ICMP Inspection
ICMP has been used in many different exploits and DoS attacks. One such exploit, which has
been termed a “smurf attack”, is a common attack used throughout the Internet. A
malicious host sends a stream of ICMP echo request packets to a network broadcast address.
The source of the packets is spoofed to appear as though the packets originate from the
intended target. Because the broadcast segment may have several hundred hosts, the replies
to the echo request overwhelm the target of the attack with echo replies that were never
requested. Using ICMP stateful inspection, the Security Appliance can restrict these attacks.
ICMP inspection enables the Security Appliance to track ICMP traffic and inspect each
packet like TCP and UDP traffic. With the inspect icmp command, the Security Appliance permits
only a single reply to any one ICMP request it has seen. ICMP inspection allows
replies only when the ICMP reply session information matches a request by scanning the
ICMP payload for pertinent information, specifically the source IP address, destination IP
address, protocol, identification number, and sequence number. It will then attempt to match
the information with each ICMP request and response pair. The inspect icmp command is
enabled by default in the inspection_default class-map.
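As an added illustration of the matching just described (example code written for this page, not Cisco's implementation), the following toy stateful inspector records each echo request by source address, destination address, identification number and sequence number, passes exactly one mirrored reply for it, and drops duplicate or unsolicited replies such as those a smurf amplifier would produce. All addresses and identifiers are constructed.

```python
from dataclasses import dataclass

ECHO_REPLY = 0     # ICMP type 0
ECHO_REQUEST = 8   # ICMP type 8

@dataclass(frozen=True)
class IcmpPacket:
    src: str        # source IP address
    dst: str        # destination IP address
    icmp_type: int  # ICMP type field
    ident: int      # identification number from the echo header
    seq: int        # sequence number from the echo header

class IcmpInspector:
    """Stateful inspector: one reply may pass per matching echo request."""

    def __init__(self):
        self.pending = set()   # (src, dst, ident, seq) of requests awaiting a reply
        self.dropped = []      # packets that were denied

    def inspect(self, pkt):
        """Return True if pkt is forwarded, False if it is dropped."""
        if pkt.icmp_type == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return True
        if pkt.icmp_type == ECHO_REPLY:
            # A reply must mirror the request's addresses and carry the same id/seq.
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.pending:
                self.pending.remove(key)   # session closed: no second reply passes
                return True
        self.dropped.append(pkt)           # unsolicited, duplicate, or unhandled type
        return False

def run_scenario():
    """Constructed traffic: one legitimate ping, then replies nobody asked for."""
    insp = IcmpInspector()
    results = []
    results.append(insp.inspect(IcmpPacket("10.0.0.5", "198.51.100.7", ECHO_REQUEST, 0x1234, 1)))
    results.append(insp.inspect(IcmpPacket("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 1)))
    # Second reply to an already answered request: dropped.
    results.append(insp.inspect(IcmpPacket("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 1)))
    # Replies from amplifier hosts answering a request the inside host never sent: dropped.
    for host in range(10, 13):
        results.append(insp.inspect(IcmpPacket(f"203.0.113.{host}", "10.0.0.5", ECHO_REPLY, 0x0042, 1)))
    return results, len(insp.dropped)

if __name__ == "__main__":
    print(run_scenario())   # ([True, True, False, False, False, False], 4)
```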