"a good admin will allow ICMP traffic through, *unless* they believe it to
be a specific security risk"

Sorry, disagree there.  A *good* admin will recognize that ICMP *IS* a
security risk.  It allows remote computers to build a map of your network
and find out what IP addresses are valid.  While "security through
obscurity" is not enough by itself, blocking ICMP traffic is pretty standard
practice these days.  ICMP is also used for many DoS attacks. Here is a
quote from HACKING EXPOSED (which should be required reading for all network
admins, IMO):

"As discussed throughout this book, we reiterate that ICMP traffic is
dangerous.  While ICMP serves a valuable diagnostic purpose, ICMP is easily
abused and is often the 'bullet' used for bandwidth consumption attacks."

And another:

"Ping sweeps (or ICMP ECHO packets) are only the tip of the iceberg when it
comes to ICMP information about a system.  You can gather all kinds of
valuable information about a system by simply sending an ICMP packet to it."

Now, in my configuration, I am able to block only incoming ICMP packets
while allowing outgoing, so I was able to install without a problem.  Many
admins do not have that option, though.

-Dan Horne
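The "block inbound ICMP, allow outbound" policy described above, modelled as a small stateful filter. This is an added illustration, not code from the thread or from Declude; the packet tuples and addresses are constructed for the example. It admits an inbound echo-reply only when it answers an echo-request the host sent, drops unsolicited inbound echo-requests (the ping sweeps quoted above), and deliberately keeps passing ICMP type 3 code 4 ("fragmentation needed"), since dropping that one breaks path MTU discovery.

```python
# Added example (not from the thread): stateful ICMP policy in the spirit of
# "block incoming ICMP, allow outgoing". No sockets are used; packets are tuples.
from dataclasses import dataclass

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8
FRAG_NEEDED = 4  # code under DEST_UNREACH; required for path MTU discovery

@dataclass(frozen=True)
class Icmp:
    direction: str    # "in" or "out", relative to the protected host
    src: str
    dst: str
    icmp_type: int
    code: int = 0
    ident: int = 0    # echo identifier
    seq: int = 0      # echo sequence number

class IcmpFilter:
    """Outbound pings allowed; replies to them allowed back in once;
    unsolicited inbound echo-requests dropped; PMTUD messages kept."""

    def __init__(self):
        self.pending = set()   # (our_ip, remote_ip, ident, seq) we sent

    def decide(self, pkt: Icmp) -> str:
        if pkt.direction == "out":
            if pkt.icmp_type == ECHO_REQUEST:
                self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "ACCEPT"
        # inbound from here on
        if pkt.icmp_type == DEST_UNREACH and pkt.code == FRAG_NEEDED:
            return "ACCEPT"            # never black-hole PMTU discovery
        if pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.pending:
                self.pending.discard(key)   # one reply per request
                return "ACCEPT"
        return "DROP"                  # sweeps and unsolicited replies

def run(packets):
    f = IcmpFilter()
    return [f.decide(p) for p in packets]

# constructed sample traffic (documentation-range addresses)
SAMPLE = [
    Icmp("out", "192.0.2.10", "198.51.100.5", ECHO_REQUEST, ident=7, seq=1),
    Icmp("in", "198.51.100.5", "192.0.2.10", ECHO_REPLY, ident=7, seq=1),   # matches
    Icmp("in", "198.51.100.5", "192.0.2.10", ECHO_REPLY, ident=7, seq=1),   # replay
    Icmp("in", "203.0.113.9", "192.0.2.10", ECHO_REQUEST, ident=1, seq=1),  # sweep
    Icmp("in", "203.0.113.9", "192.0.2.10", DEST_UNREACH, code=FRAG_NEEDED),
]
```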



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, July 09, 2004 1:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Fw: New Multiple Threat Lookup Database test
for Declude JunkMail

[Responding to two posts]

>So - if some dial-up/dynamic PC gets infected, that IP address will 
>likely be assigned to someone else who happens to connect tomorrow?  Is 
>your test eliminating any "dial-up/dynamic" IPs, since by definition 
>the infected/spam workstation will change IPs?

But, by definition, those IPs are guaranteed to be dynamic -- and therefore
shouldn't be sending E-mail directly, without the assistance of an MTA.

>How do you account for businesses using Internet gateways, firewalls, 
>NAT routers etc where one IP address could feasibly represent a large 
>number of different workstations?

If a business has infected computers, and the business allows those infected
computers to send out viruses through the firewall on the same IP that
outgoing legitimate E-mail goes on, they have serious problems.  They would
need to fix the problems, and request removal of their IP.

>Considering that most administrators will block ANY TCP/IP traffic
>from/to a server and only open exactly those 2 or 3 ports that are needed
>for its primary function, you can assume that trying to "ping" will not
>be permitted - thus preventing install.

Not true -- a good admin will allow ICMP traffic through, *unless* they
believe it to be a specific security risk.

As a rule of thumb, when people ask me for assistance regarding troubles
reaching a computer and I can't ping it, I tell them that it can't be
pinged, and they have to take care of it from there.  If you disable a vital
networking tool, you need to accept the consequences.

On the other hand, I don't believe an install program should need to use
ICMP traffic, and I have passed this information on to the developer of the
install program.

                                                    -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.
