ICMP tunnel
Encyclopedia
An ICMP tunnel establishes a covert
connection between two remote computers (a client and proxy), using ICMP
echo requests and reply packets. An example of this technique is tunneling
complete TCP
traffic over ping requests and replies.
In theory, it is possible to have the proxy use echo request packets (which makes implementation much easier), but these packets are not necessarily forwarded to the client, as the client could be behind a translated address (NAT
). This bidirectional data flow can be abstracted with an ordinary serial line.
This vulnerability exists because RFC 792, which is IETF's rules governing ICMP packets, allows for an arbitrary data length for any type 0 (echo reply) or 8 (echo message) ICMP packets.
of the actual traffic. Depending on the implementation of the ICMP tunneling software, but this type of connection can also be categorized as an encrypted communication channel between two computers. Without proper deep packet inspection
or log review, network administrators will not be able to detect this type of traffic through their network.
Covert channel
In computer security, a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy...
connection between two remote computers (a client and proxy), using ICMP
Internet Control Message Protocol
The Internet Control Message Protocol is one of the core protocols of the Internet Protocol Suite. It is chiefly used by the operating systems of networked computers to send error messages indicating, for example, that a requested service is not available or that a host or router could not be...
echo requests and reply packets. An example of this technique is tunneling
Tunneling protocol
Computer networks use a tunneling protocol when one network protocol encapsulates a different payload protocol...
complete TCP
Transmission Control Protocol
The Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
traffic over ping requests and replies.
Technical details
ICMP tunneling works by injecting arbitrary data into an echo packet sent to a remote computer. The remote computer replies in the same manner, injecting an answer into another ICMP packet and sending it back. The client performs all communication using ICMP echo request packets, while the proxy uses echo reply packets.In theory, it is possible to have the proxy use echo request packets (which makes implementation much easier), but these packets are not necessarily forwarded to the client, as the client could be behind a translated address (NAT
Network address translation
In computer networking, network address translation is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device....
). This bidirectional data flow can be abstracted with an ordinary serial line.
This vulnerability exists because RFC 792, which is IETF's rules governing ICMP packets, allows for an arbitrary data length for any type 0 (echo reply) or 8 (echo message) ICMP packets.
Uses
ICMP tunneling can be used to bypass firewalls rules through obfuscationObfuscation
Obfuscation is the hiding of intended meaning in communication, making communication confusing, wilfully ambiguous, and harder to interpret.- Background :Obfuscation may be used for many purposes...
of the actual traffic. Depending on the implementation of the ICMP tunneling software, but this type of connection can also be categorized as an encrypted communication channel between two computers. Without proper deep packet inspection
Deep packet inspection
Deep Packet Inspection is a form of computer network packet filtering that examines the data part of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions or predefined criteria to decide if the packet can...
or log review, network administrators will not be able to detect this type of traffic through their network.
Mitigation
Although the only way to prevent this type of tunneling is to block ICMP traffic altogether, this is not realistic for a production or real-world environment. One method for mitigation of this type of attack is to only allow fixed sized ICMP packets through firewalls to virtually eliminate this type of behavior .External links
- http://sourceforge.net/projects/itun Simple ICMP tunnel
- http://www.cs.uit.no/~daniels/PingTunnel/
- http://www.bluebitter.de
- http://icmpshell.sourceforge.net/ a telnet-like protocol using only ICMP
- ICMP Crafting http://www.giac.org/paper/gsec/1354/icmp-crafting-issues/102553 by Stuart Thomas
- Malacious ICMP Tunneling : Defense Againts the Vulnerabilityhttp://www.2factor.us/icmp.pdf by Abhishek Singh
- RFC 792, Internet Control Message Protocol
- Using the ICMP tunneling tool Ping Tunnel
- Project Loki" Article on ping tunneling in PhrackPhrackPhrack is an ezine written by and for hackers first published November 17, 1985. Described by Fyodor as "the best, and by far the longest running hacker zine," the magazine is open for contributions by anyone who desires to publish remarkable works or express original ideas on the topics of interest...