ICMP Timestamp or Information Request from the Internet
This brief identifies inbound ICMP Timestamp (type 13) or Information (type 15) requests originating from external IP addresses and targeting internal RFC1918 destinations, a legacy diagnostic activity commonly associated with host and path fingerprinting during reconnaissance, active scanning, or OS fingerprinting efforts by an unidentified actor, indicating a potential prelude to more severe attacks.
This detection brief highlights the observation of inbound ICMP Timestamp (type 13) or Information (type 15) requests originating from external IP addresses and targeting internal RFC1918 IP space. These particular ICMP message types are considered legacy diagnostic messages and are rarely used in modern production networks. Their presence, especially from external sources directed towards internal assets, is a strong indicator of reconnaissance activity. This activity often involves host and path fingerprinting, active scanning, or operating system (OS) fingerprinting as an initial step in an attack chain. While the direct impact of these requests is low, they signify that an attacker is actively probing the network perimeter, seeking vulnerabilities or gathering intelligence for subsequent exploitation. The observed behavior began to be monitored as of June 2026, with the Elastic network_traffic integration being key to detecting these activities.
Attack Chain
This brief describes a specific reconnaissance technique rather than a multi-stage attack chain. The detection focuses on the initial probing phase where an attacker attempts to gather information about network topology and host characteristics.
Impact
While ICMP Timestamp or Information requests themselves do not directly compromise systems, their successful execution grants an attacker valuable reconnaissance data. This information can include host existence, network path details, and potentially OS characteristics, which are crucial for tailoring subsequent, more targeted attacks. If these requests are observed targeting unintentionally exposed internal hosts or misconfigured NAT devices, it indicates a significant security misconfiguration that an attacker could leverage. The ultimate impact could range from network mapping and service enumeration to preparing for credential access, privilege escalation, or data exfiltration, depending on the information gathered and the attacker's objectives.
Recommendation
- Deploy the Sigma rule "ICMP Timestamp or Information Request from the Internet" to your SIEM and tune for your environment to detect suspicious reconnaissance activity.
- Review
source.ipaddresses from detections generated by the Sigma rule against threat intelligence feeds and historical scan activity. - Determine whether the
destination.ipaddresses targeted by these requests are intentionally exposed (e.g., VPN concentrators) or if they represent misconfigured internal assets. - Investigate for adjacent port scans, SYN sweeps, or exploit attempts from the same source IP around the time of the detected ICMP requests.
- Block or rate-limit the external source IP addresses observed in detections at the perimeter firewall if the activity is unauthorized.
- Verify that any targeted internal hosts are not unintentionally exposed to the Internet, rectifying misconfigurations as needed.
Detection coverage 1
ICMP Timestamp or Information Request from the Internet
lowDetects inbound ICMP Timestamp (type 13) or Information (type 15) requests from external addresses to internal RFC1918 destinations, commonly associated with host and path fingerprinting during reconnaissance.
Detection queries are available on the platform. Get full rules →