[p2p-hackers] ICMP tunneling

Ivan Arce ivan.arce at coresecurity.com
Thu Jun 22 19:44:44 UTC 2006


Travis,

I think you are correct; in theory there shouldn't be a problem with
outbound ICMP over raw sockets (after all, ping.exe does that, right?).

I don't recall the exact technical details but in the end we decided to move
over to using winpcap after SP2. The reasons for that were centered around
the crippling of raw sockets plus the TCP throttling and some undocumented
changes to ARP table management.

-ian


Travis Kalanick wrote:
> It's getting late here guys. . .
> 
> What I meant to say was I do not see any restrictions here about SP2
> blocking ICMP over raw sockets, though it clearly states there are absolute
> restrictions with TCP, and only some restrictions with regards to UDP.
> 
> Maybe restrictions on ICMP are just another "undocumented feature" from our
> friends in Redmond.
> 
> T
> 
> 
> -----Original Message-----
> From: Travis Kalanick [mailto:travis at redswoosh.net] 
> Sent: Tuesday, June 20, 2006 1:00 AM
> To: 'Peer-to-peer development.'
> Subject: RE: [p2p-hackers] ICMP tunneling
> 
> Regarding Windows implementation, it does not appear that SP2 restricts UDP
> datagrams over raw sockets (except in the case of spoofing).  I'll qualify
> that I haven't seen/tried an implementation yet, but take a look at this:
> 
> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx
> 
> 
> <snippet>
> 
> What new functionality is added to [TCP] in Windows XP Service Pack 2?
> Restricted traffic over raw sockets
> Detailed description
> 
> A very small number of Windows applications make use of raw IP sockets,
> which provide an industry-standard way for applications to create TCP/IP
> packets with fewer integrity and security checks by the TCP/IP stack. The
> Windows implementation of TCP/IP still supports receiving traffic on raw IP
> sockets. However, the ability to send traffic over raw sockets has been
> restricted in two ways:
> 
> - TCP data cannot be sent over raw sockets.
> 
> - UDP datagrams with invalid source addresses cannot be sent over raw
> sockets. The IP source address for any outgoing UDP datagram must exist on a
> network interface or the datagram is dropped.
> 
> Why is this change important? What threats does it help mitigate?
> 
> This change limits the ability of malicious code to create distributed
> denial-of-service attacks and limits the ability to send spoofed packets,
> which are TCP/IP packets with a forged source IP address.
> 
> Limited number of simultaneous incomplete outbound TCP connection attempts
> Detailed description
> 
> The TCP/IP stack now limits the number of simultaneous incomplete outbound
> TCP connection attempts. After the limit has been reached, subsequent
> connection attempts are put in a queue and will be resolved at a fixed rate.
> Under normal operation, when applications are connecting to available hosts
> at valid IP addresses, no connection rate-limiting will occur. When it does
> occur, a new event, with ID 4226, appears in the system's event log.
> 
> Why is this change important? What threats does it help mitigate?
> 
> This change helps to limit the speed at which malicious programs, such as
> viruses and worms, spread to uninfected computers. Malicious programs often
> attempt to reach uninfected computers by opening simultaneous connections to
> random IP addresses. Most of these random addresses result in a failed
> connection, so a burst of such activity on a computer is a signal that it
> may have been infected by a malicious program.
> 
> </snippet>
> 
> 
> According to MSFT, this is the only place where UDP restrictions for raw
> sockets seem to apply in SP2.  I'm sure I'm missing something. . .
> 
> Travis
> 
> 
> 
> 
> -----Original Message-----
> From: p2p-hackers-bounces at zgp.org [mailto:p2p-hackers-bounces at zgp.org] On
> Behalf Of Alex Pankratov
> Sent: Monday, June 19, 2006 11:26 AM
> To: Peer-to-peer development.
> Subject: Re: [p2p-hackers] ICMP tunneling
> 
>> Alex (pankratov), do you have any experience with Hamachi on this tip?
> 
> No, not with Hamachi. Implementing ICMP tunneling on Windows requires
> writing an NDIS/IM driver or an equivalent, and it is an absolutely royal pain
> in the butt to support. In other words, it is somewhat hard to justify :)
> 
> Alex
> 
> Travis Kalanick wrote:
>> Doing a bunch of traveling recently in Asia (adventures blogged here:
>> http://blog.redswoosh.net), I've found
>> myself in many situations where I've had to purchase wireless Internet
>> access, quite often at double or triple the prices seen in the States.
>>
>> Before paying, however, I am almost always able to do a DNS look-up and
>> sometimes even ping remote hosts, though normal Internet traffic over
>> port 80 (and various other ports) is blocked.
>>
>> It got me to thinking about ICMP tunneling around these wireless "toll
>> booths" so I could travel Asia and even the States without having to
>> communicate over those popular ports that cost money to communicate over.
>>
>> Maybe something could be coded up to tunnel over ICMP to a proxy
>> server (or proxy peer), that then translates communication back to the
>> intended protocol and port and forwards communication along.  It seems
>> that at least theoretically, with raw sockets and promiscuous
>> settings, even on Windows machines, this should be possible.
>>
>> Anybody have experience with tunneling over this widespread, but often
>> forgotten protocol and port?  Could it also be useful for NAT
>> traversal in extreme conditions?
>>
>> Alex (pankratov), do you have any experience with Hamachi on this tip?
>>
>> T
>>
>> Travis Kalanick
>> Red Swoosh, Inc.
>>
>> Blog - http://blog.redswoosh.net
>>
>> High quality video without bandwidth costs!
>>
>> www.redswoosh.net
>>
>> _______________________________________________
>> p2p-hackers mailing list
>> p2p-hackers at zgp.org
>> http://zgp.org/mailman/listinfo/p2p-hackers
>> _______________________________________________
>> Here is a web page listing P2P Conferences:
>> http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences

-- 
---
"Buy the ticket, take the ride" -HST

Ivan Arce
CTO

CORE SECURITY TECHNOLOGIES
http://www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
