Feature #1566

open

ICMPv4 control channel detection

Added by Vlad Solontsov almost 6 years ago. Updated almost 2 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

I'm trying to find a way of detecting control channels over ICMP (ICMP shell and others).
As a proposal I would like to detect:
  • Unsolicited ECHO Reply
  • ECHO Reply with a different payload

If there are no such options (I'm pretty sure of it), I will be happy to try and contribute.
In this case I'd like someone experienced to validate the details of the idea.

Actions #1

Updated by Victor Julien almost 6 years ago

You are correct. There is no specific detection for such cases. What do you have in mind?

Actions #2

Updated by Vlad Solontsov almost 6 years ago

First of all, by detecting I would set up a flow to avoid any additional work for alerting on further traffic between src and dest.
Just have a rule to alert on all the ICMP traffic within a flow.

Secondly, it seems like I need a kind of transaction hash-map (I saw this kind of thing in DNS at the app level) with a copy of the initial Packet.

So, as far as I understand, when registering a module I need to initialize a hash-map (the key is to be based on src, dest, id and sequence number).
On receiving an ECHO Request/Reply, try to find and update an existing flow.
If there is no flow,
  • for a request I need to create a transaction, copy the packet and store the copy in the transaction.
  • for a reply I need to find a transaction and check the payload.
    • No transaction -- create a flow and raise an alert (return 1 from the detecting module)
    • Payload mismatch -- create a flow, add the initial packet for processing with the flow, update the flow for the current packet (drop the transaction)
    • No mismatch -- just drop the transaction.

Could you please comment on how reasonable it is, what the pitfalls with the threading model are, etc.?
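
The request/reply tracking sketched in the comment above, as an added stand-alone example (not Suricata code and not the ticket author's implementation): it parses raw ICMPv4 echo packets, keeps a bounded table of pending requests keyed on (requester, responder, id, seq) with a copy of the request data, and raises the two proposed alerts plus a "flagged flow" alert for any later ICMP between a pair that already triggered. The hostnames, IDs, payloads and alert names are constructed for the demo; the addresses are assumed to come from the outer IP header.

```python
"""Stateful ICMPv4 echo tracker: flags unsolicited echo replies and
echo replies whose payload differs from the matching request.
Added example, not part of the Suricata code base."""
import struct
from collections import OrderedDict

ECHO_REPLY = 0
ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a packet whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMPv4 echo request/reply (used only to construct sample traffic)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(raw: bytes):
    """Return (type, ident, seq, payload) for an echo packet, or None if it is
    truncated, not an echo request/reply, or fails its checksum."""
    if len(raw) < 8 or icmp_checksum(raw) != 0:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        return None
    return icmp_type, ident, seq, raw[8:]


class EchoTracker:
    """Pending-request table keyed on (requester, responder, id, seq)."""

    def __init__(self, max_pending: int = 4096):
        self.max_pending = max_pending
        self.pending = OrderedDict()   # key -> copy of the request payload
        self.flagged = set()           # unordered host pairs whose ICMP is now always alerted
        self.alerts = []

    def process(self, src: str, dst: str, raw: bytes):
        """Feed one ICMP packet; src/dst are the outer IP addresses (assumed
        supplied by the caller). Returns an alert tuple or None."""
        parsed = parse_echo(raw)
        if parsed is None:
            return None
        icmp_type, ident, seq, payload = parsed
        if frozenset((src, dst)) in self.flagged:
            return self._alert("icmp_in_flagged_flow", src, dst, ident, seq)

        if icmp_type == ECHO_REQUEST:
            self.pending[(src, dst, ident, seq)] = payload
            if len(self.pending) > self.max_pending:   # bound memory: evict the oldest
                self.pending.popitem(last=False)
            return None

        # Echo reply: the matching request went the other way, so flip src/dst.
        expected = self.pending.pop((dst, src, ident, seq), None)
        if expected is None:
            return self._alert("unsolicited_echo_reply", src, dst, ident, seq)
        if expected != payload:
            return self._alert("echo_reply_payload_mismatch", src, dst, ident, seq)
        return None

    def _alert(self, kind, src, dst, ident, seq):
        self.flagged.add(frozenset((src, dst)))
        alert = (kind, src, dst, ident, seq)
        self.alerts.append(alert)
        return alert


def run_demo():
    """Constructed sample traffic (not a capture): a normal ping exchange, a
    reply nobody asked for, a reply carrying different data than its request,
    then one more packet between the now-flagged pair."""
    tracker = EchoTracker()
    data = bytes(range(8))
    traffic = [
        ("10.0.0.5", "10.0.0.1", build_echo(ECHO_REQUEST, 0x1234, 1, data)),
        ("10.0.0.1", "10.0.0.5", build_echo(ECHO_REPLY, 0x1234, 1, data)),
        ("10.0.0.9", "10.0.0.5", build_echo(ECHO_REPLY, 0x4141, 7, b"beacon:host-a")),
        ("10.0.0.5", "10.0.0.1", build_echo(ECHO_REQUEST, 0x1234, 2, data)),
        ("10.0.0.1", "10.0.0.5", build_echo(ECHO_REPLY, 0x1234, 2, b"uid=0(root)")),
        ("10.0.0.5", "10.0.0.1", build_echo(ECHO_REQUEST, 0x1234, 3, data)),
    ]
    for src, dst, raw in traffic:
        tracker.process(src, dst, raw)
    return tracker.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two things worth noting before turning this into a real detector: the table must be bounded (here by evicting the oldest entry) because every pending request carries a copy of its data, and popping the entry on the first matching reply means a duplicated reply (what ping reports as DUP!) will show up as unsolicited, so a production version would expire entries on a timer rather than delete them on first match.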

Actions #3

Updated by Vlad Solontsov almost 6 years ago

Hi,

Sorry for chasing, but is the proposal completely wrong?

Actions #4

Updated by Andreas Herz over 5 years ago

  • Assignee set to Anonymous

It's just still in the Queue :)

Actions #5

Updated by Andreas Herz over 2 years ago

  • Assignee set to Community Ticket

Actions #6

Updated by Victor Julien almost 2 years ago

The flow tracking for (some) ICMP is now done. The rest of the logic will be non-trivial, as ICMP packets are not sent to the app-layer API where the DNS parser lives.
