background image

FortiGate IPS User Guide Version 3.0 MR7

56

01-30007-0080-20080916

The FortiGate IPS response to ICMP sweep attacks

ICMP sweep attacks

Predefined ICMP signatures

Table 11

 describes all the ICMP-related predefined signatures and the default 

settings for each. 

Note: 

The predefined signature descriptions in 

Table 11

 are accurate as of the IPS Guide 

publication date. Predefined signatures may be added or changed with each Attack Definition 
update.

Table 11: Predefined ICMP sweep signatures

Signature

Description

Default settings

AddressMask.
Request

AddressMask detects broadcast address mask 

request messages from a host pretending to be 

part of the network. The default action is to 

pass but log this traffic because it could be 

legitimate network traffic on some networks.

Signature enabled
Logging enabled
Action: Pass

Broadscan.Smurf.
Echo.Request

Broadscan is a hacking tool used to generate 

and broadcast ICMP requests in a smurf 

attack. In a smurf attack, an attacker 

broadcasts ICMP requests on Network A using 

a spoofed source IP address belonging to 

Network B. All hosts on Network A send 

multiple replies to Network B, which becomes 

flooded.

Signature enabled
Logging enabled
Action: Drop

Communication.
Administratively.
Prohibited.Reply

This signature detects network packets that 

have been blocked by some kind of filter. The 

host that blocked the packet sends an ICMP 

(code 13) Destination Unreachable message 

notifying the source or apparent source of the 

filtered packet. Since this signature may be 

triggered by legitimate traffic, the default action 

is to pass but log the traffic, so it can be 

monitored.

Signature enabled
Logging enabled
Action: Pass

CyberKit.2.2.
Echo.Request

CyberKit 2.2 is Windows-based software used 

to scan networks. ICMP echo request 

messages sent using this software contain 

special characters that identify Cyberkit as the 

source.

Signature enabled
Logging enabled
Action: Pass

DigitalIsland.
Bandwidth.Query

Digital Island is a provider of content delivery 

networks. This company sends ICMP pings so 

they can better map routes for their customers. 

Use this signature to block their probes.

Signature enabled
Logging enabled
Action: Drop

Echo.Reply

This signature detects ICMP echo reply 

messages responding to ICMP echo request 

messages. 

Signature disabled

ISS.Pinger.Echo.
Request

ISS is Internet Security Scanner software that 

can be used to send ICMP echo request 

messages and other network probes. While 

this software can be legitimately used to scan 

for security holes, use the signature to block 

unwanted scans.

Signature enabled
Logging enabled
Action: Drop

Nemesis.V1.1.
Echo.Request

Nemesis v1.1 is a Windows- or Unix-based 

scanning tool. ICMP echo request messages 

sent using this software contain special 

characters that identify Nemesis as the source.

Signature enabled
Logging enabled
Action: Drop

Oversized.Echo.
Request.Packet

This signature detects ICMP packets larger 

than 32 000 bytes, which can crash a server or 

cause it to hang. 

Signature enabled
Logging enabled
Action: Pass

Содержание FortiGate 3.0 MR7

Страница 1: ...www fortinet com FortiGate IPS User Guide Version 3 0 MR7 U S E R G U I D E...

Страница 2: ...Fortinet Inc Trademarks Dynamic Threat Prevention System DTPS APSecure FortiASIC FortiBIOS FortiBridge FortiClient FortiGate FortiGate Unified Threat Management System FortiGuard FortiGuard Antispam F...

Страница 3: ...g the buffer size 11 Monitoring the network and dealing with attacks 11 Configuring logging and alert email 11 Attack log messages 12 The FortiGuard Center 13 Using IPS sensors in a protection profile...

Страница 4: ...s 45 Viewing the DoS sensor list 46 Configuring DoS sensors 46 Understanding the anomalies 48 SYN flood attacks 51 What is a SYN flood attack 51 How SYN floods work 51 The FortiGate IPS Response to SY...

Страница 5: ...g corporate networks An attack or intrusion can be launched to steal confidential information force a costly web site crash or use network resources to launch other attacks The FortiGate IPS detects i...

Страница 6: ...FortiGate QuickStart Guide Provides basic information about connecting and installing a FortiGate unit Note Highlights useful additional information Caution Warns you about commands or procedures tha...

Страница 7: ...nformation about the log messages that are generated by FortiGate units FortiGate High Availability User Guide Contains in depth information about the FortiGate high availability feature and the Forti...

Страница 8: ...nter at http kc forticare com Comments on Fortinet technical documentation Please send information about any errors or omissions in this document or any Fortinet technical documentation to techdoc for...

