User Guide for Fortinet IPS

FortiGate IPS User Guide Version 3.0 MR7 (01-30007-0080-20080916), page 55
ICMP sweep attacks
This section describes:
• What is an ICMP sweep?
• How ICMP sweep attacks work
• The FortiGate IPS response to ICMP sweep attacks
What is an ICMP sweep?
ICMP (Internet Control Message Protocol) is part of the IP protocol suite and is generally used to send error messages describing packet routing problems. ICMP sweeps are not really considered attacks in themselves, but they are used to scan a target network to discover vulnerable hosts for further probing and possible attacks.
Attackers use automated tools that scan every possible IP address in the target network's range to build a map of the network, which they then use to plan an attack.
How ICMP sweep attacks work
An ICMP sweep is performed by sending ICMP echo requests (or other ICMP messages that require a reply) to multiple addresses on the target network. Live hosts reply with an ICMP echo reply or the corresponding reply message. An ICMP sweep therefore works the same way as sending multiple pings: live hosts that are reachable on the network send a reply. This lets the attacker determine which hosts are live and connected to the target network so that further attacks and probing can be planned.
There are several ways of performing an ICMP sweep, depending on the source operating system, and attackers use many automated network-scanning tools to probe target networks.
The FortiGate IPS response to ICMP sweep attacks
The FortiGate IPS provides predefined signatures that detect a variety of ICMP sweep methods. Each signature can be configured to pass, drop, or clear the session, and each can be configured to log when it is triggered. Create custom signatures to block attacks specific to your network that are not included in the predefined signature list.
The FortiGate IPS also has an ICMP sweep anomaly setting with a configurable threshold.
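As an added illustration of the threshold-based detection the two sections above describe (example code written for this page, not FortiGate's own code), the following Python detector flags any source that sends reply-soliciting ICMP to more than a configurable number of distinct destinations within a sliding time window, which is the behaviour a sweep anomaly threshold is meant to catch. It assumes constructed flow records of the form `<ts> <src> > <dst> icmp type=<n>`; the record format, the sample addresses and the `REQUEST_TYPES` table are assumptions made for the example, not something the guide specifies.

```python
"""Threshold-based ICMP sweep detector (added example, not FortiGate code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# ICMP message types that solicit a reply from a live host. A sweep uses one
# of these (echo request is the classic "ping"); replies (type 0) and error
# messages never solicit anything, so they are ignored by the detector.
REQUEST_TYPES = {
    8: "echo-request",
    13: "timestamp-request",
    15: "information-request",
    17: "address-mask-request",
}


@dataclass(frozen=True)
class IcmpEvent:
    ts: float        # seconds since epoch
    src: str
    dst: str
    icmp_type: int


def parse_record(line: str) -> IcmpEvent:
    """Parse one constructed record: '<ts> <src> > <dst> icmp type=<n>'."""
    ts, src, arrow, dst, proto, type_field = line.split()
    if arrow != ">" or proto != "icmp" or not type_field.startswith("type="):
        raise ValueError(f"unrecognised record: {line!r}")
    return IcmpEvent(float(ts), src, dst, int(type_field[len("type="):]))


def detect_sweeps(events: Iterable[IcmpEvent], threshold: int,
                  window: float) -> List[Tuple[str, float, int]]:
    """Return (src, window_start_ts, distinct_destinations) for every source
    that sends reply-soliciting ICMP to more than `threshold` distinct
    destinations within any span of `window` seconds. One alert per source,
    raised at the moment the threshold is first exceeded."""
    per_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.icmp_type in REQUEST_TYPES:
            per_src[e.src].append(e)

    alerts = []
    for src, evs in per_src.items():
        start = 0
        for end, e in enumerate(evs):
            # Slide the window start forward until it spans at most `window` s.
            while e.ts - evs[start].ts > window:
                start += 1
            targets = {x.dst for x in evs[start:end + 1]}
            if len(targets) > threshold:
                alerts.append((src, evs[start].ts, len(targets)))
                break
    return alerts


# Constructed sample traffic (not captured data).
SAMPLE_RECORDS = [
    # a sweep: one external source probes twelve internal addresses in ~2 s
    *(f"{100.0 + i * 0.2:.1f} 203.0.113.5 > 10.0.0.{i + 1} icmp type=8"
      for i in range(12)),
    # benign monitoring: one host pings a single gateway repeatedly
    *(f"{100.0 + i * 0.5:.1f} 10.0.0.20 > 10.0.0.1 icmp type=8"
      for i in range(12)),
    # echo replies from many hosts to one address do not solicit a reply
    *(f"{100.0 + i * 0.2:.1f} 10.0.0.{i + 1} > 203.0.113.5 icmp type=0"
      for i in range(12)),
]


def run_detector(threshold: int = 10, window: float = 5.0):
    """Parse the constructed records and run the detector with the given
    threshold (distinct destinations) and window (seconds)."""
    events = [parse_record(line) for line in SAMPLE_RECORDS]
    return detect_sweeps(events, threshold, window)


if __name__ == "__main__":
    for src, ts, n in run_detector():
        print(f"ICMP sweep from {src}: {n} distinct hosts probed "
              f"within one window starting at t={ts}")
```

With the defaults, only the external source trips the detector; the host that repeatedly pings one gateway never exceeds a single distinct destination, and the stream of echo replies is filtered out before counting. Raising the threshold above the number of probed hosts, or shrinking the window so that too few probes fall inside it, produces no alert, which is the tuning trade-off behind any configurable sweep threshold.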