  1. Attacks
    1. port knocking
      1. uses covert channels for sending the authentication information
      2. port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports
      3. Tools
        1. knockd
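To make the port-knocking mechanism concrete, here is a small per-source state machine of the kind a knock daemon such as knockd runs: it watches connection attempts to closed ports and reports when a source has sent the configured sequence in order and in time. This is an added example and not knockd's own code; the sequence (7000, 8000, 9000), the 5-second window and the event tuples are constructed assumptions. The same replay logic can be run over a firewall's log of dropped SYNs to see whether a configured sequence was ever used.

```python
"""Port-knock sequence tracker (added example; this is not knockd's code).

Constructed assumptions: the secret sequence is TCP connection attempts to ports
7000, 8000, 9000 in that order; the whole sequence must arrive within 5 seconds;
events are (timestamp_seconds, source_ip, dst_port) tuples such as a firewall's
log of dropped SYNs to closed ports would provide.
"""
SEQUENCE = (7000, 8000, 9000)
SEQ_TIMEOUT = 5.0  # seconds allowed between the first and the last knock


class KnockTracker:
    """Per-source state machine over a knock sequence, in the spirit of knockd."""

    def __init__(self, sequence=SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.progress = {}  # src -> (index of next expected port, time of first knock)

    def observe(self, ts, src, port):
        """Feed one connection attempt; return True only when `src` completes the sequence."""
        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > self.timeout:
            # Partial sequence took too long: forget it and treat this as a fresh start.
            idx, started = 0, ts
        if port != self.sequence[idx]:
            # An out-of-order port resets the source: if it happens to be the first
            # port of the sequence the sequence restarts, otherwise the state is cleared.
            if port == self.sequence[0]:
                self.progress[src] = (1, ts)
            else:
                self.progress.pop(src, None)
            return False
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src, None)  # done; the source must knock again next time
            return True
        self.progress[src] = (idx, started)
        return False


def replay(events, sequence=SEQUENCE, timeout=SEQ_TIMEOUT):
    """Run attempts through a tracker; return [(ts, src)] for every completed sequence."""
    tracker = KnockTracker(sequence, timeout)
    return [(ts, src) for ts, src, port in events if tracker.observe(ts, src, port)]


# Constructed sample attempts: one correct knock, one out of order, one too slow.
EVENTS = [
    (0.0, "192.0.2.10", 7000),
    (0.5, "192.0.2.10", 8000),
    (1.0, "192.0.2.10", 9000),   # in order and within 5 s -> sequence completes
    (2.0, "192.0.2.20", 7000),
    (2.5, "192.0.2.20", 9000),   # wrong order -> state cleared
    (3.0, "192.0.2.20", 8000),
    (10.0, "192.0.2.30", 7000),
    (17.0, "192.0.2.30", 8000),  # 7 s after the first knock -> too slow, reset
    (17.5, "192.0.2.30", 9000),
]

if __name__ == "__main__":
    for ts, src in replay(EVENTS):
        print("sequence completed by %s at t=%.1f" % (src, ts))
```

Only the first source completes the sequence; the other two show the two failure modes a knock daemon must handle, a wrong port and a stale partial sequence.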
    2. packet traceback
    3. ARP spoofing (ARP attacks; also ARP flooding, ARP poisoning or ARP Poison Routing)
      1. ARP Spoofing may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether
    4. Replay attack
    5. Denial-of-service attack (DoS) and distributed denial-of-service attack (DDoS)
    6. Man-in-the-middle attack (MITM) (also called bucket-brigade attack or Janus attack)
    7. Smurf attack
      1. a way of generating significant computer network traffic on a victim network. This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages.
    8. Ping Flood
        1. ICMP can be abused in the following scheme: the attacker sends echo request packets with spoofed source IP addresses, tying up the victim, which spends all its time replying to non-existent senders. The attack can be further strengthened by sending large datagrams (exceeding 65536 octets). Early operating systems would crash when receiving such oversized packets (also known as the Ping of Death). Sending large datagrams further strains the victim's network throughput, because its border router may have to spend a lot of time fragmenting the oversized packets.
  2. History
  3. Definition
    1. Covert channels in computer network protocols are similar to techniques for hiding information in audio, visual or textual content (steganography)
    2. The term ‘covert channel’, when applied to computer networks, describes a mechanism for sending information without the knowledge of the network administrator or other users.
    3. Ways
        1. a transmission channel that may be used to transfer data in a manner that violates security policy (Van Horenbeeck, 2010)
        2. a means of communication not normally intended to be used for communication (Zander, Armitage & Branch, 2007)
        3. a mechanism for sending and receiving information data between machines without alerting any firewalls and IDSs on the network (Buetler, 2008)
  4. Open Channel
    1. such as the free transfer of memory sticks in and out of organisations as
  5. Filters
    1. Ingress filtering
      1. Problem
        1. Networks receive packets from other networks. Normally a packet contains the IP address of the computer that originally sent it. This allows other computers in the network to know where it came from, which is needed for things like sending a packet back to the sending computer. In certain cases, the source IP address is spoofed. This is usually done as part of an attack, so that the attacked computer does not know where the attack is really coming from.
      2. Solution
        1. In ingress filtering, packets entering the network are dropped when the network they arrive from should not be sending packets with that source IP address.
    2. Egress filtering
      1. Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network.
      2. Egress filtering may require policy changes and administrative work whenever a new application requires external network access. For this reason, egress filtering is an uncommon feature on consumer and very small business networks.
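The source-address part of ingress and egress filtering (the anti-spoofing check the Problem/Solution items above describe) is small enough to show end to end. The following is an added example, not code from the page; the site prefix 203.0.113.0/24, the interface names "wan" and "lan", the reserved-range list and the sample packets are all constructed assumptions.

```python
"""Ingress and egress source-address filtering (added example, not from the page).

Constructed assumptions: the site owns 203.0.113.0/24, has a "wan" and a "lan"
interface, and a packet is summarised as (direction, interface, src_ip).
"""
import ipaddress

OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that can never legitimately arrive from the Internet:
# non-routable and reserved space (our own prefix is handled separately).
BOGON_SOURCES = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def ingress_filter(interface, src, own=OWN_PREFIXES, bogons=BOGON_SOURCES):
    """Verdict for a packet entering from `interface`.

    On the WAN side, drop packets whose source address belongs to a network that
    should not be sending it from there: our own space or a reserved range."""
    ip = ipaddress.ip_address(src)
    if interface == "wan" and (_in_any(ip, own) or _in_any(ip, bogons)):
        return "drop"
    return "accept"


def egress_filter(src, own=OWN_PREFIXES):
    """Verdict for a packet about to leave towards the WAN.

    Only our own prefix may appear as the source, so spoofed-source floods
    (such as the smurf and ping-flood traffic listed above) cannot leave the site."""
    return "accept" if _in_any(ipaddress.ip_address(src), own) else "drop"


def audit(packets):
    """Apply the matching filter to each (direction, interface, src); return (src, verdict) pairs."""
    verdicts = []
    for direction, interface, src in packets:
        if direction == "in":
            verdicts.append((src, ingress_filter(interface, src)))
        else:
            verdicts.append((src, egress_filter(src)))
    return verdicts


# Constructed sample traffic.
SAMPLE = [
    ("in", "wan", "198.51.100.9"),   # ordinary Internet host -> accept
    ("in", "wan", "203.0.113.7"),    # outsider claiming one of our addresses -> drop
    ("in", "wan", "10.0.0.5"),       # RFC 1918 source arriving from the Internet -> drop
    ("in", "lan", "203.0.113.7"),    # our own host on the inside -> accept
    ("out", "wan", "203.0.113.7"),   # legitimate outbound -> accept
    ("out", "wan", "192.0.2.77"),    # inside host spoofing a foreign source -> drop
]

if __name__ == "__main__":
    for src, verdict in audit(SAMPLE):
        print("%-15s %s" % (src, verdict))
```

The egress rule is the one that stops a site from being used as the source of a spoofed flood; the ingress rule is what stops spoofed traffic claiming internal addresses from reaching internal hosts. Real deployments express the same checks as firewall or router ACLs rather than in Python.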
  6. Communication Channels
    1. ICMP
      1. ICMP
        1. It communicates at layer 3, the Network layer, of the network stack and operates on a datagram basis, much like UDP.
        2. ICMP is primarily used for sending control and error messages between endpoints
        3. ICMP is usually generated as a result of a transmission failure or diagnostic effort by another network protocol
      2. Why?
        1. ICMP is commonly allowed through firewalls for network troubleshooting purposes
        2. Network devices typically do not filter the contents of ICMP_ECHO traffic
      3. ICMP Data Field
        1. This field is designed to return textual data in response to a network error, but the data is not verified or limited in any meaningful way. The payload can be crafted to hold any manner of data, which will piggyback on the ICMP packet.
      4. ICMP traffic is often considered to be benign, so network equipment does not check its payload. Therefore, an attacker can hide any generated information in the payload of ICMP.
      5. Stateless Solution
        1. 10.1.1.61.5798.pdf
          1. ICMP tunneling is becoming a vital part of malicious software. To prevent ICMP tunneling, kernel modifications are necessary to enforce a fixed predefined payload policy for ICMP packets. If the proposed solution becomes an integral part of the kernels that run on hosts, gateways, and DMZ routers, then it will be impossible to establish ICMP tunnels. Another way to remove ICMP tunneling is to simply truncate the data field of ICMP. However, truncation of the data field will require amendments to the RFCs [11][12] that define the data field for ICMP. Scanning and erasing the ICMP data field is compliant with the RFCs and prevents ICMP tunneling irrespective of the type of firewall used.
      6. Mitigating ICMP Covert Channels
        1. Disable all ICMP traffic
        2. Disable part of the ICMP traffic allowed by a firewall.
        3. Limit the size of ICMP packets
        4. Preserve the state of ICMP packets to check for covert channels.
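The two stateless defences described in the paper summary above (enforcing a fixed predefined payload and scanning-and-erasing the data field) and the size limit from the mitigation list can be demonstrated on raw packets. The following is an added example, not code from the page or the cited paper; the 56-byte policy pattern, the addresses and the sample packets are constructed, and it assumes plain IPv4 headers without options.

```python
"""ICMP echo payload policy check and data-field erasure (added example, not from the page).

Constructed assumptions: packets are raw IPv4 + ICMP bytes with no IP options
(IHL = 5); the only allowed echo payload is the fixed 56-byte pattern below,
standing in for a site's "predefined payload policy"; real ping tools vary.
"""
import struct

POLICY_PAYLOAD = bytes(range(0x10, 0x10 + 56))  # constructed fixed pattern, 56 bytes
MAX_ICMP_PAYLOAD = 56                            # size limit from the mitigation list


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used by both IPv4 and ICMP); 0 means valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(src: str, dst: str, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Assemble an IPv4 packet carrying an ICMP echo request (type 8) with `payload`."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_echo(pkt: bytes) -> dict:
    """Split an IPv4/ICMP packet into its fields; raises ValueError if malformed."""
    if len(pkt) < 28 or (pkt[0] >> 4) != 4 or (pkt[0] & 0x0F) != 5 or pkt[9] != 1:
        raise ValueError("not a plain IPv4/ICMP packet")
    icmp = pkt[20:]
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"type": typ, "code": code, "ident": ident, "seq": seq,
            "payload": icmp[8:], "checksum_ok": inet_checksum(icmp) == 0}


def check_policy(pkt: bytes) -> list:
    """Return the policy violations found in an echo packet ([] means compliant)."""
    f = parse_echo(pkt)
    findings = []
    if not f["checksum_ok"]:
        findings.append("bad ICMP checksum")
    if f["type"] not in (0, 8):  # only echo request/reply are covered by this policy
        return findings
    if len(f["payload"]) > MAX_ICMP_PAYLOAD:
        findings.append("payload exceeds %d bytes" % MAX_ICMP_PAYLOAD)
    # A shorter payload is accepted only if it is a prefix of the fixed pattern.
    if f["payload"] != POLICY_PAYLOAD[:len(f["payload"])]:
        findings.append("payload deviates from fixed policy pattern")
    return findings


def erase_data_field(pkt: bytes) -> bytes:
    """Zero the ICMP data field (the scan-and-erase defence), keeping the length so the
    IP header is unchanged, and recompute the ICMP checksum so the packet still validates."""
    icmp = pkt[20:22] + b"\x00\x00" + pkt[24:28] + bytes(len(pkt) - 28)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return pkt[:20] + icmp


# Constructed samples: a compliant ping, one carrying hidden text, one oversized.
GOOD = build_echo("192.0.2.10", "198.51.100.5", POLICY_PAYLOAD)
COVERT = build_echo("192.0.2.10", "198.51.100.5",
                    b"hidden: the quick brown fox jumps over the lazy dog!!")
OVERSIZED = build_echo("192.0.2.10", "198.51.100.5", POLICY_PAYLOAD + bytes(1000))

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("covert", COVERT), ("oversized", OVERSIZED)):
        print(name, check_policy(pkt) or "compliant")
    print("erased covert packet valid:", parse_echo(erase_data_field(COVERT))["checksum_ok"])
```

The fixed-pattern check and the erase-and-forward step are alternatives, not a pipeline: a gateway enforcing a fixed pattern rejects or rewrites anything else, while a gateway that erases the data field forwards a valid, now-empty echo that can no longer carry tunnelled data. Both are stateless, which is why they work regardless of the firewall in front of them.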