Tunneling through ICMP and DNS for the SafeNetwork?

Hello guys, I was wondering if these obfuscated ways of tunneling would also be needed to make the job of sysadmins a nightmare to block the SafeNetwork nodes.

There are several projects that attempt to use it as a proof of concept for data exfiltration but I think that it would be useful as an extra protocol to fall back if everything else fails lol

Some interesting projects are:

  1. IP-over-ICMP:
  1. IP-over-DNS:

There is a VPN project in Japan that is offering VPN-over-ICMP and VPN-over-DNS features, and that is just the beginning:
Look at all the crazy features they are providing, it is simply mindblowing:

Some techniques are more exposed to statistical analysis of traffic and abnormal behavior, Heyoka seems to be more stealthy than the others DNS methods.

There is an interesting talk that addresses covert tunnels, and it may be interesting if these techniques can be tweaked and added to the Safe Network multiprotocol arsenal.


Could it serve to prevent blocking bootstrap nodes?

If you are in a network where TCP and UDP traffic is blocked, for all practical purposes your internet connection is blocked.
But sometimes they allow pinging other computers and DNS resolution, in those cases we can tunnel encapsulating tcp in wherever location they allow storing data. IP datagrams allow storing data up to 65,535 bytes and in DNS you can have data in the resource record.
This could be the last recourse fallback mechanism when all other attempts for connection has failed, and I think it would make the SafeNetwork resilient as hell.

What do you think @dirvine?


We are currently integrating utp again, so tcp encapsulated in udp datagrams. I Think this will make a big difference. So we have the multi protocol multi port network that is fully encrypted. Also keys passed from overlay networks down, i.e. no key negotiation so MiTM resistant as well. We will get there I am pretty sure.


Yes, but I was imagining as a fallback option when there is for example Syria that blocked all Internet access to their citizens, or other Middle Eastern (Iraq, Libya) and African countries (Egypt, Uganda, Burundi, Ethiopia, Chad, Republic of Congo and Gabon) that basically “shut down” the internet for everyone to restrict the voice of their people and the access to knowledge in critical times.
UDP and TCP traffic were dropped nationally.
In such extreme cases, a fallback mechanism to esoteric methods wouldn’t be really a bad idea.
IF uTP fails, try ICMP; and if ICMP fails, try DNS.
It would be badass.

1 Like

Are you sure it was not only DNS that was culled in these cases ? I have seen some corporate network ban Utp but allow Tcp etc. (I believe Google used to do that). I would imagine cutting off completely the internet would be physical disconnect, which would cripple a country I would think.

Not sure, this is why I am asking.

1 Like

Was that not an “air gap” cut off? Like Egypt too a while ago. They simply turned off the routers on links in/out of the country.

I’d say this will be of minimal benefit if a country wishes to isolate its people from the outside internet. They would simply turn off the access. Why waste time programming the routers to block utp&tcp when turning them off is more secure.

I don’t understand how it could be considered of “little benefit” when you can leverage the OSI layer 3 in the case of having the whole layer 4 blocked. Also, having the option of tunneling through DNS when it is often neglected in firewall rules, it is also a nice trick to have under the sleeve.
Having more options is always good in my book, especially when these options are not standard and it can sneak through cleverly hacking it’s original purpose.

Also setting a drop rule is easier than walking through every building and cutting the cables. It is literally two lines of commands.

Btw, FYI, ICMP packets were reachable in the Egyptian internet blackout during the Arab spring.

Little benefit when routers are turned OFF because a country wants to cut off its people from the rest of the world. This is what that statement was limited to.

For other situations such as firewalls in companies etc then yes maybe. But what of the throughput? [quote=“piluso, post:9, topic:12619”]
ICMP packets were reachable in the Egyptian internet blackout during the Arab spring.

Via sat internet that they forgot. Not only ICMP but full internet for some. That is how the video got out IIRC.

Here are some papers that discuss about the applied methods of censorships in these countries:

Analysis of Country-wide Internet Outages Caused by Censorship

Internet Censorship Detection, a survey
https://ufile.io/6b842 (link valid for 30 days)

Censorship in the wild: Analyzing Internet filtering in Syria

Anatomy of Web Censorship in Pakistan

Internet Censorship in Iran: A first look

Inferring Mechanics of Web Censorship Around the World

The tl;dr version is every country has their own favorite recipe of censorship. Only Pakistan applies a simplistic DNS based filtering. The conflict in Egypt was more severe, 3500 BGP routes were withdrawn from the routing tables.
The rest of the world they mix a set of strategies, mainly to snoop and censor specific content or traffic.

But since I believe the main concern for the Safe Network is not tampering but connectivity, right?
Allowing to connect to the network through the layer 3 would be quite a nice trick to have under the sleeve imho.
The last paper is an eye opener, even in South Korea they are applying online censorship quite heavily.

@neo my understanding is that ICMP tunneling is quite fast, as fast as not using the tunnel at all, especially the ‘icmptunnel’ version.
DNS tunnels are slower and less reliable, unless you create a direct connection between the server and the client. What I’ve read is that in direct connections to the host in ‘iodine’ is surprisingly very fast.
I haven’t tested them myself yet, but it sounds exciting.



I’m not sure. Any sensible router configuration caps the size and frequency of ICMP packets.

1 Like

Most routers allow MTU up to about 1500 bytes, as long as you don’t exceed that you should be pretty much okay.
The application could execute pmtud to self-configure the max MTU allowed.

You could be extra sneaky by limiting it to max 64 bytes each package just to make it look like normal sized ping echo.

Oh, btw, with ICMP you can also traverse NATs.
ICMP hole punching: https://samy.pl/pwnat/
Paper: http://samy.pl/pwnat/pwnat.pdf
Another tool in the arsenal, worth to be analyzed.