hiding tcp traffic nadpis 1 threats and countermeasures
play

Hiding TCP Traffic: Nadpis 1 Threats and Countermeasures Nadpis 2 - PowerPoint PPT Presentation

Nov 07, 2022 •48 likes •318 views

Hiding TCP Traffic: Nadpis 1 Threats and Countermeasures Nadpis 2 Nadpis 3 Libor Polk, Radek Hranick, Petr Matouek Jmno Pjmen Vysok uen technick v Brn, Fakulta informanch technologi v Brn Brno University of

  1. Hiding TCP Traffic: Nadpis 1 Threats and Countermeasures Nadpis 2 Nadpis 3 Libor Polčák, Radek Hranický, Petr Matoušek Jméno Příjmení Vysoké učení technické v Brně, Fakulta informačních technologií v Brně Brno University of Technology, Fakulty of information technology Božetěchova 2, 612 66 Brno Božetěchova 2, 612 66 Brno ipolcak@fit.vutbr.cz jmeno@fit.vutbr.cz xhrani00@stud.fit.vutbr.cz matousp@fit.vutbr.cz 99.99.2008 24.5.2013

  2. Motivation • Detection of traffic hiding in IP networks • Completness of lawful interceptions • Focus on a specific attack • Confusion of packet decoding • Misleading information Hiding TCP Traffic: Threats and Countermeasures 2

  3. Attack description Hiding TCP Traffic: Threats and Countermeasures 3

  4. Normal TCP communication • Decoding software • Firewall, IDS/IPS • Wireshark, TCP session decoding • Proprietary e-investigation software Hiding TCP Traffic: Threats and Countermeasures 4

  5. Attack description Hiding TCP Traffic: Threats and Countermeasures 5

  6. Attack description • Main advantage: data hiding without cooperation of the other side • Receiver uses standard TCP without any modification Hiding TCP Traffic: Threats and Countermeasures 6

  7. Attack description Hiding TCP Traffic: Threats and Countermeasures 7

  8. Extensions to the attack Hiding TCP Traffic: Threats and Countermeasures 8

  9. Cover message in the last segments Hiding TCP Traffic: Threats and Countermeasures 9

  10. Configurable-sized segments Hiding TCP Traffic: Threats and Countermeasures 10

  11. Datagram drops in IPv6 • Hop Limit (HL) • Middleboxes (e.g. firewalls, IDS/IPS, routers etc.) may drop some packets • Flow label, traffic class • Extension headers • IPSec (AH, unencrypted ESP) • Hop-by-hop headers options Hiding TCP Traffic: Threats and Countermeasures 11

  12. LDP – proxy for the attack • Source code available at http://www.fit.vutbr.cz/~ipolcak/prods.php • Automatically detects number of hops to the destination Hiding TCP Traffic: Threats and Countermeasures 12

  13. Attack analysis Hiding TCP Traffic: Threats and Countermeasures 13

  14. Attack analysis – Wireshark/IRC Hiding TCP Traffic: Threats and Countermeasures 14

  15. Downside of the attack • Information leakage from the opposite directions of the TCP stream (indirect clue) • Incoming IRC messages • Preview of the message send to a discussion forum • Consequence: The attack might be misused only in a specific scenario • Opposite direction unavailable to the interceptor • No valuable data in the opposite direction Hiding TCP Traffic: Threats and Countermeasures 15

  16. Attack characteristic: overhead • Very big overhead for short-sized segments • Overhead for 16 KB data transfer • What can an attacker do? • Big segments → easier reconstruction • Hide only a specific part of communication Hiding TCP Traffic: Threats and Countermeasures 16

  17. Countermeasures and attack detection Hiding TCP Traffic: Threats and Countermeasures 17

  18. Attack detection • Hop Limit variation • NetFlow Duration Direction Packets Bytes Bpp 3.502 s Attacker -> Server 8467 521056 61 3.502 s Server -> Attacker 1016 79352 78 Hiding TCP Traffic: Threats and Countermeasures 18

  19. Decoding software Decoding SW IPv6 support Interpretation Detected anomalies Wireshark Yes First cover message High number of TCP retransmittions Chaosreader Yes Random noise None tcpflow Yes Last cover message None tcptrace Yes Last cover message High number of segments with the same sequential number (rexmt) … TCP connection 1: … total packets: 3051 … a->b: b->a: total packets: 2565 486 ack pkts sent: 2564 486 … unique bytes sent: 504 8826 … rexmt data pkts: 2037 9 rexmt data bytes: 2037 4759 Hiding TCP Traffic: Threats and Countermeasures 19