Страница 9: ...common attacks Both the IPS predefined signatures and the IPS engine are upgraded through the FortiGuard Distribution Network FDN These upgrades provide the latest protection against IM P2P and other...

Страница 10: ...und required to configure the thresholds and other IPS settings In addition the other protection features in the FortiGate unit such as antivirus including grayware spam filters and web filters offer...

Страница 11: ...comprehensive Attack Encyclopedia to help decide what actions to take to further protect the network This section describes Configuring logging and alert email Attack log messages The FortiGuard Cent...

Страница 12: ...erval is reached the messages are combined and sent out as one alert email Message ID 70000 Severity Alert Message attack_id value_attack_id src ip_address dst ip_address src_port port_num dst_port po...

Страница 13: ...lert Message attack_id value_attack_id src ip_address dst ip_address src_port port_num dst_port port_num interface interface_name src_int interface_name dst_int interface_name status clear_session det...

Страница 14: ...eating a protection profile that uses IPS sensors To create a protection profile using the web based manager 1 Go to Firewall Protection Profile 2 Select Create New Figure 2 New Protection Profile 3 E...

Страница 15: ...to user groups When creating a user group select a protection profile that applies to that group Then when configuring a firewall policy that includes user authentication select one or more user group...

Страница 16: ...FortiGate IPS User Guide Version 3 0 MR7 16 01 30007 0080 20080916 Using IPS sensors in a protection profile IPS overview and general configuration...

Страница 17: ...define which signatures are included in your IPS sensors The signature list also displays the default action the default logging status and whether the signature is enabled by default To view the pred...

Страница 18: ...re Severity The severity rating of the signature The severity levels from lowest to highest are Information Low Medium High and Critical Target The target of the signature Servers clients or both Prot...

Страница 19: ...uld also review exactly how you use the information provided by the logging feature If you find that you do not review the information it is best to turn off IPS logging Logging is best used to provid...

Страница 20: ...FortiGate IPS User Guide Version 3 0 MR7 20 01 30007 0080 20080916 Viewing the predefined signature list Predefined signatures...

Страница 21: ...he custom signature list Custom signature configuration Creating custom signatures IPS custom signatures The FortiGate predefined signatures cover common attacks If an unusual or specialized applicati...

Страница 22: ...Edit icon to edit a custom signature Figure 5 Edit Custom Signature 3 Enter a name for the custom signature 4 Enter the Signature 5 Select OK Adding custom signatures using the CLI After adding the c...

Страница 23: ...uired within the 512 character limit Custom signature fields Table 1shows the valid characters for custom signature fields Table 1 Valid characters for custom signature fields Field Valid Characters U...

Страница 24: ...ffer_Overflow Table 3 Session keywords Keyword and value Description flow from_client from_server bi_direction Specify the traffic direction and state to be inspected They can be used for all IP traff...

Страница 25: ...rn matches to take into account numerical values found in network data The available keyword options include bytes_to_convert The number of bytes to examine from the packet offset The number of bytes...

Страница 26: ...ents within the specified number of bytes after the starting point defined by the offset keyword If no offset is specified the offset is assumed to be equal to 0 If the value of the depth keyword is s...

Страница 27: ...atch offset offset_int The FortiGate unit starts looking for the contents the specified number of bytes into the payload The specified number of bytes is an absolute value in the payload Follow the of...

Страница 28: ...e as E Set to match only at the end of the subject string Without E also matches immediately before the final character if it is a newline but not before any other newlines G Invert the greediness of...

Страница 29: ...Check if IP NOP no op option is present ts Check if IP TS time stamp option is present sec Check if IP SEC IP security option is present lsrr Check if IP LSRR loose source routing option is present ss...

Страница 30: ...e specified port and all lower numbered ports port_int includes the specified port and all higher numbered ports port_int port_int includes the two specified ports and all ports in between seq seq_int...

Страница 31: ...nes the bits that must present for a successful match For example tcp_flags AP only matches the case where both A and P bits are set The second part FSRPAU120 is optional and defines the additional bi...

Страница 32: ...er numbered ports port_int port_int includes the two specified ports and all ports in between Table 8 ICMP keywords Keyword and Value Usage icmp_code code_int Specify the ICMP code to match icmp_id id...

Страница 33: ...e name value in double quotes F SBID name Block example com The signature as it appears here will not do anything if used It has a name but doesn t look for any patterns in network traffic You must sp...

Страница 34: ...pattern example com service HTTP no_case Unlike all of the other keywords in this example the no_case keyword has no value Only the keyword is required 7 Limiting pattern scans to only traffic sent f...

