Difference between pages "Hidden channels" and "Talk:Dd"

From ForensicsWiki

Edit summary ("Hidden channels"): m (removed dead link, added new links)

Edit summary ("Talk:Dd"): (New page: Let's Talk DD ! I have experienced major performance issues with DD and cannot find valid justifications for that. Playing with many different parameters (bs, nosync, noerror, ...) I ha...)

'''Hidden channels''' (covert channels) are communication channels that transmit information without the authorization or knowledge of the channel's designer, owner, or operator.

== Common Uses ==

* Bypassing network filters;
* Bypassing network [[Sniffer|sniffers]].

== Techniques ==

Information can be hidden within:

* IP ID;
* TCP ISN;
* TCP options;
* DNS ID;
* HTTP cookie;
* etc.

== Detection of hidden channels ==

Generally, it is impossible to detect well-designed hidden channels by means of traffic analysis. For example, information hidden, in encrypted form, within the random bytes of a TLS ''Client/Server Hello'' cannot be distinguished from bytes produced by a secure random number generator.
However, it is possible to detect hidden channels by detecting attendant events, such as successful intrusion attempts. Some hidden channels produce network anomalies; for example, hidden channels that use the DNS ID to hide information may produce a large number of DNS queries without further communication between the hosts.
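The DNS-ID anomaly just described, a host that issues many DNS queries but never follows them with any other traffic, can be scored from flow records. The Python below is an added example, not code from the original ForensicsWiki page; the flow-record format, the host addresses and the thresholds are constructed assumptions for illustration, and the sample log is generated inline so the script runs offline.

```python
import re
from collections import defaultdict

# Assumed flow-record format for this example (constructed, not any real tool's output):
#   "<timestamp> <src_ip> <dst_ip> <proto>/<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>tcp|udp)/(?P<port>\d+)$"
)


def build_sample_log():
    """Constructed flow records covering three hosts (all addresses are made up)."""
    lines = []
    # 10.0.0.5: the normal pattern, a lookup followed by a connection to the resolved host.
    for i in range(4):
        lines.append(f"2008-10-11T17:12:{i:02d} 10.0.0.5 10.0.0.53 udp/53")
        lines.append(f"2008-10-11T17:12:{i:02d} 10.0.0.5 93.184.216.34 tcp/443")
    # 10.0.0.7: many lookups, but plenty of follow-up traffic too (busy client, not suspicious).
    for i in range(25):
        lines.append(f"2008-10-11T17:13:{i:02d} 10.0.0.7 10.0.0.53 udp/53")
        if i % 2 == 0:
            lines.append(f"2008-10-11T17:13:{i:02d} 10.0.0.7 93.184.216.34 tcp/80")
    # 10.0.0.9: forty DNS queries and nothing else, the anomaly the article describes.
    for i in range(40):
        lines.append(f"2008-10-11T17:14:{i:02d} 10.0.0.9 10.0.0.53 udp/53")
    return "\n".join(lines)


def parse_flows(text):
    """Parse flow records into (timestamp, src, dst, proto, port) tuples; reject malformed lines."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable flow record: {line!r}")
        flows.append((m["ts"], m["src"], m["dst"], m["proto"], int(m["port"])))
    return flows


def profile_hosts(flows, dns_port=53):
    """Per source host, count DNS queries separately from every other flow."""
    stats = defaultdict(lambda: {"dns": 0, "other": 0})
    for _ts, src, _dst, proto, port in flows:
        if proto == "udp" and port == dns_port:
            stats[src]["dns"] += 1
        else:
            stats[src]["other"] += 1
    return dict(stats)


def flag_dns_only_talkers(stats, min_queries=20, max_other_ratio=0.05):
    """Return hosts with at least min_queries DNS queries whose non-DNS flow count is
    at most max_other_ratio times the DNS count, i.e. DNS traffic with no follow-up.
    The thresholds are illustrative; tune them to the baseline of the monitored network."""
    flagged = []
    for host, s in sorted(stats.items()):
        if s["dns"] >= min_queries and s["other"] <= max_other_ratio * s["dns"]:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    stats = profile_hosts(parse_flows(build_sample_log()))
    for host, s in sorted(stats.items()):
        print(f"{host:10} dns={s['dns']:3} other={s['other']:3}")
    print("hosts to review:", flag_dns_only_talkers(stats))
```

A host reported by `flag_dns_only_talkers` is a lead for the analyst, not proof of a covert channel: a forwarding resolver or a monitoring probe is DNS-only by design and will trip the same rule, so pair the score with an allow list and with the other attendant evidence (intrusion alerts, host artifacts) the paragraph above mentions.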

== External Links ==

* [http://en.wikipedia.org/wiki/Covert_channel Wikipedia: Covert channel]
* [http://www.fas.org/irp/nsa/rainbow/tg030.htm NCSC-TG-030: A Guide to Understanding Covert Channel Analysis of Trusted Systems]
* [http://gray-world.net/ Unusual firewall bypassing techniques, network and computer security]
* [http://www.sans.org/reading_room/whitepapers/covert/ SANS InfoSec Reading Room - Covert Channels]

[[Category:Network Forensics]]
[[Category:Steganography]]

Talk:Dd, revision as of 17:12, 11 October 2008

Let's Talk DD !

I have experienced major performance issues with DD and cannot find valid justifications for that.

Playing with many different parameters (bs, nosync, noerror, ...), I always get fairly much the same results:

* First few seconds are 3.4 GB/min
* Then a massive drop to 50 MB/min
* Copying NULs does not reproduce the above symptoms and speed is stable at 3.4 GB/min.

I see in blogs that I am not the only one with this issue but cannot find an answer...