[NTLUG:Discuss] SSH

MadHat madhat at unspecific.com
Wed Oct 15 10:19:30 CDT 2003


On Tue, 2003-10-14 at 22:20, Chris Cox wrote:
> Eric Schnoebelen wrote:
> > Chris Cox writes:
> ...
> > - Just echo.. and this is SOP.
> > 
> > 	Interesting.. I've never heard of it being SOP
> > anywhere..
> > 
> > 	What is the goal of turning off ICMP echo?
> 
> Detection of hosts is usually done via simple pings.  If I'm looking
> for a live host, the rudimentary hacker will ping.  Too many sites
> respond to simple pings... the others are not worth pursuing (unless
> something leads the hacker to believe there's a site out there... in
> which case the hacker does a more robust scan).  Just turning
> off ICMP echo is not a complete solution.. you still need something
> like a firewall... but turning off ICMP echo will probably reduce
> the number of suspicious hits by at least an order of magnitude.


nmap, the most common scanning tool, does not use ICMP by default.
<sarcasm>And security through obscurity always works</sarcasm>

Most "hackers" are going to use scripts that scan for specific ports,
not for ICMP.  They are looking for vulnerable servers, not live hosts.

> 
> Even on networks where echo is allowed, often times it is the
> firewall returning the echo on behalf of the requested host instead
> of the actual host doing it.  I don't know of any good reason
> for echo though. 

Not on any major network I know of.  And ICMP is often used to determine
if a host is up by the maintainers of a host/network.  If you are
looking at the healthiness of a host, you can check ports for services,
but it is often easiest to check a ping to see if the host is up.  If it
is behind a firewall, and you don't want to give access to the devices
behind the firewall, but want to make sure the host is up, you can allow
ICMP through and you don't open any _real_ risks (perceived risks,
possibly).

>  If you need some kind of "ping" for internal reasons,
> it can usually be simulated using some other kind of request,
> usually involving an open service port (one that's supposed
> to be there by one's design).

ICMP is supposed to be there by design.  I don't have all my hosts
listening on one port, but they all listen for ICMP.  Maybe I can turn
on echo... ;^)

> 
> There are some other ICMP messages that are safe to disable
> (like the related broadcast icmp request... most Unix allow
> that to be disabled, but very few allow you to stop icmp
> echo.... 

Define "very few".  Modern *BSD and Linux are easy to do.

> the good news is that the firewall can do that for
> you... of course with Linux you can do both at the host if
> you want).  As you mentioned though, don't just turn off
> all ICMP... or you'll screw up things like routing.
> 
> Leave ICMP echo enabled and it's kind of like listing your
> host in the Yellow Pages (with a large print ad!).  People
> still have to thumb through the pages... but they'll see
> your ad eventually!

This is true of anything if you are connected to the Internet.

>   Look up smurf DOS attack... and you'll
> see info on an old attack that used the fact that many
> IP's responded to echo requests (though in the case of
> the smurf attack, it was the broadcast echo).
> 

A smurf attack is not based on ICMP, but on the design of the IP
protocol itself.  ICMP was most commonly used, but any TCP port could be
used as well, as long as it is open.  Port 80 for instance is open a lot
of times on the Internet and could be used (and has been used).  Turning
off ICMP does not mitigate smurf attacks.

> If anyone knows of a "necessary" application that requires
> "pinging" (ICMP echo)... let us know here on the list.
> Until then... I prefer stealth (it really does help).

Personally I think it is a great tool for testing the network.  Can't
use mtr without it.  I would prefer to let ICMP through to be able to do
a traceroute -I than have to open all the UDP ports necessary to do a
UDP traceroute.


I am by no means saying it is necessary, but I think it is not an evil
tool and can be very useful if you are actually wanting to manage your
network remotely.  I also use it as a tool to look for network anomalies
that would be almost impossible to find without ICMP.

From my experience, turning it off does not reward me with enough
security as compared to the added cost of maintenance and monitoring and
the security risks associated with what has to be done to make up for
ICMP to be gone.

-- 
MadHat at Unspecific.com
`But I don't want to go among mad people,' Alice remarked.
`Oh, you can't help that,' said the Cat: `we're all mad here...'
   -- Lewis Carroll - _Alice's_Adventures_in_Wonderland_
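The two Linux knobs this thread argues over, as an added example that was not posted to the list: a small POSIX shell audit that reads net.ipv4.icmp_echo_ignore_broadcasts (the broadcast echo reply Chris calls safe to disable, and the setting that keeps a host from acting as a smurf amplifier) and net.ipv4.icmp_echo_ignore_all (the unicast echo MadHat wants kept so ping, mtr and traceroute -I keep working). The sysctl names and the iptables options in the comments are real; the function names and the optional directory argument (so a constructed directory can stand in for /proc/sys while testing) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Audits the two Linux
# sysctls behind the ICMP echo argument, read from a /proc/sys-style root
# (default /proc/sys; pass another directory to test against constructed
# files). The file names are the real Linux knobs:
#
#   net/ipv4/icmp_echo_ignore_broadcasts  1 = do not answer echo sent to a
#                                         broadcast/multicast address, i.e.
#                                         do not act as a smurf amplifier
#   net/ipv4/icmp_echo_ignore_all         1 = answer no echo at all; ping,
#                                         mtr and traceroute -I to the host
#                                         stop working
#
# Firewall-side middle ground (host still answers echo, but cannot be
# flooded through it); iptables syntax, run as root on the host:
#   iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
#   iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# read_knob <root> <knob>: prints the knob's value, or "?" if unreadable
read_knob() {
    v=$(cat "$1/net/ipv4/$2" 2>/dev/null) || { echo '?'; return 0; }
    printf '%s\n' "$v" | tr -d '[:space:]'
}

# icmp_posture [root]: one line per knob, "<knob> <value> <VERDICT>: <why>"
icmp_posture() {
    root="${1:-/proc/sys}"
    b=$(read_knob "$root" icmp_echo_ignore_broadcasts)
    a=$(read_knob "$root" icmp_echo_ignore_all)
    case "$b" in
        1) echo "icmp_echo_ignore_broadcasts 1 OK: broadcast echo ignored (not a smurf amplifier)" ;;
        0) echo "icmp_echo_ignore_broadcasts 0 WARN: answers broadcast echo; set net.ipv4.icmp_echo_ignore_broadcasts=1" ;;
        *) echo "icmp_echo_ignore_broadcasts $b UNKNOWN: knob not readable" ;;
    esac
    case "$a" in
        0) echo "icmp_echo_ignore_all 0 OK: unicast echo answered; ping, mtr and traceroute -I work" ;;
        1) echo "icmp_echo_ignore_all 1 NOTE: unicast echo ignored; ICMP liveness checks of this host will fail" ;;
        *) echo "icmp_echo_ignore_all $a UNKNOWN: knob not readable" ;;
    esac
}

# is_smurf_amplifier [root]: exit status 0 when the host would answer
# broadcast echo requests (the condition the thread says is safe to remove)
is_smurf_amplifier() {
    [ "$(read_knob "${1:-/proc/sys}" icmp_echo_ignore_broadcasts)" = "0" ]
}
```

On a live host, `icmp_posture` with no argument reads /proc/sys directly; a persistent change goes in /etc/sysctl.conf as `net.ipv4.icmp_echo_ignore_broadcasts = 1`, leaving icmp_echo_ignore_all at 0 if you rely on ping, mtr or traceroute -I for monitoring.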