ICMP Tunneling
Covert channel technique encapsulating data within ICMP echo packets to bypass network monitoring and establish hidden C2 communications.
ICMP tunneling encapsulates arbitrary data within ICMP echo request and reply packets to create a covert communication channel. The technique works because many network environments permit ICMP echo through the perimeter for diagnostics (ping, reachability checks) while never inspecting the payload for signs of data exfiltration or command-and-control activity.
An ICMP echo packet is an 8-byte header (type, code, checksum, identifier, sequence number) followed by a variable-length data field. During a legitimate ping that field holds predictable filler: Linux ping sends an 8-byte timestamp followed by an incrementing byte pattern (56 bytes by default), and Windows ping sends a fixed alphabet string (32 bytes by default). Tunneling tools replace this filler with encoded command-and-control data or exfiltrated information, and some also smuggle bytes through the identifier and sequence fields. Because perimeter firewalls and NAT devices rarely accept unsolicited inbound echo requests but do pass the reply to a request that went out, the compromised host normally initiates: it sends echo requests carrying encoded output or stolen data to the attacker's server, which answers with echo replies carrying new instructions. That reply is itself a protocol violation, since RFC 792 requires an echo reply to return the request's data unchanged. Tools such as ptunnel (a TCP-over-ICMP proxy), icmpsh (an ICMP reverse shell) and Hans (IP-over-ICMP) build reliable bidirectional channels this way; ptunnel and Hans layer TCP or full IP over the tunnel, effectively creating TCP connections through ping traffic. More careful implementations pace their packets at ping-like intervals and keep payloads near the default sizes to blend in with real diagnostic traffic.
ICMP tunneling succeeds because many firewalls and network monitoring tools treat ICMP as benign diagnostic traffic. An organization that permits outbound ICMP without payload inspection has an exfiltration channel its monitoring never sees. Bandwidth is limited, since each packet carries at most about 1.4 KB of payload without IP fragmentation and a stealthy tunnel sends far less, but that is ample for command-and-control communications and gradual data theft that can persist undetected for extended periods.
CDA covers ICMP tunneling within the TID domain as part of understanding covert channel techniques. Theater missions include exercises in detecting ICMP tunnels through payload size analysis (requests whose data length is not one of the usual ping defaults), frequency monitoring (echo bursts far above the one-per-second cadence of a real ping), and protocol anomaly detection (a reply whose payload does not match the request it answers). Operators learn to implement ICMP inspection policies that balance operational diagnostic needs with security requirements, for example allowing echo only from designated monitoring hosts and capping payload size and rate for everyone else, reflecting CDA's practical defense philosophy.
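The following is an added example, not code from the CDA article or from ptunnel, icmpsh or Hans. It puts both halves of the discussion above into working code: a tunnel side that chunks a record into echo-request payloads (using the sequence number as chunk index) and reassembles them, and a detector that applies the three checks named for the Theater missions: unusual payload size, high request rate, and a reply whose payload differs from its request. All packets, hosts (10.0.0.5, 10.0.0.7, 203.0.113.9) and the exfiltrated record are constructed in memory; nothing is sent on the wire, and the Linux ping payload is an approximation of the real pattern.

```python
# Added example: in-memory ICMP echo builder/parser, a toy tunnel, and a
# detector for the checks the article names. Hosts, packets and the
# "secret" record are constructed for the demo; nothing touches a socket.
import struct
from collections import defaultdict

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
DEFAULT_PING_SIZES = (32, 56)   # Windows and Linux ping payload defaults


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialise an echo request/reply: type, code, checksum, id, seq, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes) -> dict:
    """Parse the 8-byte header; a wrong checksum (corrupt input) is rejected."""
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "id": ident, "seq": seq, "payload": pkt[8:]}


def linux_ping_payload(size: int = 56) -> bytes:
    """Approximation of Linux ping data: 8-byte timestamp, then 0x10, 0x11, ..."""
    return b"\x00" * 8 + bytes(range(0x10, 0x10 + size - 8))


def tunnel_requests(data: bytes, ident: int = 0xBEEF, chunk: int = 64) -> list:
    """Implant side: split data into echo-request payloads, seq = chunk index."""
    return [build_echo(ICMP_ECHO_REQUEST, ident, i, data[o:o + chunk])
            for i, o in enumerate(range(0, len(data), chunk))]


def tunnel_reassemble(pkts: list) -> bytes:
    """C2 side: order received requests by seq and concatenate their payloads."""
    parsed = sorted((parse_echo(p) for p in pkts), key=lambda p: p["seq"])
    return b"".join(p["payload"] for p in parsed)


def detect_icmp_tunnel(events: list, max_rps: int = 2,
                       normal_sizes: tuple = DEFAULT_PING_SIZES) -> dict:
    """events: (time_s, src, dst, raw_icmp). Returns {internal_host: set(alert)}.
    RFC 792 says a reply returns the request's data unchanged, so a reply that
    carries different bytes is the attacker's server pushing commands back."""
    alerts = defaultdict(set)
    pending = {}                    # (src, dst, id, seq) -> request payload
    per_second = defaultdict(int)   # (src, int(time)) -> request count
    for t, src, dst, raw in events:
        p = parse_echo(raw)
        if p["type"] == ICMP_ECHO_REQUEST:
            if len(p["payload"]) not in normal_sizes:
                alerts[src].add("unusual_payload_size")
            per_second[(src, int(t))] += 1
            if per_second[(src, int(t))] > max_rps:
                alerts[src].add("high_request_rate")
            pending[(src, dst, p["id"], p["seq"])] = p["payload"]
        elif p["type"] == ICMP_ECHO_REPLY:
            req = pending.pop((dst, src, p["id"], p["seq"]), None)
            if req is not None and req != p["payload"]:
                alerts[dst].add("reply_payload_mismatch")
    return dict(alerts)


def demo() -> dict:
    """Constructed traffic: 10.0.0.5 pings normally, 10.0.0.7 runs a tunnel."""
    events = []
    for i in range(5):   # one ordinary ping per second, replies echo the data
        data = linux_ping_payload()
        events.append((100.0 + i, "10.0.0.5", "8.8.8.8",
                       build_echo(ICMP_ECHO_REQUEST, 0x1234, i, data)))
        events.append((100.02 + i, "8.8.8.8", "10.0.0.5",
                       build_echo(ICMP_ECHO_REPLY, 0x1234, i, data)))
    # Tunnel: a 294-byte constructed record leaves in a 50 ms burst of
    # 64-byte chunks; the C2 server answers with a command, not an echo.
    secret = b"user=alice;hash=5f4dcc3b5aa765d61d8327deb882cf99;" * 6
    for i, req in enumerate(tunnel_requests(secret)):
        events.append((200.0 + i * 0.05, "10.0.0.7", "203.0.113.9", req))
        events.append((200.01 + i * 0.05, "203.0.113.9", "10.0.0.7",
                       build_echo(ICMP_ECHO_REPLY, 0xBEEF, i, b"cmd:ls /root")))
    assert tunnel_reassemble(tunnel_requests(secret)) == secret
    return detect_icmp_tunnel(events)


if __name__ == "__main__":
    print(demo())
```

Running the demo flags only 10.0.0.7, with all three alerts; the normal pinger trips none. The size and rate checks are heuristics that a patient tunnel can dodge by using 56-byte chunks and one packet per second, which is why the request/reply mismatch check, a hard protocol violation, is the one worth alerting on with high confidence; against a tunnel that only exfiltrates in requests and never needs replies, fall back to rate and volume per source over longer windows.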
Written by CDA Editorial