|
|
|
ICMP sweep attacks | What is an ICMP sweep? |
ICMP sweep attacks
This section describes:
•What is an ICMP sweep?
•How ICMP sweep attacks work
•The FortiGate IPS response to ICMP sweep attacks
•Configuring ICMP sweep protection
•Suggested settings for different network conditions
What is an ICMP sweep?
ICMP (Internet Control Message Protocol) is a part of the IP protocol and is generally used to send error messages describing packet routing problems. ICMP sweeps are not really considered attacks but are used to scan a target network to discover vulnerable hosts for further probing and possible attacks.
Attackers use automated tools that scan all possible IP addresses in the range of the target network to create a map which they can use to plan an attack.
How ICMP sweep attacks work
An ICMP sweep is performed by sending ICMP echo requests - or other ICMP messages that require a reply - to multiple addresses on the target network. Live hosts will reply with an ICMP echo or other reply message. An ICMP sweep basically works the same as sending multiple pings. Live hosts accessible on the network must send a reply. This enables the attacker to determine which hosts are live and connected to the target network so further attacks and probing can be planned.
There are several ways of doing an ICMP sweep depending on the source operating system, and there are many automated tools for network scanning that attackers use to probe target networks.
The FortiGate IPS response to ICMP sweep attacks
The FortiGate IPS provides predefined signatures to detect a variety of ICMP sweep methods. Each signature can be configured to pass, drop, or clear the session. Each signature can be configured to log when the signature is triggered.
Create custom signatures to block attacks specific to the network that are not included in the predefined signature list.
The FortiGate IPS also has an ICMP sweep anomaly setting with a configurable threshold.
FortiGate IPS User Guide Version 3.0 MR7 |
|
55 |
