[SOLVED] Router firewall ICMP risks and threats?

[Oblivion77]

Hello everyone

I have found out, that my Router firewall has never blocked ICMP traffic.

There is a lot of opinions online regarding ICMP, and whether it should be disabled or limited.

So far I have found out, that it can exploited to monitor network traffic / I/O traffic (man-in-the-middle).
It can also be exploited to carry and infect a PC system with malware.

My questions / worries are:

1.
If someone monitored my network traffic using ICMP, would HTTPS traffic then still be encrypted / unreadable?

2.
Would my Windows Defender firewall block an attack / attempted malware infection via ICMP?

3.
Would Malwarebytes (example) scan detect, if my PC system had been infected by malware via ICMP?

4. Are there other ways someone can access my PC system using ICMP, besides via malware infection?

Thanks in advance for your answers
And happy weekend!

Best regards

 

[SamirD]

You don't want to turn off ICMP--there is no way for packets to properly fragment without being able to ping.

1. The only thing you can monitor about a site with ICMP is if it is up or down. Traffic is completely unaffected by ICMP.

2. You can't get malware from ICMP.

3. See #2.

4. There is no way to access a device using ICMP.

 

[Oblivion77]

You don't want to turn off ICMP--there is no way for packets to properly fragment without being able to ping.

1. The only thing you can monitor about a site with ICMP is if it is up or down. Traffic is completely unaffected by ICMP.

2. You can't get malware from ICMP.

3. See #2.

4. There is no way to access a device using ICMP.

Thank you for your reply

This is the article from where I got my info, and from there my questions / worries began

Understanding ICMP: The Most Used Protocol in Networking | Infosec

Dive into the world of ICMP attacks, the most used protocol in networking technology. Learn about ICMP packet formats and attack types.

resources.infosecinstitute.com

Regarding using ICMP with malware:

New Windows 'Pingback' malware uses ICMP for covert communication

Today, Trustwave researchers have disclosed their findings on a novel Windows malware sample that uses Internet Control Message Protocol (ICMP) for its command-and-control (C2) activities. Dubbed "Pingback," this malware targets Windows 64-bit systems, and uses DLL Hijacking to gain persistence.

www.bleepingcomputer.com

And

https://thehackernews.com/2021/05/new-pingback-malware-using-icmp.html

 

[USAFRet]

This is the article from where I got my info, and from there my questions / worries began

The text in that article is pretty standard in any cybersecurity class.

The question is....did you understand what it said, past the word "attack".

If you system were to be infected with a backdoor trojan or similar, then this ICMP transport mechanism might be one of the methods used to further the data transmittal.

BUT....that would require your system to be infected in the first place. Or another system on your house LAN is infected.
It can't just happen randomly.

And if were thusly infected, there are a LOT of different transport mechanisms.

 

[kanewolf]

Thank you for your reply

This is the article from where I got my info, and from there my questions / worries began

Understanding ICMP: The Most Used Protocol in Networking | Infosec

Dive into the world of ICMP attacks, the most used protocol in networking technology. Learn about ICMP packet formats and attack types.

resources.infosecinstitute.com

^^ What he said. The things addressed in that article assume you are already compromised.
The tunneling allows a compromised device to elude firewall OUTBOUND protocol prohibitions.
Your LAN is protected, primarily not by the firewall rules in your router, but by the network address translation (NAT) layer.
For example, if your IP camera was compromised, then the tactics in the article could help someone. BUT NOBODY CARES about home networks. They just don't have enough pay to offset the cost. Why go to all these covert methods when they can send you (or your kids or spouse or mother) a phishing e-mail and get them to volunteer the info that is desired.

 

[Oblivion77]

The text in that article is pretty standard in any cybersecurity class.

The question is....did you understand what it said, past the word "attack".

If you system were to be infected with a backdoor trojan or similar, then this ICMP transport mechanism might be one of the methods used to further the data transmittal.

BUT....that would require your system to be infected in the first place. Or another system on your house LAN is infected.
It can't just happen randomly.

And if were thusly infected, there are a LOT of different transport mechanisms.

