DNS-over-ICMP (C2) covert channels¶
Attack pattern¶
DNS-over-ICMP command and control (C2) represents a sophisticated evasion technique that abuses ICMP protocols to encapsulate DNS-like communications for covert channels. This method enables malware to establish resilient C2 connections while bypassing traditional DNS monitoring and security controls through protocol manipulation and legitimate traffic mimicry.
2. DNS-over-ICMP (C2) [AND]
2.1 Protocol encapsulation [OR]
2.1.1 DNS query encoding in ICMP echo
2.1.1.1 Domain name encoding in ICMP echo request payloads
2.1.1.2 DNS query simulation through ICMP data patterns
2.1.1.3 Response data embedding in ICMP echo replies
2.1.1.4 TXT record simulation for data exfiltration
2.1.2 ICMPv6 router advertisement DNS injection
2.1.2.1 RDNSS option exploitation for malicious DNS injection
2.1.2.2 DNS search list option abuse for C2 communication
2.1.2.3 Recursive DNS server option manipulation
2.1.2.4 Router advertisement frequency abuse for persistent C2
2.1.3 Neighbour discovery option abuse
2.1.3.1 Source link-layer address option exploitation
2.1.3.2 Target link-layer address option manipulation
2.1.3.3 Prefix information option abuse for network mapping
2.1.3.4 Redirect header option exploitation for traffic manipulation
2.2 Malware integration [OR]
2.2.1 MosaicLoader-style ICMP callbacks
2.2.1.1 Downloader payload retrieval through ICMP
2.2.1.2 Staged execution via ICMP payload commands
2.2.1.3 Configuration data embedding in ICMP packets
2.2.1.4 Update mechanism through ICMP channel
2.2.2 APT41 ICMP-based C2 channels
2.2.2.1 Long-term persistence using ICMP backdoors
2.2.2.2 Data exfiltration through fragmented ICMP responses
2.2.2.3 Lateral movement coordination via ICMP
2.2.2.4 Evasion through ICMP protocol legitimacy
2.2.3 IoT botnet ICMP command systems
2.2.3.1 Lightweight C2 for resource-constrained devices
2.2.3.2 Distributed command distribution through ICMP
2.2.3.3 Botnet synchronisation via ICMP timing packets
2.2.3.4 Persistence mechanisms using ICMP heartbeat
2.3 Evasive C2 techniques [OR]
2.3.1 Dynamic encoding algorithm rotation
2.3.1.1 Multiple encoding scheme implementation
2.3.1.2 Algorithm selection based on network environment
2.3.1.3 Steganographic techniques within ICMP payloads
2.3.1.4 Encryption key rotation through ICMP channel
2.3.2 Legitimate traffic mimicry
2.3.2.1 Network monitoring tool traffic simulation
2.3.2.2 System utility ICMP pattern replication
2.3.2.3 Cloud service ICMP traffic imitation
2.3.2.4 Network infrastructure ICMP communication mimicry
2.3.3 Multi-protocol fallback mechanisms
2.3.3.1 ICMP primary with DNS secondary C2 channels
2.3.3.2 Protocol switching based on detection events
2.3.3.3 Redundant C2 infrastructure across multiple protocols
2.3.3.4 Adaptive protocol selection for network conditions
2.4 Command execution mechanisms [OR]
2.4.1 Payload interpretation systems
2.4.1.1 Custom protocol interpreters for ICMP data
2.4.1.2 Script execution through encoded commands
2.4.1.3 System command embedding in ICMP packets
2.4.1.4 Remote code execution via ICMP channel
2.4.2 Data exfiltration techniques
2.4.2.1 File content chunking across multiple ICMP packets
2.4.2.2 Compression and encryption before transmission
2.4.2.3 Steganographic data hiding in ICMP fields
2.4.2.4 Timing-based exfiltration to avoid detection
2.5 Infrastructure abuse [OR]
2.5.1 Compromised infrastructure exploitation
2.5.1.1 Legitimate server compromise for C2 hosting
2.5.1.2 Cloud instance abuse for ICMP C2 infrastructure
2.5.1.3 IoT device exploitation for distributed C2
2.5.1.4 Network device compromise for persistent access
2.5.2 Public infrastructure manipulation
2.5.2.1 Public DNS server abuse for ICMP reflection
2.5.2.2 Cloud service exploitation for traffic blending
2.5.2.3 Content delivery network abuse for C2 distribution
2.5.2.4 Public monitoring service imitation for legitimacy
Why it works¶
