Fakultät Medien

Kreativität, kritisches Denken und gesellschaftliche Verantwortung - das ist die Fakultät Medien!
 

IPv4 Covert Channels and Mitigation Approaches

|

Covert channels and mitigation approaches are investigated for network protocols IPv4. The header fields are being used to silently transmit information. The goal in this project is to both try to silently transmit and detect information being transmitted. Two teams compete to see who is more successful at their task.

IPv4 CCM Approaches
© M

This project goal is to implement the silent transmission of information and to protect against the
transmission of information. To accomplish this the team has been divided into two parts attack and
defense. The first team will build covert channels while the second team will develop mitigation and
alerting to counter the transfer of the secret information.

There are two main types of Covert Channels, storage and timing. In this project we have decided to
build up a storage covert channel. In storage channels one process writes to a shared resource while
another reads. We preferred network storage channels to timing channels, because of the
synchronization issues present in timing channels, their complexity, noisiness, and their significantly
lower bandwidth in comparison to storage channels. Covert channels can be created using fields in
protocol’s header that are changing during transmission. We are manipulating TTL in ICMP (Internet
Control Protocol), which is a connectionless protocol on the internet layer to transfer error
messages and other information.

The job of the mitigation team will be defend against the malicious changes during transmission.
Snort is being used by the mitigation team for intrusion. Snort is an intrusion detection and
prevention system. Custom snort rules can be created to detect malicious activity found in packets
and defend or alert against the attack. We have used Snort’s IPS and IDS mode for our project
where snort.conf is the name of your rules file. This will apply the rules set in the snort.conf file to
each packet to decide if an action based upon the rule type in the file should be taken. There are
several techniques that have been developed for covert channel detection using IDS signatures.

First team will build a storage covert channel that can be exploited by a process to secretly transfer
information in a manner that violates the systems security policies. In this project, we have created
covert communication using IPV4 by manipulating time-to-live header field and UDP field.

Second team will create mitigation techniques for the network protocols IPv4 using IDS and IPS
techniques utilizing Snort to alert the system and automatically drop the corrupt packets before
reaching the destination.

Utilizing a CTF framework the two teams will compete against each other in an attack and defense
game. Scores will be provided to each team based on successful team mission as mentioned earlier.
For attack team a win would be successfully transferring the message and for the defend team a win
would be successful stopping the malicious communication.

Projektteam:
Aakash Goyal

Projektbetreuung:
Prof. Dirk Westhoff