As we all know, the Ping command is a very useful network command, which is often used to test network connectivity. But at the same time, it is also a double-edged sword, especially in today's rapid development of the network, some "malicious" people use it in the Internet to detect other people's machines, to achieve ulterior motives. To ensure the security of machines on the network, many people now attach great importance to anti-Ping. Of course, there are many anti-Ping methods and methods, such as using IPSec security policies, Windows built-in firewalls, third-party firewall tools, routes, and remote access components. Is the anti-Ping method suitable for you, let me take you here!
I. Use the IPSec Security Policy "Ping protection" with caution
Using the IPSec Security Policy "Ping protection" is a common method. After a few simple steps of configuring the IPSec Security Policy, the Ping protection effect can be achieved. This method is easy to configure, And the IPSec Security Policy is a built-in function component in Windows, which does not require additional installation, so it is favored by many users. However, I would like to remind you that you should be cautious when using the IPSec Security Policy "anti-Ping.
Why? First, let's take a look at how the IPSec Security Policy "prevents Ping". The principle is to filter out all ICMP packets on the local machine by creating an IPSec Policy. This is indeed an effective "anti-Ping" option, but it also leaves sequelae.
Because the Ping command is closely related to the ICMP protocol (Internet Control and Message Protocal), there are 11 packet formats in ICMP protocol applications, the Ping command uses the "Echo Request" packet in the ICMP protocol to work. However, the IPSec Security Policy uses the "Do Not" method to prevent Ping. All ICMP packets are filtered out, especially many useful messages in other formats. Therefore, some LAN environments with special applications are prone to packet loss, which affects users' normal office work. Therefore, we suggest you use the IPSec Security Policy "Ping protection" with caution ".
Ii. Use third-party firewall tools
We already know the shortcomings of the IPSec Security Policy "Ping protection". To ensure that packets sent by local machines are correctly transmitted to the target host through the network, you can use other more effective methods, such as using the network firewall "anti-Ping ".
For Internet users, using the personal network firewall "Ping protection" is the simplest method. Using this method to prevent Ping does not require complex settings. As long as you correctly configure the firewall's built-in "anti-Ping" rules, you can easily implement "anti-Ping. There are many types of personal network firewalls, and almost all of them can effectively implement "Ping Protection", such as Skynet personal firewall, rising personal network firewall, and Windows Firewall (or ICF, next, I will take Rising's personal network firewall as an example to introduce how to configure the firewall to achieve the goal of "anti-Ping.
After running the main program of Rising's personal network firewall, click "Settings> set rules" in the main window to bring up the "Rising's personal network firewall rule Settings" window, in the rule list, select the "Default ICMP inbound" rule, and double-click the rule to bring up the "rule attributes" dialog box (1). You can set detailed parameters here, select the System option in the "category" box, select the "receive" option in the "direction" box, and select the "ICMP" protocol used by the Ping command in the "protocol" box, select the "Disable" option in the Operation box. Pay attention to the selection of ICMP message types. Switch to the "ICMP Type" tab, select "Echo Request" in the "type" drop-down list box, and click "modify, save settings. In this way, Rising's personal network firewall can filter out the ICMP packet "Echo Request" used by the Ping command, while other useful ICMP packets can pass safely. After completing the preceding settings, the personal network firewall is used to effectively prevent Ping attacks.
Figure 1 setting up the rising Firewall
3. Use the "Routing and Remote Access" component
For LAN users, the personal network firewall is difficult to meet their needs. In this case, you need to use the enterprise-level network firewall to "Prevent Ping", such as ISA 2004, however, for some small LAN, these enterprise-level firewalls are too expensive and unacceptable. In fact, they can be solved by using the "Routing and Remote Access" component of the Windows 2000/Server 2003 Server operating system, this component is built into the Windows system and does not need to be purchased.
The following uses Windows Server 2003 as an example to describe how to use the "route and remote access" component "anti-Ping ". As we all know, the "Routing and Remote Access" component has built-in functions such as route table management, VPN service, and IP packet filtering. By default, in Windows Server 2003, Routing and Remote Access Services are not enabled. On the Windows Server 2003 gateway Server, go to the "Control Panel> Management Tools" window and run the "Routing and Remote Access" tool. In the "Routing and Remote Access" main window, right-click "local" server and choose "configure and enable Routing and Remote Access" from the shortcut menu, in the "route and Remote Access Server Installation Wizard" dialog box, click "Next", select the "custom configuration" option, and then click "Next ", in the following window, select the "LAN Router" option and click "finish.
In the "route and remote access" Main Window, expand the "IP Route Selection> General" option, right-click the network adapter connected to the Internet in the "General" box (2 ), select the "attribute" option and click the "inbound filter" button in the Properties dialog box. After the "inbound filter" dialog box is displayed, select the "receive all data packets that meet the following conditions" option, click the "new" button below to bring up the "add IP Filter" dialog box (3 ), select "ICMP" from the Protocol drop-down list box, enter "8" and "0" in the "ICMP type" and "ICMP code" columns, and click "OK. The ICMP message of the "8" type and ICMP code of the "0" type is the "Echo Request" packet used by the Ping command, and then click "OK, complete the Ping protection settings.
Figure 2 network adapter
Figure 3 add an IP Filter
I have introduced several different anti-Ping methods for different network environments. If you are interested, try them.