Web Application Security
Re: Should or shouldn't block public ping to a website Sep 09 2011 10:46AM
Sandeep Cheema (51l3n7 live in) (1 replies)
Re: Should or shouldn't block public ping to a website Sep 11 2011 10:39PM
Clement Dupuis (clement dupuis gmail com)
Good day to all,

The problem is that people do not selectively allow ping types.  They
allow ICMP or they don't.

A tool like LOKI could be used as a client server tool to leak data in
and out of your servers.

ICMP Timestamp queries could be used to find out how long a server has
been up and running, which could indicate whether a critical patch requiring
a reboot has been or has not been installed on the remote server.

Netmask queries can be done to further identify specific range of IP's
being used.

ICMP redirect could be used.

ICMP offers limited benefits; pinging a server only tells you the
stack is configured and working, it does not tell you anything about
the specific services on the device itself. A host can respond to
pings but it does not mean the services running on top of it are
working properly.

Other than ICMP Type 3 error messages, there is little benefit in allowing ICMP.

Take care

Clement

Clement Dupuis, CD
Chief Learning Officer (CLO) and Security Evangelist

SecureNinja
An Insyte Company

Phone : +1 407 479 3903
Mobile: +1 407 433 6444
Fax: +1 407 264 8396

Skype: clementdupuis

Email: clement (at) secureninja (dot) com [email concealed]

Web: www.secureninja.com

901 N. Pitt Street, Suite 105
Alexandria, VA  22314

In Cyberspace:
Clement Dupuis, CD
President/Founder/Chief Security Evangelist
The CCCure Family of Portals
------------------------------------------------------------------------------------------
Maintainer of :
The CCCure Family of Portals
http://www.cccure.org

The Professional Security Testers Warehouse
http://www.professionalsecuritytesters.org

Knowledge sharing and giving back to the community

-------------------------------------------------------------------------------------------------------
>>  Call me to get the best CISSP, Security+, or other Security related training  <<
-------------------------------------------------------------------------------------------------------

On Fri, Sep 9, 2011 at 11:46, Sandeep Cheema <51l3n7 (at) live (dot) in [email concealed]> wrote:
>
> Why are you not allowing ICMP? Is the server itself exposed or behind a netscaler or some routing device? Even if it's not covered behind, you can allow ping. The only exploit with ping is the ping of death, which is obsolete now. Use a software IDS\IPS?
>
> Regards, Sandeep
>
> Sent from BlackBerry® on Airtel
>
> -----Original Message-----
> From: ShiYih Lye <shiyih.lye (at) my.offgamers (dot) com [email concealed]>
> Date: Mon, 5 Sep 2011 06:03:57
> To: <webappsec (at) securityfocus (dot) com [email concealed]>; <pen-test (at) securityfocus (dot) com [email concealed]>
> Subject: Should or shouldn't block public ping to a website
>
> Hi,
>
> All this while I have not been allowing any public ping to the website I'm
> maintaining, but it's making it tougher for me to troubleshoot should any
> user around the globe have trouble accessing our website, as I can't
> get them to send a proper traceroute report.
>
> In your opinion, is it necessary to block public ping to a public
> website? Is this security practice still relevant with today's exploit
> technology?
>
> And if you think it's still necessary, how do I make sure my users'
> traceroute still works when all ICMP is dropped from the public?
>
> Thanks for any input, much appreciated.
>
> Regards,
> Lye
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
>


Privacy Statement
Copyright 2010, SecurityFocus