A covert channel is “any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy.” Covert channels do not modify the TCP/IP stack; they make legitimate use of the protocols. Covert channels therefore need specialized clients and/or servers to inject and retrieve the covert data.
Covert channels are the principal enablers of a distributed denial of service (DDoS) attack, which causes a denial of service to legitimate machines [39]. A DDoS attacker covertly distributes (portions of) his attack tools over many machines spread across the Internet, later triggers these intermediary machines into beginning the attack, and remotely coordinates it.
Covert channels are possible in nearly all the protocols of the TCP/IP suite. They can be set up using the ID field of IP packets, IP checksums, TCP initial sequence numbers, or TCP timestamps. For example, ICMP echo request packets should have an 8-byte header and a 56-byte payload, and ICMP echo requests should not be carrying any data. However, such ICMP packets can be significantly larger, carrying covert data in their payloads.
A simple ICMP implementation is covert-tcp, and the project Loki (http://www.phrack.org/leecharch.php?p=49) tunnels covert data in the data portion of ICMP-ECHO and ICMP-ECHOREPLY messages. stegtunnel (http://www.synacklabs.net/projects/stegtunnel/) hides data in the initial SEQ numbers and IP IDs of TCP connections. Unlike covert-tcp, stegtunnel does not simply write raw packets out; it intercepts outbound and inbound traffic and rewrites it.
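A defender-side check for the ICMP echo case described above, added here as an example that is not from the original post or from any of the tools it names: it parses a raw IPv4/ICMP packet and flags echo payloads that exceed the 56-byte default or do not follow the sequential fill pattern of a standard Unix ping. The fill-pattern rule, the packet builder and the sample packets are assumptions constructed for this example.

```python
import struct

STANDARD_PAYLOAD_LEN = 56   # payload size sent by a default Unix `ping` (figure from the text)

def parse_icmp_echo(packet: bytes):
    """Return (icmp_type, payload) for an IPv4 packet carrying an ICMP echo, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:      # IP protocol number 1 == ICMP
        return None
    icmp_type = packet[ihl]
    if icmp_type not in (0, 8):                      # 0 = echo reply, 8 = echo request
        return None
    return icmp_type, packet[ihl + 8:]

def matches_ping_fill(payload: bytes) -> bool:
    """True if the bytes after the 8-byte timestamp slot follow the `byte i == i` fill
    used by iputils/BSD ping (assumption: other ping implementations use other fills,
    so treat a mismatch as a hint to inspect, not as proof of a covert channel)."""
    return all(payload[i] == (i & 0xFF) for i in range(8, len(payload)))

def assess_icmp_echo(packet: bytes) -> list:
    """Heuristic findings for one packet; an empty list means nothing suspicious."""
    parsed = parse_icmp_echo(packet)
    if parsed is None:
        return []
    _, payload = parsed
    findings = []
    if len(payload) > STANDARD_PAYLOAD_LEN:
        findings.append("oversized payload (%d bytes)" % len(payload))
    if len(payload) > 8 and not matches_ping_fill(payload):
        findings.append("payload does not match the standard ping fill pattern")
    return findings

def build_echo_request(payload: bytes) -> bytes:
    """Constructed IPv4 + ICMP echo request; checksums are left zero since we only parse."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8, code 0, csum, id, seq
    return ip_hdr + icmp_hdr + payload

# Constructed samples: what a default ping sends, and a payload stuffed with hidden data.
NORMAL_PING = build_echo_request(bytes(8) + bytes(range(8, STANDARD_PAYLOAD_LEN)))
COVERT_PING = build_echo_request(bytes(8) + b"secret exfil data" * 12)
```

Run over a packet capture, the same two checks give a cheap first-pass filter for Loki-style tunnels; they say nothing about channels that live in IP IDs or TCP sequence numbers, which need per-flow statistics instead.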
Published on Sat 22 February 2014 by Macy Leftwing in Security with tag(s): covert channel