ICMP (was: daily internet traffic report)

[Frank de Wit <frankdewit () home nl>]

I thought I asked a question ; the answer 'yes' should have been 
sufficient ;-)
Just joking, let's ask two other questions:
-when you read about ICMP fingerprinting (see Ofir Arkin's great articles)
-and you see tools like Xprobe and a lot of other OS-fingerprinting tools
I might be wrong, but:
a) do you still think ICMP is a good thing in relation to security (by 
obscurity)?
b) why would you need ICMP from the internet to your perimeter/DMZ-devices?

Hojje, Frank

Willem Koenings wrote:

>  
>
> > are they? 
> > do you remember 'firewalking'? 
> >    
>
> sorry, but firewalking is not icmp-only technique and don't
> use full range of icmp types/codes.
> by firewalking you use tcp or udp packets (depends, which
> protocol acl you want to study) with one bigger TTL than
> target and monitor results via icmp type 11.
>
> if you really afraid firewalking, then instead of closing
> down all icmp you can close down only type 11. and nat
> firewall protects you from firewalking anyway.
>
> what i want to say? blindly closing down things is easiest
> thing to do. but doing so you are not on the top of the problem
> and you don't control things. get down to the problem and fix
> things. there's one too many black hole routers in the world
> and availability is also an security attribute.
>
> al the best,
>
> W.
>  

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html