Embedding Covert Channels into TCP/IP

Presentation transcript:

Embedding Covert Channels into TCP/IP
S.J. Murdoch, S. Lewis, University of Cambridge, United Kingdom
7th Information Hiding Workshop, June 2005
Sweety Chauhan, October 26, 2005

Overview
- New and Significant
- Overview of Covert Channels
- TCP/IP based Steganography
- Detection of TCP/IP Steganography
- Conclusion

New and Significant
- Proposed a scheme, "Lathra", for encoding data in the TCP/IP header that is not detected by a warden
- A message can be hidden so that an attacker cannot demonstrate its existence without knowing a secret key

Covert Channels
- Communication in a non-obvious manner
- A potential method to get information out of the security perimeter
- Two types: storage and timing

Types of Covert Channels
- Storage: information conveyed by writing or abstaining from writing; clock not needed
- Timing: information conveyed by the timing of events; receiver needs a clock

Where is this relevant?
The use of covert channels is relevant in organizations that:
- restrict the use of encryption in their systems
- have privileged or private information
- wish to restrict communication
- monitor communications

Network Covert Channels
- Information hiding placed in network headers and/or conveyed through action/reaction
- Goal: a channel that is undetectable or unobservable
- Network watchers (sniffer, IDS, ...) will not be aware that data is being transmitted

Taxonomy (I)
Network covert channels can be:
- storage-based
- timing-based
- frequency-based
- protocol-based
- any combination of the above

Taxonomy (II)
- Each of the above categories constitutes a dimension of data
- Information hiding in the packet payload is outside the realm of network covert channels; these cases fit into the broader field of steganography

Packet Header Hiding
[Figure: a packet laid out as IP Header | TCP Header | DATA, with headers marked 20-64 bytes and data 0-65,488 bytes; the header fields shown are IP Source Address, IP Destination Address, TCP Source Port and TCP Destination Port; the example payload reads "This is Information Assurance Class"]
- The TCP/IP header can serve as a carrier for a steganographic covert channel

IP Header
[Figure: IP header layout (0-44 bytes marked), highlighting the fields that may be used to embed steganographic data]

TCP Header
[Figure: TCP header layout (0-44 bytes marked), with the Timestamp option highlighted]

Storage Based
Information is leaked by hiding data in packet header fields:
- IP identification
- Offset
- Options
- TCP checksum
- TCP sequence numbers

Timing Channels (I)
- Information is leaked by triggering or delaying events at specific time intervals

Timing Channels (II)

Frequency Based (I)
- Information is encoded over many channels of cover traffic
- The order or combination of cover channel access encodes information

Frequency Based (II)

Protocol Based
- Exploits ambiguities or non-uniform features in common protocol specifications

Traditional Detection Mechanisms
Statistical methods:
- storage-based: data analysis
- time-based: time analysis
- frequency-based: flow analysis

Threat Model
- Passive warden threat model
- Active warden threat model

IP Covert Channel
- IP allows fragmentation and reassembly of long datagrams, requiring certain extra headers
- For IP networks:
  - data hidden in the IP header
  - data hidden in ICMP Echo Request and Response packets
  - data tunneled through an SSH connection
  - "port 80" tunneling (or DNS port 53 tunneling)
  - in image files

IP ID and TCP ISN Implementation
- Two fields which are commonly used to embed steganographic data are the IP ID and the TCP ISN
- Due to their construction, these fields contain some structure
- Partially unpredictable

Detection of TCP/IP Steganography
- Each operating system exhibits well-defined characteristics in the TCP/IP fields it generates; these can be used to identify any anomalies that may indicate the use of steganography
- A suite of tests is applied to network traces to identify whether the results are consistent with known operating systems

IP ID Characteristics
- Sequential global IP ID
- Sequential per-host IP ID
- IP ID MSB toggle
- IP ID permutation
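The two sequential IP ID tests above, as an added example that is not from the slides or the paper: it takes the IP IDs one source host emitted (constructed samples, in capture order) and reports whether they advance as one global counter, as one counter per destination, or show no counter structure at all. It also goes one step beyond the slide by checking the byte-swapped sequence, which catches stacks that write the counter in little-endian host order; the step threshold is an assumption.

```python
from collections import defaultdict

MOD = 1 << 16      # the IP ID is a 16-bit field, so counters wrap modulo 65536
MAX_STEP = 64      # largest increment still treated as "sequential" (constructed threshold)

def _sequential(ids, swap=False):
    """True if every consecutive pair advances by 1..MAX_STEP modulo 2^16.
    swap=True swaps the two bytes first, which catches stacks that write the
    counter in little-endian host order (steps of 256 as seen on the wire)."""
    if swap:
        ids = [((i & 0xFF) << 8) | (i >> 8) for i in ids]
    if len(ids) < 2:
        return False
    return all(1 <= (b - a) % MOD <= MAX_STEP for a, b in zip(ids, ids[1:]))

def classify_ip_id(samples):
    """samples: (dst_host, ip_id) pairs sent by ONE source host, in capture order.
    Returns 'global-sequential', 'global-sequential-byteswapped',
    'per-host-sequential' or 'unstructured'."""
    ids = [i for _, i in samples]
    if _sequential(ids):
        return "global-sequential"
    if _sequential(ids, swap=True):
        return "global-sequential-byteswapped"
    per_host = defaultdict(list)
    for dst, i in samples:
        per_host[dst].append(i)
    streams = [v for v in per_host.values() if len(v) >= 2]
    if streams and all(_sequential(v) for v in streams):
        return "per-host-sequential"
    # No counter structure: either a stack that randomises or permutes the ID
    # (to be checked against the claimed OS) or a field that is being overwritten.
    return "unstructured"

if __name__ == "__main__":
    # Constructed captures: one global counter, per-host counters, a byte-swapped
    # counter, and a sequence with no structure.
    for name, cap in [
        ("global", [("10.0.0.2", 100), ("10.0.0.3", 101), ("10.0.0.2", 102), ("10.0.0.3", 103)]),
        ("per-host", [("10.0.0.2", 10), ("10.0.0.3", 500), ("10.0.0.2", 11), ("10.0.0.3", 501), ("10.0.0.2", 12)]),
        ("swapped", [("10.0.0.2", 0x0100), ("10.0.0.2", 0x0200), ("10.0.0.2", 0x0300)]),
        ("none", [("10.0.0.2", 0x1234), ("10.0.0.2", 0x9ABC), ("10.0.0.2", 0x0F0F)]),
    ]:
        print(f"{name:9s} -> {classify_ip_id(cap)}")
```

An "unstructured" verdict is only an anomaly when the sending OS is known to use a counter; a stack that randomises or permutes its IP ID legitimately produces it.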

TCP ISN Characteristics
- Rekey timer
- Rekey counter
- ISN MSB toggle
- ISN permutation
- Zero bit 15
- Full TCP collisions
- Partial TCP collisions

Explicit Steganography Detection
12. Nushu cryptography: encrypts data before including it in the ISN field; this results in a distribution which is different from the one normally generated by Linux, and so will be detected by the other TCP tests

13. TCP Timestamp
- If a low-bandwidth TCP connection is being used to leak information, a randomness test can be applied to the least significant bits of the timestamps in the TCP packets
- If "too much" randomness is detected in the LSBs → a steganographic covert channel is in use
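The LSB randomness test of this slide, as an added example that is not from the slides or the paper: it extracts the LSB of each TSval from one connection and applies a runs test and a monobit test, flagging the sequence as "random-looking" only when neither test rejects randomness. Both captures are constructed (a 100 Hz timestamp clock with four packets per tick is an assumption), and the 5% critical value is an assumption.

```python
import math

# Constructed capture: a 100 Hz timestamp clock and four packets per tick, so
# consecutive packets repeat the same TSval and the LSBs form runs of four.
GENUINE_TSVALS = [1000 + i // 4 for i in range(64)]
# Constructed LSB sequence with no visible structure, standing in for a
# connection whose timestamp LSBs are being overwritten.
SUSPECT_LSBS = [int(c) for c in "1101001110010110100011011100101001101000"]

def lsb_bits(tsvals):
    """Least significant bit of each TCP timestamp (TSval), in capture order."""
    return [t & 1 for t in tsvals]

def runs_test(bits):
    """Wald-Wolfowitz runs test plus a monobit test on a 0/1 sequence.
    Returns (z_runs, z_monobit): z_runs near 0 means the number of runs is what
    a random string would give; strongly negative means long runs (correlated LSBs)."""
    n = len(bits)
    n1 = sum(bits)
    n0 = n - n1
    if n < 3 or n1 == 0 or n0 == 0:
        return (-math.inf, 0.0)   # degenerate (e.g. constant LSB): maximally structured
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    mu = 2.0 * n1 * n0 / n + 1
    var = 2.0 * n1 * n0 * (2.0 * n1 * n0 - n) / (n * n * (n - 1))
    return ((runs - mu) / math.sqrt(var), (n1 - n0) / math.sqrt(n))

def classify_lsbs(bits, z_crit=1.96):
    """'random-looking' unless either test rejects randomness at about the 5% level."""
    z_runs, z_mono = runs_test(bits)
    if abs(z_runs) < z_crit and abs(z_mono) < z_crit:
        return "random-looking"
    return "structured"

if __name__ == "__main__":
    for name, bits in [("genuine", lsb_bits(GENUINE_TSVALS)), ("suspect", SUSPECT_LSBS)]:
        z_runs, z_mono = runs_test(bits)
        print(f"{name}: runs z={z_runs:+.2f} monobit z={z_mono:+.2f} -> {classify_lsbs(bits)}")
```

A sparse connection on a fast timestamp clock also yields near-random LSBs, so the verdict has to be read against the packet rate and the clock of the claimed OS before it counts as an anomaly.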

14. Other Anomalies
- unusual flags (e.g. DF when not expected, ToS set)
- excessive fragmentation
- use of IP options
- non-zero padding
- unexpected TCP options (e.g. timestamps from operating systems which do not generate them)
- excessive re-ordering

Results

Detection-Resistant TCP Steganography Schemes
- Lathra: a robust scheme using the TCP ISNs generated by OpenBSD and Linux as a steganographic carrier
- Simply encoding data within the least significant 24 bits of the ISN could be detected by the warden

Conclusion
- TCP/IP header fields can be used as a carrier for a steganographic covert channel
- Two schemes for encoding data in ISNs generated by OpenBSD and Linux, indistinguishable from those generated by a genuine TCP stack

Future Work
- A flexible covert channel scheme which can be used in many channels
- Create a protocol for jumping between multiple covert channels
- New schemes to detect different encoding mechanisms in TCP/IP header fields

References
- Niels Provos, Peter Honeyman. Hide and Seek: An Introduction to Steganography. IEEE Security and Privacy Journal, May-June 2003.
- Steven J. Murdoch, Stephen Lewis. Embedding Covert Channels into TCP/IP. 7th Information Hiding Workshop, Barcelona, Catalonia (Spain), June 2005.

Thanks a lot … For Your Presence

Any Questions

Homework
Presentation slides and research papers are available at: www.umbc.edu/~chauhan2/CMSC691I/

Covert Channel Tools
- SSH (SCP, FTP tunneling, Telnet tunneling, X-Windows tunneling, ...): can be set to operate on any port (<1024 usually requires root privilege)
- Loki (ICMP Echo R/R, UDP 53)
- NT: Back Orifice (BO2K) plugin BOSOCK32
- Reverse WWW Shell Server: looks like an HTTP client (browser); app headers mimic HTTP GET and response commands

Linux 2.0 ISN Generator

Linux ISN and ID generator

OpenBSD ISN generator