[Dshield] Communication when emails are being watched
Johannes B. Ullrich
jullrich at sans.org
Fri Dec 26 15:05:03 GMT 2003
On Fri, 2003-12-26 at 09:26, DAN MORRILL wrote:
> so what we can do is take one of the unassigned ICMP code types
> either 7 or anything that does not trigger a IDS
No, wrong direction. It's rather simple for an IDS (or many firewalls
for that matter) to spot an illegal code/type. The idea of a covert
channel is to make the packet look as "regular" as possible.
ICMP Echo is probably as simple as it gets. Other channels are
usually easier to spot, and may not even make it past the
Some of the channels I have seen in the wild:
- Loki style ICMP traffic
- port 53 UDP ("DNS like"). Not all that easy to spot, but will
generate errors if it hits a DNS server. Some IDSs may identify
the traffic as illegal DNS queries.
- port 80 TCP. Very easy to hide here. I never can make up my mind
if SOAP / XML-RPC is a covert channel or a legit application ;-)
- IPSEC: strictly speaking it's not a covert channel. But once you
got an IPSEC tunnel, an IDS is more or less useless. However, if
you are not using IPSEC, it's easily blocked and recognized.
- "odd protocols". I have seen them more in DDOS tools (e.g. protocol
0 or 255). But once in a while people build covert channels around
this. It may not work well as typically these odd protocols are
not routed by everyone.
- SEBEK: it is typically used to capture traffic from honeypots without
the attacker recognizing that they are watched. Requires cooperation
from the monitored host.
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 786 1563
fax: (617) 786 1550 jullrich at sans.org
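A defender-side illustration of the "illegal DNS queries" check mentioned above for the port 53 UDP channel, added here and not part of the original post: it tests whether a UDP/53 payload is structurally a real DNS query or merely "DNS like" by port number. The two sample payloads are constructed for this example.

```python
import struct

# Constructed samples (not from the mailing-list post).
# A well-formed standard query for example.com, type A, class IN.
VALID_QUERY = (
    b"\x12\x34"                  # transaction ID
    b"\x01\x00"                  # flags: QR=0, opcode 0, RD set
    b"\x00\x01"                  # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07example\x03com\x00"    # QNAME as length-prefixed labels
    b"\x00\x01\x00\x01"          # QTYPE = A, QCLASS = IN
)
# Arbitrary bytes sent to UDP/53: "DNS like" only in the port number.
TUNNELED_BLOB = b"hello from the other side, this is not a dns query at all\x00"


def dns_query_problems(payload: bytes) -> list:
    """Return the reasons a UDP/53 payload does not look like a DNS query.
    An empty list means every structural check passed."""
    problems = []
    if len(payload) < 12:
        return ["shorter than the 12-byte DNS header"]
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        problems.append("QR bit set: a response, not a query")
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2):          # QUERY, IQUERY, STATUS
        problems.append(f"unassigned opcode {opcode}")
    if qd == 0:
        problems.append("QDCOUNT is zero")
    if qd > 1 or (opcode == 0 and (an or ns)):
        problems.append("unusual section counts for a client query")
    # Walk the question name: labels of 1..63 bytes, <= 255 total, NUL-terminated.
    pos, name_len = 12, 0
    while True:
        if pos >= len(payload):
            problems.append("QNAME runs past end of packet")
            return problems
        label_len = payload[pos]
        if label_len == 0:
            pos += 1
            break
        if label_len & 0xC0:             # > 63 or a compression pointer
            problems.append("compression pointer or oversized label in query name")
            return problems
        name_len += label_len + 1
        if name_len > 255:
            problems.append("QNAME longer than 255 bytes")
            return problems
        pos += 1 + label_len
    if len(payload) < pos + 4:
        problems.append("missing QTYPE/QCLASS")
    else:
        _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
        if qclass not in (1, 255):       # IN or ANY
            problems.append(f"unusual QCLASS {qclass}")
    # With no answer/authority/additional records there should be nothing after the question.
    if an == ns == ar == 0 and len(payload) > pos + 4:
        problems.append(f"{len(payload) - pos - 4} trailing bytes after the question")
    return problems


def classify(payload: bytes) -> str:
    return "ok" if not dns_query_problems(payload) else "suspect"
```

A real sensor would apply the same checks per flow and alert on hosts that repeatedly emit "suspect" payloads to UDP/53, which is also where a genuine resolver would answer with FORMERR.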