beautypg.com

Predefined icmp signatures – Fortinet Network Device IPS User Manual

Page 56

background image

FortiGate IPS User Guide Version 3.0 MR7

56

01-30007-0080-20080916

The FortiGate IPS response to ICMP sweep attacks

ICMP sweep attacks

Predefined ICMP signatures

Table 11

describes all the ICMP-related predefined signatures and the default

settings for each.

Note: The predefined signature descriptions in

Table 11

are accurate as of the IPS Guide

publication date. Predefined signatures may be added or changed with each Attack Definition
update.

Table 11: Predefined ICMP sweep signatures

Signature

Description

Default settings

AddressMask.
Request

AddressMask detects broadcast address mask

request messages from a host pretending to be

part of the network. The default action is to

pass but log this traffic because it could be

legitimate network traffic on some networks.

Signature enabled
Logging enabled
Action: Pass

Broadscan.Smurf.
Echo.Request

Broadscan is a hacking tool used to generate

and broadcast ICMP requests in a smurf

attack. In a smurf attack, an attacker

broadcasts ICMP requests on Network A using

a spoofed source IP address belonging to

Network B. All hosts on Network A send

multiple replies to Network B, which becomes

flooded.

Signature enabled
Logging enabled
Action: Drop

Communication.
Administratively.
Prohibited.Reply

This signature detects network packets that

have been blocked by some kind of filter. The

host that blocked the packet sends an ICMP

(code 13) Destination Unreachable message

notifying the source or apparent source of the

filtered packet. Since this signature may be

triggered by legitimate traffic, the default action

is to pass but log the traffic, so it can be

monitored.

Signature enabled
Logging enabled
Action: Pass

CyberKit.2.2.
Echo.Request

CyberKit 2.2 is Windows-based software used

to scan networks. ICMP echo request

messages sent using this software contain

special characters that identify Cyberkit as the

source.

Signature enabled
Logging enabled
Action: Pass

DigitalIsland.
Bandwidth.Query

Digital Island is a provider of content delivery

networks. This company sends ICMP pings so

they can better map routes for their customers.

Use this signature to block their probes.

Signature enabled
Logging enabled
Action: Drop

Echo.Reply

This signature detects ICMP echo reply

messages responding to ICMP echo request

messages.

Signature disabled

ISS.Pinger.Echo.
Request

ISS is Internet Security Scanner software that

can be used to send ICMP echo request

messages and other network probes. While

this software can be legitimately used to scan

for security holes, use the signature to block

unwanted scans.

Signature enabled
Logging enabled
Action: Drop

Nemesis.V1.1.
Echo.Request

Nemesis v1.1 is a Windows- or Unix-based

scanning tool. ICMP echo request messages

sent using this software contain special

characters that identify Nemesis as the source.

Signature enabled
Logging enabled
Action: Drop

Oversized.Echo.
Request.Packet

This signature detects ICMP packets larger

than 32 000 bytes, which can crash a server or

cause it to hang.

Signature enabled
Logging enabled
Action: Pass

See also other documents in the category Fortinet Hardware: