Vulnerability Development: TCP segments reordering and covert channels

TCP segments reordering and covert channels

From: Kototama <kototamo_at_gmail.com>
Date: Sat, 05 May 2007 17:57:35 +0200

Hello,

The thesis "Covert Channel Analysis and Data Hiding in TCP/IP" (Kamran
Ahsan, 2002) introduced a new covert channel technique for IPsec.
Packet sorting is used to convey information. For instance the
sequence packet1 packet2 would code 0 while the sequence packet2 packet1
would code 1. The original sequence of the packets is guessed by the
receiver with the sequence number of ESP or AH.

The author says that this technique is not applicable to IP or TCP
because "the sequence number field and acknowledgement number field
point to the number of octets of data and are not directly related to
the packet number".

In my view, TCP segments can also be reordered. According to RFC 793,
a TCP segment is accepted if

"RCV.NXT =< SEG.SEQ < RCV.NXT+RCV.WND or RCV.NXT =< SEG.SEQ+SEG.LEN-1
< RCV.NXT+RCV.WND"

Thus it seems that this technique is also available for TCP. We can
guess the original order since sequence numbers are always increasing.

I don't have the time yet to make a POC and I would like your advice.
Am I wrong?
Received on May 05 2007
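As an added illustration (not part of the original post), the following Python implements the full RFC 793 acceptability table the post quotes one row of, plus a small reorder monitor a defender could run over one direction of a captured flow: it counts segments that arrive with a sequence number behind the highest seen so far (the in-window reordering this technique would rely on) and recovers the byte order from the sequence numbers. The capture is constructed, with an ISN chosen near 2**32 so the modular arithmetic is exercised.

```python
# Added example, not the original poster's code. Sequence numbers are 32-bit
# and compared modulo 2**32 as RFC 793 requires.
MOD = 1 << 32

def seq_lt(a, b):
    """True if sequence number a lies before b in modular (wrap-safe) order."""
    return ((a - b) % MOD) > (MOD >> 1)

def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """RCV.NXT =< seq < RCV.NXT+RCV.WND, evaluated modulo 2**32."""
    return ((seq - rcv_nxt) % MOD) < rcv_wnd

def segment_acceptable(rcv_nxt, rcv_wnd, seg_seq, seg_len):
    """Full four-row acceptability table from RFC 793 section 3.3."""
    if seg_len == 0 and rcv_wnd == 0:
        return seg_seq == rcv_nxt
    if seg_len == 0:
        return seq_in_window(seg_seq, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        return False
    last_octet = (seg_seq + seg_len - 1) % MOD
    return (seq_in_window(seg_seq, rcv_nxt, rcv_wnd)
            or seq_in_window(last_octet, rcv_nxt, rcv_wnd))

def reorder_stats(segments):
    """segments: list of (SEG.SEQ, SEG.LEN) in arrival order for one direction.
    Returns (out_of_order_count, total, segments_in_sequence_order)."""
    highest = None
    out_of_order = 0
    for seq, _ in segments:
        if highest is not None and seq_lt(seq, highest):
            out_of_order += 1          # arrived behind a later byte range
        if highest is None or seq_lt(highest, seq):
            highest = seq
    base = segments[0][0]              # modular minimum as sort reference
    for seq, _ in segments[1:]:
        if seq_lt(seq, base):
            base = seq
    recovered = sorted(segments, key=lambda s: (s[0] - base) % MOD)
    return out_of_order, len(segments), recovered

# Constructed capture: six 100-byte segments, two of them swapped in transit,
# with the sequence space wrapping after the third segment.
ISN = 0xFFFFFF00
CAPTURE = [((ISN + off) % MOD, 100) for off in (0, 200, 100, 300, 500, 400)]

if __name__ == "__main__":
    ooo, total, _ = reorder_stats(CAPTURE)
    print("out-of-order segments: %d of %d" % (ooo, total))
```

A high reorder ratio on a path that otherwise shows little loss or jitter is the kind of per-flow anomaly a monitor can alert on, since every reordered segment here is still inside the receive window and is accepted normally.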
