Security Basics mailing list archives
Re: ICMP (Ping)
From: Fyodor <fyodor () insecure org>
Date: Mon, 8 Sep 2003 20:10:10 -0700
On Mon, Sep 08, 2003 at 12:38:10PM -0400, Chris Ess wrote:
> * Saved by blocking pings: nmap
>
> Yes, nmap. Everyone on this list has used nmap or is hopefully familiar with what it does. For those of you who don't know, nmap is a portscanning utility. The first thing nmap appears to do before it actually runs a scan is ping the host.
Nmap calls this a "ping scan", but it uses that term more generally to include any type of host enumeration probe in addition to the plain ICMP echo request. By default, Nmap will send an ICMP echo request as well as an ACK packet to port 80. So blocking ICMP echo requests alone won't help you much. Of course if you block the ACK probe too, you will be less visible to a default run of Nmap. However, any marginally competent attacker (and I realize that many aren't) will not rely on the 2-probe default. Nmap offers many other host enumeration checks, including TCP SYN packets to multiple ports, ACK packets to multiple ports, ICMP timestamp request, multi-port UDP packets, etc. Here is an example from my Defcon talk last month:

nmap -sP -PS22,25,53,80,113,31338 -PA80,113,21000 -PU53,19000 -PE -PM -g 53 -oA [logfile] [netblocks]

This command sends a normal ping, an ICMP netmask request, SYN packets to ports 22,25,53,80,113,31338, ACK packets to 80,113,21000, and UDP packets to ports 53,19000. The TCP & UDP probes are all sent from a source port of 53 just in case masquerading as DNS replies helps. If ANY of these probes elicit a response, Nmap considers the host available.

The ping scan above took about 12 minutes to scan 5000 IPs over the Internet. It would have been faster with more aggressive timing (-T4 option) or if you disable DNS resolution (-n option).

I am not taking a position on whether pings should be blocked. I just hope people don't overestimate the value this brings. Obviously you shouldn't delay patch installation just because you think you are "stealthed" by the ping blocking. ICMP ping blocking alone won't even stop the default Nmap probes, and using a much more comprehensive set of probes is only as hard as adding options like those above. Or you can add -P0 and skip ping testing altogether.

What do I do on my own networks?
ping www.insecure.org
PING www.insecure.org (205.217.153.53) from 67.124.116.141 : 56(84) bytes of data.
64 bytes from www.insecure.org (205.217.153.53): icmp_seq=0 ttl=51 time=21.575 msec
64 bytes from www.insecure.org (205.217.153.53): icmp_seq=1 ttl=51 time=20.746 msec
64 bytes from www.insecure.org (205.217.153.53): icmp_seq=2 ttl=51 time=21.790 msec

But at the same time, I can understand and appreciate the arguments from people who do block ICMP pings. When I do vulnerability assessments for clients, I list ping responses on the report as a minor risk they should evaluate.

Cheers,
Fyodor
http://www.insecure.org/
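An added example, not part of the original message: a small detector that flags a source sending several different host-discovery probe types (echo, netmask, SYN, unsolicited ACK, UDP) at one destination, which is the pattern the multi-probe scan above produces in inbound packet logs. The log format is a constructed key=value style modelled on netfilter LOG lines, the addresses are documentation ranges, and the function names and the three-kind threshold are assumptions.

```python
from collections import defaultdict

ICMP_KINDS = {"8": "icmp-echo", "13": "icmp-timestamp", "17": "icmp-netmask"}

# Constructed sample (not real traffic): one multi-probe sweep, one plain ping, one web client.
SAMPLE_LOG = """\
SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=17 CODE=0
SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=22 SYN
SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=80 ACK
SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=19000
SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=80 SYN
SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=80 ACK
"""

def parse(line):
    """Split one log line into key=value fields and a set of bare TCP flag tokens."""
    tokens = line.split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    return fields, {t for t in tokens if "=" not in t}

def find_discovery_sweeps(log_text, min_kinds=3):
    """Return {src: sorted probe kinds} for sources that hit one destination
    with at least min_kinds different host-discovery probe types."""
    kinds = defaultdict(set)   # (src, dst) -> probe kinds seen
    syn_seen = set()           # flows opened with a SYN, so a later ACK is expected
    for line in filter(str.strip, log_text.splitlines()):
        f, flags = parse(line)
        pair = (f["SRC"], f["DST"])
        proto = f.get("PROTO")
        kind = None
        if proto == "ICMP":
            kind = ICMP_KINDS.get(f.get("TYPE"))
        elif proto == "UDP":
            kind = "udp"
        elif proto == "TCP":
            flow = pair + (f.get("SPT"), f.get("DPT"))
            if "SYN" in flags and "ACK" not in flags:
                syn_seen.add(flow)
                kind = "tcp-syn"
            elif "ACK" in flags and flow not in syn_seen:
                kind = "tcp-ack-unsolicited"   # ACK with no handshake before it
        if kind:
            kinds[pair].add(kind)
    return {src: sorted(k) for (src, _dst), k in kinds.items() if len(k) >= min_kinds}

if __name__ == "__main__":
    print(find_discovery_sweeps(SAMPLE_LOG))
```

The web client's ACK is not counted because its flow began with a SYN; only an ACK that arrives without one is treated as a probe.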