Detail publikace

Ukrytí provozu TCP: Hrozby a opatření

POLČÁK, L. HRANICKÝ, R. MATOUŠEK, P.

Originální název

Hiding TCP Traffic: Threats and Counter-measures

Český název

Ukrytí provozu TCP: Hrozby a opatření

Anglický název

Hiding TCP Traffic: Threats and Counter-measures

Typ

článek ve sborníku

Jazyk

en

Originální abstrakt

Computer networks were designed to be simple and routers do not validate the integrity of the processed traffic. Consequently, an attacker can modify his or her traffic with the aim of confusing any analyser that intercepts the traffic, e.g. monitoring and security software or lawful interception. This paper studies the attack that is based on sending additional colliding TCP segments with the same sequential number but different content. The segments with the correct message are delivered to the other communicating party of the TCP connection while the fake segments are dropped en route. The goal of the fake segments is to confuse analysers into decoding a different message to the one that is received by the other communicating party. The other communicating party does not need to be aware of the attack and therefore does not need any specific software. Although this paper discuss the advantages and disadvantages of the attack for an attacker, our ultimate goal was to find counter-measures against the attack. Our contribution can be divided into four following parts. 1) We converted the attack to IPv6 and searched for possibilities that may force a middle box to drop fake packets. 2) We developed a tool called LDP, which behaves as a TCP proxy server that masks outbound TCP traffic of a whole network. 3) We identified several counter-measures. In addition, we implemented LNC, a tool that identifies the attack in pcap files and removes the fake segments. Since LNC is a stand-alone tool, it also deals with traces generated by other software than LDP as long as it is based on the same attack vector. 4) LDP and LNC were tested in both laboratory environment and on the Internet. The experiments validated that the attack is applicable for a communication with a server that is not under the control of an attacker. Several parameters of the attack were evaluated during the experiments; mainly the number and the length of fake packets and their influence on the performance of the attack and counter-measures.

Český abstrakt

Směrovače v počítačových sítítch nekontrolují integritu přenášených dat. Útočník tak může modifikovat svůj provoz takovým způsobem, že analyzátor provozu vidí jiný obsah než cílová stnaice. Tento článek se zabývá proveditelností takového útoku a možnými opatřeními, jak útoku předcházet.

Anglický abstrakt

Computer networks were designed to be simple and routers do not validate the integrity of the processed traffic. Consequently, an attacker can modify his or her traffic with the aim of confusing any analyser that intercepts the traffic, e.g. monitoring and security software or lawful interception. This paper studies the attack that is based on sending additional colliding TCP segments with the same sequential number but different content. The segments with the correct message are delivered to the other communicating party of the TCP connection while the fake segments are dropped en route. The goal of the fake segments is to confuse analysers into decoding a different message to the one that is received by the other communicating party. The other communicating party does not need to be aware of the attack and therefore does not need any specific software. Although this paper discuss the advantages and disadvantages of the attack for an attacker, our ultimate goal was to find counter-measures against the attack. Our contribution can be divided into four following parts. 1) We converted the attack to IPv6 and searched for possibilities that may force a middle box to drop fake packets. 2) We developed a tool called LDP, which behaves as a TCP proxy server that masks outbound TCP traffic of a whole network. 3) We identified several counter-measures. In addition, we implemented LNC, a tool that identifies the attack in pcap files and removes the fake segments. Since LNC is a stand-alone tool, it also deals with traces generated by other software than LDP as long as it is based on the same attack vector. 4) LDP and LNC were tested in both laboratory environment and on the Internet. The experiments validated that the attack is applicable for a communication with a server that is not under the control of an attacker. Several parameters of the attack were evaluated during the experiments; mainly the number and the length of fake packets and their influence on the performance of the attack and counter-measures.

Rok RIV

2013

Vydáno

22.05.2013

Nakladatel

Brno University of Defence

Místo

Brno

ISBN

978-80-7231-922-0

Kniha

Security and Protection of Information 2013, Proceedings of the Conference

Edice

NEUVEDEN

Číslo edice

NEUVEDEN

Strany od

83

Strany do

96

Strany počet

14

URL

BibTex


@inproceedings{BUT103497,
  author="Libor {Polčák} and Radek {Hranický} and Petr {Matoušek}",
  title="Hiding TCP Traffic: Threats and Counter-measures",
  annote="Computer networks were designed to be simple and routers do not validate the
integrity of the processed traffic.
Consequently, an attacker can modify his or her traffic with the aim of confusing
any analyser that intercepts the
traffic, e.g. monitoring and security software or lawful interception. This paper
studies the attack that is based on
sending additional colliding TCP segments with the same sequential number but
different content. The segments
with the correct message are delivered to the other communicating party of the
TCP connection while the fake
segments are dropped en route. The goal of the fake segments is to confuse
analysers into decoding a different
message to the one that is received by the other communicating party. The other
communicating party does not
need to be aware of the attack and therefore does not need any specific software.
Although this paper discuss the
advantages and disadvantages of the attack for an attacker, our ultimate goal was
to find counter-measures
against the attack. Our contribution can be divided into four following parts. 1)
We converted the attack to IPv6
and searched for possibilities that may force a middle box to drop fake packets.
2) We developed a tool called
LDP, which behaves as a TCP proxy server that masks outbound TCP traffic of a
whole network. 3) We
identified several counter-measures. In addition, we implemented LNC, a tool that
identifies the attack in pcap
files and removes the fake segments. Since LNC is a stand-alone tool, it also
deals with traces generated by other
software than LDP as long as it is based on the same attack vector. 4) LDP and
LNC were tested in both
laboratory environment and on the Internet. The experiments validated that the
attack is applicable for a
communication with a server that is not under the control of an attacker. Several
parameters of the attack were
evaluated during the experiments; mainly the number and the length of fake
packets and their influence on the
performance of the attack and counter-measures.",
  address="Brno University of Defence",
  booktitle="Security and Protection of Information 2013, Proceedings of the Conference",
  chapter="103497",
  edition="NEUVEDEN",
  howpublished="print",
  institution="Brno University of Defence",
  year="2013",
  month="may",
  pages="83--96",
  publisher="Brno University of Defence",
  type="conference paper"
}