no, that's not correct" when I stated people will just probe and
not
> care about a ping response.  Deal with it.
>
> >   Take a look at alldas or attrition.  Those guys have
> > been gathering that info for years.  It is not an assumption but
rather
> > how the industry has reported it for years now.
>
> So what!?
>
> > > > Most just simply run them.  If they are up, they are up.
> >
> > Again, not really how it works,
>
> Like I said "It really is".
>
>
> >  but if it makes you feel better fine.
>
> "I know you are, but what am I?".  Get real.
>
> > They ping first, compile a list and then run a port scan against
that
> > list and compile another list.
>
> Some might.  All do not.  Many do not.
>
> >   They then run a vuln scan against that
> > list.
>
> Yes, yes, you keep saying that...  I know, I know, you won't listen.
>
> >   There a several pre-made tools that do this for you.  Their
> > source code is available.  Please feel free to find them and take
a
> > look.
>
> I recommend you look into tools I mentioned.  Get out in that 'big
> world', it's true!
>
>
> >   To go straight to running a vuln scan against a box that isn't
up
> > would just fill your logs up with crap that would require them to
parse
> > it, etc.
>
> Yes and no.  It depends on the tool and hot it reacts, just like it
does
> for a ping.  Is port 80 alive and responsive?  Yes?  Okay, add that
to a
> 'list', apparently.
>
>
> >   They just simply don't care enough to take the time.
>
> Yeah, script kiddies are rrreeeeaaal smart.
>
> >   If you
> > think they do fine,
>
> If I _think_ they do?  What don't you GET here?
>
> >  but many people have seemingly responded along the
> > same lines that I have, so obviously I am not alone in my
"assumption".
> I've repeated several times that people may do this in the way you
> outline.  MY point was that many do NOT.  How is that not sinking
in?
> > > > Yes, actually, 'they' do.
> >
> > We could do this all day man, pull the tools down and look at
them.
> > They don't.
>
> So _freaking_ what!?  _Many do_, is the point.
>
> >   Aside from the mindless worms that go out and do this, when
> > a kiddie is doing it, he narrows it down first and then runs as
needed.
> Oh sure, because they are really 'skilled', right?  Geez.
>
> > Obviously not 100% of the time, but a great huge majority.
>
> Says you.  So many do not rely on ping responses, that I'd doubt the
> majority were using this method you outline and seem to have trouble
> imagining any other way.
>
> >   That is what
> > most if not all of the people that have responded thus far have
said
> > also.
>
> Yes, you have to keep reassuring yourself.  However, this is
irrelevant
> and untrue even at that.  People said it won't make any difference. 
Go
> on, count how many of the responses agree that disabling ping
responses
> will protect your system from script kiddies.
>
> > > > Not really.  Some people may do that, but experience
> > > > dictates otherwise.
> >
> > Not seemingly from all the replies that I have seen.
>
> Yes, you keep saying that.  Do you not respond based on knowledge
and
> experience?  Do you need to keep reassuring yourself this way?
>
> >   Experience
> > dictates that most do that and that is why many people block
pings.
> No, you state this out of what you think others have said.  This is
> _not_ why most people block ping responses.  If they are, they are
doing
> so out of ignorance.
>
> > > > The people that randomly probe just do it, they don't
> > > > make a list to spend a lot of time on unless it's an
intentional,
> > > > known target they have some desire to break into.
> >
> > This is correct and that probe starts with a ping sweep.
>
> Enough already!  This is getting really old.  If you don't know,
just
> say so.  Educate yourself, but stop whining this same thing each
time,
> it's not the facts because you simply SAY SO!  It DOES NOT (i.e.,
DOES
> NOT) *always* have to start this way and very often does NOT start
this
> way--they WILL probe the servers without HAVING to compile a list of
> systems that only just respond to ping requests!  Obviously you're
new
> at this to act this way and simply mindlessly INSIST that this is
_the
> way_ it works.
>
> > > > If you are correct and someone collects a list of
> > > > "I'm live, I'm here" responding Ips are to later be
> > > > targeted, that's one thing, but I've never seen that.
> >
> > Then feel free to go download a couple of the tools and source
codes.
> Why should *I* do this because *you* don't know how it works?
>
> > I can go as far as to say that I have never seen a tool that
didn't
> > whittle it down before running the vuln scan.
>
> So?  Because you don't know, this is my problem?  You continue to
insist
> it must work a specific way only.  You aren't even listening, at
all.
> >   I'm sorry that you have
> > never apparently seen this.
>
> Why are you sorry?  Who said I've not seen these tools?  I stated
that,
> yes, people can and do first ping... I then stated that many do not
and
> just to go to source and check for a web service instead of
> pings--basically accomplishing the same thing, but with more
accurate
> and specific results.  Again, you're going to have to deal with
that.
> >   Perhaps this is because you are replying to
> > pings and therefore see a lot of port scans and vuln scans that
many of
> > the rest of us don't.
>
> If you say so... You just can't possibly accept any reality that
> contradicts your uneducated opinion that you insist has to be the way
it
> is.  In fact, this appears to he the cornerstone of your knowledge
in
> this area--ignorance is bliss, I guess.
>
> > I never said that all you have to do is block pings and you are
secure.
