Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: ICMP Covert channels question
From: Valdis.Kletnieks () vt edu
Date: Wed, 02 Feb 2005 13:02:07 -0500

On Wed, 02 Feb 2005 18:12:50 +0100, =?ISO-8859-1?Q?Stian_=D8vrev=E5ge?= said:

Don't you think it's a little strange if packets with source address was leaving your network? Or packets from was comming in on the WAN interface?

Also, packet filtering is based on router configuration. More and more
administrators are filtering packets with unexpected source and/or
destination addresses ( ingress and egress filtering ).

The number of sites doing proper filtering may be growing, but it's certainly
still low enough that the attack still has a fairly high chance of working.

Also, there's another benefit to the attack - if the site isn't clued enough
to do basic bogon filtering, it's even *more* likely to throw any investigation
off in the wrong direction.

You're also missing another point - an inbound packet from 10/8 would certainly
look fishy.  But would you question a packet that came in from 64.236/16
or 64.12/16 or anywhere in akadns.net's address space?  (cnn.com lives in the
first, AOL's mail servers in the second, and google is an akadns beast...)

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]