Security Basics mailing list archives
Re: ICMP (Ping)
From: "Jay Woody" <jay_woody () tnb com>
Date: Mon, 08 Sep 2003 09:46:15 -0500
There, this one is actually productive, so I'll pop one on here and we can see if that gets it resolved.
> Clearly we disagree about the semantics here.
I don't think it is really semantics as much as we just believe the process starts at a different area.
> While you are married to the idea that no one will bother scanning your server unless it responds to pings,
Now, that's pretty silly. I have gone through several times and said that this is not true 100% of the time. I have also said that worms will still hit you, etc. Responding to pings is not the end all, be all of security and no one here ever said that it was. People block pings for primarily two different reasons. DoS (or DDoS) attacks and because most people have seen that many of the script kiddie tools do exactly what I have said they do. They ping sweep, then run a port scan against those that reply, then run a vuln scan against those that have the "correct" OS, services, etc. To do otherwise would fill up their logs, etc. They just want to click a button and get told who is vulnerable. All of the tools that I have seen or heard of do some sort of defining before running the vuln scan. The vuln scan is what takes a while, so you want to do this on as few boxes as possible. The ping sweeps and port scans are relatively quick, so that is how you do it. Write to a guy like Hackweiser or any of the groups and ask them what tools they use. I am no longer into this scene, so I can't give you the new ones, but I am sure these guys have plenty to tell you.
> I am of the opinion and experience on my part dictates, that many people will cut out the middle man and just scan to see if it responds to the specific or general services they are targeting and move on if it doesn't respond to those common services.
Again, all I can say is that if you are responding to pings, then this is exactly what you would see. Meanwhile I see a huge number of ping sweeps and a relatively small number of port and vuln scans. Apparently our experience is different, which is why I said to block pings to begin with. :)
> I simply said that it will only save you from being scanned if someone actually used that method.
I agree 100%. I simply believe that many of them do and you don't. No hard feelings, just we have seen different things. I might suggest though that if you block pings, you might see something more like what I see.
> If your system is vulnerable enough to be hit from such a person, you have more to worry about than ping responses or not. A skilled enough attacker will not use that method to determine what systems are alive or not.
Again 100% agreement. If you are counting on non-pings as your security, then you probably didn't make it through Code Red, much less Nimda, Slammer, Blaster, etc. I don't claim it to be ALL that you need. :) My statement is just that it stops a great amount of the chatter from the kiddies. If you disagree, great, keep accepting them and watching the other scans. Obviously, we do more than just drop pings and I would assume that most do also. I got to say, I enjoyed this note a lot more than your last (you probably like my response more too huh? :). Hopefully, we have each made our case and people can decide how they wish to proceed from there. Good luck man. JayW
Tim Greer <chatmaster () charter net> 09/05/03 05:45PM >>>
On Fri, 2003-09-05 at 13:35, Jay Woody wrote:
> Not really, they will randomly scan and the RETURN to the ones that replied and run a vuln scan against it. If you didn't reply to begin with then they won't be RETURNING.
Clearly we disagree about the semantics here. While you are married to the idea that no one will bother scanning your server unless it responds to pings, I am of the opinion and experience on my part dictates, that many people will cut out the middle man and just scan to see if it responds to the specific or general services they are targeting and move on if it doesn't respond to those common services. There's no reason to go on arguing about this or insisting it's one way or another--that is not what I personally meant nor claimed. I simply said that it will only save you from being scanned if someone actually used that method. I've rarely seen people not just randomly scan, if they're going to randomly collect IPs. If your system is vulnerable enough to be hit from such a person, you have more to worry about than ping responses or not. A skilled enough attacker will not use that method to determine what systems are alive or not.
-- Tim Greer <chatmaster () charter net>
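The two posters above disagree about which pattern actually shows up in the logs: a ping sweep followed by a port scan of the hosts that replied (Jay's position), or a direct scan for a handful of services with no sweep at all (Tim's). The script below is an added example, not part of either message, that lets a defender settle the question from their own firewall logs instead of from anecdote. It parses constructed, iptables-LOG-style lines (the format, the thresholds, the source addresses and the 192.168.1.0/24 target range are all assumptions chosen for the example) and labels each source as "sweep-then-scan", "ping-sweep", "port-scan" or "benign", and for sweep-then-scan sources it also reports whether every TCP probe went to a host that was included in the earlier sweep, which is the behaviour Jay describes.

```python
import re
from collections import defaultdict

# Regexes for the fields of an iptables-style LOG line (assumed format).
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?P<rest>.*)")
ICMP_TYPE_RE = re.compile(r"TYPE=(\d+)")
DPT_RE = re.compile(r"DPT=(\d+)")


def build_sample_log():
    """Constructed sample traffic (not real logs): three sources, three behaviours."""
    lines = []
    tick = 0

    def log(src, dst, proto, extra):
        nonlocal tick
        tick += 1
        stamp = f"09:{40 + tick // 60:02d}:{tick % 60:02d}"
        lines.append(f"Sep  8 {stamp} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO={proto} {extra}")

    # 10.0.0.5: echo-request sweep of the whole /24, then SYN probes only at two hosts
    # (the ones the sweeper treats as "alive"): the pattern Jay describes.
    for host in range(1, 25):
        log("10.0.0.5", f"192.168.1.{host}", "ICMP", "TYPE=8 CODE=0")
    for port in (21, 22, 80, 139, 445):
        for host in (3, 17):
            log("10.0.0.5", f"192.168.1.{host}", "TCP", f"SPT=4444 DPT={port} SYN")
    # 10.0.0.9: no sweep, just one service probed across the range: the pattern Tim describes.
    for host in range(1, 25):
        log("10.0.0.9", f"192.168.1.{host}", "TCP", "SPT=5555 DPT=445 SYN")
    # 192.168.1.50: ordinary traffic, one ping and two web connections.
    log("192.168.1.50", "192.168.1.3", "ICMP", "TYPE=8 CODE=0")
    log("192.168.1.50", "192.168.1.3", "TCP", "SPT=51000 DPT=443 SYN")
    log("192.168.1.50", "192.168.1.17", "TCP", "SPT=51001 DPT=80 SYN")
    return lines


def analyze(lines, sweep_hosts=10, scan_probes=10):
    """Classify each source address by what it did, in log order.

    sweep_hosts: distinct hosts that must receive echo-requests to count as a sweep.
    scan_probes: distinct (host, port) SYN probes that must be seen to count as a scan.
    Both thresholds are arbitrary example values; tune them to the network's baseline.
    """
    echo_targets = defaultdict(set)   # src -> hosts that received ICMP type 8
    syn_probes = defaultdict(set)     # src -> (host, port) pairs that received a SYN
    first_echo, first_syn = {}, {}    # src -> index of first event of each kind

    for idx, line in enumerate(lines):
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, rest = m.group("src", "dst", "proto", "rest")
        if proto == "ICMP":
            t = ICMP_TYPE_RE.search(rest)
            if t and t.group(1) == "8":               # echo request only
                echo_targets[src].add(dst)
                first_echo.setdefault(src, idx)
        elif proto == "TCP" and "SYN" in rest:
            p = DPT_RE.search(rest)
            if p:
                syn_probes[src].add((dst, int(p.group(1))))
                first_syn.setdefault(src, idx)

    report = {}
    for src in sorted(set(echo_targets) | set(syn_probes)):
        swept = len(echo_targets[src]) >= sweep_hosts
        scanned = len(syn_probes[src]) >= scan_probes
        if swept and scanned and first_echo[src] < first_syn[src]:
            verdict = "sweep-then-scan"
        elif swept:
            verdict = "ping-sweep"
        elif scanned:
            verdict = "port-scan"
        else:
            verdict = "benign"
        scanned_hosts = {host for host, _ in syn_probes[src]}
        report[src] = {
            "verdict": verdict,
            "echo_hosts": len(echo_targets[src]),
            "syn_probes": len(syn_probes[src]),
            # True when every probed host was also in the sweep: the "return to the
            # ones that replied" behaviour. Only meaningful for sweep-then-scan sources.
            "probes_within_sweep": bool(scanned_hosts) and scanned_hosts <= echo_targets[src],
        }
    return report


if __name__ == "__main__":
    for src, info in analyze(build_sample_log()).items():
        print(f"{src:14} {info['verdict']:16} echo_hosts={info['echo_hosts']:3} "
              f"syn_probes={info['syn_probes']:3} within_sweep={info['probes_within_sweep']}")
```

Run against real logs, a source that lands in "ping-sweep" with no later probes is the chatter Jay says blocking echo-requests removes; a source in "port-scan" with zero echo hosts is the "cut out the middle man" scanner Tim describes, which no ICMP policy will deter. Counting the two buckets over a month gives the ratio each poster is arguing about from experience. Note that a firewall that drops echo-requests logs the sweep but never the reply, so the script judges "who replied" only from the scanner's follow-up behaviour.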