Protocol necessity: ICMP is essential for network operations and cannot be completely blocked
Monitoring gaps: Many security systems focus on DNS monitoring while overlooking ICMP
Legitimate appearance: ICMP traffic appears normal and blends with network operations
Protocol flexibility: ICMP’s simple structure allows for various data encoding methods
Evasion capabilities: ICMP-based C2 bypasses traditional DNS security controls
Network pervasiveness: ICMP traffic is common across all networks, providing excellent cover
Mitigation¶
Protocol filtering and monitoring¶
Action: Implement strategic ICMP filtering and enhanced monitoring
How:
Configure firewalls to restrict unnecessary ICMP types and codes
Implement ICMP payload inspection where possible
Monitor for unusual ICMP patterns and volumes
Use deep packet inspection for ICMP content analysis
Best practice: Allow only essential ICMP types and monitor them rigorously
Behavioural analysis implementation¶
Action: Deploy behavioural analysis for C2 detection
How:
Implement machine learning for anomalous ICMP pattern detection
Monitor for consistent ICMP traffic to external hosts
Analyse payload characteristics for encoding patterns
Correlate ICMP activity with other suspicious network events
Best practice: Use behavioural analysis to identify covert C2 channels
Network segmentation and hardening¶
Action: Implement strict network segmentation and hardening
How:
Segment networks to limit east-west movement
Implement egress filtering for ICMP traffic
Harden network devices against ICMP-based attacks
Use private addressing and NAT where appropriate
Best practice: Assume breach and segment networks accordingly
Endpoint protection measures¶
Action: Enhance endpoint protection against ICMP-based C2
How:
Implement host-based firewalls with ICMP filtering
Use endpoint detection and response (EDR) solutions
Monitor for unusual ICMP activity at endpoint level
Implement application control to prevent malicious tool execution
Best practice: Defence in depth with multiple protection layers
Threat intelligence integration¶
Action: Leverage threat intelligence for C2 detection
How:
Integrate threat feeds for known C2 infrastructure
Implement reputation-based filtering for ICMP sources
Share indicators of compromise with industry partners
Use threat intelligence to inform detection rules
Best practice: Combine internal detection with external intelligence
Key insights from real-world attacks¶
ICMP C2 remains effective: Many organisations lack proper ICMP monitoring
Advanced malware adoption: Sophisticated threat actors use ICMP for persistence
Evasion techniques evolving: Attackers continuously develop new ICMP abuse methods
IoT vulnerability: Resource-constrained devices often lack ICMP protection
Future trends and recommendations¶
Increased sophistication: ICMP C2 techniques will continue to evolve
Machine learning abuse: Attackers may use AI to optimise ICMP C2 patterns
5G and IoT impact: New networks and devices will create fresh attack surfaces
Cloud exploitation: Cloud environments will be increasingly abused for ICMP C2
Conclusion¶
DNS-over-ICMP C2 represents a significant and evolving threat that leverages fundamental network protocols to establish covert communication channels. These techniques enable sophisticated threat actors to maintain persistence, evade detection, and exfiltrate data while bypassing traditional security controls. Defence against ICMP-based C2 requires a comprehensive approach including protocol filtering, behavioural analysis, network segmentation, endpoint protection, and threat intelligence integration. As attack techniques continue to sophisticate, organisations must maintain vigilance and implement advanced detection capabilities. The future of network security will depend on the ability to distinguish between legitimate ICMP traffic and covert C2 activity while maintaining essential network functionality.