
I am looking for a tool that would be able to scan hosts for an ICMP tunnel server running on them, for example ptunnel.

I want to check hosts for which there are a lot of suspicious outgoing pings from my network. I want to make this check automatically (how I will implement it is another question).

Has nobody come across such a tool?

Slipeer

1 Answer


I have never faced such an issue before, but I think you can at least do something like the following. These are ideas that need to be studied further if you want to implement something.

  1. Check the sizes of incoming and outgoing ICMP packets. Normal ping packets always have the same size and are usually small (64 bytes on Linux).
  2. Check the data pattern of the ICMP packets. If they are just normal pings, the data should not change. Actual data exchange will always change (opening a connection, ack, the data itself).
  3. If you are concerned about incoming ICMP traffic, you can just block it (allow only what needs to be allowed).
Khaled
  • Thank you. Checking the size of the packets is possible, but it does not give 100% certainty that I have found a tunnel. So I'm looking for a tool to scan. "Check the data pattern of ICMP packets" - can you recommend an example of how it can be implemented? If possible, with a minimum budget. – Slipeer Nov 17 '16 at 08:29
  • @Slipeer: I am not sure about your options. For example, you can develop a small application to capture the traffic and do your checks. Also, you can look at iptables modules like `u32` and `string` to match the patterns you have already found. – Khaled Nov 17 '16 at 10:09
  • Thanks, but I will still look for a scanner. – Slipeer Nov 17 '16 at 10:59
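One way to implement the size and data-pattern checks from the answer over captured ICMP datagrams, as an added example (not code from either poster or from ptunnel): each flow is grouped by source address and echo identifier, and flagged when its datagram sizes vary, when the payload after the ping timestamp differs between packets, or when a payload has near-random byte entropy. The `SAMPLE` records, host addresses, echo identifiers and the 7.0 bits/byte entropy threshold are constructed for illustration.

```python
"""Flag ICMP echo flows whose payload size or content varies between packets."""
import math
import struct
from collections import Counter, defaultdict

def echo(ident, seq, payload, icmp_type=8):
    """Build a raw ICMP echo datagram (checksum left as zero; not checked here)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def linux_ping_payload(seq):
    """Mimic Linux ping: 8-byte timestamp (changes per packet) + 0x10..0x3f pattern."""
    return struct.pack("!II", 1479370000, seq * 1000) + bytes(range(0x10, 0x40))

# Constructed sample: one host sending plain pings, one carrying changing data.
SAMPLE = (
    [("10.0.0.5", echo(0x1234, s, linux_ping_payload(s))) for s in range(1, 5)]
    + [("10.0.0.9", echo(0x4242, s, bytes((s * 37 + i * 7) % 256 for i in range(n))))
       for s, n in ((1, 20), (2, 300), (3, 1400), (4, 60))]
)

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def analyse(records, ts_prefix=8, max_entropy=7.0):
    """Group (src_ip, raw_icmp_bytes) records by source and echo identifier and
    return a verdict per flow. ts_prefix skips the timestamp that normal ping
    writes at the start of its payload, so only the fixed pattern is compared."""
    flows = defaultdict(list)
    for src, pkt in records:
        if len(pkt) < 8:
            continue  # too short to carry an ICMP header
        icmp_type, _code, _csum, ident, _seq = struct.unpack("!BBHHH", pkt[:8])
        if icmp_type in (0, 8):  # echo reply / echo request only
            flows[(src, ident)].append(pkt)
    verdicts = {}
    for key, pkts in flows.items():
        sizes = {len(p) for p in pkts}                 # whole ICMP datagram length
        patterns = {p[8 + ts_prefix:] for p in pkts}   # payload minus the timestamp
        ent = max(entropy(p[8:]) for p in pkts)        # crude encrypted-data proxy
        verdicts[key] = {
            "sizes": sizes, "patterns": len(patterns), "entropy": round(ent, 2),
            "suspicious": len(sizes) > 1 or len(patterns) > 1 or ent > max_entropy,
        }
    return verdicts
```

To run it against real traffic, replace `SAMPLE` with records read from a capture (for example the ICMP layer bytes from a pcap), keeping the same `(src_ip, raw_icmp_bytes)` shape.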