lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1098044466.3746.10.camel@je.nets.com>
From: hackerwacker at cybermesa.com (James Edwards)
Subject: ICMP (was: daily internet traffic report)

On Sun, 2004-10-17 at 12:55, Frank de Wit wrote:
> I thought I asked a question ; the answer 'yes' should have been 
> sufficient ;-)
> Just joking, let's ask two other questions:
> -when you read about ICMP fingerprinting (see Ofir Arkin's great articles)
> -and you see tools like Xprobe and a lot of other OS-fingerprinting tools
> I might be wrong, but:
> a) do you still think ICMP is a good thing in relation to security (by 
> obscurity)?

It gains little, there are other ways to tell if you are there. Those
who only use ping to identify hosts are on the low end of the skill
curve and it is those on the upper end of the skill curve that may have
to skills to compromise your firewall/hosts.


> b) why would you need ICMP from the internet to your perimeter/DMZ-devices?
> 

PathMTU. You will not move any packets unless your host can negotiate MTU
along the path. 

So, blocking ***all*** ICMP ***types*** is bad but you can block some ***types***
without getting into trouble. Till you understand that all the types do in relation
to networking I would leave the alone.

j
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041017/8812da43/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