Full Disclosure mailing list archives
Re: ICMP Covert channels question
From: Kevin <kkadow () gmail com>
Date: Wed, 2 Feb 2005 16:32:15 -0600
cyberpixl wrote:
Well, what I meant was: what if I use the network's router as a bounce host in order to get the packets into the network? If an ICMP packet arrives at the router's WAN port with a source IP of an internal host, will it send the echoreply to its LAN port?
Yes. Lacking proper anti-spoof ingress filtering, this will work.
I currently haven't got the chance to test this, but I will as soon as I can. Then, in order to receive replies from the host behind the firewall, all I'd have to do is make it send packets to a bounce server outside the network, like google.com, with source set to my IP (assuming then that the router freely allows ICMP traffic out of the network).
Yes, lacking proper anti-spoof egress filtering, this will work. A correctly configured firewall should reject such packets on several grounds, even if ICMP is permitted by policy.
On Wed, 02 Feb 2005 13:02:07 -0500, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
Also, packet filtering is based on router configuration. More and more administrators are filtering packets with unexpected source and/or destination addresses (ingress and egress filtering).
Proper ingress and egress filtering at all edge routers is critical for security. Rarely do I find a small site blocking outbound traffic based on the source IP. While "non-routable" *destination* addresses should not make it across the Internet, it is common for unroutable source addresses to be seen on inbound packets coming from the Internet.
The number of sites doing proper filtering may be growing, but it's certainly still low enough that the attack still has a fairly high chance of working.
With a growing number of ISPs implementing Reverse Path Forwarding (aka "Unicast RPF") on all customer connections, it should become more difficult to inject spoofed traffic through reputable providers.
Kevin
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
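Added example (not part of Kevin's message or the list archive): the strict Unicast RPF check and the ingress/egress anti-spoof decisions discussed in the thread, modeled in Python against the two spoofed ICMP cases cyberpixl describes. The routing table, interface names and addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a small edge router (assumption).
# Each entry: (prefix, interface that leads toward that prefix).
ROUTES = [
    (ipaddress.ip_network("192.0.2.0/24"), "lan"),  # internal hosts
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),     # default route to the ISP
]

def best_route_interface(addr, routes=ROUTES):
    """Longest-prefix match: interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifname) for net, ifname in routes if ip in net]
    return max(matches)[1] if matches else None

def strict_urpf_accept(src, in_iface, routes=ROUTES):
    """Strict uRPF: accept only if the route back to the source address
    points out of the interface the packet arrived on."""
    return best_route_interface(src, routes) == in_iface

def filter_packets(packets, routes=ROUTES):
    """Return a (verdict, reason) tuple per packet, in order."""
    results = []
    for pkt in packets:
        if strict_urpf_accept(pkt["src"], pkt["in"], routes):
            results.append(("accept", "source reachable via arrival interface"))
        elif pkt["in"] == "wan":
            results.append(("drop", "ingress anti-spoof: internal source on WAN"))
        else:
            results.append(("drop", "egress anti-spoof: non-local source on LAN"))
    return results

# Constructed sample packets mirroring the two cases in the thread,
# followed by legitimate traffic in each direction.
SAMPLE = [
    # Echo request arriving on the WAN port claiming an internal source.
    {"in": "wan", "src": "192.0.2.10", "dst": "192.0.2.1"},
    # Echo request leaving the LAN with a forged external source.
    {"in": "lan", "src": "203.0.113.50", "dst": "198.51.100.7"},
    {"in": "lan", "src": "192.0.2.10", "dst": "198.51.100.7"},
    {"in": "wan", "src": "198.51.100.7", "dst": "192.0.2.10"},
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE, filter_packets(SAMPLE)):
        print(f'{pkt["in"]:>3} {pkt["src"]:<14} -> {pkt["dst"]:<14} {verdict}: {reason}')
```

Because the check depends only on the source address and the arrival interface, both spoofed packets are dropped even where policy permits ICMP.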