WebApp Sec mailing list archives
Re: Should or shouldn't block public ping to a website
From: Clement Dupuis <clement.dupuis () gmail com>
Date: Sun, 11 Sep 2011 23:39:56 +0100
Good day to all,

The problem is that people do not selectively allow ping types. They allow ICMP or they don't. A tool like LOKI could be used as a client-server tool to leak data in and out of your servers. ICMP Timestamp queries could be used to find out how long a server has been up and running, which could indicate which critical patch requiring a reboot has or has not been installed on the remote server. Netmask queries can be done to further identify specific ranges of IPs being used. ICMP redirect could be used.

ICMP offers limited benefits; pinging a server only tells you the stack is configured and working, it does not tell you anything about the specific services on the device itself. A host can respond to pings, but it does not mean the services running on top of it are working properly. Other than ICMP Type 3 error messages, there is little benefit in allowing ICMP.

Take care

Clement

Clement Dupuis, CD
Chief Learning Officer (CLO) and Security Evangelist
SecureNinja, An Insyte Company
Phone: +1 407 479 3903
Mobile: +1 407 433 6444
Fax: +1 407 264 8396
Skype: clementdupuis
Email: clement () secureninja com
Web: www.secureninja.com
901 N. Pitt Street, Suite 105, Alexandria, VA 22314

In Cyberspace:
Clement Dupuis, CD
President/Founder/Chief Security Evangelist
The CCCure Family of Portals
----------------------------------------------------------------------------------------------
Maintainer of:
The CCCure Family of Portals http://www.cccure.org
The Professional Security Testers Warehouse http://www.professionalsecuritytesters.org
Knowledge sharing and giving back to the community
-------------------------------------------------------------------------------------------------------
Call me to get the best CISSP, Security+, or other Security related training <<
-------------------------------------------------------------------------------------------------------

On Fri, Sep 9, 2011 at 11:46, Sandeep Cheema <51l3n7 () live in> wrote:
Why are you not allowing ICMP? Is the server itself exposed or behind a NetScaler or some routing device? Even if it's not covered behind one, you can allow ping. The only exploit with ping is the ping of death, which is obsolete now. Use a software IDS\IPS?

Regards,
Sandeep

Sent from BlackBerry® on Airtel

-----Original Message-----
From: ShiYih Lye <shiyih.lye () my offgamers com>
Date: Mon, 5 Sep 2011 06:03:57
To: <webappsec () securityfocus com>; <pen-test () securityfocus com>
Subject: Should or shouldn't block public ping to a website

Hi,

All this while I have not been allowing any public ping to the website I'm maintaining, but it's making it tougher to troubleshoot should any user around the globe have trouble accessing our website, as I can't get them to send a proper traceroute report.

In your opinion, is it necessary to block public ping to a public website? Is this security practice still relevant with today's exploit technology? And if you think it's still necessary, how do I make sure my users' traceroute still works when all ICMP is dropped from the public?

Thanks for any input, I appreciate it.

Regards,
Lye

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
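The thread's two practical points, that most sites allow or drop ICMP wholesale instead of by type, and that a site which drops everything also loses the type 3 errors (and user-side ping/traceroute) it actually needs, can be made concrete with a small policy engine. The following is an added example written for this page, not code from any of the posters: it parses raw ICMPv4 messages, verifies the RFC 1071 checksum, and applies an inbound allow-list for a public web host. The type/code numbers come from RFC 792; the rule set, the `MAX_ECHO_PAYLOAD` cap used as a crude tunnelling heuristic (the LOKI concern), and all sample packets are assumptions constructed for illustration.

```python
import struct

# ICMPv4 type numbers from RFC 792 / IANA.
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST = 0, 3, 5, 8
TIME_EXCEEDED, TIMESTAMP, ADDR_MASK = 11, 13, 17
FRAG_NEEDED = 4          # DEST_UNREACH code used by Path MTU Discovery
MAX_ECHO_PAYLOAD = 128   # assumed cap: stock ping payloads are 32-56 bytes, ICMP tunnels carry far more

# Inbound rules for a public web server; first match wins, None matches any code.
# This rule set is an illustrative assumption, not a recommendation from the thread.
INBOUND_RULES = [
    (DEST_UNREACH, None, "accept"),   # the type 3 errors the thread says are worth keeping (incl. code 4 for PMTUD)
    (TIME_EXCEEDED, None, "accept"),  # answers to the host's own outbound traceroutes
    (ECHO_REQUEST, None, "accept"),   # lets users ping / ICMP-traceroute the host; rate-limit this in a real firewall
    (REDIRECT, None, "drop"),         # route manipulation
    (TIMESTAMP, None, "drop"),        # clock / uptime disclosure
    (ADDR_MASK, None, "drop"),        # subnet disclosure
]
DEFAULT_ACTION = "drop"               # anything unlisted (echo replies, unknown types) is dropped


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble an ICMPv4 message with a valid checksum (used here only to construct sample input)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    csum = icmp_checksum(body)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(pkt: bytes):
    """Return (type, code, payload); raise ValueError for truncated or corrupt messages."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes; got %d" % len(pkt))
    if icmp_checksum(pkt) != 0:        # a valid message checksums to zero when the field is included
        raise ValueError("bad ICMP checksum")
    icmp_type, code = struct.unpack("!BB", pkt[:2])
    return icmp_type, code, pkt[8:]


def decide(pkt: bytes) -> str:
    """Apply the inbound policy to one raw ICMP message; anything malformed is dropped."""
    try:
        icmp_type, code, payload = parse_icmp(pkt)
    except ValueError:
        return "drop"
    if icmp_type == ECHO_REQUEST and len(payload) > MAX_ECHO_PAYLOAD:
        return "drop"                  # oversized echo payloads are the footprint of ICMP tunnelling
    for rule_type, rule_code, action in INBOUND_RULES:
        if rule_type == icmp_type and rule_code in (None, code):
            return action
    return DEFAULT_ACTION


def sample_decisions() -> dict:
    """Constructed traffic (not captured data), one message per case; returns {label: decision}."""
    pkts = {
        "ping": build_icmp(ECHO_REQUEST, 0, payload=b"x" * 56),
        "frag_needed": build_icmp(DEST_UNREACH, FRAG_NEEDED, rest=struct.pack("!HH", 0, 1400)),
        "ttl_exceeded": build_icmp(TIME_EXCEEDED, 0),
        "timestamp_query": build_icmp(TIMESTAMP, 0, payload=b"\x00" * 12),
        "netmask_query": build_icmp(ADDR_MASK, 0, payload=b"\x00" * 4),
        "redirect": build_icmp(REDIRECT, 1),
        "tunnel_like_ping": build_icmp(ECHO_REQUEST, 0, payload=b"A" * 1024),
        "corrupt": build_icmp(ECHO_REQUEST, 0)[:-1] + b"\xff",
    }
    return {name: decide(p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, verdict in sample_decisions().items():
        print("%-17s %s" % (name, verdict))
```

The point of the rule order is that the host keeps what it cannot safely live without (type 3, above all "fragmentation needed" so Path MTU Discovery does not silently black-hole large responses) and keeps echo requests so users can still ping and traceroute to it, while the reconnaissance types named in the thread (timestamp, netmask, redirect) never reach the stack. Echo replies fall to the default drop here because the example is stateless; a real firewall would admit them only as responses to the host's own requests.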
Current thread:
- Should or shouldn't block public ping to a website ShiYih Lye (Sep 09)
- Message not available
- Re: Should or shouldn't block public ping to a website ShiYih Lye (Sep 09)
- Re: Should or shouldn't block public ping to a website Andre Correa (Sep 11)
- Re: Should or shouldn't block public ping to a website John Hall (Sep 11)
- Re: Should or shouldn't block public ping to a website ShiYih Lye (Sep 09)
- Message not available
- Re: Should or shouldn't block public ping to a website MATHDATER (Sep 11)
- <Possible follow-ups>
- Re: Should or shouldn't block public ping to a website Sandeep Cheema (Sep 11)
- Re: Should or shouldn't block public ping to a website Clement Dupuis (Sep 12)
- RE: Should or shouldn't block public ping to a website Martin O'Neal (Sep 13)
- RE: Should or shouldn't block public ping to a website Martin O'Neal (Sep 14)