GEN:SID 1:388
Message ICMP Address Mask Request
Summary This event is generated when an ICMP Address Mask Request message is found on the network.  ICMP Address Mask Requests are used for automatically determining the 32-bit subnet mask for the network.
Impact Attacks may use an ICMP address Mask Request to determine the subnet mask of the network.  This information can be used to help develope a network diagram in lue of more focused attacks.
Detailed Information ICMP Address Mask Requests are defined in RFC 950 as the third method hosts may support for determing the address mask correspoding to its IP address.  In most implementations this method is not supported, and should not be normal traffic on most networks.  
Affected Systems  
Attack Scenarios Attackers may use this ICMP Type to gather information about the subnet masks of a given network.
Ease of Attack Numerous tools and scripts can generate ICMP Address Mask Requests.
Corrective Action ICMP Type 17 should be blocked at the upstream firewall.  This type of ICMP request should never originate from a host outside of the protected network.
Additional References None