GCIH · Question #464
An attacker is tunneling TLS encrypted traffic within ICMP echo and reply packets. How will most network appliances see this?
The correct answer is C. As ping traffic. When TLS traffic is encapsulated inside ICMP echo/reply packets, network appliances inspect the outer protocol header and classify the traffic as ping (ICMP) traffic unless deep packet inspection is enabled.
Question
An attacker is tunneling TLS encrypted traffic within ICMP echo and reply packets. How will most network appliances see this?
Options
- AAs reverse shell traffic
- BAs covert TCP traffic
- CAs ping traffic
- DAs TLS traffic
How the community answered
(42 responses)- A10% (4)
- B2% (1)
- C83% (35)
- D5% (2)
Why each option
When TLS traffic is encapsulated inside ICMP echo/reply packets, network appliances inspect the outer protocol header and classify the traffic as ping (ICMP) traffic unless deep packet inspection is enabled.
Reverse shell traffic is characterized by outbound TCP connections carrying interactive command sessions, not ICMP packets, so appliances would not classify ICMP as a reverse shell.
Covert TCP traffic specifically abuses TCP header fields (such as ISN or urgent pointer) to hide data - it is TCP-based and unrelated to ICMP tunneling.
ICMP tunneling works by embedding arbitrary payloads - in this case TLS data - inside the data field of ICMP echo request and reply packets. Standard firewalls, routers, and IDS devices make forwarding and classification decisions based on the outer IP/ICMP headers, so they see only legitimate ping traffic. Without deep payload inspection, the encapsulated TLS content is invisible to the appliance.
Network appliances see the outermost protocol, which is ICMP - not TLS - unless they perform deep packet inspection that decodes the ICMP payload.
Concept tested: ICMP tunneling and protocol encapsulation evasion
Source: https://www.ietf.org/rfc/rfc792.txt
Topics
Community Discussion
No community discussion yet for this question.