[Dshield] Communication when emails are being watched

Johannes B. Ullrich jullrich at sans.org
Fri Dec 26 15:05:03 GMT 2003


On Fri, 2003-12-26 at 09:26, DAN MORRILL wrote:
> so what we can do is take one of the unassigned ICMP code types
...
> either 7 or anything that does not trigger an IDS

No, wrong direction. It's rather simple for an IDS (or many firewalls
for that matter) to spot an illegal code/type. The idea of a covert
channel is to make the packet look as "regular" as possible.

ICMP Echo is probably as simple as it gets. Other channels are
usually easier to spot, and may not even make it past the
firewall.

Some of the channels I have seen in the wild:

- Loki style ICMP traffic
- port 53 UDP ("DNS like"). Not all that easy to spot, but will
  generate errors if it hits a DNS server. Some IDSs may identify
  the traffic as illegal DNS queries.
- port 80 TCP. Very easy to hide here. I never can make up my mind
  if SOAP / XML-RPC is a covert channel or a legit application ;-)
- IPSEC: strictly speaking it's not a covert channel. But once you've
  got an IPSEC tunnel, an IDS is more or less useless. However, if
  you are not using IPSEC, it's easily blocked and recognized.
- "odd protocols". I have seen them more in DDOS tools (e.g. protocol
  0 or 255). But once in a while people build covert channels around
  this. It may not work well as typically these odd protocols are
  not routed by everyone.
- SEBEK: it is typically used to capture traffic from honeypots without
  the attacker recognizing that they are watched. Requires cooperation
  from the monitored host.


-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org
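
An added example, not part of this list post or its author's work: defender-side heuristics in Python that run the two points made above against constructed ICMP packets. The unassigned-type and invalid-code checks show why an "unused ICMP code" (such as the type 7 suggested in the quoted reply) is the easy case for an IDS, while the Echo payload checks (size, entropy, and comparison with the payload patterns stock ping utilities emit) are what is left to inspect once traffic is plain ICMP Echo. The type/code table, the stock-ping payload patterns and the thresholds are assumptions chosen for this example, and every sample packet is constructed.

```python
"""Heuristics for the ICMP covert-channel points above (added example).

Packets are modelled as (icmp_type, icmp_code, payload) tuples; all
sample values below are constructed for the example.
"""
import math
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# ICMPv4 types with IANA assignments that are seen in ordinary traffic.
# Assumption: an allow-list like this is what a simple IDS rule carries.
KNOWN_TYPES = {0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18}

# Highest valid code for the types whose code field is meaningful
# (RFC 792 / RFC 1812). Types absent from this table only use code 0.
MAX_CODE = {3: 15, 5: 3, 11: 1, 12: 2}

# Payload a stock Windows ping emits (assumption for the example).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

# Entropy above which a payload looks compressed/encrypted (assumed threshold).
ENTROPY_THRESHOLD = 6.0
# Echo payloads above this size are unusual for a ping (assumed threshold).
MAX_ECHO_PAYLOAD = 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_unix_ping(payload: bytes) -> bool:
    """Unix ping pattern (assumption): 8-byte timestamp, then a padding
    run of consecutively incrementing bytes (0x10, 0x11, 0x12, ...)."""
    pad = payload[8:]
    if len(payload) < 16:
        return False
    return all(b == (pad[0] + i) & 0xFF for i, b in enumerate(pad))


def classify_icmp(icmp_type: int, icmp_code: int, payload: bytes) -> list:
    """Return the reasons this ICMP packet deserves a second look.

    An empty list means "looks like a regular packet", which is exactly the
    profile a well-built covert channel aims for, so it is not a clean bill
    of health; it only means the cheap checks did not fire.
    """
    findings = []
    # The easy case from the thread: an illegal type or code stands out.
    if icmp_type not in KNOWN_TYPES:
        findings.append(f"unassigned ICMP type {icmp_type}")
    elif icmp_code > MAX_CODE.get(icmp_type, 0):
        findings.append(f"invalid code {icmp_code} for type {icmp_type}")

    # The hard case: plain Echo. Only the payload is left to look at.
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        if len(payload) > MAX_ECHO_PAYLOAD:
            findings.append(f"oversized echo payload ({len(payload)} bytes)")
        if payload and payload != WINDOWS_PING_PAYLOAD \
                and not looks_like_unix_ping(payload):
            findings.append("echo payload does not match a stock ping pattern")
        ent = shannon_entropy(payload)
        if ent > ENTROPY_THRESHOLD:
            findings.append(f"high-entropy echo payload ({ent:.1f} bits/byte)")
    return findings


# Constructed sample packets for a stand-alone run.
UNIX_PING_PAYLOAD = b"\x5f\xe9\x00\x01\x00\x0a\xbc\xde" + bytes(range(0x10, 0x38))
TUNNELLED_PAYLOAD = bytes((i * 97 + 31) % 256 for i in range(128))  # 128 distinct bytes
SAMPLES = [
    ("stock unix ping", (ICMP_ECHO_REQUEST, 0, UNIX_PING_PAYLOAD)),
    ("stock windows ping", (ICMP_ECHO_REPLY, 0, WINDOWS_PING_PAYLOAD)),
    ("unassigned type 7", (7, 0, b"")),
    ("bad code on unreachable", (3, 20, b"")),
    ("echo carrying opaque data", (ICMP_ECHO_REQUEST, 0, TUNNELLED_PAYLOAD)),
]

if __name__ == "__main__":
    for label, pkt in SAMPLES:
        print(f"{label:28s} -> {classify_icmp(*pkt) or ['no findings']}")
```

The order of the checks mirrors the argument in the post: the type/code allow-list costs nothing and catches the "unused code" idea outright, whereas for Echo traffic the detector is reduced to payload heuristics that a careful sender can defeat by padding to a stock ping pattern, which is why the post treats Echo as the hardest channel to spot rather than the easiest.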
