Chapter 3 Time-to-live Covert Channels - CAIA

More documents

Recommendations

Info

CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS Table 3.1: Packet traces used in the analysis Trace Capture location Date Public CAIA Public game server at Swinburne University, Melbourne, Australia Grangenet Public game server connected to Grangenet, Canberra, Australia 05/2005 – 06/2006 no 05/2005 – 06/2006 no Twente Uplink of ADSL access network [165] 07/02/2004 – 12/02/2004 yes Leipzig Access router at Leipzig University [166] 21/02/2003 yes Bell Firewall at Bell Labs [166] 19/05/2002 – 20/05/2002 yes Waikato Access router at University of Waikato, New Zealand 04/05/2005 no We evaluate the throughput of the developed reliable transport technique for aggregate overt traffic taken from traces under different simulated network conditions. We also analyse the throughput across a real network with different rates of TTL errors, overt packet loss and reordering, using single overt traffic flows as carrier. Comparison of the results with the channel capacity shows that our technique is not optimal, but it provides throughputs of at least 50% of the capacity, except in the case of high reordering. The throughput is up to over hundred bits per second. 3.1 Normal TTL variation First we analyse ‘normal’ TTL variation (TTL noise). We analyse how TTL varies at small time scales of subsequent packets of traffic flows (series of packets with the same IP addresses, ports, and protocol) and not only focus on variation caused by path changes as previous work [161, 162, 163, 164]. An extended version of this study is in [9]. 3.1.1 Datasets and methodology We use packet traces of different size, origin and date for our analysis (see Table 3.1). The CAIA trace contains only game traffic arriving at a public game server, the Grangenet trace contains game and web traffic arriving at a specific server, and the other traces contain a mix of bidirectional traffic. Usually analysis of network traffic is based on packet flows. Because we found the number of TTL changes is correlated with the number of packets and the duration of flows, we analyse many characteristics of TTL changes based on packet pairs, defined as two subsequent packets of a flow. This isolates the characteristic under study (e.g. estimated hop count) from correlated flow properties (e.g. size and duration). However, for analysis requiring a sequence of packets we still use flows (e.g. in Section 3.1.4). 39
CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS Table 3.2: Flows and packet pairs with/without TTL changes and percentage of changes Flows Packet pairs No change (kilo) Change (kilo) Change (%) No change (Mega) Change (kilo) Change (%) CAIA 128.6 2.8 2.1 1 456.3 340.0 0.02 Grangenet 283.0 8.6 2.9 215.7 62.1 0.03 Twente 1 354.6 24.7 1.8 95.5 74.8 0.08 Waikato 1 255.9 57.8 4.4 21.2 86.4 0.4 Bell 899.8 52.9 5.6 36.4 87.1 0.2 Leipzig 7 155.1 429.1 5.7 365.5 1 822.7 0.5 First, packets were grouped into unidirectional flows according to IP addresses, port numbers and protocol (each being a series of packet pairs). We only considered flows with at least four packets (‘minimum’ TCP flow) and an average packet rate of at least one packet per second. We extracted the series of TTL values from the IP headers. If different TTL values occur in a flow or between packet pairs this is referred to as TTL change. Otherwise we refer to the TTL being constant. 3.1.2 Amount of TTL variation Table 3.2 shows the number and the percentage of flows and packet pairs with and without TTL changes (numbers are rounded). Overall, the TTL is constant for the majority of flows, but 2–6% of flows do experience TTL changes. The percentage of packet pairs with TTL changes is between 0.02–0.5%. This shows that if there is TTL variation in flows, changes occur only for a very small number of the flows’ packet pairs. 3.1.3 Distinct values and change amplitudes Figure 3.1 shows the cumulative density functions (CDFs) of the number of distinct TTL values per flow. Most flows with TTL variation have only two distinct TTL values. Only less than 10% of the flows have more than two values and flows with more than five different TTLs are very rare, except in the CAIA trace. We examined CDFs of the amplitude of TTL changes of packet pairs, where the amplitude is defined as the difference between the maximum and the minimum TTL value. The amplitude is one for many packet pairs, but in some traces large numbers of packet pairs have amplitudes around 64, 127, or 191 [9]. The reason for these high amplitudes is middleboxes, such as firewalls or proxies, (re)sending packets part of the TCP handshake or teardown on behalf of end hosts (e.g. for SYN flood attack protection). The TTLs in these packets are set to the initial TTL of the middlebox, which can differ from the initial TTL used by the host. Different operating systems use different 40
Page 1: Chapter 3 CHAPTER 3. TIME-TO-LIVE C
Page 5 and 6: Proportion ≤≤ x 1.0 0.8 0.6 0.4
Page 7 and 8: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 11 and 12: Capacity (bits/packet) 1.00 0.95 0.
Page 13 and 14: 0 1 1-p L 1-p L p L p L CHAPTER 3.
Page 21 and 22: Algorithm 3.3 Block decoding algori
Page 23 and 24: Error rate 1e−02 1e−04 1e−06
Page 27 and 28: Proportion ≤ x 1.0 0.8 0.6 0.4 0.
Page 29 and 30: Block corruption rate Block corrupt
Page 31 and 32: Throughput (bits/s) 60 50 40 30 20
Page 33 and 34: Throughput (bits/s) 200 150 100 50

Chapter 3 Time-to-live Covert Channels - CAIA

Create successful ePaper yourself

Delete template?

Save as template?