RE: ICMP Covert channels question

[Paul Schmehl <pauls () utdallas edu>]

--On Saturday, January 29, 2005 12:37 AM -0800 
lists-security () nettracers com wrote:
> Paul Schmehl Said:
> > No, because non-routeable addresses are...well....non-routeable.
>
> But Paul, I route non-routable addresses all the time.  It is only
> internet routers that are usually configured to not route certain
> addresses.  I go into many nets where the router is attempting to send
> out 192.168's 172.'s and 10's out the external interface.  Now they don't
> get far since the ISP won't take them or just sinks them, but the routers
> will try to handle them.
>
> Some routers (plenty won't) will probably try to "return" those ICMP's to
> the internal interface, thus providing your covert channel.  Furthermore,
> you may be able to do some interesting things with the type and code
> fields to encode further information.
I guess it all depends if you consider configuration errors "bugs". 
Assuming a router is correctly configured, non-routeable addresses should 
never leave *or* enter a network, but of course they can be routed 
internally.

As an attacker, I would not design an exploit that *depended* upon private 
addresses being routed external to the victim's router unless I first 
verified that they were.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html