[NTLUG:Discuss] SSH
Chris Cox
cjcox at acm.org
Tue Oct 14 22:20:53 CDT 2003
Eric Schnoebelen wrote:
> Chris Cox writes:
...
> - Just echo.. and this is SOP.
>
> Interesting.. I've never heard of it being SOP
> anywhere..
>
> What is the goal of turning off ICMP echo?
Detection of hosts is usually done via simple pings. If I'm looking
for a live host, the rudimentary hacker will ping. Too many sites
respond to simple pings... the others are not worth pursuing (unless
something leads the hacker to believe there's a site out there... in
which case the hacker does a more robust scan). Just turning
off ICMP echo is not a complete solution.. you still need something
like a firewall... but turning off ICMP echo will probably reduce
the number of suspicious hits by at least an order of magnitude.
Even on networks where echo is allowed, oftentimes it is the
firewall returning the echo on behalf of the requested host instead
of the actual host doing it. I don't know of any good reason
for echo though. If you need some kind of "ping" for internal reasons,
it can usually be simulated using some other kind of request,
usually involving an open service port (one that's supposed
to be there by one's design).
There are some other ICMP messages that are safe to disable
(like the related broadcast ICMP request... most Unixes allow
that to be disabled, but very few allow you to stop ICMP
echo.... the good news is that the firewall can do that for
you... of course with Linux you can do both at the host if
you want). As you mentioned though, don't just turn off
all ICMP... or you'll screw up things like routing.
Leave ICMP echo enabled and it's kind of like listing your
host in the Yellow Pages (with a large print ad!). People
still have to thumb through the pages... but they'll see
your ad eventually! Look up the smurf DoS attack... and you'll
see info on an old attack that used the fact that many
IPs responded to echo requests (though in the case of
the smurf attack, it was the broadcast echo).
If anyone knows of a "necessary" application that requires
"pinging" (ICMP echo)... let us know here on the list.
Until then... I prefer stealth (it really does help).
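Chris's suggestion of simulating "ping" with a request to a service port that is supposed to be open can be done with a plain TCP connect. The script below is an added example, not code from the list or from Chris; the function and type names (`tcp_ping`, `ProbeResult`, `start_local_listener`, `closed_local_port`) are my own, and the probe targets a listener it starts on 127.0.0.1 itself so it runs offline. The point it adds to the text: a completed handshake and a connection-refused RST both prove the host is up, while a timeout proves nothing, which is exactly the ambiguity a firewall silently dropping probes is meant to create.

```python
"""TCP-connect liveness probe as a stand-in for ICMP echo (added example)."""
import socket
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ProbeResult:
    host: str
    port: int
    state: str                 # "open", "closed", "filtered" or "unresolved"
    rtt_ms: Optional[float]    # handshake time; None when nothing came back

    @property
    def host_alive(self) -> bool:
        # "open" (SYN/ACK) and "closed" (RST) both came from a live stack.
        # "filtered" only means no answer: dropped by a firewall, or host down.
        return self.state in ("open", "closed")


def tcp_ping(host: str, port: int, timeout: float = 2.0) -> ProbeResult:
    """Probe host:port with a TCP connect instead of an ICMP echo request."""
    try:
        addrinfo = socket.getaddrinfo(host, port, socket.AF_UNSPEC,
                                      socket.SOCK_STREAM)
    except socket.gaierror:
        return ProbeResult(host, port, "unresolved", None)
    family, socktype, proto, _, sockaddr = addrinfo[0]

    start = time.monotonic()
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            state = "open"
        except ConnectionRefusedError:
            state = "closed"          # RST received: host is alive, port is not
        except (socket.timeout, TimeoutError):
            return ProbeResult(host, port, "filtered", None)
        except OSError:
            # EHOSTUNREACH / ENETUNREACH and friends: no evidence of a live host
            return ProbeResult(host, port, "filtered", None)
    rtt_ms = round((time.monotonic() - start) * 1000.0, 3)
    return ProbeResult(host, port, state, rtt_ms)


def start_local_listener() -> Tuple[socket.socket, int]:
    """Bind a listening socket on 127.0.0.1 at an ephemeral port (demo target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)                     # kernel completes handshakes into the backlog
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """Return a loopback port nothing listens on, so a connect draws a RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    for p in (open_port, closed_local_port()):
        r = tcp_ping("127.0.0.1", p)
        print(f"{r.host}:{r.port} state={r.state} alive={r.host_alive} "
              f"rtt_ms={r.rtt_ms}")
    srv.close()
```

For the host side of what Chris describes, Linux exposes the two knobs as `net.ipv4.icmp_echo_ignore_broadcasts` (the broadcast case behind smurf) and `net.ipv4.icmp_echo_ignore_all`; neither touches the other ICMP types that path MTU discovery and routing depend on, which is the "don't just turn off all ICMP" caveat above.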