
Flowmon ADS User Guide

ICMPANOM - ICMP Anomaly

  • Last Updated: April 5, 2026

Method description

This detection method identifies suspicious communication in ICMP traffic. It reports an increased number of ICMP type 3 (Destination Unreachable) messages, which can signal the spread of a worm. It monitors the long-term behavior of a node in the network and compares the current observation both with the statistics of that node and with the global statistics of the network. Additionally, it can detect ICMP scans, ICMP Smurf attacks, ping floods, and ICMP packets with excessive payload.

The TimeWindow parameter specifies the time window (in hours) for collecting and processing the long-term statistics. The ICMPThreshold parameter specifies the maximum allowed increase (in percent) of observed ICMP type 3 messages, and the Type3MsgThreshold parameter sets the lower boundary for the number of ICMP type 3 messages received by a single IP address (the minimum number of messages that can be considered anomalous; smaller counts are not reported even when the relative increase is large). The part of the detection method that focuses on ICMP scans can also be limited by the minimum number of scanned devices (the ScannedDevices parameter).

The ICMP echo request flood detection is limited by the PingFloodThreshold parameter. Its value is the minimum number of echo request packets a source must send before it is reported.

The excessive payload detection is limited by the MinimalPackets and MinimalPayload parameters, which set, respectively, the minimum number of the respective ICMP packets and their minimum average payload (in bytes per packet) required before a transfer is reported.

This method consists of the following submethods:

  • DestinationUnreachIP: Reports if the number of ICMP type 3 (destination unreachable) messages received by a device exceeds a long-term average of this device.

  • DestinationUnreachNetwork: Reports if the number of ICMP type 3 (destination unreachable) messages received by a device exceeds a long-term average of the entire monitored network.

  • SmurfAttack: Reports the Denial of Service (DoS) attacks that are using the ICMP Smurf technique.

  • ICMPScan: Reports scanning of the live devices in the network using the ICMP protocol.

  • PingFlood: Reports the Denial of Service (DoS) attacks that are using the Ping flood technique.

  • LargePayload: Reports ICMP echo request packets with a large payload (potential data transmission or exfiltration of sensitive data over an unusual protocol, for example ICMP tunneling).

Method configuration

It is recommended to apply this method to all IP addresses. The right places to monitor traffic are the central switch and the Internet connection line, so that both internal host-to-host traffic and traffic crossing the perimeter are observed.

Method parameters

DestinationUnreach

  • TimeWindow: Number of hours (the length of the moving time window) for which the ICMP traffic statistics are stored.

  • ICMPThreshold: Threshold for the increase in the number of ICMP type 3 messages (in percent). It is used for the comparison with the device's previous statistics and with the network average.

  • Type3MsgThreshold: Minimum number of ICMP type 3 messages a device must receive before it can be reported.

ICMPScan

  • ScannedDevices: Minimum number of scanned devices required to report an ICMP scan.

PingFlood

  • PingFloodThreshold: Minimum number of ICMP echo request messages a source must send to be reported as a ping flood.

LargePayload

  • MinimalPackets: Minimum number of ICMP packets required to report a high-volume transfer over the ICMP protocol.

  • MinimalPayload: Minimum average payload (in bytes per packet) required to report a high-volume transfer over the ICMP protocol.
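The following Python script is an added example illustrating how the parameters above combine in the DestinationUnreachIP, DestinationUnreachNetwork, ICMPScan, PingFlood and LargePayload submethods described in the method description. It is not Flowmon ADS code and does not reproduce Flowmon's actual algorithm; the flow records, the long-term baselines and every numeric parameter value are constructed assumptions, and the SmurfAttack submethod is left out because the page lists no parameter for it.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One aggregated ICMP flow record (constructed shape, not Flowmon's schema)."""
    src: str
    dst: str
    icmp_type: int   # 0 = echo reply, 3 = destination unreachable, 8 = echo request
    packets: int
    bytes: int


# Hypothetical parameter values. The names are the ICMPANOM parameters; the
# numbers are assumptions chosen for this example, not Flowmon defaults.
PARAMS = {
    "ICMPThreshold": 200,        # percent increase over the long-term average
    "Type3MsgThreshold": 50,     # minimum type 3 messages before a device is reported
    "ScannedDevices": 20,        # minimum distinct echo-request targets for ICMPScan
    "PingFloodThreshold": 1000,  # minimum echo-request packets for PingFlood
    "MinimalPackets": 10,        # minimum echo-request packets for LargePayload
    "MinimalPayload": 1000,      # minimum average bytes per packet for LargePayload
}


def exceeds(count, baseline, pct):
    """True if count is more than pct percent above baseline."""
    return count > baseline * (1 + pct / 100.0)


def detect(flows, ip_baseline, network_baseline, params=PARAMS):
    """Evaluate the submethods over one batch of flows.

    ip_baseline maps a device to its long-term average of received type 3
    messages per window (the TimeWindow statistics); network_baseline is the
    same average over the whole monitored network.
    """
    type3_in = defaultdict(int)       # dst -> type 3 messages received
    echo_pkts = defaultdict(int)      # src -> echo request packets sent
    echo_bytes = defaultdict(int)     # src -> echo request bytes sent
    echo_targets = defaultdict(set)   # src -> distinct echo request targets

    for f in flows:
        if f.icmp_type == 3:
            type3_in[f.dst] += f.packets
        elif f.icmp_type == 8:
            echo_pkts[f.src] += f.packets
            echo_bytes[f.src] += f.bytes
            echo_targets[f.src].add(f.dst)

    alerts = []
    for dev, n in type3_in.items():
        # Type3MsgThreshold is the lower boundary: small counts are never anomalous,
        # however large the relative increase over the baseline.
        if n < params["Type3MsgThreshold"]:
            continue
        if exceeds(n, ip_baseline.get(dev, 0), params["ICMPThreshold"]):
            alerts.append(("DestinationUnreachIP", dev, n))
        if exceeds(n, network_baseline, params["ICMPThreshold"]):
            alerts.append(("DestinationUnreachNetwork", dev, n))

    for src, targets in echo_targets.items():
        if len(targets) >= params["ScannedDevices"]:
            alerts.append(("ICMPScan", src, len(targets)))
        if echo_pkts[src] >= params["PingFloodThreshold"]:
            alerts.append(("PingFlood", src, echo_pkts[src]))
        avg = echo_bytes[src] / echo_pkts[src]
        if echo_pkts[src] >= params["MinimalPackets"] and avg >= params["MinimalPayload"]:
            alerts.append(("LargePayload", src, round(avg)))
    return alerts


def sample_flows():
    """Constructed flows for the example; not captured traffic."""
    # 10.0.0.5 probes 100 hosts over UDP and gets 4 port-unreachable replies from each.
    flows = [Flow("10.0.1.%d" % i, "10.0.0.5", 3, 4, 4 * 56) for i in range(1, 101)]
    # 10.0.0.7 receives 30 type 3 messages: above its baseline, below Type3MsgThreshold.
    flows += [Flow("10.0.1.%d" % i, "10.0.0.7", 3, 1, 56) for i in range(1, 31)]
    # 10.0.0.9 pings 25 distinct hosts once each (ICMP sweep).
    flows += [Flow("10.0.0.9", "10.0.2.%d" % i, 8, 1, 64) for i in range(1, 26)]
    # 10.0.0.11 sends 5000 echo requests to a single host (ping flood).
    flows.append(Flow("10.0.0.11", "10.0.0.1", 8, 5000, 5000 * 64))
    # 10.0.0.13 sends 40 echo requests averaging 1500 bytes (data carried in ICMP).
    flows.append(Flow("10.0.0.13", "203.0.113.10", 8, 40, 40 * 1500))
    return flows


IP_BASELINE = {"10.0.0.5": 100, "10.0.0.7": 5}   # assumed long-term per-device averages
NETWORK_BASELINE = 50                              # assumed network-wide average


def run_example():
    return detect(sample_flows(), IP_BASELINE, NETWORK_BASELINE)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The case of 10.0.0.7 shows why Type3MsgThreshold exists: a jump from 5 to 30 messages is a 500 percent increase, but with so few messages it is noise, and the lower boundary suppresses it. Raising ICMPThreshold makes the two DestinationUnreach submethods less sensitive to gradual drift; lowering ScannedDevices catches slower sweeps at the cost of more false positives from legitimate monitoring tools.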

Assigned filter

The filter restricts the source or destination IP addresses to which the method is applied.

Interpretation of results

The method detects an increase in ICMP type 3 (Destination Unreachable) messages. This typically happens during the spread of a worm, especially one that probes over UDP: hosts with closed ports answer each probe with an ICMP Port Unreachable message (type 3, code 3), so the scanning host receives many of them. It can also indicate a misconfigured device repeatedly trying to reach unavailable UDP services. ICMP scans are used to identify live hosts in the network and are also performed by malware. An ICMP Smurf attack sends echo requests with the victim's spoofed source address to a broadcast address, so that the network, and especially the connection link to the victim, is flooded with a large number of ICMP echo replies.
