Fortinet IPS manual Predefined Icmp signatures

Page 56

The FortiGate IPS response to ICMP sweep attacks

ICMP sweep attacks

Predefined ICMP signatures

Table 11 describes all the ICMP-related predefined signatures and the default settings for each.

Note: The predefined signature descriptions in Table 11 are accurate as of the IPS Guide publication date. Predefined signatures may be added or changed with each Attack Definition update.

Table 11: Predefined ICMP sweep signatures

Signature

Description

Default settings

 

 

 

AddressMask.

AddressMask detects broadcast address mask

Signature enabled

Request

request messages from a host pretending to be

Logging enabled

 

part of the network. The default action is to

Action: Pass

 

pass but log this traffic because it could be

 

 

 

legitimate network traffic on some networks.

 

 

 

 

Broadscan.Smurf.

Broadscan is a hacking tool used to generate

Signature enabled

Echo.Request

and broadcast ICMP requests in a smurf

Logging enabled

 

attack. In a smurf attack, an attacker

Action: Drop

 

broadcasts ICMP requests on Network A using

 

a spoofed source IP address belonging to

 

 

Network B. All hosts on Network A send

 

 

multiple replies to Network B, which becomes

 

 

flooded.

 

 

 

 

Communication.

This signature detects network packets that

Signature enabled

Administratively.

have been blocked by some kind of filter. The

Logging enabled

Prohibited.Reply

host that blocked the packet sends an ICMP

Action: Pass

(code 13) Destination Unreachable message

 

 

 

notifying the source or apparent source of the

 

 

filtered packet. Since this signature may be

 

 

triggered by legitimate traffic, the default action

 

 

is to pass but log the traffic, so it can be

 

 

monitored.

 

 

 

 

CyberKit.2.2.

CyberKit 2.2 is Windows-based software used

Signature enabled

Echo.Request

to scan networks. ICMP echo request

Logging enabled

 

messages sent using this software contain

Action: Pass

 

special characters that identify Cyberkit as the

 

 

 

source.

 

 

 

 

DigitalIsland.

Digital Island is a provider of content delivery

Signature enabled

Bandwidth.Query

networks. This company sends ICMP pings so

Logging enabled

 

they can better map routes for their customers.

Action: Drop

 

Use this signature to block their probes.

 

Echo.Reply

This signature detects ICMP echo reply

Signature disabled

 

messages responding to ICMP echo request

 

 

messages.

 

 

 

 

ISS.Pinger.Echo.

ISS is Internet Security Scanner software that

Signature enabled

Request

can be used to send ICMP echo request

Logging enabled

 

messages and other network probes. While

Action: Drop

 

this software can be legitimately used to scan

 

 

 

for security holes, use the signature to block

 

 

unwanted scans.

 

 

 

 

Nemesis.V1.1.

Nemesis v1.1 is a Windows- or Unix-based

Signature enabled

Echo.Request

scanning tool. ICMP echo request messages

Logging enabled

 

sent using this software contain special

Action: Drop

 

characters that identify Nemesis as the source.

 

 

 

Oversized.Echo.

This signature detects ICMP packets larger

Signature enabled

Request.Packet

than 32 000 bytes, which can crash a server or

Logging enabled

 

cause it to hang.

Action: Pass

 

 

 

 

 

 

FortiGate IPS User Guide Version 3.0 MR7

56

01-30007-0080-20080916

Page 55 Page 57
Image 56
Page 55 Page 57
Contents E R G U I D E Trademarks Contents Protocol decoders IPS sensorsDoS sensors SYN flood attacksIntroduction FortiGate IPSAbout this document Fortinet documentationDocument conventions Typographic conventionsFortiGate Pptp VPN User Guide Comments on Fortinet technical documentation Customer service and technical supportFortinet Knowledge Center This section contains the following topics IPS overview and general configurationIPS settings and controls When to use IPS Default signature and anomaly settingsDefault fail open setting Config ips global Set fail-open enable disable endSetting the buffer size Configuring logging and alert emailMonitoring the network and dealing with attacks Controlling sessionsAttack log messages Signature Anomaly FortiGuard CenterUsing IPS sensors in a protection profile Creating a protection profile that uses IPS sensorsAdding protection profiles to firewall policies Select Create NewAdding protection profiles to user groups Using IPS sensors in a protection profile Viewing the predefined signature list Predefined signaturesIPS predefined signatures Settings EnableColumn Clear All FiltersCreate a sensor and add IPS filters to it Viewing the predefined signature list Viewing the custom signature list Custom signaturesIPS custom signatures Custom signature configuration Adding custom signatures using the web-based managerAdding custom signatures using the CLI Command syntax patternShows the valid characters for custom signature fields Creating custom signaturesCustom signature fields Custom signature syntax AttackidName BufferOverflow SrcportContent keywords Keyword and value Description Deprecated, see pattern and context keywords Pattern GET Context uriPattern yahoo.com Context hostPcre Regex/mdelimRegexdelimismxAEGRU Uri !uristrProtocol tcp IP header keywords Keyword and Value DescriptionTCP header keywords Keyword and Value Description Tcpflags AP Tcpflags S,12Other keywords Keyword and Value Description UDP header keywords Keyword and Value DescriptionIcmp keywords Keyword and Value Usage Sbid --name Block.example.com Example 1 signature to block access to example.comExample custom signatures Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD --pattern vrfy Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD Creating custom signatures Upgrading the IPS protocol decoder list Protocol decodersProtocol decoders Viewing the protocol decoder list Protocol decoder list Protocols Protocol decoder names PortAlldefault AlldefaultpassIPS sensors Viewing the IPS sensor listConfiguring IPS sensors Adding an IPS sensorProtectclient ProtectemailserverIPS sensor attributes IPS sensor filtersConfiguring filters ResetIPS sensor overrides Delete and Edit Delete or edit the filter IconsConfiguring pre-defined and custom overrides ApplicationExempt IP SourceDoS sensors Configuring DoS sensors Viewing the DoS sensor listSequence in which the sensors examine network traffic Appears, and select OKAnomaly configuration DoS sensor attributesName Enter or change the DoS sensor name Comments Will appear in the DoS sensor listUnderstanding the anomalies Anomaly Description Tcpdstsession UdpfloodUdpscan UdpsrcsessionUnderstanding the anomalies How SYN floods work What is a SYN flood attack?SYN flood attacks What is SYN threshold? What is SYN proxy?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floodsIPS operation before synflood threshold is reached Configure the options for tcpsynflood Select OK Configuring SYN flood protectionSuggested settings for different network conditions What is an Icmp sweep? Icmp sweep attacksHow Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacksPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection Index FortiGate Version 3.0 MR7 IPS User GuideTechnical support
Top Page Image Contents