mailing list archives
Re: ICMP Covert channels question
From: Valdis.Kletnieks () vt edu
Date: Wed, 02 Feb 2005 13:02:07 -0500
On Wed, 02 Feb 2005 18:12:50 +0100, =?ISO-8859-1?Q?Stian_=D8vrev=E5ge?= said:
Don't you think it's a little strange if packets with source address
126.96.36.199 was leaving your 10.0.0.0 network? Or packets from
10.0.0.33 was comming in on the WAN interface?
Also, packet filtering is based on router configuration. More and more
administrators are filtering packets with unexpected source and/or
destination addresses ( ingress and egress filtering ).
The number of sites doing proper filtering may be growing, but it's certainly
still low enough that the attack still has a fairly high chance of working.
Also, there's another benefit to the attack - if the site isn't clued enough
to do basic bogon filtering, it's even *more* likely to throw any investigation
off in the wrong direction.
You're also missing another point - an inbound packet from 10/8 would certainly
look fishy. But would you question a packet that came in from 64.236/16
or 64.12/16 or anywhere in akadns.net's address space? (cnn.com lives in the
first, AOL's mail servers in the second, and google is an akadns beast...)
Full-Disclosure - We believe in it.