ICMP tunnel

Googling for ICMP tunnel I found some interesting results:
http://en.wikipedia.org/wiki/ICMP_tunnel
http://www.cs.uit.no/~daniels/PingTunnel/
http://thomer.com/icmptx/

There is at least a trojan using ICMP to transmit sensitive data (link provided by egemen)
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=570

If I understand correctly the idea is put data in the data section of ICMP Echo request packets and the other computer will reply with ICMP echo replies containing data as well.

How about this scenario?: A downloader (forget HIPS, Anti-executable, LUA, DEP, etc for the moment) connects to a malicious server using echo requests and the malicious server sends malware using echo replies.

Which firewalls can block outgoing ICMP for a specific application without blocking ICMP for other program? I know that Comodo and OA Free can but how about other firewalls?

 

Hi ggf31416,

Yes, it as been a problem for a while.

Most users (certainly those who visit security forums) do now block all ICMP to/from the internet.

Most firewalls do only have ICMP on a system wide basis:-

I do still need time to look at Comodo latest. OA is system wide, not per application, and does require work to give direction on such rules.

I have seen other firewall have such options, but will need to find time to re-check which these are.

 

Comodo seems to have to ICMP control per application (see screenshot)
Last time I tried OA Free alerted me about ping.exe and about "Comodo Outbound Conenction Tests", which uses ICMP.

123.234.45.87 is just a random IP. "Comodo Outbound Connection Tests" can be found at this thread
https://forums.comodo.com/leak_test...simple_outbound_protection_test-t18780.0.html

 

ggf31416,

Sygate has the opition of blocking ICMP traffic for each app.
http://www.kotiposti.net/string/SPF_eng/SPFGuide.html

under 'Configuration' you can uncheck 'act as server' and 'allow ICMP traffic' for each.
if you decide to use Sygate be sure to use the 5.5.2710 version and the above link has excellent setup steps for Sygate.
ive used this fw and version on many 98, 98se, me, 2000, and xp's without problems. sorry it dosent work w/vista if thats your sys.
L

 

That shows the system application making the Ping (as we would see svchost making DNS (when the service is active)). It would be a case of interception of application to such system service that needs interception. Do you have screenshot of that? For example "P2P client attempting ping"?

 

Most pc firewalls seem to have default system ICMP rules as echo request=out & echo reply=in. Isn't this enough for basic security in this area? This is not to mention the inbound only on unreachable and time exceeded.

 

Sorry, I don't understand. I wrote PING 123.234.45.87 in the command prompt. Comodo Outbound Test and the first version of System Shutdown Simulator also cause alerts. I was unable to generate any outbound ICMP alert with utorrent.

 

Outgoing echo requests can be used to transmit information to a remote computer and the remote computer can send a reply using echo replies.

 

Yes, I understand that, especially in the context of these rules. It would seem there is no problem with those rules in place because my pc will not respond to pings. The ping is initiated only at my will (provided malware does not take over) , nor will it respond to incoming pings from remote machines (echo replies are incoming only).

 

Ohh man i loved the sygate firewall, so easy so nice - very nice GUI, so very good protection, why why would did they let the symantec to take control over them .
I hope someone will come up with a good idéa to make a exactly firewall as Sygate, with exactly options, GUI and the nice looking GUI... some day..

 

Sygate still exists, you know... There is no reason to stop using it.

 

build 95 (the latest release) can catch ICMP per application. Though, I have found sss test to be incorrect. On attempt to ping OA gave me a popup, I have blocked an attempt. But test said "your FW failed". Then I unplugged ethernet cable and repeated the test. Again, it said "test failed" "ping response message: Success", "Time: 0 ms". How it mastered to get a response with uplugged cable is a true mistery. And my log shows:
[22:31:16] 998 [TDI] ICMP, Connect, 0.0.0.0 -> 69.147.114.210, D:\Pub\LeakTests\sss\sss.exe(1828/3464)
[22:31:16] 998 [TDI] Blocked by user.

 

Then there would be possible firewall rule, or API access rule for this. I have not seen this. Please post more details, maybe a pic that shows interception of outbound ping from an application.(and I dont mean ping.exe)

 

No it does not exist anymore
Because i know it has not been updated more then 2 years ago, and a firewall must update at least once at month to keep all the hackers away.
so what do you say about this?`

 

Which application is suitable? Is the Comodo test suitable?

 

Hi,

Sorry, very short of spare time these days, I have missed this "test", please give info/ link so I can "test the test" and then make test ( if that makes sense?)

 

The link to Comodo's forum in Post #3 (COT.zip).
EDIT: You must be logged in. I added the .txt extension (.zip is not a allowed file extension) and attached the zip to this post.

 

Sorry for the OT:
/OT on

Sorry, but where did you get this missleading info from. Firewalls a not based on any TCP/UCP/ICMP traffic signatures which have to be updated, there is no nead for this. You may be right regarding Leaktests, but those blockings belong more to a HIPS. HIPS functions are more and more build in into FW, but that has nothing todo with a classic FW. Run Sygate and a good HIPS/Behaviour Blocker and well ->perfect.
/OT off

 

Hi Tommy,

For IPV4 I agree, but how will non-updated firewalls handle IPV6, will this traffic be blocked/allowed or possible cause crash? or ?

 

Good questions as i am so far not very familiar with IPV6. The extendet adress space and the fact that NAT is not needed (not suported?) anymore could be a problem for not updated FW. But i am speculating. So far IPV6 is very rarly used to my knwoledge.

 

Is it really that important to tie ICMP rules to individual applications? Isn't the system-wide format used by most pc firewalls sufficient enough? AFAIS, only ping and traceroute use it, though there are probably other I'm not aware of, but what is wrong, if anything, with just having system-wide ICMP restrictions? Maybe I'm missing the boat but I don't see a problem here.

 

You are mainly correct as ICMP is not used to send and receive data between systems like TCP/UDP. Its main pupose is to send error messages (service failure, IP Diagram response error,etc.) of various kind.
So, if you don't have any application which runs as a server on your PC you don't need ICMP exept for 'ping' and 'traceroute' and some other rar application.

 

Thanks Tommy!

 

If you are talking about the fact that old firewalls do not handle IPv6, this is true. But it seems that this is a non existent problem (at least for me)... Of course, in time, this will become a real problem, but I'm not sure it's an issue now.

As for ICMP being used as a tunnel, it is possible, but that would mean you are already infected with some form of malware/trojan/rootkit/etc. In this situation I would be more concerned with finding a way of getting rid of the infection. If you have sensitive data on your computer that could be sent to a 3rd party using an ICMP tunnel, I thnk you should increase your preventive measures (i.e using a good HIPS).

 

Tommy:

the 5.5.2710 is the most stable version and Tommy your absolutely right, IMHO.
the only alternative to sygate, for me, would be kerio 2.1.5 which ive setup on a few sys's in the last 4 or 5 yrs and is installed on my ole98se/linux box but i use sygate/DW on my/wifes xp.
L