Security Basics mailing list archives

Re: ICMP (Ping)


From: "Jay Woody" <jay_woody () tnb com>
Date: Mon, 08 Sep 2003 12:51:02 -0500

Yeah again, I have said that with the advent of some of the newer stuff
it is getting quicker and quicker to start out with the port or even the
vuln scan.  I also have already said that I have put in there several
times that not 100% of the time do they start with a ping scan.  I
simply have stated since the start that a great majority of the tools
that I have used, the tools that I have known others to use, the tools
that have been discussed on most of the pages, etc, all seem to do a
process of whittling the number down before launching into the vuln scan.
This was due to the vuln scan taking so long and it is obviously shorter
now, but the timeout is still longer than a ping response.

So there you have it.  Does stopping pings stop 100% of the scans?  Of
course not.  Does it stop at least .0000001%?  Of course.  Is the number
somewhere in between there somewhere?  Yep.  So your mileage may vary.
My logs show lots of pings and very little (relatively speaking) port
scans and vuln scans.  Tim says that his show the opposite.  You have to
decide how many will be blocked and if it is worth it to not be able to
tell your customers, "Go to a prompt and try to ping my site."  For me
it is.  For others, perhaps not.  I am not as worried about being able
to ping my site.  So I drop pings to stop the silly, easy crap and then
focus on trying to stop the people in the coven.  :)

JayW
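An added example, not from Jay's or Greg's posts, of the kind of tally Jay is describing when he compares pings against port scans in his logs: it reads iptables-style firewall log lines and sorts each source into ping-only, ping-then-scan, or scan-without-prior-ping, so the share of scanners that actually waited for an echo reply can be measured before deciding whether dropping ICMP is worth it. The log format, the three-distinct-ports scanner threshold, and the sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed iptables-style log lines (sample data, not from the list post).
SAMPLE_LOG = """\
Sep  8 10:01:02 gw kernel: FW: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
Sep  8 10:01:40 gw kernel: FW: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=4011 DPT=21 SYN
Sep  8 10:01:40 gw kernel: FW: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=4012 DPT=22 SYN
Sep  8 10:01:41 gw kernel: FW: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=4013 DPT=80 SYN
Sep  8 10:05:00 gw kernel: FW: IN=eth0 SRC=192.0.2.33 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
Sep  8 10:09:12 gw kernel: FW: IN=eth0 SRC=192.0.2.90 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=135 SYN
Sep  8 10:09:12 gw kernel: FW: IN=eth0 SRC=192.0.2.90 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=139 SYN
Sep  8 10:09:13 gw kernel: FW: IN=eth0 SRC=192.0.2.90 DST=203.0.113.5 PROTO=TCP SPT=51002 DPT=445 SYN
Sep  8 10:15:30 gw kernel: FW: IN=eth0 SRC=203.0.113.200 DST=203.0.113.5 PROTO=TCP SPT=33000 DPT=80 SYN
"""

def parse_fields(line):
    """Turn the KEY=VALUE tokens of one firewall log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def classify_sources(log_text, threshold=3):
    """Bucket sources by whether their port scan was preceded by an echo request.

    Lines are assumed chronological, so line index stands in for time; a source
    counts as a scanner once it probes `threshold` distinct ports (an assumption)."""
    first_ping, first_tcp, ports = {}, {}, defaultdict(set)
    for idx, line in enumerate(log_text.splitlines()):
        f = parse_fields(line)
        src = f.get("SRC")
        if src and f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            first_ping.setdefault(src, idx)  # ICMP echo request
        elif src and f.get("PROTO") == "TCP" and "DPT" in f:
            first_tcp.setdefault(src, idx)
            ports[src].add(f["DPT"])
    scanners = {s for s, p in ports.items() if len(p) >= threshold}
    out = {"ping_only": set(), "ping_then_scan": set(), "scan_without_prior_ping": set()}
    for src in set(first_ping) | scanners:
        if src not in scanners:
            out["ping_only"].add(src)  # swept us but never (detectably) port scanned
        elif first_ping.get(src, float("inf")) < first_tcp[src]:
            out["ping_then_scan"].add(src)  # the scans that dropping pings could shed
        else:
            out["scan_without_prior_ping"].add(src)  # dropping pings buys nothing here
    return out

def ping_gated_share(result):
    """Fraction of detected scanners that pinged first, i.e. what dropping echo could shed."""
    n = len(result["ping_then_scan"]) + len(result["scan_without_prior_ping"])
    return len(result["ping_then_scan"]) / n if n else 0.0
```

Run over a real log, the share is the number that settles the argument for your own network: near 1.0 and dropping echo requests sheds most scanners, near 0.0 and it only costs you the "try to ping my site" troubleshooting step.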

"gregh" <chows () ozemail com au> 09/06/03 07:00PM >>>

----- Original Message ----- 
From: Jay Woody 
To: chatmaster () charter net 
Cc: security-basics () securityfocus com 
Sent: Saturday, September 06, 2003 7:29 AM
Subject: RE: ICMP (Ping)


What purpose would seeing a response from a ping serve to a
kiddy looking to deface web sites?  If they are going to attack
you randomly, why do you assume that they would stop to
think when they are blindly attacking networks/ips anyway?

Here is how it works again.  They scan a range and then go back and run
a port scan/vuln scan against what replies.  They don't run vuln scans

No, even that isn't 100% correct. If they have a new toy they will do it.
Don't forget that new toys come out all the time and the only way they
can prove their theories is to go on random attacks to see if what they
have works or not.

In short, yes most of the time they attack depending on what a port
scan shows them but quite a lot of the time they will also be randomly
attacking depending on their association with other scripties and what
their own level of understanding is plus what they think they have in
their hands. Eg, if they are deep in a coven and have been given a new
toy and aren't that up to scratch with scripting themselves, they will
test as they see fit by attacking anything they can. It's just plain
logic. What do you do when you build yourself a new computer but test it
to the limits first off? Well, same thing with a new script.

Greg.

---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm 
----------------------------------------------------------------------------
