Covert Channel Detection

Date Submitted: 11/14/2012 01:05 PM

Intrusion Detection

1. Abstract 

A covert channel is a simple yet very effective mechanism for sending and receiving data between machines without alerting any firewalls or IDSs on the network. The technique derives its stealthy nature from the fact that it sends traffic through ports that most firewalls will permit. In addition, the technique can bypass an IDS by appearing to be an innocuous packet carrying ordinary information when in fact it is concealing its actual data in one of several control fields in the TCP and IP headers. 

The objective of this paper is to demonstrate the effectiveness of this technique in the presence of a firewall and an IDS. It will be shown that even though the technique avoids detection by a stateless IDS by using a variety of randomized signatures, the activity can still be detected by diligently examining network traffic for certain patterns in the protocol information that characterize the tool being used. 

2. Introduction 

The tool used for this exploit was a slightly modified version of the “covert_tcp” code developed and released by Craig Rowland [1]. This tool provides three different methods of sending covert data embedded within one of the following fields:

* The IP packet identification field.
* The TCP initial sequence number field.
* The TCP acknowledge sequence number field (“Bounce”).

This paper will demonstrate the use of the first and third methods. The original code was modified slightly and compiled individually on each machine. Two machines will be used for this exploit. One is a passive server (receiver) and the other is a client (transmitter) that initiates a transfer with the server. The server would normally be a compromised machine and have the code running on it, listening for connections on any specified port. It should be noted that the server need not always be a compromised machine; a legitimate owner of the machine could use this tool to transfer...
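The abstract's claim that the tool can be caught by looking for characteristic patterns in the IP ID and TCP sequence fields, as an added example that is not part of this paper or of covert_tcp itself. It assumes the encoding Rowland's original tool uses (one ASCII character per packet, stored as ch * 256 in the IP ID or ch * 16777216 in the initial sequence number), and runs a flow-level check over constructed header records rather than live captures:

```python
import random
from dataclasses import dataclass

# Assumed covert_tcp encoding, one ASCII character per packet:
#   IP-ID mode: ip.id   = ch * 256       -> low byte 0, high byte = ch
#   ISN mode:   tcp.seq = ch * 16777216  -> low 24 bits 0, top byte = ch
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int
    ip_id: int    # 16-bit IP identification field
    tcp_seq: int  # 32-bit TCP sequence number (the ISN on a SYN)

def ipid_char(p):
    """Character an IP-ID-mode packet would carry, or None if the shape is wrong."""
    if p.ip_id & 0xFF or (p.ip_id >> 8) not in PRINTABLE:
        return None
    return chr(p.ip_id >> 8)

def seq_char(p):
    """Character an ISN-mode packet would carry, or None if the shape is wrong."""
    if p.tcp_seq & 0x00FFFFFF or (p.tcp_seq >> 24) not in PRINTABLE:
        return None
    return chr(p.tcp_seq >> 24)

def detect(packets, min_pkts=8):
    """Group by (src, dst, dport); alert only when a whole flow decodes cleanly."""
    flows = {}
    for p in packets:
        flows.setdefault((p.src, p.dst, p.dport), []).append(p)
    alerts = []
    for key, pkts in flows.items():
        for mode, fn in (("ip_id", ipid_char), ("tcp_seq", seq_char)):
            chars = [fn(p) for p in pkts]
            # a few matching packets are noise; a whole long flow is the tell
            if len(pkts) >= min_pkts and all(c is not None for c in chars):
                alerts.append((key, mode, "".join(chars)))
    return alerts

def sample_packets():
    """Constructed traffic: an IP-ID-mode flow, an ISN-mode flow and a benign one."""
    rng = random.Random(7)  # seeded so the constructed sample is reproducible
    rnd_id = lambda: rng.getrandbits(16) | 1   # benign IP ID: low byte never zero
    rnd_seq = lambda: rng.getrandbits(32) | 1  # benign ISN: low bits never zero
    covert_id = [Pkt("10.0.0.5", "10.0.0.9", 80, ord(c) * 256, rnd_seq()) for c in "password\n"]
    covert_seq = [Pkt("10.0.0.6", "10.0.0.9", 443, rnd_id(), ord(c) << 24) for c in "rootpw\n\n"]
    benign = [Pkt("10.0.0.7", "10.0.0.9", 80, rnd_id(), rnd_seq()) for _ in range(12)]
    return covert_id + covert_seq + benign
```

On real traffic the same check would be fed from a capture, and the decoded text in each alert is what lets an analyst confirm the hit rather than chase a coincidence.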