In this simulation, you will analyze network traffic to identify active reconnaissance attempts. Understanding how attackers use malformed or unusual ICMP requests for OS fingerprinting is critical for writing effective IDS rules and Wireshark filters.
CND (312-38) Network Defense Simulation
Network Scenario
Your organization's DMZ firewall has logged an increase in ICMP traffic directed at a public-facing web server (10.10.50.25). As a Network Security Analyst, you pull the associated packet capture (PCAP) to investigate. You suspect an attacker is using an automated scanning tool (like Xprobe2 or Nmap) to perform active OS fingerprinting by sending non-standard ICMP Type and Code combinations to observe how the target's TCP/IP stack replies. You need to apply a display filter to isolate these malicious probes.
Traffic & Logs
[**] [1:483:5] ICMP PING NMAP [**]
[Priority: 2] {ICMP} 203.0.113.45 -> 10.10.50.25
1 0.00000 203.0.113.45 -> 10.10.50.25 ICMP 60 Echo (ping) request id=0x1234, seq=1/256, ttl=64
2 0.01250 10.10.50.25 -> 203.0.113.45 ICMP 60 Echo (ping) reply id=0x1234, seq=1/256, ttl=128
3 0.02400 203.0.113.45 -> 10.10.50.25 ICMP 60 Echo (ping) request id=0x1234, seq=2/512, ttl=64 (Code=8) [ANOMALY]
4 0.04500 203.0.113.45 -> 10.10.50.25 ICMP 60 Echo (ping) request id=0x1234, seq=3/768, ttl=64 (Code=4) [ANOMALY]
Question
Which display filter can an analyst use to locate the unusual ICMP requests, i.e. the probes the attacker sends to the target OS in order to observe its responses and perform ICMP-based fingerprinting?
An ICMP Echo Request is normally Type 8 with a Code of 0. Attackers manipulate the Code field on Type 8 packets to elicit unique error responses from different operating systems.
Expert Analysis
1. What is happening in the network: An external threat actor is sending ICMP Echo Requests with intentionally malformed or non-standard code fields. Because different Operating Systems implement the TCP/IP stack differently (RFC variations), they will drop, reply, or send a specific error message back when they receive these anomalies.
2. Identify attack or behavior: Active Reconnaissance via ICMP-based OS Fingerprinting. Tools like Nmap and Xprobe2 rely heavily on this technique to silently identify the target OS before launching an exploit.
3. Why the correct answer (B) is correct: ICMP Echo Requests are matched by icmp.type==8. Under the RFC specification, the only valid code for an Echo Request is 0. A filter such as icmp.type==8 && !(icmp.code==0) therefore isolates Echo Requests carrying an irregular code, which is a strong indicator of fingerprinting probes.
4. Why the other options are wrong:
- Option A: ICMP Type 9 is for Router Advertisements, not the primary vehicle for Echo-based OS fingerprinting.
- Options C & D: These search for parameter problems, information requests, or subnet mask requests (Types 12, 14, 15, 17). While sometimes used for recon, filtering exclusively for Type 8 with aberrant codes is the standard method for catching modern OS fingerprint tools.
5. Defensive Action: Configure edge firewalls and IPS to strictly validate ICMP traffic. Drop any ICMP Type 8 packets where the code does not strictly equal 0. Furthermore, rate-limit ICMP to prevent scanning and DoS conditions.
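The filter logic from the analysis above, carried into code as an added example (it is not part of the simulation): a small Python detector that parses raw IPv4/ICMP packets and flags Echo Requests whose code is not 0, the same predicate as icmp.type==8 && !(icmp.code==0). The packets it runs over are constructed here to mirror the scenario's capture (same addresses, id and sequence numbers); checksums are left zero since only type/code are inspected.

```python
import struct
from ipaddress import IPv4Address

ICMP_ECHO_REQUEST = 8  # RFC 792: Echo Request is Type 8, and its only valid Code is 0

def build_ipv4_icmp(src, dst, icmp_type, icmp_code, ident, seq, ttl=64):
    """Build a minimal IPv4 + ICMP packet (constructed sample; checksums zeroed)."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, ident, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + icmp

def parse_packet(raw):
    """Return (src, dst, type, code, ident, seq) for an IPv4/ICMP packet, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4            # header length in bytes, honours IP options
    if raw[9] != 1 or len(raw) < ihl + 8:  # protocol 1 = ICMP
        return None
    src, dst = str(IPv4Address(raw[12:16])), str(IPv4Address(raw[16:20]))
    icmp_type, icmp_code, _csum, ident, seq = struct.unpack("!BBHHH", raw[ihl:ihl + 8])
    return src, dst, icmp_type, icmp_code, ident, seq

def is_anomalous_echo(icmp_type, icmp_code):
    """Wireshark equivalent: icmp.type==8 && !(icmp.code==0)."""
    return icmp_type == ICMP_ECHO_REQUEST and icmp_code != 0

def find_fingerprint_probes(packets):
    """Return (src, dst, seq, code) for every Echo Request with a non-zero code."""
    hits = []
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        src, dst, icmp_type, icmp_code, _ident, seq = parsed
        if is_anomalous_echo(icmp_type, icmp_code):
            hits.append((src, dst, seq, icmp_code))
    return hits

# Constructed packets mirroring frames 1-4 of the scenario capture.
SAMPLE = [
    build_ipv4_icmp("203.0.113.45", "10.10.50.25", 8, 0, 0x1234, 1),           # normal ping
    build_ipv4_icmp("10.10.50.25", "203.0.113.45", 0, 0, 0x1234, 1, ttl=128),  # echo reply
    build_ipv4_icmp("203.0.113.45", "10.10.50.25", 8, 8, 0x1234, 2),           # Code=8 probe
    build_ipv4_icmp("203.0.113.45", "10.10.50.25", 8, 4, 0x1234, 3),           # Code=4 probe
]

if __name__ == "__main__":
    for src, dst, seq, code in find_fingerprint_probes(SAMPLE):
        print(f"ANOMALY {src} -> {dst} echo request seq={seq} code={code}")
```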
MINI LESSON: Protocol Behavior & Anomaly Detection
Network defense requires intimate knowledge of RFC standards. A standard ping is simply ICMP Type 8, Code 0. When an attacker manipulates standard protocols—such as changing the Code field on an Echo Request—they force the target OS to make a decision outside normal parameters. A Windows server might silently drop it, while a Linux kernel might reply with an ICMP Parameter Problem. Detection vs Prevention: Detecting it helps map the attacker's intent; preventing it requires strict protocol validation at the network boundary.