[p2p-hackers] ICMP tunneling

Travis Kalanick travis at redswoosh.net
Tue Jun 20 08:46:02 UTC 2006


It's getting late here, guys...

What I meant to say was I do not see any restrictions here about SP2
blocking ICMP over raw sockets, though it clearly states there are absolute
restrictions with TCP, and only some restrictions with regards to UDP.

Maybe restrictions on ICMP are just another "undocumented feature" from our
friends in Redmond.

T


-----Original Message-----
From: Travis Kalanick [mailto:travis at redswoosh.net] 
Sent: Tuesday, June 20, 2006 1:00 AM
To: 'Peer-to-peer development.'
Subject: RE: [p2p-hackers] ICMP tunneling

Regarding Windows implementation, it does not appear that SP2 restricts UDP
datagrams over raw sockets (except in the case of spoofing).  I'll qualify
that I haven't seen/tried an implementation yet, but take a look at this:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx


<snippet>

What new functionality is added to [TCP] in Windows XP Service Pack 2?
Restricted traffic over raw sockets
Detailed description

A very small number of Windows applications make use of raw IP sockets,
which provide an industry-standard way for applications to create TCP/IP
packets with fewer integrity and security checks by the TCP/IP stack. The
Windows implementation of TCP/IP still supports receiving traffic on raw IP
sockets. However, the ability to send traffic over raw sockets has been
restricted in two ways:

- TCP data cannot be sent over raw sockets.

- UDP datagrams with invalid source addresses cannot be sent over raw
sockets. The IP source address for any outgoing UDP datagram must exist on a
network interface or the datagram is dropped.
 

Why is this change important? What threats does it help mitigate?

This change limits the ability of malicious code to create distributed
denial-of-service attacks and limits the ability to send spoofed packets,
which are TCP/IP packets with a forged source IP address.

Limited number of simultaneous incomplete outbound TCP connection attempts
Detailed description

The TCP/IP stack now limits the number of simultaneous incomplete outbound
TCP connection attempts. After the limit has been reached, subsequent
connection attempts are put in a queue and will be resolved at a fixed rate.
Under normal operation, when applications are connecting to available hosts
at valid IP addresses, no connection rate-limiting will occur. When it does
occur, a new event, with ID 4226, appears in the system's event log.

Why is this change important? What threats does it help mitigate?

This change helps to limit the speed at which malicious programs, such as
viruses and worms, spread to uninfected computers. Malicious programs often
attempt to reach uninfected computers by opening simultaneous connections to
random IP addresses. Most of these random addresses result in a failed
connection, so a burst of such activity on a computer is a signal that it
may have been infected by a malicious program.

</snippet>


According to MSFT, this is the only place where UDP restrictions for raw
sockets seem to apply in SP2.  I'm sure I'm missing something...

Travis




-----Original Message-----
From: p2p-hackers-bounces at zgp.org [mailto:p2p-hackers-bounces at zgp.org] On
Behalf Of Alex Pankratov
Sent: Monday, June 19, 2006 11:26 AM
To: Peer-to-peer development.
Subject: Re: [p2p-hackers] ICMP tunneling

 > Alex (pankratov), do you have any experience with Hamachi on this tip?

No, not with Hamachi. Implementing ICMP tunneling on Windows requires
writing an NDIS/IM driver or an equivalent, and it is an absolutely royal pain
in the butt to support. In other words, it is somewhat hard to justify :)

Alex

Travis Kalanick wrote:
> Doing a bunch of traveling recently in Asia (adventures blogged here: 
> http://blog.redswoosh.net), I've found 
> myself in many situations where I've had to purchase wireless Internet 
> access, quite often at double or triple the prices seen in the States.
> 
>  
> 
> Before paying however, I am almost always able to do a DNS look-up and 
> sometimes even ping remote hosts, though normal Internet traffic over 
> port 80 (and various other ports) is blocked.
> 
>  
> 
> It got me to thinking about ICMP tunneling around these wireless "toll 
> booths" so I could travel Asia and even the states without having to 
> communicate over those popular ports that cost money to communicate over.
> 
>  
> 
> Maybe something could be coded up to tunnel over ICMP to a proxy 
> server (or proxy peer), that then translates communication back to the 
> intended protocol and port and forwards communication along.  It seems 
> that at least theoretically, with raw sockets and promiscuous 
> settings, even on Windows machines, this should be possible.
> 
>  
> 
> Anybody have experience with tunneling over this widespread, but often 
> forgotten protocol and port?  Could it also be useful for NAT 
> traversal in extreme conditions?
> 
>  
> 
> Alex (pankratov), do you have any experience with Hamachi on this tip?
> 
>  
> 
> T
> 
>  
> 
>  
> 
> Travis Kalanick
> Red Swoosh, Inc.
> 
> Blog - http://blog.redswoosh.net
> 
> High quality video without bandwidth costs!
> 
> www.redswoosh.net
> 
>  
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> p2p-hackers mailing list
> p2p-hackers at zgp.org
> http://zgp.org/mailman/listinfo/p2p-hackers
> _______________________________________________
> Here is a web page listing P2P Conferences:
> http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences
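Added example, not taken from any message in the thread above: the framing that the original post sketches, carrying arbitrary bytes to a proxy inside ICMP echo requests and getting the answer back in echo replies, written out in Python. It builds and parses the ICMP bytes only (RFC 792 echo header, RFC 1071 checksum), so it runs offline with no privileges; putting the frames on the wire still needs a raw socket, or on Windows a driver as Alex describes. The identifier value 0x1234, the TUNNEL_MAGIC tag, the chunk size and the sample HTTP request are all assumptions made for the example.

```python
# Added example (not from the thread): framing for an ICMP echo tunnel.
# The client packs the bytes it wants to reach the proxy into the data field
# of an ICMP echo request; the proxy answers with an echo reply carrying the
# return traffic. Only packet bytes are built here, so it runs offline.
# Identifier, sequence numbers and the TUNNEL_MAGIC tag are hypothetical.
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
TUNNEL_MAGIC = b"TUN1"  # hypothetical tag so the proxy can tell tunnel frames from ordinary pings


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message (header + data)."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd length to whole 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo header: type, code=0, checksum, identifier, sequence; then data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


def encapsulate(ident: int, seq: int, inner: bytes, reply: bool = False) -> bytes:
    """Wrap inner bytes (e.g. a TCP segment meant for the proxy) in an echo
    request, or in an echo reply for the proxy-to-client direction."""
    icmp_type = ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST
    return build_echo(icmp_type, ident, seq, TUNNEL_MAGIC + inner)


def decapsulate(packet: bytes, expected_ident: int):
    """Inverse of encapsulate. Returns (seq, inner) for a well-formed tunnel
    frame addressed to expected_ident, or None for anything else (ordinary
    pings, corrupted frames, frames belonging to another session)."""
    if len(packet) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # A message whose checksum field is correct sums to zero when re-checksummed.
    if icmp_checksum(packet) != 0:
        return None
    if code != 0 or icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    if ident != expected_ident:
        return None
    data = packet[8:]
    if not data.startswith(TUNNEL_MAGIC):
        return None
    return seq, data[len(TUNNEL_MAGIC):]


def frame_session(ident: int, chunks):
    """Client side: number the chunks of an outbound stream into echo requests."""
    return [encapsulate(ident, seq, chunk) for seq, chunk in enumerate(chunks, start=1)]


def reassemble(ident: int, packets) -> bytes:
    """Proxy side: keep frames for our identifier, reorder by sequence, drop the rest."""
    frames = {}
    for pkt in packets:
        decoded = decapsulate(pkt, ident)
        if decoded is not None:
            seq, inner = decoded
            frames[seq] = inner
    return b"".join(frames[s] for s in sorted(frames))


if __name__ == "__main__":
    request = b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"  # constructed sample
    wire = frame_session(0x1234, [request[i:i + 16] for i in range(0, len(request), 16)])
    print(len(wire), "echo requests,", len(wire[0]), "bytes in the first")
    print(reassemble(0x1234, wire))
```

Two points worth noting for anyone who tries this against a captive portal: the proxy must answer with an echo reply whose identifier and sequence match the request, since stateful middleboxes and NAT track echo sessions by exactly those fields, and the data field here is what any IDS that inspects ping payloads will see, so a fixed tag like TUNNEL_MAGIC is a signature as much as it is a demultiplexing aid.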