Hi there. So as part of our engagement when deploying Rapid7 we were advised to have ICMP turned on as part of asset discovery. What we are seeing, however, is that we are getting thousands of assets added that, when I look in the logs, the only thing that exists for them is DEAD (reason=host-unreach). It seems like Rapid7 is logging ICMP Host Unreachable responses as live assets. As an example, in one day we had 16k such assets added. I have a support case open for this issue and it seems that the only solution would be to disable ICMP on discovery.
Has anyone on here run into a similar situation? If so, what was your solution? I’ve talked with our networking staff and while they could possibly disable that ICMP Host Unreachable reply, they are unsure of what else could be impacted.
I’ve run into similar things with TCP reset responses from SYN requests, but I’ve never had that issue with ICMP. I’d recommend checking out this blog, and maybe check out the section on TCP reset response options and how to ignore those: Scan Template Best Practices in InsightVM | Rapid7 Blog
You are not alone, I have also seen this. I do not think that it is common to set devices to reset ICMP. My guess is that it was set for troubleshooting and then not taken off. I have seen what you are describing and the way I dealt with it was to take ICMP out of the template. Most likely the devices that you are going after will respond to one of the well-known ports in the template and you can continue on with doing other work alongside squashing vulns on your network. This is the very reason why these settings are exposed to us, so we can change them to fit our environment. Every environment is a little different. Rapid7 has an option that is passed to the nmap they distribute as part of Nexpose/InsightVM to ignore the TCP resets, as mentioned by @landon_dalke. However, ICMP resets are not accounted for and an ICMP reset will trigger an asset to be identified as alive. It is like you knocked on a door and then you hear someone shout “nobody is home, go away now!”. Then you get out your notepad and note, they said nobody is home, so wait a minute, they are home…you almost got me. 16k times per scan.
If you only had a few networks like this, you could just modify a template for that section of the network. Dealing with 16k, you need to isolate that either from the template or have the network firewall rules adjusted.
Thoughts to deal with this and 16k assets:
1> Remove ICMP from your template. (Most likely the bulk of your assets are responding on something more than ICMP anyway.)
2> Ask the network team to allow ICMP from your scanner. If you explain to them that this will help you manage your license and if they could allow ICMP, then you can get a better asset list.
3> Ask the network team to remove the deny. (Maybe it was set for testing and not disabled after.)
4> Stop doing a discovery and pipe in the assets to your sites using automation.
5> Ask R7, in the nicest way possible, to add an ignore ICMP reset option.
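As an added example (not from any poster or from Rapid7), here is a small triage script for the situation described in this thread: it walks discovery log lines and separates assets whose only evidence of being "alive" is an ICMP host-unreachable reply from assets that answered on a port or to an echo request. The log line format and the IP addresses are constructed for the example; only the `DEAD (reason=host-unreach)` token is taken from the original post.

```python
import re
from collections import defaultdict

# Constructed sample discovery log (hypothetical format, not real InsightVM
# output). Each line: <ip> <state> (reason=<why>[ port=<n>]).
SAMPLE_LOG = """\
10.0.1.5 DEAD (reason=host-unreach)
10.0.1.7 ALIVE (reason=syn-ack port=443)
10.0.1.5 DEAD (reason=host-unreach)
10.0.2.9 ALIVE (reason=echo-reply)
10.0.2.10 DEAD (reason=host-unreach)
10.0.2.10 ALIVE (reason=syn-ack port=22)
garbage line that should be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<state>ALIVE|DEAD)\s+\(reason=(?P<reason>[\w-]+)"
)

# Reasons that are genuine evidence a host exists. An ICMP host-unreachable
# reply comes from a router or firewall, not the target, so it is excluded.
LIVE_REASONS = {"syn-ack", "echo-reply"}


def collect_evidence(log_text):
    """Map each IP to the set of discovery reasons seen for it."""
    evidence = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            evidence[m["ip"]].add(m["reason"])
    return dict(evidence)


def classify_assets(log_text):
    """Return {ip: 'live' | 'phantom' | 'mixed'}.

    phantom: only host-unreach replies, i.e. the 16k-style false assets.
    mixed:   host-unreach seen, but real evidence too (worth a look).
    live:    real evidence only.
    """
    result = {}
    for ip, reasons in collect_evidence(log_text).items():
        has_real = bool(reasons & LIVE_REASONS)
        has_unreach = "host-unreach" in reasons
        if has_unreach and not has_real:
            result[ip] = "phantom"
        elif has_unreach:
            result[ip] = "mixed"
        else:
            result[ip] = "live"
    return result


def phantom_assets(log_text):
    """Sorted list of IPs that should not count against the license."""
    return sorted(ip for ip, c in classify_assets(log_text).items() if c == "phantom")
```

Run `phantom_assets(SAMPLE_LOG)` to get the candidates for removal from a site, and review the `mixed` entries by hand before excluding anything.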