GIAC Certified Incident Handler (GCIH) — Question 162

An attacker is tunneling TLS encrypted traffic within ICMP echo and reply packets. How will most network appliances see this?

Answer options

• A. As reverse shell traffic
• B. As covert TCP traffic
• C. As ping traffic
• D. As TLS traffic

Correct answer: C

Explanation

Most network appliances will identify this kind of tunneling as ICMP echo requests and replies, which are commonly used for ping operations. The other options are incorrect because reverse shell traffic and covert TCP traffic do not accurately describe ICMP packets, and while the traffic is TLS encrypted, the encapsulation within ICMP makes it appear as regular ping traffic.