ICMP TUNNELING
ICMP packets can carry an additional data payload, which adversaries typically abuse to exfiltrate data. Analysts can identify anomalous ICMP traffic either by filtering for packets larger than 64 bytes or by monitoring for a large volume of ICMP traffic. Additionally, analysts must be aware that adversaries can craft custom packets that match the regular ICMP packet size of 64 bytes, so packet size alone is not a reliable indicator.
root@dco:~$ wireshark
# step 1: get an overview of all ICMP traffic
Wireshark filter: icmp
# step 2: look for anomalous (oversized) ICMP packets
Wireshark filter: icmp && data.len > 64
* A normal ICMP packet is 64 bytes in size; anything larger than that could be
  a sign of tunneling.
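The two checks above (payload larger than 64 bytes, and a large ICMP volume from one host, which also catches packets padded to the normal size) as an added Python example; this is not code from the original page. The packets and the 100-packet volume threshold are constructed sample data, and the hosts 10.0.0.5, 10.0.0.9 and 203.0.113.7 are made-up addresses.

```python
import struct
from collections import Counter


def parse_ipv4_icmp(frame: bytes):
    """Return (src, dst, icmp_type, payload_len) for a raw IPv4 packet, or None if not ICMP."""
    ihl = (frame[0] & 0x0F) * 4                     # IPv4 header length in bytes
    if frame[9] != 1:                               # IP protocol number 1 == ICMP
        return None
    total_len = struct.unpack('!H', frame[2:4])[0]
    src = '.'.join(map(str, frame[12:16]))
    dst = '.'.join(map(str, frame[16:20]))
    icmp = frame[ihl:total_len]
    payload_len = len(icmp) - 8                     # bytes after the 8-byte ICMP header (Wireshark's data.len)
    return src, dst, icmp[0], payload_len


def find_anomalous_icmp(packets, max_payload=64, volume_threshold=100):
    """Flag ICMP packets carrying more than max_payload data bytes, and hosts sending many ICMP packets."""
    oversized, per_host = [], Counter()
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            continue
        src, dst, _icmp_type, payload_len = parsed
        per_host[src] += 1
        if payload_len > max_payload:
            oversized.append((src, dst, payload_len))
    chatty = sorted(h for h, n in per_host.items() if n >= volume_threshold)
    return oversized, chatty


def build_icmp_echo(src: str, dst: str, payload: bytes) -> bytes:
    """Build a raw IPv4/ICMP echo request (constructed test data; checksums left at zero)."""
    icmp = struct.pack('!BBHHH', 8, 0, 0, 0x1234, 1) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    return ip + icmp


# Constructed sample capture: an ordinary 56-byte ping, one oversized packet,
# and a burst of 64-byte packets that only stands out by volume.
SAMPLE_PACKETS = (
    [build_icmp_echo('10.0.0.5', '203.0.113.7', bytes(56))]
    + [build_icmp_echo('10.0.0.9', '203.0.113.7', b'A' * 200)]
    + [build_icmp_echo('10.0.0.9', '203.0.113.7', bytes(64)) for _ in range(120)]
)

if __name__ == '__main__':
    oversized, chatty = find_anomalous_icmp(SAMPLE_PACKETS)
    print('oversized:', oversized)   # [('10.0.0.9', '203.0.113.7', 200)]
    print('high volume:', chatty)    # ['10.0.0.9']
```

Tune the volume threshold to the baseline ICMP rate of the monitored network; a fixed value like 100 is only a starting point.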
