A Reflective Covert Channel Attack Anchored on Trusted Web Services

This paper introduces a novel attack that can covertly exfiltrate data from a compromised network to a blocked external endpoint, using public web services as the intermediaries and exploiting both HTTP requests and DNS queries. We first identify at least 16 public web services and 2 public HTTP proxies that can serve this purpose. Then we build a prototype attack using these public services and experimentally confirm its effectiveness, including an average data transfer rate of 361 bits per second. Finally, we present the design, implementation and evaluation of a proof-of-concept defense that uses information-theoretic entropy of the DNS queries to detect this novel attack.
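The abstract does not say which entropy statistic the defense computes, so the following is an added illustration of the idea, not code from the paper: per-query Shannon entropy over the client-controlled DNS labels, run over a constructed sample query log. The log format, the assumption that the registered domain is the last two labels, and the threshold and minimum-length values are all assumptions chosen for the example.

```python
import math
from collections import Counter

# Constructed sample DNS query log, one query per line: timestamp client qname qtype.
# The two long random-looking labels stand in for tunnel-encoded data; the rest are benign.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.5 downloads-mirror-us-east.example.com A
2024-01-01T10:00:03 10.0.0.9 k3xq9zm1pw7fa0ytr2ng5bcd8hjsvu4e.relay-example.net A
2024-01-01T10:00:04 10.0.0.9 7ubcx2hq0mfkd9zg3pasw1ert5nyv8j4.relay-example.net A
2024-01-01T10:00:05 10.0.0.7 static.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def client_labels(qname: str) -> str:
    """Concatenate the labels left of the registered domain, i.e. the part a
    tunnelling client controls. Assumes the registered domain is the last two
    labels (a simplification; a real deployment would use the Public Suffix List)."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-2])

def detect_high_entropy(log_text: str, threshold: float = 4.0, min_len: int = 16):
    """Return [(client, qname, entropy)] for queries whose client-controlled
    labels are long and have high per-character entropy. Threshold and minimum
    length are assumed tuning values, not figures from the paper; short labels
    are skipped because entropy of a few characters is too noisy to judge."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, qname = parts[1], parts[2]
        payload = client_labels(qname)
        if len(payload) < min_len:
            continue
        h = shannon_entropy(payload)
        if h >= threshold:
            flagged.append((client, qname, round(h, 3)))
    return flagged

if __name__ == "__main__":
    for client, qname, h in detect_high_entropy(SAMPLE_LOG):
        print(f"{client} {qname} entropy={h:.3f}")
```

The benign long hostname in the sample scores about 3.6 bits per character and is not flagged, while the 32-character random labels reach the 5.0-bit maximum for 32 distinct symbols; a fixed per-query threshold is a deliberately simple proxy for the paper's defense and would be tuned against baseline traffic in practice.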