1.
If someone monitored my network traffic using ICMP, would HTTPS traffic then still be encrypted / unreadable?
Monitoring my network, does not require malware etc. infection, right?

And the rest of my questions still stands:
2.
Would my Windows Defender firewall block an attack / attempted malware infection via ICMP?

3.
Would Malwarebytes (example) scan detect, if my PC system had been infected by malware via ICMP?

4.
Are there other ways someone can access my PC system using ICMP, besides via malware infection?

I am sorry, I didn't link all the correct articles / links:

New Windows 'Pingback' malware uses ICMP for covert communication

Today, Trustwave researchers have disclosed their findings on a novel Windows malware sample that uses Internet Control Message Protocol (ICMP) for its command-and-control (C2) activities. Dubbed "Pingback," this malware targets Windows 64-bit systems, and uses DLL Hijacking to gain persistence.

www.bleepingcomputer.com

And
https://thehackernews.com/2021/05/new-pingback-malware-using-icmp.html

 

[USAFRet]

I am sorry, I didn't link all the correct articles / links:

Again, those are assuming your system is already infected, via some other means.

 

[Oblivion77]

Again, those are assuming your system is already infected, via some other means.

I read / understood it as:
The ICMP traffic is being used to infect the PC system

But in reality, the ICMP traffic is sending the data to the "hacker", after the "hacker" has first infected the PC system by other means?

 

[SamirD]

I read / understood it as:
The ICMP traffic is being used to infect the PC system

But in reality, the ICMP traffic is sending the data to the "hacker", after the "hacker" has first infected the PC system by other means?

If the system is already infected, they can send info by any means, not just ICMP.

 

[USAFRet]

I read / understood it as:
The ICMP traffic is being used to infect the PC system

But in reality, the ICMP traffic is sending the data to the "hacker", after the "hacker" has first infected the PC system by other means?

"The malicious file in question is a mere 66-KB DLL called oci.dll, and is typically dropped within Windows "System" folder by another malicious process or attack vector. "


"But, where does the malicious oci.dll come from?

While the initial entry vector is still being investigated, the researchers suspect that another malware sample, updata.exe is behind both dropping the malicious oci.dll in the Windows "System" folder and configuring msdtc to run on every startup."

 

[Oblivion77]

If the system is already infected, they can send info by any means, not just ICMP.

I knew that / asummed so

But now, I am onlu focused on ICMP

 

[Oblivion77]

"The malicious file in question is a mere 66-KB DLL called oci.dll, and is typically dropped within Windows "System" folder by another malicious process or attack vector. "


"But, where does the malicious oci.dll come from?

While the initial entry vector is still being investigated, the researchers suspect that another malware sample, updata.exe is behind both dropping the malicious oci.dll in the Windows "System" folder and configuring msdtc to run on every startup."

So ICMP can't be used to infect a system, only transfer data after the infection?

 

[bill001g]

Why do you want to focus on ICMP. This is almost a worthless article.

It and you are ignoring the number 1 factor.

The NAT function in your router prevents any traffic from reaching any machine in your house unless your machine first talked to that location.

So this is pretty much end of this discussion. Does not matter if it is ICMP or tcp or http or whatever. Nothing happens until the internal machine somehow makes the first contact. After that it doesn't really matter what protocol is used to transfer the data. It would actually be much better to use HTTPS because then the traffic is encrypted and no firewall can see what is going on.

 

[USAFRet]

So ICMP can't be used to infect a system, only transfer data after the infection?

Correct.

 

[USAFRet]

I knew that / asummed so

But now, I am onlu focused on ICMP

That is like worrying about what a burglar will use to carry the stuff out of your house - a plastic garbage bag or a backpack.

The backpack did not grant him entry.

 

[Oblivion77]

The NAT function in your router prevents any traffic from reaching any machine in your house unless your machine first talked to that location.

How can I make sure, that NAT function is enabled / ON?

 

[bill001g]

Just having a router does that.

The whole purpose of a router is to share one IP you get from your ISP with mulitple machines. That is done via NAT and also why it works as a firewall. The router has no idea which of your internal devices to send attacking traffic to so it just drops it.