Hunting
Statistics → Conversations → ICMP Statistics → Endpoints → IPv4 Statistics → Protocol Hierarchy Statistics → IO Graph
Goal
- Attacker gains C2 on internal host
- Encodes/encrypts data
- Inserts payload into ICMP Echo Request/Reply
- Sends repeatedly to external server
- External server extracts payload
- Replies with command in ICMP reply
This creates:
- Bidirectional ICMP echo traffic
- Structured, repetitive payload size
- Often constant interval timing
Red Flags
- Large ICMP payloads
- High-frequency ICMP echo traffic
- Regular interval ICMP (beaconing pattern)
- ICMP to external unknown host
- Base64-like content in payload
- High entropy payload
- Fragmented ICMP packets
Fragmentation is especially suspicious for ICMP.
Filters
# Show ICMP Echo Only
icmp.type == 8 || icmp.type == 0
# Detect Large ICMP Payloads (200 suspicious, 500 very suspicious)
icmp && ip.len > 200
icmp && ip.len > 500
# Detect Fragmented ICMP (super suspicious)
icmp && (ip.flags.mf == 1 || ip.frag_offset > 0)
# High-Frequency ICMP (apply the filter, then check the packet rate in Statistics → IO Graph)
icmp
# External Destinations
icmp && ip.dst == EXTERNAL_IP
Content-Based Detection
Look in packet bytes pane.
Signs of tunneling:
- Base64 patterns (A-Z a-z 0-9 + / =)
- Repeated structured blocks
- High entropy random-like bytes
- Embedded credentials
- Clear ASCII commands
Rough manual inspection for Base64 content:
Right-click → Follow → ICMP stream
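Added example, not part of the original notes: a small Python scorer that applies the red flags above (payload size, constant size, interval regularity, Base64-likeness, entropy, bidirectional echo) to per-flow ICMP records such as those exported from a capture. The record format `(timestamp, icmp_type, payload)`, the thresholds and the two sample flows are assumptions constructed for the demonstration.

```python
import base64
import math
import re
import statistics

B64 = re.compile(rb"^[A-Za-z0-9+/]{16,}={0,2}$")   # whole payload looks like Base64 text
STRONG = {"large_payload", "base64_like", "high_entropy"}  # flags ping never produces

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 for encrypted data, ~6 for Base64, ~5.4 for default ping padding."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

def score_flow(records, size_thresh=200, max_jitter=0.15):
    """records: (ts, icmp_type, payload) tuples for ONE src->dst pair (assumed export format).
    Returns the set of red flags the flow exhibits."""
    flags = set()
    reqs = sorted(r for r in records if r[1] == 8)           # echo requests only
    sizes = [len(r[2]) for r in reqs]
    if sizes and max(sizes) > size_thresh:
        flags.add("large_payload")
    if len(sizes) >= 4 and len(set(sizes)) == 1:
        flags.add("constant_size")                            # weak: normal ping does this too
    if len(reqs) >= 4:
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        if statistics.pstdev(gaps) / statistics.mean(gaps) < max_jitter:
            flags.add("beaconing")                            # weak: normal ping does this too
    for _, _, payload in reqs:
        if B64.match(payload):
            flags.add("base64_like")
        if len(payload) >= 64 and shannon_entropy(payload) > 7.0:
            flags.add("high_entropy")
    if reqs and any(r[1] == 0 for r in records):
        flags.add("bidirectional")
    return flags

def verdict(flags):
    """Only the payload-content flags separate a tunnel from a scheduled ping."""
    return "suspicious" if flags & STRONG else "benign"

# Constructed sample flows (not real captures): a default Linux ping and a tunnel-like flow.
PING_PAYLOAD = bytes(8) + bytes(range(0x10, 0x40))            # 56-byte timestamp + padding
NORMAL_PING = [(t, 8, PING_PAYLOAD) for t in range(4)] + [(t + 0.01, 0, PING_PAYLOAD) for t in range(4)]
TUNNEL_PAYLOAD = base64.b64encode(bytes(range(256)) * 2)      # 684 bytes of Base64 text
TUNNEL = [(t * 5.0, 8, TUNNEL_PAYLOAD) for t in range(6)] + [(t * 5.0 + 0.2, 0, b"ls -la") for t in range(6)]

if __name__ == "__main__":
    for name, flow in (("normal_ping", NORMAL_PING), ("tunnel", TUNNEL)):
        print(name, verdict(score_flow(flow)), sorted(score_flow(flow)))
```

Group the capture by source/destination pair before calling `score_flow`, since interval regularity only means something per pair.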
Killchain
- Attacker gains internal foothold
- Encodes/encrypts data
- Inserts payload into ICMP Echo Request
- Sends repeated ICMP packets to C2
- External server extracts data
- ICMP Echo Reply contains command
- Persistent bidirectional echo traffic
Defense
Instead of blocking ICMP entirely (often unrealistic), prefer:
- Rate limit ICMP
- Block outbound ICMP to internet
- Inspect payload size anomalies
- Use egress filtering
- Deploy IDS signatures for ICMP tunneling tools