Common Name:
Sample Trace:
None at this moment.
Description:
ICMP Type 0, which has only sub-code 0 and is also known as the ICMP Echo Reply, is the response type for ICMP echo requests (pings). You should not see these inbound without corresponding outbound traffic. The amount of data carried in a reply should also be close to the amount of data sent in the matching ICMP echo request. Finally, it should only carry sub-code 0, as no other sub-code is assigned to ICMP Type 0.
This was at one point used by malware such as TFN, TFN2K and Stacheldraht, which used ICMP echo requests and replies to transfer commands between their clients and daemons. These programs may also generate a great deal of traffic whose source address does not belong to your internal network.
Causes:
Normally it is seen in day-to-day traffic, used for troubleshooting.
Suggestions:
- If you can, block this protocol inbound and outbound. If that is not possible, limit who can use it. Some stateful firewalls monitor outbound traffic and allow only the corresponding inbound traffic, including an ICMP echo reply that answers an ICMP echo request.
- If your firewall has the capability, limit the size and the ICMP codes that are considered valid, and drop the remaining echo replies.
- In general, your router and firewall should not allow outbound traffic that is not sourced from your internal network.
- Run an IDS on the network so you can detect this anomalous traffic; many IDSs can now detect this type of malware.
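The checks described above (a reply must answer an earlier outbound request, its payload size should roughly match the request, its code must be 0, and outbound traffic must carry an internal source address) can be expressed as a small stateful audit over captured ICMP packets. The following is an added example written for this entry, not code from the original page or from any IDS product. It assumes a constructed list of packets already tagged with their direction relative to the monitored network (in practice this would come from a capture or firewall log), an assumed internal prefix of 10.0.0.0/8, and hypothetical helper names (`parse_icmp`, `audit_echo_replies`, `IcmpPacket`) chosen for this example. The ICMP checksum is not validated.

```python
import ipaddress
import struct
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0     # Type 0, the subject of this entry
ICMP_ECHO_REQUEST = 8   # Type 8, the request a reply must answer

# Assumed internal address range for the egress check (example value).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class IcmpPacket:
    direction: str   # "out" (leaving the monitored network) or "in" (entering it)
    src: str         # IP source address as seen on the wire
    raw: bytes       # ICMP header followed by the echo payload


def parse_icmp(raw):
    """Split the 8-byte ICMP echo header into (type, code, identifier, sequence, payload)."""
    if len(raw) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return icmp_type, code, ident, seq, raw[8:]


def build_echo(icmp_type, code, ident, seq, payload):
    """Build a raw echo request/reply; checksum left zero since the audit ignores it."""
    return struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + payload


def audit_echo_replies(packets, size_tolerance=0):
    """Return (reason, packet_index) findings for the echo reply rules in this entry.

    Requests are tracked by (identifier, sequence). A real monitor would expire
    entries after a timeout; this example keeps them for the life of the capture.
    """
    outstanding = {}   # (ident, seq) -> payload length of the outbound request
    findings = []
    for i, pkt in enumerate(packets):
        icmp_type, code, ident, seq, payload = parse_icmp(pkt.raw)

        if pkt.direction == "out":
            # Egress rule: outbound traffic must come from the internal network.
            if ipaddress.ip_address(pkt.src) not in INTERNAL_NET:
                findings.append(("spoofed-source", i))
                continue
            if icmp_type == ICMP_ECHO_REQUEST:
                outstanding[(ident, seq)] = len(payload)

        elif pkt.direction == "in" and icmp_type == ICMP_ECHO_REPLY:
            # Only sub-code 0 is assigned to Type 0.
            if code != 0:
                findings.append(("nonzero-code", i))
            # A reply must answer a request we actually sent.
            key = (ident, seq)
            if key not in outstanding:
                findings.append(("unsolicited-reply", i))
                continue
            expected = outstanding.pop(key)
            # Reply payload should be close in size to the request payload.
            if abs(len(payload) - expected) > size_tolerance:
                findings.append(("size-mismatch", i))
    return findings


# Constructed sample capture (not real traffic): one clean ping exchange plus
# one example of each condition the entry tells you to look for.
SAMPLE_PACKETS = [
    IcmpPacket("out", "10.0.0.5", build_echo(ICMP_ECHO_REQUEST, 0, 0x1234, 1, b"A" * 56)),
    IcmpPacket("in", "198.51.100.9", build_echo(ICMP_ECHO_REPLY, 0, 0x1234, 1, b"A" * 56)),
    IcmpPacket("in", "198.51.100.9", build_echo(ICMP_ECHO_REPLY, 0, 0x1234, 2, b"A" * 56)),
    IcmpPacket("out", "10.0.0.5", build_echo(ICMP_ECHO_REQUEST, 0, 0x1234, 3, b"A" * 56)),
    IcmpPacket("in", "198.51.100.9", build_echo(ICMP_ECHO_REPLY, 0, 0x1234, 3, b"B" * 1024)),
    IcmpPacket("in", "198.51.100.9", build_echo(ICMP_ECHO_REPLY, 3, 0x1234, 4, b"A" * 56)),
    IcmpPacket("out", "192.0.2.7", build_echo(ICMP_ECHO_REQUEST, 0, 0x1234, 5, b"A" * 56)),
]


if __name__ == "__main__":
    for reason, index in audit_echo_replies(SAMPLE_PACKETS):
        pkt = SAMPLE_PACKETS[index]
        print(f"packet {index} ({pkt.direction} from {pkt.src}): {reason}")
```

Packet 1 answers packet 0 and produces no finding; the remaining inbound replies are flagged as unsolicited, oversized, or carrying a non-zero code, and the final outbound request is flagged because its source address is outside the internal range. The `size_tolerance` parameter exists because some stacks pad or truncate echo payloads slightly, so an exact match is not always the right rule.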