GCIH · Question #514
Which of the following is an effective method of detecting a covert communication tunnel such as ptunnel?
The correct answer is C. Restricting ICMP port unreachables with a non-zero payload. ICMP port unreachable messages carrying a non-zero payload beyond their RFC-specified structure are definitively anomalous, making them a high-precision indicator of ICMP-based covert tunneling.
Question
Which of the following is an effective method of detecting a covert communication tunnel such as ptunnel?
Options
- ARejecting incoming UDP packets with source port < 1024
- BCapturing outgoing HTTP traffic at unusual times
- CRestricting ICMP port unreachables with a non-zero payload
- DDetecting ICMP packets with uncommon payloads
How the community answered
(22 responses)- A9% (2)
- B23% (5)
- C64% (14)
- D5% (1)
Why each option
ICMP port unreachable messages carrying a non-zero payload beyond their RFC-specified structure are definitively anomalous, making them a high-precision indicator of ICMP-based covert tunneling.
Rejecting incoming UDP packets with source port below 1024 is a generic port-filtering measure targeting well-known service ports and has no relationship to ICMP-based tunneling protocols.
Monitoring HTTP traffic at unusual hours targets exfiltration over HTTP/HTTPS at the application layer and would not detect a tunnel operating at the ICMP network layer.
Per RFC 792, ICMP error messages such as port unreachables (Type 3) must contain only the original IP header plus the first 8 bytes of the offending datagram - no additional payload is permitted. When a covert tunneling tool embeds arbitrary data into these messages, the result is an RFC violation that produces a non-zero unexpected payload, which is unambiguous and generates minimal false positives. Detecting or restricting these packets provides a precise method for identifying the covert channel.
Detecting ICMP packets with 'uncommon' payloads is too imprecise because normal ICMP echo requests and replies legitimately carry variable-length payloads, producing excessive false positives and making reliable detection impractical.
Concept tested: ICMP covert tunnel detection via RFC protocol violation
Source: https://www.rfc-editor.org/rfc/rfc792
Topics
Community Discussion
No community discussion yet for this question.