Note that the calculated ISNs are very close to each other and this could raise
suspicions in anyone paying close attention. However, with 32 bits available, one
could adopt ISN calculation algorithms that produce much more random results.
Such values would be more credible, making the covert channel less likely to be
detected.
5.2.4 Acknowledge Sequence Number Method
This method depends on the use of IP spoofing allowing the sender to 'bounce' the
packet off a remote server and on to the proper destination. The technique fools the
recipient into thinking that the server off which the packet was bounced is actually the
source host, thus achieving an anonymous communication, but only in one direction.
This type of covert channel is very difficult to detect, especially if the bounce-server
is heavily loaded.
This technique rests on a particular feature of TCP/IP protocols whereby the
destination server responds to the connection request by sending a packet with an ISN
increased by one. The sender needs to forge an ad hoc packet changing the following
fields:
- Source IP;
- Source port;
- Destination IP;
- Destination port;
- TCP Initial Sequence Number containing the coded data.
The choice of the destination and source ports is entirely arbitrary. The destination
IP must be that of the bounce-server, and the source IP that of the destination host.
The packet is thus sent by the client to the bounce-server, which proceeds to forward
it to the destination machine (with the ISN increased by one) for decoding.
A correctly configured router/firewall should not allow a packet with the ACK
flag active to pass, if it does not recognize that the destination host is responsible
for opening the connection. Widespread use of stateful packet filters means that this
method is becoming increasingly ineffective, but it may still work if the
configuration can be altered. Using known bounce-servers (.mil, .gov web sites, for instance)
may also block other types of filters which might be applied on the destination host
network.
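As an added example (not from the book), the kind of stateful check the text says defeats this method: outbound SYNs from the protected network are recorded, and an inbound segment carrying ACK is admitted only if it answers one of them with an acknowledgement number equal to that SYN's ISN plus one. The packet records are constructed for the example, not captured traffic.

```python
from collections import namedtuple

# Constructed packet records, not captured traffic. "direction" is relative
# to the protected network: "out" leaves it, "in" enters it.
Packet = namedtuple("Packet", "direction src sport dst dport flags seq ack")

def stateful_filter(packets):
    """Return [(packet, verdict)] where verdict is "ALLOW" or "DROP".

    An inbound segment carrying ACK is admitted only if an inside host was
    seen sending the SYN it answers, and its ack number equals that SYN's
    ISN + 1 (modulo 2^32). Anything else is the unsolicited, bounced
    SYN/ACK the text describes, so it is dropped.
    """
    pending = {}   # (client, cport, server, sport) -> ISN of the outbound SYN
    verdicts = []
    for p in packets:
        flags = set(p.flags.split(","))
        if p.direction == "out" and flags == {"SYN"}:
            pending[(p.src, p.sport, p.dst, p.dport)] = p.seq
            verdicts.append((p, "ALLOW"))
        elif p.direction == "in" and "ACK" in flags:
            isn = pending.get((p.dst, p.dport, p.src, p.sport))
            if isn is not None and p.ack == (isn + 1) & 0xFFFFFFFF:
                verdicts.append((p, "ALLOW"))
            else:
                verdicts.append((p, "DROP"))   # nobody inside asked for this
        else:
            verdicts.append((p, "ALLOW"))      # other traffic is out of scope here
    return verdicts

SAMPLE = [
    # legitimate handshake: inside host 10.0.0.5 opens a connection
    Packet("out", "10.0.0.5", 40000, "198.51.100.7", 80, "SYN", 1000, 0),
    Packet("in", "198.51.100.7", 80, "10.0.0.5", 40000, "SYN,ACK", 5000, 1001),
    # ISN at the top of the 32-bit range: the +1 must wrap to 0
    Packet("out", "10.0.0.5", 40002, "198.51.100.7", 443, "SYN", 0xFFFFFFFF, 0),
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 40002, "SYN,ACK", 9000, 0),
    # bounced packet: SYN/ACK from a server no inside host contacted; its
    # ack field is the spoofed ISN plus one, i.e. the covert data plus one
    Packet("in", "203.0.113.9", 80, "10.0.0.8", 40001, "SYN,ACK", 7777, 0x41424345),
]

if __name__ == "__main__":
    for p, v in stateful_filter(SAMPLE):
        print(v, p.direction, p.src, p.flags, "ack=%d" % p.ack)
```

The last record is dropped because no inside host sent the SYN it claims to answer, which is the property the bounce relies on and the reason a stateful filter blocks it.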