Discussion:
[IPCop-user] Turning off ICMP/pings
Jeff Childs
2004-03-22 02:31:05 UTC
I just installed IPCop, and it looks great. However, it appears that my
firewall now responds to pings! Why is this the default? This seems to only
open the box to further probe and attack (as evidenced by the IPCop logs I
just reviewed).

How can ICMP be shut off? I don't see anything in the web administration
tool for this. Will it be necessary to log into the box and insert a rule
directly into iptables?

I am still rather amazed that this is left turned on by default.

Any advice is welcome. Thanks.

Jeff

Ken Robertson
2004-03-22 02:48:00 UTC
Post by Jeff Childs
I just installed IPCop, and it looks great. However, it appears that my
firewall now responds to pings! Why is this the default? This seems to
only open the box to further probe and attack (as evidenced by the
IPCop logs I just reviewed).
How can ICMP be shut off? I don't see anything in the web administration
tool for this. Will it be necessary to log into the box and insert a
rule directly into iptables?
I am still rather amazed that this is left turned on by default.
Any advice is welcome. Thanks.
G'day Jeff,
Yes, pings are allowed by default. To change that behaviour you'll have
to manually edit /etc/rc.d/rc.local to look something like this:
--begin--
#!/bin/sh

# Define the Red Interface IP
RED_IF=`/bin/cat /var/ipcop/red/iface | /usr/bin/tr -d '\012'`

# Flush any existing CustomInput chain rules to start afresh
/sbin/iptables -F CUSTOMINPUT

# Block ICMP echo-request (Pings) on RED
/sbin/iptables -A CUSTOMINPUT -i $RED_IF -p icmp --icmp-type echo-request -j DROP
--end--

rc.local is run automatically at the end of startup. If you make changes
you'll have to run it manually to apply the change(s).
--
Regards
Ken

Top post? http://www.dickalba.demon.co.uk/usenet/guide/faq_topp.html
Robert Kerr
2004-03-26 16:45:25 UTC
Post by Jeff Childs
I just installed IPCop, and it looks great. However, it appears that my
firewall now responds to pings! Why is this the default? This seems to only
open the box to further probe and attack (as evidenced by the IPCop logs I
just reviewed).
I'm very sceptical about this; it's simply not worth the effort for most
attackers to bother pinging a host. An attacker will be after a handful of
exploitable services, and the time taken to scan a couple of ports on each
host is so small that pinging first is not really worth the time it takes.
Relying just on an ICMP ping to decide whether or not to scan a host also
misses out on a lot of potential targets. So much so that several popular
port scanners actually use TCP based pings to discover hosts regardless of
whether they respond to ICMP pings (nmap defaults to trying both TCP & ICMP
for example).

There are certainly some windows based worms that try an ICMP ping before
attempting an exploit, but these are a relative minority and of course don't
affect IPCop in any way.
Post by Jeff Childs
How can ICMP be shut off? I don't see anything in the web administration
tool for this. Will it be necessary to log into the box and insert a rule
directly into iptables?
There's a big difference between shutting off ICMP and shutting off ICMP
pings - blocking all ICMP will break a lot of things and is something you
really don't want to do. Just blocking pings requires a relatively simple
iptables rule which someone else has already shared.
Post by Jeff Childs
I am still rather amazed that this is left turned on by default.
Allowing ping is very useful to help with debugging connections, so much so
that there is an RFC that says all hosts MUST respond to pings. Admittedly
this RFC is rather old and possibly obsolete, but it makes a lot of sense.
Think of any big website you know - it's almost guaranteed that you can quite
happily ping them.
--
Robert Kerr
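Robert's distinction between blocking all ICMP and blocking only pings can be put into rc.local form. The script below is an added example, not Ken's or Phil's script and not part of IPCop: it assumes the CUSTOMINPUT chain and the /var/ipcop/red/iface file from the thread, keeps the ICMP types that path MTU discovery and traceroute depend on, rate-limits the logging of dropped pings, and also drops the bare-ACK host probes that ICMP blocking alone does not stop. By default it only prints the rules (IPT is a dry-run echo); set IPT=/sbin/iptables to apply them.

```shell
#!/bin/sh
# Added example for an IPCop rc.local (assumption: chain CUSTOMINPUT and the
# RED iface file exist as described in the thread). Drops only echo-request on
# RED instead of all ICMP. Dry run by default; IPT=/sbin/iptables applies it.
IPT="${IPT:-echo /sbin/iptables}"

# Build the CUSTOMINPUT rule set for one RED interface.
build_icmp_rules() {
    red_if="$1"
    $IPT -F CUSTOMINPUT
    # ICMP that must keep working: type 3 carries fragmentation-needed (PMTU
    # discovery), type 11 is what traceroute relies on, type 12 reports bad headers.
    for t in destination-unreachable time-exceeded parameter-problem; do
        $IPT -A CUSTOMINPUT -i "$red_if" -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Log dropped pings at a low rate so a ping sweep cannot flood the log.
    $IPT -A CUSTOMINPUT -i "$red_if" -p icmp --icmp-type echo-request \
        -m limit --limit 1/minute --limit-burst 5 -j LOG --log-prefix "PING-DROP "
    $IPT -A CUSTOMINPUT -i "$red_if" -p icmp --icmp-type echo-request -j DROP
    # TCP "ACK ping" (nmap -PT/-PB): a new flow whose first packet is not a SYN.
    $IPT -A CUSTOMINPUT -i "$red_if" -p tcp ! --syn -m state --state NEW -j DROP
}

# On a real IPCop box, read the RED interface name the same way Ken's script does.
if [ -r /var/ipcop/red/iface ]; then
    build_icmp_rules "$(tr -d '\012' < /var/ipcop/red/iface)"
fi
```

Run it once by hand after editing, as Ken notes, since rc.local only runs at startup.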
Phil Barnett
2004-03-27 04:28:00 UTC
Post by Robert Kerr
I'm very sceptical about this; it's simply not worth the effort for most
attackers to bother pinging a host.
Ya know what? I was skeptical about this as well. However, after I started
dropping ping packets, my firewall logs shrunk by more than half.

Something is sure going on. (or not)

- --

"The choices we make dictate the life we lead. To thine ownself be true." --
William Shakespeare
KI4DPT
e***@mirage.org
2004-03-27 04:53:12 UTC
look at nmap, the first thing a default run does is try to ping
the remote host, if it doesn't reply, what does it do? exits and warns. go
figure, if you're dropping icmp/echo's at the firewall, chances are less
likely that your network will be scanned by random scanners, unless someone
is directly targeting you. then of course, the attacker should be smart
enough to use -P0.

<just some thoughts cause I'm tired of reading this argument>

bottom line: imo, dropping icmp echos/requests is a good thing, unless
you're specifically using them for other things.
-dave
Phil Barnett
2004-03-27 05:48:19 UTC
Post by e***@mirage.org
look at nmap, the first thing a default run does is try to ping
the remote host, if it doesn't reply, what does it do? exits and warns. go
figure, if you're dropping icmp/echo's at the firewall, chances are less
likely that your network will be scanned by random scanners, unless someone
is directly targeting you. then of course, the attacker should be smart
enough to use -P0.
<just some thoughts cause I'm tired of reading this argument>
bottom line: imo, dropping icmp echos/requests is a good thing, unless
you're specifically using them for other things.
-dave
So, for others' benefit, here is my rc.local... (watch for line wraps) I keep
445 alive for external access. If you don't need external web access to
IPCop, uncomment those lines too.

#!/bin/sh

# Define the Red Interface IP
RED_IF=`/bin/cat /var/ipcop/red/iface | /usr/bin/tr -d '\012'`

# Flush any existing CustomInput chain rules to start afresh
/sbin/iptables -F CUSTOMINPUT

# Block ICMP echo-request (Pings) on RED
/sbin/iptables -A CUSTOMINPUT -i $RED_IF -p icmp --icmp-type echo-request -j DROP

# We don't need any of this MS stuff beyond here
/sbin/iptables -A CUSTOMINPUT -p udp --dport 69 -j DROP
/sbin/iptables -A CUSTOMINPUT -p tcp --dport 80 -j DROP
/sbin/iptables -A CUSTOMINPUT -p tcp --dport 135 -j DROP
/sbin/iptables -A CUSTOMINPUT -p udp --dport 135 -j DROP
/sbin/iptables -A CUSTOMINPUT -p tcp --dport 137 -j DROP
/sbin/iptables -A CUSTOMINPUT -p udp --dport 137 -j DROP
/sbin/iptables -A CUSTOMINPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A CUSTOMINPUT -p udp --dport 139 -j DROP
#/sbin/iptables -A CUSTOMINPUT -p tcp --dport 445 -j DROP
#/sbin/iptables -A CUSTOMINPUT -p udp --dport 445 -j DROP
/sbin/iptables -A CUSTOMINPUT -p tcp --dport 1434 -j DROP
/sbin/iptables -A CUSTOMINPUT -p udp --dport 1434 -j DROP
/sbin/iptables -A CUSTOMINPUT -p tcp --dport 3127 -j DROP
/sbin/iptables -A CUSTOMINPUT -p udp --dport 3127 -j DROP
/sbin/iptables -A CUSTOMINPUT -p tcp --dport 4444 -j DROP


- --

"The choices we make dictate the life we lead. To thine ownself be true." --
William Shakespeare
KI4DPT
e***@mirage.org
2004-03-27 06:35:05 UTC
So, for others' benefit, here is my rc.local... (watch for line wraps) I keep
445 alive for external access. If you don't need external web access to
IPCop, uncomment those lines too.
#!/bin/sh
# Define the Red Interface IP
RED_IF=`/bin/cat /var/ipcop/red/iface | /usr/bin/tr -d '\012'`
<quick snip>

also an FYI in case anyone doesn't know <though I do believe it's been
discussed here before>... you can echo a '1' to
/proc/sys/net/ipv4/icmp_echo_ignore_all or icmp_broadcasts depending on
which you want to ignore... just sort of easier for me to do that than
set up a rule for it.
<back to hibernation> =]


-dave
Robert Kerr
2004-03-27 11:44:16 UTC
Post by e***@mirage.org
look at nmap, the first thing a default run does is try to ping
the remote host, if it doesn't reply, what does it do? exits and warns. go
figure, if you're dropping icmp/echo's at the firewall, chances are less
likely that your network will be scanned by random scanners, unless someone
is directly targeting you. then of course, the attacker should be smart
enough to use -P0.
Whilst nmap does ping first, recent versions don't just use ICMP and ICMP
pings being blocked alone aren't enough to make it skip the host.
Robert Kerr
2004-03-27 11:03:57 UTC
Post by Phil Barnett
Post by Robert Kerr
I'm very sceptical about this; it's simply not worth the effort for most
attackers to bother pinging a host.
Ya know what? I was skeptical about this as well. However, after I started
dropping ping packets, my firewall logs shrunk by more than half.
Using IPCop's default logging settings then yes, dropping pings will cut down
your logs substantially. This all depends what you log of course... there are
still variants of Welchia floating round that ping before attempting an
exploit. However, if your firewall is set not to log common worm ports and
you just consider the more typical attacks I think you'd see a different
trend. It probably depends whether you're logging the blocked pings or just
dropping them too.

Of course every corner of the net is different, here I don't see that many
attacks that ping first (it's certainly nowhere near half). Maybe global
trends are rather different... it would be nice to see some research on this
topic.
Post by Phil Barnett
Post by Robert Kerr
Think of any big website you know - it's almost guaranteed that you can
quite happily ping them.
Have you pinged redhat.com in the last year?
I must admit I haven't.. have you tried pinging sourceforge, google or yahoo?
There are probably a ton of examples and counterexamples to this. Having
tried pinging a whole bunch of hosts just now it seems that about 50% of them
do in fact block pings. I'm quite surprised.. it used to be more like 10%,
maybe I'm just getting old.

Ultimately if your system is insecure someone will get in eventually
regardless of whether you're pingable or not, and if you're not insecure then
you have nothing to worry about. If it cuts down your firewall logs it can't
hurt, but personally I prefer to have an easy way to check whether my servers
are up. Your mileage may vary.
--
Robert Kerr
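Robert's point that the log reduction depends on what you log can be checked before changing anything. The script below is an added example, not from the thread or from IPCop: it summarises netfilter LOG lines of the kind IPCop writes by protocol and destination port and reports what share of logged packets were echo-requests. The log lines are constructed samples in that format (RFC 5737 addresses), not a capture from a real box.

```shell
#!/bin/sh
# Added example (not part of the thread): how much of an IPCop firewall log is
# dropped pings? Sample lines are constructed in netfilter LOG format.
sample_log() {
    cat <<'EOF'
Mar 27 04:10:01 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 27 04:10:02 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=3340 DPT=135 WINDOW=16384
Mar 27 04:10:07 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
Mar 27 04:10:09 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=1025 DPT=445 WINDOW=16384
Mar 27 04:10:11 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.12 DST=198.51.100.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
Mar 27 04:10:15 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.12 DST=198.51.100.2 LEN=56 PROTO=ICMP TYPE=3 CODE=4
Mar 27 04:10:20 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.20 DST=198.51.100.2 LEN=404 PROTO=UDP SPT=1030 DPT=1434 LEN=384
EOF
}

# Read LOG lines on stdin; print one "category count" line per category
# (echo-request, icmp-other, PROTO/DPT) and finally "ping-share <percent>".
log_breakdown() {
    awk '
        /PROTO=ICMP/ && /TYPE=8 / { ping++; total++; next }
        /PROTO=ICMP/              { icmp_other++; total++; next }
        match($0, /PROTO=[A-Z]+/) {
            proto = substr($0, RSTART + 6, RLENGTH - 6)
            if (match($0, /DPT=[0-9]+/))
                key = proto "/" substr($0, RSTART + 4, RLENGTH - 4)
            else
                key = proto
            other[key]++; total++
        }
        END {
            printf "echo-request %d\n", ping
            printf "icmp-other %d\n", icmp_other
            for (k in other) printf "%s %d\n", k, other[k]
            printf "ping-share %d\n", (total ? 100 * ping / total : 0)
        }'
}

# Just the percentage of logged packets that were pings, for a quick check.
ping_share() { log_breakdown | awk '$1 == "ping-share" { print $2 }'; }

sample_log | log_breakdown
```

On a real box feed it the IPCop log instead of sample_log; if the echo-request share is small, dropping or not logging pings will not change the log volume much.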
Phil Barnett
2004-03-27 16:07:06 UTC
Post by Robert Kerr
If it cuts down your firewall logs it can't
hurt, but personally I prefer to have an easy way to check whether my
servers are up. Your mileage may vary.
Yeah, I don't think I'd do that to a firewall that had a server behind it.

But, I would venture a guess that a typical IPCop installation doesn't have a
server behind it. Probably by a staggering percentage.

- --

"The choices we make dictate the life we lead. To thine ownself be true." --
William Shakespeare
KI4DPT
Phil Barnett
2004-03-27 04:29:01 UTC
Post by Robert Kerr
Think of any big website you know - it's almost guaranteed that you can
quite happily ping them.
Have you pinged redhat.com in the last year?

- --

"The choices we make dictate the life we lead. To thine ownself be true." --
William Shakespeare
KI4DPT
Trevor Benson
2004-03-28 18:06:07 UTC
Post by Robert Kerr
Post by e***@mirage.org
look at nmap, the first thing a default run does is try to ping
the remote host, if it doesn't reply, what does it do? exits and warns. go
figure, if you're dropping icmp/echo's at the firewall, chances are less
likely that your network will be scanned by random scanners, unless someone
is directly targeting you. then of course, the attacker should be smart
enough to use -P0.
Whilst nmap does ping first, recent versions don't just use ICMP and ICMP
pings being blocked alone aren't enough to make it skip the host. From the
-PB This is the default ping type. It uses both the ACK ( -PT ) and
ICMP echo request ( -PE ) sweeps in parallel. This way you can
get firewalls that filter either one (but not both). The TCP
probe destination port can be set in the same manner as with -PT
above. Note that this flag is now deprecated as pingtype flags
can now be used in combination. So you should use both "PE" and
"PT" to achieve this same effect.
IPCop 1.3 doesn't block the ACK based probing method so nmap will detect it
fine even if you have ICMP pings blocked. The IPCop 1.4 betas on the
other hand will block the ACK based probes.
In general I'd dispute that an attacker has to be targeting you directly to
use -P0. Pinging is usually only advantageous if the time a ping takes to
determine a host is up or down is less than the time taken to scan the ports
in question on that host. As most attackers will be scanning for a small
number of exploitable services this doesn't necessarily hold true. If you're
only scanning for a single port the time taken to do the TCP ACK ping will be
as long as the time taken to scan the port. It's not like nmap is the only
port scanner out there either, scanrand is probably a better choice for
scanning large netblocks (and doesn't ping at all). It does all depend on the
intelligence of the attacker though... your average script kiddie probably
doesn't know -P0 exists at all.
True, but many people out there (even script kiddies using scanners)
will just sweep a large block of addresses so as not to raise the alarm on
the specific ports. If an ISP or managed service provider notices that
someone is ping sweeping a network, they are less likely to raise alarm
or block traffic than if one of the kiddies is scanning a whole
network on the exact service ports they are trying to compromise.

As much as script kiddies are just that, script kiddies, even they are
starting to develop basic techniques. Low level administrators also use
nmap to ping sweep their networks, so it tends to be an ignored way of
finding live machines.

Security by obscurity is not the best method, but not allowing someone
to fingerprint your OS with simple analysis of a ping sweep helps
prevent pinpointing the exploits that could compromise your system. So
there are definite security bonuses for doing such things, but it is a
trade off.

Trevor