topic Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload. in General Topics

[ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

hibagus — Mon, 06 May 2019 00:20:17 GMT

Dear all,

I am using PA-8.0.0-ESXi virtual machine and I am trying to prevent covert channel communication using ICMP Payload.

For example, as captured using Wireshark, the default ICMP type 8 (Echo request) for Windows machine is abcdefghijklmnopqrstuvwabcdefghi or \x 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 x\ in hexadecimal. I only want to allow ICMP packet that has a specific payload pattern to go through the firewall. Therefore, other ICMP packet that has random payload value will be blocked.

Is there any way to do that on Palo Alto Firewall? I have tried to define custom applications with signature but I cannot get it working. I think I am missing something.

Any help would be appreciated.

Thank you,

Sincerely,

Bagus Hanindhito

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

OtakarKlier — Tue, 07 May 2019 18:58:36 GMT

Hello,

So are you saying when you created a security policy that allowed 'ping', that policy also allowed data to be exfiltrated?

Please advise,

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

hibagus — Tue, 07 May 2019 19:04:27 GMT

What I mean is that the ping packet can contain a payload which can be set randomly. If we allow the ping to pass the firewall, someone can use the payload part of the ping packet to transfer the data in a covert channel. From outside, it is just an ordinary ping packet but with a payload that is designed to silently establish a communication channel with the outside world.

Therefore, I would like to keep the ping pass the firewall with an exception. If the payload does not match the standard payload for Windows ping or Unix ping, then the ping packet will not be able to go through the firewall. If the payload matches the standard payload, then it can go through the firewall.

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

OtakarKlier — Tue, 07 May 2019 20:51:22 GMT

Hello,

The PAN knows what the ping packet should look like. If it doesnt match the criteria, it wont be classified as ping and the security policy wont apply. Hopefully you have a eny all policy at the bottom to deny all other traffic.

Regards,

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

hibagus — Tue, 07 May 2019 21:08:43 GMT

Look at two ping packets below.

1. This ping packet is generated on Windows by typing ping google.com in command prompt. Please pay attention to the Data (32 bytes) highlighted below.

2. This ping packet is generated on Ubuntu by typing ping google.com in bash shell. Please pay attention to the Data (48 bytes) highlighted below.

Both are valid ping packets and by default will be allowed to get through by the firewall although they have different data inside the packet.

My question is, how do I allow only the first type of Ping (i.e., Windows Ping) and block the second type of Ping (i.e., Ubuntu Ping)?

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

OtakarKlier — Tue, 07 May 2019 21:11:37 GMT

Hello,

In this case you might want to create a custom application for the Ubuntu ping and then use a security policy to deny it. However I think ping is a RFC standard so it might generate false postives/negatives? Also just a a security think, I never allow ping outbound or inbound, but thats just me.

Regards,

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

hibagus — Tue, 07 May 2019 21:44:10 GMT

Okay, so firstly I block all of the ping application on my rule.

Then, I define new custom application as follows. I only want the Windows Ping to get through the firewall thus the pattern should be the same as Windows Ping data payload (in hexadecimal).

Then, I added the new application to my rule.

After committing, I see that both Windows ping and Ubuntu ping can still get through. I want to only allow the Windows ping.

Do I set the signature incorrectly for the new apps?

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

Remo — Tue, 07 May 2019 21:44:13 GMT

The best actually is as mentionned by @OtakarKlier : do not allow pings outbound. PaloAlto will identify the ping propery but the App-ID does not care what is inside the ping packet.

With a "harmless" ping it is not even possible to exfiltrate data, there is also software available that allows you to create a VPN connection over the icmp protocol.

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

hibagus — Tue, 07 May 2019 21:52:29 GMT

I wish I could just block all of ping. But sadly, I cannot.

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

OtakarKlier — Tue, 07 May 2019 21:54:00 GMT

What about just from certain sources? i.e. IP address's or ranges? Perhaps just AD groups (if you use those)?

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

Remo — Tue, 07 May 2019 21:59:14 GMT

@hibagus wrote:
I wish I could just block all of ping. But sadly, I cannot.

For what do you need the pings exactly? Maybe for some super-admins who blame you with a not properly working firewall/network when they are not able to ping whatever they want in the internet? Would it be possible that you allow some specific "trusted" destinations (destinations where you know that they don't do anything else than simply replying to the ping)?

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

hibagus — Wed, 08 May 2019 16:34:16 GMT

I am currently doing research on modeling security threats that uses ICMP to establish a covert communication channel.

I wish that I can use the deep packet inspection on the Palo Alto Firewall to inspect the ICMP packet.

Any help to define new application signature will be appreciated.

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

Remo — Wed, 08 May 2019 22:21:24 GMT

@hibagus

Unfortunately what you're asking for is not possible. The signatures you can create do not allow you to do a pattern match on icmp-payloads - the decoder probably only checks icmp type and code and nothing else.

The only thing you can do so far is to create a feature request...

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

hibagus — Wed, 08 May 2019 22:36:39 GMT

Thanks for replying.

One more question regarding this topic.

There is an application in Palo Alto Firewall called ping-tunnel as an addition to ping.

I have tried to read the documentation of the ping-tunnel and indeed it uses ICMP for tunneling.

How does the firewall differentiate the original ping and the ping-tunnel?

Maybe it is a good starting point for me.

Thanks.

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

Remo — Thu, 09 May 2019 13:55:41 GMT

Ho @hibagus

Only paloalto knows how this is done 😛

But I found something which may be useful for you: you cannot create an app to identify linux/windows pings, but you can create an app that checks the length of the ping payload. So maybe it works if you specify a length of 0 (<1) and allow only that. This way not the default pings are allowed but you could make sure that there is no data sent put of your network.

Re: [ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

JarerkZajac — Mon, 16 Jan 2023 00:17:19 GMT

Hi,

have you received any answer/solution for your problem?

Best

Jarek