Security Basics mailing list archives
RE: ICMP (Ping)
From: Tim Greer <chatmaster () charter net>
Date: 05 Sep 2003 15:39:56 -0700
On Fri, 2003-09-05 at 14:29, Jay Woody wrote:
What purpose would seeing a response from a ping serve to a kiddy looking to deface web sites? If they are going to attack you randomly, why do you assume that they would stop to think when they are blindly attacking networks/ips anyway?Here is how it works again.
How what works? How you assume they will attack the network or probe it?
They scan a range and then go back and run a port scan/vuln scan against what replies.
Most just simply run them. If they are up, they are up.
They don't run vuln scans randomly against ranges,
Yes, actually, 'they' do.
they run ping sweeps randomly against ranges, those that reply get more attention.
Not really. Some people may do that, but experience dictates otherwise. The people that randomly probe just do it, they don't make a list to spend a lot of time on unless it's an intentional, known target they have some desire to break into.
So how would not replying help? Well by getting less attention obviously.
Why do you assume that out of millions of Ips that respond, one will get more attention than another? If you are correct and someone collects a list of "I'm live, I'm here" responding Ips are to later be targeted, that's one thing, but I've never seen that.
They aren't "blindly attacking networks/ips anyway". They are blindly scanning or sweeping networks/ips through the use of pings.
You assume so, but it's more likely a blind probing.
They are not so blindly (but almost) running a port scan those that reply. Then they are running a vuln scan against the boxes that just told them they were a certain OS, etc.
Almost all scanners and worms even, will hit the range of IPs and not care if it responds to pings.
Running a scanner to look for open ports of vulnerabilities in services, as not going to change because you don't reply to ping requests. Those scans will check the ports and services on said IP--not give up if it can't get a ping response.Man, dude, where do I start on this one? :) Yes, running something like that would behave exactly as you describe (I think). However, that isn't at all what anyone has said. Again, they "scan" the ADDRESSES in a range for a simple reply and then run a port scan/vuln scan against those that reply.
From what I've seen, that's not the case. They don't first check to see
that it's alive, they can see it's alive without waiting for a ping response. They will most likely initially scan for common services to see if it's alive. Not only is it more accurate, but it's also telling them that the service they want to test is up.
Your point is that if they don't respond to pings, they likely won't respond to vuln scans.
No, I didn't say that.
The script kiddies say the same thing in reverse.
Huh? That's what I said. I said that will scan it, not caring if it replies from a ping request.
If you respond to a ping you likely will give up more information if asked.
But less helpful information than you would getting a response from a service you are looking for being up. Hence, ping is irrelevant, they will hit the ports/services to see if they should "come back".
Again, they scan the range for replies and then run a port scan/vuln scan against the replies for more info.
They do? How do you know this? How do you know that's what most or all of the script kiddies do?
They don't blindly run a vuln scan against a range. That would be even more stupid and waste time.
Uh, we're talking about random scans/probing and script kiddies and you think that's unlikely because it would be 'stupid'? This is why script kiddies are a joke and why ping responses are not going to make a difference.
And that doesn't relate to the type of attacks being discussed. That's another, less serious issue anyway.Uh, OK.
Indeed.
The question was should your devices reply.
Yes, that was the question.
There is not an ATTACK there.
No, there's certainly not.
The statement was that no, they shouldn't because then you get more interest from the kiddies.
Not really, but you don't have to share my opinion nor belief.
You said no you don't and I said yes you do.
Yes, that's correct.. that appears to be what we said.
Haven't heard about any attack mentioned at all.
Haven't you been reading what I said?
Also, if you think having your web page defaced is not serious, then ask Nike how much the press hurt them and ask Microsoft how much money they spend on making sure it doesn't happen to them.
Who is their lack of security an issue when it comes to how much 'attention' a ping response will get you or not? I don't believe it will, because random scans will randomly scan you anyway. I've disabled ICMP for ping requests on different networks and I see the same amount of probing/scanning activity on them as one's with it enabled. As for Nike and MS, they are targets, it has no bearing on them responding to ping requests.
If you are a seller, then having your web page defaced and pointing people to a site that gathers their credit card numbers would be decently serious I would think.
Ping responses have absolutely no bearing on the security of your server/web site. It's either secure or it's not. You have the opinion that someone's going to randomly ping Ip's looking for responses, rather than simply seeing if a service is running, is going to save some people from being compromised. I disagree. If your security is so slack that a script kiddie can later come back simply from seeing the IP was pingable, then you have bigger concerns than ping responses to worry about. Also, consider this; if you have someone skilled enough to have any chance of getting into most servers, those will not likely be the type of people that will think a ping response means anything and, instead, they will be scanning for open ports/services. No, ping doesn't hide you.
