
Re: [Full-Disclosure] ICMP Covert channels question



cyberpixl wrote:
> Well, what I meant was what if I use the network's router as a bounce
> host in order to get the packets into the network?
>
> If an icmp packet arrives at routers wan port with a source ip of an
> internal host will it send the echoreply to its lan port?

Yes.  Lacking proper anti-spoof ingress filtering, this will work.

> I currently haven't got the chance to test this, but I will as soon as
> I can. Then, in order to receive replies from the host behind the
> firewall all I'd have to do is make it send packets to a bounce server
> outside the network, like google.com with source set to my IP
> (assuming then that the router freely allows ICMP traffic out
> of the network).

Yes, lacking proper anti-spoof egress filtering, this will work.  A
correctly configured firewall should reject such packets on several
grounds, even if ICMP is permitted by policy.


On Wed, 02 Feb 2005 13:02:07 -0500, Valdis.Kletnieks@xxxxxx
<Valdis.Kletnieks@xxxxxx> wrote:
> > Also, packet filtering is based on router configuration. More and more
> > administrators are filtering packets with unexpected source and/or
> > destination addresses ( ingress and egress filtering ).

Proper ingress and egress filtering at all edge routers is critical
for security.
Rarely do I find a small site blocking outbound traffic based on the source IP.
While "non-routable" *destination* addresses should not make it across the
Internet, it is common for unroutable source addresses to be seen on inbound
packets coming from the Internet.


> The number of sites doing proper filtering may be growing, but it's certainly
> still low enough that the attack still has a fairly high chance of working.

With a growing number of ISPs implementing Reverse Path Forwarding
(aka "Unicast RPF") on all customer connections, it should become more
difficult to inject spoofed traffic through reputable providers.

Kevin
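As an added illustration of the anti-spoof filtering discussed above (example code written for this page, not something from the thread or any router vendor), here is a minimal strict Unicast RPF plus bogon check for a constructed two-interface router; the prefixes, interface names and sample packets are all made up for the example.

```python
import ipaddress

# Constructed example router: one RFC 1918 LAN and one WAN uplink.
# Routing table maps prefix -> egress interface; longest prefix wins.
ROUTES = {
    ipaddress.ip_network("10.0.0.0/8"): "lan",
    ipaddress.ip_network("0.0.0.0/0"): "wan",
}

# Source prefixes that must never arrive from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def route_lookup(addr):
    """Interface a packet destined to addr would leave on (longest-prefix match)."""
    addr = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for net, iface in ROUTES.items():
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def check_source(src, in_iface):
    """Anti-spoof decision for a packet with source src arriving on in_iface.

    Strict uRPF: the reverse route for the source must point back out the
    arrival interface.  On a two-interface router this one rule gives both
    ingress filtering (internal source on the WAN port) and egress filtering
    (foreign source leaving the LAN).  The bogon list then catches sources
    that the default route would otherwise let in from the WAN.
    """
    src = ipaddress.ip_address(src)
    rev = route_lookup(src)
    if rev != in_iface:
        return False, f"drop: urpf mismatch (source routes via {rev}, arrived on {in_iface})"
    if in_iface == "wan" and any(src in n for n in BOGONS):
        return False, "drop: bogon source on wan"
    return True, "accept"


# Constructed packets covering both tricks discussed in the thread.
SAMPLES = [
    ("10.1.2.3", "wan"),      # echo request from the Internet claiming an internal source
    ("198.51.100.7", "lan"),  # internal host sending with an external source address
    ("198.51.100.7", "wan"),  # ordinary inbound packet
    ("10.1.2.3", "lan"),      # ordinary outbound packet
    ("127.0.0.1", "wan"),     # loopback source from the Internet, caught by the bogon list
]

if __name__ == "__main__":
    for src, iface in SAMPLES:
        print(src, iface, check_source(src, iface))
```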
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html