[ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

cancel
Showing results for 
Search instead for 
Did you mean: 

[ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

L2 Linker

Dear all,

 

I am using PA-8.0.0-ESXi virtual machine and I am trying to prevent covert channel communication using ICMP Payload.

 

For example, as captured using Wireshark, the default ICMP type 8 (Echo request) for Windows machine is abcdefghijklmnopqrstuvwabcdefghi or \x 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 x\ in hexadecimal. I only want to allow ICMP packet that has a specific payload pattern to go through the firewall. Therefore, other ICMP packet that has random payload value will be blocked.

 

Is there any way to do that on Palo Alto Firewall? I have tried to define custom applications with signature but I cannot get it working. I think I am missing something.

 

Any help would be appreciated.

 

Thank you,

Sincerely,

Bagus Hanindhito

14 REPLIES 14


@hibagus wrote:

I wish I could just block all of ping. But sadly, I cannot.


For what do you need the pings exactly? Maybe for some super-admins who blame you with a not properly working firewall/network when they are not able to ping whatever they want in the internet? Would it be possible that you allow some specific "trusted" destinations (destinations where you know that they don't do anything else than simply replying to the ping)?

I am currently doing research on modeling security threats that uses ICMP to establish a covert communication channel.

I wish that I can use the deep packet inspection on the Palo Alto Firewall to inspect the ICMP packet.

Any help to define new application signature will be appreciated.

@hibagus 

Unfortunately what you're asking for is not possible. The signatures you can create do not allow you to do a pattern match on icmp-payloads - the decoder probably only checks icmp type and code and nothing else.

The only thing you can do so far is to create a feature request...

Thanks for replying.

 

One more question regarding this topic.

There is an application in Palo Alto Firewall called ping-tunnel as an addition to ping.

I have tried to read the documentation of the ping-tunnel and indeed it uses ICMP for tunneling.

How does the firewall differentiate the original ping and the ping-tunnel?

Maybe it is a good starting point for me.

 

Thanks.

 

Ho @hibagus 

 

Only paloalto knows how this is done 😛

But I found something which may be useful for you: you cannot create an app to identify linux/windows pings, but you can create an app that checks the length of the ping payload. So maybe it works if you specify a length of 0 (<1) and allow only that. This way not the default pings are allowed but you could make sure that there is no data sent put of your network.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!