Network Security’s Friend or Foe
Spyridon Dosis
• Description & Concerns
• Tunneling Protocols & Protocol Tunneling
• Network Tunneling Tools & Setup
• Demo
• Conclusions
• A delivery network protocol encapsulates a payload network protocol
• The delivery protocol usually (but not always) operates at the same or a higher layer of the stack (e.g. TCP/IP) than the payload protocol
• Protocol Tunneling
◦ Order in protocol encapsulation (which protocol wraps which)
◦ Obfuscation rather than hiding: the payload is wrapped, not concealed
◦ Practical use cases & misuse
• Covert Channels
◦ Channels not intended for information transfer
◦ Hiding data in unused or loosely checked protocol fields, such as the IP ID or the TCP initial sequence number
◦ Network steganography
• Carry data over incompatible delivery networks
• Provide an (encrypted) path through a public network
◦ Monitoring vs anti-censorship
• Allowing "some kind" of traffic may lead to "any kind": whatever the tunnel carries inherits the permission granted to the delivery protocol
• Pre-existing network-based security tools (firewalls, IDS) may not be able to apply their controls to the tunneled traffic
◦ Evading traffic regulation
• Lack of host-based security controls
◦ Defense in depth: the endpoint is often the only place where a tunneled payload can still be inspected
• Inability to perform ingress and egress filtering on the inner traffic
• An 'open-ended' tunnel (e.g. a port forward with no destination restriction) may forward traffic to other internal hosts
• Advanced Persistent Threats (APTs): remote control & data exfiltration
◦ Backdoors with OS command execution and file transfer capabilities are installed on target systems
◦ Collected files are uploaded over commonly allowed ports such as HTTP (80), HTTPS (443) and DNS (53), bypassing detection
• Covert channels for malware
◦ e.g. C&C communications over DNS (Feederbot, W32.Morto)
Tunneling Protocols & Protocol Tunneling
• In IPsec ESP tunnel mode the original IP packet (header and payload) is encrypted
• The Next Header field of the ESP trailer (4 = IP-in-IP) indicates that the entire original packet is the payload
• A new outer IP header is inserted, with its protocol/next-header field set to ESP (50)
Image taken from http://www.free-it.de/archiv/talks_2005/paper-11156/paper-11156.html
• Security services from gateway to gateway or from host to gateway over an insecure network
• The entire original packet is encrypted
◦ Internal traffic behind the gateways is not protected
• Often used to implement Virtual Private Networks (IPsec VPNs)
◦ Site-to-site
◦ Client-to-site
• "GRE (Generic Routing Encapsulation) specifies a protocol for encapsulation of an arbitrary protocol over another arbitrary network layer protocol" (RFC 2784; RFC 2890 adds the Key and Sequence Number extensions)
• Point-to-point links
Image taken from http://netwild.ru/pptp/
• Ethernet over IPv4/IPv6 (e.g. OpenStack Neutron GRE tenant networks)
• Support for tunneling broadcast/multicast traffic
◦ e.g. delivering routing updates to multiple sites
• IPv4/IPv6 over IPv4/IPv6
• No encryption or other security services by default
◦ Combine with IPsec (GRE over IPsec, transport or tunnel mode) when confidentiality or integrity is needed
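The GRE header described above, as an added example that is not part of the original slides: it builds the RFC 2784/2890 header (optional Checksum, Key and Sequence Number fields) around a payload and strips it again, which is exactly what a monitoring tool has to do before it can inspect the inner protocol. The inner packet is a constructed 20-byte IPv4 header, not captured traffic.

```python
"""GRE (RFC 2784, with the RFC 2890 Key and Sequence Number extensions)
encapsulation and decapsulation.  Added example, not from the slides:
shows the header a GRE tunnel wraps around a payload packet and how an
inspection tool can strip it to reach the inner protocol.  The inner
packet is a constructed 20-byte IPv4 header, not real traffic."""
import socket
import struct
from typing import Optional

FLAG_CHECKSUM = 0x8000   # C bit
FLAG_KEY = 0x2000        # K bit (RFC 2890)
FLAG_SEQ = 0x1000        # S bit (RFC 2890)
VERSION_MASK = 0x0007

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_TEB = 0x6558   # transparent Ethernet bridging: Ethernet over GRE


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, zero-padded to 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int, key: Optional[int] = None,
                    seq: Optional[int] = None, checksum: bool = False) -> bytes:
    """Prepend a version-0 GRE header; proto is the EtherType of the payload."""
    flags = 0
    optional = b""
    if key is not None:            # Key identifies the tunnel / tenant
        flags |= FLAG_KEY
        optional += struct.pack("!I", key)
    if seq is not None:            # Sequence number lets the receiver detect loss/reordering
        flags |= FLAG_SEQ
        optional += struct.pack("!I", seq)
    if checksum:
        flags |= FLAG_CHECKSUM
        # The checksum covers the whole GRE header and payload with the
        # Checksum and Reserved1 fields set to zero.
        zeroed = struct.pack("!HH", flags, proto) + b"\x00" * 4 + optional + payload
        optional = struct.pack("!HH", ones_complement_checksum(zeroed), 0) + optional
    return struct.pack("!HH", flags, proto) + optional + payload


def gre_decapsulate(packet: bytes) -> dict:
    """Parse a GRE packet: proto, optional fields, checksum status and payload."""
    def need(n: int) -> None:
        if len(packet) < n:
            raise ValueError("truncated GRE header")

    need(4)
    flags, proto = struct.unpack("!HH", packet[:4])
    if (flags & VERSION_MASK) != 0:
        raise ValueError("unsupported GRE version %d" % (flags & VERSION_MASK))
    offset = 4
    info = {"proto": proto, "key": None, "seq": None, "checksum_ok": None}
    stored = None
    if flags & FLAG_CHECKSUM:
        need(offset + 4)
        stored = struct.unpack("!H", packet[offset:offset + 2])[0]
        offset += 4                # Checksum (2) + Reserved1 (2)
    if flags & FLAG_KEY:
        need(offset + 4)
        info["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_SEQ:
        need(offset + 4)
        info["seq"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if stored is not None:
        zeroed = packet[:4] + b"\x00" * 4 + packet[8:]
        info["checksum_ok"] = ones_complement_checksum(zeroed) == stored
    info["payload"] = packet[offset:]
    return info


def constructed_ipv4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header (no options, zero checksum) used as the inner packet."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 0, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


if __name__ == "__main__":
    inner = constructed_ipv4_header("10.0.0.1", "10.0.0.2")
    outer = gre_encapsulate(inner, ETHERTYPE_IPV4, key=42, seq=7, checksum=True)
    print(gre_decapsulate(outer))
```

On the wire the outer IP header carries protocol 47, so a firewall that permits "protocol 47 to a partner site" is permitting whatever EtherType the Protocol Type field names; the decapsulator above is the minimum an inspection point needs to look past that.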
• Tunnel brokers provide a network tunneling service
• 6in4 – IPv6 over IPv4 (IP protocol 41)
• 4in6 – IPv4 over IPv6
• ISATAP
• Teredo – IPv6 over UDP over IPv4
• …and others
• Secure channel over an insecure network between an SSH client and an SSH server (e.g. OpenSSH), typically listening on TCP port 22
• Public-key cryptography for server (and optionally client) authentication
• Remote command execution, file transfer (SCP, SFTP), TCP port forwarding, X forwarding and layer-2/3 tunneling (tun/tap devices via -w)
• Local port forwarding (-L): traffic arriving at a port on the SSH client is forwarded to a specified remote host/port
• The destination is resolved relative to the SSH server's location and is mostly unrestricted (sshd's PermitOpen is the server-side control)
• The listening port on the SSH client can be bound to localhost only or exposed to other hosts (bind address / GatewayPorts on the client)
• Remote port forwarding (-R): traffic arriving at a port on the SSH server is forwarded to a specified host/port
• The destination is resolved relative to the SSH client's location and is mostly unrestricted (sshd's PermitListen controls which ports may be opened)
• The listening port on the SSH server is bound to localhost by default; GatewayPorts in sshd_config exposes it to other hosts
• Works well for single-host/port communications
◦ Simple Web (HTTP)
◦ Mail (SMTP, POP3, IMAP)
◦ SSH
• Fails for more complex network services
◦ Web with external references / general surfing
▪ Solution: chain to a web proxy
◦ FTP (separate data connections)
◦ Peer-to-peer
• The SOCKS protocol proxies TCP connections (and, in SOCKS5, forwards UDP packets) from a client to a server through a proxy
• Dynamic forwarding (-D) creates a local SOCKS proxy on the SSH client's side that can forward traffic to arbitrary remote hosts and ports; OpenSSH's SOCKS support handles TCP CONNECT only, not UDP ASSOCIATE
• Firewall traversal / content-filtering circumvention
• Run remote X Window System applications displayed locally
• Requires an X server on Windows clients
• Secures the X protocol by tunneling it over SSH
• ssh -X user@host <application> (-Y for trusted forwarding, which lifts the X security-extension restrictions)
◦ e.g. run a remote browser visiting a blocked website
• "An ICMP ECHO_REQUEST packet contains an additional 8 bytes worth of ICMP header followed by an arbitrary-amount of data" (ping(8) man page)
• LOKI (Phrack Issue 49) used this data field to establish a covert channel between a client and a server
• IP over ICMP
• TCP over ICMP
• Various network protocols are encapsulated in HTTP requests and responses
• HTTP is rarely blocked outright
• Bypasses restrictions
◦ Firewalls
◦ Proxy servers / content filtering
• Transport arbitrary data by encoding it into DNS messages
• Wide support and availability of the global DNS infrastructure
• Few organizations block DNS traffic from individual clients to the Internet (e.g. captive portals in public Wi-Fi commonly allow DNS before authentication)
• Effective for bypassing security measures such as firewalls or ACLs
• Used for two-way communication or data exfiltration
• Around since 1998
• NSTX (Nameserver Transfer Protocol)
• OzymanDNS (Dan Kaminsky) – "Tunneling Audio, Video and SSH over DNS"
• Used mostly for bypassing paywalls and captive portals
• Mapping between domain names and IP addresses
• Record types
◦ A, AAAA, CNAME, MX, NS, PTR, TXT, NULL
• EDNS0 for UDP payloads larger than 512 bytes
◦ Increased bandwidth per message
• Internal users can contact arbitrary external domains through the organization's DNS servers/resolvers even when direct outbound traffic is blocked: the recursive resolver carries the query to the attacker's authoritative server on their behalf
Image taken from http://nirlog.com/2006/03/28/dns-amplification-attack/
• Maximum 253 characters in a domain name (255 octets on the wire)
• Maximum 63 characters per label
• Names are case-insensitive, so upstream data is typically Base32-encoded into the query name
• TXT responses allow the maximum number of characters and preserve case, so Base64 encoding is used downstream
• Bandwidth up to 110 KB/s, 150 ms latency (Van Leijenhorst, 2008)
Network Tunneling Tools & Setup
• Combined with netcat
◦ Establish a local/remote port forward over SSH with an SSH server
◦ Create a FIFO special file (a named pipe) on both sides
◦ Listen for UDP requests and relay them through the SSH tunnel
◦ Forward the relayed requests as UDP on the far side and return the replies the same way
• tcp_to_udp & udp_to_tcp helper scripts
• socat relays & UDPTunnel (UDP over TCP)
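The UDP-over-SSH relay above works because TCP is a byte stream with no message boundaries; a relay that just copies bytes can merge or split datagrams. The block below is an added example, not the slides' netcat/FIFO setup nor UDPTunnel's code: each datagram is prefixed with a 16-bit length, the receiving side reassembles across arbitrary TCP segment splits, and the two one-step relay functions take socket objects from the caller (the `peer_box` dict that remembers the last UDP sender is this example's own convention) so the logic is testable offline.

```python
"""Length-prefixed framing for carrying UDP datagrams over a TCP tunnel
(for instance an SSH port forward).  Added example, not from the slides:
TCP has no message boundaries, so every datagram is prefixed with its
16-bit big-endian length and the far side reassembles it before handing
it back to UDP.  Sockets are passed in by the caller."""
import struct

MAX_DATAGRAM = 65507   # largest UDP payload over IPv4


def frame(datagram: bytes) -> bytes:
    """Prefix a datagram with its length so it survives the byte stream intact."""
    if len(datagram) > MAX_DATAGRAM:
        raise ValueError("datagram too large")
    return struct.pack("!H", len(datagram)) + datagram


class Deframer:
    """Incremental parser: feed() any TCP chunk, get back only complete datagrams."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        self._buf += chunk
        out = []
        while len(self._buf) >= 2:
            length = struct.unpack("!H", self._buf[:2])[0]
            if len(self._buf) < 2 + length:
                break                     # wait for the rest of this datagram
            out.append(bytes(self._buf[2:2 + length]))
            del self._buf[:2 + length]
        return out

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete datagram."""
        return len(self._buf)


def udp_to_tcp(udp_sock, tcp_sock, peer_box: dict) -> int:
    """One relay step on the side facing the UDP client: read a datagram, write one frame."""
    data, peer = udp_sock.recvfrom(MAX_DATAGRAM)
    peer_box["addr"] = peer               # remember whom to send replies back to
    tcp_sock.sendall(frame(data))
    return len(data)


def tcp_to_udp(tcp_sock, udp_sock, deframer: Deframer, peer_box: dict) -> int:
    """One relay step in the other direction; returns datagrams emitted, -1 on EOF."""
    chunk = tcp_sock.recv(4096)
    if not chunk:
        return -1
    sent = 0
    for datagram in deframer.feed(chunk):
        if "addr" in peer_box:            # drop replies until a UDP peer has spoken
            udp_sock.sendto(datagram, peer_box["addr"])
            sent += 1
    return sent


if __name__ == "__main__":
    # Stream split at awkward places: the deframer still yields whole datagrams.
    stream = frame(b"query-1") + frame(b"") + frame(b"x" * 300)
    d = Deframer()
    for piece in (stream[:3], stream[3:10], stream[10:]):
        print(d.feed(piece))
```

The same framing is what socat's and UDPTunnel's TCP side have to do; without it a 1200-byte DNS response and the next request can arrive as one `recv()` and be forwarded as a single malformed datagram.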
• When browsing through a SOCKS or port forward, DNS requests are by default still sent by the client to its local resolver
• Monitoring can reveal DNS requests for common websites alongside the SSH traffic
• Solution: have the proxy (SSH server) resolve the names as well
◦ e.g. Firefox network.proxy.socks_remote_dns = true
• Multi-hop setups
◦ Client (SSH local port forward) -> Host 1 (SSH dynamic port forward) -> Host 2 -> Web
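The SOCKS behaviour behind both the dynamic-forwarding slide and the DNS-leak slide, as an added example that is not the slides' or OpenSSH's code: a SOCKS5 (RFC 1928) greeting and CONNECT exchange with both sides' messages. With address type 0x01 the client resolves the name itself before talking to the proxy, so the lookup leaves on the client's own network; with type 0x03 the name travels inside the request and the proxy (the SSH server behind `ssh -D`) resolves it, which is what `socks_remote_dns` switches on. The `resolver` parameter and the 192.0.2.x addresses are stand-ins so nothing touches the network.

```python
"""SOCKS5 (RFC 1928) greeting and CONNECT exchange, client and proxy side.
Added example, not from the slides or from OpenSSH.  ATYP 0x01 means the
client resolved the name itself (DNS leak on the client's network);
ATYP 0x03 hands the name to the proxy to resolve.  The resolver
parameter and 192.0.2.x addresses are constructed stand-ins."""
import socket
import struct
from typing import Callable

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00


def client_greeting() -> bytes:
    """VER NMETHODS METHODS: offer 'no authentication' only."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def proxy_method_choice(greeting: bytes) -> bytes:
    """VER METHOD: pick a method from the client's list or refuse."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in greeting[2:] else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def connect_request(host: str, port: int, remote_dns: bool,
                    resolver: Callable[[str], str] = socket.gethostbyname) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT for a CONNECT to host:port."""
    head = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00])
    tail = struct.pack("!H", port)
    try:
        return head + bytes([ATYP_IPV4]) + socket.inet_aton(host) + tail  # literal IPv4
    except OSError:
        pass
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        return head + bytes([ATYP_DOMAIN, len(name)]) + name + tail
    # Local resolution: the lookup happens on the client's network, outside
    # the tunnel, and reveals the destination to anyone watching DNS.
    return head + bytes([ATYP_IPV4]) + socket.inet_aton(resolver(host)) + tail


def parse_connect_request(req: bytes) -> dict:
    """Proxy side: decode the request and report who resolves the destination."""
    if len(req) < 4:
        raise ValueError("short request")
    ver, cmd, rsv, atyp = req[0], req[1], req[2], req[3]
    if ver != SOCKS_VERSION or rsv != 0x00:
        raise ValueError("bad version or reserved byte")
    if cmd != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    if atyp == ATYP_IPV4:
        host, offset = socket.inet_ntoa(req[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        length = req[4]
        host, offset = req[5:5 + length].decode("idna"), 5 + length
    elif atyp == ATYP_IPV6:
        host, offset = socket.inet_ntop(socket.AF_INET6, req[4:20]), 20
    else:
        raise ValueError("unknown address type")
    if len(req) != offset + 2:
        raise ValueError("bad length")
    port = struct.unpack("!H", req[offset:offset + 2])[0]
    return {"atyp": atyp, "host": host, "port": port,
            "proxy_resolves": atyp == ATYP_DOMAIN}


def proxy_reply(rep: int = REP_SUCCEEDED, bind_addr: str = "0.0.0.0",
                bind_port: int = 0) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + socket.inet_aton(bind_addr) + struct.pack("!H", bind_port))


if __name__ == "__main__":
    for remote in (True, False):
        req = connect_request("example.com", 443, remote,
                              resolver=lambda h: "192.0.2.10")
        print(req.hex(), parse_connect_request(req))
```

Seen from the monitored network, the two requests differ only inside the encrypted SSH session; what differs in the clear is whether a DNS query for `example.com` precedes the connection.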
• SSH traffic volume & SSH tunnel endpoints
• Tunnel Hunter (Dusi et al., 2008)
◦ Naïve Bayes classifier
◦ Packet size & packet inter-arrival time
◦ Detects tunneling & classifies the actual protocol (BitTorrent, POP, SMTP, HTTP) with high accuracy
◦ Limitations with respect to multiple SSH authentication types, data compression, login failures and network protocols
• SSH server on non-standard ports (e.g. 443)
◦ EmergingThreats Snort rules, Cisco IDS (SSH banner on an unexpected port)
• TCP over TCP degrades tunnel performance (stacked retransmission timers)
Image taken from http://www.sectechno.com/2010/10/31/bypassing-firewalls-using-icmp-tunnel/
• ICMPTX (IP over ICMP)
• ICMP Tunnel (IP over ICMP)
• Hans (IP over ICMP)
• itun (IP over ICMP)
• Ptunnel (TCP over ICMP)
• Droid-VPN, Troid-VPN (Android apps, need root)
• PD-Proxy, Wi-Free, Tunnel Guru
• Detection signatures
◦ ICMP_PingTunnel_Detected
◦ LOKI ICMP tunneling back door
◦ ICMP Raw Sockets
• Non-standard average packet size
• High ICMP traffic volume between tunnel endpoints
• Disallow ICMP echo traffic, or rate-limit it and strip/normalize echo payloads; blocking all ICMP also breaks path MTU discovery, so filter by type
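The size, volume and payload indicators listed above, run over a sample capture, as an added example that is not from the slides or from any IDS ruleset. The packets are constructed inside the block (ICMP checksums left zero): four ordinary pings with replies that mirror the request, then a Ptunnel-style session that stuffs 256 bytes into every echo request and returns different data in each reply. The thresholds and the 10.0.0.x / 192.0.2.x / 198.51.100.x addresses are assumptions.

```python
"""Heuristics for spotting ICMP echo tunnels in captured traffic.  Added
example, not from the slides or from any IDS ruleset.  Packets are
constructed here (checksum field left zero), not captured; thresholds
are assumptions a deployment would tune."""
import hashlib
import math
import struct
from collections import defaultdict

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
KNOWN_PING_PAYLOAD_SIZES = {32, 56}   # Windows ping and Linux ping defaults


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header (type, code, checksum, id, seq) + payload."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


def parse_icmp(raw: bytes) -> dict:
    if len(raw) < 8:
        raise ValueError("short ICMP packet")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": raw[8:]}


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(packets, volume_threshold: int = 20, entropy_threshold: float = 6.0) -> dict:
    """packets: iterable of (src, dst, raw_icmp). Per host-pair counters and reasons."""
    pairs = defaultdict(lambda: {"requests": 0, "replies": 0, "odd_size": 0,
                                 "high_entropy": 0, "reply_mismatch": 0})
    outstanding = {}   # (src, dst, id, seq) -> request payload, to match replies
    for src, dst, raw in packets:
        p = parse_icmp(raw)
        st = pairs[tuple(sorted((src, dst)))]
        if p["type"] == ICMP_ECHO_REQUEST:
            st["requests"] += 1
            outstanding[(src, dst, p["id"], p["seq"])] = p["payload"]
            if len(p["payload"]) not in KNOWN_PING_PAYLOAD_SIZES:
                st["odd_size"] += 1
            # Entropy only means something on larger payloads: the 56-byte
            # Linux ping pattern is itself nearly all distinct byte values.
            if len(p["payload"]) >= 128 and shannon_entropy(p["payload"]) > entropy_threshold:
                st["high_entropy"] += 1
        elif p["type"] == ICMP_ECHO_REPLY:
            st["replies"] += 1
            request_payload = outstanding.pop((dst, src, p["id"], p["seq"]), None)
            if request_payload is not None and request_payload != p["payload"]:
                st["reply_mismatch"] += 1   # a genuine echo reply mirrors the request
    report = {}
    for key, st in pairs.items():
        reasons = []
        if st["requests"] > volume_threshold:
            reasons.append("volume")
        if st["odd_size"]:
            reasons.append("non-default payload size")
        if st["high_entropy"]:
            reasons.append("high-entropy payload")
        if st["reply_mismatch"]:
            reasons.append("reply payload mismatch")
        report[key] = dict(st, reasons=reasons)
    return report


def sample_traffic() -> list:
    """Constructed capture: 4 normal pings, then 30 tunnel exchanges."""
    pkts = []
    linux_payload = b"\x00" * 8 + bytes(range(0x10, 0x40))   # timestamp slot + pattern, 56 bytes
    for seq in range(1, 5):
        pkts.append(("10.0.0.5", "192.0.2.1", build_echo(ICMP_ECHO_REQUEST, 0x1234, seq, linux_payload)))
        pkts.append(("192.0.2.1", "10.0.0.5", build_echo(ICMP_ECHO_REPLY, 0x1234, seq, linux_payload)))
    for seq in range(30):
        up = b"".join(hashlib.sha256(b"up%d-%d" % (seq, i)).digest() for i in range(8))     # 256 bytes
        down = b"".join(hashlib.sha256(b"down%d-%d" % (seq, i)).digest() for i in range(8))
        pkts.append(("10.0.0.7", "198.51.100.9", build_echo(ICMP_ECHO_REQUEST, 0xBEEF, seq, up)))
        pkts.append(("198.51.100.9", "10.0.0.7", build_echo(ICMP_ECHO_REPLY, 0xBEEF, seq, down)))
    return pkts


if __name__ == "__main__":
    for pair, st in analyze(sample_traffic()).items():
        print(pair, st["reasons"])
```

The reply-mismatch check is the cheapest strong signal: a host answering echo requests with payloads it was not sent is not running a normal ICMP stack, whatever the packet sizes look like.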
• The tunnel client initiates an HTTP connection to the tunnel server
• The client application's requests are encapsulated in HTTP requests destined for the tunnel server
• The tunnel server unwraps and forwards them
• GNU httptunnel
◦ htc – tunnel client component
◦ hts – tunnel server component
• Syntax
◦ Server: hts -F remote:<remote_port> 80
◦ Client: htc -F <local_port> server:80
◦ Then: ssh -p <local_port> user@localhost
• OzymanDNS
• Dns2tcp
• Iodine
• Heyoka (+ source IP spoofing)
• DNSCat
• NSTX
• DNScapy
• MagicTunnel, Element53, VPN-over-DNS (Android)
• iodine for iOS
• "VPN over DNS"
• Increased DNS traffic (network traffic profiling)
• Maximum-size DNS request packets
• Large number of DNS TXT (or NULL) requests
• Number of DNS requests and unique hostnames to a single domain
• Composition of hostnames
◦ Length, unique characters, character frequency analysis
• Split DNS
◦ Web proxies (but not clients) can resolve external domains
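The two DNS slides above, the encoding constraints (63-character labels, 253-character names, Base32 upstream) and the detection features (request count, unique hostnames per domain, name length and composition, TXT ratio), in one added example that is not from the slides or from iodine/dns2tcp. The encoder packs data into query names under those limits with a hex sequence label for reordering; the decoder is what the attacker's authoritative server would run; the profiler then scores a constructed query log containing ordinary lookups and one tunnelled 2 KiB upload. The zone names, client addresses and thresholds are assumptions.

```python
"""How a DNS tunnel packs data into query names within the 63-octet label
and 253-character name limits, and the traffic-profile features that give
such queries away.  Added example, not from the slides or from any tunnel
tool.  Zone names, client addresses and thresholds are assumptions."""
import base64
import hashlib
from collections import defaultdict

MAX_NAME = 253    # presentation-format limit (255 octets on the wire)
MAX_LABEL = 63


def encode_upstream(data: bytes, zone: str) -> list:
    """Query names that carry data upstream: <base32 labels>.<hex seq>.<zone>."""
    payload = base64.b32encode(data).decode("ascii").lower().rstrip("=")
    names, pos, seq = [], 0, 0
    while pos < len(payload):
        tail = ".%x.%s" % (seq, zone)
        budget = MAX_NAME - len(tail)          # room for payload labels and their dots
        labels = []
        while pos < len(payload) and budget > 0:
            take = min(MAX_LABEL, budget, len(payload) - pos)
            labels.append(payload[pos:pos + take])
            pos += take
            budget -= take + 1                 # +1 for the dot after this label
        names.append(".".join(labels) + tail)
        seq += 1
    return names


def decode_upstream(names: list, zone: str) -> bytes:
    """Authoritative-server side: strip the zone, reorder by sequence label, Base32-decode."""
    suffix = "." + zone
    chunks = []
    for name in names:
        if not name.endswith(suffix):
            raise ValueError("query outside the tunnel zone: " + name)
        labels = name[:-len(suffix)].split(".")
        chunks.append((int(labels[-1], 16), "".join(labels[:-1])))
    payload = "".join(chunk for _, chunk in sorted(chunks))
    return base64.b32decode(payload.upper() + "=" * ((-len(payload)) % 8))


def registered_domain(qname: str) -> str:
    """Assumes a two-label zone (no public-suffix list) when grouping queries."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def profile_queries(queries, min_queries: int = 10) -> dict:
    """queries: iterable of (client, qname, qtype). Per-domain features and a verdict."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "total_len": 0,
                                 "txt_null": 0, "long_label": 0})
    for _client, qname, qtype in queries:
        s = stats[registered_domain(qname)]
        s["queries"] += 1
        s["names"].add(qname)
        s["total_len"] += len(qname)
        if qtype in ("TXT", "NULL"):
            s["txt_null"] += 1
        if max(len(label) for label in qname.split(".")) > 30:
            s["long_label"] += 1
    report = {}
    for domain, s in stats.items():
        n = s["queries"]
        r = {"queries": n, "unique_names": len(s["names"]), "avg_len": s["total_len"] / n,
             "txt_null_ratio": s["txt_null"] / n, "long_label_ratio": s["long_label"] / n}
        # Verdict: enough volume, almost every name unique, and long names or labels.
        r["suspicious"] = (n >= min_queries and r["unique_names"] / n > 0.8
                           and (r["avg_len"] > 60 or r["long_label_ratio"] > 0.5))
        report[domain] = r
    return report


def sample_queries() -> list:
    """Constructed log: ordinary lookups plus one tunnelled upload of 2 KiB."""
    benign = [("10.0.0.5", n, t) for n, t in
              [("www.example.com", "A"), ("mail.example.com", "MX"), ("www.example.com", "A"),
               ("cdn.example.com", "AAAA"), ("www.example.com", "A"), ("api.example.com", "A"),
               ("mail.example.com", "A"), ("www.example.com", "A"), ("img.example.com", "A"),
               ("www.example.com", "A"), ("api.example.com", "A"), ("www.example.com", "A")]]
    data = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    tunnel = [("10.0.0.7", n, "TXT") for n in encode_upstream(data, "t.example.net")]
    return benign + tunnel


if __name__ == "__main__":
    for domain, r in profile_queries(sample_queries()).items():
        print(domain, r)
```

The unique-name ratio is what separates a tunnel from a busy but legitimate zone: caching makes ordinary clients repeat the same handful of names, whereas a tunnel must make every query unique to defeat that same cache.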
• Determining which tunneling messages are malicious: legitimate services also carry lookups that look like tunnel traffic
◦ Real-time Blackhole Lists (DNSBL lookups)
▪ 23.42.168.192.dnsbl.example.net
▪ example.net.dnslist.example.com
◦ NIST National Software Reference Library hash lookups over DNS
▪ 84C0C5914FF0B825141BA2C6A9E3D6F4.md5.dshield.org
◦ Mail servers perform DNS TXT requests (SPF)
Demo
Conclusions
• Using existing core network protocols in innovative ways
• Ability to bypass filtering controls and make monitoring difficult (SSH encrypted tunnels)
• Need for improved tunneling detection methods (covering both the delivery and the payload protocol) and for forensic capabilities
Network tunneling techniques