Chapter 3 Time-to-live Covert Channels - CAIA
CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS
infrequent random changes (possibly route changes or anomalies) and flows with frequent random TTL changes (possibly load balancing or route flaps). A more detailed discussion is in [9].
This variety makes it more difficult for covert channels to mimic normal change patterns well. On the other hand it also makes it potentially more difficult for the warden to detect abnormal flows caused by the covert channel.
3.2 Modulation schemes
At the heart of the covert channel is the modulation scheme that defines how covert bits are encoded in TTL values. We first present previously proposed modulation schemes and discuss their shortfalls. Then we present our novel improved modulation schemes. Finally, we discuss implementation issues.
3.2.1 Existing techniques
We group the existing modulation techniques into three classes:
• Direct encoding encodes bits directly into bits of the TTL field.
• Mapped encoding encodes bits by mapping bit values to TTL values.
• Differential encoding encodes bits as changes between subsequent TTL values.
Qu et al. described two techniques [95]. The first technique encodes one covert bit directly into the least significant bit of TTL values. Because this potentially increases the original TTL values we refer to the scheme as Direct Encoding Increasing (DEI). The second method encodes bits into TTLs using mapped encoding. The original TTL value represents a logical zero and a TTL value increased by an integer ∆ represents a logical one (see Figure 3.6). We refer to this technique as Mapped Encoding Increasing (MEI).
Lucena et al. proposed modulating the IPv6 Hop Limit field (TTL equivalent in IPv6) using differential encoding [61]. A logical one is encoded as TTL increase by ∆ and a logical zero is encoded as TTL decrease by ∆ (see Figure 3.7). Because there is no limit on how much the original TTL value can change we refer to this scheme as Differential Unbounded (DUB).
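The three schemes above, modelled on plain integer TTL values as an added example that is not taken from the thesis: it shows which values each scheme produces and counts those a warden could flag as above the sender's normal TTL or outside the 8-bit field. The function names, the unmodified reference packet in DUB, the minimum-based MEI decoder and the sample bits are assumptions, and hop decrements along the path are ignored.

```python
MAX_TTL = 255  # the IPv4 TTL / IPv6 Hop Limit field is 8 bits wide

def dei_encode(ttl, bits):
    """DEI: write each covert bit into the least significant bit of the TTL."""
    return [(ttl & 0xFE) | b for b in bits]

def dei_decode(ttls):
    # Model assumption: values are read as sent (no hop decrements applied).
    return [t & 1 for t in ttls]

def mei_encode(ttl, bits, delta=1):
    """MEI: the original TTL is a zero, the original TTL + delta is a one."""
    return [ttl + delta * b for b in bits]

def mei_decode(ttls):
    # Assumption: the lowest TTL seen in the flow is the symbol for zero.
    low = min(ttls)
    return [int(t > low) for t in ttls]

def dub_encode(ttl, bits, delta=1):
    """DUB: a one raises the previous TTL by delta, a zero lowers it by delta."""
    out = [ttl]  # assumption: the first packet is an unmodified reference
    for b in bits:
        out.append(out[-1] + (delta if b else -delta))
    return out

def dub_decode(ttls):
    return [int(cur > prev) for prev, cur in zip(ttls, ttls[1:])]

def audit(original, sent):
    """Count values above the sender's normal TTL and values the field cannot hold."""
    return {
        "above_original": sum(t > original for t in sent),
        "out_of_field": sum(not 0 <= t <= MAX_TTL for t in sent),
    }

if __name__ == "__main__":
    bits = [1, 1, 0, 1, 1, 1, 0, 1]  # constructed covert bits
    schemes = (("DEI", dei_encode), ("MEI", mei_encode), ("DUB", dub_encode))
    for original in (64, 255):  # 255 is the maximum initial TTL
        for name, encode in schemes:
            sent = encode(original, bits)
            print(name, original, sent, audit(original, sent))
```

With an original TTL of 255, MEI and DUB ask for values the field cannot represent, and a long run of ones makes DUB drift arbitrarily far from the original value.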
Qu and Lucena both proposed encoding information by increasing the original TTL value. This is problematic for passive senders because it violates the IP standard [89] and would cause problems if routing loops occur. It also means these techniques cannot be used if the original TTL value already is the maximum value (some operating systems use an initial TTL of 255 [167, 168]). Increasing an already high TTL value would cause the