Home | @unixist | unixist@freenode

>: Data Transfer over ICMP


Many sys admins, network engineers, and even IDS/IPS systems focus their network monitoring on TCP and UDP protocols. ICMP is often overlooked, but is nearly as viable for data transfer. So I wrote a pair of programs to demonstrate the viability and relative simplicity of data transfer over the unusually-monitored protocol.

In this post I use the word “client” to refer to the sender of an ICMP echo request and “server” to refer to the receiver, the piece that responds with an ICMP echo response.

Two things about ICMP data transfer

  1. It’s possible
  2. It probably happening somewhere to exfiltrate data, tunnel other protocols, or bypass IDS/filters/ACLs/who-knows?

At the bottom of the post are client and server proofs of concept that can be used to transfer a single file. Though the code below has a minimal featureset, it is possible to incorporate compression, encryption, sophisticated detection evasion, reliable and snazzy protocols, and other stuff of which I haven’t thought.

Notes on the code

Ways to identify this type of ICMP data transfer/tunneling/shenanigans

How to use the programs to transfer a single file or any input from client to server:

  1. Start server first (optionally writes to stdout): ./server [-f <file>]
  2. Next, fire up the client (optionally reads from stdin): ./client -h <server_ip> [-f <file>]

Files: server, client
Repo: git clone https://bitbucket.org/unixist/icmpxfr.git

Note somehow I have managed to lose the most recent version of the files without committing them, so in this older version is a bug in the transfer of the hash at the end of the transmission. The bug causes mangled data to output to stderr, though, so it doesn’t affect data writes to stdout (the important piece). I’ll fix this soon.