Ping Attack and Defense Experience Summary

Source: Internet
Author: User

Author: Sai glacier
============================================================================
(Please credit the author when reprinting. Author: Sai glacier; contact QQ 18184412, e-mail anmeihong@sina.com)
Also, this article is written for beginners; if you are an expert, feel free to skip it (no comment). There are not many new ideas in it.
Personal Summary
============================================================================

The ping command is a common basic command. It is easy to overlook, but it has many uses.
I looked up the relevant material and summarized it here, combined with my own experience of using the command;
I will not go into every detail. Ping sends an ICMP ECHO packet to probe a host, and from the
reply we can extract the information we are interested in, for both attack and defense.
For the basic command format and the available parameters, refer to the built-in help; here I mainly cover the common ones.

First, let's look at how it is used on the attack side:

1. Obtaining the IP address of the target. During attack preparation we mainly work with IP addresses,
so to get the IP address of a website, use:
C:\> ping www.xxx.com
From the reply we can see its IP address.

2. Conversion between an IP address and its domain name. If you have an IP address and port 80 is open, and you want to see its domain name,
use:
C:\> ping -a 202.115.***.***
The name is shown in the reply.

3. Using the TTL value to guess the operating system. When we run ping we see a TTL value
(TTL means Time To Live).

For example:
C:\> ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:

Reply from 192.168.0.1: bytes=32 time<10ms TTL=128
Reply from 192.168.0.1: bytes=32 time<10ms TTL=128
Reply from 192.168.0.1: bytes=32 time<10ms TTL=128
Reply from 192.168.0.1: bytes=32 time<10ms TTL=128

Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

From this we can make a rough guess that it may be a Microsoft Windows NT/2k system (only a guess). Below are the
TTL values returned by common systems.
---------------------------------------------------------------------------
Operating system                              TTL of ICMP echo reply
UNIX and UNIX-like operating systems          255
Compaq Tru64 5.0                              64
Microsoft Windows NT/2k                       128
Microsoft Windows 95                          32
Linux kernel 2.2.x & 2.4.x                    64
Microsoft Windows XP                          128
---------------------------------------------------------------------------
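As an added illustration that is not part of the original article, the following PowerShell function applies the table above to ping output. The reply lines are constructed sample data. The function rounds the observed TTL up to the nearest initial value in the table, which also gives an estimate of how many routers the reply crossed (each one decrements the TTL by one), and the last sample line shows why the guess is only a guess: a host whose DefaultTTL has been changed, as in defense step 3 below, lands in the wrong row.

```powershell
# Added example, not from the original article. Maps the TTL seen in ping
# replies to the initial TTL values listed in the table above.
# The reply lines below are constructed sample data.
$SampleReplies = @(
    'Reply from 192.168.0.1: bytes=32 time<10ms TTL=128',
    'Reply from 10.0.0.5: bytes=32 time=12ms TTL=54',
    'Reply from 172.16.3.9: bytes=32 time=31ms TTL=247',
    'Reply from 192.168.0.1: bytes=32 time<10ms TTL=255'   # same host after DefaultTTL was set to ff
)

# Initial TTL values from the article's table and the systems that use them.
$InitialTtlTable = @{
    32  = 'Microsoft Windows 95'
    64  = 'Linux 2.2.x/2.4.x, Compaq Tru64 5.0'
    128 = 'Microsoft Windows NT/2k/XP'
    255 = 'UNIX and UNIX-like systems'
}
$InitialTtlValues = @(32, 64, 128, 255)   # ascending, for the round-up step

function Get-TtlGuess {
    param([string[]]$PingOutput)
    foreach ($line in $PingOutput) {
        if ($line -match 'Reply from (?<ip>[\d.]+):.*TTL=(?<ttl>\d+)') {
            $observed = [int]$Matches['ttl']
            # Each router on the path decrements TTL by one, so the sender's
            # initial TTL is the smallest table value not below the observed one.
            $initial = $InitialTtlValues | Where-Object { $_ -ge $observed } | Select-Object -First 1
            if ($null -eq $initial) { $initial = 255 }
            [pscustomobject]@{
                Host        = $Matches['ip']
                ObservedTtl = $observed
                InitialTtl  = $initial
                Hops        = $initial - $observed
                LikelyOS    = $InitialTtlTable[$initial]
            }
        }
    }
}

Get-TtlGuess -PingOutput $SampleReplies | Format-Table -AutoSize
```

With the sample data, TTL=54 is read as an initial TTL of 64 ten hops away (the Linux row), TTL=247 as 255 eight hops away, and the final line for 192.168.0.1 is classified as UNIX even though the earlier line for the same host said Windows, which is exactly the confusion the DefaultTTL trick in step 3 aims for.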

4. Using ping to launch a denial-of-service attack. By default the packet sent by Windows ping is 32 bytes,
but we can send larger packets ourselves. When the data sent to the other side is greater than or equal to 65535,
it is very likely to choke the machine. The -t parameter makes the command run continuously:
C:\> ping -l 65500 -t 192.168.1.21

The above are the common attacks hackers use. So how do we defend against them? Next,
let's look at how to prevent and detect such attacks:

1. The simplest and most practical method is to install a firewall, since firewalls can block ICMP packets. By default
no configuration is needed for the firewall to block them, so it is an easy fix; the Skynet firewall is one example.

2. Open Internet Protocol (TCP/IP) → Properties → Advanced → Options → TCP/IP Filtering → Properties. In the
"TCP/IP Filtering" window, add the ports you want to use; everything not listed is then filtered out. Next open
"Control Panel > Administrative Tools > Local Security Policy", right-click "IP Security Policies on Local Machine", and choose "Manage IP filter lists
and filter actions". Add a filter list named "ICMP attack prevention", then click Add and choose "Any IP address" as the source address
and "My IP address" as the destination, with protocol type ICMP. That completes the filter list. Under "Manage Filter Actions", untick "Use Add
Wizard", click Add, enter the name "Do Not ping me" on the General tab, and set the security method to "Block". We now have
a filter action that matches all incoming ICMP packets and discards them.
Right-click "IP Security Policies on Local Machine", choose "Create IP Security Policy", click Next, and enter "ICMP filter" as the name.
In the Add IP Filter Rule wizard, assign the "ICMP attack prevention" filter list you just defined to the ICMP filter policy, then
select the "Do Not ping me" action you defined. Finally, right-click "Prevent ICMP attack" and assign (enable) it.

3. If you have not filtered ICMP, you can play hide-and-seek with the hacker: change your TTL value so that the hacker misjudges
your operating system. On Windows:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DefaultTTL"=dword:000000ff
The value is in hexadecimal: 255 = ff, 128 = 80, 64 = 40, 32 = 20.
Let his judgment go to hell.
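As an added example that is not part of the original article, here is the same defense expressed in PowerShell on a current Windows version (Windows 8 / Server 2012 or later, which ship the NetSecurity module): a Windows Firewall rule that drops inbound ICMPv4 echo requests, the equivalent of the "Do Not ping me" filter action in step 2, followed by the DefaultTTL registry change from step 3. It must be run from an elevated prompt. The rule name and the choice of 255 as the new TTL are assumptions of this example.

```powershell
# Added example, not from the original article. Requires an elevated
# PowerShell on Windows 8 / Server 2012 or later (NetSecurity module).

# Step 2 equivalent: drop inbound ICMPv4 echo requests (type 8) so the
# host does not answer ping. Echo replies (type 0) to our own outbound
# pings are unaffected. The rule name is chosen for this example.
$RuleName = 'Do Not ping me (block inbound ICMPv4 echo)'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
                        -Direction Inbound `
                        -Protocol ICMPv4 `
                        -IcmpType 8 `
                        -Action Block `
                        -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action

# Step 3 equivalent: change the initial TTL the TCP/IP stack uses. This is
# the same DefaultTTL value the article sets by hand in the registry.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NewTtl = 255                      # decimal 255 = hex ff, as in the article's table
Set-ItemProperty -Path $TcpipParams -Name 'DefaultTTL' -Value $NewTtl -Type DWord
$current = (Get-ItemProperty -Path $TcpipParams -Name 'DefaultTTL').DefaultTTL
'DefaultTTL is now {0} (0x{0:x}); the new value is used after a reboot' -f $current
```

The firewall rule only blocks echo requests rather than all of ICMP, so messages the stack needs, such as destination-unreachable and fragmentation-needed, still get through; the article's IPsec filter blocks the whole ICMP protocol, which is simpler but can break path MTU discovery.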
