Chapter 3 Time-to-live Covert Channels - CAIA

More documents

Recommendations

Info

Proportion ≤≤ x 1.00 0.95 0.90 0.85 CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS 0 10 20 30 40 50 60 Number of distinct TTLs CAIA GrangeNet Twente Waikato Bell Leipzig Figure 3.1: Distribution of the number of distinct TTL values per flow Proportion ≤ x 1.00 0.95 0.90 0.85 0.80 CAIA GrangeNet Twente Waikato Bell Leipzig 0 10 20 30 40 50 Amplitude of estimated hop count change Figure 3.2: Distribution of the estimated hop count amplitude of packet pairs initial TTLs, the most common being: 64 (Linux, FreeBSD), 128 (Windows), 255 (Cisco) [167, 168]. Therefore, the difference of two TTLs is 64, 127, or 191 plus/minus the number of hops between middlebox and host. Because of this effect TTL changes are more likely at the start or end of TCP flows. Figure 3.2 shows the CDFs of the amplitude of the estimated hop counts of packet pairs, defined as the difference between estimated maximum and minimum hop counts. The hop count is estimated by subtracting a packet’s TTL value from the closest initial TTL. For most packet pairs with TTL changes the hop count changes only by one. 3.1.4 Frequency of changes Figure 3.3 shows CDFs of the number of TTL changes per flow. For most datasets the majority of flows only have very few TTL changes. But a large percentage of flows in 41
Proportion ≤≤ x 1.0 0.8 0.6 0.4 0.2 0.0 CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS CAIA GrangeNet Twente 0 5 10 15 20 Number of TTL changes Waikato Bell Leipzig Figure 3.3: Distribution of number of TTL changes per flow (x-axis limited to 20 changes) Proportion ≤ x 1.0 0.8 0.6 0.4 0.2 0.0 0.0 0.2 0.4 0.6 0.8 1.0 Frequency of TTL change (1/packet_pair) CAIA GrangeNet Twente Waikato Bell Leipzig Figure 3.4: Distribution of frequency of TTL changes for flows with at least six TTL changes the CAIA trace have a large number of changes, because the trace contains many long flows that have roughly periodic TTL changes of unknown origin. Shorter flows are predominant in all other traces. Figure 3.4 depicts the CDFs of the change frequency for flows with at least six TTL changes. The TTL change frequency of a flow is defined as the number of TTL changes divided by the number of packet pairs. CAIA and Grangenet traces have very low frequencies. Twente, Leipzig, Waikato and Bell have higher frequencies, with roughly half of the flows changing TTL on average every third to second packet pair. 3.1.5 Error probability distribution We define a TTL error as deviation of the TTL value of a packet from the most common value of the TTL during the life of a flow. Let the most common TTL value be TTLnorm. 42
Page 1 and 2: Chapter 3 CHAPTER 3. TIME-TO-LIVE C
Page 3: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 7 and 8: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 11 and 12: Capacity (bits/packet) 1.00 0.95 0.
Page 13 and 14: 0 1 1-p L 1-p L p L p L CHAPTER 3.
Page 21 and 22: Algorithm 3.3 Block decoding algori
Page 23 and 24: Error rate 1e−02 1e−04 1e−06
Page 27 and 28: Proportion ≤ x 1.0 0.8 0.6 0.4 0.
Page 29 and 30: Block corruption rate Block corrupt
Page 31 and 32: Throughput (bits/s) 60 50 40 30 20
Page 33 and 34: Throughput (bits/s) 200 150 100 50

Chapter 3 Time-to-live Covert Channels - CAIA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?