Страница 35: ...Use the name keyword to assign the custom signature a name The name value follows the keyword after a space Enclose the name value in double quotes F SBID name Block SMTP VRFY CMD The signature as it...

Страница 36: ...ic 6 Ignoring case sensitivity By default patterns are case sensitive If a user directed his or her browser to Example com the custom signature would not recognize the URL as a match Use the no_case k...

Страница 37: ...nitors the HTTP traffic to identify any HTTP packets that do not meet the HTTP protocol standards On the Intrusion Protection Signature Protocol Decoder page you can view the decoders and the port num...

Страница 38: ...ol decoder list Protocol decoders Viewing the protocol decoder list To view the decoder list go to Intrusion Protection Signature Protocol Decoder Figure 6 The protocol decoder list Protocols The prot...

Страница 39: ...ifications will automatically be included in those filters For example if you have a filter that includes all signatures for the Windows operating system your filter will automatically incorporate new...

Страница 40: ...ignature specified in a filter A signature override can also add a signature not specified in the sensor s filters Custom signatures are included in an IPS sensor using overrides The signatures in the...

Страница 41: ...the attack The targets are client and server Protocol The protocols to which the signatures apply Examples include HTTP POP3 H323 and DNS OS The operating systems to which the signatures apply Applica...

Страница 42: ...the window that appears and select OK View Rules icon Open a window listing all of the signatures included in the filter Add Pre defined Override Select to create an override based on a pre defined si...

Страница 43: ...d as info pose a much smaller threat Target Select All or select Specify and then the type of systems targeted by the attack The choices are server or client OS Select All or Select Specify and then s...

Страница 44: ...K Enable Select to enable the signature override Action Select one of Pass Block or Reset When the override is enabled the action determines what the FortiGate will do with traffic containing the spec...

Страница 45: ...ach sensor examines the network traffic in sequence from top to bottom When a sensor detects an anomaly it applies the configured action Multiple sensors allow great granularity in detecting anomalies...

Страница 46: ...to create a new DoS sensor Create New Add a new DoS sensor to the bottom of the list ID A unique identifier for each DoS sensor The ID does not indicate the sequence in which the sensors examine netw...

Страница 47: ...n the header row will enable sensing of all anomalies Logging Select the check box to enable the DoS sensor to log when the anomaly occurs Selecting the check box in the header row will enable logging...

Страница 48: ...ination address destination port and source address select Add to add protected address to the Protected Addresses list The DoS sensor will be invoked only on traffic matching all three of the entered...

Страница 49: ...s the configured threshold value the action is executed udp_dst_session If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value the action is e...

Страница 50: ...FortiGate IPS User Guide Version 3 0 MR7 50 01 30007 0080 20080916 Understanding the anomalies DoS sensors...

Страница 51: ...full it is not possible to establish any new connections and the web site on the server becomes inaccessible This section provides information about SYN flood attacks and the FortiGate IPS methods of...

Страница 52: ...PS proxy device synthesizes and sends the SYN ACK packet back to the originator and waits for the final ACK packet After the proxy device receives the ACK packet from the originator the IPS device the...

Страница 53: ...d detection Since the pseudo SYN proxy in the IPS uses a best effect algorithm to determine whether a TCP connection is legitimate or not some legitimate connections may be falsely detected as incompl...

Страница 54: ...the syn_flood anomaly Suggested settings for different network conditions The main setting that impacts the efficiency of the pseudo SYN proxy in detecting SYN floods is the threshold value The defaul...

Страница 55: ...uests or other ICMP messages that require a reply to multiple addresses on the target network Live hosts will reply with an ICMP echo or other reply message An ICMP sweep basically works the same as s...

Страница 56: ...message notifying the source or apparent source of the filtered packet Since this signature may be triggered by legitimate traffic the default action is to pass but log the traffic so it can be monito...

Страница 57: ...network scanning tool for Windows from Foundstone Inc Superscan could be used maliciously to perform an ICMP sweep ICMP echo request messages sent using this software contain special characters that...

Страница 58: ...3 Configure the options for icmp_sweep icmp_src_session and icmp_dst_session 4 Select OK Suggested settings for different network conditions Enable or disable the ICMP predefined signatures depending...

Страница 59: ...rvice 8 Fortinet documentation 6 Fortinet Knowledge Center 8 FortiProtect Attack Encyclopedia 13 FortiProtect center 13 I ICMP attack signatures 56 ICMP sweep anomalies 57 configuring protection 58 in...

Страница 60: ...FortiGate Version 3 0 MR7 IPS User Guide 60 01 30007 0080 20080916 Index T technical support 8...

Страница 61: ...www fortinet com...

Страница 62: ...www fortinet com...

Отзывы: