Chapter 3 Time-to-live Covert Channels - CAIA

More documents

Recommendations

Info

Density 1e+00 5e−01 1e−01 5e−02 1e−02 5e−03 1e−03 5e−04 1e−04 5e−05 1e−05 5e−06 1e−06 5e−07 1e−07 −100 −50 0 50 100 TTL error CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS Density 1e+00 5e−01 1e−01 5e−02 1e−02 5e−03 1e−03 5e−04 1e−04 5e−05 1e−05 5e−06 1e−06 5e−07 1e−07 −200 −100 0 100 200 TTL error Figure 3.5: TTL error distribution for the CAIA trace (left) and Leipzig trace (right) Then for a packet i of a flow a TTL error occurs if TTLi TTLnorm. We computed the error probability distribution based on the trace files. Figure 3.5 shows the TTL error distributions for the CAIA and Leipzig traces (other graphs are in Appendix B.1). The average error probability for CAIA is only 0.02% compared to 0.5% for Leipzig (see Table 3.2). Note that the y-axis is logarithmic and we only show error rates above 1 −7 . Error values are largely confined between −200 and 200, and the error probability does not monotonically decrease with increasing TTL error. For datasets containing TCP traffic there are the characteristic peaks around ±64, ±128 and ±191 described earlier. The error probability distributions vary significantly between traces and the empirical distributions cannot be easily modelled with standard statistical distributions. 3.1.6 Conclusions Overall the amount of TTL variation is relatively small. Less than 1% of the packet pairs and less than 6% of the flows experience TTL changes. This provides a good opportunity for TTL covert channels. Normal TTL variation is common enough to not raise suspicion, but not frequent enough to cause high error rates on the channel. Most normal flows with TTL changes have only two distinct TTL values with a hop count difference of one and there are only a few transitions between different TTLs. This means to avoid detection the covert channel should generally only use two different TTL values that differ by one and avoid very frequent changes. Most TTL changes are of deterministic nature, meaning the changes occur in specific packet pairs of a flow. For example, in many TCP flows packets part of the TCP handshake or teardown have TTL values that differ from the other TTLs in the flow (see Section 3.1.3). However, there are also flows with approximately periodic changes, flows with 43
CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS infrequent random changes (possibly route changes or anomalies) and flows with frequent random TTL changes (possibly load balancing or route flaps). A more detailed discussion is in [9]. This variety makes it more difficult for covert channels to mimic normal change pat- terns well. On the other hand it also makes it potentially more difficult for the warden to detect abnormal flows caused by the covert channel. 3.2 Modulation schemes At the heart of the covert channel is the modulation scheme that defines how covert bits are encoded in TTL values. We first present previously proposed modulation schemes and discuss their shortfalls. Then we present our novel improved modulation schemes. Finally, we discuss implementation issues. 3.2.1 Existing techniques We group the existing modulation techniques into three classes: • Direct encoding encodes bits directly into bits of the TTL field. • Mapped encoding encodes bits by mapping bit values to TTL values. • Differential encoding encodes bits as changes between subsequent TTL values. Qu et al. described two techniques [95]. The first technique encodes one covert bit directly into the least significant bit of TTL values. Because this potentially increases the original TTL values we refer to the scheme as Direct Encoding Increasing (DEI). The second method encodes bits into TTLs using mapped encoding. The original TTL value represents a logical zero and a TTL value increased by an integer ∆ represents a logical one (see Figure 3.6). We refer to this technique as Mapped Encoding Increasing (MEI). Lucena et al. proposed modulating the IPv6 Hop Limit field (TTL equivalent in IPv6) using differential encoding [61]. A logical one is encoded as TTL increase by ∆ and a logical zero is encoded as TTL decrease by ∆ (see Figure 3.7). Because there is no limit on how much the original TTL value can change we refer to this scheme as Differential Unbounded (DUB). Qu and Lucena both proposed encoding information by increasing the original TTL value. This is problematic for passive senders because it violates the IP standard [89] and would cause problems if routing loops occur. It also means these techniques cannot be used if the original TTL value already is the maximum value (some operating systems use an initial TTL of 255 [167, 168]). Increasing an already high TTL value would cause the 44
Page 1 and 2: Chapter 3 CHAPTER 3. TIME-TO-LIVE C
Page 3 and 4: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 5: Proportion ≤≤ x 1.0 0.8 0.6 0.4
Page 11 and 12: Capacity (bits/packet) 1.00 0.95 0.
Page 13 and 14: 0 1 1-p L 1-p L p L p L CHAPTER 3.
Page 21 and 22: Algorithm 3.3 Block decoding algori
Page 23 and 24: Error rate 1e−02 1e−04 1e−06
Page 27 and 28: Proportion ≤ x 1.0 0.8 0.6 0.4 0.
Page 29 and 30: Block corruption rate Block corrupt
Page 31 and 32: Throughput (bits/s) 60 50 40 30 20
Page 33 and 34: Throughput (bits/s) 200 150 100 50

Chapter 3 Time-to-live Covert Channels - CAIA

Create successful ePaper yourself

Delete template?

Save as template?