ATTENTION: The new home of the Digital Forensics Wiki is at Yeah, it's a silly name, but it was cheap.
This wiki will be going offline permanently in the near future. An exact date will be announced soon. Thank you for being a part of this community.
If you wish to work on the new forensicswiki, please join the Google Group forensicswiki-reborn

Difference between revisions of "Hidden channels"

From ForensicsWiki
Jump to: navigation, search
(One intermediate revision by the same user not shown)
Line 25: Line 25:
== External Links ==
== External Links ==
* [ Covert Channels in the TCP/IP Protocol Suite]
* [ Wikipedia: Covert channel]
* [ Unusual firewall bypassing techniques, network and computer security]
* [ SANS InfoSec Reading Room - Covert Channels]
* [ SANS InfoSec Reading Room - Covert Channels]
[[Category:Network Forensics]]
[[Category:Network Forensics]]

Latest revision as of 15:42, 17 February 2009

Hidden channels (covert channels) are communication channels that transmit information without the authorization or knowledge of the channel's designer, owner, or operator.

Common Uses

  • Bypassing network filters;
  • Bypassing network sniffers.


Information can be hidden within:

  • IP ID;
  • TCP ISN;
  • TCP options;
  • DNS ID;
  • HTTP cookie;
  • etc.

Detection of hidden channels

Generally, it is impossible to detect well-designed hidden channels by means of traffic analysis. For example, information hidden within TLS Client/Server Hello random bytes in encrypted form cannot be distinguished from bytes produced by secure random number generator.

However, it is possible to detect hidden channels by detecting attendant events, such as successful intrusion attempts. Some hidden channels produce network anomalies, for example, hidden channels using DNS ID to hide information may produce large number of DNS queries without further communication between hosts.

External Links