Jump to content

ICMP Hidden Channel


Recommended Posts

  • Administrators

Please make sure that detection of covert data in ICMP is disabled in Endpoint (it is off by default):

image.png

Some applications may utilize ICMP in a non-standard way which is then reported.

Link to comment
Share on other sites

The source and target IP addresses all fall in the IANA private address range, 172.16.0.0 - 172.31.255.255. IP addresses in this range are not externally route-able. In other words, the ICMP Hidden traffic Eset is detecting is originating from and being directed to IP addresses within your local network. If you are using this private address range internally, you will most likely have to create an Eset IDS exception rule to exclude this address range from ICMP hidden channel detection.

Ref.: https://whatismyipaddress.com/private-ip

Edited by itman
Link to comment
Share on other sites

I will also add that this ICMP hidden channel activity needs to be examined in detail to determine the source of the ICMP activity. Whereas the source could be benign legitimate activity, it could also be the result of malicious activity as noted here: https://zeltser.com/reverse-icmp-shell/

For example, malware on the server or a device on the local network could be using ICMP hidden channel methods to gain access to other devices on the network. An example of such malware is Loki: https://resources.infosecinstitute.com/icmp-attacks/

 

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...