nerdexam
GIAC

GCIH · Question #464

An attacker is tunneling TLS encrypted traffic within ICMP echo and reply packets. How will most network appliances see this?

The correct answer is C. As ping traffic. When TLS traffic is encapsulated inside ICMP echo/reply packets, network appliances inspect the outer protocol header and classify the traffic as ping (ICMP) traffic unless deep packet inspection is enabled.

Malware Analysis & Advanced Persistent Threats

Question

An attacker is tunneling TLS encrypted traffic within ICMP echo and reply packets. How will most network appliances see this?

Options

  • AAs reverse shell traffic
  • BAs covert TCP traffic
  • CAs ping traffic
  • DAs TLS traffic

How the community answered

(42 responses)
  • A
    10% (4)
  • B
    2% (1)
  • C
    83% (35)
  • D
    5% (2)

Why each option

When TLS traffic is encapsulated inside ICMP echo/reply packets, network appliances inspect the outer protocol header and classify the traffic as ping (ICMP) traffic unless deep packet inspection is enabled.

AAs reverse shell traffic

Reverse shell traffic is characterized by outbound TCP connections carrying interactive command sessions, not ICMP packets, so appliances would not classify ICMP as a reverse shell.

BAs covert TCP traffic

Covert TCP traffic specifically abuses TCP header fields (such as ISN or urgent pointer) to hide data - it is TCP-based and unrelated to ICMP tunneling.

CAs ping trafficCorrect

ICMP tunneling works by embedding arbitrary payloads - in this case TLS data - inside the data field of ICMP echo request and reply packets. Standard firewalls, routers, and IDS devices make forwarding and classification decisions based on the outer IP/ICMP headers, so they see only legitimate ping traffic. Without deep payload inspection, the encapsulated TLS content is invisible to the appliance.

DAs TLS traffic

Network appliances see the outermost protocol, which is ICMP - not TLS - unless they perform deep packet inspection that decodes the ICMP payload.

Concept tested: ICMP tunneling and protocol encapsulation evasion

Source: https://www.ietf.org/rfc/rfc792.txt

Topics

#ICMP tunneling#covert channel#traffic obfuscation#protocol encapsulation

Community Discussion

No community discussion yet for this question.

Full GCIH Practice