Wednesday, May 27, 2009

Stego Using TCP Retransmissions

Follow the title link to an article that describes steganographic techniques using TCP ACK packets. Remember, these are the packets that are designed to either positively acknowledge how many bytes are received and even negatively acknowledge which byte is expected next. The article claims how the researchers can smuggle data as a covert channel in ACK to circumvent filtering and censorship.

If you HEARD my SCALE 7X presentation Custom FileSystems (slides), you would have heard how I described injecting spoofed ACKs to create an ACK storm that actually sustains a filesystem until the storm subsides. To create a sustainable filesystem, you would only need to create mirrors or parity storms ala RAID to give you a chance to restart the fallen one.

The reasons this is particularly more attractive than an alternative:

1) Transport layer--nobody knows you are using their webserver to bounce bytes off of unless they are looking at the transport layer.
2) Spoofable--you can spoof the ACK, ignore the resets, which allows you bounce the filesystem around a little and potentially avoid detection.
3) Troubleshooting ACK storms (if they are even noticed) usually involve part swapping network hardware--which won't affect the filesystem.

The next month is very busy, so I don't know if I'll have a chance to roll out a hello-world for this, but since I promissed it in February, I'll try to make it happen while stuck on a a long flight or two.

Labels: , , , ,


Post a Comment

Subscribe to Post Comments [Atom]

Links to this post:

Create a Link

<< Home