This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rene_Atanassoff
Explorer
‎2018-02-06 03:20 PM

ICMP covert channel detection

Hi All

I have been asked by a customer to ensure that all protections for covert channel attacks are enabled on their R77.30 gateways which are managed through an R80.10 Management server.  The customer has threat prevention blades, IPS, AV & Anti-bot enabled.  I could find the IPS signature for DNS tunneling but I don't see anything for ICMP. Could someone please explain how Checkpoint deals with ICMP covert channel attacks?

Thank you

Rene

0 Kudos
5 Replies
G_W_Albrecht
Legend
Legend
‎2018-02-07 03:25 AM

The TCSEC defines two kinds of covert channels:  Storage channels - Cover communication by modifying a "storage location", such as a hard drive, and Timing channels - Perform operations that affect the "real response time observed" by the receiver.

As for ICMP, this is a supporting protocol not regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute). So it is a standard to block it in rulebase or restrict it use (no ping to the GW gets answered).

The threat you speak of is covered by APCL - see Application/Categories ICMPTX, Data Exfiltration Toolkit ICMP Mode and ICMP shell, all supported since R80.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Vladimir
Champion
Champion
‎2018-02-07 05:43 AM

To add to Guenther's post, unsuccessful UDP queries to DNS may result in ICMP replies from those. It is possible to use this mechanism for exfiltration, modifying payload of the replies. 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-02-10 03:50 PM

One thing you can do in IPS to limit this is to limit the size of ICMP Echo Requests.

0 Kudos
Rene_Atanassoff
Explorer
‎2018-02-11 02:38 PM
In response to PhoneBoy

Thanks guys much appreciate the feedback, I will check out the various options.

0 Kudos
Joe_Sullivan
Explorer
‎2018-02-14 10:38 AM
In response to Rene_Atanassoff

I'm a little late on this one... but if you want some insight on how that works, this is a good program for running TCP over ICMP:

Ping Tunnel - Send TCP traffic over ICMP 

This was a popular tool to use in hotels to get out of paying for Internet - then they started blocking ICMP.