Covert Channels Drew Hintz. At A Glance Definitions Who are you? Who are “they”? A Couple Good Solutions A Couple Really Good Solutions Demo Tool.

Covert Channels Drew Hintz

At A Glance
– Definitions
– Who are you?
– Who are “they”?
– A Couple Good Solutions
– A Couple Really Good Solutions
– Demo Tool

Definitions: Steganography vs. Covert Channel

Steganography
– The art of communication through obscurity
– High Tech: flipping the low two bits in a JPEG
– Low Tech: shaving your head, getting a tattoo, growing your hair back

Covert Channel
– Subcategory of stego
– Communication stream between hosts
– Sent in the open / open for eavesdropping
– Uses common internet protocols in imaginative ways

Who Are You?
– FUD
– Trojan Horses

Who are “they”?
Dedicated Observer
– All portions of traffic closely monitored
– Aware of all the tricks in the book
Casual Observer
– Automated systems sifting on keywords
– Focusing mainly on payload

How covert is covert enough?
Semi-Covert: fooling the Casual Observer
– Security through obscurity
– Breaks common implementation standards
– Assumes “they” won’t bother looking
Truly Covert: fooling everyone
– Traffic appears normal
– Does not stray from common implementation
– Will work even if “they” know the procedure used

Methods in General
– Uses some amount of cover/permissible traffic
– Sender embeds the covert message outbound
– Client receives the traffic and retrieves the message

A simple example
– Dick wants to send a message to Jane
– FTPs Jane a couple of old vacation pictures
– And encodes the secret formula for Coke bit by bit using the PSH flag

Rating A Method
– Fault Tolerance
– Bandwidth
– Ease of Detection

Rating the PSH Example
Fault Tolerance
– IP header may be rewritten by firewalls
Bandwidth
– Poor: one bit per packet
Detection
– Easy: PSH rarely used
– ENTER SNORT RULE HERE

Semi-Covert Channels
– IP Identification Field
– TCP Checksum

TCP Checksum
What it is:
– 2-byte (16-bit) one’s-complement checksum over the TCP segment: header, payload and an IP pseudo-header
How it’s exploited
– YOU TELL ME

Details of How the TCP Checksum Works
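As an added worked example (not from the slides), this is the RFC 1071 checksum as a receiver or IDS recomputes it over the pseudo-header and segment; a segment whose carried checksum does not match the recomputed value is malformed and can be flagged. The addresses, ports and SYN segment are constructed sample data.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, TCP length)
    followed by the TCP header and payload, with the checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def checksum_is_valid(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """What a receiver or IDS does: recompute and compare with the carried field."""
    carried = struct.unpack("!H", segment[16:18])[0]
    return carried == tcp_checksum(src_ip, dst_ip, segment)

# Constructed sample: 10.0.0.1:1234 -> 10.0.0.2:80, SYN, no payload.
SRC = bytes([10, 0, 0, 1])
DST = bytes([10, 0, 0, 2])

def build_syn() -> bytes:
    """20-byte TCP header with a correctly filled-in checksum."""
    hdr = struct.pack("!HHIIBBHHH", 1234, 80, 0x11223344, 0, 5 << 4, 0x02, 8192, 0, 0)
    csum = tcp_checksum(SRC, DST, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

if __name__ == "__main__":
    seg = build_syn()
    print("checksum 0x%04x valid=%s" % (struct.unpack("!H", seg[16:18])[0],
                                        checksum_is_valid(SRC, DST, seg)))
```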

Rating of TCP Checksum
– You tell me

IP Identification Field
What it is
– 2-byte number in the IP header
– Unique number assigned to each packet
– Used in reassembling fragments
How it’s exploited
– Straight encoding of the message into the field

IP ID Field Rating
Fault Tolerance
– Can get rewritten by NAT/firewalls
Bandwidth
– Good: 2-byte number on each packet
Ease of Detection
– Good, depending on sender OS
– Some OSs will increment each ID per session
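The detection point above (an OS counter increments the ID by small steps, a field carrying data does not) as an added example that is not from the slides: parse the ID out of raw IPv4 headers, group by source, and flag senders whose IDs jump erratically. The hosts, threshold and the sample packets (one host counting normally, one carrying a string two bytes at a time as the slide describes) are constructed assumptions.

```python
import struct
from collections import defaultdict

def ip_id_and_src(packet: bytes):
    """Pull (source address, Identification) out of a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ident = struct.unpack("!H", packet[4:6])[0]
    src = ".".join(str(b) for b in packet[12:16])
    return src, ident

def build_ipv4(src: bytes, dst: bytes, ident: int) -> bytes:
    """Constructed 20-byte IPv4 header: TCP inside, DF set, TTL 64, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0x4000, 64, 6, 0, src, dst)

def suspicious_id_sources(packets, max_step=32, min_packets=8):
    """Heuristic (assumed threshold): a normal sender increments ID by a small step
    per packet modulo 2**16, so a source where most steps are zero or large is
    flagged. Caveats: OSs that randomize IDs, or send constant 0 IDs with DF set,
    also trip this, so a real deployment needs a per-host baseline."""
    seen = defaultdict(list)
    for pkt in packets:
        src, ident = ip_id_and_src(pkt)
        seen[src].append(ident)
    flagged = []
    for src, ids in seen.items():
        if len(ids) < min_packets:
            continue  # too little traffic to judge
        steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
        erratic = sum(1 for s in steps if s == 0 or s > max_step)
        if erratic > len(steps) // 2:
            flagged.append(src)
    return flagged

# Constructed sample traffic: host A counts normally; host B's ID field carries
# the bytes of a string two at a time (the slide's "straight encoding").
A, B, DST = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]), bytes([192, 0, 2, 1])
NORMAL = [build_ipv4(A, DST, 1000 + i) for i in range(10)]
MSG = b"the secret formula"  # 18 bytes -> 9 packets
ENCODED = [build_ipv4(B, DST, struct.unpack("!H", MSG[i:i + 2])[0])
           for i in range(0, len(MSG), 2)]

if __name__ == "__main__":
    print("flagged sources:", suspicious_id_sources(NORMAL + ENCODED))
```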

Covert Channels
– TCP Timestamp
– ISN Field Method
– Addon: ISN Bounce