Re: [Full-Disclosure] ICMP Covert channels question

From: Kevin (kkadow_at_gmail.com)
Date: 02/02/05

    Date: Wed, 2 Feb 2005 16:32:15 -0600
    To: full-disclosure@lists.netsys.com


    cyberpixl wrote:
    > Well, what i meant was what if i use the networks router as a bounce
    > host in order to get the packets into the network?
    >
    > If an icmp packet arrives at routers wan port with a source ip of an
    > internal host will it send the echoreply to its lan port?

    Yes. Lacking proper anti-spoof ingress filtering, this will work.

    > I currently haven't got the chance to test this, but i will as soon as
    > i can. Then, in order to receive replies from the host behind the
    > firewall all I'd have to do is make it send packets to a bounce server
    > outside the network, like google.com with source set to my ip
    > (assuming then that the router freely allows icmp traffic out
    > of the network).

    Yes, lacking proper anti-spoof egress filtering, this will work. A
    correctly configured firewall should reject such packets on several
    grounds, even if ICMP is permitted by policy.

    On Wed, 02 Feb 2005 13:02:07 -0500, Valdis.Kletnieks@vt.edu
    <Valdis.Kletnieks@vt.edu> wrote:
    > > Also, packet filtering is based on router configuration. More and more
    > > administrators are filtering packets with unexpected source and/or
    > > destination addresses ( ingress and egress filtering ).

    Proper ingress and egress filtering at all edge routers is critical
    for security.
    Rarely do I find a small site blocking outbound traffic based on the source IP.
    While "non-routable" *destination* addresses should not make it across the
    Internet, it is common for unroutable source addresses to be seen on inbound
    packets coming from the Internet.

    > The number of sites doing proper filtering may be growing, but it's certainly
    > still low enough that the attack still has a fairly high chance of working.

    With a growing number of ISPs implementing Reverse Path Forwarding
    (aka "Unicast RPF") on all customer connections, it should become more
    difficult to inject spoofed traffic through reputable providers.

    Kevin
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
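A defender-side model of the anti-spoof ingress/egress filtering and strict Unicast RPF discussed in the message above, added here as an example that is not part of the original thread. The routing table, interface names, bogon list and sample packets are constructed assumptions, not a real router configuration.

```python
import ipaddress

# Constructed routing table for a small edge router (assumed, not from the thread):
# prefix -> interface through which that prefix is reached.
ROUTES = {
    "192.168.1.0/24": "lan",  # internal LAN behind the router
    "203.0.113.0/24": "wan",  # router's public block (documentation range)
    "0.0.0.0/0": "wan",       # default route toward the ISP
}

# Source prefixes that never legitimately arrive from the Internet
# (RFC 1918, loopback, link-local). Constructed, deliberately short list.
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"]


def route_interface(addr, routes=ROUTES):
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def filter_packet(src, ingress_iface, routes=ROUTES):
    """Return ('accept'|'drop', reason) for a packet by source and arrival interface.

    Strict uRPF: the reverse path to the source must exit the interface the packet
    arrived on. An Internet packet claiming an internal source (the router-bounce
    trick) and an internal host forging an external source both fail this test.
    """
    if route_interface(src, routes) != ingress_iface:
        return ("drop", f"{src} on {ingress_iface} fails strict reverse-path check")
    # Caveat: with a default route, strict uRPF accepts any otherwise unrouted source
    # on the WAN side, so unroutable prefixes still need an explicit ingress filter.
    ip = ipaddress.ip_address(src)
    if ingress_iface == "wan" and any(ip in ipaddress.ip_network(b) for b in BOGONS):
        return ("drop", f"{src} is an unroutable source on the Internet-facing interface")
    return ("accept", "source address consistent with ingress interface")


if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on).
    cases = [
        ("192.168.1.10", "wan"),  # spoofed echo request from the Internet, internal source
        ("198.51.100.7", "lan"),  # internal host forging an external source for a bounce
        ("192.168.1.10", "lan"),  # legitimate outbound packet
        ("198.51.100.7", "wan"),  # legitimate inbound reply
        ("10.0.0.1", "wan"),      # unroutable source arriving from the Internet
    ]
    for src, iface in cases:
        print(src, iface, *filter_packet(src, iface))
```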
