Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Covert Channels

From: Jeff Nathan <jeff () wwti com>
Date: Fri, 18 Oct 2002 09:34:52 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --On Friday, October 18, 2002 21:45:01 +1000 Darryl Luff 
<darryl () snakegully nu> wrote:
[...]


I imagine that the easiest way would be to pick an unknown IP or TCP
option number and insert your own options field into the IP or TCP
header. This keeps your data separate from the TCP connection data. I
think that an option field can be up to 253 bytes of data?

Do any IDS systems trigger on unrecognised option fields?


Darryl Luff


In TCP and IP headers, the options length is limited to 40 bytes as the 
header length field is 4 bits in length.

Many NIDS make a respectable attempt at normalizing and parsing options 
data contextually.

- -Jeff

- --
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- - Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9sDgwEqr8+Gkj0/0RAjseAJwLBvokhPedulRqI2xa8/lF4vAvxACfRwSa
++woesdmHZXyZ8HD1JiLlZY=
=uNz9
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: