ICMP tunneling

What is ICMP?

The Internet Control Message Protocol (ICMP) is a layer three protocol in the ISO/OSI model and is described in RFC 792. Strictly speaking, ICMP is a component of IPv4, but it is treated as an independent protocol.

The digital threat situation has evolved significantly in recent years. The IT security landscape in companies has adapted accordingly.

Firewalls, intrusion detection and prevention systems (IDS and IPS), Security Information and Event Management systems (SIEM), User and Entity Behavior Analytics (UEBA) and stateful protocol analysis: network monitoring is becoming increasingly tight, and attackers are being forced to find new ways to remain undetected on the network.

A popular option is ICMP tunneling. Attackers use protocols from the lower ISO/OSI layers, which are usually not monitored as closely, to obscure their traffic.

ICMP uses the basic support of IP as if it were a higher-level protocol; however, ICMP is actually an integral part of IP and must be implemented by every IP module.

ICMP tunneling misuses a protocol that is normally used in IPv4 networks to carry informational and error messages.

Structure of an ICMP message

Bits 0-7    Bits 8-15    Bits 16-31
Type        Code         Checksum
Data (optional)

There are different ICMP packet types that can be used for ICMP tunneling. The type of an ICMP packet is specified as an 8-bit number at the beginning of the ICMP header. The Code field specifies the type of message in more detail.
Type    Type name                  Code    Significance
0       Echo Reply                 -       Echo Reply
3       Destination unreachable    1       Host unreachable
                                   3       Port unreachable
8       Echo Request               -       Echo Request

The table only shows a small part of the ICMP packet types.

How does ICMP tunneling work?

Normally, the data field of an ICMP packet carries more detailed information about the ICMP message. However, RFC 792 does not regulate what the data field must contain. Attackers exploit this design decision for ICMP tunneling: instead of communicating directly with the target via TCP, for example, they wrap each packet in an ICMP echo request or echo reply packet. In a network capture you would then only see a series of ping packets instead of, say, a TCP connection.

Windows and Linux ICMP tools usually send packets with a payload of 64 bytes. However, the protocol allows a payload of up to 64 kilobytes in total.

To tunnel data via ICMP, a client and a server are required. With asynchronous connections, the traffic is significantly higher than with synchronous connections.

Things become problematic with stateful firewalls or NAT devices, however. These only let an echo reply through if there is a matching echo request packet. Stateful firewalls and NAT devices would therefore drop many of the echo reply packets, because there would be more replies than requests.

However, some ICMP tunneling tools already circumvent this problem: the client continuously sends empty echo request packets, to which the server can respond with echo reply packets.

How can ICMP tunneling be detected?

Above-average traffic

If the ICMP tunnel is used to move large amounts of data, the number of ICMP packets in the network increases dramatically. A normal ICMP tool sends only a "few" packets per second. If HTTP is tunneled over ICMP, however, several thousand packets can be sent in the same time.

Packet size

Normally ICMP packets have a fixed size. The size may vary from operating system to operating system, but should otherwise remain largely the same. To be less conspicuous with respect to the first point, attackers pack more data into a single ICMP packet in order to generate less traffic.

ICMP echo requests

To bypass stateful firewalls and NAT, ICMP tunneling tools send empty ICMP echo requests at regular intervals. These should be noticeable on closer inspection of the network traffic, but they are difficult to distinguish from normal ICMP traffic.

ICMP echo replies

Normally, an ICMP echo reply contains the same payload as the corresponding echo request. If the payload differs, this is a sign of ICMP tunneling.
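As an added example (not code from the original article), the following Python script parses the ICMP header laid out in the table above and applies the detection indicators from this section to constructed sample messages. The 64-byte payload threshold, the identifiers, sequence numbers and payloads are assumptions for the demo.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

def icmp_checksum(data: bytes) -> int:
    # RFC 792 checksum: one's-complement sum of all 16-bit words of the ICMP message.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    # Header layout from the table above: Type (8 bits), Code (8 bits), Checksum (16 bits);
    # echo messages then carry a 16-bit Identifier and Sequence before the payload.
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq, "payload": msg[8:],
            "checksum_ok": icmp_checksum(msg) == 0}  # a correct message sums to zero

def build_echo(typ: int, ident: int, seq: int, payload: bytes) -> bytes:
    # Builds constructed sample messages for the demo, with the checksum filled in.
    hdr = struct.pack("!BBHHH", typ, 0, 0, ident, seq)
    return struct.pack("!BBHHH", typ, 0, icmp_checksum(hdr + payload), ident, seq) + payload

def detect_tunnel(packets, max_payload=64):
    # Indicators from the text: oversized payloads, empty echo requests, and echo
    # replies whose payload differs from the request with the same id/sequence.
    alerts, requests = [], {}
    for p in packets:
        key = (p["id"], p["seq"])
        if len(p["payload"]) > max_payload:
            alerts.append(("oversized_payload", *key, len(p["payload"])))
        if p["type"] == ICMP_ECHO_REQUEST:
            requests[key] = p["payload"]
            if not p["payload"]:
                alerts.append(("empty_echo_request", *key, 0))
        elif p["type"] == ICMP_ECHO_REPLY and key in requests and requests[key] != p["payload"]:
            alerts.append(("reply_payload_mismatch", *key, len(p["payload"])))
    return alerts

# Constructed traffic: a normal ping pair, an empty request answered with a data-carrying reply
# (the stateful-firewall trick described above), and one oversized request.
SAMPLE = [build_echo(8, 0x1234, 1, b"abcdefghijklmnopqrstuvwxyz012345"),
          build_echo(0, 0x1234, 1, b"abcdefghijklmnopqrstuvwxyz012345"),
          build_echo(8, 0x1234, 2, b""), build_echo(0, 0x1234, 2, b"GET / HTTP/1.1\r\n"),
          build_echo(8, 0x1234, 3, b"A" * 1400)]

def run_demo():
    return detect_tunnel([parse_icmp(m) for m in SAMPLE])
```

In a real deployment the same three checks would run over ICMP messages pulled from a packet capture, with the payload threshold tuned to the ping tools actually in use on the network.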


Detect ICMP tunneling with ProSec

To ensure that your company's sensitive data remains safe and protected, the IT security of your company network is of great importance. ICMP tunneling represents a new threat to your IT infrastructure and should therefore not be ignored when checking IT security. ProSec is aware of this fact and uses penetration tests to check this possibility of intrusion into your company network. Find out how much risk ICMP tunneling poses to you and contact us today. We help you stay safe and protected.
