Any service you open is vulnerable to a (D)DoS attack. Ping is a legitimate ICMP protocol used to check whether the destination host is alive. If misused, one can send a large amount of data from a number of different hosts to a single target in an attempt to crash it. Generally, it is always a good idea to restrict inbound ICMP echo-request to your site, to minimize the risk of attack.

Now, HPing is a tool that can do a lot more than a normal ICMP ping: it can do a TCP (with any arbitrary flags set) ping to any port on a target server. It also has the capability to spoof the source address, set TTL, fragment packets, etc., etc. Again, if this tool is misused, one can do a lot more damage than with a traditional PING command. One way to circumvent this problem is to set session/threshold limits on your firewall to prevent enormously large and continuous PING requests being directed towards your site.

Nawapong Nakjang
IT Security Specialist
Security Team, Network Operation Center
KSC Commercial Internet Co, Ltd.
E-Mail: [EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 03, 2003 2:07 PM
To: Chad
Cc: [EMAIL PROTECTED]
Subject: Re: HPing?

To error is human -- to blame the computer is even more so.

On Wed, 2 Jul 2003, Chad wrote:

> We received a notification today, from a company that checks our network for
> vulnerabilities, that the web servers we host are vulnerable to HPing
> (http://www.hping.org/). The company stated that using this tool it is
> possible to ping the box via port 80 and thus open to service denial
> attacks(?!). Even do trace routes etc. Has anybody had any experience with
> this, and more importantly, how would one go about blocking this type of
> "ping"?

Chad,

First of all, ICMP, which ping is part of, does not have a src or dst port, so if the company that checks your network actually said "it is possible to ping your box via port 80" I would ask them to clarify themselves, and if they still persist that you are being pinged (aka. echo request, ICMP type 8) on port 80 I would suggest you give your money to someone else. Maybe me if you want? :)

I don't know how hping works, but what they might mean is that they can scan port 80 with a SYN TCP/IP packet and see if the box has a web server. This basically means that they can see if your web server is there by partially connecting to it. I don't see how you can stop this from happening though. It seems like an innate part of having a service for the public to view. Maybe somebody on the list can let me know why this is a denial of service problem? SYN flooding is the only thing I can think of, but I believe most modern kernels (at least for Linux; I don't know about Windows) have the ability to see these and try to stop them.

To solve your ping problem, block type 8 (echo request) ICMP packets at your firewall. This will stop people from being able to ping you; whether this is a good or bad thing is up for debate.
I personally don't like to disable echo requests, but I don't run a company either, just a 4 computer network. You should also block type 5 ICMP, which are redirections, at your firewall, just for good policy. I do block these. There might be a few more also.

Good luck, hope I didn't confuse you more.

john fastabend

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
---------------------------------------------------------------------------
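As an added example (not code from any poster in this thread), the script below puts the "session/threshold limit" idea from both replies into detection form. It parses a constructed packet log, keeps ICMP echo requests (type 8) and TCP SYNs to a port as separate counters (ICMP carries no port, as John notes, so the parser leaves it unset), and flags any source whose count inside a sliding window exceeds a limit, while a single SYN "ping" to port 80 or a slow trickle of echo requests is left alone. The log line format, the addresses, the window and the limits are all assumptions constructed for this example.

```python
"""Threshold-based detection of ICMP echo-request and TCP SYN floods.

Added example for this thread, not code from any of the posters. Reads a
constructed packet log in a hypothetical one-line-per-packet format and
applies per-source sliding-window limits, i.e. the "session/threshold
limit" idea from the thread, as a detector rather than a firewall rule.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Tuple


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    icmp_type: Optional[int] = None   # only meaningful for ICMP
    dport: Optional[int] = None       # only meaningful for TCP/UDP
    flags: str = ""                   # TCP flags, e.g. "S" or "SA"


def parse_line(line: str) -> Packet:
    """Parse one constructed log line: '<ts> <src> <dst> <proto> k=v ...'.

    ICMP has no port field at all, so dport stays None for it; a TCP SYN
    "ping" to port 80 is parsed with its port and flags.
    """
    ts, src, dst, proto, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Packet(
        ts=float(ts), src=src, dst=dst, proto=proto,
        icmp_type=int(fields["type"]) if proto == "ICMP" else None,
        dport=int(fields["dport"]) if "dport" in fields else None,
        flags=fields.get("flags", ""),
    )


def classify(p: Packet) -> Optional[str]:
    """Return the counter a packet contributes to, or None if uninteresting."""
    if p.proto == "ICMP" and p.icmp_type == 8:
        return "icmp_echo_request"
    if p.proto == "TCP" and "S" in p.flags and "A" not in p.flags:
        return "tcp_syn"          # bare SYN; SYN/ACK replies are ignored
    return None


def detect_floods(lines: Iterable[str], window: float = 1.0,
                  limits: Optional[Dict[str, int]] = None
                  ) -> Dict[Tuple[str, str], float]:
    """Flag (src, kind) pairs whose count within `window` seconds exceeds the limit.

    Returns the timestamp at which each (src, kind) first crossed its limit.
    """
    limits = limits or {"icmp_echo_request": 10, "tcp_syn": 20}
    recent: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], float] = {}
    for line in lines:
        if not line.strip():
            continue
        p = parse_line(line)
        kind = classify(p)
        if kind is None:
            continue
        key = (p.src, kind)
        q = recent[key]
        q.append(p.ts)
        while q and p.ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > limits[kind] and key not in alerts:
            alerts[key] = p.ts
    return alerts


def constructed_log() -> List[str]:
    """Constructed sample: one echo-request flood, one SYN flood, benign noise."""
    lines: List[str] = []
    # 12 echo requests from one source within half a second -> exceeds 10/s
    lines += [f"{i * 0.04:.2f} 203.0.113.5 192.0.2.10 ICMP type=8" for i in range(12)]
    # Three slow echo requests from another host, plus the echo reply -> normal
    lines += [f"{5 + i * 2:.2f} 198.51.100.7 192.0.2.10 ICMP type=8" for i in range(3)]
    lines += ["5.01 192.0.2.10 198.51.100.7 ICMP type=0"]
    # One TCP SYN "ping" to port 80 and its SYN/ACK -> a single probe, normal
    lines += ["6.10 198.51.100.7 192.0.2.10 TCP dport=80 flags=S",
              "6.11 192.0.2.10 198.51.100.7 TCP dport=40000 flags=SA"]
    # 25 bare SYNs to port 80 from one source within a quarter second -> exceeds 20/s
    lines += [f"{10 + i * 0.01:.2f} 203.0.113.9 192.0.2.10 TCP dport=80 flags=S"
              for i in range(25)]
    lines.sort(key=lambda l: float(l.split()[0]))
    return lines


if __name__ == "__main__":
    for (src, kind), ts in sorted(detect_floods(constructed_log()).items()):
        print(f"{ts:8.2f}  {src:<15} exceeded {kind} limit")
```

Running it prints the two flooding sources and the moment each crossed its limit; the single port-80 SYN from 198.51.100.7 is exactly the probe a scanner would report as a "ping via port 80", and it is not flagged, which is the distinction worth making before changing firewall policy in response to such a report. The same per-source counters are what a firewall rate-limit rule enforces at ingress; this script only observes.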
