A Covert Channel in TTL Field of DNS Packets

Covert channels are used as a means of secretly transferring information when there is a need to hide the fact that communication is taking place. With the vast amount of traffic on the internet, network protocols have become a common vehicle for covert channels, typically hiding information in the header fields of packets. Domain name service (DNS) packets contain a 32-bit time to live (TTL) field for each response record. This is the number of seconds for which the entry is valid before caching servers remove it. There is no prescribed value for this field, making it an ideal covert carrier.
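From the defender's side, the per-record TTL described above can be pulled out of captured responses and checked for instability. The following is an added example, not code from the paper: the function names, the `max_distinct` threshold and the heuristic itself are assumptions, and it presumes the responses were captured directly from the zone's authoritative server, where the TTL of a record is normally constant (caching resolvers count TTLs down, so the check does not apply to their answers).

```python
import struct
from collections import defaultdict

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def record_ttls(msg):
    """Return (name, rrtype, ttl) for each resource record in a DNS response."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = read_name(msg, off)
        off += 4
    out = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rrtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rrtype != 41:                      # EDNS OPT reuses the TTL bytes for flags
            out.append((name, rrtype, ttl))
    return out

def variable_ttl_records(responses, max_distinct=2):
    """Assumed heuristic: flag records whose TTL takes many distinct values."""
    seen = defaultdict(set)
    for msg in responses:
        for name, rrtype, ttl in record_ttls(msg):
            seen[(name, rrtype)].add(ttl)
    return {k: sorted(v) for k, v in seen.items() if len(v) > max_distinct}

def sample_response(ttl):
    """Constructed test input: authoritative A answer for example.test."""
    return (struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0)
            + b"\x07example\x04test\x00" + struct.pack("!2H", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([192, 0, 2, 1]))
```

A record whose authoritative TTL takes several different values within a short capture window is worth a closer look; a single legitimate TTL change by the zone operator stays under the default threshold.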
