Malicious ICMP Tunneling: Defense against the Vulnerability

Conference paper. Information Security and Privacy (ACISP 2003).

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2727)

Abstract

This paper presents a systematic solution to the problem of using ICMP tunneling as a covert channel. ICMP is not multiplexed via port numbers, and the data part of an ICMP packet provides considerable bandwidth for malicious covert channels. These factors make it an integral part of much malicious software, such as remote access and denial-of-service attack tools, which use ICMP to establish covert communication channels. In this paper a stateless model is proposed to prevent ICMP tunneling. A Linux kernel module was implemented to demonstrate the proposed stateless solution. The module enforces a fixed payload policy for ICMP packets and virtually eliminates the ICMP tunneling that arises from the data-carrying capability of ICMP. The performance impact of the stateless monitoring model on end hosts and routers is described.
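As an added illustration of the fixed-payload policy the abstract describes (example code written for this page, not the authors' kernel module), the following stateless check parses an IPv4/ICMP packet in user space and accepts echo request/reply traffic only when its data field equals one fixed pattern; the pattern, the addresses and the packet builder are constructed assumptions, and malformed ICMP is dropped rather than passed.

```python
import struct

# Assumed policy (constructed for this example, not the paper's exact pattern):
# echo data must be exactly these 40 bytes, mirroring Linux ping's default filler.
FIXED_PAYLOAD = bytes(range(0x10, 0x38))

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def parse_ipv4_icmp(pkt: bytes):
    """Return (type, code, data) for an IPv4/ICMP packet, or None if the packet
    is not IPv4/ICMP. Raises ValueError when it claims to be ICMP but is malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_ICMP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    # Need a full IP header and at least the 8-byte ICMP header inside it.
    if ihl < 20 or total_len > len(pkt) or total_len < ihl + 8:
        raise ValueError("malformed IPv4/ICMP packet")
    icmp = pkt[ihl:total_len]
    # Echo messages: type, code, checksum, identifier, sequence, then data.
    return icmp[0], icmp[1], icmp[8:]


def check_icmp_policy(pkt: bytes) -> str:
    """Stateless verdict: 'accept', 'drop', or 'pass' (not subject to the policy)."""
    try:
        parsed = parse_ipv4_icmp(pkt)
    except ValueError:
        return "drop"
    if parsed is None:
        return "pass"
    icmp_type, _code, data = parsed
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        # Error messages quote the offending IP header; the echo policy is not applied.
        return "pass"
    return "accept" if data == FIXED_PAYLOAD else "drop"


def build_echo(data: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Constructed test input: minimal IPv4+ICMP packet, checksums left zero."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp
```

A deployment would normally allow a small set of known client patterns (and the same length check) rather than a single one, and the kernel module in the paper applies the verdict inline per packet without any connection state.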




Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

Cite this paper

Singh, A., Nordström, O., Lu, C., dos Santos, A.L.M. (2003). Malicious ICMP Tunneling: Defense against the Vulnerability. In: Safavi-Naini, R., Seberry, J. (eds) Information Security and Privacy. ACISP 2003. Lecture Notes in Computer Science, vol 2727. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45067-X_20

  • DOI: https://doi.org/10.1007/3-540-45067-X_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40515-3

  • Online ISBN: 978-3-540-45067-2