No, they'd probe for vulnerabilities by domain or IP, the ping response plays no role in that situation.If they are probing for vulnerabilities by domain (and I am not 100% sure what you mean there), then they are retarded.
That depends on how you look at it. They may have specific types of sites that they want to compromise. Grabbing a list of domains (ie., from an old whois db) would serve up all the domains with 'shop' in them, for example. Either way, someone's that's going to randomly scan IP ranges with no target in mind, is retarded anyway. I don't know about you, but I don't worry about those type.
I said that they deface the web page and move on and you reply that they scan for vulns by domain.
Pings have nothing to do with web site defacement. Poor security does. How someone finds them, is irrelevant. Lack of a ping response doesn't hide you.
Again, the ping response plays a HUGE role.
I disagree.
They ping a group of addresses, if you don't respond they move the FREAK ON.
Unless they just happen to test for more accurate results, which a skilled enough cracker to be a threat would be doing anyway.
If you do, they run a port scan, then a vuln scan against you.
Or they just do anyway, since we're talking about retards.
By not replying, you stop the kiddies from looking (in addition to many of the other DDoS issues mentioned already).
You're living in a dream world if you really think you saying this makes it true. As for some types of attacks, I stated, depending on what protocol, it couldn't hurt and may help minimize damage. As for site defacers and people looking to crack your box, forget it, it makes absolutely no difference.
"[T]hey'd probe for vulnerabilities . . . IP", yep, exactly and where did they get the IP address?
Where exactly do you think they get the IP to ping in the first place? They hit it and see. Instead of hitting it for an unhelpful ping response, they hit services or ports and see if it's up and a potential target. Responding to pings doesn't make you a target.
By the freaking ping reply.
Like I said, how do you imagine they get those IP's to try and get a ping response from? What is this, a joke?
No reply, less attempts.
In your opinion.
I am just not saying it right or something, so help me see where we are missing it.
I've been trying.
That is irrelevant.Then your point is irrelevant,
No.
because I was agreeing with your point.
No, you weren't. Read the responses.
Sure, some people see a site and say, "I want to hack that particular company." 99% don't.
And those 99% will scan for services being up, not give up on a lack of a ping response--that means nothing.
They say, I want to hack 40 sites in a week. I don't give a crap who, so let's see who replies.
And they'll start scanning ports/services.
True. You're either vulnerable or not. But it depends on the type of attack and on what service or protocol.And if you don't reply to pings then 90% of the kiddies never even try to find out what will work against you.
No. Refer to above.
No it doesn't. Skripties are stupid by nature. They hit blindly with the scanners, the scanners don't give up if there's no ping response,See, here is where you keep missing it.
This is ironic. Do I need to explain?
They DO NOT blindly run vuln scans.
Says who? Says you? Why are you so certain people will check for a measly, means nothing ping response, instead of just testing fir a response on a common port, like port 80--after all, they _are_ after web servers. Just because you say it, doesn't make it so.
They blindly run Ping sweeps.
There's no rule to say that's what they _must_ do and, again, in my experience, that's not the case. Are you more worried about the people that think they need to ping a server to think something's there, or the more thoughtful cracker whom checks to see if you have services running, because they know pings don't matter? So, your entire point and reasoning therefore, is that you can do this to prevent the most clueless script kiddies that use the most suckiest tool/scanner, from trying to deface your web site? Does that really worry you... at all?
They scan a range and see who replies
I'm sure you're familiar with the term "middle man" and 'cutting them out'? Why would they do this, when they can simply check to see if you have a specific service listening on its port?
and then they run the port scan that you describe against just those areas that replied.
I suppose that they could. Sounds like double the work. I'm not worried about the people that are literally that stupid--to be doing double the work. You should be worried about the more skilled people, if any.
Then they run the vuln scan against just those addressed that replied and that have a certain OS, etc.
And they can do this without the delay.
That is well known.
And my examples of why this doesn't matter are valid.
So either you are saying they run vuln scans against huge ranges,
Yes, the idiots that think a ping response means anything useful, will indeed be stupid enough to just let it rip and scan ip ranges. It has the same effect anyway--if something is there, it's there. If it's not, it's not and their scan will skip it or move on. They randomly scan ip ranges to compile a list of servers that are running certain services, not just see what IP's respond. That's pointless.
which isn't true
It is true. Try and deal with it.
or you are saying that ping sweeps or scans will still document you when you don't reply, which is also not true.
Okay, so you're claiming that it's not true that scans on port 80 to see if there's a web server aren't purpseful (or even more so) than just seeing if the IP responds?
They don't run an in depth scan until they see if you are alive or not.
Who said it had to be in-depth? They can check for even only one relevant service, like a web server--since they are defacing web sites (or intending to). Which is more valuable? A response saying the server is up, or the server is up and running a web server? Why is this so difficult to fathom?
