Network Security’s Friend or Foe
Spyridon Dosis
• Description & Concerns
• Tunneling Protocols & Protocol Tunneling
• Network Tunneling Tools & Setup
• Demo
• Conclusions
• A delivery network protocol encapsulates a payload network protocol
• The delivery protocol usually operates at the same or a higher level (e.g. in the TCP/IP stack) than the payload protocol
• Protocol Tunneling
◦ Order in protocol encapsulation
◦ Obfuscation rather than hiding
◦ Practical use cases & misuse
• Covert Channels
◦ Channels not intended for information transfer
◦ Hiding in unused protocol fields, utilizing fields such as IP ID, TCP sequence number etc.
◦ Network steganography
• Carry data over incompatible delivery networks
• Provide an (encrypted) path through a public network
◦ Monitoring vs anti-censorship
• Allowing “some kind” of traffic may lead to “any kind”
• Pre-existing network-based security tools (firewalls, IDS) may not be able to apply their controls to the tunneled traffic
◦ Evading traffic regulation
• Lack of host-based security controls
◦ Defense in depth
• Inability to perform ingress and egress filtering
• An ‘open-ended’ tunnel may forward traffic to other internal hosts
• Advanced Persistent Threats (APTs): remote control & data exfiltration
◦ Backdoors with OS command and file transfer capabilities are installed on target systems.
◦ Collected files are uploaded over common ports such as HTTP (80), HTTPS (443) and DNS (53), bypassing detection.
• Covert channels for malware
◦ e.g. C&C communications over DNS (e.g. Feederbot, W32.Morto)
• The original IP packet is encrypted
• The ESP header indicates that the entire original packet is the payload (IP-in-IP)
• A new IP header is inserted (next header is ESP)
Image taken from http://www.free-it.de/archiv/talks_2005/paper-11156/paper-11156.html
• Security services from gateway to gateway or from host to gateway over an insecure network
• The entire original packet is encrypted
◦ Internal traffic behind the gateways is not protected
• Often used to implement Virtual Private Networks (IPsec VPNs)
◦ Site-to-site
◦ Client-to-site
• “GRE (Generic Routing Encapsulation) specifies a protocol for encapsulation of an arbitrary protocol over another arbitrary network layer protocol” – RFC 2784 and 2890
• Point-to-point links
Image taken from http://netwild.ru/pptp/
• Ethernet over IPv4/IPv6 (e.g. OpenStack Neutron)
• Support for tunneling broadcast/multicast traffic
◦ e.g. delivering routing updates to multiple sites
• IPv4/IPv6 over IPv4/IPv6
• No default encryption/security services
◦ IPsec tunnel/transport mode over GRE
• Tunnel brokers provide a network tunneling service
• 6in4 – IPv6 over IPv4
• 4in6 – IPv4 over IPv6
• ISATAP
• Teredo – IPv6 over UDP over IPv4
• …and others
• Secure channel over an insecure network between an SSH client and an SSH server (e.g. OpenSSH), typically listening on TCP port 22
• Public-key cryptography for server (and client) authentication
• Remote command execution, file transfer (SCP, SFTP), TCP port and X forwarding, tunneling
• Local-port forwarding: traffic arriving at a local port is forwarded to a specified remote host/port
• The destination is relative to the SSH server’s location and mostly unrestricted
• The SSH client can be configured to act either as a local-only service or as a service public to other hosts
• Remote-port forwarding: traffic arriving at a remote port is forwarded to a specified local host/port
• The destination is relative to the SSH client’s location and mostly unrestricted
• The SSH server can be configured to act either as a local-only service or as a service public to other hosts
• Works for single host/port communications
◦ Simple Web (HTTP)
◦ Mail (SMTP, POP3, IMAP)
◦ SSH
• Fails for more complex network services
◦ Web with external references / surfing
▪ Solution: chain to a Web proxy
◦ FTP
◦ Peer-to-peer
• The SOCKS protocol proxies TCP connections / forwards UDP packets from client to server through a proxy
• A local SOCKS proxy is created on the SSH client’s side and can forward traffic to arbitrary remote hosts and ports
• Firewall traversal / content-filtering circumvention
• Run remote X Window System based applications but display them locally
• Needs an X server on Windows
• Secure the X protocol by tunneling it over SSH
• ssh -X user@host <application>
◦ Run a remote browser visiting a blocked website
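The local, remote, dynamic (SOCKS) and X forwarding features described on the preceding slides are all governed by a handful of sshd_config directives, so a defender's first check is whether the servers they operate actually need them. The following is an added example, not code from the slides or from OpenSSH: it parses the global section of an sshd_config and reports which tunnel-enabling directives are in effect. The directive names and their defaults are those documented in sshd_config(5); the two sample configurations are constructed for the example, and the "hardened" one deliberately carries a Match block to show that conditional settings are skipped and must be reviewed separately.

```python
"""Audit an OpenSSH sshd_config for directives that enable SSH tunneling.

Added example, not part of the slides. The directive names are real
OpenSSH options; the sample configuration texts are constructed.
"""

# sshd_config(5) defaults for the directives that enable forwarding/tunnels.
DEFAULTS = {
    "allowtcpforwarding": "yes",          # local/remote/dynamic TCP forwards
    "gatewayports": "no",                 # remote forwards bound to non-loopback
    "permitopen": "any",                  # destinations allowed for local forwards
    "x11forwarding": "no",
    "permittunnel": "no",                 # tun/tap layer-2/3 tunnels
    "allowstreamlocalforwarding": "yes",  # Unix-domain socket forwards
}


def parse_sshd_config(text):
    """Return {directive_lower: value} for the global section of an sshd_config.

    Directives inside Match blocks are skipped because they apply conditionally.
    OpenSSH honours the first occurrence of a directive, so later duplicates
    are ignored here as well.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True          # everything until EOF (or next Match) is conditional
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def audit_forwarding(text):
    """Return a list of findings describing which tunnel features are enabled."""
    cfg = parse_sshd_config(text)
    effective = {k: cfg.get(k, v).lower() for k, v in DEFAULTS.items()}
    findings = []
    tcp = effective["allowtcpforwarding"]
    if tcp != "no":
        findings.append("TCP forwarding enabled (AllowTcpForwarding %s): "
                        "local/remote/dynamic forwards possible" % tcp)
        if effective["permitopen"] == "any":
            findings.append("PermitOpen not restricted: local forwards may reach "
                            "any host/port relative to the server")
    if effective["gatewayports"] != "no":
        findings.append("GatewayPorts %s: remote forwards can listen on "
                        "non-loopback addresses" % effective["gatewayports"])
    if effective["x11forwarding"] == "yes":
        findings.append("X11Forwarding yes: X protocol can be tunneled through the server")
    if effective["permittunnel"] != "no":
        findings.append("PermitTunnel %s: tun/tap layer 2/3 tunnels allowed"
                        % effective["permittunnel"])
    if effective["allowstreamlocalforwarding"] != "no" and tcp != "no":
        findings.append("Unix-domain socket forwarding enabled")
    return findings


# Constructed sample: a permissive configuration ...
PERMISSIVE = """
Port 22
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
PermitTunnel yes
"""

# ... and a hardened one that only allows local forwards to one internal service.
# The Match block re-enables forwarding for one account; it is reported
# separately (not by this audit) because it is conditional.
HARDENED = """
Port 22
AllowTcpForwarding local
PermitOpen 10.0.0.10:5432
GatewayPorts no
X11Forwarding no
PermitTunnel no
AllowStreamLocalForwarding no
Match User backup
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name)
        for finding in audit_forwarding(cfg):
            print("  -", finding)
```

Pointing the script at a real file (`audit_forwarding(open("/etc/ssh/sshd_config").read())`) gives a quick inventory of which of the forwarding mechanisms from the slides a given server would honour.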
• “An ICMP ECHO_REQUEST packet contains an additional 8 bytes worth of ICMP header followed by an arbitrary amount of data” – ping(8) man page
• LOKI (Phrack Issue 49) utilized it to establish a covert channel between client and server
• IP over ICMP
• TCP over ICMP
• Various network protocols are encapsulated using the HTTP protocol
• HTTP is rarely blocked
• Bypass restrictions
◦ Firewalls
◦ Proxy server / content-filtering
• Transport arbitrary data by encoding it into DNS messages
• Wide support and availability of the global DNS infrastructure
• Few organizations block DNS traffic from individual clients to the Internet (e.g. captive portals in public Wi-Fi)
• Effective for bypassing security measures such as firewalls or ACLs
• Used for two-way communication or data exfiltration
• Around since 1998
• NSTX (Nameserver Transfer Protocol)
• OzymanDNS (Dan Kaminsky) – “Tunneling Audio, Video and SSH over DNS”
• Used mostly for bypassing paywalls
• Mapping between domain names and IP addresses
• Record types
◦ A, AAAA, CNAME, MX, NS, PTR, TXT, NULL
• EDNS for UDP payloads larger than 512 bytes
◦ Increased bandwidth
• Internal users can contact arbitrary external domains through the organization’s DNS servers/resolvers
Image taken from http://nirlog.com/2006/03/28/dns-amplification-attack/
• Maximum 253 characters in a domain name
• Maximum 63 characters per label (subdomain)
• Case-insensitive (hence Base32 encoding for the query side)
• TXT queries allow the maximum number of characters in the response, with Base64 encoding
• Bandwidth up to 110 KB/s, 150 ms latency (Van Leijenhorst, 2008)
• Combined with Netcat
◦ Establish a local/remote port forward over SSH with an SSH server
◦ Create a FIFO special file (a named pipe) on both sides
◦ Listen for UDP requests / relay through the SSH tunnel
◦ Forward UDP requests / relay through the SSH tunnel
• tcp_to_udp & udp_to_tcp
• socat relay & UDPTunnel (UDP over TCP)
• In the case of HTTP browsing, DNS requests are still submitted by the client
• Monitoring can reveal DNS requests for common websites alongside the SSH traffic
• Solution: forward DNS requests to the SSH server as well
◦ (e.g. Firefox network.proxy.socks_remote_dns)
• Multi-hop setups
◦ Client (SSH lpf) -> Host 1 (SSH dpf) -> Host 2 -> Web
• SSH traffic volume & SSH tunnel endpoints
• Tunnel Hunter (Dusi et al., 2008)
◦ Naïve Bayes classifier
◦ Packet size & packet inter-arrival time
◦ Detects tunneling & classifies the actual protocol (BitTorrent, POP, SMTP, HTTP) with high accuracy
◦ Limitations with respect to multiple SSH authentication types, data compression, login failures, network protocols
• SSH server on non-standard ports (e.g. 443)
◦ EmergingThreats Snort rules, Cisco IDS
• Degrade SSH performance (TCP over TCP)
Image taken from http://www.sectechno.com/2010/10/31/bypassing-firewalls-using-icmp-tunnel/
• ICMPTX (IP over ICMP)
• ICMP Tunnel (IP over ICMP)
• Hans (IP over ICMP)
• itun (IP over ICMP)
• Ptunnel (TCP over ICMP)
• Droid-VPN, Troid-VPN (Android apps, need root)
• PD-Proxy, Wi-Free, Tunnel Guru
• Detection signatures
◦ ICMP_PingTunnel_Detected
◦ LOKI ICMP tunneling back door
◦ ICMP Raw Sockets
• Non-standard average packet size
• High ICMP traffic volume between tunnel endpoints
• Disallow ICMP traffic
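The two statistical indicators on this slide (non-standard average packet size and high echo volume between a pair of endpoints) follow directly from the ping(8) description quoted earlier: a normal echo request is an 8-byte header plus a small, constant payload. The following is an added example, not code from the slides or from any of the tools listed: it parses ICMP echo messages, verifies the RFC 1071 checksum, aggregates per source/destination pair and reports pairs whose payload size or message count is out of line. The traffic is constructed inline, and the thresholds (deviation from the 32/56-byte default ping payloads, messages per window) are the example's own assumptions.

```python
"""Flag ICMP echo flows whose payload size or volume does not look like ping.

Added example (not from the slides). Each record is (src, dst, icmp_bytes);
the ICMP messages are constructed here with the 8-byte echo header the
ping(8) man page describes, followed by payload data.
"""
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
NORMAL_PAYLOAD_SIZES = {32, 56}   # Windows ping / Linux-BSD ping defaults
MAX_NORMAL_DEVIATION = 8          # bytes; assumption for the example
VOLUME_THRESHOLD = 100            # echo messages per pair per window; assumption


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the ICMP message (0 if valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident, seq, payload, msg_type=ICMP_ECHO_REQUEST):
    """Build an ICMP echo message with a valid checksum (constructed sample traffic)."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp(data):
    """Return (type, code, checksum_ok, ident, seq, payload) for an ICMP message."""
    if len(data) < 8:
        raise ValueError("truncated ICMP header")
    msg_type, code, csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return msg_type, code, icmp_checksum(data) == 0, ident, seq, data[8:]


def analyse_flows(records):
    """Aggregate echo traffic per (src, dst) and return pairs with tunnel-like traits."""
    stats = defaultdict(lambda: {"count": 0, "bytes": 0, "bad_csum": 0})
    for src, dst, data in records:
        msg_type, _, ok, _, _, payload = parse_icmp(data)
        if msg_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue
        s = stats[(src, dst)]
        s["count"] += 1
        s["bytes"] += len(payload)
        s["bad_csum"] += 0 if ok else 1
    findings = {}
    for pair, s in stats.items():
        avg = s["bytes"] / s["count"]
        reasons = []
        if min(abs(avg - n) for n in NORMAL_PAYLOAD_SIZES) > MAX_NORMAL_DEVIATION:
            reasons.append("average payload %.1f bytes is not a normal ping size" % avg)
        if s["count"] > VOLUME_THRESHOLD:
            reasons.append("%d echo messages in window" % s["count"])
        if s["bad_csum"]:
            reasons.append("%d messages with bad checksum" % s["bad_csum"])
        if reasons:
            findings[pair] = reasons
    return findings


def sample_records():
    """Constructed traffic: an ordinary ping session and a bulky, chatty echo flow."""
    recs = []
    for seq in range(5):       # ordinary Linux ping: 56-byte payload, few packets
        recs.append(("10.0.0.4", "10.0.0.1", build_echo(0x1234, seq, bytes(56))))
    for seq in range(150):     # tunnel-like: large varying payloads, high volume
        payload = bytes([seq % 256]) * (900 + seq % 50)
        recs.append(("10.0.0.9", "203.0.113.7", build_echo(0x4242, seq, payload)))
    return recs


if __name__ == "__main__":
    for pair, reasons in analyse_flows(sample_records()).items():
        print(pair, reasons)
```

The same aggregation works over ICMP records pulled from a flow collector or a packet capture; the point of keeping the checksum check is that a handful of malformed echoes between the same endpoints is itself worth a second look.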
• The tunnel client initiates an HTTP connection to the tunnel server
• The client encapsulates the application requests in HTTP requests destined for the tunnel server
• The tunnel server unwraps and forwards them
• GNU httptunnel
◦ htc – tunnel client component
◦ hts – tunnel server component
• Syntax
◦ Server: hts -F remote:<remote_port> 80
◦ Client: htc -F <local_port> server:80
◦ ssh -p <local_port> user@localhost
• OzymanDNS
• Dns2tcp
• Iodine
• Heyoka (+ source IP spoofing)
• DNSCat
• NSTX
• DNScapy
• MagicTunnel, Element53, VPN-over-DNS (Android)
• iodine for iOS
• “VPN over DNS”
• Increased DNS traffic (network traffic profiling)
• Maximum DNS request packet size
• Large number of DNS TXT requests
• Number of DNS requests and of unique hostnames to a single domain
• Composition of hostnames
◦ Length, unique characters, character frequency analysis
• Split DNS
◦ Web proxies (but not clients) can resolve external domains
• Determining which tunneling-like messages are malicious
◦ Real-time Blackhole Lists (DNSBL lookups)
▪ 23.42.168.192.dnsbl.example.net
▪ example.net.dnslist.example.com
◦ NIST National Software Reference Library
▪ 84C0C5914FF0B825141BA2C6A9E3D6F4.md5.dshield.org
• Mail servers perform DNS TXT requests (SPF)
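The hostname-composition indicators from the detection slide (length, character frequency, unique names per domain, TXT share) and the false-positive sources from the slide after it (DNSBL, NSRL hash lookups, SPF) can be combined in one scoring pass over a query log. The following is an added example, not code from the slides: it aggregates queries per registered domain, checks each name against the 253/63-character limits quoted earlier, scores subdomain length, Shannon entropy and TXT ratio, and reports domains on a lookup-service allowlist separately from the rest. The log format ("client qtype qname"), the allowlist (using the placeholder names from the slides), the thresholds and the "last two labels" notion of registered domain are all the example's own assumptions; the log lines are constructed inline.

```python
"""Score DNS query logs for tunneling traits and separate known lookup services.

Added example, not from the slides. Log lines are constructed and use an
assumed "client qtype qname" format. Registered domain = last two labels,
a simplification (no public-suffix list). Thresholds are the example's own.
"""
import base64
import hashlib
import math
from collections import defaultdict

MAX_NAME_LEN = 253         # limits quoted on the slides
MAX_LABEL_LEN = 63

# Services that legitimately produce many unique, hash-like names under one
# domain (DNSBL and hash-lookup style queries). Placeholder names from the slides.
LOOKUP_ALLOWLIST = {"dnsbl.example.net", "dnslist.example.com", "md5.dshield.org"}

# Assumed thresholds for flagging one registered domain.
MIN_UNIQUE_NAMES = 20
MIN_MEAN_ENTROPY = 3.5     # bits per character of the subdomain part
MIN_MEAN_SUBDOMAIN_LEN = 30


def entropy(s):
    """Shannon entropy in bits per character (character frequency analysis)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered_domain, subdomain_part); enforce the DNS length limits."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    if len(name) > MAX_NAME_LEN or any(len(l) > MAX_LABEL_LEN for l in labels):
        raise ValueError("name violates DNS length limits: %s" % qname)
    for svc in LOOKUP_ALLOWLIST:            # keep lookup services as their own bucket
        if name.endswith("." + svc):
            return svc, name[: -len(svc) - 1]
    if len(labels) < 2:
        return name, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyse_queries(lines):
    """Return (suspects, suppressed): {domain: [reasons]} split by the allowlist."""
    per_domain = defaultdict(lambda: {"queries": 0, "txt": 0, "names": set(), "subs": []})
    for line in lines:
        client, qtype, qname = line.split()
        domain, sub = split_name(qname)
        d = per_domain[domain]
        d["queries"] += 1
        d["txt"] += qtype.upper() == "TXT"
        d["names"].add(qname.lower())
        d["subs"].append(sub.replace(".", ""))
    findings = {}
    for domain, d in per_domain.items():
        if len(d["names"]) < MIN_UNIQUE_NAMES:
            continue                        # too few unique names to judge
        mean_len = sum(len(s) for s in d["subs"]) / len(d["subs"])
        mean_ent = sum(entropy(s) for s in d["subs"]) / len(d["subs"])
        reasons = []
        if mean_len >= MIN_MEAN_SUBDOMAIN_LEN:
            reasons.append("mean subdomain length %.0f" % mean_len)
        if mean_ent >= MIN_MEAN_ENTROPY:
            reasons.append("mean subdomain entropy %.2f bits/char" % mean_ent)
        if d["txt"] * 2 > d["queries"]:
            reasons.append("%d of %d queries are TXT" % (d["txt"], d["queries"]))
        if reasons:
            findings[domain] = reasons
    suspects = {k: v for k, v in findings.items() if k not in LOOKUP_ALLOWLIST}
    suppressed = {k: v for k, v in findings.items() if k in LOOKUP_ALLOWLIST}
    return suspects, suppressed


def sample_log():
    """Constructed log: normal browsing, NSRL-style hash lookups, and a tunnel-like client."""
    lines = ["10.0.0.5 A www.example.org"] * 5
    for i in range(25):                     # hash lookups: long hex labels, A queries
        h = hashlib.sha256(b"file%d" % i).hexdigest()[:32]
        lines.append("10.0.0.7 A %s.md5.dshield.org" % h)
    for i in range(40):                     # tunnel-like: Base32 blobs, TXT queries
        chunk = base64.b32encode(hashlib.sha256(b"chunk%d" % i).digest()).decode()
        lines.append("10.0.0.9 TXT %s.tun.example" % chunk.rstrip("=").lower())
    return lines


if __name__ == "__main__":
    suspects, suppressed = analyse_queries(sample_log())
    print("suspects:", suspects)
    print("matched lookup services:", suppressed)
```

The suppressed bucket is not discarded: the slides' point is that DNSBL, NSRL and SPF traffic shares the statistical profile of a tunnel, so the allowlist has to be maintained from an inventory of which internal hosts are expected to issue such lookups (mail servers, proxies), and a lookup-style pattern from an unexpected client is still a finding.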
• Using existing core network protocols in innovative ways
• Ability to bypass filtering controls and make monitoring difficult (SSH encrypted tunnels)
• Need for improved tunneling detection methods (covering both delivery and payload protocols) and even forensic capabilities
Network tunneling techniques

More Related Content

What's hot

GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)
NetProtocol Xpert
 
Vpn presentation
Vpn presentationVpn presentation
Vpn presentation
Ram Bharosh Raut
 
IPv4 Addressing
 IPv4 Addressing   IPv4 Addressing
IPv4 Addressing
TheGodfather HA
 
Spanning tree protocol (stp)
Spanning tree protocol (stp)Spanning tree protocol (stp)
Spanning tree protocol (stp)
RaghulR21
 
Routing protocols
Routing protocolsRouting protocols
Routing protocols
Sourabh Goyal
 
Proxy Servers
Proxy ServersProxy Servers
Proxy Servers
Sourav Roy
 
Computer Network - Network Layer
Computer Network - Network LayerComputer Network - Network Layer
Computer Network - Network Layer
Manoj Kumar
 
TCP and UDP
TCP and UDP TCP and UDP
TCP and UDP
Ramesh Giri
 
Osi model vs TCP/IP
Osi model vs TCP/IPOsi model vs TCP/IP
Osi model vs TCP/IPMannu Khani
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
Rahmat Suhatman
 
Port forwarding
Port forwardingPort forwarding
Port forwarding
Ronak Mehta
 
Vpn(virtual private network)
Vpn(virtual private network)Vpn(virtual private network)
Vpn(virtual private network)
sonangrai
 
IPv4 and IPv6
IPv4 and IPv6IPv4 and IPv6
IPv4 and IPv6
saurav kumar mourya
 
Igmp presentation
Igmp presentationIgmp presentation
Igmp presentation
SamreenAkhtar8
 
Tcp IP Model
Tcp IP ModelTcp IP Model
Tcp IP Model
Ankur Kumar
 
TCP/IP and UDP protocols
TCP/IP and UDP protocolsTCP/IP and UDP protocols
TCP/IP and UDP protocols
Dawood Faheem Abbasi
 
Domain name system
Domain name systemDomain name system
Domain name systemDiwaker Pant
 
Transport layer
Transport layer Transport layer
Transport layer
Mukesh Chinta
 

What's hot (20)

GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)
 
Vpn presentation
Vpn presentationVpn presentation
Vpn presentation
 
IPv4 Addressing
 IPv4 Addressing   IPv4 Addressing
IPv4 Addressing
 
Spanning tree protocol (stp)
Spanning tree protocol (stp)Spanning tree protocol (stp)
Spanning tree protocol (stp)
 
Routing protocols
Routing protocolsRouting protocols
Routing protocols
 
Proxy Servers
Proxy ServersProxy Servers
Proxy Servers
 
Computer Network - Network Layer
Computer Network - Network LayerComputer Network - Network Layer
Computer Network - Network Layer
 
TCP and UDP
TCP and UDP TCP and UDP
TCP and UDP
 
Osi model vs TCP/IP
Osi model vs TCP/IPOsi model vs TCP/IP
Osi model vs TCP/IP
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Port forwarding
Port forwardingPort forwarding
Port forwarding
 
Vpn(virtual private network)
Vpn(virtual private network)Vpn(virtual private network)
Vpn(virtual private network)
 
IPv4 and IPv6
IPv4 and IPv6IPv4 and IPv6
IPv4 and IPv6
 
Igmp presentation
Igmp presentationIgmp presentation
Igmp presentation
 
Subnetting
SubnettingSubnetting
Subnetting
 
Tcp IP Model
Tcp IP ModelTcp IP Model
Tcp IP Model
 
TCP/IP and UDP protocols
TCP/IP and UDP protocolsTCP/IP and UDP protocols
TCP/IP and UDP protocols
 
Domain name system
Domain name systemDomain name system
Domain name system
 
Ipv6
Ipv6Ipv6
Ipv6
 
Transport layer
Transport layer Transport layer
Transport layer
 

Similar to Network tunneling techniques

Application Layer and Protocols
Application Layer and ProtocolsApplication Layer and Protocols
Application Layer and Protocols
Rubal Sagwal
 
WIFI MODEM Part-22
WIFI MODEM Part-22WIFI MODEM Part-22
WIFI MODEM Part-22
Techvilla
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security concepts
sonuagain
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
Shuya Osaki
 
Aplication and Transport layer- a practical approach
Aplication and Transport layer-  a practical approachAplication and Transport layer-  a practical approach
Aplication and Transport layer- a practical approach
Sarah R. Dowlath
 
Nachos Theoretical assigment 3
Nachos Theoretical assigment 3Nachos Theoretical assigment 3
Nachos Theoretical assigment 3colli03
 
Part 7 : HTTP/2, UDP and TCP
Part 7 : HTTP/2, UDP and TCPPart 7 : HTTP/2, UDP and TCP
Part 7 : HTTP/2, UDP and TCP
Olivier Bonaventure
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].ppt
BachaSirata
 
Computer network coe351- part2- final
Computer network coe351- part2- finalComputer network coe351- part2- final
Computer network coe351- part2- final
Taymoor Nazmy
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Finalmasoodnt10
 
Computer Networks
Computer NetworksComputer Networks
Computer NetworksShylesh BC
 
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
Igalia
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
GTKlondike
 
Web technologies: recap on TCP-IP
Web technologies: recap on TCP-IPWeb technologies: recap on TCP-IP
Web technologies: recap on TCP-IPPiero Fraternali
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
sweta dargad
 
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
Ericom Software
 

Similar to Network tunneling techniques (20)

Application Layer and Protocols
Application Layer and ProtocolsApplication Layer and Protocols
Application Layer and Protocols
 
6 networking
6 networking6 networking
6 networking
 
class12_Networking2
class12_Networking2class12_Networking2
class12_Networking2
 
WIFI MODEM Part-22
WIFI MODEM Part-22WIFI MODEM Part-22
WIFI MODEM Part-22
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security concepts
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 
Aplication and Transport layer- a practical approach
Aplication and Transport layer-  a practical approachAplication and Transport layer-  a practical approach
Aplication and Transport layer- a practical approach
 
Nachos Theoretical assigment 3
Nachos Theoretical assigment 3Nachos Theoretical assigment 3
Nachos Theoretical assigment 3
 
Part 7 : HTTP/2, UDP and TCP
Part 7 : HTTP/2, UDP and TCPPart 7 : HTTP/2, UDP and TCP
Part 7 : HTTP/2, UDP and TCP
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].ppt
 
Firewall
FirewallFirewall
Firewall
 
Computer network coe351- part2- final
Computer network coe351- part2- finalComputer network coe351- part2- final
Computer network coe351- part2- final
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
 
Firewall
FirewallFirewall
Firewall
 
Computer Networks
Computer NetworksComputer Networks
Computer Networks
 
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
Web technologies: recap on TCP-IP
Web technologies: recap on TCP-IPWeb technologies: recap on TCP-IP
Web technologies: recap on TCP-IP
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
 
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
 

Recently uploaded

When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 

Recently uploaded (20)

When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 

Network tunneling techniques

  • 1. Network Security’s Friend or Foe Spyridon Dosis
  • 2.  Description & Concerns  Tunneling Protocols & Protocol Tunneling  Network Tunneling Tools & Setup  Demo  Conclusions
  • 3.  A delivery network protocol encapsulates a payload network protocol  The delivery protocol usually operates at the same or higher level (e.g. in the TCP/IP stack) than the payload protocol
  • 4.  Protocol Tunneling ◦ Order in Protocol Encapsulation ◦ Obfuscation rather than hiding ◦ Practical use cases & misuse  Covert Channels ◦ Channels not intended for information transfer ◦ Hiding in unused protocol fields, utilizing fields such as IP ID, TCP Sequence number etc. ◦ Network Steganography
  • 5.  Carry data over incompatible delivery-networks  Provide a (encrypted) path through a public network ◦ Monitoring vs Anti-Censorship  Allowing “some kind” of traffic may lead to “any kind”
  • 6.  Pre-existing network-based security tools (firewalls, IDS) may not be able to apply the controls to the tunneled traffic ◦ Evading traffic regulation  Lack of host-based security controls ◦ Defense in depth  Inability for ingress and egress filtering  ‘Open-ended’ tunnel may forward traffic to other internal hosts
  • 7.  Advanced Persistent Threats (APTs) - Remote Control & Data exfiltration ◦ Backdoors with OS commands, file transfer capabilities are installed in target systems. ◦ Upload collected files using common ports such as HTTP (80), HTTPS (443) and DNS (53) bypassing detection.  Covert channels for malware ◦ e.g. C&C communications over DNS (i.e. Feederbot, W32.Morto )
  • 8.  Description & Concerns  Tunneling Protocols & Protocol Tunneling  Network Tunneling Tools & Setup  Demo  Conclusions
  • 9.  The original IP packet is encrypted  The ESP header indicates that the entire packet is the payload (IP-in-IP)  Inserts a new IP header (next header is ESP) Image taken from http://www.free-it.de/archiv/talks_2005/paper-11156/paper-11156.html
  • 10.
    - Security services from gateway to gateway or from host to gateway over an insecure network
    - The entire original packet is encrypted
      ◦ Internal traffic behind the gateways is not protected
    - Often used to implement Virtual Private Networks (IPsec VPNs)
      ◦ Site-to-site
      ◦ Client-to-site
  • 11.
    - “GRE (Generic Routing Encapsulation) specifies a protocol for encapsulation of an arbitrary protocol over another arbitrary network layer protocol” – RFC 2784 and 2890
    - Point-to-point links
    - Image taken from http://netwild.ru/pptp/
  • 12.
    - Ethernet over IPv4/IPv6 (e.g. OpenStack Neutron)
    - Support for tunneling broadcast/multicast traffic
      ◦ e.g. delivering routing updates to multiple sites
    - IPv4/IPv6 over IPv4/IPv6
    - No default encryption/security services
      ◦ IPsec tunnel/transport mode over GRE
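    The slides above describe IP-in-IP, ESP tunnel mode and GRE as layers of delivery protocol around payload protocol. The following added example (not from the deck) shows what an inspection tool must do to see the payload protocol: it builds small constructed packets with each encapsulation and walks the header chain outermost-first, stopping at ESP because the inner packet is encrypted. The packet builders, addresses and the 0x1234 SPI are constructed test values; the IPv4 protocol numbers and GRE protocol types are the standard ones.

```python
import socket
import struct

# IPv4 "protocol" field values (IANA)
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPIP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 4, 47, 50
# GRE "protocol type" (EtherType) values we understand
GRE_IPV4, GRE_IPV6, GRE_TEB = 0x0800, 0x86DD, 0x6558


def checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre(proto_type: int, payload: bytes, key=None) -> bytes:
    """RFC 2784 base header (flags, protocol type) plus the RFC 2890 key field if given."""
    flags = 0x2000 if key is not None else 0      # K bit
    hdr = struct.pack("!HH", flags, proto_type)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + payload


def esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header: SPI, sequence number, then the (opaque) encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def walk(packet: bytes) -> list:
    """Peel encapsulation layers and return the protocol chain, outermost first."""
    chain, data = [], packet
    while True:
        if len(data) < 20 or (data[0] >> 4) != 4:
            chain.append("non-IPv4 payload")
            return chain
        ihl = (data[0] & 0x0F) * 4
        proto = data[9]
        src, dst = socket.inet_ntoa(data[12:16]), socket.inet_ntoa(data[16:20])
        chain.append(f"IPv4 {src}->{dst}")
        data = data[ihl:]
        if proto == IPPROTO_IPIP:                 # plain IP-in-IP: the payload is another IPv4 packet
            chain.append("IP-in-IP")
            continue
        if proto == IPPROTO_GRE:
            flags, ptype = struct.unpack("!HH", data[:4])
            off = 4
            if flags & 0x8000:                    # C bit: checksum + reserved1
                off += 4
            if flags & 0x2000:                    # K bit: key
                off += 4
            if flags & 0x1000:                    # S bit: sequence number
                off += 4
            chain.append(f"GRE type=0x{ptype:04x}")
            data = data[off:]
            if ptype == GRE_IPV4:
                continue
            chain.append({GRE_IPV6: "IPv6", GRE_TEB: "Ethernet"}.get(ptype, "unknown"))
            return chain
        if proto == IPPROTO_ESP:                  # tunnel-mode ESP: inner packet is encrypted
            spi, = struct.unpack("!I", data[:4])
            chain.append(f"ESP spi=0x{spi:08x} (payload encrypted, inspection stops)")
            return chain
        chain.append({IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}.get(proto, f"proto {proto}"))
        return chain


def constructed_packets() -> dict:
    """Constructed sample packets: one per encapsulation discussed on the slides."""
    inner = ipv4("192.168.1.10", "192.168.2.20", IPPROTO_TCP, b"\x00" * 20)
    return {
        "ipip": ipv4("203.0.113.1", "203.0.113.2", IPPROTO_IPIP, inner),
        "gre": ipv4("203.0.113.1", "203.0.113.2", IPPROTO_GRE, gre(GRE_IPV4, inner, key=42)),
        "esp": ipv4("198.51.100.1", "198.51.100.2", IPPROTO_ESP, esp(0x1234, 1, b"\xaa" * 32)),
    }


if __name__ == "__main__":
    for name, pkt in constructed_packets().items():
        print(name, " | ".join(walk(pkt)))
```

    The GRE branch honours the optional checksum, key and sequence fields, since a parser that assumes the 4-byte base header misreads keyed tunnels (the OpenStack case on the slide). For ESP the walker can only report the SPI: everything beyond it needs the key, which is exactly why network-only controls cannot regulate the inner traffic.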
  • 13.
    - Tunnel brokers provide a network tunneling service
    - 6in4: IPv6 over IPv4
    - 4in6: IPv4 over IPv6
    - ISATAP
    - Teredo: IPv6 over UDP over IPv4
    - …and others
  • 14.
    - Secure channel over an insecure network between an SSH client and an SSH server (e.g. OpenSSH), typically listening on TCP port 22
    - Public-key cryptography for server (and client) authentication
    - Remote command execution, file transfer (SCP, SFTP), TCP port and X forwarding, tunneling
  • 15.
    - Local port forwarding: traffic arriving at a local port is forwarded to a specified remote host/port
    - The destination is relative to the SSH server’s location and mostly unrestricted
    - The SSH client can be configured to act either as a local-only service or as a service open to other hosts
  • 16.
    - Remote port forwarding: traffic arriving at a remote port is forwarded to a specified local host/port
    - The destination is relative to the SSH client’s location and mostly unrestricted
    - The SSH server can be configured to act either as a local-only service or as a service open to other hosts
  • 17.
    - Works well for single host/port communications
      ◦ Simple Web (HTTP)
      ◦ Mail (SMTP, POP3, IMAP)
      ◦ SSH
    - Fails for more complex network services
      ◦ Web with external references / surfing (solution: chain to a web proxy)
      ◦ FTP
      ◦ Peer-to-peer
  • 18.
    - The SOCKS protocol proxies TCP connections / forwards UDP packets from client to server through a proxy
    - A local SOCKS proxy is created on the SSH client’s side and can forward traffic to arbitrary remote hosts and ports
    - Firewall traversal / content-filtering circumvention
  • 19.
    - Run remote X Window System based applications but display them locally
    - Needs an X server on Windows
    - Secure the X protocol by tunneling it over SSH
    - ssh -X user@host <application>
      ◦ Run a remote browser visiting a blocked website
  • 20.
    - “An ICMP ECHO_REQUEST packet contains an additional 8 bytes worth of ICMP header followed by an arbitrary amount of data” – ping(8) man page
    - LOKI (Phrack Issue 49) utilized it to establish a covert channel between client and server
    - IP over ICMP
    - TCP over ICMP
  • 22.
    - Various network protocols are encapsulated using the HTTP protocol
    - HTTP is rarely blocked
    - Bypass restrictions
      ◦ Firewalls
      ◦ Proxy server / content filtering
  • 24.
    - Transport arbitrary data by encoding it into DNS messages
    - Wide support and availability of the global DNS infrastructure
    - Few organizations block DNS traffic from individual clients to the Internet (e.g. captive portals in public Wi-Fi)
    - Effective for bypassing security measures such as firewalls or ACLs
    - Used for two-way communication or data exfiltration
  • 25.
    - Around since 1998
    - NSTX (Nameserver Transfer Protocol)
    - OzymanDNS (Dan Kaminsky): “Tunneling Audio, Video and SSH over DNS”
    - Used mostly for bypassing paywalls
  • 26.
    - Mapping between domain names and IP addresses
    - Record types
      ◦ A, AAAA, CNAME, MX, NS, PTR, TXT, NULL
    - EDNS for UDP payloads larger than 512 bytes
      ◦ Increased bandwidth
    - Internal users can contact arbitrary external domains through the organization’s DNS servers/resolvers
  • 27. Image taken from http://nirlog.com/2006/03/28/dns-amplification-attack/
  • 29.
    - Maximum 253 characters in a domain name
    - Maximum 63 characters per label (subdomain)
    - Case-insensitive (hence Base32 encoding)
    - TXT requests allow for the maximum number of characters in the response, plus Base64 encoding
    - Bandwidth up to 110 KB/s, 150 ms latency (Van Leijenhorst, 2008)
  • 30.
    - Description & Concerns
    - Tunneling Protocols & Protocol Tunneling
    - Network Tunneling Tools & Setup
    - Demo
    - Conclusions
  • 33.
    - Combined with netcat
      ◦ Establish a local/remote port forward over SSH with an SSH server
      ◦ Create a FIFO special file (a named pipe) on both sides
      ◦ Listen for UDP requests / relay through the SSH tunnel
      ◦ Forward UDP requests / relay through the SSH tunnel
    - tcp_to_udp & udp_to_tcp
    - socat relay & UDPTunnel (UDP over TCP)
  • 35.
    - In the case of HTTP browsing, DNS requests are still submitted by the client
    - Monitoring can reveal DNS requests for common websites alongside the SSH traffic
    - Solution: forward DNS requests to the SSH server as well
      ◦ (e.g. Firefox network.proxy.socks_remote_dns)
    - Multi-hop setups
      ◦ Client (SSH lpf) -> Host 1 (SSH dpf) -> Host 2 -> Web
  • 36.
    - SSH traffic volume & SSH tunnel endpoints
    - Tunnel Hunter (Dusi et al., 2008)
      ◦ Naïve Bayes classifier
      ◦ Packet size & packet inter-arrival time
      ◦ Detects tunneling & classifies the actual protocol (BitTorrent, POP, SMTP, HTTP) with high accuracy
      ◦ Limitations with respect to multiple SSH authentication types, data compression, login failures, network protocols
    - SSH server on non-standard ports (e.g. 443)
      ◦ EmergingThreats Snort rules, Cisco IDS
    - Degraded SSH performance (TCP over TCP)
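    The Tunnel Hunter approach on this slide fits a naïve Bayes classifier to the sizes and inter-arrival times of the first packets of an SSH flow. The block below is an added, deliberately small reimplementation of that idea and is not the Tunnel Hunter code: it trains a Gaussian naïve Bayes model on synthetic flows drawn from two constructed traffic profiles ("ssh-interactive" and "http-over-ssh", with made-up means and deviations) and then labels two hand-written sample flows. The number of packets used (5), the profile parameters and the sample flows are all assumptions for the demonstration.

```python
import math
import random

N_PACKETS = 5   # features are taken from the first N packets of a flow (assumed value)

# Constructed traffic profiles: (mean, std-dev) of packet size in bytes and inter-arrival time in s
PROFILES = {
    "ssh-interactive": {"size": (80, 20), "iat": (0.4, 0.15)},
    "http-over-ssh": {"size": (1200, 200), "iat": (0.02, 0.01)},
}

# Hand-written sample flows as lists of (timestamp, size); constructed, not captured
SAMPLE_INTERACTIVE = [(0.0, 60), (0.45, 70), (1.0, 64), (1.4, 80), (2.0, 60)]
SAMPLE_HTTP = [(0.0, 1400), (0.01, 1380), (0.02, 1420), (0.03, 1400), (0.04, 1390)]


def features(flow):
    """Return 2*N features: the sizes of the first N packets, then their inter-arrival times."""
    pkts = flow[:N_PACKETS]
    sizes = [float(s) for _, s in pkts]
    iats = [0.0] + [pkts[i][0] - pkts[i - 1][0] for i in range(1, len(pkts))]
    return sizes + iats


class GaussianNB:
    """Naive Bayes with one Gaussian per (class, feature); variance smoothing avoids zero variance."""

    def __init__(self):
        self.params, self.prior = {}, {}

    def fit(self, X, y):
        by_class = {}
        for x, label in zip(X, y):
            by_class.setdefault(label, []).append(x)
        for label, rows in by_class.items():
            self.prior[label] = math.log(len(rows) / len(X))
            stats = []
            for col in zip(*rows):
                mean = sum(col) / len(col)
                var = sum((v - mean) ** 2 for v in col) / len(col) + 1e-6
                stats.append((mean, var))
            self.params[label] = stats

    def predict(self, x):
        best, best_ll = None, -math.inf
        for label, stats in self.params.items():
            ll = self.prior[label]
            for v, (mean, var) in zip(x, stats):
                ll += -0.5 * math.log(2 * math.pi * var) - (v - mean) ** 2 / (2 * var)
            if ll > best_ll:
                best, best_ll = label, ll
        return best


def synth_flow(rng, profile):
    """Draw one synthetic flow of N packets from a constructed profile."""
    t, flow = 0.0, []
    for i in range(N_PACKETS):
        if i:
            t += max(0.001, rng.gauss(*profile["iat"]))
        flow.append((t, max(40, int(rng.gauss(*profile["size"])))))
    return flow


def build_classifier(seed=1, per_class=200):
    """Train on synthetic flows; a real deployment would train on labelled captures instead."""
    rng = random.Random(seed)
    X, y = [], []
    for label, prof in PROFILES.items():
        for _ in range(per_class):
            X.append(features(synth_flow(rng, prof)))
            y.append(label)
    clf = GaussianNB()
    clf.fit(X, y)
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    print("interactive sample ->", clf.predict(features(SAMPLE_INTERACTIVE)))
    print("http sample        ->", clf.predict(features(SAMPLE_HTTP)))
```

    The classifier never looks at payload bytes, which is the point: it works on the encrypted flow's shape alone. The slide's listed limitations (compression, different authentication types, login failures) all change that shape, so a production model needs training data that covers them.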
  • 37. Image taken from http://www.sectechno.com/2010/10/31/bypassing-firewalls-using-icmp-tunnel/
  • 39.
    - ICMPTX (IP over ICMP)
    - ICMP Tunnel (IP over ICMP)
    - Hans (IP over ICMP)
    - itun (IP over ICMP)
    - Ptunnel (TCP over ICMP)
    - Droid-VPN, Troid-VPN (Android apps, need root)
    - PD-Proxy, Wi-Free, Tunnel Guru
  • 40.
    - Detection signatures
      ◦ ICMP_PingTunnel_Detected
      ◦ LOKI ICMP tunneling back door
      ◦ ICMP Raw Sockets
    - Non-standard average packet size
    - High ICMP traffic volume between tunnel endpoints
    - Disallow ICMP traffic
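    The two statistical indicators on this slide (non-standard average packet size, high volume between a pair of endpoints) can be checked without signatures. The block below is an added example, not from the deck: it groups echo request/reply records per endpoint pair and reports pairs whose average payload is far from the usual ping defaults, whose payload size varies (ping repeats one size, a tunnel does not), or whose count exceeds a volume threshold. The records are constructed, and the default payload sizes (32 bytes on Windows, 56 on Linux/BSD), the 50-packet threshold and the 8-byte tolerance are assumptions to tune per site.

```python
from collections import defaultdict
from statistics import mean, pstdev

STANDARD_PAYLOADS = (32, 56)   # default ping payload sizes: Windows (32), Linux/BSD (56)
VOLUME_THRESHOLD = 50          # echo packets per endpoint pair per window (assumed)
SIZE_TOLERANCE = 8             # bytes of slack around the standard sizes (assumed)
ECHO_TYPES = (0, 8)            # ICMP echo reply / echo request


def constructed_icmp_records():
    """Constructed (src, dst, icmp_type, payload_len) records: one normal ping, one tunnel-like session."""
    records = []
    for _ in range(10):                                   # ordinary ping: 10 round trips, 56-byte payload
        records.append(("10.0.0.5", "192.0.2.1", 8, 56))
        records.append(("192.0.2.1", "10.0.0.5", 0, 56))
    for i in range(60):                                   # tunnel-like: 60 round trips, payload 200..1399 bytes
        size = 200 + (i * 97) % 1200
        records.append(("10.0.0.7", "198.51.100.9", 8, size))
        records.append(("198.51.100.9", "10.0.0.7", 0, size))
    records.append(("192.0.2.254", "10.0.0.5", 11, 36))   # TTL exceeded: not echo, ignored
    return records


def analyse(records, volume_threshold=VOLUME_THRESHOLD):
    """Return {(host_a, host_b): [reasons]} for endpoint pairs whose echo traffic looks tunnel-like."""
    sizes_by_pair = defaultdict(list)
    for src, dst, itype, plen in records:
        if itype not in ECHO_TYPES:
            continue
        sizes_by_pair[tuple(sorted((src, dst)))].append(plen)

    findings = {}
    for pair, sizes in sizes_by_pair.items():
        reasons = []
        avg = mean(sizes)
        if min(abs(avg - s) for s in STANDARD_PAYLOADS) > SIZE_TOLERANCE:
            reasons.append(f"non-standard average payload {avg:.0f} bytes")
        if len(sizes) > 1 and pstdev(sizes) > SIZE_TOLERANCE:
            reasons.append(f"variable payload size (stddev {pstdev(sizes):.0f} bytes)")
        if len(sizes) >= volume_threshold:
            reasons.append(f"high volume: {len(sizes)} echo packets")
        if reasons:
            findings[pair] = reasons
    return findings


if __name__ == "__main__":
    for pair, reasons in analyse(constructed_icmp_records()).items():
        print(pair, "->", "; ".join(reasons))
```

    Grouping by the unordered pair matters because a tunnel's data rides in both the request and the reply; counting only requests halves the volume signal. Where ICMP cannot simply be disallowed (the slide's last option), these per-pair statistics give the monitoring team the same evidence a signature would, without depending on a specific tool's header layout.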
  • 41.
    - The tunnel client initiates an HTTP connection to the tunnel server
    - The application’s requests are encapsulated in HTTP requests destined to the tunnel server
    - The tunnel server unwraps and forwards them
  • 42.
    - GNU httptunnel
      ◦ htc: tunnel client component
      ◦ hts: tunnel server component
    - Syntax
      ◦ Server: hts -F remote:<remote_port> 80
      ◦ Client: htc -F <local_port> server:80
      ◦ Client: ssh -p <local_port> user@localhost
  • 45.
    - OzymanDNS
    - Dns2tcp
    - Iodine
    - Heyoka (+ source IP spoofing)
    - DNSCat
    - NSTX
    - DNScapy
    - MagicTunnel, Element53, VPN-over-DNS (Android)
    - iodine for iOS
    - “VPN over DNS”
  • 46.
    - Increased DNS traffic (network traffic profiling)
    - Maximum DNS request packet size
    - Large number of DNS TXT requests
    - Number of DNS requests and of unique hostnames to a single domain
    - Composition of hostnames
      ◦ Length, unique characters, character frequency analysis
    - Split DNS
      ◦ Web proxies (but not clients) can resolve external domains
  • 47.
    - Determining which tunneling-like messages are malicious
      ◦ Real-time Blackhole Lists (DNSBL lookups): 23.42.168.192.dnsbl.example.net, example.net.dnslist.example.com
      ◦ NIST National Software Reference Library: 84C0C5914FF0B825141BA2C6A9E3D6F4.md5.dshield.org
    - Mail servers perform DNS TXT requests (SPF)
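    Slides 29, 46 and 47 together describe what a DNS tunnel looks like in a resolver's query log (long, Base32-looking labels, many unique names under one domain, a high share of TXT queries) and why naive versions of those checks misfire on DNSBL and NSRL hash lookups. The block below is an added example, not from the deck: it profiles a constructed query log per registered domain, computes the hostname-composition metrics the slide lists (length, character entropy), and flags a domain only when several indicators agree, after skipping an allowlist of legitimate lookup zones. The log format ("timestamp client qname qtype"), the domain names, the allowlist, the thresholds and the "last two labels" notion of registered domain are all assumptions for the demonstration.

```python
import math
import random
from collections import Counter, defaultdict

# Zones known to produce tunnel-looking queries legitimately (slide 47); assumed list, extend per site.
ALLOWLIST = ("dnsbl.example.net", "dnslist.example.com", "md5.dshield.org")


def constructed_query_log():
    """Constructed resolver log lines: normal client traffic, a DNSBL lookup, and a tunnel-like burst."""
    rng = random.Random(7)
    base32 = "abcdefghijklmnopqrstuvwxyz234567"   # DNS names are case-insensitive, hence Base32 (slide 29)
    lines = [
        "1700000000 10.0.0.5 www.example.com A",
        "1700000001 10.0.0.5 mail.example.com MX",
        "1700000002 10.0.0.5 example.com TXT",                        # SPF lookup by a mail server
        "1700000003 10.0.0.9 23.42.168.192.dnsbl.example.net A",       # DNSBL lookup, must not be flagged
    ]
    for i in range(40):                                                # 40 unique 50-char labels, all TXT
        label = "".join(rng.choice(base32) for _ in range(50))
        lines.append(f"{1700000010 + i} 10.0.0.7 {label}.t.tunnel-example.net TXT")
    return lines


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; random Base32 text scores near 5, normal hostnames far lower."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Simplification: the last two labels. A real tool would use the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])


def allowlisted(qname: str) -> bool:
    return any(qname == z or qname.endswith("." + z) for z in ALLOWLIST)


def profile(lines):
    """Per-domain counters over the log: queries, unique names, TXT share, name length, label entropy."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "txt": 0, "lengths": [], "entropies": []})
    for line in lines:
        _ts, _client, qname, qtype = line.split()
        qname = qname.lower().rstrip(".")
        if allowlisted(qname):
            continue
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")          # the part the client chose: carries tunnel data
        s = stats[dom]
        s["queries"] += 1
        s["names"].add(qname)
        s["txt"] += qtype.upper() == "TXT"
        s["lengths"].append(len(qname))
        s["entropies"].append(entropy(sub.replace(".", "")))
    return stats


def suspicious(lines, min_unique=20, min_avg_len=40, min_entropy=3.5, min_txt_share=0.5):
    """Return {domain: [reasons]} for domains where at least two indicators agree (thresholds assumed)."""
    out = {}
    for dom, s in profile(lines).items():
        avg_len = sum(s["lengths"]) / len(s["lengths"])
        avg_ent = sum(s["entropies"]) / len(s["entropies"])
        reasons = []
        if len(s["names"]) >= min_unique:
            reasons.append(f"{len(s['names'])} unique hostnames")
        if avg_len >= min_avg_len:
            reasons.append(f"average query name length {avg_len:.0f}")
        if avg_ent >= min_entropy:
            reasons.append(f"average label entropy {avg_ent:.2f} bits/char")
        if s["txt"] / s["queries"] >= min_txt_share:
            reasons.append(f"{s['txt']}/{s['queries']} queries are TXT")
        if len(reasons) >= 2:
            out[dom] = reasons
    return out


if __name__ == "__main__":
    for dom, reasons in suspicious(constructed_query_log()).items():
        print(dom, "->", "; ".join(reasons))
```

    Requiring two independent indicators is what keeps the SPF TXT lookup and the DNSBL query out of the findings: each trips at most one check. The entropy is computed over the client-chosen labels only, so a long but ordinary corporate hostname under a short zone does not score like encoded data.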
  • 48.
    - Description & Concerns
    - Tunneling Protocols & Protocol Tunneling
    - Network Tunneling Tools & Setup
    - Demo
    - Conclusions
  • 50.
    - Description & Concerns
    - Tunneling Protocols & Protocol Tunneling
    - Network Tunneling Tools & Setup
    - Demo
    - Conclusions
  • 51.
    - Using existing core network protocols in innovative ways
    - Ability to bypass filtering controls and make monitoring difficult (SSH encrypted tunnels)
    - Need for improved tunneling detection methods (covering both delivery and payload protocols) and even forensic capabilities