Analyzing network-aware active wardens in IPv6

Authors:
Grzegorz Lewandowski;Norka B. Lucena;Steve J. Chapin
Affiliations:
Systems Assurance Institute, Syracuse University, Syracuse, NY;Systems Assurance Institute, Syracuse University, Syracuse, NY;Systems Assurance Institute, Syracuse University, Syracuse, NY
Venue:
IH'06 Proceedings of the 8th international conference on Information hiding
Year:
2006

Citing 10
Cited 0

Stretching the Limits of Steganography

Proceedings of the First International Workshop on Information Hiding
Hiding Data in the OSI Network Model

Proceedings of the First International Workshop on Information Hiding
Eliminating Steganography in Internet Traffic with Active Wardens

IH '02 Revised Papers from the 5th International Workshop on Information Hiding
Active Mapping: Resisting NIDS Evasion without Altering Traffic

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
New covert channels in HTTP: adding unwitting Web browsers to anonymity sets

Proceedings of the 2003 ACM workshop on Privacy in the electronic society
IP covert timing channels: design and detection

Proceedings of the 11th ACM conference on Computer and communications security
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Covert messaging through TCP timestamps

PET'02 Proceedings of the 2nd international conference on Privacy enhancing technologies
Covert channels in IPv6

PET'05 Proceedings of the 5th international conference on Privacy Enhancing Technologies
On the limits of steganography

IEEE Journal on Selected Areas in Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

A crucial security practice is the elimination of network covert channels. Recent research in IPv6 discovered that there exist, at least, 22 different covert channels, suggesting the use of advanced active wardens as an appropriate countermeasure. The described covert channels are particularly harmful not only because of their potential to facilitate deployment of other attacks but also because of the increasing adoption of the protocol without a parallel deployment of corrective technology. We present a pioneer implementation of network-aware active wardens that eliminates the covert channels exploiting the Routing Header and the hop limit field as well as the well-known Short TTL Attack. Network-aware active wardens take advantage of network-topology information to detect and defeat covert protocol behavior. We show, by analyzing their performance over a controlled network environment, that the wardens eliminate a significant percentage of the covert channels and exploits with minimal impact over the end-to-end communications (approximately 3% increase in the packet roundtrip time).