FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916
The FortiGate IPS response to ICMP sweep attacks
ICMP sweep attacks
Predefined ICMP signatures
Table 11 describes all the ICMP-related predefined signatures and the default settings for each.
Note: The predefined signature descriptions in Table 11 are accurate as of the IPS Guide publication date. Predefined signatures may be added or changed with each Attack Definition update.
Table 11: Predefined ICMP sweep signatures

| Signature | Description | Default settings |
|---|---|---|
| AddressMask.Request | AddressMask detects broadcast address mask request messages from a host pretending to be part of the network. The default action is to pass but log this traffic because it could be legitimate network traffic on some networks. | Signature enabled; Logging enabled; Action: Pass |
| Broadscan.Smurf.Echo.Request | Broadscan is a hacking tool used to generate and broadcast ICMP requests in a smurf attack. In a smurf attack, an attacker broadcasts ICMP requests on Network A using a spoofed source IP address belonging to Network B. All hosts on Network A send multiple replies to Network B, which becomes flooded. | Signature enabled; Logging enabled; Action: Drop |
| Communication.Administratively.Prohibited.Reply | This signature detects network packets that have been blocked by some kind of filter. The host that blocked the packet sends an ICMP (code 13) Destination Unreachable message notifying the source or apparent source of the filtered packet. Since this signature may be triggered by legitimate traffic, the default action is to pass but log the traffic, so it can be monitored. | Signature enabled; Logging enabled; Action: Pass |
| CyberKit.2.2.Echo.Request | CyberKit 2.2 is Windows-based software used to scan networks. ICMP echo request messages sent using this software contain special characters that identify CyberKit as the source. | Signature enabled; Logging enabled; Action: Pass |
| DigitalIsland.Bandwidth.Query | Digital Island is a provider of content delivery networks. This company sends ICMP pings so they can better map routes for their customers. Use this signature to block their probes. | Signature enabled; Logging enabled; Action: Drop |
| Echo.Reply | This signature detects ICMP echo reply messages responding to ICMP echo request messages. | Signature disabled |
| ISS.Pinger.Echo.Request | ISS is Internet Security Scanner software that can be used to send ICMP echo request messages and other network probes. While this software can be legitimately used to scan for security holes, use the signature to block unwanted scans. | Signature enabled; Logging enabled; Action: Drop |
| Nemesis.V1.1.Echo.Request | Nemesis v1.1 is a Windows- or Unix-based scanning tool. ICMP echo request messages sent using this software contain special characters that identify Nemesis as the source. | Signature enabled; Logging enabled; Action: Drop |
| Oversized.Echo.Request.Packet | This signature detects ICMP packets larger than 32 000 bytes, which can crash a server or cause it to hang. | Signature enabled; Logging enabled; Action: Pass |
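The sketch below is an added example, not Fortinet code. It shows how the protocol-level rows of Table 11 map onto ICMP header fields and how the default actions combine when one packet matches several rows. The match conditions are a simplified reading of the descriptions, and the function names, sample addresses and `local_net` parameter are assumptions. The tool-fingerprint rows (CyberKit, ISS, Nemesis, Digital Island) are left out because the guide does not give their byte patterns, and Echo.Reply is left out because it is disabled by default.

```python
import ipaddress
import struct

# Default actions copied from Table 11. The match conditions are a simplified
# reading of the table's descriptions, not Fortinet's signature logic.
DEFAULT_ACTION = {
    "AddressMask.Request": "pass",
    "Broadscan.Smurf.Echo.Request": "drop",
    "Communication.Administratively.Prohibited.Reply": "pass",
    "Oversized.Echo.Request.Packet": "pass",
}
OVERSIZE_BYTES = 32000  # threshold stated in the table

def classify(packet: bytes, local_net: str) -> list:
    """Return the Table 11 rows a reassembled IPv4 packet would match."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return []                                  # not IPv4 or not ICMP
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or total_len < ihl + 8:
        return []                                  # malformed or truncated
    dst = ipaddress.IPv4Address(packet[16:20])
    net = ipaddress.ip_network(local_net)
    broadcast = dst in (net.broadcast_address,
                        ipaddress.IPv4Address("255.255.255.255"))
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    hits = []
    if icmp_type == 17 and broadcast:              # address mask request
        hits.append("AddressMask.Request")
    if icmp_type == 8 and broadcast:               # echo request to broadcast
        hits.append("Broadscan.Smurf.Echo.Request")
    if icmp_type == 8 and total_len - ihl > OVERSIZE_BYTES:
        hits.append("Oversized.Echo.Request.Packet")
    if icmp_type == 3 and icmp_code == 13:         # administratively prohibited
        hits.append("Communication.Administratively.Prohibited.Reply")
    return hits

def verdict(hits: list) -> str:
    """Drop if any matched row defaults to Drop; otherwise pass."""
    return "drop" if any(DEFAULT_ACTION[h] == "drop" for h in hits) else "pass"

def sample_packet(dst: str, icmp_type: int, code: int = 0, payload: int = 56) -> bytes:
    """Build a constructed IPv4+ICMP test packet (checksums left at zero)."""
    total = 20 + 8 + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!BBHI", icmp_type, code, 0, 0) + bytes(payload)
```

A packet that matches both a Pass row and a Drop row, such as an oversized echo request sent to the broadcast address, is dropped in this sketch; how the FortiGate unit itself resolves multiple matches is not stated on this page.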