[GTALUG] Ubuntu -- Disabling Ping
Howard Gibson via talk
2018-08-30 01:44:51 UTC
I am playing with my hack Ubuntu machine, and I am sorting out
security. I want to disable ping. This is a laptop, and I want to
document the application of aluminium foil.

The standard ping disabler is the following line...

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This works fine on my Fedora laptop. On Ubuntu, I get...

$ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied

The file exists. I can print it with "cat" (it prints "0"). Why can
I not change it?
--
Howard Gibson
http://home.eol.ca/~hgibson
---
Talk Mailing List
Jamon Camisso via talk
2018-08-30 01:54:15 UTC
Post by Howard Gibson via talk
I am playing with my hack Ubuntu machine, and I am sorting out
security. I want to disable ping. This is a laptop, and I want to
document the application of aluminium foil.
The standard ping disabler is the following line...
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This works fine on my Fedora laptop. On Ubuntu, I get...
The # makes me think you are root on the Fedora laptop.
Post by Howard Gibson via talk
$ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied
That's expected with a sudo echo > redirect invocation. The shell is
doing redirection. sudo is invoking echo, the output of which is being
redirected in your normal user's shell to a file that you do not have
permission to write to.

Try this if you want to go the sudo route:

echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all

That way tee is invoked with elevated privileges and writes its output
to the file.

Or you can become root like on your Fedora system and use echo 1 >...

Cheers, Jamon
Alvin Starr via talk
2018-08-30 02:03:52 UTC
Post by Jamon Camisso via talk
Post by Howard Gibson via talk
I am playing with my hack Ubuntu machine, and I am sorting out
security. I want to disable ping. This is a laptop, and I want to
document the application of aluminium foil.
The standard ping disabler is the following line...
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This works fine on my Fedora laptop. On Ubuntu, I get...
The # makes me think you are root on the Fedora laptop.
Post by Howard Gibson via talk
$ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied
That's expected with a sudo echo > redirect invocation. The shell is
doing redirection. sudo is invoking echo, the output of which is being
redirected in your normal user's shell to a file that you do not have
permission to write to.
echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
That way tee is invoked with elevated privileges and writes its output
to the file.
Or you can become root like on your Fedora system and use echo 1 >...
You could also do the following:

sudo sysctl net.ipv4.icmp_echo_ignore_all=1
--
Alvin Starr || land: (905)513-7688
Netvel Inc. || Cell: (416)806-0133

Howard Gibson via talk
2018-08-30 03:58:02 UTC
On Wed, 29 Aug 2018 22:03:52 -0400
Post by Alvin Starr via talk
sudo sysctl net.ipv4.icmp_echo_ignore_all=1
Alvin,

That's it. I saw instructions on the internet to update /etc/sysctl.conf, but they did it wrong. Your command line works!

Thank you.

I will be updating my website to show easy install methods for Ubuntu and Fedora.
--
Howard Gibson
http://home.eol.ca/~hgibson
o1bigtenor via talk
2018-08-30 10:11:07 UTC
On Wed, Aug 29, 2018 at 10:58 PM, Howard Gibson via talk
Post by Howard Gibson via talk
On Wed, 29 Aug 2018 22:03:52 -0400
Post by Alvin Starr via talk
sudo sysctl net.ipv4.icmp_echo_ignore_all=1
Alvin,
That's it. I saw instructions on the internet to update /etc/sysctl.conf, but they did it wrong. Your command line works!
Thank you.
I will be updating my website to show easy install methods for Ubuntu and Fedora.
Greetings

I have ping disabled directly on my router so none of the machines
behind it can be accessed from outside.

Why wouldn't you do it there?

A possible answer is that you are using the laptop truly mobile but
that would be the only need for such a mod imo.
For those that 'know' is there any other scenario where you might want
to disable ping access on a machine basis?

Regards

Dee
Alvin Starr via talk
2018-08-30 12:09:59 UTC
Post by o1bigtenor via talk
On Wed, Aug 29, 2018 at 10:58 PM, Howard Gibson via talk
Post by Howard Gibson via talk
On Wed, 29 Aug 2018 22:03:52 -0400
Post by Alvin Starr via talk
sudo sysctl net.ipv4.icmp_echo_ignore_all=1
Alvin,
That's it. I saw instructions on the internet to update /etc/sysctl.conf, but they did it wrong. Your command line works!
Thank you.
I will be updating my website to show easy install methods for Ubuntu and Fedora.
Greetings
I have ping disabled directly on my router so none of the machines
behind it can be accessed from outside.
Why wouldn't you do it there?
A possible answer is that you are using the laptop truly mobile but
that would be the only need for such a mod imo.
For those that 'know' is there any other scenario where you might want
to disable ping access on a machine basis?
Regards
I am not a big fan of disabling pings.

When ping is disabled it makes it extremely hard to diagnose network
problems.
I operated an ISP and it would be very hard to diagnose network problems
on systems with ping disabled.
There are other tools but most of them require software on both systems,
whereas ping is simple and easy to set up.

It is possible to limit ping both in size and frequency.

Disabling ping is of very limited value to stop hackers because port
scanning software will just try the well known ports and will find you
if you have the ports open.

Incoming ping floods will still suck up all your incoming bandwidth even
if you have pings disabled.
Also ping floods have fallen out of vogue as a DoS attack vector.
--
Alvin Starr || land: (905)513-7688
Netvel Inc. || Cell: (416)806-0133

James Knott via talk
2018-08-30 12:48:56 UTC
Post by o1bigtenor via talk
I have ping disabled directly on my router so none of the machines
behind it can be accessed from outside.
How does disabling ping on a router prevent access to what's behind it? 
Ping has nothing to do with routing.

o1bigtenor via talk
2018-08-30 13:46:32 UTC
Post by o1bigtenor via talk
I have ping disabled directly on my router so none of the machines
My router software asks me if I want to allow or disallow pings from the www.
I have that box marked 'disallow'.

Regards

Dee
D. Hugh Redelmeier via talk
2018-08-30 15:31:33 UTC
| From: James Knott via talk

| On 08/30/2018 06:11 AM, o1bigtenor via talk wrote:
| > I have ping disabled directly on my router so none of the machines
| > behind it can be accessed from outside.
|
| How does disabling ping on a router prevent access to what's behind it? 
| Ping has nothing to do with routing.

1) OP's question was asking about a solution without stating a real
problem that needed solving. (See 2).

2) Almost everyone's LAN is behind NAT so pings from the outside world
cannot even address LAN nodes. In other words, no problem exists.

3) o1bigtenor might have:

a) assumed the only place pings could be a problem would be on the
router itself (because it alone has a globally routable address)
and so addressed that problem

b) assumed that since the router is a gateway, it can filter pings
destined for LAN.

If you hook up the notebook to a hostile LAN or WAN, then the
solutions are different. But I think that pings are the least of your
worries. I guess your notebook could be an unwitting accomplice of a
DDOS attack.

Many people do think that depending solely on a firewall for network
security is a bad model. "Crunchy on the outside, soft on the
inside." Every node should be hardened. But what are you going to do
to harden your IoT devices (light bulbs, fridges, set-top boxes,
thermostats, watches, ....)?
James Knott via talk
2018-08-30 15:46:42 UTC
Post by D. Hugh Redelmeier via talk
| > I have ping disabled directly on my router so none of the machines
| > behind it can be accessed from outside.
|
| How does disabling ping on a router prevent access to what's behind it? 
| Ping has nothing to do with routing.
1) OP's question was asking about a solution without stating a real
problem that needed solving. (See 2).
People often do that and wind up creating problems trying to fix the one
that doesn't exist.
Post by D. Hugh Redelmeier via talk
2) almost everyone's LAN is behind NAT so pings from the outside world
cannot even address LAN nodes. In other words, no problem exists.
Not anymore.  In fact there have long been LANs that aren't behind NAT. 
Any network that has a lot of public servers would be one example. 
Also, back in the late 90s, when I was at IBM, on Steeles, the entire
LAN had public addresses (mine was 9.29.146.147), as those networks were
set up before NAT became necessary to get around the IPv4 address shortage.

Also, IPv6 is now being used by many and NAT is discouraged on it.  This
means that, for example, Rogers customers will have public IPv6
addresses.  However, given that they have a minimum of 18.4 billion,
billion addresses to choose from, they're a bit harder to find.
Post by D. Hugh Redelmeier via talk
Many people do think that depending solely on a firewall for network
security is a bad model. "Crunchy on the outside, soft on the
inside." Every node should be hardened. But what are you going to do
to harden your IoT devices (light bulbs, fridges, set-top boxes,
thermostats, watches, ....)?
Also, relying on NAT for security is a bad idea.  It does nothing that a
properly configured firewall can't do.

Howard Gibson via talk
2018-08-30 16:04:13 UTC
On Thu, 30 Aug 2018 11:46:42 -0400
Post by James Knott via talk
Also, IPv6 is now being used by many and NAT is discouraged on it.  This
means that, for example, Rogers customers will have public IPv6
addresses.  However, given that they have a minimum of 18.4 billion,
billion addresses to choose from, they're a bit harder to find.
Post by D. Hugh Redelmeier via talk
Many people do think that depending solely on a firewall for network
security is a bad model. "Crunchy on the outside, soft on the
inside." Every node should be hardened. But what are you going to do
to harden your IoT devices (light bulbs, fridges, set-top boxes,
thermostats, watches, ....)?
Also, relying on NAT for security is a bad idea.  It does nothing that a
properly configured firewall can't do.
James,

My regular laptop is a home computer that sits behind a commercial
router most (not all) of the time. My Ubuntu machine is a generic
computer that could be taken to a coffee shop or more likely a bar, or it
may be plugged directly into a DSL or cable modem. I am writing up my
instructions on the assumption that the person following them is not a
computer expert.
--
Howard Gibson
http://home.eol.ca/~hgibson
James Knott via talk
2018-08-30 16:10:08 UTC
Post by Howard Gibson via talk
Post by James Knott via talk
Also, relying on NAT for security is a bad idea.  It does nothing that a
properly configured firewall can't do.
James,
My regular laptop is a home computer that sits behind a commercial
router most (not all) of the time. My Ubuntu machine is a generic
computer that could be taken to a coffee shop or more likely a bar, or it
may be plugged directly into a DSL or cable modem. I am writing up my
instructions on the assumption that the person following them is not a
computer expert.
How much security do you think you'll get in that coffee shop?  I also
have a notebook computer that has a firewall running, even when on my
home network, behind a firewall.

Disabling ping provides nothing more than a false sense of security. 
Getting back to the physical example, it amounts to nothing more than
removing the house numbers from your home.  The house is still there and
can be found by other means.

Howard Gibson via talk
2018-08-30 16:15:02 UTC
On Thu, 30 Aug 2018 12:10:08 -0400
Post by James Knott via talk
How much security do you think you'll get in that coffee shop?  I also
have a notebook computer that has a firewall running, even when on my
home network, behind a firewall.
James,

I expect no security at a coffee shop. This is not a case of disable ping OR run the firewall. I am running the firewall. All the ports I can close are closed.
--
Howard Gibson
http://home.eol.ca/~hgibson
William Park via talk
2018-08-30 02:54:57 UTC
Post by Jamon Camisso via talk
Post by Howard Gibson via talk
$ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied
'echo' is run as root, but '/proc/sys/net/ipv4/icmp_echo_ignore_all' is
written to as a normal user. Try
sudo sh -c 'echo 1 > ...'
Post by Jamon Camisso via talk
echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
I could've used this 'tee' solution today!
--
William Park
Howard Gibson via talk
2018-08-30 03:23:08 UTC
On Wed, 29 Aug 2018 21:54:15 -0400
Post by Jamon Camisso via talk
Post by Howard Gibson via talk
I am playing with my hack Ubuntu machine, and I am sorting out
security. I want to disable ping. This is a laptop, and I want to
document the application of aluminium foil.
The standard ping disabler is the following line...
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This works fine on my Fedora laptop. On Ubuntu, I get...
The # makes me think you are root on the Fedora laptop.
Yes, I have a Fedora laptop, and that is how I disable ping.
Post by Jamon Camisso via talk
Post by Howard Gibson via talk
$ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied
That's expected with a sudo echo > redirect invocation. The shell is
doing redirection. sudo is invoking echo, the output of which is being
redirected in your normal user's shell to a file that you do not have
permission to write to.
echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
It works!

Thank you.

Now all I have to do is stick it in a boot script.
--
Howard Gibson
http://home.eol.ca/~hgibson
Jamon Camisso via talk
2018-08-30 03:53:51 UTC
Post by Howard Gibson via talk
Post by Jamon Camisso via talk
echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
It works!
Thank you.
Now all I have to do is stick it in a boot script.
As Alvin Starr pointed out, if you want this to persist, the best way
would be via sysctl. Try putting 'net.ipv4.icmp_echo_ignore_all=1' in a
file in /etc/sysctl.d, or in /etc/sysctl.conf itself.

Cheers, Jamon
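The runtime and persistent fixes the thread converges on (Jamon's tee pipe, William's sh -c, Alvin's sysctl one-liner and the /etc/sysctl.d drop-in suggested above), put together as one script that also verifies the live kernel value against the configured one. This is an added example, not code from anyone in the thread; the drop-in name 60-icmp-echo.conf and the SYSCTL_D / SYSCTL_CONF environment overrides are my assumptions, and the resolver reads only /etc/sysctl.d/*.conf and /etc/sysctl.conf, a simplification of everything sysctl --system consults.

```shell
#!/bin/sh
# Added example, not code from the thread: set net.ipv4.icmp_echo_ignore_all
# at runtime (tee under sudo when not root, a plain redirect when root),
# persist it in /etc/sysctl.d, and check that configured and live values agree.
#
#   sh icmp_ignore.sh check       # report runtime vs configured, exit 1 on drift
#   sudo sh icmp_ignore.sh apply  # set it now and persist it
#
# Assumptions (mine, not the thread's): the drop-in name 60-icmp-echo.conf, and
# the SYSCTL_D / SYSCTL_CONF overrides, which exist so the config resolver can
# be exercised against a temporary directory instead of the real /etc.

KEY="net.ipv4.icmp_echo_ignore_all"
SYSCTL_D="${SYSCTL_D:-/etc/sysctl.d}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"
DROPIN_NAME="60-icmp-echo.conf"

# Map a sysctl key to the /proc/sys file behind it: dots become slashes.
proc_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Live kernel value, or "unknown" when /proc/sys is not readable (e.g. inside
# a container), so a caller can tell "not set" from "could not read".
runtime_value() {
    cat "$(proc_path "$1")" 2>/dev/null || echo unknown
}

# Resolve $1 from the config files roughly as "sysctl --system" does: every
# *.conf in SYSCTL_D in sorted order, then SYSCTL_CONF, last match wins.
# Accepts "key = value" and "key=value"; skips blank lines and # or ; comments.
# A line without "=" (the classic copy-paste mistake) is ignored here, and
# sysctl itself rejects such a line as a malformed setting.
conf_value() {
    key="$1"
    result=""
    for f in "$SYSCTL_D"/*.conf "$SYSCTL_CONF"; do
        [ -r "$f" ] || continue
        v=$(awk -v k="$key" -F= '
            /^[ \t]*$/ || /^[ \t]*[#;]/ { next }
            NF >= 2 {
                gsub(/[ \t]/, "", $1)
                if ($1 == k) {
                    sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2)
                    val = $2
                }
            }
            END { if (val != "") print val }' "$f")
        if [ -n "$v" ]; then result="$v"; fi
    done
    printf '%s\n' "${result:-unset}"
}

# Write $2 into the /proc file for $1.  "sudo echo 1 > file" fails because the
# caller's unprivileged shell opens the file before sudo ever runs; here the
# process that opens the file is the one holding root (tee under sudo, or the
# shell itself when already root).
set_runtime() {
    path="$(proc_path "$1")"
    if [ "$(id -u)" -eq 0 ]; then
        printf '%s\n' "$2" > "$path"
    else
        printf '%s\n' "$2" | sudo tee "$path" > /dev/null
    fi
}

# Persist as a sysctl.d drop-in so the setting survives a reboot.
persist() {
    printf '# managed by icmp_ignore.sh\n%s = %s\n' "$1" "$2" > "$SYSCTL_D/$DROPIN_NAME"
}

# Print both values; non-zero exit means drift, not configured, or unreadable.
check_icmp_ignore() {
    rt=$(runtime_value "$KEY")
    cf=$(conf_value "$KEY")
    printf 'runtime=%s configured=%s\n' "$rt" "$cf"
    [ "$rt" = "$cf" ]
}

case "${1-}" in
    check) check_icmp_ignore ;;
    apply) set_runtime "$KEY" 1 && persist "$KEY" 1 && check_icmp_ignore ;;
esac
```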
Jamon Camisso via talk
2018-08-30 12:20:21 UTC
Post by Howard Gibson via talk
I am playing with my hack Ubuntu machine, and I am sorting out
security. I want to disable ping. This is a laptop, and I want to
document the application of aluminium foil.
Could you elaborate a bit about how disabling ICMP enhances security of
this system? I'm curious what kind of information you're trying to
control with it off.

Cheers, Jamon
Howard Gibson via talk
2018-08-30 15:00:41 UTC
Jamon,

I am assuming that someone will use ping to search a network for interesting stuff. If the IP address does not respond to ping, the cracker will keep searching. All the other ports are closed too. The security is not perfect, but I am hoping to have escalated things beyond the capabilities of some script kiddies.

On Thu, 30 Aug 2018 08:20:21 -0400
Post by Jamon Camisso via talk
Post by Howard Gibson via talk
I am playing with my hack Ubuntu machine, and I am sorting out
security. I want to disable ping. This is a laptop, and I want to
document the application of aluminium foil.
Could you elaborate a bit about how disabling ICMP enhances security of
this system? I'm curious what kind of information you're trying to
control with it off.
Cheers, Jamon
--
Howard Gibson
http://home.eol.ca/~hgibson
Alvin Starr via talk
2018-08-30 15:17:48 UTC
Post by Howard Gibson via talk
Jamon,
I am assuming that someone will use ping to search a network for interesting stuff. If the IP address does not respond to ping, the cracker will keep searching. All the other ports are closed too. The security is not perfect, but I am hoping to have escalated things beyond the capabilities of some script kiddies.
Closing the ports is sufficient.

I know someone is at 1234 Bloor St. but that does not help much with
breaking in.
I still need a way to get past the front door.
Post by Howard Gibson via talk
On Thu, 30 Aug 2018 08:20:21 -0400
Post by Jamon Camisso via talk
Post by Howard Gibson via talk
I am playing with my hack Ubuntu machine, and I am sorting out
security. I want to disable ping. This is a laptop, and I want to
document the application of aluminium foil.
Could you elaborate a bit about how disabling ICMP enhances security of
this system? I'm curious what kind of information you're trying to
control with it off.
Cheers, Jamon
--
Alvin Starr || land: (905)513-7688
Netvel Inc. || Cell: (416)806-0133

James Knott via talk
2018-08-30 15:23:26 UTC
Post by Alvin Starr via talk
I know someone is at 1234 Bloor St. but that does not help much with
breaking in.
I still need a way to get past the front door.
Also, security through obscurity is not security.

Mauro Souza via talk
2018-08-30 15:24:31 UTC
You don't need to disable ping on your internal network, only at the
router. Because of NAT, nobody can really ping your internal system.

Try this. Keep ping enabled on your Linux, and in your router, run this on
Linux:

sudo tcpdump -i any icmp

Now go to any "online ping service" and ping your address. I will not spoil
the result for you.
Post by Howard Gibson via talk
Post by Howard Gibson via talk
Jamon,
I am assuming that someone will use ping to search a network for
interesting stuff. If the IP address does not respond to ping, the cracker
will keep searching. All the other ports are closed too. The security is
not perfect, but I am hoping to have escalated things beyond the
capabilities of some script kiddies.
Closing the ports is sufficient.
I know someone is at 1234 Bloor St. but that does not help much with
breaking in.
I still need a way to get past the front door.
Post by Howard Gibson via talk
On Thu, 30 Aug 2018 08:20:21 -0400
Post by Jamon Camisso via talk
Post by Howard Gibson via talk
I am playing with my hack Ubuntu machine, and I am sorting out
security. I want to disable ping. This is a laptop, and I want to
document the application of aluminium foil.
Could you elaborate a bit about how disabling ICMP enhances security of
this system? I'm curious what kind of information you're trying to
control with it off.
Cheers, Jamon
--
Alvin Starr || land: (905)513-7688
Netvel Inc. || Cell: (416)806-0133
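A way to read what Mauro's tcpdump check actually shows, and Alvin's earlier point that ignored echo requests still consume inbound bandwidth: this added script (not code from anyone in the thread) summarises tcpdump's text output per remote peer, counting the requests that arrived and the replies this host sent back. LOCAL_IP, the FLOOD_THRESHOLD cut-off and the sample lines (documentation-range addresses) are constructed assumptions of mine.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise Mauro's check
#     sudo tcpdump -n -l -i any icmp | sh icmp_summary.sh live
# per remote peer, counting echo requests that reached this host and echo
# replies it sent back.  With icmp_echo_ignore_all=1 the request column still
# grows (the bandwidth is spent either way, as Alvin notes); only the reply
# column stays at zero.  Run without "live" it processes the constructed sample.
#
# Assumptions (mine, not the thread's): LOCAL_IP is this host's address, the
# 192.0.2.x / 203.0.113.x / 198.51.100.x addresses are documentation ranges
# used only for the constructed sample, and FLOOD_THRESHOLD is an arbitrary cut-off.

LOCAL_IP="${LOCAL_IP:-192.0.2.10}"
FLOOD_THRESHOLD="${FLOOD_THRESHOLD:-100}"

# Constructed tcpdump -n output: one peer sends three requests and gets no
# reply (as it would with icmp_echo_ignore_all=1), one peer is answered, and
# the last line is this host pinging out, which must not count as inbound.
SAMPLE='12:00:01.000001 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 4242, seq 1, length 64
12:00:01.000002 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 4242, seq 2, length 64
12:00:01.000003 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 4242, seq 3, length 64
12:00:02.000001 IP 203.0.113.77 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64
12:00:02.000002 IP 192.0.2.10 > 203.0.113.77: ICMP echo reply, id 7, seq 1, length 64
12:00:03.000001 IP 192.0.2.10 > 198.51.100.1: ICMP echo request, id 9, seq 1, length 64'

# Read tcpdump text on stdin; print "<peer> requests=<n> replies=<n>[ FLOOD]"
# per peer, sorted.  Field positions are not fixed (tcpdump -i any may prefix
# interface and direction tokens), so the "IP" token is located first.
icmp_summary() {
    awk -v me="$LOCAL_IP" -v limit="$FLOOD_THRESHOLD" '
        {
            ip = 0
            for (i = 1; i <= NF; i++) if ($i == "IP") { ip = i; break }
            if (!ip) next
            src = $(ip + 1); dst = $(ip + 3); sub(/:$/, "", dst)
            if ($0 ~ /ICMP echo request/ && src != me)    { peer = src; req[peer]++ }
            else if ($0 ~ /ICMP echo reply/ && src == me) { peer = dst; rep[peer]++ }
            else next
            seen[peer] = 1
        }
        END {
            for (p in seen) {
                flag = (req[p] + 0 >= limit + 0) ? " FLOOD" : ""
                printf "%s requests=%d replies=%d%s\n", p, req[p] + 0, rep[p] + 0, flag
            }
        }' | LC_ALL=C sort
}

# Summary of the constructed sample above, so the logic can be checked offline.
summarize_sample() {
    printf '%s\n' "$SAMPLE" | icmp_summary
}

if [ "${1-}" = "live" ]; then
    icmp_summary
else
    summarize_sample
fi
```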
James Knott via talk
2018-08-30 15:35:48 UTC
Post by Mauro Souza via talk
Because of NAT, nobody can really ping your internal system.
There are many networks that do not use NAT.  In fact, it's rarely used
on IPv6.  Regardless, there are other ways of finding a router or
computer that do not use ping.  Blocking ping provides a false sense of
security.

Howard Gibson via talk
2018-08-30 15:43:59 UTC
On Thu, 30 Aug 2018 12:24:31 -0300
Post by Mauro Souza via talk
You don't need to disable ping on your internal network, only at the
router. Because of NAT, nobody can really ping your internal system.
Try this. Keep ping enabled on your Linux, and in your router, run this on
sudo tcpdump -i any icmp
Now go to any "online ping service" and ping your address. I will not spoil
the result for you.
Mauro,

I go to http://www.grc.com (Steve Gibson is not a relation as far as I can tell) and I run their True Stealth analysis. My first 1056 ports are closed, but it responds to ping. This is my router. My desktop behind the router is not particularly well locked down.

Yes, tcpdump has an interesting output.
--
Howard Gibson
http://home.eol.ca/~hgibson
James Knott via talk
2018-08-30 15:49:26 UTC
Post by Howard Gibson via talk
My first 1056 ports are closed, but it responds to ping. This is my router. My desktop behind the router is not particularly well locked down.
Those would be TCP ports.  I'm not sure they even test UDP.  Ping is
ICMP, which doesn't even have port numbers and so wouldn't be found in
any port scan.

Scott Allen via talk
2018-08-30 15:45:17 UTC
Post by Alvin Starr via talk
I know someone is at 1234 Bloor St. but that does not help much with
breaking in.
But what if you *don't* know someone lives at 1234 Bloor St. (and most
of the residences on Bloor St. are vacant)? Breaking into one that's
vacant (equivalent to blindly attacking a non-existent machine) is a
worthless waste of time. If you knock on one of the doors (ping), you
may get an answer, telling you that breaking into that residence at a
later time may be of some value, thus worth more effort.

I'm not saying that ignoring pings is of much benefit, but this is a
better analogy.
--
Scott
James Knott via talk
2018-08-30 15:56:55 UTC
Post by Scott Allen via talk
But what if you *don't* know someone lives at 1234 Bloor St. (and most
of the residences on Bloor St. are vacant)?
That doesn't stop many burglars or squatters.
Post by Scott Allen via talk
If you knock on one of the doors (ping), you
may get an answer, telling you that breaking into that residence at a
later time may be of some value, thus worth more effort.
There are other ways to determine if there's a computer or router
there.  For example traceroute will simply time out if the device
doesn't respond, but there is a route to it.  If there is no route to
it, you get a different error message.  That difference will tell you
whether there's likely something at that address.
Alvin Starr via talk
2018-08-30 16:04:34 UTC
Post by James Knott via talk
Post by Scott Allen via talk
But what if you *don't* know someone lives at 1234 Bloor St. (and most
of the residences on Bloor St. are vacant)?
That doesn't stop many burglars or squatters.
Post by Scott Allen via talk
If you knock on one of the doors (ping), you
may get an answer, telling you that breaking into that residence at a
later time may be of some value, thus worth more effort.
There are other ways to determine if there's a computer or router
there.  For example traceroute will simply time out if the device
doesn't respond, but there is a route to it.  If there is no route to
it, you get a different error message.  That difference will tell you
whether there's likely something at that address.
There are other ICMP messages that can be used for probing like
timestamp(msg-13).
All around, all disabling ping does for you is make it harder for your
ISP or IT support people to see if you are having network problems, and
for the really, really stupid script kiddies trying to probe you.
--
Alvin Starr || land: (905)513-7688
Netvel Inc. || Cell: (416)806-0133
James Knott via talk
2018-08-30 16:12:22 UTC
Post by Alvin Starr via talk
There are other ICMP messages that can be used for probing like
timestamp(msg-13).
All around, all disabling ping does for you is make it harder for
your ISP or IT support people to see if you are having network
problems, and for the really, really stupid script kiddies trying to probe you.
There are some who advocate blocking ICMP entirely.  As mentioned, it
can cause problems for legitimate testing and, on IPv6, cause failures.
David Collier-Brown via talk
2018-08-30 16:23:04 UTC
Post by James Knott via talk
Post by Alvin Starr via talk
There are other ICMP messages that can be used for probing like
timestamp(msg-13).
All around, all disabling ping does for you is make it harder for
your ISP or IT support people to see if you are having network
problems, and for the really, really stupid script kiddies trying to probe you.
There are some who advocate blocking ICMP entirely.  As mentioned, it
can cause problems for legitimate testing and, on IPv6, cause failures.
At one time, a maliciously crafted packet could be used to do
buffer-overflow attacks. It hit Windows most recently, and many sites
turned off ICMP. This merely made it harder, and the script kiddies
promptly came up with new variants. To this day, Windows sites often
turn off ICMP, thinking the problem was with ping.

--dave
--
David Collier-Brown, | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
| -- Mark Twain

Howard Gibson via talk
2018-08-30 16:13:23 UTC
On Thu, 30 Aug 2018 12:04:34 -0400
Post by Alvin Starr via talk
There are other ICMP messages that can be used for probing like
timestamp(msg-13).
All around, all disabling ping does for you is make it harder for your
ISP or IT support people to see if you are having network problems, and
for the really, really stupid script kiddies trying to probe you.
Alvin,

I am my ISP and IT support person. My Fedora laptop cannot be
remotely administered. I am inconvenienced by this. If I want to do
something with it, I have to get up and walk to where I have it
stored. From the laptop, I can administer my desktop, because I have
ssh set up. My desktop stays behind my firewall. My laptop gets
exposed.

I have been on a commercial site where the Windows laptops were
administered remotely, from somewhere in the USA, I think. I don't
know how secure they were. The company did not have particularly nasty
security requirements, i.e. they were not managing people's personal
data, or military secrets.
--
Howard Gibson
http://home.eol.ca/~hgibson
James Knott via talk
2018-08-30 16:19:38 UTC
Post by Howard Gibson via talk
I have been on a commercial site where the Windows laptops were
administered remotely, from somewhere in the USA, I think. I don't
know how secure they were. The company did not have particularly nasty
security requirements, i.e. they were not managing people's personal
data, or military secrets.
I have remotely administered computers for an IBM customer over Citrix. 
The customer, a major U.S. telecom, was very security conscious.

Scott Allen via talk
2018-08-30 16:09:20 UTC
Post by James Knott via talk
For example traceroute will simply time out if the device
doesn't respond, but there is a route to it.
For a device that doesn't respond, traceroute only tells you that you
can get to the network that the device is on (you can determine that
Bloor St. exists). There could be many addresses on that network
(especially for IPV6), many of which may be vacant.

But again, I was only trying to give a better analogy, not defend
ignoring pings.
--
Scott
James Knott via talk
2018-08-30 15:21:03 UTC
Post by Howard Gibson via talk
I am assuming that someone will use ping to search a network for interesting stuff. If the IP address does not respond to ping, the cracker will keep searching.
What happens if they ping an address behind the router?  There are many
networks that don't use NAT, so other devices will also have a reachable
address.  In fact, on IPv6, NAT is generally not used.
