[SOLVED] Router firewall ICMP risks and threats?

Oblivion77

Honorable
Jul 6, 2018
238
2
10,585
Hello everyone

I have found out that my router firewall has never blocked ICMP traffic.

There are a lot of opinions online regarding ICMP, and whether it should be disabled or limited.

So far I have found out that it can be exploited to monitor network traffic / I/O traffic (man-in-the-middle).
It can also be exploited to carry and infect a PC system with malware.

My questions / worries are:

1.
If someone monitored my network traffic using ICMP, would HTTPS traffic then still be encrypted / unreadable?

2.
Would my Windows Defender firewall block an attack / attempted malware infection via ICMP?

3.
Would Malwarebytes (example) scan detect if my PC system had been infected by malware via ICMP?

4. Are there other ways someone can access my PC system using ICMP, besides via malware infection?

Thanks in advance for your answers
And happy weekend!

Best regards
 
Solution
Why do you want to focus on ICMP? This is almost a worthless article.

It and you are ignoring the number 1 factor.

The NAT function in your router prevents any traffic from reaching any machine in your house unless your machine first talked to that location.

So this is pretty much the end of this discussion. Does not matter if it is ICMP or TCP or HTTP or whatever. Nothing happens until the internal machine somehow makes the first contact. After that it doesn't really matter what protocol is used to transfer the data. It would actually be much better to use HTTPS because then the traffic is encrypted and no firewall can see what is going on.
You don't want to turn off ICMP--there is no way for packets to properly fragment without being able to ping.

1. The only thing you can monitor about a site with ICMP is if it is up or down. Traffic is completely unaffected by ICMP.

2. You can't get malware from ICMP.

3. See #2.

4. There is no way to access a device using ICMP.
 

Oblivion77

You don't want to turn off ICMP--there is no way for packets to properly fragment without being able to ping.

1. The only thing you can monitor about a site with ICMP is if it is up or down. Traffic is completely unaffected by ICMP.

2. You can't get malware from ICMP.

3. See #2.

4. There is no way to access a device using ICMP.

Thank you for your reply

This is the article from where I got my info, and from there my questions / worries began


Regarding using ICMP with malware:

And

https://thehackernews.com/2021/05/new-pingback-malware-using-icmp.html
 

USAFRet

Titan
Moderator
This is the article from where I got my info, and from there my questions / worries began
The text in that article is pretty standard in any cybersecurity class.

The question is....did you understand what it said, past the word "attack"?

If your system were to be infected with a backdoor trojan or similar, then this ICMP transport mechanism might be one of the methods used to further the data transmittal.

BUT....that would require your system to be infected in the first place. Or another system on your house LAN is infected.
It can't just happen randomly.

And if it were thusly infected, there are a LOT of different transport mechanisms.
 

kanewolf

Titan
Moderator
Thank you for your reply

This is the article from where I got my info, and from there my questions / worries began

^^ What he said. The things addressed in that article assume you are already compromised.
The tunneling allows a compromised device to elude firewall OUTBOUND protocol prohibitions.
Your LAN is protected, primarily not by the firewall rules in your router, but by the network address translation (NAT) layer.
For example, if your IP camera was compromised, then the tactics in the article could help someone. BUT NOBODY CARES about home networks. They just don't have enough payoff to offset the cost. Why go to all these covert methods when they can send you (or your kids or spouse or mother) a phishing e-mail and get them to volunteer the info that is desired?
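USAFRet's and kanewolf's replies both describe ICMP as a transport an already-compromised host uses to move data past outbound firewall rules. As an added example that is not from this thread or the linked article, here is a small Python detector that parses IPv4/ICMP frames and flags echo traffic with oversized or high-entropy payloads, or unusual volume per source; the allowlisted ping padding patterns, the thresholds, and the sample traffic are my own assumptions, constructed for the demonstration.

```python
import math
import struct
from collections import Counter

# Allowlisted ping padding (assumed): Windows ping sends this 32-byte alphabet;
# iputils ping (Linux) sends a 16-byte timestamp then ascending bytes 0x10, 0x11, ...
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; encrypted or compressed data approaches 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0
def looks_like_iputils(payload: bytes) -> bool:
    tail = payload[16:]
    return len(payload) >= 16 and tail == bytes((0x10 + i) & 0xFF for i in range(len(tail)))
def parse_icmp(packet: bytes):
    """Split an IPv4 datagram into (src, dst, icmp_type, payload); None if not ICMP."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:  # protocol 1 = ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    src, dst = (".".join(map(str, packet[i:i + 4])) for i in (12, 16))
    icmp = packet[ihl:]
    return src, dst, icmp[0], icmp[8:]  # echo payload follows the 8-byte ICMP header
def analyze(packets, max_len=64, max_entropy=6.0, max_per_src=20):
    """Return {src: {reasons}} for hosts whose echo traffic looks like a covert channel."""
    findings, counts = {}, Counter()
    for pkt in packets:
        parsed = parse_icmp(pkt)
        if parsed is None or parsed[2] not in (0, 8):  # echo reply / echo request only
            continue
        src, _, _, payload = parsed
        counts[src] += 1
        if payload == WINDOWS_PAYLOAD or looks_like_iputils(payload):
            continue  # ordinary ping padding, nothing to report
        if len(payload) > max_len:
            findings.setdefault(src, set()).add(f"oversized payload ({len(payload)} bytes)")
        if shannon_entropy(payload) > max_entropy:
            findings.setdefault(src, set()).add("high-entropy payload")
    for src, n in counts.items():  # sustained volume is the other tunnel tell-tale
        if n > max_per_src:
            findings.setdefault(src, set()).add(f"{n} echo packets in window")
    return findings
def build_echo(src, dst, payload, icmp_type=8):
    # Constructed sample frame: IPv4 + ICMP echo headers, checksums left at zero.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
# Constructed traffic: two ordinary pingers plus one host streaming 120-byte opaque replies.
SAMPLE = ([build_echo("192.168.1.10", "8.8.8.8", WINDOWS_PAYLOAD)] * 3
          + [build_echo("192.168.1.11", "1.1.1.1", bytes(16) + bytes(range(0x10, 0x38)))]
          + [build_echo("192.168.1.50", "203.0.113.7",
                        bytes((i * 37 + 11) & 0xFF for i in range(120)), 0)] * 25)
```

Running `analyze(SAMPLE)` reports only 192.168.1.50, for all three reasons; on a real capture the same checks apply to the raw IP payload of each frame.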
 

Oblivion77

The text in that article is pretty standard in any cybersecurity class.

The question is....did you understand what it said, past the word "attack"?

If your system were to be infected with a backdoor trojan or similar, then this ICMP transport mechanism might be one of the methods used to further the data transmittal.

BUT....that would require your system to be infected in the first place. Or another system on your house LAN is infected.
It can't just happen randomly.

And if it were thusly infected, there are a LOT of different transport mechanisms.

1.
If someone monitored my network traffic using ICMP, would HTTPS traffic then still be encrypted / unreadable?
Monitoring my network does not require malware etc. infection, right?

And the rest of my questions still stand:
2.
Would my Windows Defender firewall block an attack / attempted malware infection via ICMP?

3.
Would Malwarebytes (example) scan detect if my PC system had been infected by malware via ICMP?

4.
Are there other ways someone can access my PC system using ICMP, besides via malware infection?

I am sorry, I didn't link all the correct articles / links:
And
https://thehackernews.com/2021/05/new-pingback-malware-using-icmp.html
 

USAFRet

Titan
Moderator
I read / understood it as:
The ICMP traffic is being used to infect the PC system

But in reality, the ICMP traffic is sending the data to the "hacker", after the "hacker" has first infected the PC system by other means?
"The malicious file in question is a mere 66-KB DLL called oci.dll, and is typically dropped within Windows "System" folder by another malicious process or attack vector. "


"But, where does the malicious oci.dll come from?

While the initial entry vector is still being investigated, the researchers suspect that another malware sample, updata.exe is behind both dropping the malicious oci.dll in the Windows "System" folder and configuring msdtc to run on every startup."
 

Oblivion77

"The malicious file in question is a mere 66-KB DLL called oci.dll, and is typically dropped within Windows "System" folder by another malicious process or attack vector. "


"But, where does the malicious oci.dll come from?

While the initial entry vector is still being investigated, the researchers suspect that another malware sample, updata.exe is behind both dropping the malicious oci.dll in the Windows "System" folder and configuring msdtc to run on every startup."

So ICMP can't be used to infect a system, only transfer data after the infection?
 