Security Basics mailing list archives
RE: ICMP (Ping)
From: "Jay Woody" <jay_woody () tnb com>
Date: Mon, 08 Sep 2003 18:11:20 -0500
Thanks john. We covered this one ad nauseam. I think nmap actually does a ping sweep unless you tell it not to, but that is from memory and I am not at the PC that this is loaded on right now. We've covered this one past the point of being useful now, but thanks for the tip. I hope everyone on the list has indeed checked nmap out by now. JayW
<jfastabe () up edu> 09/08/03 06:34PM >>>
Jay, I think you should check out a security tool known as nmap "network mapper" at www.insecure.org. I believe it is fairly popular as far as scanners go and it doesn't just do a ping sweep unless you ask it to. If I was looking for something to break into I would go this route why bother checking for ping replies when you can just send out syn packets to port 80 or 21 or whatever you are looking for? by the way I allow ping request/replies but that is just my preference. I would think, though i am not an expert, that the only dangerous icmp types to allow would be any of the redirects. john
On Mon, 2003-09-08 at 07:29, Jay Woody wrote:How what works? How you assume they will attack the network or probe it?How I and everyone that has replied to this thread other than you
seems
to think it works.No, just you have said this is _how_ it works. We all _know_ this
is
'one way" it _could_ work... but you say that it's 'unlikely' or
that
"no, that's not correct" when I stated people will just probe and
not
care about a ping response. Deal with it.Take a look at alldas or attrition. Those guys have been gathering that info for years. It is not an assumption but
rather
how the industry has reported it for years now.So what!?Most just simply run them. If they are up, they are up.Again, not really how it works,Like I said "It really is".but if it makes you feel better fine."I know you are, but what am I?". Get real.They ping first, compile a list and then run a port scan against
that
list and compile another list.Some might. All do not. Many do not.They then run a vuln scan against that list.Yes, yes, you keep saying that... I know, I know, you won't listen.There a several pre-made tools that do this for you. Their source code is available. Please feel free to find them and take
a
look.I recommend you look into tools I mentioned. Get out in that 'big world', it's true!To go straight to running a vuln scan against a box that isn't
up
would just fill your logs up with crap that would require them to
parse
it, etc.Yes and no. It depends on the tool and hot it reacts, just like it
does
for a ping. Is port 80 alive and responsive? Yes? Okay, add that
to a
'list', apparently.They just simply don't care enough to take the time.Yeah, script kiddies are rrreeeeaaal smart.If you think they do fine,If I _think_ they do? What don't you GET here?but many people have seemingly responded along the same lines that I have, so obviously I am not alone in my
"assumption".
I've repeated several times that people may do this in the way you outline. MY point was that many do NOT. How is that not sinking
in?
Yes, actually, 'they' do.We could do this all day man, pull the tools down and look at
them.
They don't.So _freaking_ what!? _Many do_, is the point.Aside from the mindless worms that go out and do this, when a kiddie is doing it, he narrows it down first and then runs as
needed.
Oh sure, because they are really 'skilled', right? Geez.Obviously not 100% of the time, but a great huge majority.Says you. So many do not rely on ping responses, that I'd doubt the majority were using this method you outline and seem to have trouble imagining any other way.That is what most if not all of the people that have responded thus far have
said
also.Yes, you have to keep reassuring yourself. However, this is
irrelevant
and untrue even at that. People said it won't make any difference.
Go
on, count how many of the responses agree that disabling ping
responses
will protect your system from script kiddies.Not really. Some people may do that, but experience dictates otherwise.Not seemingly from all the replies that I have seen.Yes, you keep saying that. Do you not respond based on knowledge
and
experience? Do you need to keep reassuring yourself this way?Experience dictates that most do that and that is why many people block
pings.
No, you state this out of what you think others have said. This is _not_ why most people block ping responses. If they are, they are
doing
so out of ignorance.The people that randomly probe just do it, they don't make a list to spend a lot of time on unless it's an
intentional,
known target they have some desire to break into.This is correct and that probe starts with a ping sweep.Enough already! This is getting really old. If you don't know,
just
say so. Educate yourself, but stop whining this same thing each
time,
it's not the facts because you simply SAY SO! It DOES NOT (i.e.,
DOES
NOT) *always* have to start this way and very often does NOT start
this
way--they WILL probe the servers without HAVING to compile a list of systems that only just respond to ping requests! Obviously you're
new
at this to act this way and simply mindlessly INSIST that this is
_the
way_ it works.If you are correct and someone collects a list of "I'm live, I'm here" responding Ips are to later be targeted, that's one thing, but I've never seen that.Then feel free to go download a couple of the tools and source
codes.
Why should *I* do this because *you* don't know how it works?I can go as far as to say that I have never seen a tool that
didn't
whittle it down before running the vuln scan.So? Because you don't know, this is my problem? You continue to
insist
it must work a specific way only. You aren't even listening, at
all.
I'm sorry that you have never apparently seen this.Why are you sorry? Who said I've not seen these tools? I stated
that,
yes, people can and do first ping... I then stated that many do not
and
just to go to source and check for a web service instead of pings--basically accomplishing the same thing, but with more
accurate
and specific results. Again, you're going to have to deal with
that.
Perhaps this is because you are replying to pings and therefore see a lot of port scans and vuln scans that
many of
the rest of us don't.If you say so... You just can't possibly accept any reality that contradicts your uneducated opinion that you insist has to be the way
it
is. In fact, this appears to he the cornerstone of your knowledge
in
this area--ignorance is bliss, I guess.I never said that all you have to do is block pings and you are
secure.
