Full Disclosure mailing list archives

Re: ICMP Covert channels question


From: Valdis.Kletnieks () vt edu
Date: Wed, 02 Feb 2005 13:02:07 -0500

On Wed, 02 Feb 2005 18:12:50 +0100, Stian Øvrevåge said:

> Don't you think it's a little strange if packets with source address
> 88.88.88.88 were leaving your 10.0.0.0 network? Or packets from
> 10.0.0.33 were coming in on the WAN interface?
>
> Also, packet filtering is based on router configuration. More and more
> administrators are filtering packets with unexpected source and/or
> destination addresses (ingress and egress filtering).

The number of sites doing proper filtering may be growing, but it's certainly
still low enough that the attack still has a fairly high chance of working.

Also, there's another benefit to the attack - if the site isn't clued enough
to do basic bogon filtering, it's even *more* likely to throw any investigation
off in the wrong direction.

You're also missing another point - an inbound packet from 10/8 would certainly
look fishy.  But would you question a packet that came in from 64.236/16
or 64.12/16 or anywhere in akadns.net's address space?  (cnn.com lives in the
first, AOL's mail servers in the second, and google is an akadns beast...)
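The ingress/egress filtering both posters refer to, as an added illustration (not code from the list post): a small model of the border rules for a 10/8 site, run over the addresses mentioned in the thread. The bogon list is a constructed subset, and 64.236.1.1 is a constructed address inside the 64.236/16 range Valdis mentions; it shows why a correctly filtered border still accepts a spoofed but routable source.

```python
"""Ingress/egress filter model for the thread's examples (added illustration,
not code from the list post). Addresses and the bogon set are constructed here."""
import ipaddress

# Assumed topology: the site's internal network is 10.0.0.0/8, as in the thread.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed bogon list: prefixes that should never appear as a source on the WAN side.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def filter_decision(direction: str, src: str) -> str:
    """Return 'accept' or 'drop:<reason>' for a packet seen at the border router.

    direction is 'in' (arriving on the WAN interface) or 'out' (leaving toward the WAN).
    """
    addr = ipaddress.ip_address(src)
    if direction == "out":
        # Egress filtering: only the site's own address space may leave.
        return "accept" if addr in INTERNAL else "drop:egress-spoof"
    if direction == "in":
        # Ingress filtering: the site's own range and other bogons never arrive from outside.
        if addr in INTERNAL:
            return "drop:ingress-internal"
        if any(addr in net for net in BOGONS):
            return "drop:ingress-bogon"
        return "accept"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample of border packets, one per case raised in the thread.
SAMPLE = [
    ("out", "88.88.88.88"),  # Stian's case: foreign source leaving the 10/8 network
    ("in", "10.0.0.33"),     # Stian's case: internal source arriving on the WAN interface
    ("in", "64.236.1.1"),    # Valdis's point: routable source, passes every bogon check
]


def run_sample():
    """Map each (direction, source) in SAMPLE to the filter's verdict."""
    return {(d, s): filter_decision(d, s) for d, s in SAMPLE}


if __name__ == "__main__":
    for (d, s), verdict in run_sample().items():
        print(f"{d:>3} {s:<15} {verdict}")
```

The third sample is the one the filter cannot help with: a source inside a large, legitimately routed block is accepted, so detecting it needs something other than address-based filtering.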

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
