Sites that see incoming echo replies when there are no echo requests may be seeing an advanced probe. Another possibility is that your address space is being used (spoofed) in a smurf style denial of service attack against the source address. Sites that see outgoing echo replies w/o echo requests would do well to investigate. Sites that see outgoing ICMP broadcast packets with the source IP address not part of their own internal address space may well be launching a smurf attack.
ICMP in particular "ping" traffic was once considered to be benign. These days many firewall administrators block ping traffic (but few block echo replies) to their internal sites from an external site. There are a variety of problems that have been noted with respect to echo requests and replies, they include smurf, network mapping and loki or an inverse mapping technique.
Smurf is broadcast ICMP from a spoofed address and is a well documented attack. Incoming smurf might have a pattern similar to this:
00:00:05 spoofed.net > 192.168.15.255: icmp: echo requestNote the timestamps in the above probe. This is indicative of a flood attack on the target. Blocking incoming echo requests can help prevent smurf attacks.
For further information about smurf, click here.
Network mapping can use ICMP echo requests for reconnaissance purposes. By sending a few packets with broadcast and legacy broadcast addresses, probers can find active hosts in your network. This is a very common practice for attackers. Blocking incoming echo requests can help prevent this type of probe but it will affect ping traffic. Network mapping might look similar to this:
00:00:05 non-spoofed.net > 192.168.14.255: icmp: echo requestOne of network mapping's goals is to map the net in a manner that won't arouse suspicion. Packets are sent infrequently or at longer intervals . The timestamps in the above example provide a clue that the probe is a network map and not a Smurf attack.
Covert Channel Communication
ICMP_ECHO traffic can be used to construct covert communications channels through networks. Several members of the SANS community have discovered evidence of this happening on a widespread scale.
The normal "ping" protocol states that one site (the pinger) sends an ICMP_ECHO packet to the target (the pingee). The pingee then sends an ICMP_ECHOREPLY back. ICMP_ECHO packets have an option to include a data section that usually stores timing information to determine round-trip packet times. Firewalls and filtering routers do not check the data content, so it is possible to transmit malicious information in this packet. This is a covert channel. Most network routers pass, drop or return ICMP traffic. Since they don't filter the data content, it is possible to masquerade Trojan packets as valid ICMP_ECHO packets. One example of this type of attack is described in Phrack Magazine and is called Project Loki. A loki packet might look like this:
04:19:31.800000 126.96.36.199 > 192.168.5.5: icmp: echo reply (DF)
Inverse mapping makes it possible to map an internal network that is protected by a firewall using this technique. An unsolicited ICMP_ECHOREPLY packet is a fake packet that will pass through most firewalls. Most routers will send a HOST_UNREACHABLE packet back to the pinger if they receive an unsolicited ICMP_ECHOREPLY packet sent to a nonexistent host system. If the host exists, the router drops the packet and sends nothing back to the pinger. The hacker can use these responses or lack of response to map active IP addresses on the inside by seeing which HOST_UNREACHABLE packets are returned. That pattern might look like this:
00:58:16 prober> 172.20.179.41: icmp: echo reply
Once a hacker knows which internal IP addresses are valid, it is much easier for them to target their efforts on specific hosts. Evidence suggests that once compromised, these hosts may use covert channels to tunnel information from the outside into the internal net and vice versa. The covert channel currently being employed uses the data portion of ICMP echo request packets. This technique is described in Phrack 49 and Phrack 51.
It should be emphasized that this probe is very similar to a Smurf attack. You need to examine the data packets carefully.
Solutions and Countermeasures
There are a number of solutions that appear to help stop this probe and the potential subsequent attack.
Sample Filter Code
Here is some code to check for unsolictied ICMP echo requests. You run it like one_day_pat.pl. Need a site (-l) and need a date(-d).