Open Source and information security mailing list archives
 
From: kkadow at gmail.com (Kevin)
Subject: ICMP Covert channels question

cyberpixl wrote:
> Well, what I meant was what if I use the network's router as a bounce
> host in order to get the packets into the network?
>
> If an icmp packet arrives at the router's wan port with a source ip of an
> internal host will it send the echoreply to its lan port?

Yes.  Lacking proper anti-spoof ingress filtering, this will work.

> I currently haven't got the chance to test this, but I will as soon as
> I can. Then, in order to receive replies from the host behind the
> firewall all I'd have to do is make it send packets to a bounce server
> outside the network, like google.com with source set to my ip
> (assuming then that the router freely allows icmp traffic out
> of the network).

Yes, lacking proper anti-spoof egress filtering, this will work.  A
correctly configured firewall should reject such packets on several
grounds, even if ICMP is permitted by policy.


On Wed, 02 Feb 2005 13:02:07 -0500, Valdis.Kletnieks@...edu
<Valdis.Kletnieks@...edu> wrote:
> > Also, packet filtering is based on router configuration. More and more
> > administrators are filtering packets with unexpected source and/or
> > destination addresses ( ingress and egress filtering ).

Proper ingress and egress filtering at all edge routers is critical
for security.
Rarely do I find a small site blocking outbound traffic based on the source IP.
While "non-routable" *destination* addresses should not make it across the
Internet, it is common for unroutable source addresses to be seen on inbound
packets coming from the Internet.


> The number of sites doing proper filtering may be growing, but it's certainly
> still low enough that the attack still has a fairly high chance of working.

With a growing number of ISPs implementing Reverse Path Forwarding
(aka "Unicast RPF") on all customer connections, it should become more
difficult to inject spoofed traffic through reputable providers.

Kevin
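
An added illustration, not part of the original message: a minimal Python model of a strict Unicast RPF check plus an inbound bogon filter at an edge router, run on the two spoofed-source cases discussed in the thread. The interface names, the prefixes (documentation ranges standing in for real networks), the partial bogon list and the function names are all assumptions made for the example.

```python
import ipaddress

# Constructed forwarding table for a small edge router (assumed values):
# the internal LAN is on "lan", everything else follows the default route on "wan".
FIB = [
    (ipaddress.ip_network("192.0.2.0/24"), "lan"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]

# Sources that should never arrive from the Internet (partial, illustrative list).
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
)]


def reverse_path_iface(src):
    """Longest-prefix match: the interface the router would use to reach src."""
    matches = [(net, ifc) for net, ifc in FIB if src in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def antispoof_verdict(in_iface, src_ip):
    """Return 'accept' or a drop reason for a packet seen on in_iface."""
    src = ipaddress.ip_address(src_ip)
    if in_iface == "wan" and any(src in b for b in BOGONS):
        return "drop: bogon source on wan"
    # Strict uRPF: the route back to the source must use the arrival interface.
    if reverse_path_iface(src) != in_iface:
        return "drop: uRPF failed"
    return "accept"


# Constructed sample packets: (arrival interface, source IP, description)
SAMPLES = [
    ("wan", "192.0.2.10", "echo request claiming an internal source"),
    ("lan", "198.51.100.7", "internal host sending with an outside source"),
    ("wan", "10.1.2.3", "unroutable source arriving from the Internet"),
    ("lan", "192.0.2.10", "legitimate outbound packet"),
    ("wan", "203.0.113.5", "legitimate inbound packet"),
]

if __name__ == "__main__":
    for iface, src, what in SAMPLES:
        print(f"{iface:3} {src:15} {antispoof_verdict(iface, src):26} {what}")
```

The check looks only at the arrival interface and source address, so it rejects both spoofed cases whether or not ICMP is permitted by policy.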
