Security Basics mailing list archives
RE: ICMP (Ping)
From: Tim Greer <chatmaster () charter net>
Date: 08 Sep 2003 09:20:03 -0700
On Mon, 2003-09-08 at 07:29, Jay Woody wrote:
How what works? How you assume they will attack the network or probe it?How I and everyone that has replied to this thread other than you seems to think it works.
No, just you have said this is _how_ it works. We all _know_ this is 'one way" it _could_ work... but you say that it's 'unlikely' or that "no, that's not correct" when I stated people will just probe and not care about a ping response. Deal with it.
Take a look at alldas or attrition. Those guys have been gathering that info for years. It is not an assumption but rather how the industry has reported it for years now.
So what!?
Most just simply run them. If they are up, they are up.Again, not really how it works,
Like I said "It really is".
but if it makes you feel better fine.
"I know you are, but what am I?". Get real.
They ping first, compile a list and then run a port scan against that list and compile another list.
Some might. All do not. Many do not.
They then run a vuln scan against that list.
Yes, yes, you keep saying that... I know, I know, you won't listen.
There a several pre-made tools that do this for you. Their source code is available. Please feel free to find them and take a look.
I recommend you look into tools I mentioned. Get out in that 'big world', it's true!
To go straight to running a vuln scan against a box that isn't up would just fill your logs up with crap that would require them to parse it, etc.
Yes and no. It depends on the tool and hot it reacts, just like it does for a ping. Is port 80 alive and responsive? Yes? Okay, add that to a 'list', apparently.
They just simply don't care enough to take the time.
Yeah, script kiddies are rrreeeeaaal smart.
If you think they do fine,
If I _think_ they do? What don't you GET here?
but many people have seemingly responded along the same lines that I have, so obviously I am not alone in my "assumption".
I've repeated several times that people may do this in the way you outline. MY point was that many do NOT. How is that not sinking in?
Yes, actually, 'they' do.We could do this all day man, pull the tools down and look at them. They don't.
So _freaking_ what!? _Many do_, is the point.
Aside from the mindless worms that go out and do this, when a kiddie is doing it, he narrows it down first and then runs as needed.
Oh sure, because they are really 'skilled', right? Geez.
Obviously not 100% of the time, but a great huge majority.
Says you. So many do not rely on ping responses, that I'd doubt the majority were using this method you outline and seem to have trouble imagining any other way.
That is what most if not all of the people that have responded thus far have said also.
Yes, you have to keep reassuring yourself. However, this is irrelevant and untrue even at that. People said it won't make any difference. Go on, count how many of the responses agree that disabling ping responses will protect your system from script kiddies.
Not really. Some people may do that, but experience dictates otherwise.Not seemingly from all the replies that I have seen.
Yes, you keep saying that. Do you not respond based on knowledge and experience? Do you need to keep reassuring yourself this way?
Experience dictates that most do that and that is why many people block pings.
No, you state this out of what you think others have said. This is _not_ why most people block ping responses. If they are, they are doing so out of ignorance.
The people that randomly probe just do it, they don't make a list to spend a lot of time on unless it's an intentional, known target they have some desire to break into.This is correct and that probe starts with a ping sweep.
Enough already! This is getting really old. If you don't know, just say so. Educate yourself, but stop whining this same thing each time, it's not the facts because you simply SAY SO! It DOES NOT (i.e., DOES NOT) *always* have to start this way and very often does NOT start this way--they WILL probe the servers without HAVING to compile a list of systems that only just respond to ping requests! Obviously you're new at this to act this way and simply mindlessly INSIST that this is _the way_ it works.
If you are correct and someone collects a list of "I'm live, I'm here" responding Ips are to later be targeted, that's one thing, but I've never seen that.Then feel free to go download a couple of the tools and source codes.
Why should *I* do this because *you* don't know how it works?
I can go as far as to say that I have never seen a tool that didn't whittle it down before running the vuln scan.
So? Because you don't know, this is my problem? You continue to insist it must work a specific way only. You aren't even listening, at all.
I'm sorry that you have never apparently seen this.
Why are you sorry? Who said I've not seen these tools? I stated that, yes, people can and do first ping... I then stated that many do not and just to go to source and check for a web service instead of pings--basically accomplishing the same thing, but with more accurate and specific results. Again, you're going to have to deal with that.
Perhaps this is because you are replying to pings and therefore see a lot of port scans and vuln scans that many of the rest of us don't.
If you say so... You just can't possibly accept any reality that contradicts your uneducated opinion that you insist has to be the way it is. In fact, this appears to he the cornerstone of your knowledge in this area--ignorance is bliss, I guess.
I never said that all you have to do is block pings and you are secure.
You seem to think that you won't be hit unless you either respond to pings or are already a target. After all, just above, you again have to try and justify your claims by saying "You're probably being probed because you respond to pings", when I clearly explained that many systems and networks that did not still were probed just as much as systems and networks they do. This doesn't reflect well on you or your argument. Why, in fact, is it even an argument? Can't you simply accept the fact that this is the reality of it? Maybe imagine how you look to people that know better, when you insist that it _must be_ this certain way, when it's not?
You asked how does it help and I have explained it now in detail.
