Presentation is loading. Please wait.

Presentation is loading. Please wait.

Covert Channels Thomas Arnold CSCI 5235/Summer 2010 7/12/2010.

Published byMitchell Patrick Modified over 9 years ago

Similar presentations

Presentation on theme: "Covert Channels Thomas Arnold CSCI 5235/Summer 2010 7/12/2010."— Presentation transcript:

1 Covert Channels Thomas Arnold CSCI 5235/Summer 2010 7/12/2010

2 Outline Background Covert Channel Designs Detection Methods Example: Passive Covert Channel Example: Tunneling NDIS

3 What are covert channels? You want to communicate with someone without being observed Cryptography/Encryption is not good enough – You want to hide the fact you are communicating at all – Best way is to hide the communication in innocuous-looking network traffic or data – Firewall must let the traffic pass through

4 Why would you need covert channels? Stealing of confidential information – Government/corporate espionage, Intelligence gathering of criminal/terrorist activity Malware – Rootkits, keyloggers, botnets, etc.

5 Covert Channel Techniques Storage Channels – Hide data within unused TCP/IP packet header fields TCP Flags field, TCP ISN, etc. Timing channels – Modulate system resources in such a way that a receiver can observe and decode it – Port Knocking, varying packet rates, etc. Steganography – Hide messages in email, images

6 Detection/Prevention Detection – Network traffic analysis Higher bandwidth usage Formatting of HTTP headers Request regularity Prevention – Block susceptible outbound ports/protocols

7 Example: Passive TCP Covert Channels Technique uses existing traffic (does not generate it’s own) Requires that attacker control the network gateway as well Uses the TCP ISN field to transmit data – Compromised gateway filters out secret TCP ISN to send to attacker, and forwards the legitimate traffic to the intended destination Pros/Cons – Blends in with existing traffic, difficult to detect – ISN data must not look too conspicuous, and gateway processing can be very complicated to filter out and forward the legitimate traffic

8 Example: Passive TCP Covert Channels

9 Example: Tunneling using NDIS Idea is to tunnel information on existing protocols such as HTTP, DNS, and ICMP Pros/Cons with each protocol – HTTP good for large data transfer, but more conspicuous – DNS not great for data transfer, but good for C&C – ICMP is good for C&C but is often blocked Author of The Rootkit Arsenal proposes writing your own TCP/IP stack using MS Windows NDIS

10 Example: Tunneling using NDIS Since you have already have root privileges, you can implement a Kernel Mode NDIS Driver – Complete control, can act as a NIC and create your own MAC/IP addresses, and format any of the protocol headers as you wish Built in diagnostic tools such as ipconfig, netstat, etc. (as well as firewalls) can’t see it because they use the native TCP/IP stack Pros/Cons – Extremely difficult to detect, but also hard to implement

Download ppt "Covert Channels Thomas Arnold CSCI 5235/Summer 2010 7/12/2010."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
SYSTEM ADMINISTRATION Chapter 19

SYSTEM ADMINISTRATION Chapter 19
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Raw Sockets CS-480b Dick Steflik Raw Sockets Raw Sockets let you program at just above the network (IP) layer You could program at the IP level using.

Raw Sockets CS-480b Dick Steflik Raw Sockets Raw Sockets let you program at just above the network (IP) layer You could program at the IP level using.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies www.coresecurity.com.

Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.

Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan Hayashi.

Firewalls CS591 Topics in Internet Security November Steve Miskovitz, Steve Peckham, Kan Hayashi.
Information Networking Security and Assurance Lab National Chung Cheng University Anti-hacker Tool Kit: CH13 Port Redirection Jared 04/03/31.

Information Networking Security and Assurance Lab National Chung Cheng University Anti-hacker Tool Kit: CH13 Port Redirection Jared 04/03/31.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
1 Review of Important Networking Concepts Introductory material. This slide uses the example from the previous module to review important networking concepts:

1 Review of Important Networking Concepts Introductory material. This slide uses the example from the previous module to review important networking concepts:
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
Embedding Covert Channels into TCP/IP

Embedding Covert Channels into TCP/IP
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Information Hiding: Covert Channels Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See.

Information Hiding: Covert Channels Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See.

Similar presentations

Ads by Google