Abstract
Eliminating network covert channels is a crucial security practice. Recent research identified at least 22 distinct covert channels in IPv6 and suggested advanced active wardens as an appropriate countermeasure. These covert channels are particularly harmful, not only because they can facilitate the deployment of other attacks but also because the protocol is being adopted at an increasing rate without a parallel deployment of corrective technology. We present a first implementation of network-aware active wardens that eliminates the covert channels exploiting the Routing Header and the Hop Limit field, as well as the well-known Short TTL Attack. Network-aware active wardens use network-topology information to detect and defeat covert protocol behavior. By analyzing their performance in a controlled network environment, we show that the wardens eliminate a significant percentage of the covert channels and exploits with minimal impact on end-to-end communication (approximately a 3% increase in packet round-trip time).
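The abstract describes wardens that use topology knowledge to defeat the Hop Limit channel, the Routing Header channel and the Short TTL Attack. The following is an added illustration written for this page, not the authors' implementation or measured system. It assumes a warden that knows the number of forwarding routers (itself included) between it and each destination prefix, a canonical hop limit of 64 that every forwarded packet is rewritten to, and that only Routing Header type 0 is acted on; the topology table and the packets are constructed inline for the example.

```python
# Added example (not the paper's code): a toy network-aware active warden for IPv6.
import struct
import ipaddress

IPV6_HDR_LEN = 40
NH_ROUTING = 43           # Routing Header extension (RFC 2460)
NH_UDP = 17
CANONICAL_HOP_LIMIT = 64  # assumed value every packet leaves the warden with


def parse_ipv6(pkt):
    """Return the fields of the fixed 40-byte IPv6 header as a dict."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    vtcfl, plen, nh, hl = struct.unpack("!IHBB", pkt[:8])
    if vtcfl >> 28 != 6:
        raise ValueError("not IPv6")
    return {"payload_len": plen, "next_header": nh, "hop_limit": hl,
            "src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40])}


def build_ipv6(src, dst, hop_limit, next_header, payload):
    """Construct a packet for the example: fixed header followed by payload bytes
    (payload includes any extension headers, as Payload Length requires)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def build_rh0(next_header, addresses, segments_left):
    """Construct a type 0 Routing Header (RFC 2460 sec. 4.4) for the example."""
    addr_bytes = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    hdr_ext_len = len(addresses) * 2  # 8-octet units, excluding the first 8 octets
    return struct.pack("!BBBBI", next_header, hdr_ext_len, 0, segments_left, 0) + addr_bytes


class Warden:
    """Inline warden that knows the hop distance to each destination prefix."""

    def __init__(self, hops_to_dest):
        # hops_to_dest: {IPv6Network: forwarding routers (warden included) between
        # the warden and that prefix}.  Assumed to come from a topology map.
        self.hops_to_dest = hops_to_dest

    def distance_to(self, dst):
        for net, hops in self.hops_to_dest.items():
            if dst in net:
                return hops
        return None

    def process(self, pkt):
        """Return (verdict, packet to forward or None)."""
        h = parse_ipv6(pkt)
        hops = self.distance_to(h["dst"])
        if hops is None:
            return "drop:unknown-destination", None
        # Short TTL attack: a packet whose hop limit expires before the end host is
        # seen by a monitor but never by the receiver.  Every forwarding router
        # decrements the field and discards at zero, so delivery needs hl > hops.
        if h["hop_limit"] <= hops:
            return "drop:short-ttl", None
        body = bytearray(pkt)
        verdict = "forward"
        # Hop Limit covert channel: the sender modulates the 8-bit field.  Rewriting
        # it to one canonical value leaves the receiver nothing to decode.
        if h["hop_limit"] != CANONICAL_HOP_LIMIT:
            verdict = "forward:hop-limit-normalized"
        body[7] = CANONICAL_HOP_LIMIT
        if h["next_header"] == NH_ROUTING:
            if len(body) < IPV6_HDR_LEN + 8:
                return "drop:truncated-routing-header", None
            rh_nh, ext_len, rtype, seg_left = struct.unpack("!BBBB", body[40:44])
            rh_len = (ext_len + 1) * 8
            if len(body) < IPV6_HDR_LEN + rh_len:
                return "drop:truncated-routing-header", None
            if rtype == 0:
                if seg_left != 0:
                    # Live source routing: removing the header would change where
                    # the packet is delivered, so refuse rather than rewrite.
                    return "drop:rh0-source-routing", None
                # An RH0 with no segments left does nothing for delivery and only
                # carries bytes (address list, reserved field) a sender can encode
                # data in: splice it out and fix up Next Header and Payload Length.
                del body[IPV6_HDR_LEN:IPV6_HDR_LEN + rh_len]
                body[6] = rh_nh
                struct.pack_into("!H", body, 4, len(body) - IPV6_HDR_LEN)
                verdict += ":rh0-stripped"
        return verdict, bytes(body)
```

Two practical notes on the rewriting. The upper-layer checksum pseudo-header in IPv6 covers the upper-layer packet length, not the IPv6 Payload Length, and does not include Hop Limit, so neither rewrite invalidates TCP or UDP checksums. Stripping or dropping type 0 Routing Headers is the safe default today: RFC 5095 (2007) deprecated RH0 because of its amplification potential, so a warden is unlikely to break legitimate traffic by refusing it.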
© 2007 Springer-Verlag Berlin Heidelberg
Lewandowski, G., Lucena, N.B., Chapin, S.J. (2007). Analyzing Network-Aware Active Wardens in IPv6. In: Camenisch, J.L., Collberg, C.S., Johnson, N.F., Sallee, P. (eds) Information Hiding. IH 2006. Lecture Notes in Computer Science, vol 4437. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74124-4_5
DOI: https://doi.org/10.1007/978-3-540-74124-4_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74123-7
Online ISBN: 978-3-540-74124-4