
Analyzing Network-Aware Active Wardens in IPv6

  • Conference paper
Information Hiding (IH 2006)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4437)

Abstract

A crucial security practice is the elimination of network covert channels. Recent research in IPv6 discovered that there exist at least 22 different covert channels, suggesting the use of advanced active wardens as an appropriate countermeasure. The described covert channels are particularly harmful not only because of their potential to facilitate deployment of other attacks but also because of the increasing adoption of the protocol without a parallel deployment of corrective technology. We present a pioneer implementation of network-aware active wardens that eliminates the covert channels exploiting the Routing Header and the hop limit field as well as the well-known Short TTL Attack. Network-aware active wardens take advantage of network-topology information to detect and defeat covert protocol behavior. We show, by analyzing their performance over a controlled network environment, that the wardens eliminate a significant percentage of the covert channels and exploits with minimal impact on the end-to-end communications (approximately 3% increase in the packet round-trip time).
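The sketch below illustrates the hop-limit part of the idea only. It is an added example, not code from the paper: the topology table, `MARGIN`, the function names and the drop/normalize policy are all assumptions made here. A warden that knows how many routers lie between itself and each destination prefix can rewrite every hop limit to one canonical value, so the field carries no sender-chosen information, and can discard packets that would expire before reaching the host.

```python
import ipaddress
import struct

# Constructed topology (assumption): destination prefix -> number of routers
# that forward a packet between the warden and hosts in that prefix.
TOPOLOGY = {
    ipaddress.ip_network("2001:db8:1::/48"): 2,
    ipaddress.ip_network("2001:db8:2::/48"): 4,
}
MARGIN = 1  # hypothetical slack; must be >= 1 so the last router still forwards

def build_packet(src, dst, hop_limit, payload=b""):
    """Build a constructed IPv6 packet: 40-byte fixed header, next header 59 (none)."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", first_word, len(payload), 59, hop_limit)
            + ipaddress.ip_address(src).packed
            + ipaddress.ip_address(dst).packed + payload)

def routers_to(dst):
    """Longest-prefix match of dst against the topology table; None if unmapped."""
    matches = [(net.prefixlen, n) for net, n in TOPOLOGY.items() if dst in net]
    return max(matches)[1] if matches else None

def warden(pkt):
    """Return (verdict, packet); verdict is 'drop', 'normalized' or 'pass'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop", None              # not a well-formed IPv6 fixed header
    hop_limit = pkt[7]
    dst = ipaddress.IPv6Address(pkt[24:40])
    routers = routers_to(dst)
    if routers is None:
        return "pass", pkt               # destination outside the mapped topology
    if hop_limit <= routers:
        return "drop", None              # would be discarded before the host sees it
    # IPv6 has no header checksum and the upper-layer pseudo-header excludes
    # the hop limit, so rewriting this one byte needs no checksum update.
    canonical = routers + MARGIN
    return "normalized", pkt[:7] + bytes([canonical]) + pkt[8:]
```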


Editor information

Jan L. Camenisch Christian S. Collberg Neil F. Johnson Phil Sallee

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lewandowski, G., Lucena, N.B., Chapin, S.J. (2007). Analyzing Network-Aware Active Wardens in IPv6. In: Camenisch, J.L., Collberg, C.S., Johnson, N.F., Sallee, P. (eds) Information Hiding. IH 2006. Lecture Notes in Computer Science, vol 4437. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74124-4_5

  • DOI: https://doi.org/10.1007/978-3-540-74124-4_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-74123-7

  • Online ISBN: 978-3-540-74124-4

  • eBook Packages: Computer Science (R0)
