Firewall Wizards mailing list archives

Re: Covert Channels (was dns outbound)


From: "Stephen P. Berry" <spb () meshuga incyte com>
Date: Thu, 20 May 1999 11:52:15 -0700

-----BEGIN PGP SIGNED MESSAGE-----


In message <88256775.00518FC6.00 () gwwest sybase com>, "Ryan Russell" writes:

> Sure my
> bandwidth is not as great but it could still work.  The greatest
> challenge here is that you need to have some way of guaranteeing
> that DNS packets will reach X but I can see how that could still
> be made to work.
>
> Just make a request for an authoritative lookup for a host that
> has never been looked up before.   Obviously, you encode
> your data in the name.  This particular tunnel (DNS) would
> be easier to spot than others... hostnames could be checked
> for human-language looking characteristics, and length.

Why would you want to send your `covert' data in the clear?  Encode,
encrypt, compress if it helps, then use, say, the last sixteen bits of the
address as your carrier (you could theoretically use all 32 bits, but only
using the last 16 allows you to avoid suspicious first octets, as well as
almost certainly avoiding repetition of the last two).

This more or less requires that the recipient either be able to
intercept traffic between you (the sender) and the destination IP
address(es) or that you (the sender) can get DNS queries to arbitrary
hosts.

You'd probably want to include some state or parity information to
prevent data loss, and also have some way of signifying nulls (the
sum of the single digits in all the octets is divisible by three or
something like that), but you get the basic idea.

It's not a great system for concealing data theft or anything like
that, as the throughput is fairly lousy.  But you could transmit
a 500 byte message (about the size of a PGP encrypted passwd or shadow
file, for example) over 24 hours with (figuring about a third of
the packets as nulls) about 14 lookups an hour.
- -Steve


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN0RZMirw2ePTkM9BAQGhkQQAg80+7ykZuGEGqZJk9LtMkVBRwq/ruT9Q
4ufBZftCaZvYmeHbSda6XJu4ctmgWUrMZ5UMaSJo5SmMwd+LIr6yaFWvwy3JEOkr
Hkz/YTTucdc6Ixz8Ghcq62WUBFJTn100VpteSpwf3SUAXECLCOVyBSp5htjqPc4B
FeHp8KmksXo=
=XeH+
-----END PGP SIGNATURE-----
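The detection side of this thread (hostnames that do not look like human language, unusual length, and a client issuing a stream of never-before-seen names) can be turned into a small log-scoring script. The following is an added example written for this archive page, not code from either poster; the log line format, the sample entries and the thresholds are constructed assumptions, chosen so that a label of a dozen mixed letters and digits scores as encoded while ordinary hostnames do not.

```python
"""Heuristic scoring of DNS query names for covert-channel indicators.

Added example for the Firewall Wizards thread on DNS covert channels.
It applies the checks suggested in the thread (non-language-looking
labels, length, and a per-client count of first-seen names).  The log
format "<timestamp> <client-ip> <query-name>" and all thresholds are
assumptions made for this example.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log, not real traffic.  Client 10.0.0.9 issues a
# series of fresh, random-looking labels under one zone; 10.0.0.5 looks
# like ordinary browsing and mail.
SAMPLE_LOG = """\
1999-05-20T11:00:01 10.0.0.5 www.example.com
1999-05-20T11:00:03 10.0.0.5 mail.example.com
1999-05-20T11:04:10 10.0.0.9 a9f3k2q8x1z7.example.net
1999-05-20T11:08:41 10.0.0.9 q2w7e4r9t1y6.example.net
1999-05-20T11:12:55 10.0.0.9 zx8cv3bn6ma1.example.net
1999-05-20T11:17:02 10.0.0.9 ljh4gf2dsa9p.example.net
1999-05-20T11:21:30 10.0.0.5 www.example.com
"""

VOWELS = set("aeiou")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def name_features(qname: str) -> dict:
    """Features of the left-most label, which is where encoded data would sit;
    the remaining labels are usually a legitimate zone suffix."""
    label = qname.lower().rstrip(".").split(".")[0]
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = (sum(c in VOWELS for c in letters) / len(letters)) if letters else 0.0
    digit_ratio = (sum(c.isdigit() for c in label) / len(label)) if label else 0.0
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "digit_ratio": digit_ratio,
    }


def looks_encoded(qname: str, max_len: int = 24, min_entropy: float = 3.0,
                  min_vowel_ratio: float = 0.2, max_digit_ratio: float = 0.3) -> bool:
    """True when the first label is over-long, or is high-entropy and lacks the
    vowel/digit mix of a human-chosen hostname.  Thresholds are assumptions."""
    f = name_features(qname)
    if f["length"] > max_len:
        return True
    return f["entropy"] >= min_entropy and (
        f["vowel_ratio"] < min_vowel_ratio or f["digit_ratio"] > max_digit_ratio
    )


def scan_log(log_text: str):
    """Return (flagged, new_names_per_client).

    flagged: list of (timestamp, client, qname) whose name looks encoded.
    new_names_per_client: how many never-before-seen names each client asked
    for; a steady trickle of fresh names is the pattern both variants in the
    thread would produce, even if each name individually passes the checks."""
    flagged = []
    seen = set()
    new_per_client = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, qname = m.groups()
        qname = qname.lower().rstrip(".")
        if qname not in seen:
            seen.add(qname)
            new_per_client[client] += 1
        if looks_encoded(qname):
            flagged.append((ts, client, qname))
    return flagged, dict(new_per_client)


def suspicious_clients(log_text: str, max_new_names: int = 3) -> list:
    """Clients that either sent an encoded-looking name or exceeded the
    first-seen-name budget (an assumed threshold for the example)."""
    flagged, new_per_client = scan_log(log_text)
    flagged_by_client = Counter(client for _, client, _ in flagged)
    return sorted(
        client for client, n in new_per_client.items()
        if n > max_new_names or flagged_by_client[client] > 0
    )


if __name__ == "__main__":
    hits, fresh = scan_log(SAMPLE_LOG)
    for ts, client, qname in hits:
        print(f"{ts} {client} encoded-looking name: {qname}")
    print("first-seen names per client:", fresh)
    print("suspicious clients:", suspicious_clients(SAMPLE_LOG))
```

The per-name heuristics only catch the variant that puts data in the hostname; the variant Steve describes, which carries the payload in the answer's address bits, leaves the names looking ordinary, so the first-seen-name count per client is the check that applies to both, and a reviewer would tune `max_new_names` against the site's own baseline rather than the constant used here.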