ICMP tunnel

Discussion in 'other firewalls' started by ggf31416, Mar 10, 2008.

Thread Status:
Not open for further replies.
  1. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Googling for ICMP tunnel I found some interesting results:
    http://en.wikipedia.org/wiki/ICMP_tunnel
    http://www.cs.uit.no/~daniels/PingTunnel/
    http://thomer.com/icmptx/

    There is at least a trojan using ICMP to transmit sensitive data (link provided by egemen)
    http://www.websense.com/securitylabs/alerts/alert.php?AlertID=570

    If I understand correctly, the idea is to put data in the data section of ICMP Echo request packets, and the other computer will reply with ICMP echo replies containing data as well.

    How about this scenario: a downloader (forget HIPS, Anti-executable, LUA, DEP, etc. for the moment) connects to a malicious server using echo requests, and the malicious server sends malware using echo replies.

    Which firewalls can block outgoing ICMP for a specific application without blocking ICMP for other programs? I know that Comodo and OA Free can, but how about other firewalls?
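The mechanism ggf31416 describes, as an added example that is not part of the thread and is not code from PingTunnel, icmptx or any other tool linked above. Everything is simulated with byte strings instead of raw sockets; the 4-byte TUNNEL_TAG marker, the 0x1234 identifier and the 56-byte payload size (chosen to match a stock Linux ping) are assumptions made for the demo.

```python
"""Added example of the ICMP echo tunnel described above.

Nothing here is from ptunnel, icmptx or the thread: the TUNNEL_TAG marker
and the 0x1234 identifier are invented for the demo, and the "exchange" is
simulated with byte strings instead of raw sockets.
"""
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
TUNNEL_TAG = b"TUN!"           # hypothetical marker so the endpoint can tell
                               # tunnel packets from ordinary pings
CHUNK = 56 - len(TUNNEL_TAG)   # stay within the size of a stock Linux ping


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header (type, code, checksum, id, seq) followed by the payload.
    The tunnel hides its data in the payload a real ping fills with filler."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes):
    """Return (type, ident, seq, payload); a valid message checksums to 0."""
    if len(packet) < 8:
        raise ValueError("short ICMP message")
    if inet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]


def chunks(data: bytes, size: int = CHUNK):
    return [data[i:i + size] for i in range(0, len(data), size)]


def server_handle(request: bytes, next_down: bytes):
    """Tunnel endpoint: pull the hidden bytes out of an echo request and
    answer with an echo reply whose payload is *its* next chunk. Returns
    (None, None) for an ordinary ping so the caller can answer it normally."""
    icmp_type, ident, seq, payload = parse_echo(request)
    if icmp_type != ECHO_REQUEST or not payload.startswith(TUNNEL_TAG):
        return None, None
    reply = build_echo(ECHO_REPLY, ident, seq, TUNNEL_TAG + next_down)
    return payload[len(TUNNEL_TAG):], reply


def run_exchange(uplink: bytes, downlink: bytes, ident: int = 0x1234):
    """Simulate the whole exchange offline: the client carries `uplink` in
    echo requests, the server carries `downlink` back in echo replies
    (empty requests keep the channel open until the downlink is drained).
    Returns (bytes the server received, bytes the client received)."""
    up, down = chunks(uplink), chunks(downlink)
    server_got = client_got = b""
    for seq in range(max(len(up), len(down))):
        request = build_echo(ECHO_REQUEST, ident, seq,
                             TUNNEL_TAG + (up[seq] if seq < len(up) else b""))
        got, reply = server_handle(request, down[seq] if seq < len(down) else b"")
        server_got += got
        client_got += parse_echo(reply)[3][len(TUNNEL_TAG):]
    return server_got, client_got


if __name__ == "__main__":
    s, c = run_exchange(b"secret document contents", b"bytes of a downloaded binary")
    print(s, c)
```

Note that the downlink direction (server to client) is the one that breaks the protocol's own rule: an honest echo reply carries the request's data back unchanged, whereas here each reply carries fresh data. That asymmetry is what a network-side check can key on; a host firewall that only knows "echo request out, echo reply in" sees nothing unusual.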
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi ggf31416,

    Yes, it has been a problem for a while.

    Most users (certainly those who visit security forums) do now block all ICMP to/from the internet.

    Most firewalls do only have ICMP on a system-wide basis:

    I do still need time to look at Comodo's latest. OA is system-wide, not per application, and does require work to give direction on such rules.

    I have seen other firewalls have such options, but will need to find time to re-check which these are.
     
  3. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Comodo seems to have ICMP control per application (see screenshot).
    Last time I tried, OA Free alerted me about ping.exe and about "Comodo Outbound Connection Tests", which uses ICMP.

    123.234.45.87 is just a random IP. "Comodo Outbound Connection Tests" can be found at this thread
    https://forums.comodo.com/leak_test...simple_outbound_protection_test-t18780.0.html
     

    Last edited: Mar 10, 2008
  4. lasu

    lasu Registered Member

    Joined:
    Mar 19, 2005
    Posts:
    43
    ggf31416,
    Sygate has the option of blocking ICMP traffic for each app.
    http://www.kotiposti.net/string/SPF_eng/SPFGuide.html

    Under 'Configuration' you can uncheck 'act as server' and 'allow ICMP traffic' for each.
    If you decide to use Sygate, be sure to use the 5.5.2710 version; the above link has excellent setup steps for Sygate.
    I've used this FW and version on many 98, 98SE, ME, 2000 and XP systems without problems. Sorry, it doesn't work with Vista if that's your system.
    L
     
    Last edited: Mar 10, 2008
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That shows the system application making the ping (as we would see svchost making DNS (when the service is active)). It would be a case of interception of the application to such system service that needs interception. Do you have a screenshot of that? For example "P2P client attempting ping"?
     
  6. wat0114

    wat0114 Guest

    Most pc firewalls seem to have default system ICMP rules as echo request=out & echo reply=in. Isn't this enough for basic security in this area? This is not to mention the inbound only on unreachable and time exceeded.
     
  7. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Sorry, I don't understand. o_O I wrote PING 123.234.45.87 in the command prompt. Comodo Outbound Test and the first version of System Shutdown Simulator also cause alerts. I was unable to generate any outbound ICMP alert with utorrent.
     

  8. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Outgoing echo requests can be used to transmit information to a remote computer and the remote computer can send a reply using echo replies.
     
  9. wat0114

    wat0114 Guest

    Yes, I understand that, especially in the context of these rules. It would seem there is no problem with those rules in place because my pc will not respond to pings. The ping is initiated only at my will (provided malware does not take over) , nor will it respond to incoming pings from remote machines (echo replies are incoming only).
     
  10. DavidON

    DavidON Registered Member

    Joined:
    Mar 7, 2008
    Posts:
    19
    Location:
    North Island

    Oh man, I loved the Sygate firewall, so easy, so nice, very nice GUI, very good protection. Why, why did they let Symantec take control over them :(.
    I hope someone will come up with a good idea to make a firewall exactly like Sygate, with exactly the same options and the nice-looking GUI... some day.
     
  11. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Sygate still exists, you know... There is no reason to stop using it. :)
     
  12. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Build 95 (the latest release) can catch ICMP per application. Though, I have found the sss test to be incorrect. On an attempt to ping, OA gave me a popup and I blocked the attempt. But the test said "your FW failed". Then I unplugged the ethernet cable and repeated the test. Again, it said "test failed", "ping response message: Success", "Time: 0 ms". How it managed to get a response with the cable unplugged is a true mystery. And my log shows:
    [22:31:16] 998 [TDI] ICMP, Connect, 0.0.0.0 -> 69.147.114.210, D:\Pub\LeakTests\sss\sss.exe(1828/3464)
    [22:31:16] 998 [TDI] Blocked by user.
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Then there would be a possible firewall rule, or API access rule, for this. I have not seen this. Please post more details, maybe a pic that shows interception of an outbound ping from an application (and I don't mean ping.exe).
     
  14. Dorn

    Dorn Registered Member

    Joined:
    Mar 12, 2008
    Posts:
    34
    No, it does not exist anymore o_O
    Because I know it has not been updated for more than 2 years, and a firewall must update at least once a month to keep all the hackers away.
    So what do you say about this?
     
  15. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Which application is suitable? Is the Comodo test suitable?
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi,

    Sorry, very short of spare time these days, I have missed this "test"; please give info/link so I can "test the test" and then make a test (if that makes sense?).
     
  17. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    The link to Comodo's forum in Post #3 (COT.zip).
    EDIT: You must be logged in. I added the .txt extension (.zip is not an allowed file extension) and attached the zip to this post.
     

    Last edited: Mar 12, 2008
  18. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Sorry for the OT:
    /OT on
    Sorry, but where did you get this misleading info from? Firewalls are not based on any TCP/UDP/ICMP traffic signatures which have to be updated; there is no need for this. You may be right regarding leaktests, but those blockings belong more to a HIPS. HIPS functions are more and more built into FWs, but that has nothing to do with a classic FW. Run Sygate and a good HIPS/behaviour blocker and well -> perfect.
    /OT off
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Tommy,
    For IPv4 I agree, but how will non-updated firewalls handle IPv6? Will this traffic be blocked/allowed, or possibly cause a crash? Or ?
     
  20. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Good question, as I am so far not very familiar with IPv6. The extended address space and the fact that NAT is not needed (not supported?) anymore could be a problem for non-updated FWs. But I am speculating. So far IPv6 is very rarely used, to my knowledge.
     
  21. wat0114

    wat0114 Guest

    Is it really that important to tie ICMP rules to individual applications? Isn't the system-wide format used by most pc firewalls sufficient enough? AFAIS, only ping and traceroute use it, though there are probably others I'm not aware of, but what is wrong, if anything, with just having system-wide ICMP restrictions? Maybe I'm missing the boat, but I don't see a problem here.
     
  22. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    You are mainly correct, as ICMP is not used to send and receive data between systems like TCP/UDP. Its main purpose is to send error messages (service failure, IP datagram response error, etc.) of various kinds.
    So, if you don't have any application which runs as a server on your PC, you don't need ICMP except for 'ping' and 'traceroute' and some other rare applications.
     
    Last edited: Mar 12, 2008
  23. wat0114

    wat0114 Guest

    Thanks Tommy!
     
  24. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    If you are talking about the fact that old firewalls do not handle IPv6, this is true. But it seems that this is a non existent problem (at least for me)... Of course, in time, this will become a real problem, but I'm not sure it's an issue now.

    As for ICMP being used as a tunnel, it is possible, but that would mean you are already infected with some form of malware/trojan/rootkit/etc. In this situation I would be more concerned with finding a way of getting rid of the infection. If you have sensitive data on your computer that could be sent to a 3rd party using an ICMP tunnel, I think you should increase your preventive measures (i.e. using a good HIPS).
     
  25. lasu

    lasu Registered Member

    Joined:
    Mar 19, 2005
    Posts:
    43
    Tommy:
    The 5.5.2710 is the most stable version, and Tommy, you're absolutely right, IMHO.
    The only alternative to Sygate, for me, would be Kerio 2.1.5, which I've set up on a few systems in the last 4 or 5 years and is installed on my old 98SE/Linux box, but I use Sygate/DW on my and my wife's XP.
    L
     