Chapter 3 Time-to-live Covert Channels - CAIA
[Figure 3.5, two panels: y-axis Density, logarithmic scale from 1e−07 to 1e+00; x-axis TTL error, −100 to 100 (left panel) and −200 to 200 (right panel)]
Figure 3.5: TTL error distribution for the CAIA trace (left) and Leipzig trace (right)
Then for a packet i of a flow a TTL error occurs if TTL_i ≠ TTL_norm. We computed the error probability distribution based on the trace files.

Figure 3.5 shows the TTL error distributions for the CAIA and Leipzig traces (other graphs are in Appendix B.1). The average error probability for CAIA is only 0.02% compared to 0.5% for Leipzig (see Table 3.2). Note that the y-axis is logarithmic and we only show error rates above 10^−7.

Error values are largely confined between −200 and 200, and the error probability does not monotonically decrease with increasing TTL error. For datasets containing TCP traffic there are the characteristic peaks around ±64, ±128 and ±191 described earlier. The error probability distributions vary significantly between traces, and the empirical distributions cannot be easily modelled with standard statistical distributions.
3.1.6 Conclusions
Overall the amount of TTL variation is relatively small. Less than 1% of the packet pairs and less than 6% of the flows experience TTL changes. This provides a good opportunity for TTL covert channels: normal TTL variation is common enough not to raise suspicion, but not frequent enough to cause high error rates on the channel.

Most normal flows with TTL changes have only two distinct TTL values with a hop count difference of one, and there are only a few transitions between different TTLs. This means that to avoid detection the covert channel should generally only use two different TTL values that differ by one and avoid very frequent changes.

Most TTL changes are of a deterministic nature, meaning the changes occur in specific packet pairs of a flow. For example, in many TCP flows the packets that are part of the TCP handshake or teardown have TTL values that differ from the other TTLs in the flow (see Section 3.1.3). However, there are also flows with approximately periodic changes, flows with
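The two analyses above, the per-packet TTL error distribution of Section 3.1.5 and the flow-level properties (number of distinct TTLs, hop-count span, transition frequency) that the conclusions single out as the signature of normal variation, can be reproduced on a small constructed trace. The following Python is an added example and is not the thesis' own analysis code. It assumes that TTL_norm is the most frequent TTL value within a flow, that the trace is already reduced to (flow id, TTL) pairs in arrival order, and that the flagging thresholds (more than two distinct TTLs, a span above one hop, or transitions in more than 20% of consecutive packet pairs) are reasonable operating points for a monitor; all three are assumptions chosen for illustration, not values from the chapter.

```python
from collections import Counter, defaultdict

# Constructed sample trace: (flow_id, ttl) per packet in arrival order.
# Flow "A": normal, a single TTL throughout.
# Flow "B": normal, two TTLs one hop apart with a single transition
#           (for example a handshake packet that took a different path).
# Flow "C": anomalous, two TTLs one hop apart but alternating every packet.
# Flow "D": anomalous, three distinct TTLs spanning more than one hop.
SAMPLE_TRACE = (
    [("A", 64)] * 10
    + [("B", 63)] + [("B", 64)] * 9
    + [("C", 64), ("C", 63)] * 5
    + [("D", 128), ("D", 126), ("D", 128), ("D", 125), ("D", 128)]
)


def group_by_flow(packets):
    """Collect the TTL sequence of every flow, preserving arrival order."""
    flows = defaultdict(list)
    for flow_id, ttl in packets:
        flows[flow_id].append(ttl)
    return flows


def ttl_norm(ttls):
    """Assumed definition: TTL_norm is the flow's most frequent TTL value.
    Counter.most_common is stable, so on a tie the earliest seen TTL wins."""
    return Counter(ttls).most_common(1)[0][0]


def ttl_error_distribution(packets):
    """Return (Counter of TTL_i - TTL_norm over all packets,
    fraction of packets whose TTL differs from TTL_norm)."""
    errors = Counter()
    total = 0
    for ttls in group_by_flow(packets).values():
        norm = ttl_norm(ttls)
        for ttl in ttls:
            errors[ttl - norm] += 1
            total += 1
    erroneous = sum(c for err, c in errors.items() if err != 0)
    return errors, erroneous / total


def flow_profile(ttls):
    """Flow-level TTL statistics: distinct values, hop span, transitions."""
    distinct = sorted(set(ttls))
    transitions = sum(1 for a, b in zip(ttls, ttls[1:]) if a != b)
    return {
        "packets": len(ttls),
        "distinct": len(distinct),
        "span": distinct[-1] - distinct[0],
        "transitions": transitions,
    }


def flag_flows(packets, max_transition_rate=0.2):
    """Flag flows whose TTL behaviour departs from the profile of normal
    variation: at most two TTLs, one hop apart, rarely switching.
    Thresholds are assumptions for illustration."""
    flagged = {}
    for flow_id, ttls in group_by_flow(packets).items():
        p = flow_profile(ttls)
        reasons = []
        if p["distinct"] > 2:
            reasons.append("more than two TTL values")
        if p["span"] > 1:
            reasons.append("TTL values differ by more than one hop")
        pairs = max(p["packets"] - 1, 1)
        if p["transitions"] / pairs > max_transition_rate:
            reasons.append("frequent TTL transitions")
        if reasons:
            flagged[flow_id] = reasons
    return flagged


if __name__ == "__main__":
    dist, prob = ttl_error_distribution(SAMPLE_TRACE)
    for err in sorted(dist):
        print(f"TTL error {err:+d}: {dist[err]} packets")
    print(f"average error probability: {prob:.4f}")
    for flow_id, reasons in flag_flows(SAMPLE_TRACE).items():
        print(f"flow {flow_id}: {', '.join(reasons)}")
```

On the constructed trace the error distribution is dominated by the zero bin, as in the real traces, and only flows C and D are flagged: C for switching on every packet and D on all three criteria. Flow B, with one handshake-style deviation, passes, which is the behaviour the conclusions describe as common in normal traffic and the reason a monitor cannot simply alert on any TTL change.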