ICMP Echo Reply without Echo

icmp-unsolicited-echo-reply (8014) The risk level is classified as LowLow Risk

Description:

This computer received an ICMP echo reply (commonly called a ping) without having first sent a ping request. This event may occur for one or more reasons:

  • Firewall scanning: Any administrator or intruder may use this technique to scan systems behind a corporate firewall. Most corporate firewalls allow ping/echo repsonses to pass through. Otherwise, ping programs won't work correctly. However, when a router within the corporation attempts to forward the packet to a nonexistent host, it sends back an "unreachable" message to the sender. In this manner, somebody can map the structure of the network behind a corporate firewall.
  • Trojan communication: ICMP traffic is a common way of communicating with Trojan horse programs. This method is effective because it passes through firewalls.
  • Denial of Service (DoS) attacks: Ping floods are also used as a direct DoS mechanism. The goal is to flood you with traffic (especially traffic that pierces firewalls) to slow down the Internet connection.
  • Spoof by-products: An attacker could be spoofing your IP address. They could be sending pings to a target claiming that these pings are from you. You would then see these replies. There is no reliable method to determine who is doing this.

Consequences:

Data Manipulation

Remedy:

Verfiy the source of the traffic and that no rogue applications are running.

References:

  • CVE-1999-0454: A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.

Platforms Affected:

  • Microsoft Windows
  • Unix Unix

Reported:

Not available

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page