TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 12255
ICMP Source Quench message with undefined ICMP code
Threat Level: Information
Signature Description: This rule gets hit when an ICMP "Source Quench" message is detected that has a non-zero
ICMP code. An ICMP "Source Quench" message is issued by a network device that cannot handle the current volume
of traffic. The ICMP code value for this message should be 0. If a non-zero ICMP code is observed, it may be an
indication that the packet was crafted with an invalid value. ICMP Source Quench messages may normally be sent by
either a gateway or a host as a congestion control mechanism: a gateway sends them when it is running out of buffer
space (needed to queue datagrams for output to the next hop), and a host sends them when it is receiving datagrams too
fast to process. Maliciously crafted ICMP Source Quench messages may be used to force a remote host to slow down
its transmission rate, causing a Denial of Service. An attacker may craft an ICMP "Source Quench" message with an
invalid ICMP code. A single packet itself is not harmful, but the unusual ICMP code may indicate that this packet was
abnormally generated. Sending an ICMP message with undefined ICMP code values should be considered nefarious
activity on the network.
Signature ID: 12256
ICMP Time-To-Live Exceeded message in Transit
Threat Level: Information
Signature Description: This rule gets hit when a valid ICMP "Time Exceeded" message is detected. An ICMP "Time
Exceeded" message is issued by a router when either the maximum number of hops has been exceeded or a timer has
expired before all fragments have been received. Each packet is assigned an initial Time To Live (TTL) value before
being sent. This value is usually determined by the operating system of the given TCP/IP stack. The TTL value
represents the maximum number of hops a packet may take before being expired by a routing device. This is done to
banish lost or misguided packets from the network. The “traceroute” utility assigns its own TTL values
to dictate the number of hops a packet takes, to discover all the routing devices that are traversed by a packet. During
the process, an ICMP "Time Exceeded in Transit" message may be observed. If a router in your network sends this
message, it may be an indication that an attacker is attempting a traceroute of a host in your network.
Signature ID: 12257
ICMP Time-To-Live Exceeded message in Transit with undefined code
Threat Level: Information
Signature Description: This rule gets hit when an ICMP "Time Exceeded" message is generated that has an invalid
ICMP code. An ICMP "Time Exceeded" message is issued when either the maximum number of hops has been
exceeded or a timer has expired before all fragments have been received. The ICMP code value for this message should
be 0 or 1. If a value greater than 1 for the ICMP code is observed, it may be an indication that the packet was crafted
with an invalid value. An attacker may craft an ICMP "Time Exceeded" message with an invalid ICMP code. A single
packet itself is not harmful, but the unusual ICMP code may indicate that this packet was abnormally
generated. Sending an ICMP message with undefined ICMP code values should be considered nefarious activity on
the network.
Signature ID: 12258
ICMP Timestamp Request with undefined code
Threat Level: Information
Signature Description: This rule gets hit when an ICMP Timestamp request is made with an invalid or undefined ICMP
Code. An ICMP Timestamp request is used by the ping command to elicit an ICMP Timestamp reply from a listening
live host. This rule alerts on a generic ICMP request where no payload is included in the message or the payload does
not match more specific rules. If ICMP type 8 (echo) traffic is filtered at a firewall, an attacker may try to use type 13
(timestamp) as an alternative. Sending an ICMP message with undefined ICMP code values should be considered
nefarious activity on the network.
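The four signatures above (12255, 12256, 12257 and 12258) all reduce to checks on the ICMPv4 type and code
fields. The following Python is an added illustration of those checks, not the TMS zl module's own rule syntax or
code: it parses a raw ICMPv4 message, verifies the RFC 1071 checksum, and reports which of the four signature IDs
would fire. Two modelling assumptions are made and marked in the code: signature 12256 is mapped to code 0 (the
"in transit" case named in its title) and, because the description calls the message "valid", it is only reported when
the checksum verifies; the sample messages are constructed here for the demonstration.

```python
"""ICMPv4 type/code checks modelled on IPS signatures 12255-12258.

Added example, not the TMS zl module's own code. Works on the raw ICMP
message (the bytes after the IPv4 header).
"""
import struct

# ICMPv4 type numbers from RFC 792
ICMP_SOURCE_QUENCH = 4
ICMP_TIME_EXCEEDED = 11       # code 0 = TTL exceeded in transit, code 1 = fragment reassembly
ICMP_TIMESTAMP_REQUEST = 13


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over the whole message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Build a minimal 8-byte ICMP message with a correct checksum (constructed sample input)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, rfc1071_checksum(header)) + rest


def parse_icmp(msg: bytes):
    """Return (type, code, checksum_ok); raise ValueError on a truncated header."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte minimum header")
    icmp_type, code, _received_checksum = struct.unpack("!BBH", msg[:4])
    # Summing the message including its checksum field yields 0 when the checksum is valid.
    checksum_ok = rfc1071_checksum(msg) == 0
    return icmp_type, code, checksum_ok


def match_signatures(msg: bytes) -> list:
    """Return the signature IDs from this page that the message would trigger."""
    icmp_type, code, checksum_ok = parse_icmp(msg)
    hits = []
    if icmp_type == ICMP_SOURCE_QUENCH and code != 0:
        hits.append(12255)                  # Source Quench with undefined code
    elif icmp_type == ICMP_TIME_EXCEEDED:
        if code == 0 and checksum_ok:
            hits.append(12256)              # assumption: "in Transit" = code 0, valid checksum required
        elif code > 1:
            hits.append(12257)              # Time Exceeded with undefined code (0 and 1 are defined)
    elif icmp_type == ICMP_TIMESTAMP_REQUEST and code != 0:
        hits.append(12258)                  # Timestamp Request with undefined code
    return hits


if __name__ == "__main__":
    samples = {
        "source quench, code 0 (normal)": build_icmp(ICMP_SOURCE_QUENCH, 0),
        "source quench, code 3": build_icmp(ICMP_SOURCE_QUENCH, 3),
        "time exceeded, code 0 (traceroute)": build_icmp(ICMP_TIME_EXCEEDED, 0),
        "time exceeded, code 1 (reassembly)": build_icmp(ICMP_TIME_EXCEEDED, 1),
        "time exceeded, code 7": build_icmp(ICMP_TIME_EXCEEDED, 7),
        "timestamp request, code 5": build_icmp(ICMP_TIMESTAMP_REQUEST, 5),
    }
    for label, msg in samples.items():
        print("%-36s -> %s" % (label, match_signatures(msg) or "no match"))
```

A production sensor would apply the same checks after stripping the IPv4 header (IHL * 4 bytes) and would
typically not gate the crafted-code signatures on the checksum, since a forged packet with a bad checksum is
still worth an alert; only the "valid message" case (12256) is gated here.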