shotgun
ICMP stands for Internet Control Message Protocol, the Internet control message / error report protocol. It is used mainly to carry error and control information; the well-known Ping and Tracert tools, for example, work with the ICMP ECHO request message (the request is ICMP ECHO, type 8 code 0; the reply is ICMP ECHOREPLY, type 0 code 0).
ICMP has one notable characteristic: it is connectionless. As soon as the sender has assembled an ICMP message and handed it to the router, the message finds its own way to the destination address like a parcel in the mail. That makes ICMP flexible and fast, but it also brings a fatal weakness: it is easy to forge (the sender's address on a parcel can be written however you like). Anyone can forge an ICMP message and send it; with SOCK_RAW programming the forger rewrites the ICMP header and the IP header directly, so the message carries a faked source address that the destination has no way to trace (and an attacker who has no fear of being caught has nothing to hold them back). Based on this principle, plenty of ICMP-based attack tools have appeared: some create ICMP storms by exploiting flaws in network architecture, some clog the network with very large messages, some use ICMP fragmentation attacks to eat up server CPU, and if ICMP is used as a communication channel one can even build a Trojan that needs no TCP/UDP port at all (see the related article)... Since ICMP is this dangerous, why not just turn it off?
We all know that Win2000 ships with a TCP/IP filter in the network properties; let us see whether ICMP can be turned off there. On the desktop right-click My Network Places -> Properties -> right-click the network adapter you want to configure -> Properties -> TCP/IP -> Advanced -> Options -> TCP/IP filtering. There are three filters: TCP ports, UDP ports and IP protocols. First enable TCP/IP filtering, then configure them one at a time. Start with TCP ports: click "Permit only" and add the ports you need to open below. In general a web server only needs 80 (www), an FTP server needs 20 (FTP Data) and 21 (FTP Control), a mail server may need 25 (SMTP) and 110 (POP3), and so on. Next comes UDP. Like ICMP, UDP is connectionless and just as easy to forge, so unless it is really needed (for example to serve DNS over UDP) you should permit none at all, to avoid flood or fragment attacks.
The rightmost edit box defines the IP protocol filter. We choose to permit only TCP by adding 6 (6 is TCP's protocol number within IP, IPPROTO_TCP=6). In principle, if only TCP is permitted then neither UDP nor ICMP should get through. Unfortunately, the IP protocol filter here means IP in the narrow sense: architecturally ICMP and IGMP are auxiliary protocols of IP, but in the seven-layer model ICMP/IGMP sit at the same layer as IP, so Microsoft's IP protocol filter does not cover ICMP. In other words, even with "permit only TCP" set, ICMP messages still pass normally, so if we want to filter ICMP we need another way.
While we were setting up TCP/IP filtering there was another option, IP security (IP Security); this is where our plan to filter ICMP will land.
Open Local Security Policy and select IP Security Policies; here we can define our own IP security policy.
An IP security filter consists of two parts: a filter list and a filter action. The filter list decides which packets the filter should pay attention to; the filter action decides whether the filter "permits" or "blocks" those packets. To create a new IP security filter you must create your own filter list and filter action. Right-click IP Security Policies on Local Machine and choose Manage IP filter lists and filter actions. In the IP filter list tab create a new filter rule, ICMP_ANY_IN: source address Any IP address, destination address My IP address, protocol type ICMP. Switch to the Manage Filter Actions tab and add an action named Deny whose type is "Block". Now we have a filter list that catches every incoming ICMP message and a filter action that drops them. Note that the address settings contain a "Mirrored" option. If you select it, a symmetric filter is created as well: when you match any IP -> my IP, the mirror means you also match my IP -> any IP. Select or drop mirroring according to your needs.
Right-click IP Security Policies on Local Machine again and choose Create IP Security Policy; create a policy named ICMP Filter. Using the Add Filter Rule wizard, assign the ICMP_ANY_IN filter list we just defined to ICMP Filter, then in the filter action box choose the Deny action we just defined and exit the wizard. Right-click ICMP Filter and assign (enable) it; from now on incoming ICMP messages from any address are dropped.
IPsec can filter ICMP messages, but it is cumbersome to operate, and if you only need to filter particular ICMP messages while keeping some commonly used ones (such as host unreachable, network unreachable and so on), an IPsec policy is out of its depth. Another powerful Win2000 tool, Routing and Remote Access, can carry out these more complex filtering operations.
Routing and Remote Access is the Win2000 tool for managing the routing table, configuring VPNs, controlling remote access and filtering IP packets. It is not enabled by default, so first you need to enable it: open "Administrative Tools" -> "Routing and Remote Access", right-click the server (add the local machine if it is not listed) and choose "Configure and Enable Routing and Remote Access". The wizard asks what kind of server this is; in general, if you do not need a VPN server, "Manually configured server" is fine. Once configuration is complete an IP Routing item appears under the host. Under "General" choose the adapter you want to configure (if you have several network cards you can choose to turn off ICMP on just one of them), click "Input Filters" in the adapter properties and add one filter: "from: ANY to: ANY protocol: ICMP type: 8 code: 0, drop". That is all (type 8 code 0 is the ICMP_ECHO message used by Ping; to filter all ICMP messages set both type and code to 255).
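To make the two filter styles above concrete, here is an added example (my own code, not the article's; Win2000 itself only exposes these rules through the GUI): a toy IPv4/ICMP packet filter that models the RRAS input filter "from ANY to ANY, protocol ICMP, type 8, code 0, drop" (with 255 as the type/code wildcard) and the IPsec filter list ICMP_ANY_IN with its "Mirrored" option. It also parses and checksums the ICMP header so you can see where type 8 code 0 (echo request) and type 0 code 0 (echo reply) live in the packet. The addresses and sample packets are constructed for the demonstration.

```python
# Added example, not the article's code: a toy IPv4/ICMP packet filter that models
# the two rules the article builds in the Windows 2000 GUI: the RRAS input filter
# "from ANY to ANY, protocol ICMP, type 8, code 0, drop" (type/code 255 = any) and
# the IPsec filter list ICMP_ANY_IN with its "Mirrored" option. Addresses are constructed.
import struct
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

IPPROTO_ICMP, IPPROTO_TCP = 1, 6   # 6 is the value the article adds to the IP protocol list
ICMP_ECHOREPLY, ICMP_DEST_UNREACH, ICMP_ECHO = 0, 3, 8   # reply to ping, unreachable, ping
ANY = 255                          # type/code wildcard, as in the article's RRAS filter
MY_IP, PEER = "192.0.2.10", "198.51.100.7"   # constructed: protected host, remote host


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum, shared by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(itype: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """ICMP header: type, code, checksum, 4-byte 'rest of header' (id/seq for echo)."""
    hdr = struct.pack("!BBHI", itype, code, 0, rest)
    return struct.pack("!BBHI", itype, code, ones_complement_checksum(hdr + payload), rest) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:] + payload


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def parse(raw: bytes) -> Packet:
    """Extract what a filter needs; malformed ICMP is rejected rather than guessed at."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    pkt = Packet(str(ip_address(raw[12:16])), str(ip_address(raw[16:20])), raw[9])
    if pkt.proto == IPPROTO_ICMP:
        body = raw[ihl:]
        if len(body) < 8:
            raise ValueError("truncated ICMP header")
        if ones_complement_checksum(body) != 0:   # a header with a correct checksum sums to 0
            raise ValueError("bad ICMP checksum")
        pkt.icmp_type, pkt.icmp_code = body[0], body[1]
    return pkt


@dataclass
class DropRule:
    src: str = "ANY"
    dst: str = "ANY"
    proto: int = IPPROTO_ICMP
    icmp_type: int = ANY
    icmp_code: int = ANY
    mirrored: bool = False   # IPsec "Mirrored": the reverse direction matches too

    def _addrs(self, pkt: Packet, src: str, dst: str) -> bool:
        return src in ("ANY", pkt.src) and dst in ("ANY", pkt.dst)

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if not (self._addrs(pkt, self.src, self.dst)
                or (self.mirrored and self._addrs(pkt, self.dst, self.src))):
            return False
        if pkt.proto == IPPROTO_ICMP:
            if self.icmp_type != ANY and self.icmp_type != pkt.icmp_type:
                return False
            if self.icmp_code != ANY and self.icmp_code != pkt.icmp_code:
                return False
        return True


def verdict(rules, raw: bytes) -> str:
    """RRAS style 'receive all packets except those below': any matching rule drops."""
    pkt = parse(raw)
    return "drop" if any(r.matches(pkt) for r in rules) else "pass"


BLOCK_PING = DropRule(icmp_type=ICMP_ECHO, icmp_code=0)     # the article's RRAS filter
BLOCK_ALL_ICMP = DropRule()                                  # type 255, code 255
ICMP_ANY_IN = DropRule(dst=MY_IP)                            # the article's IPsec filter list
ICMP_ANY_IN_MIRRORED = DropRule(dst=MY_IP, mirrored=True)   # same, with Mirrored ticked

# constructed sample traffic
PING_IN = build_ipv4(PEER, MY_IP, IPPROTO_ICMP, build_icmp(ICMP_ECHO, 0, 0x12340001, b"abc"))
PING_OUT = build_ipv4(MY_IP, PEER, IPPROTO_ICMP, build_icmp(ICMP_ECHO, 0, 0x12340002, b"abc"))
HOST_UNREACH_IN = build_ipv4(PEER, MY_IP, IPPROTO_ICMP, build_icmp(ICMP_DEST_UNREACH, 1))
TCP_IN = build_ipv4(PEER, MY_IP, IPPROTO_TCP, bytes(20))
```

Calling `verdict([BLOCK_PING], PING_IN)` returns "drop" while the same rule passes an echo reply, a host-unreachable message and TCP traffic, which is exactly the selectivity the article wants from RRAS and cannot get from the IPsec list; `verdict([ICMP_ANY_IN_MIRRORED], PING_OUT)` shows the Mirrored option turning an inbound-only filter into one that also catches the host's own outgoing ICMP. The checksum check in `parse` is the defensive detail: a filter that reads type and code from a packet it has not validated is easier to confuse than one that rejects malformed headers outright.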
Attentive readers may have noticed that below the input and output filters there is also a "fragmentation check" function. It is used to cope with IP fragmentation attacks, which is outside the scope of this article; I will come back to it with you in a later article on denial-of-service attacks. Win2000 Routing and Remote Access is a very powerful toolset; if you study it carefully you are sure to discover more features and tricks. If you have any insights, please do not hesitate to tell me; my e-mail address is Shotgun@xici.net.