Bugtraq mailing list archives
Re: ICMP spoofed source tunneling
From: sin <lists () innocence-lost net>
Date: Thu, 23 Sep 2004 00:50:35 -0700 (MST)
I am reposting my reply just because I noticed I originally replied with an email address that is not on the list. I could be wrong here-but I was under the impression that not all (?most?) OS's did not comply w/ rfc 792 in that they do not reply with the full data- in fact I thought part of that was the basis for OS detection via icmp (The same reply w/ the whole message, some reply with part, some mangle the reply, etc). So I thought in the end you may find that it doesn't work very well on live network's, however I could be wrong here. I briefly checked the rfc's as I couldn't remember if a host was required to respond with the full data or not. Either way it's still interesting, however I think overall many routers would just silently drop your packets, and some hosts would mangle them. just my four peso's. On Tue, 21 Sep 2004, Max Tulyev wrote:
Date: Tue, 21 Sep 2004 20:55:04 +0400 (MSD) From: Max Tulyev <maxtul () titan parkline ru> To: bugtraq () securityfocus com Subject: ICMP spoofed source tunneling ICMP spoofed source payload tunneling I. ABSTRACT Almost any device having IP stack with enabled ICMP can be used to be a tunnel redirector. II. DESCRIPTION Let's imagine in Net a hacker having his source server(S), destination server(D), and a ip-capable device - victim(V). S sends to V spoofed ICMP echo request packet containing IP source address of D, and the data in Payload. When V receiving that packet, it sends ICMP echo-reply packet to D, AND FORWARDS TO D ALL DATA IN PAYLOAD! Backward is the same. I spent an only hour to write working exploit attaching this to Linux tuntap device... III. ANALYSIS Where it can be used? 1. Hacker have a victim traffic to that one cost lesser than to the World. That way Victim will pay for traffic with other hacker's server. 2. Hacker have no access to the world at all, but have external server (D). For Victim can be used any neighbour device (I tried IP phone - it works!) or even firewall or gateway! This can make a tunnel through a server with completely disabled IP forwarding at all. Very high probability of their attacks is in ISPs that gives a free access to some networks (I know that situation exists in Ukraine - to UA Internet Exchange access often is free and/or at higher speed, and in home Ethernet networks almost all ISPs provides free access to their clients and local resources). IV. DETECTION This can be detected by observing an anomally ICMP activity, and if you have more than one network interfaces - by presence of spoofed packets that can't be in certain interfaces. Or maybe by viewing your Internet bill ;-) V. WORKAROUND Turning On reverse-path filtering and other antispoofed mechanisms. Limiting rates or even denying ICMP type 8 at all.
Current thread:
- ICMP spoofed source tunneling Max Tulyev (Sep 21)
- Re: ICMP spoofed source tunneling fenfire (Sep 22)
- Re: ICMP spoofed source tunneling Tim Newsham (Sep 22)
- Re: ICMP spoofed source tunneling fenfire (Sep 23)
- Re: ICMP spoofed source tunneling Calum (Sep 28)
- Re: ICMP spoofed source tunneling Tim Newsham (Sep 22)
- Re: ICMP spoofed source tunneling sin (Sep 23)
- <Possible follow-ups>
- Re: ICMP spoofed source tunneling Dave Paris (Sep 23)
- Re: ICMP spoofed source tunneling raiblehugo (Sep 25)
- Re: ICMP spoofed source tunneling fenfire (Sep 22)