Firewall Wizards mailing list archives

Re: Covert Channels (was dns outbound)


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Tue, 18 May 1999 07:50:08 -0700
> But how far do you need to go to eliminate covert channels ?

Well.. I don't believe you can.  It's a statistical problem, really.
You need to be able to decide upon "normal" and then look
for variations.

Any protocol can be tunneled over any other, as long as it's not
timing sensitive.  On a really busy firewall with users doing
lots of protocols, and an inside subversive tunneling out,
you probably won't spot him.  As long as he's not trying to
get a lot of data through in a short amount of time, he might look
really normal.  You'd have to suspect him first, guess the method
he's using, and then you'd probably spot him.

> If my firewall checks for valid DNS structure in `DNS' packets, then what
> is to stop someone tunneling data using the "variable" part of the
> DNS packet, such as the IP address/domain being requested ?

Nothing.

> Sure my bandwidth is not as great but it could still work.  The greatest
> challenge here is that you need to have some way of guaranteeing
> that DNS packets will reach X but I can see how that could still
> be made to work.

Just make a request for an authoritative lookup for a host that
has never been looked up before.   Obviously, you encode
your data in the name.  This particular tunnel (DNS) would
be easier to spot than others... hostnames could be checked
for human-language looking characteristics, and length.

> How about transferring a file from outside to inside
> via a zone transfer (properly structured, data just isn't DNS data) ?

Most FW admins can block zone transfers entirely with the
DNS structure they have.

> You're almost saying that a firewall needs to have design properties
> from those A1 Orange book systems (which we all love to hate) by
> being careful to eliminate leakage of information.

Hmm... I don't know the standards that well.  I can't imagine they
do that effective a job of eliminating this threat.  I wish I had
one I could try to fool.

                         Ryan
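A defender-side check along the lines the post suggests (hostname length and human-language looking characteristics), added here as an example and not part of the thread: it scores queried names by length, character entropy and digit/vowel ratios. The sample names, the chosen features and the thresholds are constructed assumptions, not values from the post.

```python
import math
from collections import Counter

# Constructed sample of queried names (not from the post): three ordinary
# lookups and two names carrying encoded data in their labels.
SAMPLE_QNAMES = [
    "www.example.com",
    "mail.corp.example.net",
    "autodiscover.mailservices.internal.example.com",
    "4a7f3c9e1b2d8a6f0c5e9b3d7a1f2c4e8b6d0a9f.tun.example.org",
    "mzxw6ytboi2dkq6vjbstywxiz4hgjuvgl3odhcuvwbaqghy.data.example.org",
]

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def qname_features(qname: str) -> dict:
    """Length and character-class features of the labels below the zone apex."""
    labels = qname.rstrip(".").lower().split(".")
    # Assumption: the last two labels are the registered zone; a real
    # deployment would consult the public suffix list instead.
    encoded = "".join(labels[:-2])
    n = len(encoded)
    return {
        "length": n,
        "max_label": max((len(l) for l in labels), default=0),
        "entropy": shannon_entropy(encoded),
        "digit_ratio": sum(ch.isdigit() for ch in encoded) / n if n else 0.0,
        "vowel_ratio": sum(ch in "aeiou" for ch in encoded) / n if n else 0.0,
    }

def looks_tunneled(qname: str) -> bool:
    """Flag names that are long, high-entropy and unlike natural words.
    Natural-language labels keep a high vowel share even when long, which
    separates them from hex/base32 payloads; thresholds are illustrative."""
    f = qname_features(qname)
    return (
        f["length"] >= 30
        and f["entropy"] >= 3.5
        and (f["digit_ratio"] >= 0.25 or f["vowel_ratio"] <= 0.2)
    )

def suspicious(qnames) -> list:
    """Return the subset of queried names worth a closer look."""
    return [q for q in qnames if looks_tunneled(q)]

if __name__ == "__main__":
    for q in SAMPLE_QNAMES:
        print(looks_tunneled(q), qname_features(q), q)
```

Run this over the query log of a resolver you operate to pick a baseline for "normal" before settling on thresholds; a long legitimate name can trip the length and entropy tests alone, which is why the vowel share is also consulted.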
