Full Disclosure: Re: ICMP Covert channels question

Re: ICMP Covert channels question

From: Kevin <kkadow_at_gmail.com>
Date: Wed, 2 Feb 2005 16:32:15 -0600

cyberpixl wrote:
> Well, what I meant was what if I use the network's router as a bounce
> host in order to get the packets into the network?
>
> If an icmp packet arrives at routers wan port with a source ip of an
> internal host will it send the echoreply to its lan port?

Yes. Lacking proper anti-spoof ingress filtering, this will work.

> I currently haven't got the chance to test this, but I will as soon as
> I can. Then, in order to receive replies from the host behind the
> firewall all I'd have to do is make it send packets to a bounce server
> outside the network, like google.com, with source set to my IP
> (assuming then that the router freely allows ICMP traffic out
> of the network).

Yes, lacking proper anti-spoof egress filtering, this will work. A
correctly configured firewall should reject such packets on several
grounds, even if ICMP is permitted by policy.

On Wed, 02 Feb 2005 13:02:07 -0500, Valdis.Kletnieks_at_vt.edu
<Valdis.Kletnieks_at_vt.edu> wrote:
> > Also, packet filtering is based on router configuration. More and more
> > administrators are filtering packets with unexpected source and/or
> > destination addresses ( ingress and egress filtering ).

Proper ingress and egress filtering at all edge routers is critical
for security.
Rarely do I find a small site blocking outbound traffic based on the source IP.
While "non-routable" *destination* addresses should not make it across the
Internet, it is common for unroutable source addresses to be seen on inbound
packets coming from the Internet.

> The number of sites doing proper filtering may be growing, but it's certainly
> still low enough that the attack still has a fairly high chance of working.

With a growing number of ISPs implementing Reverse Path Forwarding
(aka "Unicast RPF") on all customer connections, it should become more
difficult to inject spoofed traffic through reputable providers.

Kevin
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Feb 03 2005
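An added example, not code from the post or from any of its authors: a small Python simulation of the anti-spoof checks Kevin refers to (ingress filtering of internal and unroutable source addresses arriving from the Internet, egress filtering of foreign source addresses leaving the site, and strict-mode unicast RPF against a routing table), run against packets for the two bounce scenarios cyberpixl describes. The internal prefix 192.0.2.0/24, the attacker address 203.0.113.7, the outside "bounce server" 198.51.100.5, the interface names "wan"/"lan" and the two-entry routing table are all assumptions using documentation prefixes; the ICMP type is carried along only to show that the decision does not depend on whether ICMP is permitted by policy.

```python
"""Anti-spoof filtering and strict unicast RPF, simulated at packet level.

Constructed example: prefixes, interface names, routing table and the sample
packets are assumptions, not taken from the mailing-list post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical edge router: the site's internal network sits behind "lan".
INTERNAL = ip_network("192.0.2.0/24")

# Hypothetical forwarding table: prefix -> outgoing interface.
# Longest-prefix match wins, so 192.0.2.0/24 beats the default route.
FIB = {
    ip_network("192.0.2.0/24"): "lan",
    ip_network("0.0.0.0/0"): "wan",
}

# Source addresses that should never arrive from the Internet (constructed
# subset of the usual bogon list: RFC 1918, loopback, link-local).
BOGONS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
    ip_network("169.254.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on ("wan" or "lan")
    src: str     # source address as written in the IP header
    dst: str     # destination address
    kind: str    # e.g. "icmp-echo-request"; informational only


def lookup(addr):
    """Longest-prefix match of addr in FIB; returns the outgoing interface."""
    a = ip_address(addr)
    best = None
    for net, iface in FIB.items():
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict(pkt):
    """Strict uRPF: the route back to the source must leave via the arrival interface."""
    return lookup(pkt.src) == pkt.iface


def filter_decision(pkt):
    """Return (verdict, reason) for an edge router's anti-spoof policy.

    The explicit ingress/egress checks come first so the reason is specific;
    strict uRPF then catches anything the prefix-based checks did not.
    """
    src = ip_address(pkt.src)
    if pkt.iface == "wan":
        if src in INTERNAL:
            return ("DROP", "ingress: internal source address arriving from the Internet")
        if any(src in b for b in BOGONS):
            return ("DROP", "ingress: unroutable (bogon) source address")
    elif pkt.iface == "lan":
        if src not in INTERNAL:
            return ("DROP", "egress: source address is not ours but is leaving the site")
    if not urpf_strict(pkt):
        return ("DROP", "uRPF: no route back to the source via the arrival interface")
    return ("ACCEPT", "passes anti-spoof checks")


# Constructed sample traffic covering both bounce scenarios from the thread.
SAMPLE_PACKETS = [
    # 1. Attacker spoofs an internal source so the router "bounces" the reply inward.
    Packet("wan", "192.0.2.10", "192.0.2.1", "icmp-echo-request"),
    # 2. Internal host sends to an outside bounce server with the attacker's address as source.
    Packet("lan", "203.0.113.7", "198.51.100.5", "icmp-echo-request"),
    # 3. Legitimate outbound echo request from an internal host.
    Packet("lan", "192.0.2.10", "198.51.100.5", "icmp-echo-request"),
    # 4. Legitimate inbound echo reply to that host.
    Packet("wan", "198.51.100.5", "192.0.2.10", "icmp-echo-reply"),
    # 5. Inbound packet with an RFC 1918 source, which has no business on the Internet.
    Packet("wan", "10.1.2.3", "192.0.2.1", "icmp-echo-request"),
]


def run_samples():
    """Evaluate every sample packet; returns a list of verdict strings."""
    return [filter_decision(p)[0] for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, why = filter_decision(p)
        print(f"{p.iface:3} {p.src:>15} -> {p.dst:<15} {p.kind:18} {verdict:6} {why}")
```

Both spoofed packets are dropped by the prefix checks alone, and strict uRPF would drop them as well because the route back to each forged source does not point out the interface the packet came in on; neither decision looks at the ICMP type, which is why an "allow ICMP" policy does not by itself make the bounce work.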
