Network Security’s Friend or Foe
Spyridon Dossis / DSV, Stockholm University



Description & Concerns
Tunneling Protocols &
Protocol Tunneling
Network Tunneling Tools &
Setup

Demo

Conclusions


A delivery network protocol
encapsulates a payload
network protocol
The delivery protocol
usually operates at the
same or higher level (e.g.
in the TCP/IP stack) than
the payload protocol

Protocol Tunneling
◦ Order in Protocol Encapsulation
◦ Obfuscation rather than hiding
◦ Practical use cases & misuse

Covert Channels
◦ Channels not intended for information
transfer
◦ Hiding in unused protocol fields, utilizing
fields such as IP ID, TCP Sequence number
etc.
◦ Network Steganography


Carry data over incompatible
delivery-networks
Provide a (encrypted) path
through a public network
◦ Monitoring vs Anti-Censorship

Allowing “some kind” of
traffic may lead to “any kind”

Pre-existing network-based security
tools (firewalls, IDS) may not be able to
apply the controls to the tunneled
traffic
◦ Evading traffic regulation

Lack of host-based security controls
◦ Defense in depth

Inability for ingress and egress filtering

‘Open-ended’ tunnel may forward
traffic to other internal hosts

Advanced Persistent Threats
(APTs) - Remote Control & Data
exfiltration
◦ Backdoors with OS commands, file
transfer capabilities are installed in
target systems.
◦ Upload collected files using
common ports such as HTTP (80),
HTTPS (443) and DNS (53)
bypassing detection.

Covert channels for malware
◦ e.g. C&C communications over DNS
(i.e. Feederbot, W32.Morto )



Description & Concerns
Tunneling Protocols &
Protocol Tunneling
Network Tunneling Tools &
Setup

Demo

Conclusions



The original IP packet is encrypted
The ESP header indicates that the entire
packet is the payload (IP-in-IP)
Inserts a new IP header (next header is ESP)
Image taken from http://www.free-it.de/archiv/talks_2005/paper-11156/paper-11156.html


Security services from gateway to gateway or
from host to gateway over an insecure
network
The entire original packet is encrypted
◦ Internal traffic behind the gateways is not protected

Often used to implement Virtual Private
Networks (IPsec VPNs)
◦ Site-to-site
◦ Client-to-site


“GRE (Generic Routing Encapsulation)
specifies a protocol for encapsulation of an
arbitrary protocol over another arbitrary
network layer protocol” – RFC 2784 and 2890
Point-to-point links
Image taken from http://netwild.ru/pptp/


Ethernet over IPv4/IPv6
(e.g. Openstack Neutron)
Support for tunneling
broadcasting/multicasting
◦ e.g. Delivering routing updates to multiple sites


IPv4/IPv6 over IPv4/IPv6
No default encryption/security services
◦ IPSec Tunnel/Transport over GRE






Tunnel Brokers provide a network tunneling
service
6in4 – IPv6 over IPv4
4in6 – IPv4 over IPv6
ISATAP
Teredo – IPv6 over UDP over IPv4
…and others



Secure channel over an insecure
network between an SSH client
and an SSH server (e.g. OpenSSH)
typically listening at TCP port 22
Public-key cryptography for server
(and client) authentication
Remote command execution, file
transfer (SCP, SFTP), TCP port and
X forwarding, tunneling



Local-port forwarding when traffic coming to
a local port is forwarded to a specified
remote host/port
Destination is relative to the SSH server’s
location and mostly unrestricted
SSH client can be configured to act either as a
local-only service or public to other hosts



Remote-port forwarding when traffic coming
to a remote port is forwarded to a specified
local host/port
Destination is relative to the SSH client’s
location and mostly unrestricted
SSH server can be configured to act either as
a local-only service or public to other hosts

Performs successfully for singlehost/port communications
◦ Simple Web (HTTP)
◦ Mail (SMTP, POP3, IMAP)
◦ SSH

Fails for more complex network
services
◦ Web with External References / Surfing
 Solution: Chain to a Web Proxy
◦ FTP
◦ Peer-to-Peer



The SOCKS protocol proxies TCP
connections/forwards UDP packets from
client to server through a proxy
A local SOCKS proxy is created on the SSH
client’s side and can forward traffic to
arbitrary remote hosts and ports
Firewall Traversal / Content-filtering
circumvention

Run remote X Window System based
applications but displayed locally

Need for X server for Windows

Secure the X protocol by tunneling it over SSH

ssh –X user@host <application>
◦ Run a remote browser visiting a blocked website




“An ICMP ECHO_REQUEST packet contains an
additional 8 bytes worth of ICMP header
followed by an arbitrary-amount of data” –
ping(8) man page
LOKI (Phrack Issue 49) utilized it to establish
a covert channel between client/server
IP over ICMP
TCP over ICMP

Various network protocols are encapsulated
using the HTTP protocol

HTTP is rarely blocked

Bypass restrictions
◦ Firewalls
◦ Proxy server / Content-filtering





Transport arbitrary data by encoding them into DNS
messages
Wide support and availability of the global DNS infrastructure
Few organizations block DNS traffic from individual clients to
the Internet (e.g. captive portals in public Wi-Fi)
Effective for bypassing security measures such as firewalls or
ACLs
Used for two-way communication or data exfiltration

