Bugtraq mailing list archives
ICMP spoofed source tunneling
From: Max Tulyev <maxtul () titan parkline ru>
Date: Tue, 21 Sep 2004 20:55:04 +0400 (MSD)
ICMP spoofed source payload tunneling I. ABSTRACT Almost any device having IP stack with enabled ICMP can be used to be a tunnel redirector. II. DESCRIPTION Let's imagine in Net a hacker having his source server(S), destination server(D), and a ip-capable device - victim(V). S sends to V spoofed ICMP echo request packet containing IP source address of D, and the data in Payload. When V receiving that packet, it sends ICMP echo-reply packet to D, AND FORWARDS TO D ALL DATA IN PAYLOAD! Backward is the same. I spent an only hour to write working exploit attaching this to Linux tuntap device... III. ANALYSIS Where it can be used? 1. Hacker have a victim traffic to that one cost lesser than to the World. That way Victim will pay for traffic with other hacker's server. 2. Hacker have no access to the world at all, but have external server (D). For Victim can be used any neighbour device (I tried IP phone - it works!) or even firewall or gateway! This can make a tunnel through a server with completely disabled IP forwarding at all. Very high probability of their attacks is in ISPs that gives a free access to some networks (I know that situation exists in Ukraine - to UA Internet Exchange access often is free and/or at higher speed, and in home Ethernet networks almost all ISPs provides free access to their clients and local resources). IV. DETECTION This can be detected by observing an anomally ICMP activity, and if you have more than one network interfaces - by presence of spoofed packets that can't be in certain interfaces. Or maybe by viewing your Internet bill ;-) V. WORKAROUND Turning On reverse-path filtering and other antispoofed mechanisms. Limiting rates or even denying ICMP type 8 at all.
Current thread:
- ICMP spoofed source tunneling Max Tulyev (Sep 21)
- Re: ICMP spoofed source tunneling fenfire (Sep 22)
- Re: ICMP spoofed source tunneling Tim Newsham (Sep 22)
- Re: ICMP spoofed source tunneling fenfire (Sep 23)
- Re: ICMP spoofed source tunneling Calum (Sep 28)
- Re: ICMP spoofed source tunneling Tim Newsham (Sep 22)
- Re: ICMP spoofed source tunneling sin (Sep 23)
- <Possible follow-ups>
- Re: ICMP spoofed source tunneling Dave Paris (Sep 23)
- Re: ICMP spoofed source tunneling raiblehugo (Sep 25)
- Re: ICMP spoofed source tunneling fenfire (Sep 22)