If you are not alive, why waste their time,
But that's just it, no one cares if the IP responds saying it's alive or not. It is just as quick and more logical and efficient to just straight out check and see if a service is up.
there are plenty of people that are.
Yes, that's right. Script kiddies likely waste a lot of time... like compiling a list of IPs that are alive at that very time, which means nothing.
I run Zone Alarm at home.
Okay, I won't ask why you do.
They ping me and I don't reply,
So?
now they could run a suite of vuln scans against me and an hour or more to see what is turned up OR they could move to next door neighbors PC where the password is password.
Or, they can see if you're a server running a web service and mock you about how you thought they'd have moved on because you didn't respond to silly little ping requests. I'm honestly not saying this to insult you, but I don't see how you can argue the point... perhaps you just think the same about me and my points. Oh well.
They just move on.
Or so you assume.
They are looking for the slow, stupid ones on the fringe to gobble up.
So, you're saying people that don't drop ping responses are stupid? Odd, I've only disabled responses on maybe 5 servers in the last 8 years and I've never been compromised... it must not be the ping factor at play.
If you don't reply to a ping, most script kiddies will simply move on.
I think the better question is, who would worry about such script kiddies that use those tactics anyway? I mean, you do secure your servers and network, right?
That has been the opinion espoused by a great majority of responders to this thread, so I am obviously not the only one that feels this way.
Hey, there's nothing wrong with doing this in my opinion, I just don't see the point to use it in any way at all to prevent being attacked or your system compromised.
they are busy checking to see what's running on the various ports that particular scanner scans. It's almost contradictive to use script kiddie and 'dig deeper' in the same sentence.Not if you didn't reply to a ping they don't.
Fine, don't read any single thing I said. I am tired of repeating myself.
Think about it man.
Irony...
If you ping sweep a range of 255 addresses and 20 respond and you are a little kiddie, you are going to focus on those 20, crack 5 quickly and go brag about it.
Maybe those 20 servers should have been secured at some point, would be my question? I'd demand to know how someone could be so incompetent to get cracked by a script kiddie.
You are not going to kick off your favorite little vuln scanner against addresses that "aren't up"
Sure you are... maybe you aren't, but enough do.
in the hopes that maybe one is, spend all night dicking with that one and then having nothing to brag about.
Or, like I said, they actually look for one's that are targets, seeing if they are running a service, not just alive. Oh, I've explained this to death.
It is a numbers game. They want to be able to say they cracked X number last night.
So having the middle man, rather than just checking to see if a service is up makes their task faster somehow? How's that?
Not that they spent all night scanning a range and then finding out that indeed there really were no other boxes there.
And the scanner moves on if there's no service they are targeting, just as it would if there was no ping response--but is more accurate.
But they aren't looking for boxes that reply to ping requests, they hit the IP on various ports to check to see if that port/ service responds and with what.I am beginning to think you are screwing with me now.
I know the feeling.
Surely you have downloaded one of these things.
How is that relevant? I could code a script to check for the 5 common services on a server and iterate through however large of an ip range I wanted and just collect a list to hit... why the heck would I care about pings responding?
They don't do that at all.
You should find a better source for your script kiddie tools then.
They first sweep a range and gather addresses.
Perhaps if they are using the most lame tool around?
Then they compile that in a list.
Why not compile a list of systems actually running a service you are targeting?
Then they run their port scan/vuln scan against each of those IPs and THAT scanner is what looks for ports, weak passwords, etc.
I know what you're saying.. you're saying "You can waste all night on one server that may not be there, so they first check for a response." As logical as that may sound to you, the method of scanning for the relevant services is just as quick as checking for a ping response. If there's no services up that you're targeting, you move on...
The point being made here, over and over, is that if you are not one of the addresses on the list, then the scanner isn't run against you.
My point being; If they use that sort of scanner and strategy. Most don't from my years of experience auditing logs. Also, the fact that who cares about these fools, secure your system and don't worry about it. And, finally, that the one's skilled enough to even have a chance will have either targeted you to be interested in the first place, OR, they will use a more accurate method to compile a list of IPs that are running actual relevant services. Random scans for live IPs doesn't equate to the person wasting their time trying every possible exploit on the IP--they will still check for the common services and vulnerabilities. As you said yourself, the goofs want to move on, they aren't going to do an in-depth scan of a server that isn't going to give up root soon anyway by your logic. And, with a secured server, who cares about these idiots?
How do you stay off of the list?
Why do I care if I'm on it?
Well, how did you get on it?
By not worrying about irrelevant things and feeling safe about something so trivial?
You responded to a ping.
Okay, I'm not worried, why are you?
No response equals less kiddie attacks.
So? These are the people you'd be worried about?
Period.
In your opinion, my experience dictates differently. Perhaps yours is not the same.
