Network Intrusion Detection, Third Edition.pdf

the smallest MTU along the path arrive at the destination, but larger ones do not. So, if you choose to block ICMP, make sure that you make an exclusion to allow "host unreachable - need to frag" ICMP messages into your network.

Summary

ICMP is a protocol that is supposed to be used to alert hosts of problem conditions or to exchange simple messages. It can be transmitted between two hosts exclusively, or it can be transmitted to multiple hosts using the broadcast address.

Regard ICMP as a potential threat. This chapter has identified some of the current known malicious uses of ICMP. No doubt, many more will come, with many new flavors of unknown subversions.

Block inbound ICMP, but do so wisely and selectively. Although you will prevent potentially malicious traffic from entering your network, make sure that you understand the adverse consequences to your own network of blocking inbound ICMP traffic.
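The selective policy described above (drop inbound ICMP, but let "need to frag" through so path MTU discovery keeps working) as an added worked example that is not from the book: a small parser plus decision function over constructed ICMP messages. The type/code values and the next-hop MTU field are the standard ones from RFC 792 and RFC 1191; the sample messages are built inline and are not captured traffic.

```python
import struct
from typing import Optional, Tuple

# Standard ICMP constants (RFC 792 / RFC 1191), not page-specific values.
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
CODE_FRAG_NEEDED = 4          # "need to frag": unreachable, fragmentation needed and DF set
IPV4_MIN_MTU = 68             # smallest MTU an IPv4 host must accept (RFC 791)

def ipv4_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words (RFC 1071); 0 means a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Construct an ICMP message with a correct checksum (used only to make sample input)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = ipv4_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload

def inbound_icmp_decision(icmp: bytes) -> Tuple[str, Optional[int]]:
    """Apply the chapter's policy: drop inbound ICMP except 'need to frag'.
    Returns (verdict, next_hop_mtu); the MTU is only reported for an accepted message."""
    if len(icmp) < 8:
        return ("drop", None)                    # truncated header: fail closed
    if ipv4_checksum(icmp) != 0:
        return ("drop", None)                    # corrupted or forged checksum
    icmp_type, code = struct.unpack("!BB", icmp[:2])
    if icmp_type == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
        next_hop_mtu = struct.unpack("!H", icmp[6:8])[0]   # RFC 1191: bytes 6-7
        if next_hop_mtu < IPV4_MIN_MTU:
            return ("drop", None)                # bogus MTU: honouring it would stall the flow
        return ("accept", next_hop_mtu)
    return ("drop", None)                        # everything else, including echo request

# Constructed sample messages (not captured traffic). ORIG_HDR stands in for the
# quoted original IP header + 8 bytes that a real unreachable message carries.
ORIG_HDR = b"\x45" + b"\x00" * 27
NEED_FRAG = build_icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, struct.pack("!HH", 0, 1400), ORIG_HDR)
ECHO_REQ = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"ping")
BOGUS_MTU = build_icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, struct.pack("!HH", 0, 20), ORIG_HDR)
CORRUPT = NEED_FRAG[:6] + b"\xff" + NEED_FRAG[7:]   # one flipped byte, checksum now wrong
```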

Chapter 5. Stimulus and Response

Up until this chapter, you have been exposed to mostly stimulus activity. Not much time or discussion has been invested presenting the unique responses from different stimuli. This served you well when new theories and concepts were introduced so as not to add layers of complexity to new material. Hopefully, now that you understand the basic theory, you are ready to diversify your exposure.

Most current network intrusion detection systems have very high rates of false positives. In other words, they cannot yet make wise decisions on whether traffic coming across a given network is harmful or innocuous. So, the network intrusion-detection system (NIDS) often errs on the side of caution, and alarms when there is no problem. There are many reasons for this, but the short explanation is that most times the signatures or rule set that the NIDS uses to determine suspicious traffic are too generic. If these signatures cannot be or are not more precisely customized, the NIDS will often alert when no problem exists.

Therefore, the analyst must make the distinction between false positive and valid alarms. You examine the traffic associated with the alarm and determine whether it is a false alarm. To make such a determination, you need to have a foundation in what seemingly normal or abnormal traffic looks like. Common sense dictates that all aspects of standard stimuli and responses cannot be covered in this chapter. The intention is to impart some general knowledge, however, so that you can make a more intelligent determination of the kind of traffic you observe on different networks.

This chapter first exposes you to the expected behavior of typical applications and protocols. Next, you learn about a category of activity that manifests expected, yet uncommon behavior.