You seem to think that you won't be hit unless you either respond to pings or are already a target. After all, just above, you again have
to
try and justify your claims by saying "You're probably being probed because you respond to pings", when I clearly explained that many systems and networks that did not still were probed just as much as systems and networks they do. This doesn't reflect well on you or
your
argument. Why, in fact, is it even an argument? Can't you simply accept the fact that this is the reality of it? Maybe imagine how
you
look to people that know better, when you insist that it _must be_
this
certain way, when it's not?You asked how does it help and I have explained it now in detail.Now, actually the OP asked, you said, I said "No". You didn't listen
to
what I was saying. I asked how you _think_ that will help and you offered the answer I expected. Live in bliss if you want.If you don't agree, cool.Apparently it's not "cool", when you refuse to acknowledge anything someone says that obviously knows a lot more about this subject and
the
technicalities than you. Fine, this is security-basis, after all,
but I
will call you on it if you give out wrong, bad/dangerous or ignorant advice, for others will be at risk as you are living in this
ignorant
bliss. You can insist all you like, but I will call you on it.Don't block them.I don't need your permission.You asked I answered and now you want to get petty.You mean sort of like insisting that I either "don't know" or what I
say
isn't true, based on what I explained about how every system and
network
I've seen that disabled ping responses gets the same amount of
probes
and attacks as networks that do respond? Yeah, don't let me get
petty,
you keep acting like a maniac and insisting that you know best about something you obviously don't know best about. Perhaps you don't
know
enough about it, but it's your job to educate yourself if you intend
to
argue about it--let alone, to give out advice that's incorrect.
Yeah,
how petty of me to point that out and not put up with your flack
where
you try and insist that people giving out real, correct information
are
wrong. Good for you...Again, please just download the tools.You again miss the entire point. I don't need to download any tools specific to the method you outline, you need to download tools
specific
to the method that *I* have. If you can't find one, it would take a minute to write one.This is getting old with me saying, yes they do and you saying no they
don't.
Exactly, so base your claims on facts, not what you want to insist
upon
without any actual basis for the claims you male.You know my and a majority of the posters opinion.I know you claim to share the majority of the poster's opinions,
based
on maybe 2 others agreeing with this assumption you have. If you
think
that means something or you have to reassure yourself that way, so
be
it. The facts are simply, pings are not the only way attackers rely
on
when compiling a list of targets.I offered you an option of consulting known gatherers of defacements,Why exactly would I need to do this? This is irrelevant what some people may or may not do. You may do the same, why don't _you_? Or maybe consult some people that know better what they are doing than
the
people you consult to see the use real, useful tools for their
tasks?
looking at the tools they use and looking at the replies from a majority of people
that
There you go again with the "Majority of people". And, wrong again. You are not the majority of the people here. Two others, I believe
said
this same claim you did, also based on the same ignorance. They
perhaps
have educated themselves rather than refused to listen and insist
this
nonsense you are. The majority of people have outlined ways to
prevent
attacks, not web site defacers. This is all kids stuff you're
talking
about and even serious (e.g., the actual threats in that field)
one's
are going to use more specific and accurate methods to accomplish
their
task.say they do it for DoS reasonRight, and not for the *reason* you claim.and the ones that I have said in here several times.No, that was just you.If you would like to write to me off-list to continue mindless arguing of Yes they do, No they don't, feel free.I will respond here, I have no desire to correct you in private to yourself. I do so only for the purpose of helping to prevent others
that
don't know better, from believing what you claim, based on you not knowing better. If you're too arrogant or clueless to get it still,
so
be it.If not, you know how I and a great many people feel.Like I said, you can keep adding to the number of the masses you
claim
agree with you, but I count two, and I saw more disagree anyway.
And,
who cares? Don't let that dictate what you know--that is to say, if
you
actually knew... which you don't. So, stop this immature behavior.You asked,No, I didn't ask. Don't try and make this out to look as if I asked
you
because I didn't know. I asked how you think it'll help, because it will not. I explained why it won't and the facts, and you still
insist
otherwise. So, you had no intention or ability to discuss this.I explained.No, you insisted based on your incorrect opinion.Your choice follows that one.As does yours, young Skywalker.Peace.Yeah, I'm sure... -- Tim Greer <chatmaster () charter net>
---------------------------------------------------------------------------
Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------
--------------------------------------------------------------------------- Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm ----------------------------------------------------------------------------
Current thread:
- RE: ICMP (Ping), (continued)
- RE: ICMP (Ping) Jay Woody (Sep 08)
- RE: ICMP (Ping) Jay Woody (Sep 08)
- RE: ICMP (Ping) Halverson, Chris (Sep 08)
- RE: ICMP (Ping) Jay Woody (Sep 08)
- Re: ICMP (Ping) Jay Woody (Sep 08)
- Re: ICMP (Ping) Tim Greer (Sep 08)
- RE: ICMP (Ping) Schouten, Diederik (Diederik) (Sep 08)
- RE: ICMP (Ping) Tony Kava (Sep 08)
- RE: ICMP (Ping) McGill, Lachlan (Sep 08)
- Re: ICMP (Ping) Paul Farag (Sep 08)
- RE: ICMP (Ping) Jay Woody (Sep 08)