[NTLUG:Discuss] SSH

Chris Cox cjcox at acm.org
Wed Oct 15 13:26:40 CDT 2003


MadHat wrote:
> On Tue, 2003-10-14 at 22:20, Chris Cox wrote:
> 
>>Eric Schnoebelen wrote:
>>
>>>Chris Cox writes:
>>
>>...
>>
>>>- Just echo.. and this is SOP.
>>>
>>>	Interesting.. I've never heard of it being SOP
>>>anywhere..
>>>
>>>	What is the goal of turning off ICMP echo?
>>
>>Detection of hosts is usually done via simple pings.  If I'm looking
>>for a live host, the rudimentary hacker will ping.  Too many sites
>>respond to simple pings... the others are not worth pursuing (unless
>>something leads the hacker to believe there's a site out there... in
>>which case the hacker does a more robust scan).  Just turning
>>off ICMP echo is not a complete solution.. you still need something
>>like a firewall... but turning off ICMP echo will probably reduce
>>the number of suspicious hits by at least an order of magnitude.
> 
> 
> 
> nmap, the most common scanning tool, does not use ICMP by default.
> <sarcasm>And security through obscurity always works</sarcasm>

Actually, unless you target a specific port, nmap takes way too
long as a general scanner (unless you use multiple hosts, which
of course is quite possible for the sophisticated hacker)... again,
I'm talking about the majority of people collecting active IP addresses.
I'm speaking from experience moving from a "hacked" site to a new IP
with better security measures.

Security through obscurity is better than sending out free
invitations throughout the internet.  I agree that security
through obscurity is not sufficient policy, but should be
a part of policy just to keep out the general masses (noise).


> 
> From my experience, turning it off does not reward me with enough
> security as compared to the added cost of maintenance and monitoring and
> the security risks associated with what has to be done to make up for
> ICMP to be gone.
> 

Not my experience at all.  Our company gets literally thousands of
attacks every day (well into the 10's of thousands).  One of the sites
I managed (different from my company) got thousands a day and eventually
was hacked (before my time as its administrator)... it's now stealth and
has had 0 attempts. Unfortunately, I don't administer our company's
external IPs... else I would have set them up similarly.  The "cat is
out of the bag" with regards to our corporate IP addresses... a bit late
to deploy stealth tactics (but can't hurt and might reduce attempts
over time).

ICMP echo is not required for successful monitoring of networks.

I'm not going to argue the point... but I'm going to have to
assume that you've tried this with a publicly routable IP and your
experience has shown that the number of suspicious hits was no
different than a routable IP that had echo enabled.  My results
have been exactly the opposite of this.

Perhaps some others here can relay their experiences.
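As an added example (not part of this thread or anyone's post in it), a small Python tally over constructed netfilter LOG lines that separates plain echo-request pings from unsolicited TCP SYN probes, so a defender can measure how much of the "suspicious hit" count ignoring ICMP echo would actually remove and how much (an nmap-style SYN scan) it would leave untouched. The log line layout and the sample addresses are assumptions.

```python
"""Tally ICMP echo requests and TCP SYN probes per source in netfilter LOG output.

Measures the "suspicious hits" argued about above: plain pings (which ignoring
ICMP echo stops) versus TCP port probes, which ignoring echo does nothing about.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the netfilter LOG target's layout (not real traffic).
SAMPLE_LOG = """\
Oct 15 13:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=84 TTL=52 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Oct 15 13:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=84 TTL=52 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Oct 15 13:02:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=44 TTL=48 ID=0 DF PROTO=TCP SPT=52111 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 15 13:02:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=44 TTL=48 ID=0 DF PROTO=TCP SPT=52111 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 15 13:03:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.5 LEN=84 TTL=64 ID=9 PROTO=ICMP TYPE=0 CODE=0 ID=7 SEQ=1
Oct 15 13:03:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=443 DPT=52111 WINDOW=1024 RES=0x00 ACK SYN URGP=0
"""

# Fields are matched independently because other fields (MAC=, TOS=, ...) may sit between them.
_FIELD = re.compile(r"\b(SRC|PROTO|TYPE|DPT)=(\S+)")
_SYN = re.compile(r"\bSYN\b")
_ACK = re.compile(r"\bACK\b")


def classify(line):
    """Return (kind, src) for a probe line, or None.

    'icmp_echo' = ICMP type 8 (echo request); echo replies (type 0) are not probes.
    'tcp_syn'   = TCP SYN without ACK, i.e. an unsolicited connection attempt.
    """
    fields = dict(_FIELD.findall(line))
    src, proto = fields.get("SRC"), fields.get("PROTO")
    if not src or not proto:
        return None
    if proto == "ICMP" and fields.get("TYPE") == "8":
        return ("icmp_echo", src)
    if proto == "TCP" and _SYN.search(line) and not _ACK.search(line):
        return ("tcp_syn", src)
    return None


def tally(log_text):
    """Per-kind Counter of probe sources across a block of log lines."""
    per_kind = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            per_kind[hit[0]][hit[1]] += 1
    return per_kind


def summary(log_text):
    """Total hits per kind; the icmp_echo figure is what ignoring echo removes."""
    return {kind: sum(c.values()) for kind, c in tally(log_text).items()}
```

Running `summary(SAMPLE_LOG)` on the constructed lines gives two echo requests and two SYN probes; only the former disappear when echo is ignored, the SYN probes still need a firewall rule and monitoring.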