Around since 1998

NSTX (Nameserver Transfer Protocol)


OzymanDNS (Dan Kaminsky) – “Tunneling
Audio, Video and SSH over DNS”
Used mostly for bypassing paywalls

Mapping domain names and IP addresses

Record types
◦ A, AAAA, CNAME, MX, NS, PTR, TXT, NULL

EDNS for UDP payloads larger than 512 bytes
◦ Increased bandwidth

Internal users can contact arbitrary external
domains through the organization’s DNS
servers/resolvers
Image taken from http://nirlog.com/2006/03/28/dns-amplification-attack/





Maximum 253 characters in domain
Maximum 63 characters per subdomain
Case-insensitive (Base32 encoding)
TXT requests allow for maximum characters
in response + Base64 encoding
Bandwidth up to 110KB/s, 150ms latency
(Van Leijenhorst, 2008)



Description & Concerns
Tunneling Protocols &
Protocol Tunneling
Network Tunneling Tools &
Setup

Demo

Conclusions

Combined with NetCat
◦ Establish a local/remote port forward over SSH with
an SSH server
◦ Create a FIFO special file (a named pipe) on both
sides
◦ Listen for UDP requests / Relay through the SSH
tunnel
◦ Forward UDP requests / Relay through the SSH
tunnel


tcp_to_udp & udp_to_tcp
socat Relay & UDPTunnel (UDP over TCP)



In the case of HTTP browsing, DNS requests are
still submitted by the client
Monitoring can reveal DNS requests for common
websites along SSH traffic.
Solution: forward DNS requests also to the SSH
server.
◦ (e.g. Firefox network.proxy.socks_remote_dns)

Multi-hop setups
◦ Client (SSH lpf) -> Host 1 (SSH dpf) -> Host 2 -> Web


SSH Traffic Volume & SSH Tunnel Endpoints
Tunnel Hunter (Dusi et al., 2008)
◦ Naïve Bayes Classifier
◦ Packet size & Packet inter-arrival time
◦ Detect Tunneling & Classify the actual protocol
(BitTorrent, POP, SMTP, HTTP) with high accuracy
◦ Limitations with respect to multiple SSH
authentication types, data compression, login
failures, network protocols

SSH server in non-standard ports (e.g. 443)
◦ EmergingThreats Snort Rules, Cisco IDS

Degrade SSH performance (TCP over TCP )
Image taken from http://www.sectechno.com/2010/10/31/bypassing-firewalls-using-icmp-tunnel/
ICMPTX (IP over ICMP)
 ICMP Tunnel (IP over ICMP)
 Hans (IP over ICMP)
 itun (IP over ICMP)
 Ptunnel (TCP over ICMP)

Droid-VPN , Troid-VPN (Android Apps,
need root)
 PD-Proxy, Wi-Free, Tunnel Guru


Detection Signatures
◦ ICMP_PingTunnel_Detected
◦ LOKI ICMP tunneling back door
◦ ICMP Raw Sockets

Non-standard average packet size
High ICMP traffic volume between tunnel
endpoints

Disallow ICMP traffic




The Tunnel Client initiates an HTTP
connection to the Tunnel Server
The application encapsulates the application
requests in HTTP requests destined to the
Tunnel Server
The Tunnel Server unwraps and forwards

GNU httptunnel
◦ htc – Tunnel Client component
◦ hts – Tunnel Server component

Syntax
◦ Server: hts –F remote:<remote_port> 80
◦ Client: htc –F <local_port> server:80
ssh –p <local_port> user@localhost







OzymanDNS
Dns2tcp
Iodine
Heyoka (+ source IP spoofing)
DNSCat
NSTX
DNScapy

MagicTunnel, Element53, VPN-over-DNS (Android)
iodine for iOS

“VPN over DNS”


Increased DNS traffic (network traffic profiling)

Maximum DNS request packet size

Large number of DNS TXT requests

Number of DNS requests, unique hostnames to a single
domain

Composition of hostnames

Split DNS
◦ Length, unique characters, character frequency analysis
◦ Web proxies (but not clients) can resolve external domains

Determining which tunneling messages are
malicious
◦ Real-time Blackhole Lists (DNSBL lookups)
 23.42.168.192.dnsbl.example.net
 example.net.dnslist.example.com
◦ NIST National Software Reference Library
 84C0C5914FF0B825141BA2C6A9E3D6F4.md5.dshield.or
g

Mail server performs DNS TXT requests (SPF)



Description & Concerns
Tunneling Protocols &
Protocol Tunneling
Network Tunneling Tools &
Setup

Demo

Conclusions



Description & Concerns
Tunneling Protocols &
Protocol Tunneling
Network Tunneling Tools &
Setup

Demo

Conclusions



Using existing core network protocols in
innovative ways
Ability to bypass filtering controls and make
monitoring difficult (SSH encrypted tunnels)
Need for improved tunneling detection (both
delivery and payload protocols) methods and
even forensic capabilities