ICQ is a conferencing protocol developed by Mirabilis and used together with the conferencing services that Mirabilis runs on its own servers. Although ICQ is a proprietary service, it is one of the more popular web-based chat services. Like IRC, ICQ is a popular place for attackers to look for targets, both computers that may be vulnerable and people who may be susceptible to social engineering. Many people report an increase in the number of probes against their site while they are using ICQ.
In addition to the significant indirect problems with ICQ, straightforward security problems have occurred in the ICQ client itself. Most of these are denial of service attacks, in which an attacker can crash or hang the machine running the client, but some have been buffer overflow problems that could allow an attacker to run arbitrary commands. In addition, one version of the client set up a web server alongside the ICQ client. This is unpleasant for security no matter which web server it is (a web server's attack surface is considerably larger than a chat client's), and it was made worse by the fact that the particular web server Mirabilis provided allowed any file on the machine to be transferred. Although Mirabilis has corrected these problems rapidly, the history of repeated problems is a cause for concern.
ICQ communicates via UDP on port 4000 to the server at icq.mirabilis.com and via TCP on a port above 1024 from the client to the server or between clients. The client can be configured to control which ports it uses; normally, it will choose ports between 3989 and 4000.
Direction | Source Addr. | Dest. Addr. | Protocol | Source Port | Dest. Port | ACK Set | Notes |
---|---|---|---|---|---|---|---|
Out | Int | Mirabilis | UDP | >1023 | 4000 | [9] | Internal client to server |
In | Mirabilis | Int | UDP | 4000 | >1023 | [9] | Server to internal client |
Out | Int | Mirabilis | TCP | >1023[11] | >1023 | [12] | Internal client sending messages via server |
In | Mirabilis | Int | TCP | >1023 | >1023[11] | Yes | Server sending messages to internal client |
Out | Int | Ext | TCP | >1023[11] | >1023 | [12] | Internal client sending messages direct to external client |
In | Ext | Int | TCP | >1023 | >1023[11] | Yes | External client replying to internal client |
In | Ext | Int | TCP | >1023 | >1023[11] | [12] | External client sending messages direct to internal client |
Out | Int | Ext | TCP | >1023[11] | >1023 | Yes | Internal client replying to external client |
[9] UDP has no ACK equivalent.

[11] The port range used for this purpose can be configured on the client.

[12] ACK is not set on the first packet of this type (establishing connection) but will be set on the rest.
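The rule table above is easy to misread where the ACK column is concerned, so here is a small model of it, added as an example (it is not code from the book or from Mirabilis). It encodes the eight rows as data and checks sample packets against them, treating "Yes" in the ACK column as "only packets of an already established connection" and footnote [12] as "either ACK state". The internal network, the server address and the external address are constructed placeholders (icq.mirabilis.com's real addresses are not given on the page), the `classify()` helper that reduces an address to the table's Int / Mirabilis / Ext classes is assumed, and the client port range is the default 3989 to 4000 from the text. The `allow_inbound_direct` switch leaves out the two rows that let an outside client open a direct connection, which is the configuration a cautious site would start from.

```python
# Added example, not from the book: a model of the ICQ packet-filtering rule
# table so that sample packets can be checked against it.
from dataclasses import dataclass
from typing import Optional, Union

INTERNAL_PREFIX = "10.0.0."        # constructed internal network
MIRABILIS_SERVER = "192.0.2.10"    # placeholder, not the real server address
ICQ_UDP_PORT = 4000
CLIENT_PORTS = range(3989, 4001)   # default client port range; configurable ([11])

PortSpec = Union[int, str]          # exact port, "high" (>1023) or "client" (CLIENT_PORTS)
AckSpec = Union[None, bool, str]    # None: UDP ([9]); True: ACK required ("Yes"); "any": [12]


def classify(addr: str) -> str:
    """Assumed helper: map an address onto the table's Int / Mirabilis / Ext classes."""
    if addr == MIRABILIS_SERVER:
        return "Mirabilis"
    if addr.startswith(INTERNAL_PREFIX):
        return "Int"
    return "Ext"


@dataclass(frozen=True)
class Packet:
    direction: str              # "Out" or "In", as seen by the firewall
    src: str
    dst: str
    proto: str                  # "UDP" or "TCP"
    sport: int
    dport: int
    ack: Optional[bool] = None  # None for UDP, which has no ACK flag


@dataclass(frozen=True)
class Rule:
    direction: str
    src_class: str
    dst_class: str
    proto: str
    sport: PortSpec
    dport: PortSpec
    ack: AckSpec
    note: str
    inbound_direct: bool = False  # row lets an outside client open a connection


# The eight rows of the table, in the table's order.
RULES = [
    Rule("Out", "Int", "Mirabilis", "UDP", "high", ICQ_UDP_PORT, None, "Internal client to server"),
    Rule("In", "Mirabilis", "Int", "UDP", ICQ_UDP_PORT, "high", None, "Server to internal client"),
    Rule("Out", "Int", "Mirabilis", "TCP", "client", "high", "any", "Internal client sending messages via server"),
    Rule("In", "Mirabilis", "Int", "TCP", "high", "client", True, "Server sending messages to internal client"),
    Rule("Out", "Int", "Ext", "TCP", "client", "high", "any", "Internal client sending messages direct to external client"),
    Rule("In", "Ext", "Int", "TCP", "high", "client", True, "External client replying to internal client"),
    Rule("In", "Ext", "Int", "TCP", "high", "client", "any", "External client sending messages direct to internal client", True),
    Rule("Out", "Int", "Ext", "TCP", "client", "high", True, "Internal client replying to external client", True),
]


def _port_matches(spec: PortSpec, port: int) -> bool:
    if spec == "high":
        return port > 1023
    if spec == "client":
        return port in CLIENT_PORTS
    return port == spec


def _ack_matches(spec: AckSpec, ack: Optional[bool]) -> bool:
    if spec is None:        # UDP row: the packet carries no ACK flag at all
        return ack is None
    if spec == "any":       # connection may be opened here: first packet has ACK clear ([12])
        return ack is not None
    return ack is True      # "Yes": only packets belonging to an established connection


def evaluate(pkt: Packet, allow_inbound_direct: bool = False) -> Optional[str]:
    """Return the note of the first matching row, or None if the packet is denied.

    With allow_inbound_direct=False the two rows that let an outside client open
    a direct connection are omitted, so inbound ICQ TCP traffic is limited to
    replies to connections the internal client started.
    """
    for rule in RULES:
        if rule.inbound_direct and not allow_inbound_direct:
            continue
        if (rule.direction, rule.proto) != (pkt.direction, pkt.proto):
            continue
        if classify(pkt.src) != rule.src_class or classify(pkt.dst) != rule.dst_class:
            continue
        if not (_port_matches(rule.sport, pkt.sport) and _port_matches(rule.dport, pkt.dport)):
            continue
        if not _ack_matches(rule.ack, pkt.ack):
            continue
        return rule.note
    return None


if __name__ == "__main__":
    # Constructed sample packets: a UDP login and an unsolicited inbound TCP open.
    login = Packet("Out", "10.0.0.5", MIRABILIS_SERVER, "UDP", 3990, ICQ_UDP_PORT)
    unsolicited = Packet("In", "203.0.113.7", "10.0.0.5", "TCP", 5000, 3990, ack=False)
    print(evaluate(login))                                   # Internal client to server
    print(evaluate(unsolicited))                             # None: denied by default
    print(evaluate(unsolicited, allow_inbound_direct=True))  # permitted only when opted in
```

Note that the row for "External client replying to internal client" comes before the row for "External client sending messages direct to internal client"; a packet with ACK set from an external client matches the reply row first, so the ordering only matters for logging, not for the accept decision. The same idea carries over to a real filter: the ACK-set rows are what keep the outside world from opening connections to the client port range, and the two opt-in rows are the only ones that give that up.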
The ICQ client is SOCKS-aware and will speak to SOCKS4 or SOCKS5 servers. However, since ICQ uses both TCP and UDP, and SOCKS4 does not proxy UDP, using SOCKS4 is not a complete solution; you will also need to allow UDP to port 4000. ICQ will allow you to direct the UDP packets to the firewall to facilitate use of a UDP relayer or SOCKS5 UDP support.
Normally, ICQ clients will attempt to send messages directly to each other. If you are using a proxy server, incoming connections will presumably fail even when outgoing ones succeed, since the initiating client does not know that it should contact the proxy server. Therefore, if you tell your ICQ client that you are using a proxy server, it will route conversations through the ICQ server (via the proxy server) instead of directly to the other client.
ICQ uses embedded port number information to set up direct client-to-client communications. In general, this will not work through network address translation, and clients behind a network address translation system will be able to contact the servers at Mirabilis, and to send direct client-to-client messages, but not to receive them. However, if you set up static inbound mappings for the port numbers that ICQ uses, direct client-to-client communication will be possible.