mailing list archives
Re: ICMP Covert channels question
From: Kevin <kkadow () gmail com>
Date: Wed, 2 Feb 2005 16:32:15 -0600
Well, what i meant was what if i use the networks router as a bounce
host in order to get the packets into the network?
If an icmp packet arrives at routers wan port with a source ip of an
internal host will it send the echoreply to its lan port?
Yes. Lacking proper anti-spoof ingress filtering, this will work.
I currently haven't got the chance to test this, but i will as soon as
i can. Then, in order to receive replyes from the host behind the
firewall all I'd have to do is make it send packets to a bounce server
outsede the network, like google.com with source set to my ip
(assuming then that the router freely allows icmp traffic out
of the network).
Yes, lacking proper anti-spoof egress filtering, this will work. A
correctly configured firewall should reject such packets on several
grounds, even if ICMP is permitted by policy.
On Wed, 02 Feb 2005 13:02:07 -0500, Valdis.Kletnieks () vt edu
<Valdis.Kletnieks () vt edu> wrote:
Also, packet filtering is based on router configuration. More and more
administrators are filtering packets with unexpected source and/or
destination addresses ( ingress and egress filtering ).
Proper ingress and egress filtering at all edge routers is critical
Rarely do I find a small site blocking outbound traffic based on the source IP.
While "non-routable" *destination* addresses should not make it across the
Internet, it is common for unroutable source addresses to be seen on inbound
packets coming from the Internet.
The number of sites doing proper filtering may be growing, but it's certainly
still low enough that the attack still has a fairly high chance of working.
With the a growing number of ISPs implementing Reverse Path Forwarding
(aka "Unicast RPF") on all customer connections, it should become more
difficult to inject spoofed traffic through reputable providers.
Full-Disclosure - We believe in it.