137 points samray | 2 comments
ajd555 ◴[] No.45537856[source]
If a ping to a specific IP times out, I wouldn't say the IP is blocked. It could be that ICMP specifically is blocked, following some network rules on the firewall. This is pretty common in enterprise networks to not allow endpoint discovery. I could be missing something and am happy to be corrected here, but I was surprised to read that.
replies(5): >>45537931 #>>45538067 #>>45538538 #>>45538647 #>>45540200 #
1. _trampeltier ◴[] No.45540200[source]
In my old company it was the opposite. Ping always worked, even when you were blocked on to a specific VLAN.
replies(1): >>45540372 #
2. EvanAnderson ◴[] No.45540372[source]
I've worked in gigs that wanted that. They were all about segmentation, but wanted ICMP echo / response available throughout.

Edit: I wonder if any "enterprise" firewalls do ICMP echo proxying. Having the firewall replace the payload would remove some of the tunneling capability (though I assume you could still finagle a side channel by just timing the packets) but would also eliminate some of the utility (since being able to craft the payload provides a way to test for specific bit patterns in packets causing problems).
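
Added example, not part of the thread or any poster's code: a Python sketch of the diagnostic check the last comment alludes to, deciding from captured bytes whether an echo reply carries the request's bit-pattern payload back intact or whether something on the path rewrote it. The packets are constructed sample data, and the assumption that a payload-replacing proxy keeps the identifier and sequence number is hypothetical.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo message (type, code 0, checksum, id, seq, payload)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def classify_reply(request: bytes, reply: bytes) -> str:
    """Compare an echo reply against the request that produced it."""
    # A message that includes its own valid checksum sums to zero.
    if len(reply) < 8 or inet_checksum(reply) != 0:
        return "corrupt"
    r_type, _, _, r_id, r_seq = struct.unpack("!BBHHH", reply[:8])
    _, _, _, q_id, q_seq = struct.unpack("!BBHHH", request[:8])
    # Assumption: a proxying device preserves identifier and sequence number.
    if r_type != ICMP_ECHO_REPLY or (r_id, r_seq) != (q_id, q_seq):
        return "unrelated"
    return "payload-intact" if reply[8:] == request[8:] else "payload-rewritten"

# Constructed sample data: an alternating bit pattern as the test payload.
PATTERN = bytes.fromhex("aa55") * 16
request = build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, PATTERN)
# A host that echoes the payload back unchanged.
direct_reply = build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, PATTERN)
# A hypothetical proxy that answers with its own zero-filled payload.
proxied_reply = build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, bytes(len(PATTERN)))

if __name__ == "__main__":
    print("direct :", classify_reply(request, direct_reply))
    print("proxied:", classify_reply(request, proxied_reply))
```

A "payload-rewritten" result means a bit-pattern test through that path says nothing about how the pattern itself fared on the far side.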