Chapter 3 Time-to-live Covert Channels - CAIA

More documents

Recommendations

Info

CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS is limited to single flows. Our testbed consisted of two computers 6 connected via a Fast Ethernet switch. Alice and Bob were co-located with the actual sender and receiver, but they could have been middlemen. We used different applications with different packet rates as overt traffic. We used scp to perform file transfers capped at 2 Mbit/s, and SSH to perform remote interactive shell sessions (recorded and repeatedly played back with XMacro [187]). We generated game traffic using Quake III Arena (Q3) [188], with bots as players. These applications represent bulk transfer, interactive and real-time traffic classes. Each experiment lasting 20 minutes was repeated three times and we report the aver- age throughput. We emulated packet loss and reordering rates of 0%, 0.1%, 0.5% and 1% using Linux Netem [189]. For both we configured a correlation of 25% [189], because in the Internet packet loss and reordering are typically bursty. The delay was set to fixed 25 ms in each direction, except for the experiments with reordering. With Netem’s packet reordering the resulting bit error rate depends not only on the configured reordering rate, but also on the configured delay and the traffic’s inter-packet times [189]. We used different delays for the different applications to achieve similar error rates, but scp still experienced slightly higher error rates than Q3 and SSH. We verified the accuracy of Netem prior to performing the experiments (see Appendix F). As we showed in Section 3.1 TTL noise basically falls into two categories: deterministic and random. Since deterministic noise generally only occurs at the start and end of flows it would not have much impact here given the long duration of the flows. Hence we used CCHEF to emulate uniformly random TTL noise with Normal-distributed amplitudes using error rates of 0%, 0.001%, 0.1% and 1%. We only used the MED modulation scheme but limited tests indicated a similar perfor- mance of the DED scheme. Without packet loss and reordering the non-deletion technique was used to provide reliable transport. Otherwise the marker-based technique was used. For simplicity we used the same codes for the different applications. In the experiments with packet reordering the codes were dimensioned for scp, and hence they were slightly less efficient for Q3 and SSH. The code parameters are given in Appendix B.11. The encoding parameters were manually tuned according to the error rates in the different scenarios with the goal of achieving a very low block corruption rate with FEC alone. As before we computed the actual throughput assuming a FEC+ARQ scheme with a target block corruption rate of 1 −9 . Because we used relatively high redundancies, in all experiments the block corruption rate was below 0.5% with FEC alone. In most experiments it was actually zero. 6 An Intel Celeron 2.4 GHz with 256MB RAM and an Intel Celeron 3.0 GHz with 1GB RAM, both running Linux 2.6.18. 69
Throughput (bits/s) 200 150 100 50 0 ● ● CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS ● ● ● ● scp A−>B scp B−>A Q3 A−>B Q3 B−>A 0.000 0.002 0.004 0.006 0.008 0.010 TTL error rate SSH A−>B SSH B−>A Figure 3.25: Throughput depending on the TTL error rate for 0% packet loss and reordering Throughput (bits/s) 200 150 100 50 0 ● ● ● ● scp A−>B scp B−>A ● ● ● ● Q3 A−>B Q3 B−>A 0.0 0.2 0.4 0.6 0.8 1.0 Packet loss rate ● ● SSH A−>B SSH B−>A Figure 3.26: Throughput depending on the packet loss rate with 0.1% TTL error rate and 0% packet reordering We used smaller code lengths for the testbed experiments to increase the total number of blocks, given that the packet rates were much smaller than the rates in the traces. Because of the smaller block sizes and the higher redundancies the code rates are smaller than in the trace-file analysis. Figure 3.25, 3.26 and 3.27 show the throughput for the different applications and error rates. For scp the data was transferred from Alice to Bob and hence the rate of overt packets in that direction is higher. For Q3 the throughput from Alice to Bob is much larger, as Alice’s host running the Q3 client sent one packet every 10–20 ms, but Bob’s host running the server only sent one packet every 50 ms [190]. SSH throughput is roughly symmetric with the used shell commands. Figure 3.28 shows the percentage of the channel capacity reached for the different applications averaged over both directions. The percentage should be roughly equal for all applications. However, SSH performs worse since the number of data blocks transmitted 70 ● ●
Page 1 and 2: Chapter 3 CHAPTER 3. TIME-TO-LIVE C
Page 3 and 4: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 5 and 6: Proportion ≤≤ x 1.0 0.8 0.6 0.4
Page 11 and 12: Capacity (bits/packet) 1.00 0.95 0.
Page 13 and 14: 0 1 1-p L 1-p L p L p L CHAPTER 3.
Page 21 and 22: Algorithm 3.3 Block decoding algori
Page 23 and 24: Error rate 1e−02 1e−04 1e−06
Page 27 and 28: Proportion ≤ x 1.0 0.8 0.6 0.4 0.
Page 29 and 30: Block corruption rate Block corrupt
Page 31: Throughput (bits/s) 60 50 40 30 20

Chapter 3 Time-to-live Covert Channels - CAIA

Create successful ePaper yourself

Delete template?

Save as template?