Top

Published in:

2018 | OriginalPaper | Chapter

A Reflective Covert Channel Attack Anchored on Trusted Web Services

Authors : Feng Zhu, Youngtae Yun, Jinpeng Wei, Brent Byunghoon Kang, Yongzhi Wang, Daehyeok Kim, Peng Li, He Xu, Ruchuan Wang

Published in: Web Services – ICWS 2018

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

This paper introduces a novel attack that can covertly exfiltrate data from a compromised network to a blocked external endpoint, using public web services as the intermediaries and exploiting both HTTP requests and DNS queries. We first identify at least 16 public web services and 2 public HTTP proxies that can serve this purpose. Then we build a prototype attack using these public services and experimentally confirm its effectiveness, including an average data transfer rate of 361 bits per second. Finally, we present the design, implementation and evaluation of a proof-of-concept defense that uses information-theoretic entropy of the DNS queries to detect this novel attack.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter TProv: Towards a Trusted Provenance-Aware Service Based on Trusted Computing

next chapter Privacy-Preserving Homomorphic MACs with Efficient Verification

Hutchins, E., Cloppert, M., Amin, R.: Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. In: Proceedings of the 6th International Conference on Information Warfare and Security 2011, pp. 113–125. Academic Conferences Ltd., USA (2011)

Grand Theft Data: Data exfiltration study: actors, tactics, and detection (2015). https://www.mcafee.com/us/resources/reports/rp-data-exfiltration.pdf. Accessed 10 Apr 2018

Annarita, G., Vincent, H.B., George, V.C.: Data exfiltration and covert channels. In: Defense and Security Symposium, 17–21 April 2006, Orlando, Florida, USA (2006)

DNS attacks putting organizations at risk, survey finds (2014). https://www.scmagazine.com/ddos-attacks-mask-crime/article/539683. Accessed 10 Apr 2018

Bauer, M.: New covert channels in HTTP: adding unwitting web browsers to anonymity sets. In: Proceedings of the 2003 ACM Workshop on Privacy in the Electronic Society, pp. 72–78. ACM, New York (2003)

Born, K.: Browser-based covert data exfiltration. In: 9th Annual Security Conference, Las Vegas, NV, USA (2010)

Born, K.: PSUDP: a passive approach to network-wide covert communication. In: Black Hat USA 2010, Las Vegas, NV, USA (2010)

Exploitation of Data Streams Authorized by a Network Access Control System for Arbitrary Data Transfers: Tunneling and Covert Channels over the HTTP Protocol. Technique report, Gray-World (2003). http://gray-world.net/projects/papers/covert_paper.txt. Accessed 10 Apr 2018

Fifield, D., Nakibly, G., Boneh, D.: OSS: using online scanning services for censorship circumvention. In: De Cristofaro, E., Wright, M. (eds.) PETS 2013. LNCS, vol. 7981, pp. 185–204. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39077-7_10CrossRef

10.

Application Layer Covert Channel Analysis and Detection. Technique report, Napier University Edinburgh (2006). http://billatnapier.com/zk.pdf. Accessed 10 Apr 2018

11.

Revelli, A., Leidecker, N.: Playing with Heyoka: spoofed tunnels, undetectable data exfiltration and more fun with DNS packets. In: Shakacon 2009, Honolulu, HI, USA (2009)

12.

Van Horenbeeck, M.: Deception on the network: thinking differently about covert channels. In: Proceedings of the 7th Australian Information Warfare and Security Conference, pp. 174–184. Edith Cowan University, Perth (2006)

13.

Xu, K., Butler, P., Saha, S., Yao, D.: DNS for massive-scale command and control. IEEE Trans. Dependable Secure Comput. 10(3), 143–153 (2013)CrossRef

14.

Borders, K., Prakash, A.: Towards quantification of network-based information leaks via HTTP. In: Proceedings of the Third USENIX Workshop on Hot Topics in Security (HotSEC 2008). USENIX Association, Berkeley (2008)

15.

Born, K., Gustafson, D.: Detecting DNS tunnels using character frequency analysis. In: 9th Annual Security Conference, Las Vegas, NV, USA, 7–8 April 2010 (2010)

16.

Dietrich, C.J., Rossow, C., Freiling, F.C., Bos, H., van Steen, M., Pohlmann, N.: On botnets that use DNS for command and control. In: 7th European Conference on Computer Network Defense, Gothenburg, Sweden, 6–7 September 2011 (2011)

17.

