Re: [Full-Disclosure] ICMP Covert channels question
From: Kevin (kkadow_at_gmail.com)
Date: Wed, 2 Feb 2005 16:32:15 -0600
To: firstname.lastname@example.org
> Well, what I meant was what if I use the network's router as a bounce
> host in order to get the packets into the network?
> If an ICMP packet arrives at the router's WAN port with a source IP of an
> internal host, will it send the echo reply to its LAN port?
Yes. Lacking proper anti-spoof ingress filtering, this will work.
> I currently haven't got the chance to test this, but I will as soon as
> I can. Then, in order to receive replies from the host behind the
> firewall all I'd have to do is make it send packets to a bounce server
> outside the network, like google.com with source set to my IP
> (assuming then that the router freely allows ICMP traffic out
> of the network).
Yes, lacking proper anti-spoof egress filtering, this will work. A
correctly configured firewall should reject such packets on several
grounds, even if ICMP is permitted by policy.
On Wed, 02 Feb 2005 13:02:07 -0500, Valdis.Kletnieks@vt.edu
> > Also, packet filtering is based on router configuration. More and more
> > administrators are filtering packets with unexpected source and/or
> > destination addresses ( ingress and egress filtering ).
Proper ingress and egress filtering at all edge routers is critical.
Rarely do I find a small site blocking outbound traffic based on the source IP.
While "non-routable" *destination* addresses should not make it across the
Internet, it is common for unroutable source addresses to be seen on inbound
packets coming from the Internet.
> The number of sites doing proper filtering may be growing, but it's certainly
> still low enough that the attack still has a fairly high chance of working.
With a growing number of ISPs implementing Reverse Path Forwarding
(aka "Unicast RPF") on all customer connections, it should become more
difficult to inject spoofed traffic through reputable providers.
Full-Disclosure - We believe in it.
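
An added example, not part of the original message: a Python sketch of the decision an edge router makes when it applies anti-spoof ingress/egress filtering in the style of strict Unicast RPF, run over the two cases discussed in the thread. The interface names, prefixes, bogon list and the `check_packet` helper are assumptions made for illustration.

```python
import ipaddress

# Constructed routing table for a small edge router (assumed addresses):
# prefix -> interface on which that prefix is reachable.
ROUTES = {
    "192.168.10.0/24": "lan0",   # internal network (constructed)
    "0.0.0.0/0": "wan0",         # default route toward the ISP
}
# Sources that must never arrive from the Internet side, routed or not.
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]

_TABLE = sorted(((ipaddress.ip_network(p), i) for p, i in ROUTES.items()),
                key=lambda e: e[0].prefixlen, reverse=True)
_BOGONS = [ipaddress.ip_network(p) for p in BOGONS]

def reverse_path_interface(addr):
    """Longest-prefix match: interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    for net, iface in _TABLE:
        if ip in net:
            return iface
    return None

def check_packet(in_iface, src, wan_iface="wan0"):
    """Return (verdict, reason) for a packet with source src seen on in_iface."""
    ip = ipaddress.ip_address(src)
    # The default route makes any unknown source "reachable" via the WAN, so
    # a reverse-path check alone would pass unroutable sources arriving there.
    if in_iface == wan_iface and any(ip in n for n in _BOGONS):
        return ("drop", "unroutable source on inbound WAN packet")
    expected = reverse_path_interface(src)
    if expected != in_iface:
        return ("drop", f"source is reached via {expected}, not {in_iface}")
    return ("accept", "source matches reverse path")

if __name__ == "__main__":
    samples = [  # constructed packets: (arrival interface, source address)
        ("wan0", "192.168.10.25"),  # internal source arriving from outside
        ("lan0", "203.0.113.7"),    # external source leaving the LAN
        ("wan0", "10.1.2.3"),       # unroutable source from the Internet
        ("lan0", "192.168.10.25"),  # legitimate outbound
        ("wan0", "198.51.100.9"),   # legitimate inbound
    ]
    for iface, src in samples:
        print(iface, src, *check_packet(iface, src))
```

The third sample shows why a bogon list sits alongside the reverse-path check: with only a default route, `10.1.2.3` resolves back to `wan0` and would otherwise be accepted.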