Configuring a server to block ping (illustrated) - Windows Server

Source: Internet
Author: User

Frequent use of the PING command can cause network congestion and reduce transmission efficiency, so administrators generally prevent users from pinging servers in order to avoid malicious network attacks. To do this, you can configure a firewall or a router, but you can also take advantage of the capabilities of the Windows 2000/2003 system itself. Either way, ping is denied by prohibiting the use of the ICMP protocol.

For example, to set an IP policy in Windows Server 2003 that prevents users from pinging the server, take the following steps:

1. Add IP Filter
Step 1: Click Start → Administrative Tools → Local Security Policy to open the Local Security Settings window. Right-click the "IP Security Policies on Local Computer" option in the left pane and choose the "Manage IP filter lists and filter actions" shortcut command. On the "Manage IP Filter Lists" tab, click the Add button, name this filter "No ping", enter a description such as "ping my host on any other computer", and then click the Add button, as shown in the figure.

[Figure: Add IP Filter]


Step 2: Click the Next button, then Next again; select "My IP Address" as the IP traffic source address and click Next; select "Any IP Address" as the IP traffic destination and click Next; select ICMP as the IP protocol type and click Next. Click Finish → OK to finish adding the filter, as shown in the figure.

[Figure: Select IP protocol type]


Step 3: Switch to the "Manage Filter Actions" tab and click Add → Next. Name the filter action "block all connections", enter a description such as "block all network connections", click Next, and select the Block option as the behavior of this filter action. Finally, click Next → Finish → Close to complete all additions, as shown in the figure.

[Figure: Setting the behavior of a filter action]


2. Create an IP security policy
Right-click the "IP Security Policies on Local Computer" option in the console tree, choose the "Create IP Security Policy" shortcut command, and then click Next. Name this IP security policy "Prohibit Ping hosts", enter the description "rejecting ping requests from any other computer", and click the Next button. With the "Activate the default response rule" option checked, click Next. In the Default Response Rule Authentication Method dialog box, select the "Use this string to protect the key exchange" option, type a string such as "NO PING" in the text box below it, and click Next. Finally, click the Finish button to finish creating the policy and edit its properties, as shown in the figure.

[Figure: Setting authentication methods]


3. Configure the IP security policy
In the "Prohibit Ping hosts" Properties dialog box that opens, click Add → Next on the Rules tab, keep the default selection "This rule does not specify a tunnel", and click Next. Select "All network connections" to ensure that no computer can ping the host, and click Next. In the IP filter list box, select "No ping" and click Next; in the Filter action list box, select "block all connections" and click Next; then clear the "Edit properties" option and click Finish to end the configuration, as shown in the figure.

[Figure: Select IP filter]


4. Assign the IP security policy
After the security policy has been created, it does not take effect immediately; it must first be "assigned". Right-click the "Prohibit Ping hosts" policy in the right pane of the Local Security Settings window and choose the Assign command to enable the policy, as shown in the figure.

[Figure: Assigning IP security policies]

After this setup, the server rejects pings to its own IP address from any other computer, but pinging itself locally still works.

Blocking ping under Linux

Log in to the Linux system as root and edit the file icmp_echo_ignore_all:
vi /proc/sys/net/ipv4/icmp_echo_ignore_all
Change its value to 1 to block ping.
Change its value to 0 to unblock ping.

Editing the file directly produces an error:

WARNING: The file has been changed since reading it!!!
Do you really want to write to it (y/n)?y
"icmp_echo_ignore_all" E667: Fsync failed
Hit ENTER or type command to continue

This is because /proc/sys/net/ipv4/icmp_echo_ignore_all is not a real file.
To change its value, echo 0 or 1 into this file
(that is, echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all).

To make the change permanent, add the line

net.ipv4.icmp_echo_ignore_all=1

to the configuration file /etc/sysctl.conf.
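
The following script is an added example, not part of the original article. It applies the Linux setting described above and persists it so that /etc/sysctl.conf ends up with exactly one active entry for the key, since a later conflicting line in that file would otherwise override the one you add. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: persist and apply net.ipv4.icmp_echo_ignore_all.
KEY=net.ipv4.icmp_echo_ignore_all
KEY_RE='^[[:space:]]*net\.ipv4\.icmp_echo_ignore_all[[:space:]]*='

# persist_ping_setting VALUE [FILE]
# Leaves FILE with exactly one active "KEY = VALUE" line.
# Comment lines and all other keys are kept unchanged.
persist_ping_setting() {
    value=$1
    conf=${2:-/etc/sysctl.conf}
    case $value in
        0|1) ;;
        *) echo "value must be 0 (allow ping) or 1 (block ping)" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    if [ -f "$conf" ]; then
        # grep exits 1 when nothing is left to print; that is not an error here.
        grep -Ev "$KEY_RE" "$conf" > "$tmp" || [ $? -eq 1 ]
    fi
    echo "$KEY = $value" >> "$tmp"
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# persisted_ping_setting [FILE]
# Prints the value that takes effect at boot (the last active entry).
persisted_ping_setting() {
    sed -n -E "s/${KEY_RE}[[:space:]]*([01])[[:space:]]*\$/\\1/p" \
        "${1:-/etc/sysctl.conf}" | tail -n 1
}

# apply_ping_setting VALUE
# Changes the running kernel (needs root); same effect as
# echo VALUE > /proc/sys/net/ipv4/icmp_echo_ignore_all
apply_ping_setting() {
    sysctl -w "$KEY=$1"
}

# Run as root with an argument of 1 (block) or 0 (allow).
if [ "${1:-}" = "0" ] || [ "${1:-}" = "1" ]; then
    persist_ping_setting "$1" && apply_ping_setting "$1"
fi
```

This key only affects IPv4 echo requests; ICMPv6 echo is not controlled by it.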