Karasaridis, A., Meierhellstern, K.S., Hoeflin, D.A.: NIS04-2: detection of DNS anomalies using flow data analysis. In: IEEE GLOBECOM 2006 - Global Telecommunications Conference, pp. 1–6. IEEE, New York (2006)

18.

Paxson, V., Christodorescu, M., Javed, M., et al.: Practical comprehensive bounds on surreptitious communication over DNS. In: Proceedings of the 22nd USENIX Security Symposium, pp. 17–32. USENIX Association, Berkeley (2013)

19.

Qi, C., Chen, X., Xu, C., Shi, J., Liu, P.: A bigram based real time DNS tunnel detection approach. Procedia Comput. Sci. 17, 852–860 (2013)CrossRef

20.

Zhang, S., Zou, F., Wang, L., Cheng, M.: Detecting DNS-based covert channel on live traffic. J. Commun. 34(5), 143–151 (2013)

21.

Google Search by Image. http://www.google.com/searchbyimage. Accessed 10 Apr 2018

22.

DNS Nslookup online. http://network-tools.com/nslook. Accessed 10 Apr 2018

23.

Dr. Web Online scanner. http://vms.drweb.com/online. Accessed 10 Apr 2018

24.

DNSCat. https://wiki.skullsecurity.org/Dnscat. Accessed 10 Apr 2018

25.

DNS Dig online. http://dig-nslookup.nmonitoring.com/dns-dig-nslookup.html. Accessed 10 Apr 2018

26.

DNS MX record online. http://www.nmonitoring.com/show-mx-record.html. Accessed 10 Apr 2018

27.

Whois Online. http://whois.nmonitoring.com. Accessed 10 Apr 2018

28.

PDFMyURL. http://pdfmyurl.com. Accessed 10 Apr 2018

29.

vURL Online. http://vurldissect.co.uk. Accessed 10 Apr 2018

30.

IE Netrenderer. http://netrenderer.com. Accessed 10 Apr 2018

31.

VirusTotal. https://www.virustotal.com. Accessed 10 Apr 2018

32.

Avira’s Virus Scanner. https://analysis.avira.com. Accessed 10 Apr 2018

33.

Google Translate. http://translate.google.com. Accessed 10 Apr 2018

34.

Bing Translator. https://www.bing.com/translator. Accessed 10 Apr 2018

35.

Baidu Translate. http://fanyi.baidu.com. Accessed 10 Apr 2018

36.

Web Page Analyzer. http://www.websiteoptimization.com/services/analyze. Accessed 10 Apr 2018

37.

Pingdom Website Speed Test. https://tools.pingdom.com. Accessed 10 Apr 2018

38.

PPMD compressor. http://www.compression.ru/ds. Accessed 10 Apr 2018

39.

Exploitation of Data Streams Authorized by a Network Access Control System for Arbitrary Data Transfers: Tunneling and Covert Channels over the HTTP Protocol. Technique report, Gray-World. http://gray-world.net/projects/papers/covert_paper.txt. Accessed 10 Apr 2018

40.

Application Layer Covert Channel Analysis and Detection. Technique report, Napier University Edinburgh. http://billatnapier.com/zk.pdf. Accessed 10 Apr 2018

41.

Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31, 2435–2463 (1999)CrossRef

42.

Roesch, M.: SNORT: lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX Conference on Systems Administration, pp. 229–238. USENIX Association, Berkeley (1999)

43.

Bernaille, L., Teixeira, R., Akodkenou, I., et al.: Traffic classification on the fly. ACM Spec. Interest Group Data Commun. 36(2), 23–26 (2006)

44.

Crotti, M., Dusi, M., Gringoli, F., Salgarelli, L.: Detecting HTTP tunnels with statistical mechanisms. In: Proceedings of the 42th IEEE International Conference on Communications, pp. 6162–6168. IEEE, New York (2007)

Title: A Reflective Covert Channel Attack Anchored on Trusted Web Services
Authors: Feng Zhu
Youngtae Yun
Jinpeng Wei
Brent Byunghoon Kang
Yongzhi Wang
Daehyeok Kim
Peng Li
He Xu
Ruchuan Wang
Publisher: Springer International Publishing
Book: Web Services – ICWS 2018
Print ISBN: 978-3-319-94288-9

Electronic ISBN: 978-3-319-94289-6

Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-319-94289-6_6

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner