RE: ICMP (Ping)

[Tony Kava <securityfocus () pottcounty com>]

I do like your reasoning that others do not generally have a business need
to ping your hosts, however I still prefer to allow this service not simply
to conform to standards, but rather as an easy indicator that our network
link is up.  In my previous work at a broadband ISP I was often annoyed at
how many hosts do not respond to ICMP echo.  On a LAN that uses DHCP it can
be a true pain because hosts can use an IP address in the dynamic range and
when the DHCP server double-checks that the IP is available with a ping it
finds that the IP is not in use and allocates it to the DHCP client.  The
DHCP server should be able to assume that if the IP were in use a host would
respond to ICMP echo.

Of course, we're talking about public IP addresses on the internet.  The
DHCP example does not apply, however it is still a useful service to other
administrators out there.  When your users are unable to reach a certain
destination it is a quick check for connectivity.  Of course there are
numerous other methods to determine whether a host is up or not, but ping is
designed for this purpose.  There are steps that can be taken to prevent the
misuse of the protocol, and those should be preferred to simply dropping the
packets.

Others on the internet do share your opinion, and I can see why.  However,
there are still many of us who do accept ICMP echoes.  Including yahoo.com
and google.com.  Yes, I know, microsoft.com and ebay.com do not.  If you
keep watch on your network and you have taken reasonable steps to diminish
the success of a DoS attack then you should be able to safely accept ICMP
echoes.

... my two cents, of course.

--
Tony Kava
Network Administrator
Pottawattamie County, Iowa



-----Original Message-----
From: Jay Woody [mailto:jay_woody () tnb com]
Sent: Thursday, 04 September, 2003 11:06
To: security-basics () securityfocus com
Subject: RE: ICMP (Ping)


I don't think that maintaining a RFC standard for the sake of
maintaining the standard is necessarily worth your company experiencing
an outage.  Those standards are exactly that, a standard.  They are what
should be done.  They are put in place mainly so that everyone knows how
to interact with each other.  If you changed something and made yourself
non-RFC compliant in something like SMTP, that would be one thing,
because everyone NEEDS to know that everyone is doing it a certain way. 
Everyone doesn't NEED to ping me.  In a perfect world, you should always
maintain standards obviously.  However, in this world, you make changes
based upon your needs and requirements and you tell your business
partners, "This is how you need to do it to do business with me."

My business could care less if the entire world can ping me and know I
am up.  I want my customers to know and my partners.  Everyone else can
go take a leap.  All we needed was one denial of service attack hitting
us and they determined that the amount of time it took to trouble-shoot
it and fix it were not worth what they got by allowing random people
around the world to "test" and see if we were up.

Certain RFC's matter to the world.  Certain ones don't.  This is one
that the world has determined it is acceptable to violate.  The
"Security through Obscurity" that most people rag on is trying to mask
or mislead your attacker into believing that you are running something
different (different OS, etc.) and most people blast that because there
are 15 different ways to tell an OS, so you block one, big deal.  If you
are patched then you shouldn't need to obscure it.  In this case I am
hiding the existence of a box because even if I am patched and proper I
am still vulnerable to being pinged out of existence.  The time it takes
me to daily enter 15 people to drop packets from just isn't worth it.

Until I have a real business reason for NEEDING a ping (other than just
to maintain a RFC Standard), then I drop them.  If I NEEDED the ping
then I would worry about trying to manage the settings, etc.  My 2
cents.

JayW

> > > Tony Kava <securityfocus () pottcounty com> 09/03/03 11:20AM >>>
What about compliance with standards? ICMP echo is a useful diagnostic
tool,
and not responding to ICMP echo is not an effective means of
protecting
yourself.  I believe members of this list have often cited the lack of
value
found in 'security by obscurity'.  I do not wish to suggest that
allowing
all types of ICMP traffic is a safe practice, but ICMP echoes should
be
accepted and replies should be sent unless you have blocked them in
order to
mitigate a denial of service attack or because you believe the source
of the
request is malicious in nature.

== RFC 1122 snippet ==

3.2.2.6  Echo Request/Reply: RFC-792
 
Every host MUST implement an ICMP Echo server function that
receives Echo Requests and sends corresponding Echo Replies.
A host SHOULD also implement an application-layer interface
for sending an Echo Request and receiving an Echo Reply, for
diagnostic purposes.
 
An ICMP Echo Request destined to an IP broadcast or IP
multicast address MAY be silently discarded.

== end of snippet ==

Just my two cents, as it were.

--
Tony Kava
Network Administrator
Pottawattamie County, Iowa



-----Original Message-----
From: freeasabird_13 () gmx net [mailto:freeasabird_13 () gmx net] 
Sent: Tuesday, 02 September, 2003 21:12
To: Paul Kurczaba; security-basics () securityfocus com 
Subject: Re: ICMP (Ping)


> Are there any security issues for allowing a firewall/router to
respond to
> Ping from the internet?
>
> -Paul Kurczaba

Yes.  It would not be preferable for you to allow your firewall/router
to
respond to pings from the internet.  Someone running a wide-scale scan
of
internet computers for possible attack targets would quickly be made
aware
of your obvious internet presence and you could become a target for
attack.
This wouldn't be such a big problem provided your firewall/router was
well-configured with security in mind.  If there is no overwhelming
reason
for allowing your device to respond to pings then it shouldn't be
configured
to do so.  It is simply calling too much attention to your systems and
their
possible vulnerabilities.  Well anyway, that's my quick 2 cents on the
matter.  I'm sure others will share theirs too.

Best Wishes,

~Nathaniel Hasenfus


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.515 / Virus Database: 313 - Release Date: 9/1/2003


---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30
(Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event
in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. 

Symantec is the Diamond sponsor.  Early-bird registration ends
September
6.Visit us: www.blackhat.com 
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30
(Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event
in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. 

Symantec is the Diamond sponsor.  Early-bird registration ends
September 6.Visit us: www.blackhat.com 
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September
6.Visit us: www.blackhat.com
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------