Re: [FW1] ICMP Traffic Security Issues
Oh yeah - ICMP tunneling can definitely be done. If I recall correctly, the original concept appeared in Phrack 49 (Aug 1996):

http://phrack.infonexus.com/search.phtml?view&article=p49-6

After that article it was only about a month before someone (can't recall who) released concept code. Today, Packetstorm has several downloadable versions of it at:

http://209.143.242.119/cgi-bin/search/search.cgi?searchvalue=loki&type=archives

Even more scary is the sheer number of copycats that have been made since then. Doing a search on Packetstorm for "ICMP Tunnel" yields 384 matches, including several programs (icmptunnel, itunnel, 007shell, loki, loki2, etc.) for sending data over covert ICMP channels. Hell, BO2K has a butt-plug to run BO through ICMP....

From what I've seen in IDS over the past 3 years, it's a lot more common than people think.....

Hope this adds to the conversation.

Jason

At 02:28 PM 3/1/01 -0000, iden fw wrote:

> And I believe there was a Loki2 that encrypted the traffic...
>
> -iden_
>
> > From: CryptoTech
> > Reply-To: [email protected]
> > To: "Fontelera, Jaime."
> > CC: "'fw1mail'"
> > Subject: Re: [FW1] ICMP Traffic Security Issues
> > Date: Thu, 01 Mar 2001 06:30:44 -0000
> >
> > Jaime,
> >
> > In the current release (and I believe in all previous releases of FireWall-1), ICMP packets are inspected on an instance by instance basis. So simply having a rule in that says internal any icmp-proto accept will not allow responses to those same pings. My Check Point rep has informed me that a new release will allow for 'intelligent/stateful' handling of ping requests as well.
> >
> > I am most likely not as up to date as some of the ISS or intrusion specialists here, but I have never heard of 'smuggling' over icmp, but icmp does give attackers a clear and easy way to see what devices you have to start probing for an attack. Also remember that CheckPoint is only allowing a subset of icmp packet types (I believe icmp type 8 (echo request) and type 0 (echo response)).
> >
> > Cheers,
> >
> > CryptoTech
> >
> > "Fontelera, Jaime C." wrote:
> >
> > > I'm currently blocking both incoming/outgoing ICMP packets from our network. I have a net admin who wants pinging and traceroute packets enabled going out. But I'm kind of hesitant at this point because of the security issues.
> > >
> > > I've read in a book somewhere that ICMP packets can be exploited by an attacker to smuggle data through a site whose firewall ONLY allows outbound echo requests by sending echo responses even when they haven't seen a request. It is a way for the attacker to maintain connections to a compromised site.
> > >
> > > What's your opinion on this?
> > >
> > > Thanks.
> > >
> > > Jaime

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
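The two points raised in the thread, unsolicited echo replies slipping past a filter that only tracks ICMP packet types, and tunnel payloads riding inside echo traffic, can both be checked for in a capture. The following is an added example written for this page; it is not code from any poster, from the Phrack article or from Check Point. It builds a handful of ICMP echo datagrams inline (constructed sample traffic, not a real capture), then audits them the way a stateful ICMP filter would: an echo reply is only accepted if a request with the same identifier and sequence number was seen in the opposite direction, and payloads that are oversized or high-entropy compared with a standard 56-byte ping fill are flagged. The IP addresses, the 64-byte size limit and the 7.0 bits/byte entropy threshold are assumptions chosen for the illustration.

```python
"""Audit ICMP echo traffic for unsolicited replies and tunnel-like payloads.

Added example. Sample packets are constructed inline; nothing touches the network.
Assumed stateful model: an echo reply is legitimate only if an echo request with
the same (identifier, sequence) was seen earlier from reply.dst to reply.src.
"""
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
MAX_NORMAL_PAYLOAD = 64     # assumption: Unix ping sends 56 data bytes
ENTROPY_THRESHOLD = 7.0     # assumption: bits/byte; pattern fills sit well below this


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request/reply datagram with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(raw: bytes) -> dict:
    """Parse an ICMP echo datagram, rejecting short or corrupt input."""
    if len(raw) < 8:
        raise ValueError("ICMP datagram shorter than 8 bytes")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    if icmp_checksum(raw[:2] + b"\x00\x00" + raw[4:]) != csum:
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": raw[8:]}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty payload."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit(packets):
    """packets: iterable of (src_ip, dst_ip, raw_icmp) in capture order.

    Returns a list of (packet_index, reason) findings. Echo requests are
    remembered; a reply with no matching request is the 'smuggling' case
    from the thread, where a firewall that only matches on ICMP type lets
    the reply through.
    """
    pending = set()  # (requester, target, id, seq) for requests seen so far
    findings = []
    for i, (src, dst, raw) in enumerate(packets):
        pkt = parse_icmp(raw)
        payload = pkt["payload"]
        if pkt["type"] == ICMP_ECHO_REQUEST:
            pending.add((src, dst, pkt["id"], pkt["seq"]))
        elif pkt["type"] == ICMP_ECHO_REPLY:
            key = (dst, src, pkt["id"], pkt["seq"])
            if key in pending:
                pending.discard(key)
            else:
                findings.append((i, "unsolicited echo reply"))
        if len(payload) > MAX_NORMAL_PAYLOAD:
            findings.append((i, "oversized payload"))
        if shannon_entropy(payload) > ENTROPY_THRESHOLD:
            findings.append((i, "high-entropy payload"))
    return findings


# Constructed sample traffic (not a real capture).
PING_FILL = bytes(range(56))  # pattern fill resembling a normal ping payload
TUNNEL_FILL = bytes((i * 73 + 41) % 256 for i in range(200))  # ciphertext-like
SAMPLE = [
    # 1. Legitimate request/reply pair, inside host -> outside host
    ("10.0.0.5", "192.0.2.1", build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, PING_FILL)),
    ("192.0.2.1", "10.0.0.5", build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, PING_FILL)),
    # 2. Reply with no prior request, carrying a command (the thread's scenario)
    ("198.51.100.7", "10.0.0.5", build_icmp(ICMP_ECHO_REPLY, 0xBEEF, 1, b"cat /etc/passwd\n")),
    # 3. Outbound request stuffed with oversized, high-entropy data
    ("10.0.0.5", "198.51.100.7", build_icmp(ICMP_ECHO_REQUEST, 0xBEEF, 2, TUNNEL_FILL)),
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE):
        print("packet %d: %s" % (idx, reason))
```

Run as a script it reports packet 2 as an unsolicited reply and packet 3 as oversized and high-entropy; the legitimate pair in packets 0 and 1 produces nothing. The request table is keyed on direction, identifier and sequence, which is the minimum a filter needs to tell a real reply from one injected by an outside host. Note that a tunnel which only uses solicited replies to requests it generated itself will still pass the state check, so the payload heuristics are there to catch what state tracking cannot.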