Re: Detecting covert data channels?

[Kowsik <kowsik () gmail com>]

Try this: http://www.icir.org/vern/papers/backdoor/

It works like a charm. It mostly uses heuristics (packet lengths and
frequency of small packets) and doesn't care about the contents of the
packets.

The main caveat, though, is that this algorithm picks up an
interactive backdoor (someone typing something over an encrypted
channel), not a scripted one

K.

On 5/25/07, Joff Thyer <jsthyer () gmail com> wrote:
> It is reasonably trivial to encode data within packet headers, and
> even encrypt said data as most are probably aware.  There are past
> examples where control information has been sent within ICMP and other
> packets using header fields.
>
> My question surrounds detection; given that IDS tends to be payload
> focused, if a covert channel exists that has encrypted data in a
> packet header, how do we go about detecting it?
>
> My initial thought leans toward the fact that encrypted data blocks
> are statistically flat over time.  Given say 'snort', how can we use
> this idea?   I am not a snort expert by any means, so please no
> flames!
>
> I would be happy to summarize opinions.
>
> -Joff Thyer
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------