  20. LNC – Fake data removal • Filters fake packets in a PCAP file Hiding TCP Traffic: Threats and Countermeasures 20

  21. LNC – Fake data removal Hiding TCP Traffic: Threats and Countermeasures 21

  22. LNC – Fake data removal • Source code available at http://www.fit.vutbr.cz/~ipolcak/prods.php Hiding TCP Traffic: Threats and Countermeasures 22

  23. Fake data removal • What can go wrong? • Packets are not dropped due to HL/TTL • If the destination receives overlapping segments with distinct content → the behaviour differs • Fake packets send when the correct were already processed Hiding TCP Traffic: Threats and Countermeasures 23

  24. Conclusion Hiding TCP Traffic: Threats and Countermeasures 24

  25. Conclusion • The attack has dozens of modifications • Segment length • Noise, cover messages • Packet dropping • Etc. • Some forms easy to detect, some harder • Suspicious retransimitions • Unusual metadata • Limited usability due to leakage of data in the opposite direction Hiding TCP Traffic: Threats and Countermeasures 25

  26. Conclusion • http://www.fit.vutbr.cz/~ipolcak/prods.php • LDP – proxy, LNC – PCAP cleaner • Cooperation with Ministry of Interior and Czech police • Project Modern Tools for Detection and Mitigation of Cyber Criminality on the New Generation Internet (http://www.fit.vutbr.cz/~ipolcak/grants.php?id=517) • Lawful Interception System Hiding TCP Traffic: Threats and Countermeasures 26

  27. Thank you for your attention. Hiding TCP Traffic: Threats and Countermeasures 27

Recommend

SOCIAL ENGINEERING THREATS & COUNTERMEASURES IN AN OVERLY

SOCIAL ENGINEERING THREATS & COUNTERMEASURES IN AN OVERLY

SOCIAL ENGINEERING THREATS & COUNTERMEASURES IN AN OVERLY CONNECTED WORLD SHANE MACDOUGALL TACTICAL INTELLIGENCE INC. About Me InfoSec since 1989

1k views • 79 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail Kevin P Dyer

Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail Kevin P Dyer

Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail Kevin P Dyer Portland State University Joint work with: Scott Coull , RedJack LLC Thomas Ristenpart , University of Wisconsin-Madison Thomas Shrimpton , Portland

576 views • 44 slides
Riding the Mobile Traffic Tsunami Opportunities and Threats in the Making of 5G Mobile

Riding the Mobile Traffic Tsunami Opportunities and Threats in the Making of 5G Mobile

Riding the Mobile Traffic Tsunami Opportunities and Threats in the Making of 5G Mobile Broadband Jerry Pi Chief Technology Officer Straight Path Communications Inc. November 16, 2015 Content Drives Demand for Capacity 360 o /VR 4K/8K

621 views • 13 slides
Europes Management of Space Hybrid Threats Dr. Jana Robinson, Space Security Program Director

Europes Management of Space Hybrid Threats Dr. Jana Robinson, Space Security Program Director

2018 International Astronautical Congress, Bremen, Session D5.4., October 5, 2018 Europes Management of Space Hybrid Threats 2018 International Astronautical Congress Session D5.4. Cyber-security threats to space missions and countermeasures

219 views • 11 slides
WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and countermeasures within smart card and wireless sensor network node technologies. Kevin Eagles, Konstantinos Markantonakis and Keith Mayes Smart Card Centre,

337 views • 22 slides
New DNS Traffic Analysis Techniques to Identify Global Internet Threats Dhia Mahjoub and Thomas

New DNS Traffic Analysis Techniques to Identify Global Internet Threats Dhia Mahjoub and Thomas

New DNS Traffic Analysis Techniques to Identify Global Internet Threats Dhia Mahjoub and Thomas Mathew January 12 th , 2016 1 Dhia Mahjoub Technical Leader at OpenDNS PhD Graph Theory Applied on Sensor Networks Focus: Security, Graphs &

1.04k views • 72 slides
On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

Physical Attacks New Attacks on Classical Countermeasures Extended Countermeasures On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 , Thomas ROCHE 1 , Adrian THILLARD 1 1 ANSSI (French Network and

358 views • 25 slides
Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com Outline Motivation & general mechanisms Side-channel countermeasures Fault countermeasures Conclusions 2 Design and Security of

