FortiGate Syn Flood Protection & ICMP Sweep Attack Detection | Fortinet IPS Guide


ICMP sweep attacks	What is an ICMP sweep?

ICMP sweep attacks

This section describes:

•What is an ICMP sweep?

•How ICMP sweep attacks work

•The FortiGate IPS response to ICMP sweep attacks

•Configuring ICMP sweep protection

•Suggested settings for different network conditions

What is an ICMP sweep?

ICMP (Internet Control Message Protocol) is a part of the IP protocol and is generally used to send error messages describing packet routing problems. ICMP sweeps are not really considered attacks but are used to scan a target network to discover vulnerable hosts for further probing and possible attacks.

Attackers use automated tools that scan all possible IP addresses in the range of the target network to create a map which they can use to plan an attack.

How ICMP sweep attacks work

An ICMP sweep is performed by sending ICMP echo requests - or other ICMP messages that require a reply - to multiple addresses on the target network. Live hosts will reply with an ICMP echo or other reply message. An ICMP sweep basically works the same as sending multiple pings. Live hosts accessible on the network must send a reply. This enables the attacker to determine which hosts are live and connected to the target network so further attacks and probing can be planned.

There are several ways of doing an ICMP sweep depending on the source operating system, and there are many automated tools for network scanning that attackers use to probe target networks.

The FortiGate IPS response to ICMP sweep attacks

The FortiGate IPS provides predefined signatures to detect a variety of ICMP sweep methods. Each signature can be configured to pass, drop, or clear the session. Each signature can be configured to log when the signature is triggered.

Create custom signatures to block attacks specific to the network that are not included in the predefined signature list.

The FortiGate IPS also has an ICMP sweep anomaly setting with a configurable threshold.

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916	55

Image 55

Fortinet manual What is an Icmp sweep?, How Icmp sweep attacks work, FortiGate IPS response to Icmp sweep attacks

Contents

E R G U I D E Trademarks Contents SYN flood attacks Protocol decodersIPS sensors DoS sensors FortiGate IPS Introduction Typographic conventions About this documentFortinet documentation Document conventions FortiGate Pptp VPN User Guide Fortinet Knowledge Center Customer service and technical supportComments on Fortinet technical documentation IPS settings and controls IPS overview and general configurationThis section contains the following topics Config ips global Set fail-open enable disable end When to use IPSDefault signature and anomaly settings Default fail open setting Controlling sessions Setting the buffer sizeConfiguring logging and alert email Monitoring the network and dealing with attacks Attack log messages Signature FortiGuard Center Anomaly Select Create New Using IPS sensors in a protection profileCreating a protection profile that uses IPS sensors Adding protection profiles to firewall policies Adding protection profiles to user groups Using IPS sensors in a protection profile IPS predefined signatures Predefined signaturesViewing the predefined signature list Clear All Filters SettingsEnable Column Create a sensor and add IPS filters to it Viewing the predefined signature list IPS custom signatures Custom signaturesViewing the custom signature list Command syntax pattern Custom signature configurationAdding custom signatures using the web-based manager Adding custom signatures using the CLI Custom signature fields Creating custom signaturesShows the valid characters for custom signature fields Srcport Custom signature syntaxAttackid Name BufferOverflow Content keywords Keyword and value Description Deprecated, see pattern and context keywords Context host Pattern GETContext uri Pattern yahoo.com Uri !uristr PcreRegex/mdelim RegexdelimismxAEGRU IP header keywords Keyword and Value Description Protocol tcp TCP header keywords Keyword and Value Description Tcpflags S,12 Tcpflags AP Icmp keywords Keyword and Value Usage UDP header keywords Keyword and Value DescriptionOther keywords Keyword and Value Description Example custom signatures Example 1 signature to block access to example.comSbid --name Block.example.com Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Protocol decoder list Protocols Protocol decoder names Port Viewing the protocol decoder list Viewing the IPS sensor list AlldefaultAlldefaultpass IPS sensors Protectemailserver Configuring IPS sensorsAdding an IPS sensor Protectclient IPS sensor filters IPS sensor attributes Delete and Edit Delete or edit the filter Icons Configuring filtersReset IPS sensor overrides Application Configuring pre-defined and custom overrides Source Exempt IP DoS sensors Appears, and select OK Configuring DoS sensorsViewing the DoS sensor list Sequence in which the sensors examine network traffic Will appear in the DoS sensor list Anomaly configurationDoS sensor attributes Name Enter or change the DoS sensor name Comments Understanding the anomalies Udpsrcsession Anomaly Description TcpdstsessionUdpflood Udpscan Understanding the anomalies SYN flood attacks What is a SYN flood attack?How SYN floods work How IPS works to prevent SYN floods What is SYN threshold?What is SYN proxy? FortiGate IPS Response to SYN flood attacks IPS operation before synflood threshold is reached Suggested settings for different network conditions Configuring SYN flood protectionConfigure the options for tcpsynflood Select OK FortiGate IPS response to Icmp sweep attacks What is an Icmp sweep?Icmp sweep attacks How Icmp sweep attacks work Predefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection FortiGate Version 3.0 MR7 IPS User Guide Index Technical support