On Fri, 18 Oct 2002 14:41:25 -0400 (EDT) Michal Zalewski <lcamtufat_private> wrote:

> On Fri, 18 Oct 2002, Ofir Arkin wrote:
>
> > There are protocols which you CAN perfectly understand and distinguish
> > between legit and not legit traffic.
>
> No, because, as I stated, this is not an either-or distinction. Simply
> put, the presence or absence of legitimate traffic, or a specific
> nature (sequence, target, type) of legitimate traffic can establish a
> covert channel. ICMP ping with no payload, normalized options, etc, can
> be considered legitimate traffic, assuming your policy allows pings. Yet
> the fact the host is pinged three times, as opposed to two, may establish
> a covert information flow (practical for some purposes, not practical for
> others).

To reinforce Michal's statement and to further contradict Ofir and all the
would-be covert channel filter advocates:

You will _never_ be able to screen all covert channels. You can modulate
information (albeit slowly) for instance by _not_ pinging in a predetermined
fashion.

I am reminded of the old "ladies dress code" where spies
modulated/encoded/signalled information by having lady messengers wear
certain colors/styles of outfits. Uhm, you should then force everyone
(especially pretty ladies :-) to go nude to avoid this possibility... :-P
(On second thought this might not be so good; it would mean ugly old fat
guys would have to go nude too :-)

Same thing applies to packets. The only way to block a potential covert
channel is to disable the communications link altogether.

Blocking covert channels may be futile, but detection is another matter :-).
Subverting the covert channel to disinform is left as an exercise for the
reader.

--
--dr

pgpkey: http://dragos.com/dr-dursec.asc
0 = 1, for large values of zero and small values of one.
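The thread's point is that the count, or the absence, of otherwise legitimate pings can carry information, and that detection, rather than blocking, is where a defender has leverage. The script below is an added example (not part of the original message or its author's tooling) showing one detection heuristic: per source/destination flow, it counts ICMP echo requests in each fixed time window between the flow's first and last request, keeps the silent windows (since "not pinging" is part of the signal), and scores the count sequence by Shannon entropy. A monitoring host that pings once a minute produces a flat sequence with entropy 0; a flow whose count keeps switching between a few values scores higher. The log format, addresses, window size and threshold are all constructed for this example.

```python
"""Flag ICMP echo flows whose per-window request counts vary irregularly.

Added example: the log format, host addresses, window size and entropy
threshold below are constructed assumptions, not taken from the thread.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log: 10.0.0.5 is a monitor pinging 10.0.0.1 once per
# minute; 10.0.0.9 pings 10.0.0.1 3, 2, 0, 3, 2, 3, 0, 2 times per minute.
SAMPLE_LOG = "\n".join(
    [f"{10 + 60 * i} ICMP echo-request src=10.0.0.5 dst=10.0.0.1" for i in range(8)]
    + [f"{t} ICMP echo-request src=10.0.0.9 dst=10.0.0.1"
       for t in (5, 15, 25, 65, 75, 185, 195, 205, 245, 255,
                 305, 315, 325, 425, 435)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d+) ICMP echo-request src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_events(text):
    """Return (timestamp, src, dst) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group("ts")), m.group("src"), m.group("dst")))
    return events


def counts_per_window(events, window=60):
    """Per (src, dst) flow, the number of echo requests in each consecutive
    window from the flow's first request to its last. Windows with zero
    requests are kept: the absence of a ping is part of the pattern."""
    by_flow = defaultdict(list)
    for ts, src, dst in events:
        by_flow[(src, dst)].append(ts // window)
    result = {}
    for flow, idx in by_flow.items():
        c = Counter(idx)
        result[flow] = [c.get(i, 0) for i in range(min(idx), max(idx) + 1)]
    return result


def shannon_entropy(values):
    """Entropy in bits of the value distribution of a sequence."""
    n = len(values)
    return -sum((k / n) * math.log2(k / n) for k in Counter(values).values())


def flag_modulated(events, window=60, min_windows=6, threshold=0.9):
    """Return {flow: entropy} for flows seen over at least min_windows
    windows whose per-window count sequence has entropy above threshold.
    A fixed-interval monitor scores 0; a flow whose count keeps changing
    between a few values scores higher and is worth a closer look."""
    flagged = {}
    for flow, counts in counts_per_window(events, window).items():
        if len(counts) < min_windows:
            continue
        h = shannon_entropy(counts)
        if h > threshold:
            flagged[flow] = round(h, 3)
    return flagged


if __name__ == "__main__":
    for (src, dst), h in flag_modulated(parse_events(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: count-sequence entropy {h} bits")
```

Run as-is, only the 10.0.0.9 flow is reported. The score is a triage signal, not proof: legitimately bursty clients also produce irregular counts, so the threshold needs a baseline from the environment's normal pingers, and a flow that modulates slowly enough (one bit per many windows) still looks flat at this window size.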
This archive was generated by hypermail 2b30 : Mon Oct 21 2002 - 08:25:48 PDT