Difference between revisions of "Hidden channels"

From Forensics Wiki
Jump to: navigation, search
(Detection of hidden channels)
m
Line 11: Line 11:
  
 
* IP ID;
 
* IP ID;
* TCP SEQ/ACK numbers;
+
* TCP ISN;
 
* TCP options;
 
* TCP options;
 +
* DNS ID;
 +
* HTTP cookie;
 
* etc.
 
* etc.
  
Line 19: Line 21:
 
Generally, it is impossible to detect well-designed hidden channels by means of traffic analysis. For example, information hidden within TLS ''Client/Server Hello'' random bytes in encrypted form cannot be distinguished from bytes produced by secure random number generator.
 
Generally, it is impossible to detect well-designed hidden channels by means of traffic analysis. For example, information hidden within TLS ''Client/Server Hello'' random bytes in encrypted form cannot be distinguished from bytes produced by secure random number generator.
  
However, it is possible to detect hidden channels by detecting attendant events, such as successful intrusion attempts.
+
However, it is possible to detect hidden channels by detecting attendant events, such as successful intrusion attempts. Some hidden channels produce network anomalies, for example, hidden channels using DNS ID to hide information may produce large number of DNS queries without further communication between hosts.
  
 
== External Links ==
 
== External Links ==
  
 
* [http://www.firstmonday.org/issues/issue2_5/rowland/ Covert Channels in the TCP/IP Protocol Suite]
 
* [http://www.firstmonday.org/issues/issue2_5/rowland/ Covert Channels in the TCP/IP Protocol Suite]
 +
* [http://www.sans.org/reading_room/whitepapers/covert/ SANS InfoSec Reading Room - Covert Channels]
  
 
[[Category:Network Forensics]]
 
[[Category:Network Forensics]]
 
[[Category:Steganography]]
 
[[Category:Steganography]]

Revision as of 12:09, 23 October 2008

Hidden channels (covert channels) are communication channels that transmit information without the authorization or knowledge of the channel's designer, owner, or operator.

Contents

Common Uses

  • Bypassing network filters;
  • Bypassing network sniffers.

Techniques

Information can be hidden within:

  • IP ID;
  • TCP ISN;
  • TCP options;
  • DNS ID;
  • HTTP cookie;
  • etc.

Detection of hidden channels

Generally, it is impossible to detect well-designed hidden channels by means of traffic analysis. For example, information hidden within TLS Client/Server Hello random bytes in encrypted form cannot be distinguished from bytes produced by secure random number generator.

However, it is possible to detect hidden channels by detecting attendant events, such as successful intrusion attempts. Some hidden channels produce network anomalies, for example, hidden channels using DNS ID to hide information may produce large number of DNS queries without further communication between hosts.

External Links