A covert channel attack is initiated by using an existing information channel to transfer objects from one source to another without the knowledge of the user. Since the system or information channel was not originally built for such communication or conveyance of information, hackers transfer the data in small bits to keep the attack unnoticed.
The data is embedded in the free space available in a data stream without affecting the main body of information being transferred. The space used for creating a covert channel may be the free space left within the padding or other parts of the network data packets. Usually, only 1-2 bits of the covert data stream are added to each data packet, which makes the attack difficult to detect. As the original data is not tampered with, the covert receiver can receive information from the system without creating a data trail.
Covert channels are of two types:
- Covert Time Channel: Signaling information over a network channel by manipulating the sender's own system resources, which affects the real response time observed by the original network.
- Covert Storage Channel: Direct or indirect embedding of data in a storage location by one system, and direct or indirect reading of this data by another system at a different security level.
Using DNS As A Covert Channel
To create a covert channel, an attacker installs malware or a specially designed program on the victim's system via malicious links or by using remote administration to alter its DNS. The altered DNS is configured to serve random text in addition to website information. It behaves normally under usual conditions, but acts as directed by the covert channel program for a special domain. The flow of information between the DNS and the malware follows the normal client-server architecture. The malware plays the role of the second component of the covert channel. It sends DNS requests that look legitimate. The compromised DNS responds to these requests with hidden key information, which the covert receiver extracts. Thus, a covert channel uses a fully functional authorized system to transfer unauthorized information in a secretive manner.
Covert channel attacks make use of simple forms, like a file or the time used for computation, which makes these attacks difficult to identify. Two techniques commonly used to detect covert channels are analyzing the resources of a system and vigilantly reviewing the source code.
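For the DNS case described above, a defender can also look at resolver logs for a domain whose text answers keep changing. The Python sketch below is an added example, not code from the original article; the log tuple format, the thresholds and the function names are assumptions, and the heuristic goes beyond the two detection techniques named above.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character of a payload (reported as context, not used as a gate)."""
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def base_domain(qname):
    # Assumption: the last two labels are the registered domain
    # (a production tool would consult the Public Suffix List).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def changing_txt_domains(records, min_distinct=3, min_ratio=0.75):
    """Return {domain: stats} for domains whose TXT answers keep changing.

    Static records (SPF, verification tokens) repeat the same payload;
    a DNS server used as a covert sender returns new text on most responses.
    """
    seen = defaultdict(list)
    for qname, rtype, answer in records:
        if rtype == "TXT":
            seen[base_domain(qname)].append(answer)
    flagged = {}
    for domain, answers in seen.items():
        distinct = set(answers)
        if len(distinct) >= min_distinct and len(distinct) / len(answers) >= min_ratio:
            flagged[domain] = {
                "responses": len(answers),
                "distinct": len(distinct),
                "bytes": sum(len(a) for a in distinct),
                "mean_entropy": round(
                    sum(shannon_entropy(a) for a in distinct) / len(distinct), 2),
            }
    return flagged

# Constructed sample log: (query name, record type, answer text).
SAMPLE_LOG = [
    ("www.example.com", "A", "192.0.2.10"),
    ("example.com", "TXT", "v=spf1 include:_spf.example.com ~all"),
    ("example.com", "TXT", "v=spf1 include:_spf.example.com ~all"),
    ("example.com", "TXT", "v=spf1 include:_spf.example.com ~all"),
    ("cdn.example.net", "TXT", "q9Zk2LxW7pTfB4vYh8RmNc3D"),
    ("cdn.example.net", "TXT", "Hs6Jd0PaUe5GwQ1ntCXy7bMz"),
    ("img.example.net", "TXT", "r4VuK8oE2iFgZ9SlAj3TxB6m"),
    ("cdn.example.net", "TXT", "q9Zk2LxW7pTfB4vYh8RmNc3D"),
]
```

Calling `changing_txt_domains(SAMPLE_LOG)` flags only `example.net`; the repeated SPF record for `example.com` stays below the distinct-answer threshold.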
For more information on tips to secure your computer network, contact Centex Technologies at (972) 375 - 9654.