How to turn off ICMP (Ping) in Win2000
The full name of ICMP is the Internet Control Message Protocol. It is used primarily to carry error messages and control information. For example, the well-known ping and tracert tools are both built on the Echo request message of the ICMP protocol (request packet: ICMP echo, type 8, code 0; reply packet: ICMP echo reply, type 0, code 0).
ICMP has one notable property: it is connectionless. As long as the sender finishes assembling an ICMP packet and hands it to a router, the message, like a parcel, finds its way to the destination address on its own. This makes ICMP very flexible and fast, but it also brings a fatal flaw: it is easy to forge (the return address on the parcel can be written arbitrarily). Anyone can forge an ICMP message and send it out; the forger can use SOCK_RAW programming to rewrite the ICMP header and the IP header of the message directly, so the source address such a message carries is faked and the receiving end cannot trace it (an attacker who is not afraid of being caught has nothing to fear). Based on this principle there is a lot of ICMP-based attack software: some exploits network architecture flaws to create ICMP storms, some uses very large packets to choke the network, some uses ICMP fragmentation attacks to consume server CPU, and ICMP can even be used as the communication channel for a Trojan that needs no TCP/UDP port at all (see "Uncover the mysterious veil of the Trojan"). Since ICMP is so dangerous, why don't we simply turn it off?
As we all know, Win2000 has a TCP/IP filter in the network properties, so let's see whether ICMP can be turned off there: right-click Network Neighborhood -> Properties -> right-click the NIC you want to configure -> Properties -> TCP/IP -> Advanced -> Options -> TCP/IP Filtering. There are three filters here: TCP ports, UDP ports and IP protocols. First enable TCP/IP filtering, then configure them one by one. For TCP ports, click "Permit Only" and add the ports you need to open. Generally speaking, a web server only needs to open the WWW port, an FTP server needs to open FTP Data and FTP Control, a mail server may need to open SMTP, POP3, and so on. Then UDP: the UDP protocol, like ICMP, is connectionless and just as easy to forge, so unless it is really needed (for example, to provide DNS service over UDP) you should permit none of it, to avoid flooding (Flood) or fragmentation (Fragment) attacks.

The rightmost edit box defines IP protocol filtering. We choose to permit only TCP and add 6 (6 is TCP's number in the IP protocol table, IPPROTO_TCP=6). On the face of it, if only TCP is permitted, neither UDP nor ICMP should be able to get through. Unfortunately, the IP protocol filtering here refers to IP protocols in the narrow sense: although architecturally ICMP and IGMP are both sub-protocols of IP, in the 7-layer network model ICMP/IGMP sit one layer above IP. So Microsoft's IP protocol filtering does not include ICMP, which means that even with "Permit only TCP" set, ICMP messages still pass normally. If we want to filter ICMP, we have to find another way.
Back where we did the TCP/IP filtering there was another option alongside it: IP Security (IPSec), and this is where the idea of filtering ICMP lands.
Open the Local Security Policy and select IP Security Policies; here we can define our own IP Security policy.
An IP Security filter consists of two parts: a filter list (the filtering strategy) and a filter action. The filter list decides which packets should attract the filter's attention, and the filter action decides whether the filter "permits" or "blocks" the message. To create a new IP Security filter you must first create your own filter list and filter action: right-click the local IP Security policy, select Manage IP filter lists and filter actions, and in the IP filter list management add a new filter rule, Icmp_any_in, with the source address set to any IP address, the destination address set to My IP Address, and the protocol type ICMP. Then switch to the Manage Filter Actions tab and add an action named Deny with the action type Block. We now have a filter that watches all incoming ICMP packets and discards every one of them. Note that there is a Mirrored option in the Address settings; if Mirrored is selected, a symmetric filter rule is established as well, which means that when you are matching any IP -> my IP
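The following Python model is an added example and is not code from the original article or from Windows. It ties together two points above: the ICMP echo request/reply format (type 8 code 0 and type 0 code 0, with the RFC 792 one's-complement checksum) and the behaviour of a filter rule like Icmp_any_in (any IP -> my IP, protocol ICMP, action Block) with and without the Mirrored option. The addresses, filter names and packet bytes are constructed for the demonstration; nothing is sent on the network, and the filter logic is a simplified model of how such a rule matches, not Microsoft's implementation.

```python
"""Added example: model of ICMP echo messages and an IPSec-style ICMP filter.
All addresses and packets below are constructed test data (TEST-NET ranges)."""
import struct
from dataclasses import dataclass

ICMP_ECHO_REQUEST = 8   # type 8, code 0 (what ping sends)
ICMP_ECHO_REPLY = 0     # type 0, code 0 (what the target answers)
IPPROTO_ICMP = 1        # IP protocol number of ICMP
IPPROTO_TCP = 6         # IP protocol number of TCP (IPPROTO_TCP=6, as in the text)


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 792 / RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request/reply: type, code 0, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)  # checksum field zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp_echo(packet: bytes) -> dict:
    """Decode the 8-byte ICMP echo header and verify the checksum.

    Summing a correct packet including its checksum field yields all ones, so
    icmp_checksum() over the whole packet returns 0 when it is intact."""
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(packet) == 0}


@dataclass(frozen=True)
class Filter:
    """Simplified model of one IPSec filter: addresses, protocol, mirroring, action."""
    name: str
    src: str        # "any", "me", or a literal address
    dst: str
    protocol: int
    mirrored: bool
    action: str     # "block" or "permit"

    def matches(self, src_ip: str, dst_ip: str, protocol: int, my_ip: str) -> bool:
        def addr_ok(spec: str, ip: str) -> bool:
            return spec == "any" or (spec == "me" and ip == my_ip) or spec == ip
        if protocol != self.protocol:
            return False
        if addr_ok(self.src, src_ip) and addr_ok(self.dst, dst_ip):
            return True
        # Mirrored: the same rule also matches traffic in the opposite direction
        return self.mirrored and addr_ok(self.dst, src_ip) and addr_ok(self.src, dst_ip)


def decide(filters, src_ip: str, dst_ip: str, protocol: int, my_ip: str) -> str:
    """First matching filter wins; anything unmatched is permitted (no filter applies)."""
    for f in filters:
        if f.matches(src_ip, dst_ip, protocol, my_ip):
            return f.action
    return "permit"


# Constructed scenario: the rule from the text, in mirrored and non-mirrored form
MY_IP = "192.0.2.10"            # constructed local address
REMOTE_IP = "198.51.100.7"      # constructed remote address
ICMP_ANY_IN_MIRRORED = Filter("Icmp_any_in", "any", "me", IPPROTO_ICMP, True, "block")
ICMP_ANY_IN_ONEWAY = Filter("Icmp_any_in", "any", "me", IPPROTO_ICMP, False, "block")


def demo() -> dict:
    """Return the decisions for inbound/outbound ICMP and inbound TCP under both rules."""
    request = build_icmp_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")
    return {
        "request": parse_icmp_echo(request),
        "inbound_icmp_mirrored": decide([ICMP_ANY_IN_MIRRORED], REMOTE_IP, MY_IP, IPPROTO_ICMP, MY_IP),
        "outbound_icmp_mirrored": decide([ICMP_ANY_IN_MIRRORED], MY_IP, REMOTE_IP, IPPROTO_ICMP, MY_IP),
        "outbound_icmp_oneway": decide([ICMP_ANY_IN_ONEWAY], MY_IP, REMOTE_IP, IPPROTO_ICMP, MY_IP),
        "inbound_tcp": decide([ICMP_ANY_IN_MIRRORED], REMOTE_IP, MY_IP, IPPROTO_TCP, MY_IP),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script shows that the mirrored rule blocks the machine's own outgoing echo requests as well as incoming ones, while the one-way rule blocks only inbound ICMP and leaves TCP untouched in both cases. A practitioner checking a policy can adapt `decide()` to list every rule and confirm the direction each one actually covers before assigning it.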
Anyone familiar with networking knows ping. ping is the primary TCP/IP command for diagnosing network connectivity, reachability and name resolution problems; its main use is to detect whether the target host is reachable.
To break in, an attacker first has to locate the target, generally by using the ping command to probe the host and gather related information, and then run a vulnerability scan. How can you protect yourself from such attacks? Stop others from pinging your computer, so that the attack cannot even get started. The author introduces four common methods of blocking ping for everyone's reference:
I. Use the Advanced Settings method to block ping
By default, all Internet Control Message Protocol (ICMP) options are disabled. If you enable an ICMP option, your network becomes visible on the Internet and is therefore vulnerable to attack.
If you want to enable ICMP, you must be logged on to the computer as Administrator or as a member of the Administrators group. Right-click My Network Places and select Properties from the shortcut menu, open Network Connections, choose the connection on which Internet Connection Firewall is enabled and open its Properties window; switch to the Advanced tab and click "Settings" at the bottom to open the Advanced Settings dialog. On the ICMP tab, tick the types of request your computer should respond to (the check box next to each entry enables that request type); to disable a type, clear its check box.
II. Use a network firewall to block ping
Using a firewall to block ping is the easiest and most effective method, and by now practically every firewall has ICMP filtering enabled by default. Here Jinshan Net Dart 2003 and Skynet Firewall 2.50 serve as the examples.
If you use Jinshan Net Dart 2003, right-click the Jinshan Net Dart 2003 icon in the system tray, select "Utilities" -> "Custom IP Rule Editor" from the pop-up menu, in the window that appears select the "Defend against ICMP-type attacks" rule, clear the "Allow others to use the ping command to detect this machine" rule, and save and apply for it to take effect.
If you use Skynet Firewall, click "Custom IP Rules" in its main interface, then uncheck the "Prevent others from using the ping command" rule, tick the "Defend against ICMP attacks" rule, and click "Save/Apply" to make the IP rule take effect.
III. Enable an IP Security policy to block ping
IP Security, that is, IPSec policy, is used to configure IPSec security services. These policies provide various levels of protection for most communication types in most existing networks. You can configure IPSec policies to meet the security needs of a computer, application, organizational unit, domain, site or global enterprise. The IP Security Policy snap-in provided in Windows XP lets you define IPSec policies for computers in Active Directory (for domain members) or for the local computer (for computers that are not domain members).