IMPLEMENTATION OF STEGANOGRAPHY FOR OVERSIZED IP PACKETS


Abstract

This paper identifies a new class of network steganography methods that utilize mechanisms for handling oversized packets in IP networks: IP fragmentation, PMTUD (Path MTU Discovery) and PLPMTUD (Packetization Layer Path MTU Discovery). In particular, we propose two new steganographic methods and two extensions of existing ones. We show how IP fragmentation simplifies the use of steganographic methods that require transmitter-receiver synchronization. We present how the mentioned mechanisms can be used to enable hidden communication for both versions of the IP protocol: 4 and 6. Detection of the proposed methods is also covered in this paper.

INTRODUCTION

Communication network steganography is a method of hiding secret data in users' normal data transmissions, ideally so that it cannot be detected by third parties. Many new methods have been proposed and analyzed, e.g. [1], [3] or [4]. Network steganography methods may be seen as a threat to network security, as they may be used as a tool to cause, for example, confidential information leakage. That is why it is important to identify potential possibilities for covert communication: knowledge of the information hiding procedure can be used to develop countermeasures. Both versions of the IP protocol, 4 [5] and 6 [9], were designed to be used on various transmission links. The maximum length of an IP packet is 64 kB, but on most transmission links the maximum packet length is smaller. This limit, characteristic of the specific link, is called the MTU (Maximum Transmission Unit). The MTU depends on the type of the transmission link, e.g. for Ethernet - 1500, wireless IEEE 802.11 - 2300 and PPP (Point to Point Protocol) - 296 bytes.

OVERVIEW OF MECHANISM FOR HANDLING OVERSIZED IP PACKETS

IP Fragmentation


To accommodate MTU differences on links along the end-to-end path, IP fragmentation allows intermediate nodes to fragment oversized packets into smaller ones. The receiver or some other network node (e.g. a router) is then responsible for reassembling the fragments back into the original IP packet. The IP fragmentation mechanism uses the following fields of the IPv4 header: the Identification and Fragment Offset fields, along with the MF (More Fragments) and DF (Don't Fragment) flags (Fig. 1). The values in the Total Length and Header Checksum fields must also be adjusted so that they are correct for each fragment. The above header fields are used as follows:
- Identification (16 bits) is a value assigned by the sender to each IP packet to enable correct reassembly of the fragments (each fragment has the same Identification value). The value used in the IP Identification header field must uniquely identify an IP packet for a certain amount of time [5].
- Fragment Offset (13 bits) indicates which part of the original packet the fragment carries.

PMTUD (Path MTU Discovery)

PMTUD was standardized and published for IPv4 in 1990, but it did not become widely deployed for the next few years. Currently PMTUD is implemented in major operating systems (Windows, Unix, Linux); in 2002 about 80% - 90% of endpoints on the Internet were using this mechanism. As mentioned in the introduction, this mechanism was developed to avoid fragmentation in the path between the endpoints. Similar to IPv4, a PMTUD mechanism was also developed and standardized for IPv6 [7].

Steganographic method F2

The main idea of this method is to divide a packet into fragments and insert hidden information by modulating the values that are inserted into the Fragment Offset field. As mentioned in Section 3, Murdoch et al. [4] proposed inserting the steganogram directly into the Fragment Offset field and modulating the size of the fragment to match this value. Such an approach can cause high irregularities in fragment sizes, which may be easily detected. We propose an enhancement of this method which has lower steganographic bandwidth but is harder to detect.
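The fragment-size irregularity mentioned above can be checked by a monitor that reads the IPv4 fragmentation fields described under IP Fragmentation. The following is an added example, not code from the paper: the function names and sample headers are constructed for illustration, and the heuristic assumes a packet is fragmented at a single point on the path, so that all of its non-final fragments carry the same payload size.

```python
import struct
from collections import defaultdict

def parse_fragment_fields(header: bytes) -> dict:
    """Pull the fragmentation-related fields out of a raw IPv4 header."""
    ver_ihl, _tos, total_len, ident, flags_off = struct.unpack("!BBHHH", header[:8])
    ihl = (ver_ihl & 0x0F) * 4                    # header length in bytes
    return {
        # Fragments of one packet share source, destination, protocol and Identification.
        "key": (header[12:16], header[16:20], header[9], ident),
        "df": bool(flags_off & 0x4000),
        "mf": bool(flags_off & 0x2000),
        "offset": (flags_off & 0x1FFF) * 8,       # 13-bit field counts 8-byte units
        "payload_len": total_len - ihl,
    }

def irregular_datagrams(headers):
    """Return keys of fragmented packets whose non-final fragments differ in size."""
    groups = defaultdict(list)
    for raw in headers:
        f = parse_fragment_fields(raw)
        if f["mf"] or f["offset"]:                # only fragments, not whole packets
            groups[f["key"]].append(f)
    return [key for key, frags in groups.items()
            if len({f["payload_len"] for f in frags if f["mf"]}) > 1]

def build_header(ident, offset, mf, payload_len):
    """Constructed test header (checksum left at 0, addresses from 192.0.2.0/24)."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                       64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

# Constructed sample traffic, not captured data.
SAMPLE = [
    build_header(0x1001, 0, True, 1480),      # regular split for a 1500-byte MTU
    build_header(0x1001, 1480, True, 1480),
    build_header(0x1001, 2960, False, 1040),
    build_header(0x1002, 0, True, 512),       # uneven non-final fragment sizes
    build_header(0x1002, 512, True, 1208),
    build_header(0x1002, 1720, True, 264),
    build_header(0x1002, 1984, False, 1016),
    build_header(0x1003, 0, False, 900),      # unfragmented packet, ignored
]

if __name__ == "__main__":
    for src, dst, proto, ident in irregular_datagrams(SAMPLE):
        print(f"irregular fragment sizes: Identification=0x{ident:04x}")
```

Packets that are fragmented again by a later node can legitimately show mixed sizes, so a flagged Identification value is a lead for closer inspection rather than proof of covert signalling.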

Conclusions

In this paper we presented potential steganographic methods that can be used with mechanisms for handling oversized IP packets: IP fragmentation, PMTUD and PLPMTUD. In particular, we propose two new steganographic methods and two extensions of existing ones, and we show how IP fragmentation simplifies the use of steganographic solutions which require transmitter-receiver synchronization.
The proposed methods can be utilized to enable hidden communication for both versions of the IP protocol: 4 and 6. They are characterized by different steganographic bandwidth and detection possibilities, and thus can have varying impact on network security. Knowledge of these information hiding procedures can now be used to develop and implement countermeasures for network traffic monitoring, which may limit the risk of confidential information leakage or other threats caused by covert communication.