Presentation is loading. Please wait.

Presentation is loading. Please wait.

Stealth Data Dispersion ICMP Moon-Bounce Saqib A. Khan, Principal Latest

Published byJeffrey Rich Modified over 9 years ago

Similar presentations

Presentation on theme: "Stealth Data Dispersion ICMP Moon-Bounce Saqib A. Khan, Principal Latest"— Presentation transcript:

1 Stealth Data Dispersion ICMP Moon-Bounce Saqib A. Khan, Principal khan@SecurityV.com Latest Version @ http://SecurityV.com/research

2 Copyright 2002 Security Verification, Inc. All rights reserved. Definition Stealth Data Dispersal is an asynchronous covert channel

3 Copyright 2002 Security Verification, Inc. All rights reserved. Project Goal Reside small amounts of data on the “ether” (within network traffic) rather than fixed physical storage.

4 Copyright 2002 Security Verification, Inc. All rights reserved. Project Benefit Data becomes highly survivable in case of catastrophic failure/removal of Network Hosts

5 Copyright 2002 Security Verification, Inc. All rights reserved. Preferred Embodiment Dispersal of small amounts of data (< 1500 bytes = PPP MTU) Data stays “alive” on the wire vs. a storage device, as long as possible Data is retrieved or refreshed before data expires on the “wire”

6 Copyright 2002 Security Verification, Inc. All rights reserved. Core TCP/IP Impediment TTL limits all TCP/IP packets to expire automatically after 255 hops! Packets which reach limit are automatically discarded

7 Copyright 2002 Security Verification, Inc. All rights reserved. Candidate TCP/IP Protocols 1. ICMP (Inet Control Message Protocol) Implementation required on all TCP/IP stacks Echo Replies required to echo back original “Request” data Universally available – Print servers, etc Fair amount of ICMP traffic always present on the wire, ergo stealthy

8 Copyright 2002 Security Verification, Inc. All rights reserved. Candidate TCP/IP Protocols 2. Multicast/IGMP (Inet Group Mgmt Protocol) Designed for communicating between single Source to multiple Destinations (utilizing single transmission) Very large amount of data can be found on the wire at any time (being used to broadcast numerous audio streams, etc), ergo very stealthy!

9 Copyright 2002 Security Verification, Inc. All rights reserved. ICMP Moon-Bounce Basic Operation: Bounce data between 2 Hosts utilizing an intermediary Victim Host. Process: 1.A sends spoofed Echo Request pkt -> V (w/ B’s Src Addr) 2.V Echo Reply’s -> B, inadvertently echo-ing A’s data 3.B Ack’s A directly, signaling data received. 4.B repeats A’s procedure to return data Data is now bouncing between 2 Hosts! PS - Doubles as a good synchronous covert channel, as well! AB 1- Src = B, Dst = V Data = *Key* 2- Src = V, Dst = B Data = *Key* *Key* V

10 Copyright 2002 Security Verification, Inc. All rights reserved. Moon-Bounce Dispersal A B <255 Hops C V1 V3 V4 V2 Ad Infinitum 1 st pkt 2 nd pkt … <255 Hops

11 Copyright 2002 Security Verification, Inc. All rights reserved. Moon-Bounce Accomplishes 1. Possible data dispersal over 1020 hops (255 x 4) per co-operating Host! (as long as routes are chosen carefully) 2. Double your pleasure! (double hops available utilizing spoofing) 3. Delayed packet releases over mulitple routes ensures intermediary Hosts capable of detecting failure and responding!

12 Copyright 2002 Security Verification, Inc. All rights reserved. Conclusions 1.Stealth Data Dispersal is possible utilizing current TCP/IP Protocol manipulation 2.It can be achieved very efficiently 3.It can very stealthy and should be able to bypass most defenses unhindered 4.The ICMP Moon-bounce has been rumored to be used as a covert channel by dark government agencies!!! Further research on using Multicast/IGMP and proof of concept tools, etc currently under way @ http://SecurityV.com/research Thank you!

Download ppt "Stealth Data Dispersion ICMP Moon-Bounce Saqib A. Khan, Principal Latest"

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)

CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)
SYSTEM ADMINISTRATION Chapter 19

SYSTEM ADMINISTRATION Chapter 19
Part IV: Multilayer Switching

Part IV: Multilayer Switching
Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP)
© 2007 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.1 Computer Networks and Internets with Internet Applications, 4e By Douglas.

© 2007 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.1 Computer Networks and Internets with Internet Applications, 4e By Douglas.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.

1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.

ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.
Internet Command Message Protocol (ICMP) CS-431 Dick Steflik.

Internet Command Message Protocol (ICMP) CS-431 Dick Steflik.
1 ICMP – Using Ping and Trace CCNA Semester 2. 2 172.30.1.20 172.30.1.25.

1 ICMP – Using Ping and Trace CCNA Semester
CMPT 471 Networking II Address Resolution IPv6 Neighbor Discovery 1© Janice Regan, 2012.

CMPT 471 Networking II Address Resolution IPv6 Neighbor Discovery 1© Janice Regan, 2012.
Connecting Networks © 2004 Cisco Systems, Inc. All rights reserved. Defining the IP Packet Delivery Process INTRO v2.0—4-1.

Connecting Networks © 2004 Cisco Systems, Inc. All rights reserved. Defining the IP Packet Delivery Process INTRO v2.0—4-1.
21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
CCNA Introduction to Networking 5.0 Rick Graziani Cabrillo College

CCNA Introduction to Networking 5.0 Rick Graziani Cabrillo College
ITIS 6167/8167: Network Security Weichao Wang. 2 Contents ICMP protocol and attacks UDP protocol and attacks TCP protocol and attacks.

ITIS 6167/8167: Network Security Weichao Wang. 2 Contents ICMP protocol and attacks UDP protocol and attacks TCP protocol and attacks.

Similar presentations

Ads by Google