Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ICMP (Ping)

From: Tomas Wolf <tomas () skip cz>
Date: Sat, 06 Sep 2003 23:54:49 -0400
I understand, that there are many ways to find out that machine is there (by just seeing the response if it is "destination unreachable" or "connection reset" or none at all). But I would like to say that there are many students running scripts that sweep IP ranges by ping and "candidates" try for automatic exploitation of pre-defined holes (ie. look for open 25, sendmail, run exploit for linux, types of unixes, windows, report success....). But of course, a person with some knowledge about the topic will find out if the host is there without the need of ICMP echoes.
And yes, as much as we want to pretend there is nothing, trying to get around by fooling fingerprinting tools, there is always a way... But these ways are a bit harder than just ping, fingerprint OS, run exploit... And if the quantity-oriented kiddie sees problems it will discourage some of them to move several IPs down to two or three servers with the lack of security... So by filtering icmps 8&0 one just slightly narrows down the number of potential penetrators... 

Tomas

Tim Greer wrote:


On Thu, 2003-09-04 at 10:23, SMiller () unimin com wrote:

Regarding the oft cited admonition against "security by obscurity":
according to Bruce Schneier this is "Kerckhoffs' Principle", formulated in
1883 by Auguste Kerckhoffs, and as such is narrowly applicable only to
algorithms used for cryptography.  It may or may not apply to other and
more generalized security issues, those cases must be evaluated
individually. Regarding ICMP: 

Fun stuff... what some people seem to fail to understand, is that it's
unlikely someone's going to randomly probe for IP's to just randomly
attack.  The type of attacks that people launch are going to be from
people that know you're there anyway.... otherwise if they are mindless
enough, they will apparently attack the IP they didn't check to see if
it's there.

A network is going to be attacked if it's a target... if it is, you can
toss any responses you like and pretend there's nothing but a big, black
hole in cyberspace... they'll still hit your network.  If they are doing
it blindly, they will do it blindly anyway.  I don't see this as much of
a benefit, unless you are going to be targeted and you can somehow
minimize the damage done by disabling this.

Overall, I don't think it's a good or bad thing, I do it on some and not
on others, depending on what I'm thinking or doing at the time. However,
I wouldn't really say it's going to do much one way or another, unless
you just want to prevent very specific type of attacks where this would
actually help prevent or minimize damage.  But just to hide, well, good
luck. :-)




---------------------------------------------------------------------------
Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm 
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: