background image

FortiGate IPS User Guide Version 3.0 MR7

56

01-30007-0080-20080916

The FortiGate IPS response to ICMP sweep attacks

ICMP sweep attacks

Predefined ICMP signatures

Table 11

 describes all the ICMP-related predefined signatures and the default 

settings for each. 

Note: 

The predefined signature descriptions in 

Table 11

 are accurate as of the IPS Guide 

publication date. Predefined signatures may be added or changed with each Attack Definition 
update.

Table 11: Predefined ICMP sweep signatures

Signature

Description

Default settings

AddressMask.
Request

AddressMask detects broadcast address mask 

request messages from a host pretending to be 

part of the network. The default action is to 

pass but log this traffic because it could be 

legitimate network traffic on some networks.

Signature enabled
Logging enabled
Action: Pass

Broadscan.Smurf.
Echo.Request

Broadscan is a hacking tool used to generate 

and broadcast ICMP requests in a smurf 

attack. In a smurf attack, an attacker 

broadcasts ICMP requests on Network A using 

a spoofed source IP address belonging to 

Network B. All hosts on Network A send 

multiple replies to Network B, which becomes 

flooded.

Signature enabled
Logging enabled
Action: Drop

Communication.
Administratively.
Prohibited.Reply

This signature detects network packets that 

have been blocked by some kind of filter. The 

host that blocked the packet sends an ICMP 

(code 13) Destination Unreachable message 

notifying the source or apparent source of the 

filtered packet. Since this signature may be 

triggered by legitimate traffic, the default action 

is to pass but log the traffic, so it can be 

monitored.

Signature enabled
Logging enabled
Action: Pass

CyberKit.2.2.
Echo.Request

CyberKit 2.2 is Windows-based software used 

to scan networks. ICMP echo request 

messages sent using this software contain 

special characters that identify Cyberkit as the 

source.

Signature enabled
Logging enabled
Action: Pass

DigitalIsland.
Bandwidth.Query

Digital Island is a provider of content delivery 

networks. This company sends ICMP pings so 

they can better map routes for their customers. 

Use this signature to block their probes.

Signature enabled
Logging enabled
Action: Drop

Echo.Reply

This signature detects ICMP echo reply 

messages responding to ICMP echo request 

messages. 

Signature disabled

ISS.Pinger.Echo.
Request

ISS is Internet Security Scanner software that 

can be used to send ICMP echo request 

messages and other network probes. While 

this software can be legitimately used to scan 

for security holes, use the signature to block 

unwanted scans.

Signature enabled
Logging enabled
Action: Drop

Nemesis.V1.1.
Echo.Request

Nemesis v1.1 is a Windows- or Unix-based 

scanning tool. ICMP echo request messages 

sent using this software contain special 

characters that identify Nemesis as the source.

Signature enabled
Logging enabled
Action: Drop

Oversized.Echo.
Request.Packet

This signature detects ICMP packets larger 

than 32 000 bytes, which can crash a server or 

cause it to hang. 

Signature enabled
Logging enabled
Action: Pass

Summary of Contents for FortiGate 3.0 MR7

Page 1: ...www fortinet com FortiGate IPS User Guide Version 3 0 MR7 U S E R G U I D E...

Page 2: ...Fortinet Inc Trademarks Dynamic Threat Prevention System DTPS APSecure FortiASIC FortiBIOS FortiBridge FortiClient FortiGate FortiGate Unified Threat Management System FortiGuard FortiGuard Antispam F...

Page 3: ...g the buffer size 11 Monitoring the network and dealing with attacks 11 Configuring logging and alert email 11 Attack log messages 12 The FortiGuard Center 13 Using IPS sensors in a protection profile...

Page 4: ...s 45 Viewing the DoS sensor list 46 Configuring DoS sensors 46 Understanding the anomalies 48 SYN flood attacks 51 What is a SYN flood attack 51 How SYN floods work 51 The FortiGate IPS Response to SY...

Page 5: ...g corporate networks An attack or intrusion can be launched to steal confidential information force a costly web site crash or use network resources to launch other attacks The FortiGate IPS detects i...

Page 6: ...FortiGate QuickStart Guide Provides basic information about connecting and installing a FortiGate unit Note Highlights useful additional information Caution Warns you about commands or procedures tha...

Page 7: ...nformation about the log messages that are generated by FortiGate units FortiGate High Availability User Guide Contains in depth information about the FortiGate high availability feature and the Forti...

Page 8: ...nter at http kc forticare com Comments on Fortinet technical documentation Please send information about any errors or omissions in this document or any Fortinet technical documentation to techdoc for...

Page 9: ...common attacks Both the IPS predefined signatures and the IPS engine are upgraded through the FortiGuard Distribution Network FDN These upgrades provide the latest protection against IM P2P and other...

Page 10: ...und required to configure the thresholds and other IPS settings In addition the other protection features in the FortiGate unit such as antivirus including grayware spam filters and web filters offer...

Page 11: ...comprehensive Attack Encyclopedia to help decide what actions to take to further protect the network This section describes Configuring logging and alert email Attack log messages The FortiGuard Cent...

Page 12: ...erval is reached the messages are combined and sent out as one alert email Message ID 70000 Severity Alert Message attack_id value_attack_id src ip_address dst ip_address src_port port_num dst_port po...

Page 13: ...lert Message attack_id value_attack_id src ip_address dst ip_address src_port port_num dst_port port_num interface interface_name src_int interface_name dst_int interface_name status clear_session det...

Page 14: ...eating a protection profile that uses IPS sensors To create a protection profile using the web based manager 1 Go to Firewall Protection Profile 2 Select Create New Figure 2 New Protection Profile 3 E...

Page 15: ...to user groups When creating a user group select a protection profile that applies to that group Then when configuring a firewall policy that includes user authentication select one or more user group...

Page 16: ...FortiGate IPS User Guide Version 3 0 MR7 16 01 30007 0080 20080916 Using IPS sensors in a protection profile IPS overview and general configuration...

Page 17: ...define which signatures are included in your IPS sensors The signature list also displays the default action the default logging status and whether the signature is enabled by default To view the pred...

Page 18: ...re Severity The severity rating of the signature The severity levels from lowest to highest are Information Low Medium High and Critical Target The target of the signature Servers clients or both Prot...

Page 19: ...uld also review exactly how you use the information provided by the logging feature If you find that you do not review the information it is best to turn off IPS logging Logging is best used to provid...

Page 20: ...FortiGate IPS User Guide Version 3 0 MR7 20 01 30007 0080 20080916 Viewing the predefined signature list Predefined signatures...

Page 21: ...he custom signature list Custom signature configuration Creating custom signatures IPS custom signatures The FortiGate predefined signatures cover common attacks If an unusual or specialized applicati...

Page 22: ...Edit icon to edit a custom signature Figure 5 Edit Custom Signature 3 Enter a name for the custom signature 4 Enter the Signature 5 Select OK Adding custom signatures using the CLI After adding the c...

Page 23: ...uired within the 512 character limit Custom signature fields Table 1shows the valid characters for custom signature fields Table 1 Valid characters for custom signature fields Field Valid Characters U...

Page 24: ...ffer_Overflow Table 3 Session keywords Keyword and value Description flow from_client from_server bi_direction Specify the traffic direction and state to be inspected They can be used for all IP traff...

Page 25: ...rn matches to take into account numerical values found in network data The available keyword options include bytes_to_convert The number of bytes to examine from the packet offset The number of bytes...

Page 26: ...ents within the specified number of bytes after the starting point defined by the offset keyword If no offset is specified the offset is assumed to be equal to 0 If the value of the depth keyword is s...

Page 27: ...atch offset offset_int The FortiGate unit starts looking for the contents the specified number of bytes into the payload The specified number of bytes is an absolute value in the payload Follow the of...

Page 28: ...e as E Set to match only at the end of the subject string Without E also matches immediately before the final character if it is a newline but not before any other newlines G Invert the greediness of...

Page 29: ...Check if IP NOP no op option is present ts Check if IP TS time stamp option is present sec Check if IP SEC IP security option is present lsrr Check if IP LSRR loose source routing option is present ss...

Page 30: ...e specified port and all lower numbered ports port_int includes the specified port and all higher numbered ports port_int port_int includes the two specified ports and all ports in between seq seq_int...

Page 31: ...nes the bits that must present for a successful match For example tcp_flags AP only matches the case where both A and P bits are set The second part FSRPAU120 is optional and defines the additional bi...

Page 32: ...er numbered ports port_int port_int includes the two specified ports and all ports in between Table 8 ICMP keywords Keyword and Value Usage icmp_code code_int Specify the ICMP code to match icmp_id id...

Page 33: ...e name value in double quotes F SBID name Block example com The signature as it appears here will not do anything if used It has a name but doesn t look for any patterns in network traffic You must sp...

Page 34: ...pattern example com service HTTP no_case Unlike all of the other keywords in this example the no_case keyword has no value Only the keyword is required 7 Limiting pattern scans to only traffic sent f...

Page 35: ...Use the name keyword to assign the custom signature a name The name value follows the keyword after a space Enclose the name value in double quotes F SBID name Block SMTP VRFY CMD The signature as it...

Page 36: ...ic 6 Ignoring case sensitivity By default patterns are case sensitive If a user directed his or her browser to Example com the custom signature would not recognize the URL as a match Use the no_case k...

Page 37: ...nitors the HTTP traffic to identify any HTTP packets that do not meet the HTTP protocol standards On the Intrusion Protection Signature Protocol Decoder page you can view the decoders and the port num...

Page 38: ...ol decoder list Protocol decoders Viewing the protocol decoder list To view the decoder list go to Intrusion Protection Signature Protocol Decoder Figure 6 The protocol decoder list Protocols The prot...

Page 39: ...ifications will automatically be included in those filters For example if you have a filter that includes all signatures for the Windows operating system your filter will automatically incorporate new...

Page 40: ...ignature specified in a filter A signature override can also add a signature not specified in the sensor s filters Custom signatures are included in an IPS sensor using overrides The signatures in the...

Page 41: ...the attack The targets are client and server Protocol The protocols to which the signatures apply Examples include HTTP POP3 H323 and DNS OS The operating systems to which the signatures apply Applica...

Page 42: ...the window that appears and select OK View Rules icon Open a window listing all of the signatures included in the filter Add Pre defined Override Select to create an override based on a pre defined si...

Page 43: ...d as info pose a much smaller threat Target Select All or select Specify and then the type of systems targeted by the attack The choices are server or client OS Select All or Select Specify and then s...

Page 44: ...K Enable Select to enable the signature override Action Select one of Pass Block or Reset When the override is enabled the action determines what the FortiGate will do with traffic containing the spec...

Page 45: ...ach sensor examines the network traffic in sequence from top to bottom When a sensor detects an anomaly it applies the configured action Multiple sensors allow great granularity in detecting anomalies...

Page 46: ...to create a new DoS sensor Create New Add a new DoS sensor to the bottom of the list ID A unique identifier for each DoS sensor The ID does not indicate the sequence in which the sensors examine netw...

Page 47: ...n the header row will enable sensing of all anomalies Logging Select the check box to enable the DoS sensor to log when the anomaly occurs Selecting the check box in the header row will enable logging...

Page 48: ...ination address destination port and source address select Add to add protected address to the Protected Addresses list The DoS sensor will be invoked only on traffic matching all three of the entered...

Page 49: ...s the configured threshold value the action is executed udp_dst_session If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value the action is e...

Page 50: ...FortiGate IPS User Guide Version 3 0 MR7 50 01 30007 0080 20080916 Understanding the anomalies DoS sensors...

Page 51: ...full it is not possible to establish any new connections and the web site on the server becomes inaccessible This section provides information about SYN flood attacks and the FortiGate IPS methods of...

Page 52: ...PS proxy device synthesizes and sends the SYN ACK packet back to the originator and waits for the final ACK packet After the proxy device receives the ACK packet from the originator the IPS device the...

Page 53: ...d detection Since the pseudo SYN proxy in the IPS uses a best effect algorithm to determine whether a TCP connection is legitimate or not some legitimate connections may be falsely detected as incompl...

Page 54: ...the syn_flood anomaly Suggested settings for different network conditions The main setting that impacts the efficiency of the pseudo SYN proxy in detecting SYN floods is the threshold value The defaul...

Page 55: ...uests or other ICMP messages that require a reply to multiple addresses on the target network Live hosts will reply with an ICMP echo or other reply message An ICMP sweep basically works the same as s...

Page 56: ...message notifying the source or apparent source of the filtered packet Since this signature may be triggered by legitimate traffic the default action is to pass but log the traffic so it can be monito...

Page 57: ...network scanning tool for Windows from Foundstone Inc Superscan could be used maliciously to perform an ICMP sweep ICMP echo request messages sent using this software contain special characters that...

Page 58: ...3 Configure the options for icmp_sweep icmp_src_session and icmp_dst_session 4 Select OK Suggested settings for different network conditions Enable or disable the ICMP predefined signatures depending...

Page 59: ...rvice 8 Fortinet documentation 6 Fortinet Knowledge Center 8 FortiProtect Attack Encyclopedia 13 FortiProtect center 13 I ICMP attack signatures 56 ICMP sweep anomalies 57 configuring protection 58 in...

Page 60: ...FortiGate Version 3 0 MR7 IPS User Guide 60 01 30007 0080 20080916 Index T technical support 8...

Page 61: ...www fortinet com...

Page 62: ...www fortinet com...

Reviews: