Re:Re: ICMP (Type 8) port by Sadie
Sadie
Sat May 22 16:49:40 CDT 2004
Many thanks, for such an informative response. I appreciate
it very much.
Sadie
>-----Original Message-----
>"Sadie" <anonymous@discussions.microsoft.com> wrote in message
>news:109e801c4402b$2e8165a0$a401280a@phx.gbl...
>> Please do correct me if I am mistaken, but isn't such a
>> ping the most commonly used prelude to a hacking attempt?
>
>Well, you could see it like that, in the sense that a hacker
>will probably check whether your computer answers to some
>kind of connection. But a ping only checks whether your
>computer gives _an_ answer. It doesn't give any more
>information.
>
>Consider a legitimate use of ping. I want to see whether
>laila.dnsalias.org is working. Well:
>
>C:\>ping laila.dnsalias.org
>
>Envoi d'une requête 'ping' sur laila.dnsalias.org [80.8.134.187] avec 32 octets de données :
>
>Réponse de 80.8.134.187 : octets=32 temps=117 ms TTL=247
>Réponse de 80.8.134.187 : octets=32 temps=57 ms TTL=247
>Réponse de 80.8.134.187 : octets=32 temps=51 ms TTL=247
>Réponse de 80.8.134.187 : octets=32 temps=59 ms TTL=247
>
>Statistiques Ping pour 80.8.134.187:
> Paquets : envoyés = 4, reçus = 4, perdus = 0 (perte 0%),
>Durée approximative des boucles en millisecondes :
> Minimum = 51ms, Maximum = 117ms, Moyenne = 71ms
>
>
>It looks like it does.
>
>If you want to check whether your connection is working,
>this can be _very_ useful.
>
>If you block ping requests, you'll lose the possibility to check
>whether _your_ computer is reachable. For a private computer,
>most likely it doesn't matter. But if everybody starts blocking
>ping for no reason, a very useful tool will be lost.
>
>If your computer doesn't answer to any unrequested
>information-carrying packet, but does answer to "ping"
>packets, there is no security risk in this. Again, an
>ICMP echo reply packet (i.e. an answer to "ping") is
>simply an IP packet with no content.
>
>You can see that microsoft.com does block ICMP echo
>requests. This is probably a protection against anyone
>trying to flood them with useless ping requests. In their case,
>I understand that it could happen (as well as more sophisticated
>attacks).
>
>FYI, I don't block ICMP echo on my computer.
>
>> Isn't it preferable to have a "passive" firewall that
>> silently drops packets without responding?
>
>Well, this is a bigger question, and more of a matter
>of taste. You can look at it this way: if a program tries
>to connect to your computer, it can either:
> * ignore it completely, and discard the IP packets
> * answer "there is nothing here for you, so you can stop
>trying".
>In a way, the second answer is more polite, and the
>remote computer can abort the connection attempt
>instead of retrying several times.
>
>On the other hand, it is a kind of (uninformative) answer,
>and some people are afraid of _any_ answer.
>
>Note that identifying an operating system by the behaviour
>of its network stack (e.g. using nmap) requires a closed port
>_and_ an open port to work reasonably well.
>
>If the tools I use allowed it, I'd prefer to make all the ports I don't
>need appear as closed, instead of discarding packets silently.
>However, I fully understand that you can prefer to avoid giving
>any answer, as an added precaution. It's a kind of trade-off
>between security and normal networking behaviour.
>
>> I only ask since I have never gained such a result from
>> Sygate. My connectivity is fine.
>
>You will probably never have any problem, except if you try
>to set up some kind of VPN connection. In this case, blocking
>ICMP fragmentation needed packets can prevent it from
>working. (IPSec VPNs often send large encrypted packets, and
>ICMP fragmentation needed is used to tell "it's too big, send it
>again as several smaller pieces"). I've had problems with this.
>
>.
>
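
The distinction the thread draws between ICMP echo (type 8) and ICMP "fragmentation needed" (type 3, code 4) can be made explicit in a filter. The following is an added example, not part of the original messages: a stateless classifier over raw ICMP bytes that always lets fragmentation-needed through and treats answering ping as a policy choice. The function names, the `answer_ping` flag and the verdict strings are assumptions made for illustration.

```python
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8
FRAG_NEEDED = 4  # code under type 3, used by path MTU discovery (RFC 1191)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message; `rest` is the 4-byte type-specific field."""
    header = struct.pack("!BBH4s", icmp_type, code, 0, rest)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBH4s", icmp_type, code, csum, rest) + payload

def decide(msg: bytes, answer_ping: bool = True):
    """Return (verdict, detail) for one inbound ICMP message."""
    # A valid message sums to zero when the stored checksum is included.
    if len(msg) < 8 or inet_checksum(msg) != 0:
        return ("drop", "malformed")
    icmp_type, code, _, rest = struct.unpack("!BBH4s", msg[:8])
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        # Dropping this is what breaks large-packet VPN traffic.
        mtu = struct.unpack("!HH", rest)[1]
        return ("accept", "fragmentation needed, next-hop MTU %d" % mtu)
    if icmp_type == ECHO_REQUEST:
        return ("accept" if answer_ping else "drop", "echo request")
    if icmp_type == ECHO_REPLY:
        # Simplification: a stateful firewall would match this to our own ping.
        return ("accept", "echo reply")
    return ("drop", "type %d code %d" % (icmp_type, code))
```

With `answer_ping=False` the host stays silent to ping while path MTU discovery keeps working, which is the combination the last paragraph of the reply is concerned with.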