* P. Kallakuri ([EMAIL PROTECTED]) [030826 11:06]:
> by default ICMP traffic is disabled and when i set up a firewall in our
> research lab about 3 years back, that's how i left it. our research
> machines were open on the internet when we got a series of nasty
> infiltration attempts. i could not figure out why someone would do that
> with research computers in the university system. anyways we had years
> of valuable research data on the machines that were being compromised,
> so i (having got nothing to do with networking or administration) read
> about and set up this gateway/firewall. i was aware that disabling ICMP
> would keep outside machines wondering whatever happened to their
> traffic. but if that's what it takes to keep out some guy who runs a
> "find-all-live-hosts" discovery script (that's how most of the machines
> in our university system were hacked into), then we have to do it. our
> tech guys really don't bother about research networks. but really if
> there is a more effective mechanism to keep intruders from knowing
> whether a hack-candidate exists, i would be more than willing to do that.
This practice of trying to become invisible is known as "security through obscurity". There is no inherent danger in being pingable, and there is no inherent security in not being pingable. There are myriad other ways to tell if a host is up on a given address. (An ICMP ping just happens to be a very convenient way to do it. It's one of the first things everyone checks when they're experiencing connectivity problems. Disabling this just makes the troubleshooting process awkward and more difficult.)

I highly doubt that ping had anything to do with the intrusion you experienced. The right tactic is to find the security hole and plug it, not to hide and hope that your security holes go unnoticed.

You're correct; you probably weren't being targeted specifically by an enemy. More likely, you were the victim of a "script kiddie" who was scanning as many hosts as possible and trying a known exploit against them. Generally, though, disabling ICMP isn't going to help you in this situation. A script kiddie isn't going to ping a bunch of hosts and then decide which ones to try the exploit on; he'll just try the exploit on the hosts in the first pass. Some will work, some won't. Whether or not you've disabled ICMP, if you're vulnerable, you're vulnerable.

good times,
Vineet

--
http://www.doorstop.net/ -- http://www.aclu.org/
It's all about Freedom.
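A small way to check Vineet's point against your own gateway logs, as an added example that is not code from either poster: it reads netfilter-style LOG lines (constructed below, in the format the iptables LOG target emits with a `--log-prefix`) and reports, per source, how many echo requests the ICMP drop actually stopped versus how many connection attempts to service ports reached the hosts anyway.

```python
"""Measure what an ICMP-drop policy stopped versus what still got through.
Example added for this thread; log lines and prefixes are constructed."""
import re
from collections import defaultdict

# Constructed sample. Echo requests are dropped by policy, but SYNs to
# service ports are accepted whether or not the source ever pinged first.
SAMPLE_LOG = """\
Aug 26 11:02:11 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Aug 26 11:02:12 gw kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4401 DPT=22 SYN
Aug 26 11:02:13 gw kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=4402 DPT=22 SYN
Aug 26 11:03:40 gw kernel: FW-ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51200 DPT=80 SYN
Aug 26 11:03:40 gw kernel: FW-ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP SPT=51201 DPT=80 SYN
Aug 26 11:03:41 gw kernel: FW-ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.12 PROTO=TCP SPT=51202 DPT=80 SYN
Aug 26 11:05:02 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.55 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
"""

LINE_RE = re.compile(
    r"(?P<action>FW-\w+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)"
    r"(?: TYPE=(?P<type>\d+))?(?:.*?DPT=(?P<dpt>\d+))?"
)

def parse_log(text):
    """Yield one dict of the fields above per recognised log line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def summarise(text):
    """Per source: echo requests dropped, hosts reached by accepted SYNs, ports hit."""
    report = defaultdict(lambda: {"echo_dropped": 0, "syn_hosts": set(), "ports": set()})
    for ev in parse_log(text):
        entry = report[ev["src"]]
        if ev["proto"] == "ICMP" and ev["type"] == "8" and ev["action"] == "FW-DROP":
            entry["echo_dropped"] += 1
        elif ev["proto"] == "TCP" and ev["action"] == "FW-ACCEPT" and ev["dpt"]:
            entry["syn_hosts"].add(ev["dst"])
            entry["ports"].add(int(ev["dpt"]))
    return dict(report)

def scanners_that_skipped_ping(text):
    """Sources that never sent an echo request yet still reached more than one host."""
    return sorted(src for src, e in summarise(text).items()
                  if e["echo_dropped"] == 0 and len(e["syn_hosts"]) > 1)
```

In the sample, 203.0.113.9 sweeps port 80 across three hosts without ever pinging, and 198.51.100.7 has its ping dropped and tries port 22 anyway; the only thing the ICMP rule stopped was the echo requests themselves.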