Now, actually the OP asked, you said, I said "No". You didn't listen to what I was saying. I asked how you _think_ that will help and you offered the answer I expected. Live in bliss if you want.
If you don't agree, cool.
Apparently it's not "cool", when you refuse to acknowledge anything someone says that obviously knows a lot more about this subject and the technicalities than you. Fine, this is security-basis, after all, but I will call you on it if you give out wrong, bad/dangerous or ignorant advice, for others will be at risk as you are living in this ignorant bliss. You can insist all you like, but I will call you on it.
Don't block them.
I don't need your permission.
You asked I answered and now you want to get petty.
You mean sort of like insisting that I either "don't know" or what I say isn't true, based on what I explained about how every system and network I've seen that disabled ping responses gets the same amount of probes and attacks as networks that do respond? Yeah, don't let me get petty, you keep acting like a maniac and insisting that you know best about something you obviously don't know best about. Perhaps you don't know enough about it, but it's your job to educate yourself if you intend to argue about it--let alone, to give out advice that's incorrect. Yeah, how petty of me to point that out and not put up with your flack where you try and insist that people giving out real, correct information are wrong. Good for you...
Again, please just download the tools.
You again miss the entire point. I don't need to download any tools specific to the method you outline, you need to download tools specific to the method that *I* have. If you can't find one, it would take a minute to write one.
This is getting old with me saying, yes they do and you saying no they don't.
Exactly, so base your claims on facts, not what you want to insist upon without any actual basis for the claims you male.
You know my and a majority of the posters opinion.
I know you claim to share the majority of the poster's opinions, based on maybe 2 others agreeing with this assumption you have. If you think that means something or you have to reassure yourself that way, so be it. The facts are simply, pings are not the only way attackers rely on when compiling a list of targets.
I offered you an option of consulting known gatherers of defacements,
Why exactly would I need to do this? This is irrelevant what some people may or may not do. You may do the same, why don't _you_? Or maybe consult some people that know better what they are doing than the people you consult to see the use real, useful tools for their tasks?
looking at the tools they use and looking at the replies from a majority of people that
There you go again with the "Majority of people". And, wrong again. You are not the majority of the people here. Two others, I believe said this same claim you did, also based on the same ignorance. They perhaps have educated themselves rather than refused to listen and insist this nonsense you are. The majority of people have outlined ways to prevent attacks, not web site defacers. This is all kids stuff you're talking about and even serious (e.g., the actual threats in that field) one's are going to use more specific and accurate methods to accomplish their task.
say they do it for DoS reason
Right, and not for the *reason* you claim.
and the ones that I have said in here several times.
No, that was just you.
If you would like to write to me off-list to continue mindless arguing of Yes they do, No they don't, feel free.
I will respond here, I have no desire to correct you in private to yourself. I do so only for the purpose of helping to prevent others that don't know better, from believing what you claim, based on you not knowing better. If you're too arrogant or clueless to get it still, so be it.
If not, you know how I and a great many people feel.
Like I said, you can keep adding to the number of the masses you claim agree with you, but I count two, and I saw more disagree anyway. And, who cares? Don't let that dictate what you know--that is to say, if you actually knew... which you don't. So, stop this immature behavior.
You asked,
No, I didn't ask. Don't try and make this out to look as if I asked you because I didn't know. I asked how you think it'll help, because it will not. I explained why it won't and the facts, and you still insist otherwise. So, you had no intention or ability to discuss this.
I explained.
No, you insisted based on your incorrect opinion.
Your choice follows that one.
As does yours, young Skywalker.
Peace.
Yeah, I'm sure... -- Tim Greer <chatmaster () charter net> --------------------------------------------------------------------------- Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm ----------------------------------------------------------------------------
Current thread:
- Re: ICMP (Ping), (continued)
- Re: ICMP (Ping) Ansgar Wiechers (Sep 08)
- RE: ICMP (Ping) Tim Greer (Sep 08)
- RE: ICMP (Ping) Chris Ess (Sep 08)
- RE: ICMP (Ping) Tim Greer (Sep 08)
- RE: ICMP (Ping) Preston Newton (Sep 08)
- Re: ICMP (Ping) Fyodor (Sep 09)
- RE: ICMP (Ping) Chris Ess (Sep 08)
- FW: ICMP (Ping) check (Sep 08)
- Re: ICMP (Ping) Jay Woody (Sep 08)
- RE: ICMP (Ping) Halverson, Chris (Sep 08)
- RE: ICMP (Ping) Jay Woody (Sep 08)
- RE: ICMP (Ping) Tim Greer (Sep 08)
- RE: ICMP (Ping) jfastabe (Sep 08)
- Re: ICMP (Ping) Tim Greer (Sep 08)
- Re: ICMP (Ping) Lee Rich (Sep 08)
- RE: ICMP (Ping) Jay Woody (Sep 08)
- RE: ICMP (Ping) Tim Greer (Sep 08)
- Re: ICMP (Ping) Jay Woody (Sep 08)
- RE: ICMP (Ping) Jay Woody (Sep 08)
- RE: ICMP (Ping) Jay Woody (Sep 08)
- RE: ICMP (Ping) Halverson, Chris (Sep 08)
- RE: ICMP (Ping) Jay Woody (Sep 08)