> You seem to think that you won't be hit unless you either respond to
> pings or are already a target.  After all, just above, you again have
to
> try and justify your claims by saying "You're probably being probed
> because you respond to pings", when I clearly explained that many
> systems and networks that did not still were probed just as much as
> systems and networks they do.  This doesn't reflect well on you or
your
> argument.  Why, in fact, is it even an argument?  Can't you simply
> accept the fact that this is the reality of it?  Maybe imagine how
you
> look to people that know better, when you insist that it _must be_
this
> certain way, when it's not?
>
> >  You asked how does it help and I have explained it now in detail.
>
> Now, actually the OP asked, you said, I said "No".  You didn't listen
to
> what I was saying.  I asked how you _think_ that will help and you
> offered the answer I expected.  Live in bliss if you want.
>
> >   If
> > you don't agree, cool.
>
> Apparently it's not "cool", when you refuse to acknowledge anything
> someone says that obviously knows a lot more about this subject and
the
> technicalities than you.  Fine, this is security-basis, after all,
but I
> will call you on it if you give out wrong, bad/dangerous or ignorant
> advice, for others will be at risk as you are living in this
ignorant
> bliss.  You can insist all you like, but I will call you on it.
>
> >   Don't block them.
>
> I don't need your permission.
>
> >   You asked I answered and now
> > you want to get petty.
>
> You mean sort of like insisting that I either "don't know" or what I
say
> isn't true, based on what I explained about how every system and
network
> I've seen that disabled ping responses gets the same amount of
probes
> and attacks as networks that do respond?  Yeah, don't let me get
petty,
> you keep acting like a maniac and insisting that you know best about
> something you obviously don't know best about.  Perhaps you don't
know
> enough about it, but it's your job to educate yourself if you intend
to
> argue about it--let alone, to give out advice that's incorrect. 
Yeah,
> how petty of me to point that out and not put up with your flack
where
> you try and insist that people giving out real, correct information
are
> wrong.  Good for you...
>
> >   Again, please just download the tools.
>
> You again miss the entire point.  I don't need to download any tools
> specific to the method you outline, you need to download tools
specific
> to the method that *I* have.  If you can't find one, it would take a
> minute to write one.
>
> >   This is
> > getting old with me saying, yes they do and you saying no they
don't.
> Exactly, so base your claims on facts, not what you want to insist
upon
> without any actual basis for the claims you male.
>
> > You know my and a majority of the posters opinion.
>
> I know you claim to share the majority of the poster's opinions,
based
> on maybe 2 others agreeing with this assumption you have.  If you
think
> that means something or you have to reassure yourself that way, so
be
> it.  The facts are simply, pings are not the only way attackers rely
on
> when compiling a list of targets.
>
> >   I offered you an
> > option of consulting known gatherers of defacements,
>
> Why exactly would I need to do this?  This is irrelevant what some
> people may or may not do.  You may do the same, why don't _you_?  Or
> maybe consult some people that know better what they are doing than
the
> people you consult to see the use real, useful tools for their
tasks?
> >  looking at the
> > tools they use and looking at the replies from a majority of people
that
> There you go again with the "Majority of people".  And, wrong again.
> You are not the majority of the people here.  Two others, I believe
said
> this same claim you did, also based on the same ignorance.  They
perhaps
> have educated themselves rather than refused to listen and insist
this
> nonsense you are.  The majority of people have outlined ways to
prevent
> attacks, not web site defacers.  This is all kids stuff you're
talking
> about and even serious (e.g., the actual threats in that field)
one's
> are going to use more specific and accurate methods to accomplish
their
> task.
>
> > say they do it for DoS reason
>
> Right, and not for the *reason* you claim.
>
> >  and the ones that I have said in here
> > several times.
>
> No, that was just you.
>
> >   If you would like to write to me off-list to continue
> > mindless arguing of Yes they do, No they don't, feel free.
>
> I will respond here, I have no desire to correct you in private to
> yourself. I do so only for the purpose of helping to prevent others
that
> don't know better, from believing what you claim, based on you not
> knowing better.  If you're too arrogant or clueless to get it still,
so
> be it.
>
> >   If not, you
> > know how I and a great many people feel.
>
> Like I said, you can keep adding to the number of the masses you
claim
> agree with you, but I count two, and I saw more disagree anyway. 
And,
> who cares?  Don't let that dictate what you know--that is to say, if
you
> actually knew... which you don't.  So, stop this immature behavior.
>
> >   You asked,
>
> No, I didn't ask.  Don't try and make this out to look as if I asked
you
> because I didn't know.  I asked how you think it'll help, because it
> will not.  I explained why it won't and the facts, and you still
insist
> otherwise.  So, you had no intention or ability to discuss this.
>
> >  I explained.
>
> No, you insisted based on your incorrect opinion.
>
> >   Your
> > choice follows that one.
>
> As does yours, young Skywalker.
>
> >   Peace.
>
> Yeah, I'm sure...
>
>
> --
> Tim Greer <chatmaster () charter net>
---------------------------------------------------------------------------
> Captus Networks
> Are you prepared for the next Sobig & Blaster?
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Precisely Define and Implement Network Security
>  - Automatically Control P2P, IM and Spam Traffic
> FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
> http://www.captusnetworks.com/ads/42.htm 
----------------------------------------------------------------------------
>




---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------