Win2000 self-configured anti-ICMP attack and Denial-of-Service

Author: Yi shoulong

ICMP stands for Internet Control Message Protocol, the Internet control message and error-reporting protocol. It works at the network layer alongside IP, and its main purpose is to carry error and status reports between hosts and network devices. The most familiar use of ICMP is the echo request/echo reply exchange, i.e. PING. Here we discuss ICMP attacks and how to defend against them; for the protocol itself, see RFC 792.

Now to the point. The simplest way to prevent ICMP attacks is to block ICMP altogether. We recommend doing this with "Routing and Remote Access" or an "IP Security" filter rather than with the TCP/IP filtering found in the advanced TCP/IP settings, because that filtering does not block ICMP even when you restrict the interface. You can verify this yourself: if you configure the interface to permit only TCP (so UDP and ICMP are not permitted), ICMP messages still get through normally.

The "Routing and Remote Access" method is fairly simple. The service is not started by default, so it must be started first:

1. Open "Routing and Remote Access" in "Administrative Tools" to launch the setup wizard. Select "Manually configured server" and click [Next]. When the system asks "The Routing and Remote Access service is now installed. Do you want to start the service?", click [Yes].

2. Once the service is running, an "IP Routing" branch appears under the computer name. Expand it and click "General"; the server's network connections (NICs) are listed on the right.

3. Right-click the network connection you want to configure and choose "Properties". The connection's properties window has two buttons: "Input Filters" (filters packets received by this server) and "Output Filters" (filters packets sent by this server). Click "Input Filters".

4. In the "Input Filters" window click "Add" to add a filter condition. Choose "ICMP" from the "Protocol" drop-down list, and in the "ICMP type" and "ICMP code" fields that appear enter "255" (255 means all ICMP types and all codes). Click "OK" to return to the "Input Filters" window, where the new entry now appears in the filter list.

5. Confirm all the way out. The filter takes effect immediately, and PING from other computers will fail.

Because ICMP can be used for address spoofing, denial of service, firewall penetration, evading tracing, and many other purposes, users who are connected to the Internet should disable ICMP to prevent ICMP-based attacks.

ICMP flooding is a very effective way to mount a denial of service, but here we focus on the countermeasures Windows 2000 offers. Denial-of-service attacks currently come in two forms: plain denial of service (DoS) and distributed denial of service (DDoS). DDoS attacks need a large number of compromised machines as resources, so they are less common; they usually go hand in hand with worms and are aimed at "big targets". Ordinary network users therefore rarely see them, and what appears among the users around us is the ordinary denial-of-service attack, which Windows 2000 settings can mitigate or avoid.

First, a Windows 2000 system must be patched promptly. Many denial-of-service attacks exploit system vulnerabilities, and patching removes the opportunity. It must be stressed that machines on the LAN also need timely patching, because NetBIOS, the cornerstone of Windows internal networking, requires no authentication and is very unreliable in the face of DoS attacks from within the LAN. Second, the DoS attack risk can be reduced by configuring TCP/IP parameters.

Registry location:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Value name (REG_DWORD)                       Recommended setting

    "SynAttackProtect"                         2
    "TcpMaxHalfOpen"                           100
    "TcpMaxHalfOpenRetried"                    80
    "TcpMaxPortsExhausted"                     1
    "TcpMaxDataRetransmissions"                3
    "TcpMaxConnectResponseRetransmissions"     2
    "EnableDeadGWDetect"                       0
    "EnablePMTUDiscovery"                      0
    "EnableICMPRedirects"                      0
    "KeepAliveTime"                            300000 (milliseconds, i.e. 5 minutes)

The settings above are meant to protect Windows 2000 systems under heavy attack; they may be too conservative for ordinary users.

Parameters under another registry key can also help defend against DoS attacks:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters

    "EnableDynamicBacklog"          dword = 1
    "MinimumDynamicBacklog"         dword = 20
    "MaximumDynamicBacklog"         dword = 20000
    "DynamicBacklogGrowthDelta"     dword = 10
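As an added example (not part of the original article), the following PowerShell script audits both registry keys listed above against the article's recommended values and can apply the ones that differ. The key paths and value names are the article's; the function names Get-DosHardeningReport and Set-DosHardening and the -Apply switch are this example's own. It assumes PowerShell is available on the host being checked (Windows 2000 itself predates PowerShell, where the same values would be entered with regedit or reg.exe).

```powershell
# Added example: audit/apply the article's TCP/IP and AFD anti-DoS parameters.
# Function names and the -Apply switch are this example's own; key paths and
# value names come from the article. Run from an elevated PowerShell session.

$TcpipPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$AfdPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'

# Recommended values, exactly as listed in the article
$Recommended = @{}
$Recommended[$TcpipPath] = @{
    SynAttackProtect                     = 2
    TcpMaxHalfOpen                       = 100
    TcpMaxHalfOpenRetried                = 80
    TcpMaxPortsExhausted                 = 1
    TcpMaxDataRetransmissions            = 3
    TcpMaxConnectResponseRetransmissions = 2
    EnableDeadGWDetect                   = 0
    EnablePMTUDiscovery                  = 0
    EnableICMPRedirects                  = 0
    KeepAliveTime                        = 300000   # milliseconds = 5 minutes
}
$Recommended[$AfdPath] = @{
    EnableDynamicBacklog      = 1
    MinimumDynamicBacklog     = 20
    MaximumDynamicBacklog     = 20000
    DynamicBacklogGrowthDelta = 10
}

function Get-DosHardeningReport {
    # One object per parameter: the current value ('<missing>' when the value is
    # absent, meaning the driver uses its built-in default) and whether it matches.
    foreach ($path in $Recommended.Keys) {
        $current = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        foreach ($name in $Recommended[$path].Keys) {
            $want = $Recommended[$path][$name]
            $have = if ($current -and $current.PSObject.Properties[$name]) {
                        $current.$name
                    } else {
                        '<missing>'
                    }
            [pscustomobject]@{
                Key         = $path
                Name        = $name
                Recommended = $want
                Current     = $have
                Compliant   = ($have -eq $want)
            }
        }
    }
}

function Set-DosHardening {
    # Without -Apply this only reports what would change (a dry run).
    param([switch]$Apply)
    foreach ($row in (Get-DosHardeningReport | Where-Object { -not $_.Compliant })) {
        if ($Apply) {
            if (-not (Test-Path $row.Key)) { New-Item -Path $row.Key -Force | Out-Null }
            # All of these values are REG_DWORD
            New-ItemProperty -Path $row.Key -Name $row.Name -PropertyType DWord `
                             -Value $row.Recommended -Force | Out-Null
            Write-Host ("set {0}\{1} = {2}" -f $row.Key, $row.Name, $row.Recommended)
        } else {
            Write-Host ("would set {0}\{1}: {2} -> {3}" -f $row.Key, $row.Name, $row.Current, $row.Recommended)
        }
    }
}

# Usage: review first, then apply, then reboot so the TCP/IP driver reloads its parameters.
Get-DosHardeningReport | Format-Table -AutoSize
Set-DosHardening            # dry run
# Set-DosHardening -Apply   # write the values
```

Keep the article's caveat in mind when using this: the TCP/IP thresholds are tuned for a system under heavy attack, so review the dry-run output before applying them on an ordinary workstation, and note that the values only take effect after a reboot.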

I think of denial of service as a kind of endless madness. As long as we stick to the two principles above, patch promptly and configure the TCP/IP parameters sensibly, we can withstand most of the crazy behaviour on the Internet.
