Learn about covert channels, their importance, examples, and countermeasures in network security. Discover techniques and technology used to hide information within different data representations. Explore successful covert channel strategies and suitable fields in IP, TCP, and UDP headers. Follow a Proof of Concept (PoC) involving TCP and UDP headers for covert communication.
Network Covert Channels Evgeny Pinchuk (evgenyp@radware.com) Radware SOC Team
Agenda
• What are covert channels?
• Importance of network covert channels
• Technique examples
• Available technology
• Countermeasures
Introduction
• The need for secrecy
• Encryption is good only for making data hard to read, not for hiding it
• We can hide information inside channels that are assumed to carry a different kind of data
• Covert channels let us transport information unnoticed, which makes it hard to detect with automated tools
Common Covert Channels
• Steganography
  • Pictures, audio, binary files
• Network
  • Various protocols (e.g. IP, TCP, DNS…)
• Text
  • Word or character substitution
• File systems
  • Hidden files, ADS (alternate data streams)
• Appending data
  • EOF, headers, footers
Successful covert channels
• The packet that contains covert data should look like a regular packet
• Choosing the wrong fields in the packet will make the traffic look anomalous
• Choosing a protocol that is common in the specific network environment aids the covertness of the information
• Bounced traffic makes it harder to trace you back
Suitable fields in IP Header
• Identification field (can be rewritten by some firewalls)
• Source address (if the data will flow only one way)
• IP options (in certain environments)
PoC: http://invisiblethings.org/tools/passivecc_ipid.c by Joanna Rutkowska
Bounced Sequence
Message ‘Hello\n’: A -> B
Each character is multiplied by 255 to give a 16-bit value:
‘H’  0x48 * 255 = 0x47B8
‘e’  0x65 * 255 = 0x649B
‘l’  0x6C * 255 = 0x6B94
‘l’  0x6C * 255 = 0x6B94
‘o’  0x6F * 255 = 0x6E91
‘\n’ 0x0A * 255 = 0x09F6
Two such values are concatenated into each 32-bit sequence number, giving:
Sequence 1: 0x47B8649B
Sequence 2: 0x6B946B94
Sequence 3: 0x6E9109F6
• Host A: 1.1.1.1
• Host B: 2.2.2.2
• Bounce servers:
  • 3.3.3.3
  • 4.4.4.4
  • 5.5.5.5
Bounced Sequence
Host A sends a SYN packet to 3.3.3.3:
  Sequence number – 0x47B8649B
  Acknowledge number – not set
  Source address – 2.2.2.2 (spoofed as Host B)
Host B receives a SYN+ACK packet from 3.3.3.3:
  Sequence number – X (chosen by 3.3.3.3)
  Acknowledge number – 0x47B8649C (our sequence number + 1)
  Destination address – 2.2.2.2
Bounced Sequence – Results
• We succeeded in receiving the encoded sequence number + 1 through a 3rd-party server
• On the 3rd-party server our request looks like a legitimate connection request
• Someone analyzing the traffic on Host B would see what looks like a low-bandwidth reflected denial-of-service attack
Direct transmission through the TCP Header
Good covert places:
• Window field
• Sequence numbers
• Acknowledge numbers
• Source/destination ports
• Urgent pointer (looks anomalous though!)
• TCP options (e.g. timestamps)
UDP Header: advantages and disadvantages
Advantages:
• Connectionless
• 3 out of 4 fields are suitable for covert channels
• Can be bounced
Disadvantages:
• Unreliable!!!
Bounced UDP message
Message ‘Hello\n’: A -> B, encoded the same way as before (character * 255):
‘H’  0x48 * 255 = 0x47B8
‘e’  0x65 * 255 = 0x649B
‘l’  0x6C * 255 = 0x6B94
‘l’  0x6C * 255 = 0x6B94
‘o’  0x6F * 255 = 0x6E91
‘\n’ 0x0A * 255 = 0x09F6
• Host A: 1.1.1.1
• Host B: 2.2.2.2
• Bounce servers:
  • 3.3.3.3
  • 4.4.4.4
  • 5.5.5.5
Bounced UDP message
Host A sends a UDP packet to some port on 3.3.3.3:
  Source address – 2.2.2.2 (spoofed as Host B)
  Source port – 0x47B8
  Checksum – 0x649B
Host B receives an ICMP Port Unreachable message from host 3.3.3.3 that quotes the original IP header plus the first 8 bytes of the datagram, i.e. the whole UDP header, in which the source port and checksum fields contain our covert data.
Bounced UDP message – Results
• We succeeded in receiving the data we encoded, through a different protocol!!!
• We used two fields to hide our data (we could use more, but it would look anomalous)
• We successfully bounced through a 3rd-party server
ICMP Header
• There isn’t much you can do with the ICMP header fields
• People prefer to use the fields of the different ICMP message types
Application Layer
• We cannot bounce an application-layer covert channel over TCP, because the 3-way handshake must complete before any application data is exchanged
• For bounced covert channels we can only use UDP
• Not all software vendors are RFC compliant; hence some applications are unreliable for covert channels
• Numerous protocols available
• Most popular layer for covert channels today
Bouncing through SIP
We send a UDP message with a spoofed source IP address to some SIP server:
INVITE sip:bob@3rdparty-server.com SIP/2.0
Via: SIP/2.0/UDP 2.2.2.2:666;branch=z9hG4bK776asdhds
Max-Forwards: 70
To: Bob <sip:bob@3rdparty-server.com>
From: Alice <sip:alice@host-b.com>;tag=1928301774
Call-ID: a84b4c76e66710@host-b.com
CSeq: 314159 INVITE
Contact: <sip:alice@host-b.com>
Content-Type: application/sdp
Content-Length: 142
The reply is directed to Host B (2.2.2.2, the spoofed source and Via address) and echoes the sequence number (CSeq) we encoded.
Available Technology for Application Layer
• CCTT by Gray World – http://www.gray-world.net/pr_cctt.shtml
• MSNShell by Wei Zheng – http://wei-zheng.3322.org/msnshell/
• IP-over-DNS – http://nstx.dereference.de/
Countermeasures
• Header field rewriting (where possible)
• Protocol anomaly detection
• Understanding how covert channels work
• Analyzing the randomness of numbers in header fields
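As an added example (not from the original slides), here is the last countermeasure applied to the encoding used on the Bounced Sequence and Bounced UDP slides: a small detector that checks whether 16-bit header fields are multiples of 255 with printable quotients, decoding acknowledgement numbers (seq + 1) and UDP port/checksum pairs from constructed sample values.

```python
# Added example (not from the original slides): a detector for the
# "character * 255" header encoding described on the Bounced Sequence and
# Bounced UDP slides, run over constructed sample values. It implements the
# "analyzing the randomness of numbers in header fields" countermeasure.
from typing import List, Optional, Tuple


def decode_half(h: int) -> Optional[str]:
    """Return the character a 16-bit field would carry under c * 255, else None."""
    if h % 255 != 0:
        return None
    c = h // 255
    # Only printable ASCII or a newline is a plausible covert character.
    return chr(c) if 0x20 <= c <= 0x7E or c == 0x0A else None


def decode_pair(hi: int, lo: int) -> Optional[str]:
    """Decode two 16-bit fields (e.g. UDP source port and checksum), or None."""
    a, b = decode_half(hi & 0xFFFF), decode_half(lo & 0xFFFF)
    return None if a is None or b is None else a + b


def decode_word(value: int) -> Optional[str]:
    """Decode a 32-bit field (sequence or acknowledgement number), or None."""
    return decode_pair(value >> 16, value)


def inspect_bounced_acks(acks: List[int], min_hits: int = 2) -> Tuple[bool, str]:
    """Acks in the bounced SYN+ACK are seq + 1, so subtract 1 before decoding.

    Both halves of a random 32-bit value decode with probability of only
    about 2e-6, so a few hits in one set of flows is a strong signal.
    Returns (suspicious, recovered text).
    """
    words = (decode_word((a - 1) & 0xFFFFFFFF) for a in acks)
    text = "".join(w for w in words if w)
    return len(text) // 2 >= min_hits, text


# Constructed sample: the three acks from the slides' "Hello\n" bounce mixed
# with values chosen to look like ordinary randomized ISNs.
SAMPLE_ACKS = [0x47B8649C, 0x9F3E21A7, 0x6B946B95, 0x1C4D83F0, 0x6E9109F7]

if __name__ == "__main__":
    flagged, recovered = inspect_bounced_acks(SAMPLE_ACKS)
    print(flagged, repr(recovered))           # True 'Hello\n'
    print(decode_pair(0x47B8, 0x649B))        # 'He' from the UDP port/checksum pair
```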
The End Questions?
Contact Information Evgeny Pinchuk Email: evgenyp@radware.com