I've come across ICMP tunneling only a handful of times, but this was the first time I had seen it used as part of a VPN client. The VPN client was SoftEther VPN and, in addition to SSL VPN, it can also perform ICMP and DNS tunneling. During a recent hunting engagement, I had the opportunity to identify and create content to detect this activity.
Let's have a look.
I drilled into ICMP traffic (ip.proto = 1) and then looked at Session Characteristics (analysis.session). This led me to the meta 'icmp large session'. Previously, I had created meta to flag sessions that carried 'session.split' meta. session.split is populated when a session is either very large or very long; you can find more about it in a previous post I wrote here. One simple way to identify when session.split exists is to write an application rule.
As we look at the sessions associated with this activity, we see the following:
The data called out above covers the transmitted bytes (requestpayload) and received bytes (responsepayload), as well as the payload size and overall size of the session. If you've ever looked at ICMP traffic before, it's typically small. This is not small.
Furthermore, this does not look like typical ICMP traffic as shown below:
With RSA NetWitness Packets, we have an opportunity to describe our network traffic pretty effectively. When I saw this traffic, I wanted to improve some of the meta I had for describing session size. The rule below will let me know if a session is greater than 1mb.
Now, circling back to the ICMP tunneling, we can do this with another application rule.
By taking these steps, I am now better equipped at identifying ICMP tunneling when I observe it.
name="session split" rule="session.split exists" alert=analysis.session type=application
name="session size greater than 1mb" rule="streams=2 && size=1024000 -u" alert=analysis.session type=application
name=possible_icmp_tunneling rule="ip.proto=1 && session.split exists && analysis.session = 'icmp large session' && analysis.session = 'session size greater than 1mb'" alert=ioc type=application
Note that the 'session split' and 'session size greater than 1mb' rules must sit before the 'possible_icmp_tunneling' rule, because that rule matches on the analysis.session meta the first two generate. Order is important.
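To make the ordering point concrete, here is a small Python model of that three-rule pipeline run over a few constructed session records. This is an added example, not NetWitness code or anything from the original post: it assumes each rule is a predicate that appends its name to the alert meta key named in the rule, and that later rules see the meta written by earlier ones, which is exactly why reversing the list makes the tunneling rule stop firing. The meta key names (ip.proto, session.split, streams, size, analysis.session, ioc) mirror the rules above; the session records are made up.

```python
# Added example: an ordered application-rule pipeline modelled on the three
# NetWitness rules in the post, applied to constructed session metadata.
# Not NetWitness code; the session records below are constructed, not captures.

from typing import Callable, Dict, List, Tuple

Session = Dict[str, object]


# Rule predicates. Each receives the session *including meta added by rules
# that ran earlier*, which is what makes ordering matter.
def _session_split(s: Session) -> bool:
    # rule="session.split exists"
    return "session.split" in s


def _size_gt_1mb(s: Session) -> bool:
    # rule="streams=2 && size=1024000 -u": '-u' means upper bound unbounded,
    # so this is size >= 1024000 bytes on a two-stream session
    return s.get("streams") == 2 and int(s.get("size", 0)) >= 1024000


def _possible_icmp_tunneling(s: Session) -> bool:
    # Matches on analysis.session values written by the two rules above
    analysis = s.get("analysis.session", [])
    return (
        s.get("ip.proto") == 1
        and "session.split" in s
        and "icmp large session" in analysis
        and "session size greater than 1mb" in analysis
    )


# (rule name, alert meta key, predicate), in the order the post requires
RULES: List[Tuple[str, str, Callable[[Session], bool]]] = [
    ("session split", "analysis.session", _session_split),
    ("session size greater than 1mb", "analysis.session", _size_gt_1mb),
    ("possible_icmp_tunneling", "ioc", _possible_icmp_tunneling),
]


def apply_rules(session: Session, rules=RULES) -> Session:
    """Return a copy of the session with alert meta appended in rule order."""
    s = dict(session)
    # alert keys are multi-valued; copy the lists so the input is not mutated
    for key in ("analysis.session", "ioc"):
        s[key] = list(s.get(key, []))
    for name, alert_key, pred in rules:
        if pred(s):
            s[alert_key].append(name)
    return s


def flagged_sessions(sessions: List[Session], rules=RULES) -> List[str]:
    """Session ids whose ioc meta ends up containing possible_icmp_tunneling."""
    return [
        str(s["sessionid"])
        for s in (apply_rules(x, rules) for x in sessions)
        if "possible_icmp_tunneling" in s["ioc"]
    ]


# Constructed sample sessions (hypothetical values, not real traffic).
# 'icmp large session' stands in for the parser-generated meta seen in the post.
SAMPLE_SESSIONS: List[Session] = [
    # 1: tunnel-like: ICMP, split, two streams, several MB
    {"sessionid": 1, "ip.proto": 1, "session.split": 3, "streams": 2,
     "size": 4_500_000, "analysis.session": ["icmp large session"]},
    # 2: ordinary ping: ICMP but tiny and never split
    {"sessionid": 2, "ip.proto": 1, "streams": 2, "size": 196,
     "analysis.session": []},
    # 3: large TCP download: big and split, but not ICMP
    {"sessionid": 3, "ip.proto": 6, "session.split": 1, "streams": 2,
     "size": 9_000_000, "analysis.session": []},
    # 4: ICMP with the large-session tag, but one stream and under 1mb
    {"sessionid": 4, "ip.proto": 1, "session.split": 1, "streams": 1,
     "size": 900_000, "analysis.session": ["icmp large session"]},
]

if __name__ == "__main__":
    print(flagged_sessions(SAMPLE_SESSIONS))                        # ['1']
    print(flagged_sessions(SAMPLE_SESSIONS, list(reversed(RULES))))  # []
```

Only session 1 is flagged with the rules in the post's order; with the list reversed, the tunneling rule runs before the two feeder rules have written their analysis.session values and nothing is flagged, which is the mis-ordering mistake the note above warns about.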
I'll try to get some DNS tunneling created with this SoftEther VPN client soon.
Good luck and happy hunting.