
icmp filtering (was: ssh tunneling)
* P. Kallakuri (praveen@unlserve.unl.edu) [030826 11:06]:
> By default ICMP traffic is disabled, and when I set up a firewall in our 
> research lab about 3 years back, that's how I left it. Our research 
> machines were open on the internet when we got a series of nasty 
> infiltration attempts. I could not figure out why someone would do that 
> with research computers in the university system. Anyway, we had years 
> of valuable research data on the machines that were being compromised, 
> so I (having nothing to do with networking or administration) read 
> about and set up this gateway/firewall. I was aware that disabling ICMP 
> would keep outside machines wondering whatever happened to their 
> traffic. But if that's what it takes to keep out some guy who runs a 
> "find-all-live-hosts" discovery script (that's how most of the machines 
> in our university system were hacked into), then we have to do it. Our 
> tech guys really don't bother about research networks. But really, if 
> there is a more effective mechanism to keep intruders from knowing 
> whether a hack-candidate exists, I would be more than willing to do that.

This practice of trying to become invisible is known as "security
through obscurity".  There is no inherent danger in being pingable, and
there is no inherent security in not being pingable.  There are myriad
other ways to tell if a host is up on a given address.  (An ICMP ping
just happens to be a very convenient way to do it.  It's one of the
first things everyone checks when they're experiencing connectivity
problems.  Disabling this just makes the troubleshooting process awkward
and more difficult.)  I highly doubt that ping had anything to do with
the intrusion you experienced.  The right tactic is to find the security
hole and plug it, not to hide and hope that your security holes go
unnoticed.

You're correct; you probably weren't being targeted specifically by an
enemy.  More likely, you were the victim of a "script kiddie" who was
scanning as many hosts as possible and trying a known exploit against
them.  Generally, though, disabling ICMP isn't going to help you in this
situation.  A script kiddie isn't going to ping a bunch of hosts and
then decide which ones to try the exploit on; he'll just try the
exploit on the hosts in the first pass.  Some will work, some won't.
Whether or not you've disabled ICMP, if you're vulnerable, you're
vulnerable.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
http://www.aclu.org/		It's all about Freedom.
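As an added illustration of the last point in the reply above (example code written for this archive page, not part of either message): a sweep that tries a service port on every address in a range shows up in the gateway's drop log whether or not ICMP echo is answered, so the scan can be detected from what the firewall already records. The script below parses a handful of constructed netfilter-style log lines and flags any source that touched several distinct destination hosts. The log format, addresses, port and the `min_targets` threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the style a netfilter LOG rule writes to
# syslog when unsolicited inbound traffic is dropped. Addresses come from the
# documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
Aug 26 10:01:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4040 DPT=22 SYN
Aug 26 10:01:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=4041 DPT=22 SYN
Aug 26 10:01:03 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=4042 DPT=22 SYN
Aug 26 10:01:03 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=4043 DPT=22 SYN
Aug 26 10:01:04 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.14 PROTO=TCP SPT=4044 DPT=22 SYN
Aug 26 10:02:10 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Aug 26 10:05:00 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
"""

# Pull the fields we care about out of one log line. DPT is optional because
# ICMP entries carry TYPE/CODE instead of a destination port.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_drops(log_text):
    """Return one dict per parseable DROP line: src, dst, proto, dpt (or None)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line; ignore it
        events.append({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "proto": m.group("proto"),
            "dpt": m.group("dpt"),
        })
    return events


def find_sweeps(events, min_targets=4):
    """Flag sources that hit at least min_targets distinct destination hosts.

    For each flagged source, report how many hosts it touched, which
    destination ports it tried, and which protocols it used. A source that
    never sent an ICMP echo still appears here, which is the point: the sweep
    is visible from the connection attempts alone.
    """
    targets = defaultdict(set)
    ports = defaultdict(set)
    protos = defaultdict(set)
    for e in events:
        targets[e["src"]].add(e["dst"])
        protos[e["src"]].add(e["proto"])
        if e["dpt"] is not None:
            ports[e["src"]].add(e["dpt"])
    return {
        src: {
            "targets": len(dsts),
            "ports": sorted(ports[src]),
            "protos": sorted(protos[src]),
        }
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for src, info in find_sweeps(parse_drops(SAMPLE_LOG)).items():
        print(f"sweep from {src}: {info['targets']} hosts, "
              f"ports {info['ports']}, protocols {info['protos']}")
```

Run against the sample, only 198.51.100.7 is reported: five distinct hosts on port 22 over TCP, with no ICMP involved. The single echo request from 203.0.113.5 and the lone port-80 attempt from 203.0.113.9 stay below the threshold. On a real gateway the same logic would read the kernel log and the threshold would be tuned to the size of the address block being watched.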