549 views • 40 slides
MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi Peng Chunyi Peng , Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang University of California, Los Angeles ACM CCS12 ACM CCS'12 C Peng (UCLA)

480 views • 27 slides
Information hiding Information hiding Notice how a user of a service being provided by an

Information hiding Information hiding Notice how a user of a service being provided by an

Information hiding Information hiding Notice how a user of a service being provided by an object, need only know the name of the messages that the object will accept. They need not have any idea how the actions performed in response to

474 views • 34 slides
HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference Mangard et. al, "Power Analysis Attacks, Revealing the Secrets of Smart Cards", Springer, 2009 Power analysis attacks are effective because the

479 views • 19 slides
TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats Explosive ad incendiary Threats Bio Hazardous Powder Threats 3 Improvised mechanical Devices TR15 Smart Scan Can easily detect the component

192 views • 16 slides
Earthquake and Tsunami Countermeasures in Japan The Committee for Technical Investigation on

Earthquake and Tsunami Countermeasures in Japan The Committee for Technical Investigation on

May 10, 2013 Earthquake and Tsunami Countermeasures in Japan The Committee for Technical Investigation on Countermeasures for Earthquakes and Tsunamis Based on The Lessons Learned from The 2011 Off The Pacific Coast of Tohoku Earthquake

436 views • 29 slides
On Countermeasures for Riverine and Marine Plastic Litter in India 12 -22 May 2020 Session 2:

On Countermeasures for Riverine and Marine Plastic Litter in India 12 -22 May 2020 Session 2:

National Policy Workshop Webinar Series On Countermeasures for Riverine and Marine Plastic Litter in India 12 -22 May 2020 Session 2: Community Perceptions and behavioral aspects for plastic management and promotion of countermeasures to

473 views • 19 slides
53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats every minute* * Merrill Lynch ...Causing $3T USD in costs, and expected to double by 2021* * CyberSecurity Ventures (2015) Todays threat

508 views • 35 slides
Using Bro to Hunt Persistent Threats Benjamin H. Klimkowski United States Military Academy 13

Using Bro to Hunt Persistent Threats Benjamin H. Klimkowski United States Military Academy 13

Using Bro to Hunt Persistent Threats Benjamin H. Klimkowski United States Military Academy 13 September 2017 Agenda 1. Goals 2. Definitions 3. Motivating problem 4. Approach 5. How Cobalt Strike works 6. Traffic analysis 7.

821 views • 59 slides
Yoshiyasu MURASHIGE Central Japan Motorway Engineering Tokyo : All sources are from Japan's

Yoshiyasu MURASHIGE Central Japan Motorway Engineering Tokyo : All sources are from Japan's

Traffic Safety Countermeasures on Roads in Residential Areas in Japan 24 April 2019 Yoshiyasu MURASHIGE Central Japan Motorway Engineering Tokyo : All sources are from Japan's Ministry of Land, Infrastructure, Transport and Tourism Traffic

496 views • 22 slides
Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT, University of Luxembourg December 5, 2018 Plan 1 Introduction 2 Attacks on Masked White-box Implementations 3 Countermeasures 4 Algebraic Security 0

797 views • 53 slides
POKING HOLES IN INFORMATION HIDING Angelos Oikonomopoulos Elias Athanasopoulos Herbert Bos

POKING HOLES IN INFORMATION HIDING Angelos Oikonomopoulos Elias Athanasopoulos Herbert Bos

POKING HOLES IN INFORMATION HIDING Angelos Oikonomopoulos Elias Athanasopoulos Herbert Bos Cristiano Giuffrida Vrije Universiteit Amsterdam Teaser Break ideal information hiding in seconds Few probes, typically no crashes

854 views • 33 slides
David Lorge Parnas When the first papers on information Hiding were published (1970-72) ,

David Lorge Parnas When the first papers on information Hiding were published (1970-72) ,

Middle Road Software, Inc. How Precise Documentation allows Information Hiding to Reduce Software Complexity and Increase its Agility" David Lorge Parnas When the first papers on information Hiding were published (1970-72) , reaction

845 views • 47 slides
Loom ing Threats - transcript of presentation video Nick : Team 4 Looming Threats, please give

Loom ing Threats - transcript of presentation video Nick : Team 4 Looming Threats, please give

Loom ing Threats - transcript of presentation video Nick : Team 4 Looming Threats, please give them a hand. Mark : Good afternoon, Simon and I have the absolute pleasure to be presenting on behalf of Team Looming Threats. So, one of the, I guess

377 views • 3 slides

More recommend