ICMP sweep attacks


This section describes:

What is an ICMP sweep?

How ICMP sweep attacks work

The FortiGate IPS response to ICMP sweep attacks

Configuring ICMP sweep protection

Suggested settings for different network conditions

What is an ICMP sweep?

ICMP (Internet Control Message Protocol) is part of the IP protocol suite and is generally used to send error messages describing packet routing problems. An ICMP sweep is not really an attack in itself; it is used to scan a target network to discover live, potentially vulnerable hosts for further probing and possible attacks.

Attackers use automated tools that scan all possible IP addresses in the range of the target network to create a map which they can use to plan an attack.

How ICMP sweep attacks work

An ICMP sweep is performed by sending ICMP echo requests, or other ICMP messages that require a reply, to multiple addresses on the target network. Live hosts reply with an ICMP echo reply or the corresponding reply message, so a sweep works in essentially the same way as sending many pings. Because every reachable live host must answer, the attacker can determine which hosts are live and connected to the target network and plan further probing and attacks.

There are several ways of doing an ICMP sweep depending on the source operating system, and there are many automated tools for network scanning that attackers use to probe target networks.

The FortiGate IPS response to ICMP sweep attacks

The FortiGate IPS provides predefined signatures to detect a variety of ICMP sweep methods. Each signature can be configured to pass, drop, or clear the session, and to log when it is triggered.

You can create custom signatures to block attacks specific to the network that are not included in the predefined signature list.

The FortiGate IPS also has an ICMP sweep anomaly setting with a configurable threshold.
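As an added illustration of what a sweep anomaly threshold measures (this is not Fortinet code; the record format, the threshold of 20 distinct targets and the 1-second window are assumptions): a sliding-window detector that flags a source which sends ICMP echo requests to many distinct destinations in a short time, while ignoring a host that repeatedly pings one address, echo replies, and a slow scanner that stays under the threshold.

```python
from collections import defaultdict, deque

# Constructed sample records, not taken from the manual:
# (timestamp_ms, src_ip, dst_ip, icmp_type). ICMP type 8 = echo request, 0 = echo reply.
SAMPLE_EVENTS = (
    # sweeping host: one echo request every 50 ms to 30 consecutive addresses
    [(i * 50, "10.0.0.5", f"192.168.1.{i + 1}", 8) for i in range(30)]
    # ordinary monitoring host: repeated pings to a single address
    + [(i * 50, "10.0.0.9", "192.168.1.1", 8) for i in range(30)]
    # echo replies from the pinged host are not requests and are ignored
    + [(i * 50 + 5, "192.168.1.1", "10.0.0.9", 0) for i in range(30)]
    # slow scanner: 25 addresses at 100 ms spacing never has 20 in one window
    + [(i * 100, "10.0.0.7", f"192.168.2.{i + 1}", 8) for i in range(25)]
)


def detect_icmp_sweeps(events, threshold=20, window=1000):
    """Return [(src_ip, timestamp_ms, distinct_targets)] alerts.

    A source is flagged the first time it has sent echo requests to at least
    `threshold` distinct destinations within the last `window` milliseconds.
    Threshold and window are assumed parameters, analogous to an IPS
    sweep-anomaly threshold.
    """
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp_ms, dst_ip)
    alerted = set()
    alerts = []
    for ts, src, dst, icmp_type in sorted(events):
        if icmp_type != 8:  # only echo requests count toward a sweep
            continue
        queue = recent[src]
        queue.append((ts, dst))
        # drop requests that have fallen out of the sliding window
        while queue and ts - queue[0][0] > window:
            queue.popleft()
        distinct = {d for _, d in queue}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, len(distinct)))
    return alerts


if __name__ == "__main__":
    for src, ts, count in detect_icmp_sweeps(SAMPLE_EVENTS):
        print(f"sweep from {src} at {ts} ms: {count} distinct targets")
```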

FortiGate IPS User Guide Version 3.0 MR7


01-30007-0080-20080916
