TCP segment reordering and covert channels

01/05/2007, 18h54

Hello,

The thesis "Covert Channel Analysis and Data Hiding in TCP/IP", Kamran
Ahsan, 2002, introduced a new covert channel technique for IPsec. For
instance the sequence packet1 packet2 would code 0 while the sequence
packet2 packet1 would code 1. The original sequence of the packets is
guessed by the receiver with the sequence number of ESP or AH.

The author says that this technique is not applicable to IP or TCP
because "the sequence number field and acknowledgement number field
point to the number of octets of data and are not directly related to
the packet number".

In my view, TCP segments can also be reordered. According to RFC 793,
a TCP segment is accepted if

"RCV.NXT =< SEG.SEQ < RCV.NXT+RCV.WND or RCV.NXT =< SEG.SEQ+SEG.LEN-1
< RCV.NXT+RCV.WND"

Thus it seems that this technique is also available for TCP. Or am I
wrong ?

01/05/2007, 18h54	#1
Kototama Messages: n/a Hébergeur:	TCP segment reordering and covert channels Hello, The thesis "Covert Channel Analysis and Data Hiding in TCP/IP", Kamran Ahsan, 2002, introduced a new covert channel technique for IPsec. For instance the sequence packet1 packet2 would code 0 while the sequence packet2 packet1 would code 1. The original sequence of the packets is guessed by the receiver with the sequence number of ESP or AH. The author says that this technique is not applicable to IP or TCP because "the sequence number field and acknowledgement number field point to the number of octets of data and are not directly related to the packet number". In my view, TCP segments can also be reordered. According to RFC 793, a TCP segment is accepted if "RCV.NXT =< SEG.SEQ < RCV.NXT+RCV.WND or RCV.NXT =< SEG.SEQ+SEG.LEN-1 < RCV.NXT+RCV.WND" Thus it seems that this technique is also available for TCP. Or am I wrong ?

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email