Less script kiddie attacks means more time to get the vulns patched and less of a chance that a bonehead move gets you compromised.
No script kiddie that lame is going to get into a server anyway. That's all there is to it. A script kiddie smart enough to try with a 0-day exploit wouldn't have a chance if they were tat random about it anyway. They'd try the exploit through IPs, not make a lost to try... it would have the same result. If they can't figure that out, they aren't a threat.
Like I said, a dumb ass script kiddie will hit the ports checking the services for vulnerable services. Ping response or not makes absolutely no difference.And like I said, it absolutely does.
Fine, we can disagree.
They are not doing random port scans.
They are, they will and they do.
They are doing random PING SWEEPS and then doing semi-random port scans on those that REPLY.
I'm sure that _some_ are, sure.
Then running specific vuln scans on boxes that replied as needed to the port scans.
If they think it's a viable target, sure. However, a ping response or not, will not be what determines how much time they want to waste. So, a ping response or just cutting the middle man out of the picture and checking for relevant services... either way, it makes no difference. If you're vulnerable, you get 'got'. End of story.
You seem to think they just jump right into the port scanning world and they just don't.
I tend to think they do, because that's the nature of the script kiddie. If they use the method you outlined, so be it... either way, there's enough out there that do, so this makes no difference and will only matter if you are vulnerable anyway.
Why run a port scan against a non-existent box?
Why check for a ping response from a non existent box?
It is just a waste of your time.
Sort of like compiling a list of live IPs for no damn good reason.
They don't.
They do.
It's either going to happen or not, random or targeted. If it's random, you'll be hit and probed anyway (being an attach or probe). If it's not random, well, we all know the answer.If they were running port scans, you might be right,
They do, they are, they will. Of course some don't, some will use the strategy you outlined. Those would be the less skilled, why worry.
but again, they don't until
No, that's a condition you added. Many do. Speak specifically in terms of the one's that don't to make your point, don't act like none do or would--it happens all day, all the time, on tens of thousands of networks, in fact.
you first let them know there is a box there to run one against.
If they use the method you outlined, sure. If they don, all bets are off.
No box, no port scan.
In your mind.
No ping, no box to them. On to the next range.
In your mind.
I don't see the point to that side of this debate.Cause you aren't trying.
Oh, if you say so. :-)
You are just insisting that the process starts in the middle.
No, I'm insisting that people don't have any reason to have a middle man, so they don't.
It doesn't.
It "do".
It starts at the beginning and that is the ping sweep.
You are instant about that, for what reason, I can't imagine. Wake up.
If I were you, I would try to understand that side seeing as how a great majority of the posters have thus far espoused the same idea.
No, they stated they disable it for other reasons, not because they think it's a good rock to hide under. My points are true and valid. Some script kiddies may use that method, sure, but a lot do not. The more skilled one's are the one's that do not.
You seem to be under the impression that a kiddie's first tool is his port scanner and it isn't.
Well, I guess I wouldn't know, I won't argue with your experience. I simple outlined mine.
It is his ping sweeper.
Well, if you say so... you have, and continue to... even though it makes no difference.
THAT produces the list that he uses for everything else.
Sure, whatever.
Again, not 100% of the time, but 90-95% of it.
I'm not sure what you mean by that, sounds like you're saying even that doesn't matter to the people that use that method, which seems silly.
My 2 cents. Maybe that clarifies it.
Not really. But it doesn't matter. -- Tim Greer <chatmaster () charter net> --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com ----------------------------------------------------------------------------
Current thread:
- RE: ICMP (Ping), (continued)
- RE: ICMP (Ping) Vineet Mehta (Sep 08)
- RE: ICMP (Ping) Tim Greer (Sep 08)
- RE: ICMP (Ping) Tony Kava (Sep 05)
- RE: ICMP (Ping) Tony Kava (Sep 05)
- RE: ICMP (Ping) Jay Woody (Sep 05)
- Re: ICMP (Ping) gregh (Sep 08)
- Re: ICMP (Ping) Joe Bryan NSA (Sep 08)
- Re: ICMP (Ping) gregh (Sep 08)
- Re: ICMP (Ping) Jay Woody (Sep 05)
- Re: ICMP (Ping) Tim Greer (Sep 08)
- Re: ICMP (Ping) Ansgar Wiechers (Sep 08)
- RE: ICMP (Ping) Tim Greer (Sep 08)
- RE: ICMP (Ping) Chris Ess (Sep 08)
- RE: ICMP (Ping) Tim Greer (Sep 08)
- RE: ICMP (Ping) Preston Newton (Sep 08)
- Re: ICMP (Ping) Fyodor (Sep 09)
- RE: ICMP (Ping) Chris Ess (Sep 08)
- RE: ICMP (Ping) jfastabe (Sep 08)