The FortiGate IPS response to ICMP sweep attacks
Predefined ICMP signatures
Table 11 describes all the ICMP-related predefined signatures and the default settings for each.

Note: The predefined signature descriptions in Table 11 are accurate as of the IPS Guide publication date. Predefined signatures may be added or changed with each Attack Definition update.

Table 11: Predefined ICMP sweep signatures

| Signature | Description | Default settings |
| --- | --- | --- |
| AddressMask.Request | AddressMask detects broadcast address mask request messages from a host pretending to be part of the network. The default action is to pass but log this traffic because it could be legitimate network traffic on some networks. | Signature enabled; Logging enabled; Action: Pass |
| Broadscan.Smurf.Echo.Request | Broadscan is a hacking tool used to generate and broadcast ICMP requests in a smurf attack. In a smurf attack, an attacker broadcasts ICMP requests on Network A using a spoofed source IP address belonging to Network B. All hosts on Network A send multiple replies to Network B, which becomes flooded. | Signature enabled; Logging enabled; Action: Drop |
| Communication.Administratively.Prohibited.Reply | This signature detects network packets that have been blocked by some kind of filter. The host that blocked the packet sends an ICMP (code 13) Destination Unreachable message notifying the source or apparent source of the filtered packet. Since this signature may be triggered by legitimate traffic, the default action is to pass but log the traffic, so it can be monitored. | Signature enabled; Logging enabled; Action: Pass |
| CyberKit.2.2.Echo.Request | CyberKit 2.2 is Windows-based software used to scan networks. ICMP echo request messages sent using this software contain special characters that identify Cyberkit as the source. | Signature enabled; Logging enabled; Action: Pass |
| DigitalIsland.Bandwidth.Query | Digital Island is a provider of content delivery networks. This company sends ICMP pings so they can better map routes for their customers. Use this signature to block their probes. | Signature enabled; Logging enabled; Action: Drop |
| Echo.Reply | This signature detects ICMP echo reply messages responding to ICMP echo request messages. | Signature disabled |
| ISS.Pinger.Echo.Request | ISS is Internet Security Scanner software that can be used to send ICMP echo request messages and other network probes. While this software can be legitimately used to scan for security holes, use the signature to block unwanted scans. | Signature enabled; Logging enabled; Action: Drop |
| Nemesis.V1.1.Echo.Request | Nemesis v1.1 is a Windows- or Unix-based scanning tool. ICMP echo request messages sent using this software contain special characters that identify Nemesis as the source. | Signature enabled; Logging enabled; Action: Drop |
| Oversized.Echo.Request.Packet | This signature detects ICMP packets larger than 32 000 bytes, which can crash a server or cause it to hang. | Signature enabled; Logging enabled; Action: Pass |
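The header-based conditions in Table 11 can be checked directly against a packet's ICMP type, code and size. The following is an added example, not Fortinet's signature logic or code from the guide: it is a simplified classifier that assumes a reassembled IPv4 datagram as input, takes the ICMP type numbers from RFC 792 and RFC 950, and uses the hypothetical helper names `classify` and `build`.

```python
import struct

# ICMP type/code numbers from RFC 792 and RFC 950 (not stated in Table 11 except code 13).
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, ADDR_MASK_REQUEST = 0, 3, 8, 17
ADMIN_PROHIBITED = 13      # Destination Unreachable code named in Table 11
OVERSIZE_LIMIT = 32000     # bytes, from the Oversized.Echo.Request.Packet row

# Default actions copied from Table 11 for the four header-based signatures.
DEFAULTS = {
    "AddressMask.Request": "pass",
    "Communication.Administratively.Prohibited.Reply": "pass",
    "Oversized.Echo.Request.Packet": "pass",
    "Echo.Reply": "disabled",
}

def classify(datagram: bytes):
    """Return (signature, default_action) for a reassembled IPv4 datagram, else None."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        return None                      # too short, or not IPv4
    ihl = (datagram[0] & 0x0F) * 4       # IP header length in bytes
    if ihl < 20 or datagram[9] != 1 or len(datagram) < ihl + 8:
        return None                      # bad header, not ICMP, or truncated ICMP header
    icmp_type, icmp_code = datagram[ihl], datagram[ihl + 1]
    if icmp_type == ECHO_REQUEST and len(datagram) > OVERSIZE_LIMIT:
        name = "Oversized.Echo.Request.Packet"
    elif icmp_type == DEST_UNREACH and icmp_code == ADMIN_PROHIBITED:
        name = "Communication.Administratively.Prohibited.Reply"
    elif icmp_type == ADDR_MASK_REQUEST:
        name = "AddressMask.Request"     # simplified: no broadcast or source check
    elif icmp_type == ECHO_REPLY:
        name = "Echo.Reply"
    else:
        return None
    return name, DEFAULTS[name]

def build(icmp_type: int, code: int, payload_len: int = 8) -> bytes:
    """Constructed sample datagram (checksums left zero, RFC 5737 test addresses)."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + b"\x00" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + icmp
```

The tool-specific signatures (CyberKit, Nemesis, ISS, Broadscan, Digital Island) depend on payload contents that the table does not specify, so they are left out.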
FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916