Embedding Covert Channels into TCP/IP

Presentation transcript:

1 Embedding Covert Channels into TCP/IP
S.J. Murdoch, S. Lewis, University of Cambridge, United Kingdom. 7th Information Hiding Workshop, June 2005. Presented by Sweety Chauhan, October 26, 2005

2 Overview
- New and Significant
- Overview of Covert Channels
- TCP/IP based Steganography
- Detection of TCP/IP Steganography
- Conclusion

3 New and Significant
- Proposes a scheme, "Lathra", for encoding data in TCP/IP header fields in a way that the warden cannot detect
- A message can be hidden so that an attacker cannot demonstrate its existence without knowing a secret key

4 Covert Channels
- Communication in a non-obvious manner
- A potential method of getting information out of the security perimeter
- Two types: storage and timing

5 Types of Covert Channels
Storage: information is conveyed by writing or abstaining from writing; no clock is needed
Timing: information is conveyed by the timing of events; the receiver needs a clock

6 Where is this relevant?
The use of covert channels is relevant in organizations that:
- restrict the use of encryption in their systems
- have privileged or private information
- wish to restrict communication
- monitor communications

7 Network Covert Channels
- Information hiding placed in network headers and/or conveyed through action/reaction
- Goal: a channel that is undetectable or unobservable
- Network watchers (sniffers, IDS, ...) will not be aware that data is being transmitted

8 Taxonomy (I)
Network covert channels can be:
- Storage-based
- Timing-based
- Frequency-based
- Protocol-based
- any combination of the above

9 Taxonomy (II)
- Each of the above categories constitutes a dimension of data hiding
- Information hiding in the packet payload is outside the realm of network covert channels; these cases fit into the broader field of steganography

10 Packet Header Hiding
[Figure: IP header (20-60 bytes) | TCP header (20-60 bytes) | DATA (0-65,488 bytes); the IP Source Address, IP Destination Address, TCP Source Port and TCP Destination Port fields are highlighted as candidate carriers; sample payload "This is Information Assurance Class"]
The TCP/IP header can serve as a carrier for a steganographic covert channel

11 IP Header
[Figure: IP header layout with the fields that may be used to embed steganographic data highlighted]

12 TCP Header
[Figure: TCP header layout with the fields that may be used to embed steganographic data highlighted, including the Timestamp option]

13 Storage Based
Information is leaked by hiding data in packet header fields:
- IP Identification
- Fragment Offset
- Options
- TCP Checksum
- TCP Sequence Numbers

14 Timing Channels (I)
Information is leaked by triggering or delaying events at specific time intervals

15 Timing Channels (II)

16 Frequency Based (I)
- Information is encoded over many channels of cover traffic
- The order or combination of cover channel accesses encodes the information

17 Frequency Based (II)

18 Protocol Based
Exploits ambiguities or non-uniform features in common protocol specifications

19 Traditional Detection Mechanisms
Statistical methods:
- Storage-based channels: data analysis
- Timing-based channels: time analysis
- Frequency-based channels: flow analysis

20 Threat Model
- Passive warden threat model: the warden observes traffic but does not alter it
- Active warden threat model: the warden may also modify traffic in transit

21 IP Covert Channel
- IP allows fragmentation and reassembly of long datagrams, requiring certain extra header fields
- For IP networks, data may be hidden in: the IP header; ICMP Echo Request and Reply packets; a tunnel through an SSH connection; "port 80" (HTTP) tunnelling or DNS port 53 tunnelling; image files

22 IP ID and TCP ISN Implementation
- Two fields commonly used to embed steganographic data are the IP ID and the TCP ISN
- Because of the way they are generated, these fields contain some structure and are only partially unpredictable

23 Detection of TCP/IP Steganography
- Each operating system exhibits well-defined characteristics in the TCP/IP fields it generates
- These characteristics can be used to identify anomalies that may indicate the use of steganography
- A suite of tests is applied to network traces to identify whether the results are consistent with known operating systems

24 IP ID Characteristics
- Sequential global IP ID
- Sequential per-host IP ID
- IP ID MSB toggle
- IP ID permutation
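As an added example (not code from the paper or these slides), the naive storage channel of slide 13 in the IP Identification field, side by side with the "sequential global IP ID" check of slide 24 that a passive warden can run against it. The header builder, the addresses, the message and the MAX_STEP threshold are all constructed for this demo:

```python
import socket
import struct
from typing import List

# Largest plausible gap between consecutive IDs seen from one host whose stack
# uses a single global counter (packets to other destinations interleave).
# This threshold is an assumption for the demo, not a value from the paper.
MAX_STEP = 64


def _checksum(data: bytes) -> int:
    """Standard ones'-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ip_id: int, src: str = "10.0.0.1", dst: str = "10.0.0.2",
                      payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (protocol TCP) carrying the given Identification.

    Addresses are constructed for the example; the checksum is filled in so a
    real stack would accept the header.
    """
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, ip_id & 0xFFFF,
                      0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def ip_id_of(header: bytes) -> int:
    """The Identification field sits at byte offset 4 of the IPv4 header."""
    return struct.unpack("!H", header[4:6])[0]


def genuine_sender(n: int, start: int = 0x1234) -> List[bytes]:
    """Model of a stack with a sequential global IP ID counter."""
    return [build_ipv4_header((start + i) & 0xFFFF) for i in range(n)]


def stego_sender(message: bytes) -> List[bytes]:
    """Naive storage channel: 16 message bits per packet, straight into IP ID."""
    if len(message) % 2:
        message += b"\x00"
    return [build_ipv4_header(struct.unpack("!H", message[i:i + 2])[0])
            for i in range(0, len(message), 2)]


def stego_receiver(headers: List[bytes]) -> bytes:
    """Receiver side: concatenate the ID fields and drop the padding byte."""
    return b"".join(struct.pack("!H", ip_id_of(h)) for h in headers).rstrip(b"\x00")


def sequential_score(ids: List[int]) -> float:
    """Fraction of consecutive ID pairs consistent with a counter stepping by 1..MAX_STEP."""
    if len(ids) < 2:
        return 1.0
    ok = sum(1 for a, b in zip(ids, ids[1:]) if 1 <= (b - a) % 0x10000 <= MAX_STEP)
    return ok / (len(ids) - 1)


def warden_flags(headers: List[bytes], threshold: float = 0.9) -> bool:
    """True when the observed IDs are NOT consistent with a sequential generator."""
    return sequential_score([ip_id_of(h) for h in headers]) < threshold


if __name__ == "__main__":
    covert = stego_sender(b"Lathra")          # constructed message
    print("decoded:", stego_receiver(covert))
    print("genuine flagged:", warden_flags(genuine_sender(50)))
    print("stego flagged:", warden_flags(covert))
```

The warden needs no key: it only checks that successive IDs from one host behave like a counter. The per-host variant on the same slide is the same check run separately for each destination address.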

25 TCP ISN Characteristics
- Rekey timer
- Rekey counter
- ISN MSB toggle
- ISN permutation
- Zero bit 15
- Full TCP collisions
- Partial TCP collisions

26 Explicit Steganography Detection
12. Nushu Cryptography: Nushu encrypts data before placing it in the ISN field; this results in a distribution different from the one normally generated by Linux, so it will be detected by the other TCP tests

27 13. TCP Timestamp
- If a low-bandwidth TCP connection is being used to leak information, a randomness test can be applied to the least significant bits of the timestamps in the TCP packets
- If "too much" randomness is detected in the LSBs, a steganographic covert channel is in use
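An added example of the test on slide 27 (not the paper's code). It models a low-bandwidth sender whose packets leave in bursts, so several consecutive packets share one timestamp tick, beside a timestamp-LSB channel that holds each packet until a tick whose LSB equals the next message bit. The randomness test is my choice of a Wald-Wolfowitz runs test on the LSB stream; the burst schedule, clock start values, message and z-score limit are constructed for the demo:

```python
import math
from typing import List

# Constructed burst schedule for the "genuine" sender: gaps in clock ticks
# between bursts; each burst of BURST_SIZE packets shares one TSval tick.
BURST_GAPS = [3, 8, 5, 11, 2, 7, 9, 4, 6, 13, 5]
BURST_SIZE = 4
Z_LIMIT = 1.96   # |z| below this: LSBs look random at the 5% level (assumption)


def bits_of(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bytes_of(bits: List[int]) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def genuine_timestamps(gaps: List[int], burst_size: int, start: int) -> List[int]:
    """Low-bandwidth sender: packets go out in bursts, so consecutive packets
    repeat the same TSval (the structure the warden expects to see)."""
    ticks = [start]
    for g in gaps:
        ticks.append(ticks[-1] + g)
    return [t for t in ticks for _ in range(burst_size)]


def lsb_channel_send(message: bytes, start: int) -> List[int]:
    """Timestamp-LSB channel: hold each packet until a tick whose LSB equals
    the next message bit, one packet per tick."""
    t, stamps = start, []
    for bit in bits_of(message):
        if (t & 1) != bit:
            t += 1          # wait one tick for the parity we need
        stamps.append(t)
        t += 1
    return stamps


def lsb_channel_receive(stamps: List[int]) -> bytes:
    return bytes_of([s & 1 for s in stamps])


def runs_z(bits: List[int]) -> float:
    """Wald-Wolfowitz runs test z-score; near 0 means 'as random as coin flips'."""
    n, n1 = len(bits), sum(bits)
    n0 = n - n1
    if n0 == 0 or n1 == 0:
        return -math.inf   # a constant sequence is the opposite of random
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    mu = 2.0 * n0 * n1 / n + 1
    var = 2.0 * n0 * n1 * (2.0 * n0 * n1 - n) / (n * n * (n - 1))
    if var <= 0:
        return -math.inf
    return (runs - mu) / math.sqrt(var)


def timestamp_warden(stamps: List[int], z_limit: float = Z_LIMIT) -> bool:
    """Flag the connection when the timestamp LSBs pass the randomness test."""
    return abs(runs_z([s & 1 for s in stamps])) < z_limit


if __name__ == "__main__":
    genuine = genuine_timestamps(BURST_GAPS, BURST_SIZE, 1000)
    covert = lsb_channel_send(b"covert", 5000)   # constructed message
    print("recovered:", lsb_channel_receive(covert))
    print("genuine z=%.2f flagged=%s" % (runs_z([s & 1 for s in genuine]),
                                        timestamp_warden(genuine)))
    print("covert  z=%.2f flagged=%s" % (runs_z([s & 1 for s in covert]),
                                        timestamp_warden(covert)))
```

The bursty sender produces long runs of identical LSBs (strongly negative z), while the channel, by construction, makes the LSB stream equal the message bits and therefore indistinguishable from coin flips; that is exactly the "too much randomness" the slide describes.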

28 14. Other Anomalies
- unusual flags (e.g. DF when not expected, ToS set)
- excessive fragmentation
- use of IP options
- non-zero padding
- unexpected TCP options (e.g. timestamps from operating systems which do not generate them)
- excessive re-ordering

29 Results

30 Detection-Resistant TCP Steganography Schemes
- Lathra: a robust scheme that uses the TCP ISNs generated by OpenBSD and Linux as a steganographic carrier
- Simply encoding data in the least significant 24 bits of the ISN could be detected by the warden
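To make the collision tests of slide 25 and the warning on slide 30 concrete, here is an added example that is neither the paper's code nor an implementation of Lathra. It models an RFC 1948-style ISN generator (keyed hash of the connection 4-tuple plus a running clock, rekeyed periodically; the clock rate, rekey period and tolerance are assumptions chosen for the demo), the naive channel that overwrites the low 24 bits of each ISN, and a "full TCP collision" check in which a warden that does not know the secret compares the ISNs of repeated SYNs on the same 4-tuple against the elapsed time. The trace, addresses, secret and message are all constructed:

```python
import hashlib
import struct
from typing import Dict, List, Tuple

CLOCK_HZ = 250_000       # ISN clock: RFC 793's 4 us tick; an assumption for this model
REKEY_SECONDS = 300      # secret refreshed every 5 minutes (model, not a measured value)
TOLERANCE = 2_000        # allowed slack in ticks (8 ms) for capture/scheduling jitter
MASK32 = 0xFFFFFFFF

FourTuple = Tuple[str, int, str, int]          # (src, sport, dst, dport)
Observation = Tuple[float, FourTuple, int]     # (time, 4-tuple, ISN)


def _epoch(t: float) -> int:
    return int(t // REKEY_SECONDS)


def genuine_isn(secret: bytes, conn: FourTuple, t: float) -> int:
    """RFC 1948-style ISN: keyed hash of the 4-tuple plus a running clock."""
    label = ("%s:%d->%s:%d" % conn).encode()
    digest = hashlib.sha256(secret + struct.pack("!I", _epoch(t)) + label).digest()
    offset = struct.unpack("!I", digest[:4])[0]
    return (offset + int(t * CLOCK_HZ)) & MASK32


def stego_isn(secret: bytes, conn: FourTuple, t: float, chunk: bytes) -> int:
    """Naive channel from slide 30: overwrite the low 24 bits with message bytes."""
    assert len(chunk) == 3
    base = genuine_isn(secret, conn, t) & 0xFF000000
    return base | int.from_bytes(chunk, "big")


def stego_decode(isn: int) -> bytes:
    return (isn & 0xFFFFFF).to_bytes(3, "big")


def collision_test(obs: List[Observation]) -> List[Tuple[FourTuple, float, float, int, int]]:
    """Full-collision check: for SYNs that reuse a 4-tuple inside one key period,
    (isn2 - isn1) mod 2^32 must track CLOCK_HZ * elapsed time. No secret needed."""
    by_conn: Dict[Tuple[FourTuple, int], List[Tuple[float, int]]] = {}
    for t, conn, isn in obs:
        by_conn.setdefault((conn, _epoch(t)), []).append((t, isn))
    flagged = []
    for (conn, _), seen in by_conn.items():
        seen.sort()
        for (t1, isn1), (t2, isn2) in zip(seen, seen[1:]):
            observed = (isn2 - isn1) & MASK32
            if observed > 0x7FFFFFFF:          # interpret as a signed difference
                observed -= 1 << 32
            expected = int((t2 - t1) * CLOCK_HZ)
            if abs(observed - expected) > TOLERANCE:
                flagged.append((conn, t1, t2, observed, expected))
    return flagged


# Constructed trace: one client reconnecting to a server three times inside one
# key period, an unrelated connection, and one reconnect after a rekey.
SECRET = b"demo-secret-not-from-the-paper"
CONN_A: FourTuple = ("192.0.2.10", 40001, "198.51.100.5", 80)
CONN_B: FourTuple = ("192.0.2.11", 40002, "198.51.100.5", 80)
TIMES = [100.0, 100.5, 101.25, 400.0]


def genuine_trace() -> List[Observation]:
    obs = [(t, CONN_A, genuine_isn(SECRET, CONN_A, t)) for t in TIMES]
    obs.append((100.1, CONN_B, genuine_isn(SECRET, CONN_B, 100.1)))
    return obs


def stego_trace(message: bytes = b"Murdoch!!") -> List[Observation]:
    chunks = [message[i:i + 3] for i in range(0, 9, 3)]
    return [(t, CONN_A, stego_isn(SECRET, CONN_A, t, c)) for t, c in zip(TIMES, chunks)]


if __name__ == "__main__":
    print("genuine flagged pairs:", collision_test(genuine_trace()))
    print("stego   flagged pairs:", collision_test(stego_trace()))
```

The genuine ISNs on the repeated 4-tuple differ by exactly the clock advance, so the check passes without the warden ever learning the secret; the naive channel fixes the low 24 bits to message bytes, so the differences no longer track the clock and every repeated connection is flagged. A detection-resistant scheme has to preserve that relationship, which is the constraint Lathra is built around.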

31 Conclusion
- TCP/IP header fields can be used as a carrier for a steganographic covert channel
- Two schemes encode data in ISNs generated by OpenBSD and Linux so that they are indistinguishable from those generated by a genuine TCP stack

32 Future Work
- A flexible covert channel scheme that can be used in many channels
- A protocol for jumping between multiple covert channels
- New schemes to detect different encoding mechanisms in TCP/IP header fields

33 References
- Niels Provos, Peter Honeyman, "Hide and Seek: An Introduction to Steganography", IEEE Security and Privacy, May-June 2003
- Steven J. Murdoch, Stephen Lewis, "Embedding Covert Channels into TCP/IP", 7th Information Hiding Workshop, Barcelona, Catalonia (Spain), June 2005

34 Thanks a lot for your presence

35 Any Questions

36 Presentation Slides and Research Papers are available at:

37 Covert Channel Tools
- SSH (SCP, FTP tunnelling, Telnet tunnelling, X Windows tunnelling, ...): can be set to operate on any port (ports below 1024 usually require root privilege)
- Loki (ICMP Echo Request/Reply, UDP 53)
- NT: Back Orifice (BO2K) plugin BOSOCK32
- Reverse WWW Shell: the server looks like an HTTP client (browser); application headers mimic HTTP GET requests and responses

38 Linux 2.0 ISN Generator

39 Linux ISN and ID generator

40 Open BSD ISN generator

