Skip to main content
Version: 7.5

ICMP Scan

ICMP Scan

Identifying an ICMP (Internet Control Message Protocol) Scan is a critical aspect of network reconnaissance detection and overall cybersecurity. An ICMP scan, often used in the initial stages of network reconnaissance, involves sending ICMP echo request packets ("pings") to various hosts on a network to determine which ones are active. While ICMP is a standard network tool for diagnosing and managing network issues, its use in scanning can signal the preliminary phase of a more targeted attack, where attackers seek to identify potential vulnerabilities in active hosts. Detecting ICMP scans promptly is essential as it can be an early warning of an impending cyber attack, allowing network administrators to tighten security measures, monitor suspicious activities more closely, and protect vulnerable systems before they can be exploited.

ElastiFlow provides a collection of anomaly detection jobs designed to identify ICMP scans comprising a series of monitoring strategies and analytics techniques, focused on detecting unusual ICMP traffic patterns that are indicative of scanning activities.

Attributes

AttributeInformation
Analysis Typetemporal
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

Downloads

SchemaPerspectiveWindowLink
CODEXedgefastelastiflow_codex_netsec_icmp_scan_direct_edge_fast
CODEXedgeslowelastiflow_codex_netsec_icmp_scan_direct_edge_slow
CODEXinboundfastelastiflow_codex_netsec_icmp_scan_direct_in_fast
CODEXinboundslowelastiflow_codex_netsec_icmp_scan_direct_in_slow
CODEXoutboundfastelastiflow_codex_netsec_icmp_scan_direct_out_fast
CODEXoutboundslowelastiflow_codex_netsec_icmp_scan_direct_out_slow
CODEXprivatefastelastiflow_codex_netsec_icmp_scan_direct_priv_fast
CODEXprivateslowelastiflow_codex_netsec_icmp_scan_direct_priv_slow
ECSedgefastelastiflow_ecs_netsec_icmp_scan_direct_edge_fast
ECSedgeslowelastiflow_ecs_netsec_icmp_scan_direct_edge_slow
ECSinboundfastelastiflow_ecs_netsec_icmp_scan_direct_in_fast
ECSinboundslowelastiflow_ecs_netsec_icmp_scan_direct_in_slow
ECSoutboundfastelastiflow_ecs_netsec_icmp_scan_direct_out_fast
ECSoutboundslowelastiflow_ecs_netsec_icmp_scan_direct_out_slow
ECSprivatefastelastiflow_ecs_netsec_icmp_scan_direct_priv_fast
ECSprivateslowelastiflow_ecs_netsec_icmp_scan_direct_priv_slow

By implementing this suite of anomaly detection jobs, organizations can effectively monitor and swiftly identify ICMP scanning activities. Early detection of such reconnaissance activities is crucial in pre-emptively addressing potential cybersecurity threats, allowing for timely and appropriate defensive actions to protect the network infrastructure.