Bugtraq mailing list archives
Re: ICMP spoofed source tunneling
From: Dave Paris <dparis () w3works com>
Date: Wed, 22 Sep 2004 15:24:02 -0400
At the risk of possibly sinking my foot firmly into my mouth, it appears that you've implemented an unimplemented feature of LOKI2 (circa 1997). ref: http://www.phrack.org/show.php?p=51&a=6If you look in the source at the link referenced, specifically the help() function, you'll find:
%s dest\t- redirect to another client [ UNIMPLIMENTED ]\n", Nifty none-the-less. Kind Regards, -dsp Max Tulyev wrote:
ICMP spoofed source payload tunneling I. ABSTRACTAlmost any device having IP stack with enabled ICMP can be used to be a tunnel redirector.II. DESCRIPTION Let's imagine in Net a hacker having his source server(S), destination server(D), and a ip-capable device - victim(V). S sends to V spoofed ICMP echo request packet containing IP source address of D, and the data in Payload. When V receiving that packet, it sends ICMP echo-reply packet to D, AND FORWARDS TO D ALL DATA IN PAYLOAD! Backward is the same. I spent an only hour to write working exploit attaching this to Linux tuntap device... III. ANALYSIS Where it can be used? 1. Hacker have a victim traffic to that one cost lesser than to the World. That way Victim will pay for traffic with other hacker's server.2. Hacker have no access to the world at all, but have external server (D). For Victim can be used any neighbour device (I tried IP phone - itworks!) or even firewall or gateway! This can make a tunnel through a server with completely disabled IP forwarding at all. Very high probability of their attacks is in ISPs that gives a free access to some networks (I know that situation exists in Ukraine - to UA Internet Exchange access often is free and/or at higher speed, and in home Ethernet networks almost all ISPs provides free access to their clients and local resources). IV. DETECTION This can be detected by observing an anomally ICMP activity, and if you have more than one network interfaces - by presence of spoofed packets that can't be in certain interfaces. Or maybe by viewing your Internet bill ;-) V. WORKAROUNDTurning On reverse-path filtering and other antispoofed mechanisms. Limiting rates or even denying ICMP type 8 at all.
Current thread:
- ICMP spoofed source tunneling Max Tulyev (Sep 21)
- Re: ICMP spoofed source tunneling fenfire (Sep 22)
- Re: ICMP spoofed source tunneling Tim Newsham (Sep 22)
- Re: ICMP spoofed source tunneling fenfire (Sep 23)
- Re: ICMP spoofed source tunneling Calum (Sep 28)
- Re: ICMP spoofed source tunneling Tim Newsham (Sep 22)
- Re: ICMP spoofed source tunneling sin (Sep 23)
- <Possible follow-ups>
- Re: ICMP spoofed source tunneling Dave Paris (Sep 23)
- Re: ICMP spoofed source tunneling raiblehugo (Sep 25)
- Re: ICMP spoofed source tunneling fenfire (Sep 22)