Network Covert Channels
A top down approach
$whois Felipe.Pr0teus
Não trabalho na Proteus.
- Works for TJRJ
- Security Researcher(Independent)
- Love coffee!
- Like to Help
Disclaimer
The data, or the results found here were tested in controled environment, may or may not correspond to a real life situations. My employer has nothing to do with it =D
Agenda
- Data Exfiltration.
- Remote Access, Botnet C&C and so on
- If you play defensive: Knowledge
Motivation
- Data Exfiltration.
- Remote Access, Botnet C&C and so on
- If you play defensive: Knowledge
Covert Channels
Intention to leak information
vs
Side Channels
Not intended to leak any information
Types
- Storage
- Timing
- Protocol
- Hopping
- Hybrid
Storage
Timing
Protocol
Hopping
Scenarious
By network position: Active vs Passive By Capacity: Client/Server vs BothProperties
stealh
Top-Down approach
OSI-model
but first...
shall we play a game ?!
Layer 7 8(Users)
Common protocols:
OSI-model
Layer 7
Common protocols:
OSI-model
Layer 6
Common protocols:
OSI-model
Layer 5
Common protocols:
OSI-model
Layer 4
Common protocols:
OSI-model
Layer 3
Common protocols:
OSI-model
Layer 2
Common protocols:
OSI-model
Detections and Defenses
Kinda hard to detect and eliminate. Always prefereable detect than eliminate
As usual:
- segment your network
- Manage & block unused protocols
- Signatures or Heuristic
Detections and Defenses
keep going...
- packet normalization
- inject random delay on network
- Document the covert channel technique
- limit their capacity
Conclusions
Any Questions ?!
Capture The Flag - Results
Based on ACK - first written in 2006 by Laurent Butti http://rfakeap.tuxfamily.org/#Raw_Covert
The 1st flag is:
FLAG
The is a 2nd ?! it's matter of time ! Tweet and meet me @Pr0teusBR and @CONFdence!
Thanks !
Contacts: E-mail(ask-me), @Pr0teusBR or RL ;)