Security Basics mailing list archives
RE: ICMP (Ping)
From: Christos Gioran <himicos () freemail gr>
Date: 05 Sep 2003 17:13:20 +0300
IMHO, Even though it will not solve all your problems, blocking ICMP echo replies (ICMP type 8) from leaving the server is a good idea. Anyone who might want to scan your machine using just a ping sweep will not see you. All other kinds of ping should be available for normal operation as it has been stated at a previous post. Your box will *not* be invinsible, just a litle harder to find. Still there are Syn scans, NULL, Ack and many more goodies that may tell you off. That also is a good alternative to ICMP pinging a machine for administrating purposes. A syn ping (using, for instance, nmap) will be enough to see if the machine is alive. PS. As for RFC compliance, does anyone still support the proxy feature on FTP servers?? No (i hope so) since it poses a great security risk. RFC's were written for a friendly Internet, where hosts would trust each other. That is no longer the case. Times change, so should ther practices we use ;-) my 0.02 euro worth :-) On Thu, 2003-09-04 at 21:07, Tony Kava wrote:
I do like your reasoning that others do not generally have a business need to ping your hosts, however I still prefer to allow this service not simply to conform to standards, but rather as an easy indicator that our network link is up. In my previous work at a broadband ISP I was often annoyed at how many hosts do not respond to ICMP echo. On a LAN that uses DHCP it can be a true pain because hosts can use an IP address in the dynamic range and when the DHCP server double-checks that the IP is available with a ping it finds that the IP is not in use and allocates it to the DHCP client. The DHCP server should be able to assume that if the IP were in use a host would respond to ICMP echo. Of course, we're talking about public IP addresses on the internet. The DHCP example does not apply, however it is still a useful service to other administrators out there. When your users are unable to reach a certain destination it is a quick check for connectivity. Of course there are numerous other methods to determine whether a host is up or not, but ping is designed for this purpose. There are steps that can be taken to prevent the misuse of the protocol, and those should be preferred to simply dropping the packets. Others on the internet do share your opinion, and I can see why. However, there are still many of us who do accept ICMP echoes. Including yahoo.com and google.com. Yes, I know, microsoft.com and ebay.com do not. If you keep watch on your network and you have taken reasonable steps to diminish the success of a DoS attack then you should be able to safely accept ICMP echoes. ... my two cents, of course. -- Tony Kava Network Administrator Pottawattamie County, Iowa
____________________________________________________________________ http://www.freemail.gr - äùñåÜí õðçñåóßá çëåêôñïíéêïý ôá÷õäñïìåßïõ. http://www.freemail.gr - free email service for the Greek-speaking. --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com ----------------------------------------------------------------------------
Current thread:
- RE: ICMP (Ping), (continued)
- RE: ICMP (Ping) Tim Greer (Sep 05)
- Re: ICMP (Ping) gregh (Sep 05)
- Re: ICMP (Ping) Tim Greer (Sep 05)
- Message not available
- Re: ICMP (Ping) Tim Greer (Sep 08)
- Re: ICMP (Ping) gregh (Sep 08)
- Re: ICMP (Ping) Tomas Wolf (Sep 08)
- Re: ICMP (Ping) Tim Greer (Sep 08)
- RE: ICMP (Ping) Aditya (Sep 05)
- RE: ICMP (Ping) Christos Gioran (Sep 05)
- RE: ICMP (Ping) Tim Greer (Sep 05)
- RE: ICMP (Ping) Vineet Mehta (Sep 08)
- RE: ICMP (Ping) Tim Greer (Sep 08)
- Re: ICMP (Ping) gregh (Sep 08)
- Re: ICMP (Ping) Joe Bryan NSA (Sep 08)