Re: [Full-Disclosure] ICMP Covert channels question

From: Kevin (
Date: 02/02/05

    Date: Wed, 2 Feb 2005 16:32:15 -0600

    cyberpixl wrote:
    > Well, what I meant was what if I use the network's router as a bounce
    > host in order to get the packets into the network?
    > If an ICMP packet arrives at the router's WAN port with a source IP of an
    > internal host will it send the echo reply to its LAN port?

    Yes. Lacking proper anti-spoof ingress filtering, this will work.

    > I currently haven't got the chance to test this, but I will as soon as
    > I can. Then, in order to receive replies from the host behind the
    > firewall all I'd have to do is make it send packets to a bounce server
    > outside the network, like with source set to my IP
    > (assuming then that the router freely allows ICMP traffic out
    > of the network).

    Yes, lacking proper anti-spoof egress filtering, this will work. A
    correctly configured firewall should reject such packets on several
    grounds, even if ICMP is permitted by policy.

    On Wed, 02 Feb 2005 13:02:07 -0500,
    <> wrote:
    > > Also, packet filtering is based on router configuration. More and more
    > > administrators are filtering packets with unexpected source and/or
    > > destination addresses ( ingress and egress filtering ).

    Proper ingress and egress filtering at all edge routers is critical
    for security.
    Rarely do I find a small site blocking outbound traffic based on the source IP.
    While "non-routable" *destination* addresses should not make it across the
    Internet, it is common for unroutable source addresses to be seen on inbound
    packets coming from the Internet.

    > The number of sites doing proper filtering may be growing, but it's certainly
    > still low enough that the attack still has a fairly high chance of working.

    With a growing number of ISPs implementing Reverse Path Forwarding
    (aka "Unicast RPF") on all customer connections, it should become more
    difficult to inject spoofed traffic through reputable providers.
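
Added example, not part of the original message: a minimal model of the strict-mode Unicast RPF check mentioned above, applied to the two spoofed-source cases discussed in the thread (a WAN packet claiming an internal source, and a LAN packet claiming an outside source). The routing table, interface names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a small site's edge router (assumed values):
# one internal LAN prefix and a default route towards the ISP.
ROUTES = [
    (ipaddress.ip_network("192.168.10.0/24"), "lan"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]

def reverse_path_interface(src, routes=ROUTES):
    """Longest-prefix match on the SOURCE address: the interface the
    router would use to send a reply back to src."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, ifname) for net, ifname in routes if addr in net]
    return max(matches)[1] if matches else None

def strict_urpf(in_if, src, routes=ROUTES):
    """Strict mode: accept only if the packet arrived on the interface
    that the best route back to its source points to."""
    return reverse_path_interface(src, routes) == in_if

# Constructed packets: (description, arrival interface, source, destination)
PACKETS = [
    ("WAN packet spoofing an internal source", "wan", "192.168.10.20", "203.0.113.1"),
    ("LAN packet spoofing an outside source", "lan", "198.51.100.7", "203.0.113.99"),
    ("legitimate outbound ping", "lan", "192.168.10.20", "203.0.113.99"),
    ("legitimate inbound ping", "wan", "198.51.100.7", "203.0.113.1"),
]

def evaluate(packets=PACKETS):
    """Return (description, verdict) for each packet under strict uRPF."""
    return [(desc, "accept" if strict_urpf(in_if, src) else "drop")
            for desc, in_if, src, _dst in packets]

if __name__ == "__main__":
    for desc, verdict in evaluate():
        print(f"{verdict:6} {desc}")
```

Strict mode assumes symmetric routing; on multihomed links where replies may legitimately return by another path, it can drop valid traffic.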
