HTTP-based covert channels can therefore take many forms, making the protocol
the ideal vehicle for anyone wishing to hide illicit traffic.
Many open-source and closed-source tools use HTTP tunnels for a wide variety of
purposes. For example, tools designed to “track a stolen computer, wherever it is, as
soon as it is connected to the network” will send the necessary locating information
by, say, e-mail invisibly using covert channels based on HTTP tunnels. The SOAP
protocol (RPC over HTTP) is itself based on the use of HTTP tunnels.
So covert channels are not used exclusively for illicit purposes. Studying the
loopholes which network protocols involuntarily leave open can provide valuable
input for useful projects.
Two tools we might mention whose function is worth examining, even for merely
academic purposes, are hcovert and GNU http-tunnel, whose code is freely available
over the Internet. To find out more about HTTP tunneling and see a few of the
possible techniques it affords, readers should go to Exploitation of data streams
authorized by a network access control system for arbitrary data transfers:
tunneling and covert channels over the HTTP protocol, available to read at the site
http://www.gray-world.net.
5.4 DNS
The possibility of using ordinary DNS requests/responses to send all kinds of data
has aroused great interest recently. In 2004 Dan Kaminsky demonstrated tools that
allowed him to achieve SSH sessions and to transmit/receive audio traffic via normal
DNS servers, though he is not the first to exploit the weaknesses of the DNS protocol.
DNS manages a hierarchical naming system (.com; .bar.com; .foo.bar.com) and
this leads us to a number of interesting considerations. If we can control a DNS
server, thanks to the authority granted by a certain name domain, we can change the
tables which provide the information needed to satisfy the client requests.
Exploiting this feature it is clearly possible to create a covert channel using
certain records from the DNS table. What is surprising is the 'bandwidth' available.
Using the CNAME record to encode the transmitted information we can send/receive
110 bytes per packet, while the TXT record gives a full 220 bytes per packet. This
is an enormous amount of data when compared with that offered by TCP and IP headers.
Many tools use this technique. We should just mention NSTX and note that rumors
abound that botnets and other malicious code may be able to exploit DNS servers to
exchange clandestine data. It will surprise no-one if the next generation of
viruses and worms use precisely this method to synchronize themselves and receive
the command to launch another DDoS of the sort we have become used to in recent
years.
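As an added example (not from the original text or from any of the tools it names), here is a Python check a defender could run over DNS query logs to spot the client-to-server half of such a channel: query names that carry encoded data toward a TXT or CNAME record. The log format, the thresholds and the exfil.example zone are assumptions made for this example.

```python
import math
from collections import Counter, defaultdict
# Constructed sample DNS query log (client, query type, query name); the
# exfil.example names carry base32-looking labels, the rest is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uor4xazlt.t.exfil.example
10.0.0.5 TXT nbswy3dpeb3w64tmmqqhgzlduuqhgzlduuq.t.exfil.example
10.0.0.5 CNAME ge2dinzshezdkmbsgrbtgnztge2dinzshezdkmbs.c.exfil.example
10.0.0.7 A mail.example.org
10.0.0.7 TXT _dmarc.example.org
"""
BULK_RRTYPES = {"TXT", "CNAME", "NULL"}  # record types that carry the most payload

def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())
def split_name(qname):
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])  # assumes a two-label zone
def score_query(qtype, qname):
    """List the reasons a single query looks like tunnel traffic (empty = clean)."""
    sub, _ = split_name(qname)
    payload = "".join(sub)
    reasons = []
    if any(len(label) > 30 for label in sub):      # hostnames are rarely this long
        reasons.append("long-label")
    if len(payload) >= 16 and shannon_entropy(payload) > 3.5:  # base32/hex-like
        reasons.append("high-entropy")
    if reasons and qtype in BULK_RRTYPES:          # suspect name + bulk record type
        reasons.append("bulk-capable-rrtype")
    return reasons
def analyze(log_text):
    """Per registered domain: total queries, flagged queries, suspect bytes carried."""
    stats = defaultdict(lambda: {"queries": 0, "flagged": 0, "payload_bytes": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue            # skip malformed lines rather than crash
        _, qtype, qname = fields
        sub, zone = split_name(qname)
        stats[zone]["queries"] += 1
        if score_query(qtype, qname):
            stats[zone]["flagged"] += 1
            stats[zone]["payload_bytes"] += len("".join(sub))
    return {zone: s for zone, s in stats.items() if s["flagged"]}
```

A zone where nearly every query is flagged and the payload byte count keeps growing is the pattern to alert on; a lone high-entropy name is often just a CDN or anti-spam lookup.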