Ping, scanning, ping sweep - security and computing tips
 


Ping is a widely used technique that lets an attacker detect whether your system is active, and it is often the first step an attacker takes to identify possible targets. Once a ping has shown that your computer is active and connected to the internet, the attacker will likely move on to additional techniques to identify security holes in your computer system that can be exploited to gain control over your computer.

The ping operation consists of sending a special network packet to a target computer and waiting for a response that tells the attacker whether the target computer is active. Other types of packets can be used as well, but the most common operation is to send an ICMP ECHO (type 8) packet to the target computer, to which the remote machine responds with an ICMP ECHO_REPLY (type 0) packet. The software on the attacker's computer usually has a ping timeout setting, which can typically be set anywhere from a few hundred milliseconds up to a few seconds. The software waits for the ICMP ECHO_REPLY packet to arrive within the chosen timeout, and if a reply packet is received, the target computer is known to be active.

Before launching an attack on a remote network, an attacker will likely start by scanning the network and gathering as much information about it as possible. One of the common operations used is the ping sweep. During a ping sweep, an attacker sends a large number of pings to a particular network, usually one per IP address. To scan hundreds or thousands of remote addresses efficiently, the attacker will probably use a multithreaded ping sweep tool, which allows the timeout setting to be customized and also runs multiple ping operations at the same time, maximizing the number of remote addresses that can be scanned.
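From the defender's side, a sweep shows up as one source sending ICMP ECHO to many different addresses in a short time. The following detector is an added example, not part of the original page; the log format, the sample lines and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: time, SRC, DST, ICMP type).
SAMPLE_LOG = """\
2024-01-01T10:00:00 SRC=203.0.113.10 DST=192.0.2.1 ICMP_TYPE=8
2024-01-01T10:00:01 SRC=198.51.100.7 DST=192.0.2.1 ICMP_TYPE=8
2024-01-01T10:00:01 SRC=198.51.100.7 DST=192.0.2.2 ICMP_TYPE=8
2024-01-01T10:00:01 SRC=192.0.2.2 DST=198.51.100.7 ICMP_TYPE=0
2024-01-01T10:00:02 SRC=198.51.100.7 DST=192.0.2.3 ICMP_TYPE=8
2024-01-01T10:00:02 SRC=198.51.100.7 DST=192.0.2.4 ICMP_TYPE=8
2024-01-01T10:00:03 SRC=198.51.100.7 DST=192.0.2.5 ICMP_TYPE=8
2024-01-01T10:00:03 SRC=198.51.100.7 DST=192.0.2.6 ICMP_TYPE=8
2024-01-01T10:01:00 SRC=203.0.113.10 DST=192.0.2.1 ICMP_TYPE=8
2024-01-01T10:02:00 SRC=203.0.113.10 DST=192.0.2.1 ICMP_TYPE=8
"""

def detect_sweeps(lines, window=timedelta(seconds=10), min_targets=5):
    """Map each sweeping source to the most distinct hosts it pinged in one window.

    Lines must be in time order. A source is reported once it has sent ICMP ECHO
    (type 8) to at least `min_targets` different destinations within `window`.
    """
    recent = defaultdict(list)          # source -> [(time, destination)] still in window
    flagged = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                    # blank or short line
        when = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        if fields.get("ICMP_TYPE") != "8":
            continue                    # replies and other ICMP types are not probes
        src, dst = fields["SRC"], fields["DST"]
        # Keep only this source's probes that are still inside the sliding window.
        recent[src] = [(t, d) for t, d in recent[src] if when - t <= window]
        recent[src].append((when, dst))
        targets = {d for _, d in recent[src]}
        if len(targets) >= min_targets:
            flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_LOG.splitlines()))
```

A monitor that pings the same single host every minute never reaches the distinct-destination threshold, so it is not reported.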

Perhaps the simplest protection against having your computer identified as active through the ping operation is to disable the ICMP protocol. Two configurations are common. In the first, your computer is directly connected to the internet (for example, if you are using dial-up with a regular modem and no router, you are likely connected to the internet directly); in that situation you need to block the ICMP protocol by configuring the software firewall on your computer. If you are not using a software firewall in such a situation, you should get and install one as soon as possible, otherwise you are exposed to a large number of risks: it may take only minutes until an attacker or worm gets into your computer. In the second, you are using a gateway computer or router to connect to the internet, and you can disable the ICMP protocol on the gateway/router to protect your public IP address from being tested via a ping operation.

Note, though, that ping is a useful operation and there are situations where it should remain active, in which case ICMP should not be disabled. For example, many ISPs use automated ping operations to monitor their connections, and if you disable ICMP, your ISP may take measures to correct what it believes to be a non-functional connection, such as disconnecting the connection, or in some cases may even call to ask what happened because its monitoring software reports the connection as down. Some software also relies on ping operations for its normal functioning and may conclude that your computer is no longer responding. In such cases, it is advised not to disable ICMP. Alternatively, you may permit ICMP only for a given computer or IP range. For example, where your ISP needs to monitor your connection via ping operations, you can call them and ask for the IP addresses of the monitoring machine(s) they use, and then use the IP address or IP range provided to create an allow rule in your firewall for the ICMP protocol. This should solve the problem, as your computer will respond to ICMP ECHO commands for your ISP, but not for everyone else.
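The allow rule described above can be modelled in a few lines: answer an ICMP ECHO (type 8) with an ECHO_REPLY (type 0) only when the source lies in the ISP's monitoring range. This is an added example, not part of the original page and not a firewall configuration; the range `203.0.113.0/28` and the function names are hypothetical.

```python
import ipaddress
import struct

ICMP_ECHO, ICMP_ECHO_REPLY = 8, 0      # the two types named in the article
# Hypothetical monitoring range, standing in for the addresses the ISP gives you.
ISP_MONITOR_NETS = [ipaddress.ip_network("203.0.113.0/28")]

def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo message: type, code 0, checksum, identifier, sequence."""
    unsummed = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return struct.pack("!BBHHH", icmp_type, 0, inet_checksum(unsummed), ident, seq) + payload

def handle_icmp(src: str, packet: bytes, allowed=ISP_MONITOR_NETS):
    """Return the ECHO_REPLY to send back, or None when the packet is dropped."""
    if len(packet) < 8 or inet_checksum(packet) != 0:
        return None                     # truncated or corrupted message
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ICMP_ECHO or code != 0:
        return None                     # only echo requests are answered
    if not any(ipaddress.ip_address(src) in net for net in allowed):
        return None                     # everyone else gets silence
    return build_echo(ICMP_ECHO_REPLY, ident, seq, packet[8:])

if __name__ == "__main__":
    ping = build_echo(ICMP_ECHO, 0x1234, 1, b"monitor")   # constructed request
    print(handle_icmp("203.0.113.10", ping))    # reply bytes for the monitor
    print(handle_icmp("198.51.100.7", ping))    # None for any other source
```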


This information is provided without any warranties of any kind. Use it at your own risk.


This material is copyrighted. Unauthorised copying is strictly prohibited by law.
© Xnews.ro. All rights reserved.