On Fri, 2007-05-04 at 09:47 -0400, Bret Lambert wrote:
> On Fri, 2007-05-04 at 07:26 -0600, Open Phugu wrote:
> > > if you deny icmp, you shall burn in hell
> >
> > You may burn in hell, but ICMP can be used to infiltrate and exfiltrate data:
> >
> > http://www.cs.uit.no/~daniels/PingTunnel/
>
> This looks like it's pretty trivially defeated; bzero()'ing the data
> portion of the ICMP echo request/response removes the piggybacked data
> channel.
>
> For even more fun, you could overwrite the actual data in the covert
> channel with a fun message about the Care Bears.
>
> Or, for bonus points, some nice Harry Potter slashfic ;-)

For certain types of network links it can be useful for troubleshooting/debugging purposes to put different patterns into the data portion of the ICMP packet:

http://www.cisco.com/en/US/tech/tk713/tk628/technologies_tech_note09186a00800a7599.shtml

Although I agree that having the option to scrub or block ICMP packets with non-zero data payloads would be useful.

Jeff
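
The scrubbing discussed in this thread, as an added example that is not code from either poster or from any firewall: it zeroes the data portion of an ICMP echo request/reply and recomputes the ICMP checksum, which a plain bzero() alone would leave invalid. The names `icmp_echo_scrub` and `icmp_cksum` are hypothetical, the buffer is assumed to hold the ICMP message with the IP header already stripped, and `memset()` stands in for the legacy `bzero()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ICMP_ECHOREPLY 0
#define ICMP_ECHO      8
#define ICMP_HDR_LEN   8   /* type, code, checksum, identifier, sequence */

/* RFC 1071 Internet checksum over the whole ICMP message. */
static uint16_t icmp_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (len & 1)                      /* odd trailing byte, padded with zero */
        sum += (uint32_t)(p[len - 1] << 8);
    while (sum >> 16)                 /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/*
 * Hypothetical helper: scrub one ICMP message in place.
 * Returns -1 if shorter than an ICMP header, 0 if left untouched
 * (not an echo message, or payload already all zero), 1 if the
 * payload was zeroed and the checksum rewritten.
 */
int icmp_echo_scrub(uint8_t *msg, size_t len)
{
    size_t i;
    uint16_t ck;

    if (len < ICMP_HDR_LEN)
        return -1;
    if (msg[0] != ICMP_ECHO && msg[0] != ICMP_ECHOREPLY)
        return 0;                     /* other ICMP types are not touched */
    for (i = ICMP_HDR_LEN; i < len && msg[i] == 0; i++)
        ;
    if (i == len)
        return 0;                     /* nothing piggybacked */
    memset(msg + ICMP_HDR_LEN, 0, len - ICMP_HDR_LEN);
    msg[2] = msg[3] = 0;              /* checksum field is zero while summing */
    ck = icmp_cksum(msg, len);
    msg[2] = (uint8_t)(ck >> 8);
    msg[3] = (uint8_t)(ck & 0xff);
    return 1;
}
```

The return value of 1 also marks packets that carried a non-zero payload, so the same check can drive a log-or-block policy; the diagnostic data patterns mentioned in the reply above are erased along with any tunnelled data.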