Fortinet IPS manual Icmp sweep anomalies

Page 57


ICMP sweep attacks	The FortiGate IPS response to ICMP sweep attacks

Table 11: Predefined ICMP sweep signatures

Signature	Description	Default settings

NMAP.Echo.	NMAP is a free open source network	Signature disabled
Request	mapping/security tool that is available for most
	operating systems. NMAP could be used
	maliciously to perform an ICMP sweep. ICMP
	echo request messages sent using this
	software contain special characters that identify
	NMAP as the source.

Redirect.Code4.	This signature detects ICMP type 5 code 4	Signature enabled
Echo.Request	redirect messages. An ICMP redirect message	Logging enabled
	describes an alternate route for traffic to take.	Action: Pass
	An attacker may use ICMP redirect messages	Action: Pass
	An attacker may use ICMP redirect messages
	to alter the routing table or cause traffic to
	follow an unintended route.

Sniffer.Pro.	Sniffer Pro and NetXRay are scanning tools.	Signature enabled
NetXRay.Echo.	ICMP echo request messages sent using this	Logging enabled
Request	software contain special characters that identify	Action: Drop
	them as the source.
Superscan.Echo.	Superscan is a free network scanning tool for	Signature enabled
Request	Windows from Foundstone Inc. Superscan	Logging enabled
	could be used maliciously to perform an ICMP	Action: Drop
	sweep. ICMP echo request messages sent	Action: Drop
	sweep. ICMP echo request messages sent
	using this software contain special characters
	that identify Superscan as the source.

TimeStamp.	TimeStamp detects timestamp request	Signature enabled
Request	messages from a host pretending to be part of	Logging enabled
	the network.	Action: Pass
		Action: Pass

TJPingPro1.1.	TJPingPro1.1 is a widely-used network tool for	Signature enabled
Echo.Request	older versions of Windows. TJPingPro could be	Logging enabled
	used maliciously to perform an ICMP sweep.	Action: Drop
	ICMP echo request messages sent using this	Action: Drop
	ICMP echo request messages sent using this
	software contain special characters that identify
	TJPingPro as the source.

Traceroute.Traffic	Traceroute is a very common network tool	Signature enabled
	available on almost any operating system. This	Logging enabled
	tool could be sued maliciously to perform an	Action: Pass
	ICMP sweep. ICMP echo request messages	Action: Pass
	ICMP sweep. ICMP echo request messages
	sent using this software contain special
	characters that identify traceroute as the
	source.

Whatsup.Echo.	WhatsUp Gold is a network scanning tool for	Signature enabled
Request	Windows from IPswitch. WhatsUp could be	Logging enabled
	used maliciously to perform an ICMP sweep.	Action: Drop
	ICMP echo request messages sent using this	Action: Drop
	ICMP echo request messages sent using this
	software contain special characters that identify
	WhatsUpGold as the source.

ICMP sweep anomalies

The FortiGate unit also detects ICMP sweeps that do not have a predefined signature to block them. The FortiGate IPS monitors traffic to ensure that ICMP messages do not exceed the default or user-defined threshold.

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916	57

Image 57

Contents E R G U I D E Trademarks Contents IPS sensors Protocol decodersDoS sensors SYN flood attacksFortiGate IPS IntroductionFortinet documentation About this documentDocument conventions Typographic conventionsFortiGate Pptp VPN User Guide Customer service and technical support Fortinet Knowledge CenterComments on Fortinet technical documentation IPS overview and general configuration IPS settings and controlsThis section contains the following topics Default signature and anomaly settings When to use IPSDefault fail open setting Config ips global Set fail-open enable disable endConfiguring logging and alert email Setting the buffer sizeMonitoring the network and dealing with attacks Controlling sessionsAttack log messages Signature FortiGuard Center AnomalyCreating a protection profile that uses IPS sensors Using IPS sensors in a protection profileAdding protection profiles to firewall policies Select Create NewAdding protection profiles to user groups Using IPS sensors in a protection profile Predefined signatures IPS predefined signaturesViewing the predefined signature list Enable SettingsColumn Clear All FiltersCreate a sensor and add IPS filters to it Viewing the predefined signature list Custom signatures IPS custom signaturesViewing the custom signature list Adding custom signatures using the web-based manager Custom signature configurationAdding custom signatures using the CLI Command syntax patternCreating custom signatures Custom signature fieldsShows the valid characters for custom signature fields Attackid Custom signature syntaxName BufferOverflow SrcportContent keywords Keyword and value Description Deprecated, see pattern and context keywords Context uri Pattern GETPattern yahoo.com Context hostRegex/mdelim PcreRegexdelimismxAEGRU Uri !uristrIP header keywords Keyword and Value Description Protocol tcpTCP header keywords Keyword and Value Description Tcpflags S,12 Tcpflags APUDP header keywords Keyword and Value Description Icmp keywords Keyword and Value UsageOther keywords Keyword and Value Description Example 1 signature to block access to example.com Example custom signaturesSbid --name Block.example.com Sbid --name Block.example.com Example 2 signature to block the Smtp ‘vrfy’ command Sbid --name Block.SMTP.VRFY.CMDSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Protocol decoder list Protocols Protocol decoder names Port Viewing the protocol decoder listAlldefaultpass AlldefaultIPS sensors Viewing the IPS sensor listAdding an IPS sensor Configuring IPS sensorsProtectclient ProtectemailserverIPS sensor filters IPS sensor attributesReset Configuring filtersIPS sensor overrides Delete and Edit Delete or edit the filter IconsApplication Configuring pre-defined and custom overridesSource Exempt IPDoS sensors Viewing the DoS sensor list Configuring DoS sensorsSequence in which the sensors examine network traffic Appears, and select OKDoS sensor attributes Anomaly configurationName Enter or change the DoS sensor name Comments Will appear in the DoS sensor listUnderstanding the anomalies Udpflood Anomaly Description TcpdstsessionUdpscan UdpsrcsessionUnderstanding the anomalies What is a SYN flood attack? SYN flood attacksHow SYN floods work What is SYN proxy? What is SYN threshold?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floodsIPS operation before synflood threshold is reached Configuring SYN flood protection Suggested settings for different network conditionsConfigure the options for tcpsynflood Select OK Icmp sweep attacks What is an Icmp sweep?How Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacksPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection FortiGate Version 3.0 MR7 IPS User Guide IndexTechnical support