How secure are we?

Is there a firewall on the server at all? The firewall should be blocking unsolicited ICMP pings.
Take a look at this:

Ping to www.wilderssecurity.com
Generated by www.DNSstuff.com at 15:04:44 GMT on 26 Oct 2004.

Pinging www.wilderssecurity.com:

Ping #1: Got reply from www.wilderssecurity.com in 21ms [TTL=51]
Ping #2: Got reply from www.wilderssecurity.com in 20ms [TTL=51]
Ping #3: Got reply from www.wilderssecurity.com in 30ms [TTL=51]
Ping #4: Got reply from www.wilderssecurity.com in 22ms [TTL=51]

Done pinging www.wilderssecurity.com!

(to do an IPv6 ping for a domain name, add a ':' before the domain name)


(C) Copyright 2000-2004 R. Scott Perry

 

If you are running a web server, don't you have to allow pings?

 

No. Ping uses ICMP, web servers use port 80. You can turn off ICMP packet support on most firewalls. It adds a level of security...not much of one, though since port 80 is so common on even unsecured machines (e.g. PWS) that it will be the second thing tested after ping to see if something is there to be exploited.

 

Servers should stay pingable - how else is anyone to identify whether they have a network connection problem if they cannot access a website? Also the main reason for personal firewalls blocking pings is to obscure people's online presence - a website on the other hand has to be visible and available. This does not rule out having a firewall, but does make proper security more of a challenge (like running a P2P program on a PC, you leave a door open to attackers).

There's plenty of other information available about Wilderssecurity.com also. I dare say Paul and the other admins keep abreast of Apache security issues though another upgrade is due...

 

Just an idea but.

Have you contacted admins or mods. If not maybe you should instead of running around like headless chickens.

Also, you make out your worried and you post the problem in a public forum.

 

FunnyMonkey and Paranoid2000,

Thank you for the helpful responses!

 

Tell me, was the alert sent before or after I stepped in?

Jimbob

 

No alert necessary.
As mentioned, web servers are normally pingable.

 

How secure are we? Not very secure really. In fact we are vulnerable to any one with the right script...

Scan the address with Asmodeus 2.0 (super fast but rather noisy) or nmap (stealth scanner) and you'll know what I mean...

The problem with this site is not whether it is pingable or not but rather whether the 3 open ports are exploitable. Add to this the fact that there are at least 3 existing Bugtraqs as well (all high risk levels) that have not been patched todate and there is the potential of being blown off the air.

The danger of being pingable is if an illegal value is pinged, received and assembled by the server which will then cause the server to hang and dump its core.

The website can only withstand a syn flood attack computed at roughly 1,100 syn packets /second (128 bits/packet; 512,000 bandwidth) which is not much considering that there are attack platforms that can generate as much as 22,000 packets/sec and more on a distributed basis. Though not readily available to the average script kiddie, this attack capability can be assembled through coordination among a group with like motives (and the simple transmission of spoofed syn packets throgh a batch file transmission), or the utilization of zombie units and utilized in a reflected distributed attack.

Even if we assume that the server can turn off ports reserved for fin packets at a rate equal to the attack, this will render the site virtually useless.

The question was "how secure are we?" and IMO we are vulnerable!

 

Let us approach this with the perspective of an attacker... the first question we have to ask ourselves is... "If I attack WSF, what's the profit?"
Profits...
1. Fame - WSF comes always in top 3 results when you search for ANY security query... partly because its wilders' SECURITY forum, partly beacuse the members and their posts here are so amazing (hats off to you, guys), and partly because people TRUST the forum enough to link to it (and maybe also because the mods here are so handsome/beautiful and charming, but that works only on Yahoo search)
2. Money - Not much of it available on any forum... you can't have cash on a PS, no one submits credit card numbers here, and even if there's some saleable info here, you wouldn't know where Paul keeps it.
3. Kicks - the world believs this to be the #1 reason hackers hack, but its NOT... Money is. this is a reason only for so-called "script kiddies" (those who simply download and execute utils meant for exploiting one particular flaw).
4. Education - No one is stupid enough to go after a famous (reputed) website (see no.1 above) just because they wanna "learn".
5. To make sure I never get to post again - the ONLY valid reason known to mankind why WSF (or any other board) should be hacked.
The threat, personally, I feel is more that from, say, a worm or virus exploiting wide spread flaws (that can be solved only by patching).
Like they say, just my 2 cents....

 

Some people develop viruses for sheer vandalism... (65,000 and counting). People attack sites to deface them or simply to write "Kilroy was here" on the server's HDD. Motivation could range from a feather in one's cap to preventing no13 from posting. Murphy's law and the best defense can come up with is wishful thinking and a dozen Hail Marys??

Please...! Jeesiz! Is this how threats are assessed these days?