
Advanced Ping: httping, dnsping, smtpping - jonbaer
http://blog.webernetz.net/2016/05/10/advanced-ping-httping-dnsping-smtpping/
======
INTPenis
I have an sshping in my ~/bin because I often found myself waiting to log back
into a rebooting server and ping starts responding much earlier than ssh.

    
    
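    #!/bin/bash
    # Probe a TCP port every 0.5 s until interrupted.
    # Usage: sshping [host] [port]   (defaults: localhost 22)

    while sleep 0.5; do
      # -z: connect without sending data, -w 1: one-second timeout
      nc -vv -w 1 -z "${1:-localhost}" "${2:-22}"
    done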

~~~
hk__2
Why don’t you wait for ssh to respond if you need it to log back?

~~~
SteveNuts
That's what the script is doing, waiting until ssh is available so he can
log in as soon as it's back responding.
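
A probe that separates the three states this sub-thread is about (no TCP connection, port open, SSH daemon answering), as an added example that is not code from any commenter. The function names and the `probe` parameter are made up for this example.

```python
import socket
import time

def classify(banner: bytes) -> str:
    """'ready' if any received line is an SSH identification string."""
    lines = banner.splitlines()
    return "ready" if any(l.startswith(b"SSH-") for l in lines) else "open"

def ssh_ping(host="localhost", port=22, timeout=1.0):
    """One probe: returns (state, seconds). 'down' = no TCP connection,
    'open' = connected but no SSH banner, 'ready' = sshd identified itself."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(255)     # OpenSSH sends its version string on connect
            except OSError:              # read timeout or reset
                banner = b""
    except OSError:                      # refused, unreachable, timed out
        return "down", time.monotonic() - start
    return classify(banner), time.monotonic() - start

def wait_for_ssh(host="localhost", port=22, interval=0.5, max_tries=120,
                 probe=ssh_ping):
    """Probe until 'ready'; return probes used, or None after max_tries."""
    for attempt in range(1, max_tries + 1):
        state, rtt = probe(host, port)
        print(f"{host}:{port} {state} ({rtt * 1000:.1f} ms)")
        if state == "ready":
            return attempt
        time.sleep(interval)
    return None

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    wait_for_ssh(host, port)
```

Unlike `nc -z`, this stops on its own once the daemon has sent its banner, so a port that accepts connections before sshd is serving is reported as `open` rather than as success.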

------
chip_rosenthal
Why not just use nmap?

    
    
      $ nmap -Pn -p domain e.gtld-servers.net
    
      Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-15 13:32 CDT
      Nmap scan report for e.gtld-servers.net (192.12.94.30)
      Host is up (0.072s latency).
      PORT   STATE SERVICE
      53/tcp open  domain
    
      Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
    

The repeated ping function -- which is intended to display packet loss or
delay -- isn't useful for TCP services.

------
kyberias
Why the inconsistent naming? Why is it httping and smtpping? Why not httpping?

~~~
merb
actually the naming is bad anyway. the initial implementation only was used to
check if a host is reachable (routing etc) inside a network. then later other
stuff came in like RTT. however a ping on a higher layer is mostly not a
"real" ping. since it tests way more than just reachability. i.e. a http also
checks connectivity and when it comes to domains it even includes a dns check.

~~~
Programmatic
Ping has confounding factors as well (firewall blocks, DNS, etc). If it works
then you know that it's IP reachable, reachable on that TCP port, and that
there's a responsive daemon on the other end. If it doesn't, you know that you
need to troubleshoot. A device could not ICMP echo request ping, but respond
to httping. Neither is perfect.

------
reader_1000
There is also paping [1] that lets you "ping" to arbitrary port, although it
only works for TCP.

[1] [https://code.google.com/archive/p/paping/](https://code.google.com/archive/p/paping/)

------
ape4
It bugs me a bit that "ping" has got into general use. eg "Ping me with an
email later".

~~~
bramblerose
'Ping' (the word) is older (as in: 1835 old) than the 'ICMP Ping'.

~~~
13of40
I always thought it came from old fashioned submarine sonar. What would it
have meant in 1835?

~~~
accounthere
I thought it came from ping pong. As in you send a "ping" and it responds with
a "pong".

~~~
awqrre
reminds me of mIRC's "Ping? Pong!" events...

------
sbierwagen
I usually just curl -I a host to see if it's accessible.

------
dkopi
TLDR: A lot of companies block ICMP for security reasons. OP thinks you
shouldn't and provides links explaining why. That said, if ICMP is still
blocked, you might be able to use httping, dnsping and smtpping as tools that
provide similar information based on a server's responses to higher layered
protocols.

~~~
INTPenis
I'm not a network architect but I like it when ICMP is blocked because I know
it can be used to tunnel traffic in penetration situations.

~~~
dkopi
Any type of traffic can be used to tunnel other types of traffic.

You can tunnel over DNS as well:
[https://zeltser.com/c2-dns-tunneling/](https://zeltser.com/c2-dns-tunneling/)

~~~
INTPenis
Of course but security is multi layered and blocking ICMP is one layer, while
using internal DNS is another. It's mitigation that costs nothing.

~~~
scurvy
What does blocking ICMP get you? (other than a broken network) Blocking ICMP
fragments is fine if you are worried about DDoS attacks, but don't blanket
block everything ICMP (especially ICMPv6).

Just curious as to what problem you are solving by blocking ICMP.

~~~
dkopi
ICMP ECHO has an additional payload field that we often ignore. Some malware
is known to use the ICMP payload as a C&C channel, or to tunnel out stolen
information:
[https://en.wikipedia.org/wiki/ICMP_tunnel](https://en.wikipedia.org/wiki/ICMP_tunnel)

~~~
scurvy
You can tunnel inside almost any protocol. That's not a great reason. Valid,
sure; good, no.

~~~
dkopi
While true - ICMP is a ubiquitous protocol used all over the internet, by
computers and network devices alike.

It also often gets overlooked, so while "you can tunnel inside almost any
protocol", it is very common for malware to use ICMP for C&C.

This isn't to say ICMP should be blocked completely. But limiting the size and
the value of the payload in ICMP ECHO requests and replies can definitely
help.
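
The check suggested in the comment above, limiting the size and the value of ICMP echo payloads, written out as an added example that is not from the thread: it parses a raw ICMP message and reports echo traffic whose data is oversized or does not look like default ping data. The 64-byte limit, the function names and the samples are assumptions of this example.

```python
import struct

MAX_ECHO_PAYLOAD = 64                    # assumed policy limit, in bytes
WIN_CYCLE = b"abcdefghijklmnopqrstuvw"   # data the Windows ping client repeats

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def known_payload(p: bytes) -> bool:
    """Default ping data: the Windows alphabet cycle, or an 8/16-byte timestamp
    (not validated here) followed by bytes that each increase by one."""
    if all(c == WIN_CYCLE[i % len(WIN_CYCLE)] for i, c in enumerate(p)):
        return True
    def ramp(b):
        return len(b) >= 8 and all((x + 1) & 0xFF == y for x, y in zip(b, b[1:]))
    return ramp(p[8:]) or ramp(p[16:])

def inspect_echo(msg: bytes) -> list:
    """Findings for one ICMP message (ICMP header + data, IP header removed)."""
    if len(msg) < 8:
        return ["truncated"]
    if msg[0] not in (0, 8):             # only echo reply (0) / echo request (8)
        return []
    findings = []
    if checksum(msg) != 0:
        findings.append("bad-checksum")
    payload = msg[8:]
    if len(payload) > MAX_ECHO_PAYLOAD:
        findings.append("oversized-payload")
    if not known_payload(payload):
        findings.append("unrecognised-payload")
    return findings

def build_echo(payload: bytes, icmp_type: int = 8) -> bytes:
    """Build a constructed echo message (id 0x1234, seq 1) for the samples."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    return hdr[:2] + struct.pack("!H", checksum(hdr + payload)) + hdr[4:] + payload

# Constructed samples, not captured traffic.
LINUX_LIKE = build_echo(bytes(16) + bytes(range(0x10, 0x38)))
WINDOWS_LIKE = build_echo(WIN_CYCLE + WIN_CYCLE[:9], icmp_type=0)
ODD = build_echo(b"constructed-sample-data-not-a-ping-pattern" * 4)
```

Because the timestamp prefix is accepted without validation, those 8 or 16 bytes remain a small unchecked field; the check narrows what echo data can carry rather than closing it.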

~~~
ryanlol
> it is very common for malware to use ICMP for C&C.

This is not true in the slightest.

And it'd only be realistic on Windows as all other prevalent platforms require
administrative privileges for such.

~~~
dkopi
Good thing malware doesn't have administrative privileges.

~~~
ryanlol
Unless you're a member of ac1db1tch3z and happen to be sitting on a
particularly big pile of local 0days, as a malware developer you wouldn't
_rely_ on having such privileges.

Let's be real here, ICMP is a particularly bad protocol for malware and that's
why nobody uses it.

