Firewall Wizards mailing list archives
Re: Covert Channels (was dns outbound)
From: "Stephen P. Berry" <spb () meshuga incyte com>
Date: Thu, 20 May 1999 11:52:15 -0700
-----BEGIN PGP SIGNED MESSAGE-----

In message <88256775.00518FC6.00 () gwwest sybase com>, "Ryan Russell" writes:

> Sure my bandwidth is not as great, but it could still work. The greatest challenge here is that you need to have some way of guaranteeing that DNS packets will reach X, but I can see how that could still be made to work.
>
> Just make a request for an authoritative lookup for a host that has never been looked up before. Obviously, you encode your data in the name. This particular tunnel (DNS) would be easier to spot than others... hostnames could be checked for human-language looking characteristics, and length.

Why would you want to send your `covert' data in the clear? Encode, encrypt, compress if it helps, then use, say, the last sixteen bits of the address as your carrier (you could theoretically use all 32 bits, but only using the last 16 allows you to avoid suspicious first octets, as well as almost certainly avoiding repetition of the last two). This more or less requires that the recipient either be able to intercept traffic between you (the sender) and the destination IP address(es) or that you (the sender) can get DNS queries to arbitrary hosts. You'd probably want to include some state or parity information to prevent data loss, and also have some way of signifying nulls (the sum of the single digits in all the octets is divisible by three or something like that), but you get the basic idea.

It's not a great system for concealing data theft or anything like that, as the throughput is fairly lousy. But you could transmit a 500 byte message (about the size of a PGP encrypted passwd or shadow file, for example) over 24 hours with (figuring about a third of the packets as nulls) about 14 lookups an hour.

- -Steve

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN0RZMirw2ePTkM9BAQGhkQQAg80+7ykZuGEGqZJk9LtMkVBRwq/ruT9Q
4ufBZftCaZvYmeHbSda6XJu4ctmgWUrMZ5UMaSJo5SmMwd+LIr6yaFWvwy3JEOkr
Hkz/YTTucdc6Ixz8Ghcq62WUBFJTn100VpteSpwf3SUAXECLCOVyBSp5htjqPc4B
FeHp8KmksXo=
=XeH+
-----END PGP SIGNATURE-----