ICMPv4 control channel detection
As a proposal I would like to detect:
- Unsolicited ECHO Reply
- ECHO Reply with different payload
If there is no such options (I'm pretty sure in it) I will be happy to try and contribute.
In this case I'd like someone experienced to validate the idea details.
Updated by Vlad Solontsov almost 7 years ago
First of all, by detecting I would setup a flow to avoid any additional work for alerting further traffic between src and dest.
Just have a rule to alert all the ICMP traffic within a flow.
Secondary, seems like I need a kind of transactions hash-map (I saw this kind of thing in DNS at app level) with a copy of initial Packet.So, as far as I understand, at registering a module I need to initialize a hash-map (key is to be based on src, dest, id and sequence number).
At receiving ECHO Request/Reply try to find and update existing flow.
If no flow,
- for request I need to create a transaction, copy the packet and store the copy in the transaction.
- for reply I need to find a transaction and check the payload.
- No transaction -- create a flow and raise alert (return 1 from detecting module)
- Payload mismatch -- create a flow, add initial packet for processing with the flow, update the flow for the current packet (drop the transaction)
- No mismatch -- just drop the transaction.
Could you please comment how reasonable it is, what are the pitfalls with threading model, etc?