Re: Detecting covert data channels?



Try this: http://www.icir.org/vern/papers/backdoor/

It works like a charm. It mostly uses heuristics (packet lengths and
frequency of small packets) and doesn't care about the contents of the
packets.

The main caveat, though, is that this algorithm picks up an
interactive backdoor (someone typing something over an encrypted
channel), not a scripted one.

K.

On 5/25/07, Joff Thyer <jsthyer@xxxxxxxxx> wrote:
It is reasonably trivial to encode data within packet headers, and
even encrypt said data as most are probably aware. There are past
examples where control information has been sent within ICMP and other
packets using header fields.

My question surrounds detection; given that IDS tends to be payload
focused, if a covert channel exists that has encrypted data in a
packet header, how do we go about detecting it?

My initial thought leans toward the fact that encrypted data blocks
are statistically flat over time. Given say 'snort', how can we use
this idea? I am not a snort expert by any means, so please no
flames!

I would be happy to summarize opinions.

-Joff Thyer
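As an added example (not from either poster, and not code from the paper linked in the reply), the script below implements simplified, offline forms of both ideas in this thread: the interactive-session heuristic from the reply (a high share of small packets plus keystroke-paced inter-arrival gaps) and the "statistically flat header field" idea from the question, applied to the IP identification field. The packet records, the thresholds, the typing-cadence pattern and the LCG used to stand in for ciphertext in the IP ID are all constructed for illustration and are assumptions, not measured values.

```python
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class Pkt:
    ts: float         # capture timestamp in seconds
    payload_len: int  # transport payload bytes
    ip_id: int        # 16-bit IP identification field


# Thresholds are assumptions for this example, not values from the paper.
SMALL_PAYLOAD = 20            # payload <= this counts as a "small packet"
KEYSTROKE_GAP = (0.05, 2.0)   # inter-arrival gaps typical of human typing


def small_packet_ratio(pkts):
    """Fraction of packets carrying at most SMALL_PAYLOAD bytes."""
    if not pkts:
        return 0.0
    return sum(1 for p in pkts if p.payload_len <= SMALL_PAYLOAD) / len(pkts)


def keystroke_gap_ratio(pkts):
    """Fraction of inter-arrival gaps that fall in the keystroke range."""
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    if not gaps:
        return 0.0
    lo, hi = KEYSTROKE_GAP
    return sum(1 for g in gaps if lo <= g <= hi) / len(gaps)


def looks_interactive(pkts, min_small=0.6, min_gap=0.5):
    """Interactive-session heuristic: mostly small packets, mostly human-paced."""
    return (small_packet_ratio(pkts) >= min_small
            and keystroke_gap_ratio(pkts) >= min_gap)


def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of the given values."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def ip_id_delta_entropy(pkts):
    """Entropy of successive IP-ID differences (mod 2^16).

    Deltas, not raw values, are tested: a sequential IP-ID counter already
    yields all-distinct raw values in a short flow, so raw-value entropy
    would not separate it from ciphertext. Its deltas, however, are constant.
    """
    deltas = [(b.ip_id - a.ip_id) % 65536 for a, b in zip(pkts, pkts[1:])]
    return shannon_entropy(deltas)


def header_field_looks_random(pkts, min_fraction=0.8):
    """Flag a flow whose IP-ID deltas are close to maximally spread."""
    m = len(pkts) - 1
    if m < 8:  # too few samples for the entropy estimate to mean anything
        return False
    return ip_id_delta_entropy(pkts) >= min_fraction * math.log2(m)


def triage(pkts):
    """Return the list of heuristics that fired for one flow."""
    hits = []
    if looks_interactive(pkts):
        hits.append("interactive-session")
    if header_field_looks_random(pkts):
        hits.append("random-looking-ip-id")
    return hits


# --- Constructed sample flows (not captured traffic) -----------------------
GAP_PATTERN = [0.12, 0.35, 0.8, 0.2, 1.4, 0.09, 0.5]  # assumed typing cadence


def interactive_flow(n=30):
    """Someone typing over an encrypted channel: 1-byte payloads, human gaps."""
    pkts, ts = [], 0.0
    for i in range(n):
        ts += GAP_PATTERN[i % len(GAP_PATTERN)]
        pkts.append(Pkt(ts, 1, 1000 + i))
    return pkts


def bulk_flow(n=30):
    """A file transfer: full-size segments, back to back, sequential IP IDs."""
    return [Pkt(i * 0.001, 1448, 2000 + i) for i in range(n)]


def covert_header_flow(n=30):
    """A scripted beacon carrying ciphertext in the IP-ID field.

    The "ciphertext" is simulated with an LCG so the run is deterministic
    (an assumption); only its uniform-looking spread matters here.
    """
    pkts, x = [], 12345
    for i in range(n):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        pkts.append(Pkt(i * 0.01, 0, (x >> 16) & 0xFFFF))
    return pkts


if __name__ == "__main__":
    for name, flow in (("interactive", interactive_flow()),
                       ("bulk", bulk_flow()),
                       ("covert-header", covert_header_flow())):
        print(f"{name:14s} small={small_packet_ratio(flow):.2f} "
              f"gaps={keystroke_gap_ratio(flow):.2f} "
              f"idH={ip_id_delta_entropy(flow):.2f} -> {triage(flow)}")
```

On the constructed flows the interactive heuristic fires only on the typed session and, as the reply's caveat says, misses the scripted beacon, which is instead caught by the header test. Two things to keep in mind before using anything like this for real: it is offline per-flow analysis, not a Snort rule, since Snort's content matching does not compute per-flow statistics like these; and stacks that randomize the IP ID by design will trip the header test too, so it needs a per-host baseline rather than a fixed threshold.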

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
