ICMP: Echo Reply Resent w/Different Length

This protocol anomaly triggers when it detects an ICMP echo reply retransmission (for example, with the same ID and sequence numbers) with different data length. This can indicate data tunneling over ICMP.

Extended Description

An ECHO RESPONSE message received by a client that matches the ID and sequence number of a transmitted ECHO datagram, but contains a different size payload, constitutes a protocol anomaly. This condition could indicate a network configuration error, or that unauthorized "tunneling" activity is occurring.

Short Name
ICMP:EXPLOIT:DIFF-LEN-IN-RESP
Severity
Major
Recommended
False
Recommended Action
None
Category
ICMP
Release Date
04/22/2003
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3324
False Positive
Unknown

Found a potential security threat?