ICMP sweep attacks
FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916
This section describes:
• What is an ICMP sweep?
• How ICMP sweep attacks work
• The FortiGate IPS response to ICMP sweep attacks
• Configuring ICMP sweep protection
• Suggested settings for different network conditions
What is an ICMP sweep?
ICMP (Internet Control Message Protocol) is a companion protocol to IP. It is
used mainly to report errors such as unreachable destinations and routing
problems, and for diagnostics such as ping. An ICMP sweep is not itself an
attack on any host; it is a reconnaissance step that scans a target network to
discover which hosts are live, so that those hosts can be probed further and
attacked later.
Attackers use automated tools that send a request to every address in the
target network's range and build a map of the hosts that respond, which they
then use to plan an attack.
How ICMP sweep attacks work
An ICMP sweep is performed by sending ICMP echo requests (ICMP type 8), or
other ICMP messages that require a reply such as timestamp requests (type 13)
or address mask requests (type 17), to many addresses on the target network. A
live host that receives such a request normally answers with the matching reply
message (for a ping, an echo reply, type 0). An ICMP sweep is therefore the
same as pinging many addresses in turn: every address that answers is a live
host connected to the target network, and the attacker uses the resulting list
to plan further probing and attacks. Note that a host that does not answer is
not necessarily down; it may be up but configured, or shielded by a firewall,
to drop ICMP requests, so a sweep maps the hosts that respond rather than all
hosts.
There are several ways of doing an ICMP sweep depending on the source
operating system, and attackers have many automated network scanning tools
available for probing target networks.
The FortiGate IPS response to ICMP sweep attacks
The FortiGate IPS provides predefined signatures to detect a variety of ICMP
sweep methods. Each signature can be configured to pass, drop, or clear the
session, and each signature can be configured to log when it is triggered.
Create custom signatures to block attacks specific to the network that are not
covered by the predefined signature list.
The FortiGate IPS also has an ICMP sweep anomaly setting with a configurable
threshold. Because an anomaly setting is triggered by the volume of ICMP
traffic rather than by matching a known pattern, it can catch sweeps that use
a method not covered by any signature.
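As an added example (not code from the FortiGate IPS guide or from Fortinet), the following Python script ties together the two passages above. It simulates the attacker's sweep as a list of constructed (timestamp, source, destination, ICMP type) records, shows the map of live hosts the attacker recovers from the replies, and runs a simple threshold detector of the kind that an ICMP sweep anomaly setting represents. All addresses, the set of live hosts, the traffic timing, and the detector's measure (distinct destinations per source within a time window) are assumptions for illustration; the guide does not say how the FortiGate counter is defined, and nothing in the script touches the network.

```python
"""Simulated ICMP sweep plus a window-based sweep detector.

Added example, not FortiGate code. Packets are plain
(timestamp, src, dst, icmp_type) tuples; nothing is transmitted.
"""
import ipaddress
from collections import defaultdict, deque

# ICMP request types that a live host answers, mapped to the matching
# reply type (RFC 792): echo 8/0, timestamp 13/14, information 15/16,
# address mask 17/18.
ICMP_REPLY_TYPE = {8: 0, 13: 14, 15: 16, 17: 18}

# Constructed set of hosts that are up and do not filter ICMP (assumption).
LIVE_HOSTS = {"192.0.2.1", "192.0.2.10", "192.0.2.250"}


def sweep_packets(src, network, icmp_type=8, start=0.0, interval=0.01):
    """Return the requests a sweep of `network` sends from `src`: one
    request per host address, `interval` seconds apart (simulated)."""
    return [(start + i * interval, src, str(host), icmp_type)
            for i, host in enumerate(ipaddress.ip_network(network).hosts())]


def replies(requests, live_hosts=LIVE_HOSTS):
    """Only live, unfiltered hosts answer; every other address stays silent."""
    return [(ts + 0.001, dst, src, ICMP_REPLY_TYPE[t])
            for ts, src, dst, t in requests
            if dst in live_hosts and t in ICMP_REPLY_TYPE]


def build_traffic():
    """Constructed traffic: an echo-request sweep of a /24, a slower
    timestamp-request sweep of a /26, and one benign monitoring host that
    pings a single server 300 times."""
    requests = []
    requests += sweep_packets("203.0.113.7", "192.0.2.0/24", icmp_type=8)
    requests += sweep_packets("198.51.100.9", "192.0.2.0/26",
                              icmp_type=13, interval=0.2)
    requests += [(i * 0.05, "192.0.2.250", "192.0.2.1", 8) for i in range(300)]
    return requests + replies(requests)


def map_live_hosts(packets, scanner):
    """The attacker's view: every address that answered `scanner` with a
    reply message. Silent (down or filtered) hosts never appear here."""
    return {src for _, src, dst, t in packets
            if dst == scanner and t in ICMP_REPLY_TYPE.values()}


def detect_sweeps(packets, threshold=20, window=10.0):
    """Flag a source once it has sent ICMP requests to more than
    `threshold` distinct destinations within any `window` seconds
    (assumed measure; the real FortiGate counter is not documented here).
    Returns {src: (distinct_destinations_at_trigger, trigger_time)}."""
    recent = defaultdict(deque)          # src -> (ts, dst), oldest first
    alerts = {}
    for ts, src, dst, icmp_type in sorted(packets):
        if icmp_type not in ICMP_REPLY_TYPE:
            continue                     # replies and errors never count
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:     # drop entries older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > threshold and src not in alerts:
            alerts[src] = (distinct, ts)
    return alerts


if __name__ == "__main__":
    traffic = build_traffic()
    for scanner in ("203.0.113.7", "198.51.100.9"):
        print(scanner, "learned live hosts:",
              sorted(map_live_hosts(traffic, scanner)))
    for src, (n, ts) in detect_sweeps(traffic).items():
        print(f"sweep from {src}: {n} distinct targets by t={ts:.2f}s")
```

Two points the script makes concrete. First, the detector counts distinct destinations rather than packets, so the monitoring host that pings one server hundreds of times is never flagged, while both sweeps are flagged after their 21st target. Second, the window matters as much as the threshold: with a 1-second window the slow timestamp-request sweep (one request every 200 ms) never accumulates enough targets and is missed, which is why a threshold has to be chosen against the expected pace of a scan and not only against normal traffic volume.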