Covert Communications in Network Protocols: A Study of Techniques


Abstract:

This research paper explores the realm of network-based covert communications and data hiding, focusing on three prominent techniques: TCP/IP Steganography, Covert Timing Channel Steganography, and DNS Tunneling. These methods operate discreetly within network traffic, concealing sensitive information and enabling covert communication. Through in-depth analysis, we unveil their principles, applications, and the emerging synergy between DNS Tunneling and network steganography.

Introduction:

Covert communications and data hiding, known as steganography, have transcended ancient practices to find a home within computer networks. This paper ventures into the intricacies of network-based covert communications and steganography, illuminating the methods by which information is concealed within the vast labyrinth of digital communication.

As we delve into this secretive domain, we aim to distinguish network-based steganography from its counterparts. Unlike traditional steganography, which embeds data within static media such as images or audio, network-based steganography conceals information within the dynamic flow of network traffic. This distinction provides attackers with a potent tool, allowing them to establish covert communication channels that operate under the radar of traditional security measures.

These covert channels are of paramount importance to attackers. They serve as conduits for transmitting sensitive information, evading detection, and achieving their nefarious objectives. From espionage to data exfiltration, cyber-espionage, and censorship circumvention, these channels offer a cloak of invisibility in the digital realm.

In this paper we will dissect three network-based covert communications techniques: TCP/IP Steganography; Covert Timing Channel Steganography; and DNS Tunneling. Each method operates within the layered architecture of computer networks, employing unique tactics to hide and extract concealed data. Our journey will encompass detailed analyses, comparative assessments, and a glimpse into the potential of integrating DNS Tunneling with broader network steganography.

2. TCP/IP Steganography

TCP/IP Steganography is a sophisticated network steganographic technique that operates by concealing data within the packet headers of TCP/IP (Transmission Control Protocol/Internet Protocol) traffic. The technique involves several steps:

1. Packet Selection: The initial step involves the careful selection of specific network packets from an ongoing communication session. These packets are chosen strategically to minimize suspicion and blend in with legitimate traffic.

2. Data Embedding: The core of TCP/IP Steganography lies in the modification of certain fields within the packet headers. These fields are typically chosen to minimize detection, and they commonly include the Time To Live (TTL) field, IP Identification field, and TCP header flags.

3. Data Extraction: On the recipient's side, a complementary algorithm is applied to identify and extract the concealed data from the altered packet headers. This process involves decoding the data and reconstructing the original message [3][4].

2.1 Implementation

TCP/IP Steganography can be implemented in various scenarios. In a corporate espionage scenario, an insider can modify the TTL values of ICMP (Internet Control Message Protocol) echo request packets to exfiltrate sensitive data, which is concealed within the TTL field. For covert communication, attackers can use TCP flags to establish a hidden channel within seemingly innocuous web traffic. For instance, they may set specific flag combinations to represent different letters or commands [4].

The Taidoor RAT is a well-documented example of TCP/IP Steganography implementation in the wild. Taidoor used this technique to hide its C2 communications within seemingly legitimate network traffic. It manipulated packet headers to encode and transmit commands to infected systems without raising suspicion. This made it challenging for security systems to detect and block Taidoor's malicious activity [5].

2.2 Technical Feasibility

Attackers must possess a deep understanding of network protocols and traffic patterns to manipulate packet headers. Packet header modifications may also introduce errors, potentially corrupting the concealed data. Maintaining data integrity while concealing information adds complexity.

The payload capacity of TCP/IP Steganography is contingent on the chosen encoding method and the specific fields within packet headers that are used for data hiding. Bandwidth, in this context, refers to the rate at which data can be covertly transmitted. The capacity may vary depending on the media types used for embedding [3].

When embedding data within the TTL (Time To Live) field, the bandwidth is relatively low. Typically, a binary '0' may be represented by one TTL value, while a '1' corresponds to another value. This binary encoding results in a slower transmission rate due to the limited number of TTL values. Using the IP Identification field for data encoding can provide a slightly higher bandwidth compared to TTL field encoding. This is because the IP Identification field can accommodate a larger range of numerical values, allowing for more efficient data transmission. TCP header flags offer a moderate bandwidth, as there are several flag combinations available to represent binary values. However, this method may be less efficient for transmitting large volumes of data compared to IP Identification field encoding [1][3][4].

2.3 Defensive Measures

Detecting TCP/IP Steganography is complex because it requires the ability to differentiate between legitimate and covertly altered packet headers, which can be subtle. It necessitates specialized tools and continuous monitoring for irregular patterns. Detection becomes more feasible with the identification of known signatures or behaviors linked to this technique. DPI (Deep Packet Inspection) tools scrutinize packet headers to identify unusual modifications or anomalies [4]. Anomaly-based IDS can raise alarms when atypical packet header alterations occur, indicating potential steganographic activity [3][4].
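As an added example (not from the paper or any cited tool), the following Python applies the anomaly-based idea above to the TTL carrier described in this section: a host on a fixed path shows an almost constant TTL, a route change shows a single step to a new value, and a per-packet bit carrier flips between two values again and again. All packet records are constructed; the addresses are placeholders.

```python
"""Per-host TTL checks over constructed packet header records.

Added example, not from the paper or any cited tool: a defender-side
heuristic for the TTL carrier. Two metrics are computed per source
host: the share of packets not carrying the host's dominant TTL, and
how often consecutive packets change TTL. A one-off route change has a
large minority share but almost no flips; a bit carrier has both.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str  # source address as seen by the sensor (constructed)
    ttl: int  # IP TTL as observed at the sensor


def _host(src, ttls):
    return [Pkt(src, t) for t in ttls]


# Constructed sample: a normal host, a host whose route changed once,
# and a host whose TTL carries the bit string 010011101001 (64 = '0', 63 = '1').
SAMPLE = (
    _host("10.0.0.5", [64] * 12)
    + _host("10.0.0.7", [64] * 6 + [63] * 6)
    + _host("10.0.0.9", [64 if b == "0" else 63 for b in "010011101001"])
)


def ttl_sequences(pkts):
    """Map src -> list of TTL values in capture order."""
    seq = defaultdict(list)
    for p in pkts:
        seq[p.src].append(p.ttl)
    return seq


def minority_share(ttls):
    """Fraction of packets not carrying the host's most common TTL."""
    ctr = Counter(ttls)
    return 1.0 - ctr.most_common(1)[0][1] / len(ttls)


def flip_rate(ttls):
    """Fraction of consecutive packet pairs whose TTL differs.

    A route change is one flip; a per-packet bit carrier flips about
    half the time, however the two TTL values are split.
    """
    if len(ttls) < 2:
        return 0.0
    flips = sum(1 for a, b in zip(ttls, ttls[1:]) if a != b)
    return flips / (len(ttls) - 1)


def flag_ttl_hosts(pkts, min_pkts=8, share_thr=0.1, flip_thr=0.25):
    """Return {src: (minority_share, flip_rate)} for suspicious hosts.

    Both conditions must hold: enough minority values to carry data and
    frequent alternation, which a one-off route change does not show.
    Thresholds are illustrative and should be tuned per network.
    """
    flagged = {}
    for src, ttls in ttl_sequences(pkts).items():
        if len(ttls) < min_pkts:
            continue
        share, flips = minority_share(ttls), flip_rate(ttls)
        if share > share_thr and flips > flip_thr:
            flagged[src] = (round(share, 3), round(flips, 3))
    return flagged


if __name__ == "__main__":
    for src, ttls in ttl_sequences(SAMPLE).items():
        print(src, "share=%.2f" % minority_share(ttls), "flips=%.2f" % flip_rate(ttls))
    print("flagged:", flag_ttl_hosts(SAMPLE))
```

The route-changed host 10.0.0.7 has the same minority share as the carrier host but is not flagged, which is the false positive a share-only rule would raise.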

2.4 Ways to Improve TCP/IP Steganography

Encoding: Encoding can add an additional layer of security against defensive measures. Advanced encoding methods like adaptive encoding, where encoding changes dynamically based on network conditions, can further improve efficiency.

Careful selection of packets: Improving the packet selection process, such as targeting packets with less impact on network performance, can enhance concealment and reduce detection likelihood.

Nested Steganography: Hiding the payload within another carrier can add an additional complexity to hide data from forensic analysis.

3. Covert Timing Channels

Covert Timing Channels exploit variations in timing, such as packet arrival times or response delays, to convey hidden information. The sender generates a precise timing pattern by introducing controlled delays between network events. These events can include packet transmissions, server responses, or even timing intervals between keystrokes during communication. The introduced delays serve as carriers to encode binary data. For example, a brief delay might signify '0,' while an extended delay indicates '1.' The sender meticulously orchestrates these timing variations to encode the entire message. At the recipient's end, a matching timing pattern is established to extract the concealed data. This is done by carefully analyzing the variations in timing delays and decoding them to reconstruct the original message [6][7].

3.1 Implementation

Covert Timing Channels can be implemented in various scenarios. In a botnet operation, attackers can introduce subtle timing variations in their communication with compromised systems. These variations can encode commands or instructions for the compromised bots to execute. A malicious insider can use Covert Timing Channels to exfiltrate sensitive data by introducing timing delays in outgoing network traffic. The delays encode the data, which is then reconstructed at the recipient's end.

"Ping Exfiltration" is a well-known example of Covert Timing Channels. In this technique, attackers manipulate the timing between ICMP echo request and reply packets to encode and clandestinely transmit data. By carefully controlling the timing between these packets, they can encode information and transmit it through standard ICMP ping requests and replies [7].

3.2 Technical Feasibility

The feasibility of deploying Covert Timing Channels largely hinges on the level of control an attacker can exert over the timing variations within the target network environment. While the concept of manipulating timing intervals to encode data is relatively straightforward, achieving precise and reliable timing control can be challenging. In practice, successful implementation often requires in-depth knowledge of the target network's behavior, including its latency characteristics, packet transmission patterns, and response times. This level of insight can be achieved through various means, including reconnaissance and post-exploitation activities. In cases where attackers have a foothold in the network or control over certain network elements, such as routers or servers, they may have an easier time in implementing Covert Timing Channels. However, even in scenarios with limited control, attackers can leverage existing timing variations within protocols or systems to establish covert channels [6][7][8].

The payload capacity is also closely tied to the precision of timing variations achievable within the network. Covert Timing Channels often rely on introducing slight delays between packets or events, with each delay representing a binary '0' or '1'. The bandwidth largely depends on the accuracy of timing control, which can vary from milliseconds to microseconds. The payload capacity is also influenced by the rate at which packets or events occur. Higher packet rates allow for faster data transmission but may risk detection due to more frequent timing variations. Finally, network conditions, such as latency and jitter, can affect the achievable timing precision. More stable and predictable networks may provide a higher payload capacity compared to highly dynamic networks [6][7].

3.3 Defensive Measures

Limiting the variability in packet timing can help mitigate covert timing channel attacks. Network traffic can be shaped to adhere to predefined patterns, making it challenging for attackers to introduce noticeable timing variations. Detecting Covert Timing Channels is difficult due to the subtle nature of timing variations. It often requires advanced statistical analysis and specialized monitoring tools for effective identification. These systems analyze timing variations and raise alerts when deviations from expected patterns occur [6][8].
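As an added example (not the paper's code), the following Python applies one of the statistical tests referred to above, the epsilon-similarity measure of Cabuk et al. [6], to inter-arrival times: legitimate traffic spreads its inter-arrival times over many values, while the two-delay channel described in this section concentrates them on a small alphabet. Both traces are constructed, and the thresholds are illustrative.

```python
"""Inter-arrival regularity checks over constructed timing traces.

Added example, not the paper's code. Implements the epsilon-similarity
statistic from Cabuk et al. [6] plus a simple count of distinct delay
symbols, and classifies a trace as a low-alphabet timing channel when
both agree. Traces and thresholds are constructed for illustration.
"""


def inter_arrivals(timestamps):
    """Differences between consecutive timestamps (seconds)."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def epsilon_similarity(deltas, eps=0.05):
    """Share of neighbouring *sorted* deltas that differ by less than eps relatively.

    Cabuk et al. [6]: sort the inter-arrival times P, compute
    |P[i] - P[i+1]| / P[i] for each neighbouring pair, and report the
    fraction below eps. Few distinct delay values push this towards 1.
    """
    s = sorted(deltas)
    rel = [abs(a - b) / a for a, b in zip(s, s[1:]) if a > 0]
    if not rel:
        return 0.0
    return sum(1 for r in rel if r < eps) / len(rel)


def delay_symbols(deltas, eps=0.05):
    """Number of delay clusters separated by a relative gap of at least eps.

    Roughly the size of the covert alphabet: 2 for a '0'/'1' channel.
    """
    s = sorted(deltas)
    if not s:
        return 0
    clusters = 1
    for a, b in zip(s, s[1:]):
        if a > 0 and (b - a) / a >= eps:
            clusters += 1
    return clusters


# Constructed legitimate trace: 32 inter-arrival times, each 15% larger than
# the previous when sorted, visited in a fixed scrambled order.
LEGIT_DELTAS = [0.01 * 1.15 ** ((k * 7) % 32) for k in range(32)]

# Constructed covert trace: '0' -> about 50 ms, '1' -> about 200 ms,
# with deterministic jitter of up to 1 ms so values are not exact repeats.
MESSAGE_BITS = "0110100101001110"
COVERT_DELTAS = [
    (0.05 if b == "0" else 0.20) + 0.0005 * ((i * 3) % 5 - 2)
    for i, b in enumerate(MESSAGE_BITS)
]


def classify(deltas, eps=0.05, sim_thr=0.8, max_symbols=4):
    """True if the trace looks like a low-alphabet timing channel."""
    return (
        epsilon_similarity(deltas, eps) >= sim_thr
        and delay_symbols(deltas, eps) <= max_symbols
    )


if __name__ == "__main__":
    for name, trace in (("legit", LEGIT_DELTAS), ("covert", COVERT_DELTAS)):
        print(name, "eps-similarity=%.3f" % epsilon_similarity(trace),
              "symbols=%d" % delay_symbols(trace), "covert?", classify(trace))
```

Jitter of about 1 ms leaves the covert trace's two clusters intact at eps = 0.05; a sender that randomizes delays more widely (the "variable timing" improvement discussed later) would need a larger eps or a different test.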

3.4 Ways to Improve Covert Timing Channels

Improving the effectiveness of Covert Timing Channels involves several potential strategies:

Precise Timing Control: Implementing more precise timing control mechanisms, such as hardware-based timers, can enhance the accuracy of timing variations and increase the payload capacity.

Variable Timing: Introducing variable timing intervals between events can make the covert channel more challenging to detect. Adaptive timing variations can help mitigate detection based on fixed patterns [7].

Compression: Implementing data compression techniques can optimize data encoding within timing variations, effectively increasing the payload capacity by encoding more information in shorter intervals.

Traffic Injection: Injecting covert timing variations into legitimate network traffic can help mask the channel. This approach relies on leveraging existing traffic patterns to conceal covert communications [7].

Again, the focal point of this technique is the ability to manipulate timing intervals. Any improvement suggestions short of broad TTP combinations must keep this aspect in mind.

4. TCP/IP Steganography vs. Covert Timing Channels: A Comparative Analysis

The two data hiding methods operate using the same infrastructure, but each offers a unique functionality across several concepts:

Payload Capacity: TCP/IP Steganography offers discrete and relatively low bandwidth for data transmission due to subtle packet header modifications. Covert Timing Channels can potentially achieve higher transmission rates, especially with precise timing control.

Detection: Both techniques are challenging to detect due to their covert nature. Covert Timing Channels may be more resistant to detection when sophisticated timing control is employed, as it can normalize behavior to fool anomaly detection.

Technical Feasibility: TCP/IP Steganography requires deep protocol knowledge but is accessible to attackers with networking expertise. Covert Timing Channels require precise timing control, potentially demanding hardware-level access.

Use Cases: TCP/IP Steganography is better suited for discreet communication, data exfiltration within existing traffic, and bypassing security controls. It also has significant scope to adapt and utilize more specific techniques. Covert Timing Channels excel in scenarios requiring higher data transmission rates and effective control of timing variations.

Ultimately, Covert Timing Channels prioritize potential for higher transmission rates, while TCP/IP steganography tends to maintain focus on discretion and resilience. The choice depends on specific use cases and trade-offs between bandwidth, detection risk, and technical feasibility. Both techniques require ongoing research for effective detection and mitigation.

5. DNS Tunneling

DNS tunneling is a method of covert communication that capitalizes on the inherent functionality of the Domain Name System (DNS) protocol. It involves embedding data within DNS queries and responses, often using subdomains or resource records. The process can be broken down as follows:

1. Data Encapsulation: Data is first divided into smaller, manageable chunks. The size of these chunks can vary depending on the DNS server's configuration and the specific tunneling tool or method used. Each data chunk undergoes encoding to represent it as a valid DNS query or response. Common encoding techniques include Base64, hexadecimal, or binary representations.

2. Subdomain or Resource Record Manipulation: The encoded data chunks are inserted into DNS queries or responses as subdomains or resource records. For example, a subdomain like "sub.domain.com" might be used to carry the encoded data. The choice of subdomains or resource records depends on the tunneling tool and its compatibility with DNS server configurations.

3. DNS Server Resolution: The manipulated DNS queries or responses are sent to a DNS server. These servers are typically either controlled by the attacker (for malicious purposes) or are public DNS servers (for bypassing network restrictions). The DNS server receives these queries or responses and processes them as part of its standard DNS resolution operations.

4. Data Extraction: On the receiving end, a client or a listening component monitors the DNS trafic. This monitoring system extracts the encoded data from the subdomains or resource records. Extracted data chunks are reassembled in the correct order to reconstruct the original message or payload [11].

5.1 Implementation

DNS tunneling can serve both legitimate and malicious purposes. It can be used for secure, encrypted communication in scenarios where traditional network traffic may be monitored or restricted. Dnscat2 is a legitimate tool designed for secure DNS tunneling. Security professionals use it to establish covert communication channels for testing and secure data transfer. On the other side, malicious actors employ DNS tunneling for a range of activities, including command and control communication, data exfiltration, and concealing their actions within a network.

The banking trojan IcedID has used DNS tunneling to communicate with its C2 servers. By encapsulating malicious data within DNS queries and responses, it evades traditional network security measures, making it challenging to detect and mitigate [11].

5.2 Technical Feasibility

The technical feasibility of deploying DNS tunneling largely depends on the attacker's knowledge and resources. Setting up a basic DNS tunnel is relatively straightforward, but evading detection is a complex and ongoing challenge.

In terms of payload capacity of DNS tunneling, it varies based on several factors:

DNS Message Size Limit: The typical DNS message size limit is 512 bytes for UDP queries, which limits the size of each chunk.

DNS Server Configuration: Some DNS servers may impose restrictions on the size of DNS messages, which can limit payload capacity.

Encoding Method: The encoding method used affects the efficiency of data representation. Different encoding techniques result in varying levels of overhead.

Overall, payloads are often limited to a few hundred bytes per query or response, making DNS tunneling suitable for transmitting relatively small amounts of data [11][12].

5.3 Defensive Measures

Mitigating DNS tunneling risks can be complex but is critical for network security. Several controls and measures can be implemented:

DNS Sinkholing: DNS sinkholing involves redirecting DNS queries for known malicious domains to a sinkhole server that logs the activity or returns false information. Sinkholing known malicious domains associated with DNS tunneling tools or command and control servers can disrupt tunneling attempts. It effectively halts communication with malicious entities.

Deep Packet Inspection (DPI): DPI involves the inspection of the actual content of network packets, allowing for the detection of anomalies or suspicious patterns. DPI can be a potent tool for identifying DNS tunneling activity by examining the payload of DNS packets. It can detect encoded data that does not conform to expected DNS traffic patterns.

DNS Security Extensions (DNSSEC): DNSSEC is a suite of extensions that adds an additional layer of security to DNS by digitally signing DNS data. DNSSEC helps verify the authenticity of DNS responses, reducing the risk of DNS tunneling attacks that rely on forged DNS data.

Rate Limiting: Rate limiting restricts the number of DNS queries that can be made in a given time frame. Implementing rate limiting on DNS queries can hinder the efficiency of DNS tunneling attempts, as it limits the volume of data that can be transmitted within a short period [10].

Detection of DNS tunneling can be challenging, especially when encryption is used. Anomaly detection in DNS traffic patterns and monitoring for suspicious subdomains or resource records can provide a wide net. However, sophisticated attackers continuously develop evasion techniques to circumvent detection.
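As an added example (not from the paper or any cited tool), the following Python turns the subdomain-monitoring idea above into features over a constructed DNS query log: the encoded chunks described in the data encapsulation steps of section 5 show up as many distinct, long, high-entropy labels under one domain, which ordinary hostnames do not. The log format, client addresses and the domain tunnel.test are constructed; grouping by the last two labels stands in for a Public Suffix List lookup.

```python
"""DNS query-log heuristics for tunneling, over constructed log lines.

Added example, not from the paper or any cited tool. Each line has the
constructed form "<timestamp> <client> <qtype> <qname>". Queries are
grouped per registered domain, approximated as the last two labels
(production detectors use the Public Suffix List), and a domain is
flagged when it receives many distinct, long, high-entropy labels.
"""
import math
from collections import Counter, defaultdict

# Constructed log: ordinary lookups of example.com, then TXT queries whose
# long middle label carries an encoded chunk, under the placeholder tunnel.test.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 A www.example.com
2024-01-01T10:00:01Z 10.0.0.5 A mail.example.com
2024-01-01T10:00:02Z 10.0.0.6 A www.example.com
2024-01-01T10:00:03Z 10.0.0.6 AAAA www.example.com
2024-01-01T10:00:04Z 10.0.0.7 A mail.example.com
2024-01-01T10:00:05Z 10.0.0.7 A www.example.com
2024-01-01T10:00:06Z 10.0.0.9 TXT 0001.mzxw6ytboi4gc3dpnrswy3dpoirgc4tfnqqhglaf.t.tunnel.test
2024-01-01T10:00:06Z 10.0.0.9 TXT 0002.krugkidrovt2e3brnvqweqkbmfzsa2lsmnqw2lte.t.tunnel.test
2024-01-01T10:00:07Z 10.0.0.9 TXT 0003.nfzgs3thebswy33xebtgc3dmmvxca4tfmnxxezlf.t.tunnel.test
2024-01-01T10:00:07Z 10.0.0.9 TXT 0004.ovzgk4tbmnswy2ltebuw4ictenrwgsdsnrug65ld.t.tunnel.test
2024-01-01T10:00:08Z 10.0.0.9 TXT 0005.pjzwg4tfmvzsa3lpnrsgk3tdeb3gs3tdnrswk3tf.t.tunnel.test
2024-01-01T10:00:08Z 10.0.0.9 TXT 0006.qfwtsnbzmnzwg3bsnfxgkidmn5zgs3tdovsw4ids.t.tunnel.test
"""


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text):
    """Return [(qtype, qname)] for well-formed lines; qnames are normalised."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        records.append((parts[2].upper(), parts[3].rstrip(".").lower()))
    return records


def registered_domain(qname):
    """Approximation: the last two labels (see lead-in)."""
    return ".".join(qname.split(".")[-2:])


def subdomain_labels(qname, dom):
    """Labels of qname below dom (empty list for the bare domain)."""
    prefix = qname[: -len(dom) - 1] if qname != dom else ""
    return prefix.split(".") if prefix else []


def domain_features(records):
    """Per-domain features: volume, distinctness, label length, entropy, record types."""
    groups = defaultdict(list)
    for qtype, qname in records:
        groups[registered_domain(qname)].append((qtype, qname))
    feats = {}
    for dom, recs in groups.items():
        names = [q for _, q in recs]
        longest = [max(subdomain_labels(q, dom), key=len, default="") for q in names]
        feats[dom] = {
            "queries": len(recs),
            "unique_ratio": len(set(names)) / len(recs),
            "avg_longest_label": sum(map(len, longest)) / len(longest),
            "avg_entropy": sum(shannon_entropy(l) for l in longest) / len(longest),
            "txt_null_share": sum(1 for t, _ in recs if t in ("TXT", "NULL")) / len(recs),
        }
    return feats


def flag_domains(feats, min_queries=5, label_thr=20, entropy_thr=3.0, unique_thr=0.8):
    """Domains whose labels look like encoded chunks; thresholds are illustrative."""
    return {
        dom for dom, f in feats.items()
        if f["queries"] >= min_queries
        and f["avg_longest_label"] >= label_thr
        and f["avg_entropy"] >= entropy_thr
        and f["unique_ratio"] >= unique_thr
    }


if __name__ == "__main__":
    feats = domain_features(parse_log(SAMPLE_LOG))
    for dom, f in feats.items():
        print(dom, {k: round(v, 3) for k, v in f.items()})
    print("flagged:", flag_domains(feats))
```

Content-delivery and anti-virus signature domains legitimately produce long, unique labels, so in practice the flagged set is an allow-list candidate queue rather than a verdict.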

5.4 Ways to Improve DNS Tunneling:

Improvements to DNS tunneling techniques involve enhancing encryption, obfuscation, and evasion methods. Additionally, the development of more advanced tunneling protocols capable of bypassing increasingly sophisticated detection mechanisms is an ongoing area of research. As we will explore later, there is a lot of potential to combine DNS Tunneling with other techniques to develop a robust set of TTPs.

6. Comparative Analysis of DNS Tunneling and Network Steganography

DNS tunneling differs fundamentally from network-based steganography in that it uses the DNS protocol specifically to transmit data covertly. DNS tunneling encodes data within DNS queries and responses, often using subdomains or resource records. Network-based steganography, on the other hand, embeds data within the actual network packets themselves. There are a number of aspects across which these techniques offer unique capability.

6.1 Visibility:

DNS tunneling, by its nature, involves interactions with DNS servers, which can make it more visible at the network level. While it can blend with legitimate DNS traffic, certain anomalies may be detectable in DNS query patterns, making it somewhat conspicuous. Network steganography operates at a lower protocol layer and does not directly interact with DNS servers, which allows it to blend more effectively with legitimate network traffic. It typically exhibits a lower level of visibility, making it harder to detect.

6.2 Detection:

Detecting DNS tunneling can be challenging due to its ability to mimic legitimate DNS traffic. Detection methods often rely on identifying anomalies in DNS traffic patterns, monitoring for unusual subdomains or resource records, and using Deep Packet Inspection (DPI) techniques. It may require specialized tools and expertise. Detecting network steganography is generally more difficult as it conceals data within the payload of network packets. Specialized tools and algorithms are often needed to distinguish hidden data from normal network communication. Detection relies on identifying patterns or anomalies that deviate from expected network traffic behavior [10].

6.3 Payload Capacity:

The payload capacity of DNS tunneling is constrained by DNS message size limits, typically limited to 512 bytes for UDP queries. This limitation restricts the size of each data chunk, making DNS tunneling suitable for transmitting relatively small amounts of data in each query or response. Network steganography's payload capacity is primarily constrained by the size of network packets. It can potentially accommodate larger amounts of data within each packet, depending on the network packet size and the chosen embedding technique. This makes it more suitable for transmitting larger volumes of covert data [2][11].

6.4 Resilience Against Mitigations:

DNS tunneling may be more susceptible to network security mitigations like DNS sinkholing and rate limiting. These measures can disrupt tunneling attempts but may not be foolproof against advanced evasion techniques. Network steganography is designed to blend seamlessly with legitimate network traffic, making it more resilient against traditional network-based mitigations. However, its effectiveness can still be compromised if up against robust anomaly detection.

6.5 Use Cases:

DNS tunneling is often employed for C2 communication, data exfiltration, and bypassing network restrictions. It has both legitimate and malicious use cases, with legitimate applications in secure communication. Network steganography is primarily used for concealing data within network traffic to evade surveillance or monitoring. Its applications are more focused on maintaining secrecy and are less commonly associated with C2 communication.

In summary, DNS tunneling relies on the DNS protocol to transmit data covertly and may be more visible due to its interaction with DNS servers. Network steganography conceals data within the content of network packets and is designed to blend in with normal network traffic, making it harder to detect but limited by packet size constraints. Both methods serve the purpose of covert communication but operate at different protocol layers with distinct characteristics.

7. Combining DNS Tunneling with Network Steganography:

DNS tunneling and network steganography are distinct covert communication techniques, but they can be combined to create a more resilient and sophisticated covert channel. This cooperation allows attackers to leverage the strengths of both methods while mitigating some of their individual weaknesses.

7.1 Technical Integration:

A few examples of how these techniques can be combined:

1. Data Fragmentation: Data can be divided into smaller chunks and distributed across both DNS queries and network packets. This fragmentation makes it harder to detect and reassemble the complete message [4].

2. Encryption and Obfuscation: Encrypting data before embedding it in DNS queries and using steganographic techniques within network packets can add multiple layers of security.

3. Covert Timing DNS: Covert Timing Channel steganography can be used to control the timing of DNS queries in a similar manner to what was discussed earlier. By introducing intentional delays or patterns into the timing of DNS queries, adversaries make their covert communication less predictable [6].

4. Protocol Switching: Adversaries may employ dynamic communication protocols that switch between DNS tunneling and network steganography based on reconnaissance of network conditions and security measures. This adaptability enhances their resilience against detection.

One notable example of combining DNS tunneling with network steganography is the "Duqu" malware, which is related to the Stuxnet worm. Duqu utilized a multi-stage communication mechanism which integrated both techniques. Duqu initially used DNS tunneling to establish contact with its command and control (C&C) servers. This allowed it to bypass certain network restrictions and evade detection. Once the initial connection was established, Duqu switched to network steganography to further covertly communicate with its C&C servers. It embedded data within seemingly legitimate network packets, making it extremely difficult to distinguish malicious traffic from legitimate traffic. The combination of these techniques made Duqu a highly sophisticated and elusive piece of malware [9].

7.2 Advantages of Combining Techniques:

By combining DNS tunneling with network steganography, attackers can make it significantly more challenging for security systems to detect and block their covert communication channels. The use of multiple techniques can help adversaries minimize their digital footprint, making it less likely that security analysts will notice unusual patterns of behavior. Combining methods also allows attackers to adapt to changing network conditions and security measures more effectively.

In summary, the integration of DNS tunneling with network steganography represents a highly advanced and evasive form of covert communication. While it significantly raises the bar for detection and mitigation, it also highlights the importance of comprehensive security measures that encompass both DNS traffic monitoring and network packet analysis.

8. Conclusion

In the realm of covert communications and data hiding, network protocols offer a vast domain for exploitation. The constant evolution of protocols allows for continuous opportunity to develop data hiding methods which can be increasingly dynamic. This is even more telling in the backdrop of developments in neural networks and AI technologies. Research into this field is more urgent than ever if security practitioners are to stay ahead of the curve of stealthy attackers.

References

1. Lubacz, J., Mazurczyk, W., & Szczypiorski, K. (2014). Principles and Overview of Network Steganography. IEEE Communications Magazine, 52(5). https://doi.org/10.1109/mcom.2014.6815916

2. Singh, N., Bhardwaj, J., & Raghav, G. (2017). Network Steganography and its Techniques: A Survey. International Journal of Computer Applications, 174(2). https://www.ijcaonline.org/archives/volume174/number2/singh-2017-ijca-915319.pdf

3. Mileva, A., & Panajotov, B. (2014). Covert Channels in TCP/IP Protocol Stack - Extended Version-. Open Computer Science, 4(2). https://doi.org/10.2478/s13537-014-0205-6

4. Murdoch, S. J., & Lewis, S. (2005). Embedding Covert Channels into TCP/IP. Information Hiding, 247–261. https://doi.org/10.1007/11558859_19

5. Mar-10292089-1.V2 Chinese Remote Access Trojan: Taidoor: CISA. Cybersecurity and Infrastructure Security Agency CISA. (2020, August 3). https://www.cisa.gov/news-events/analysis-reports/ar20-216a

6. Cabuk, S., Brodley, C. E., & Shields, C. (2004). IP Covert Timing Channels: Design and Detection. Proceedings of the 11th ACM Conference on Computer and Communications Security. https://doi.org/10.1145/1030083.1030108

7. Liu, Y., Ghosal, D., Armknecht, F., Sadeghi, A.-R., Schulz, S., & Katzenbeisser, S. (2009). Hide and Seek in Time — Robust Covert Timing Channels. Computer Security - ESORICS 2009, 5789. https://link.springer.com/chapter/10.1007/978-3-642-04444-1_8

8. Lu, S., Chen, Z., Fu, G., & Li, Q. (2019). A novel timing-based Network Covert Channel Detection Method. Journal of Physics: Conference Series, 1325(1), 012050. https://doi.org/10.1088/1742-6596/1325/1/012050

9. Kaspersky Labs (2021, May). The Mystery of Duqu 2.0: A Sophisticated Cyberespionage Actor Returns. Securelist. https://securelist.com/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/70504/

10. Sunddler, J., & Åstrand, J. (2019). DNS Tunnelling Detection. https://www.diva-portal.org/smash/get/diva2:1324289/FULLTEXT01.pdf

11. Hinchliffe, A. (2019, March 27). DNS tunneling: How DNS can be (ab)used by malicious actors. Unit 42. https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/