ICMP Signatures 2000 Series

The 2000 signature series covers ICMP traffic. ICMP is used for network troubleshooting, and although these messages are useful to administrators, they also give an attacker a way to map hosts, learn addressing details and mount denial-of-service attacks, so they pose a threat to the network if not monitored closely. Inbound ICMP traffic should be scrutinized and disabled if not specifically required.

  • 2000-ICMP Echo Reply: This signature fires when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 0 (Echo Reply).

  • 2001-ICMP Host Unreachable: This signature fires when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 3 (Host Unreachable).

  • 2002-ICMP Source Quench: This signature fires when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench).

  • 2003-ICMP Redirect: This signature fires when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect).

  • 2004-ICMP Echo Request: This signature fires when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 8 (Echo Request).

  • 2007-ICMP Timestamp Request: This signature fires when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 13 (Timestamp Request).

  • 2008-ICMP Timestamp Reply: This signature fires when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 14 (Timestamp Reply).

  • 2011-ICMP Address Mask Request: This signature fires when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 17 (Address Mask Request).

  • 2012-ICMP Address Mask Reply: This signature fires when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 18 (Address Mask Reply).

  • 2100-ICMP Network Sweep with Echo: This signature fires when IP datagrams are received directed at multiple hosts on the network with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 8 (Echo Request).

  • 2101-ICMP Network Sweep with Timestamp: This signature fires when IP datagrams are received directed at multiple hosts on the network with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 13 (Timestamp Request).

  • 2102-ICMP Network Sweep with Address Mask: This signature fires when IP datagrams are received directed at multiple hosts on the network with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 17 (Address Mask Request).

  • 2150-Fragmented ICMP Traffic: This signature fires when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and either the More Fragments flag in the IP header is set to 1 or the fragment offset field in the IP header is non-zero.

  • 2151-Large ICMP Traffic: This signature fires when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the IP total length is greater than 1024 bytes.

  • 2152-ICMP Flood: This signature fires when multiple IP datagrams are received directed at a single host on the network with the protocol field of the IP header set to 1 (ICMP).

  • 2153-Smurf: This signature fires when a large number of ICMP Echo Replies are targeted at a single host. This is the pattern of a Smurf attack, in which Echo Requests are sent to a broadcast address with the victim's address spoofed as the source, so that every responding host floods the victim with replies.

  • 2154-Ping of Death Attack: This signature fires when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP), the datagram is the last fragment (the More Fragments flag is cleared), and (IP offset * 8) + (IP data length) > 65535. In other words, the fragment offset (the starting position of this fragment in the original datagram, in 8-byte units) plus the length of this fragment's data exceeds the maximum size of an IP datagram, so reassembly would overflow the receiver's buffer. This indicates a DoS attack.

  • 2155-Modem DoS: This signature fires when a series of three plus signs (+++) is found in the payload of an ICMP packet. Because +++ is the Hayes modem escape sequence, a modem that echoes the packet back can be forced out of data mode into command mode, knocking the dial-up link offline.
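The stateless and stateful checks listed above can be written down as a small detector. The following is an added example, not Cisco code and not part of the original page: it parses raw IPv4/ICMP bytes and reports which of the listed signature IDs fire for each datagram, keeping per-source and per-destination state for the sweep, flood and Smurf signatures. The packet builder build_ipv4_icmp, the sample packets it constructs, and the thresholds SWEEP_HOSTS, SMURF_REPLIES and FLOOD_PKTS are assumptions for the demonstration; the page gives no threshold values, and "large" for 2151 is taken as an IP total length above 1024 bytes.

```python
import socket
import struct
from collections import defaultdict

# Per-type signatures from the 2000 series list: ICMP type -> signature ID
TYPE_SIGS = {0: 2000, 3: 2001, 4: 2002, 5: 2003, 8: 2004,
             13: 2007, 14: 2008, 17: 2011, 18: 2012}
# Sweep signatures 2100-2102: ICMP type of the probe -> signature ID
SWEEP_SIGS = {8: 2100, 13: 2101, 17: 2102}
# Thresholds are assumptions for this example; the page states none
SWEEP_HOSTS = 5       # distinct targets from one source before a sweep fires
SMURF_REPLIES = 10    # Echo Replies to one host before 2153 fires
FLOOD_PKTS = 20       # ICMP datagrams to one host before 2152 fires
LARGE_LEN = 1024      # 2151: IP total length above this is "large"
MAX_IP_LEN = 65535    # 2154: a reassembled size above this is a Ping of Death


def build_ipv4_icmp(src, dst, icmp_type, payload=b"", ident=1, mf=False, offset=0):
    """Constructed test input: a minimal IPv4 datagram carrying ICMP (checksums left 0)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, 1) + payload
    flags_frag = ((1 if mf else 0) << 13) | (offset & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, flags_frag,
                     64, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


class IcmpSigEngine:
    """Per-datagram checks run every call; sweep, Smurf and flood counters persist."""

    def __init__(self):
        self.sweep = defaultdict(set)    # (src, icmp_type) -> distinct destinations
        self.replies = defaultdict(int)  # dst -> Echo Replies seen
        self.flood = defaultdict(int)    # dst -> ICMP datagrams seen

    def inspect(self, pkt):
        """Return the list of signature IDs that fire for one raw IPv4 datagram."""
        fired = []
        ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
        if proto != 1:                   # every 2000-series signature requires ICMP
            return fired
        ihl = (ver_ihl & 0x0F) * 4
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        mf = bool(flags_frag & 0x2000)   # More Fragments flag
        offset = flags_frag & 0x1FFF     # fragment offset, in 8-byte units
        data = pkt[ihl:total_len]        # IP data length = total length - header length

        if mf or offset:                                                # 2150
            fired.append(2150)
        if total_len > LARGE_LEN:                                       # 2151
            fired.append(2151)
        if offset and not mf and offset * 8 + len(data) > MAX_IP_LEN:   # 2154
            fired.append(2154)
        if b"+++" in data:                                              # 2155
            fired.append(2155)

        self.flood[dst] += 1                                            # 2152
        if self.flood[dst] == FLOOD_PKTS:
            fired.append(2152)

        # The ICMP header is only present in the first fragment (offset 0)
        if offset == 0 and len(data) >= 8:
            icmp_type = data[0]
            if icmp_type in TYPE_SIGS:
                fired.append(TYPE_SIGS[icmp_type])
            if icmp_type in SWEEP_SIGS:                                 # 2100-2102
                targets = self.sweep[(src, icmp_type)]
                targets.add(dst)
                if len(targets) == SWEEP_HOSTS:
                    fired.append(SWEEP_SIGS[icmp_type])
            if icmp_type == 0:                                          # 2153
                self.replies[dst] += 1
                if self.replies[dst] == SMURF_REPLIES:
                    fired.append(2153)
        return fired


if __name__ == "__main__":
    eng = IcmpSigEngine()
    print(eng.inspect(build_ipv4_icmp("10.0.0.1", "10.0.0.2", 8)))   # [2004]
    # Last fragment whose reassembled size would exceed 65535 bytes (2150 and 2154)
    print(eng.inspect(build_ipv4_icmp("10.0.0.1", "10.0.0.2", 8, b"A" * 80, offset=8184)))
    # Hayes escape sequence inside an Echo Request (2155 and 2004)
    print(eng.inspect(build_ipv4_icmp("10.0.0.1", "10.0.0.2", 8, b"AT+++ATH0")))
```

Two design points are worth noting. The type-based signatures are only evaluated on the first fragment, because later fragments carry no ICMP header, which is exactly why 2150 exists as a separate check: an attacker can hide the ICMP type from a naive parser by fragmenting. And 2154 is evaluated on a single fragment without reassembling anything, since the offset and length fields alone are enough to prove the reassembled datagram would exceed 65535 bytes.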