Ping Blocking: How to do? How to break?

How to Break

To answer your question about 'how to break' - the easiest way is to use a 'ping' program that uses other protocols than ICMP and/or other options.

hping3 is in Backtrack/Kali (you said you used Backtrack/Kali, but hping3 is available for download), and it allows you to use TCP and UDP pings, and it allows you to use other ICMP types for pings.

TCP ping to port 80:

> hping3 -S xxx.xxx.xxx.xxx -p 80 -c 1

UDP ping to port 53:

> hping3 -2 xxx.xxx.xxx.xxx -p 53 -c 1

ICMP ping using the 'timestamp' type:

> hping3 -1 xxx.xxx.xxx.xxx -C 13 -c 1

Other tutorials for hping here.

Why it works

The typical 'ping' program uses a predefined ICMP echo request. This is very useful for diagnostics, but it is also easy to predict and block. As you can see, there are other ways to get the same functionality of ping by using other protocols and ICMP types.

How do you block?

If you want to block the normal ping program, you block ICMP echo requests at the firewall. But, hping3 uses valid processes in the protocols you need to serve webpages, which means that you can't block it. If you want block even hping, then you would have to block hosts from your firewall, which is likely not something you want to do with a website you want to be publicly accessible. (Actually, there is a way to block the use of hping, but the user of hping would have to use the stock or invalid protocol settings of hping. With more networking knowledge, it would be impossible to block.)

What you need to know

It is important to understand that the issue here was not with your understanding of the tools available, but with your understanding of networking protocols. You will be a better network security person by reading things like TCP/IP Illustrated. By knowing what ping did, and what protocols it used, you would have been able to answer your own question.


Ping uses Internet Control Message Protocol, this also is used for other errors and stuff like preventing a packet ending up in an infinite loop around a group of routers. By blocking ICMP Echo Request packets or just not responding to them you can block a ping without blocking all other control codes.

Traceroute usually uses an echo request but sets the TTL (a number on all IP packets that is decreased each hop 'till 0 where router replies with an error) and awaits the error increasing the TTL by one to get the next hop 'till it gets a successful response or hits 30 hops (by default), to block this one has to be careful not to break the net by blocking legitimate errors.

TCP (with HTTP on top) is what one uses for and talking to websites, the only time ICMP would come into it is if a legitimate error happens like it ends up on a loop path and the packet TTL hits 0. Past that if all is working one would not even notice there is an issue by blocking all ICMP at the end point.


As explained by other members, for best results you need to try other protocols over possible open doors and try firewall/ids evasion (e.g fragment packets).

This 'search' can be most effective using tools such as nmap eg:

nmap -sP -PE -PP -PS21,23,25,80,113,31339 -PA80,113,443,1042 -T4

where

-PE echo request

-PP timestamp request

-PS n tcp syn ping

-PA n tcp ack ping

-T3 normal -T4 agressive -T5 insane (danger)

If you want, you can execute a traceroute too, just add --traceroute. :)

Tags:

Ip

Routing

Ping