covert tcp

Discussion in 'other firewalls' started by snowy, Jun 18, 2002.

Thread Status:
Not open for further replies.
  1. snowy

    snowy Guest

    The following is from a white paper by Craig Rowland....all credit due author.


    The TCP/IP protocol suite has a number of weaknesses that allow an attacker to leverage techniques in the form of covert channels to surreptitiously pass data in otherwise benign packets.


    ...The implications of these methods depend on the purposes they are being used for. Immediate use could allow for an encrypted and concealed communication channel between hosts located in countries that may frown upon the use of cryptography (snipped). Additional purposes could be served in the areas of data smuggling and anonymous communication.
    Protection from these techniques includes the use of an application proxy firewall system which does not allow packets from logically separated networks to pass directly to each other. I know of no other firewall type that can guarantee this. A packet-filter "firewall" MAY stop the traffic depending on whether true network address translation is used (re-writing of the ENTIRE TCP/IP header information), which is often not the case despite what advertisers may say.

    Additionally, if you are bouncing the packets off a remote site with a listening port, the return packet will have a SYN/ACK combination set in the header and will look like an "established" connection to the packet filter. This has the potential to punch through many of these filters, even some that claim to be "stateful". A straight packet filter in the form of a router will probably offer little or no protection, especially if you allow any "established" traffic back in from any site, which is almost a certainty.

    Detection of these techniques can be difficult, especially if the information being passed in the packet data is encrypted with a good software package (PGP and others). Particularly, hosts receiving a server bounced packet will have a difficult time determining from where the packet originated unless they can put a sniffer on the inbound side of the bounced server, which will still only reveal that a forged packet originated from somewhere on the Internet. Methods to track down the packet can still be used at this point however, so caution should be used (assuming anyone notices it occurring).


    It's not possible for me to post a link here due to the nature of the information it would provide.
    Those who are aware of this exploit will understand......please notice the mention of an application firewall being the best means of preventing\defending against this exploit......although I use an application firewall...I find it rather difficult to accept that a properly configured rule-based firewall would not defend against this exploit............please also notice that encryption enhances the exploit..........
    Personally I can't offer very much input on this subject...it's above me at this time....however, it would make for interesting discussion if others would care to do so...I certainly would be interested in the subject matter.

    snowman

    Please note that this is not an issue of which is the best firewall...application or rule based.....the intent should be aimed at prevention of the exploit...thank you.
     
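The quoted paper's point about bounced SYN/ACK packets looking "established" can be shown with two toy filters. This is an added illustration, not code from the paper or the thread; the segments and addresses are constructed, and the filters only model the decision logic of a stateless "established" ACL versus a filter that remembers which SYNs left the inside network.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    """Just the header fields a packet filter inspects (constructed, not real packets)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

def stateless_established_filter(seg, inbound):
    """Router-ACL style 'established' rule: an inbound segment passes
    whenever ACK or RST is set, with no memory of earlier packets."""
    return (not inbound) or seg.ack or seg.rst

class StatefulFilter:
    """Admits an inbound SYN/ACK only if an inside host sent the matching SYN."""
    def __init__(self):
        self.pending = set()  # (src, sport, dst, dport) of outbound SYNs seen

    def check(self, seg, inbound):
        if not inbound:
            if seg.syn and not seg.ack:
                self.pending.add((seg.src, seg.sport, seg.dst, seg.dport))
            return True
        # The reply must mirror a SYN we actually sent: swap the endpoints.
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.pending

# Constructed traffic: 10.0.0.5 opens a normal connection to 203.0.113.10, then an
# unsolicited SYN/ACK arrives from 198.51.100.7. Nobody inside sent a SYN there; the
# paper's bounce technique produces exactly this by forging the SYN's source address.
TRAFFIC = [
    (Segment("10.0.0.5", 40000, "203.0.113.10", 80, syn=True), False),
    (Segment("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True), True),
    (Segment("198.51.100.7", 80, "10.0.0.5", 40001, syn=True, ack=True), True),
]

def stateless_results():
    return [stateless_established_filter(s, i) for s, i in TRAFFIC]

def stateful_results():
    f = StatefulFilter()
    return [f.check(s, i) for s, i in TRAFFIC]

if __name__ == "__main__":
    print("stateless:", stateless_results())  # all admitted, bounce included
    print("stateful: ", stateful_results())   # third segment dropped
```

The third segment is the one the paper describes: the stateless rule admits it because the ACK bit is set, while the stateful filter drops it because no inside host ever opened that flow.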
  2. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Thanks Snowman. Easy enough to find the article. Interesting stuff.
    I sent the link to Mikhail in case he can use the information to make a better Outpost firewall. ;)
    Hope you have recovered nicely from that nasty bout you just had.
    root
     
  3. snowy

    snowy Guest

    Root

    heya buddy...nice to be hearing from you....and glad you were able to locate the site.....although knowing you I am not surprised that you did LOL
    persons like yourself will understand the seriousness of this issue......and what won't surprise me is if a few others will say "oh, it's not happening" and chances are they will never know they are already being exploited.....
    there is a lot that can be said on this subject...it's very much a reality today.....and it appears no one is noticing it,
    well in a case such as this it's best I leave the discussion to others like yourself....I hope there is a way that this can be addressed by firewall vendors everywhere....
    wishing you a pleasant night
    snowman

    P/S oh..I am under doctor's care again...became overly exhausted and had a set-back....today I had business to take care of otherwise would not be out of bed....man I am much too young to be going through this. thanks for the well wishes
     
  4. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Funny you should post this now...can't say why, though!
     
  5. bubs

    bubs Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    106
    Location:
    Suffolk, England
    As I understand it (now there's an oxymoron!!! :D), only allowing outbound connections provides 100% proof against this kind of problem.

    Can anybody help?
     
  6. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    That's how I read it.
     