Whispering Through DDoS Attack - 2016 - Perspectives in Science


Perspectives in Science (2016) 7, 95—100

Available online at www.sciencedirect.com

ScienceDirect

journal homepage: www.elsevier.com/pisc

Whispering through DDoS attack☆


Miralem Mehic, Jiri Slachta, Miroslav Voznak ∗

VSB-Technical University of Ostrava, 17. listopadu 15, 708 00 Ostrava-Poruba, Czech Republic

Received 26 October 2015; accepted 11 November 2015


Available online 23 December 2015

KEYWORDS: DDoS; Covert channel; SIP; Network steganography

Summary: A denial of service (DoS) attack is an attempt of the attacker to disable the victim's machine by depleting network or computing resources. If this attack is performed with more than one machine, it is called a distributed denial of service (DDoS) attack. Covert channels are those channels which are used for information transmission even though they are neither designed nor intended to transfer information at all. In this article, we investigated the possibility of using a DDoS attack for the purposes of hiding data or concealing an existing covert channel. In addition, in this paper we analyzed the possibility of detection of such covert communication with a well-known statistical method. Also, we proposed the coordination mechanisms of the attack which may be used. A lot of research has been done in order to describe and prevent DDoS attacks, yet research on steganography in this field is still scarce.

© 2016 Published by Elsevier GmbH. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

☆ This article is part of a special issue entitled ''Proceedings of the 1st Czech-China Scientific Conference 2015''.
∗ Corresponding author.
E-mail addresses: [email protected] (M. Mehic), [email protected] (J. Slachta), [email protected] (M. Voznak).

http://dx.doi.org/10.1016/j.pisc.2015.11.016
2213-0209/© 2016 Published by Elsevier GmbH.

Introduction

It is obvious that the battle for the security of computer networks will be constantly present. The security agencies are trying to distance computing resources from a variety of attacks and methods of data leaks, while computer hackers are constantly trying to find a more intuitive way for smooth and efficient access to data. One of the challenges facing digital forensics is the detection of channels used for data leakage and the elimination of such threats. Accordingly, there is a growing interest in the detection of compromised channels and machines which were used for the attack. If an attack or data leakage has occurred, further efforts are made to collect reliable evidence about the attack. Often, it is not an easy task, especially in the case of a large amount of data that has been generated by an attacker.

Network steganography is a method of hiding data in ordinary network flow in order to achieve covert communication, and it was first introduced in 2003 by Deepa and Szczypiorski (Kundur & Ahsan, 2003; Szczypiorski, 2003). Szczypiorski presented basic ideas for several techniques, while Deepa examined practical applications of these techniques and the usage of Internet steganography at that time. Following these presentations, a lot of research in network steganography has been carried out, especially in the field of voice over Internet protocol (VoIP).

96 M. Mehic et al.

Figure 1 The figure shows the number of packets received with a given delay during the experiment which is explained in Berk et al. (2005). The horizontal axis shows the inter-arrival time in seconds, and the vertical axis shows the number of packets received. Left image — two spikes show that a covert channel communication is in place; right image — represents normal communication.

The idea of hiding data in network flow can be divided into two types: utilization of unused packet fields and
information encoding in traffic behavior. The first type is a well-known technique that emerged from the old Xmas packets. These packets, with every single option set for the used protocol, are included in the well-known nmap network scanning tool, and they were named Xmas packets because they look like bright bulbs on a Christmas tree. These packets can be easily detected by intrusion-detection systems (IDS) or more advanced firewalls (Mazurczyk and Szczypiorski, 2008). The second type, encoding information in traffic behavior, was first presented in 2005 (Berk et al., 2005). This idea was further modified in 2008 by Mazurczyk and presented as the lost audio packets steganography (LACK) solution (Mazurczyk and Szczypiorski, 2008) for VoIP communication.

Covert channels were first observed and defined in the mid-1980s as a result of the rapid development of communication networks. Lampson classified communication channels into three categories: storage, legitimate, and covert. He also gave the first definition of covert channels, stating that covert channels are those channels which are used for information transmission even though they are neither designed nor intended to transfer information at all (Lampson, 1973). In the last 10 years, a large number of covert channels have been introduced, and a great development of new techniques in the following years is expected. All these techniques can significantly affect the level of security and reputation that certain communication solutions offer. Viewed from the client's side, it is reasonable to doubt the safety and quality of a particular communication solution which has weak points in the system that can be used for the undetected leak of confidential data. Because of that, covert channels are under close supervision of governments and security companies that aim to prevent these leaks.

Based on existing techniques we can define certain rules which apply to hiding data with network steganography techniques:

1. The selected information carrier should be frequently used, which makes detection considerably difficult. If one wants to hide information in a rarely used protocol, there is a big probability that network firewalls or IDS (intrusion detection systems) will raise an alarm.
2. The selected carrier must create a lot of network data (i.e. VoIP traffic, IPTV or similar). This will decrease the probability of detecting information that is hidden inside the ordinary data, since many IDS/IPS systems are simply not efficient enough to process huge amounts of data in real time.
3. It is recommended to hide smaller amounts of data in the ordinary data flow and deliver it frequently rather than hide large amounts of data and deliver it sporadically. If the amount of hidden data in a packet is small, one can assume that those data are just a simple coincidence, or that they are just random behavior of the network. If those values are quite large, there is a considerable probability they will be intercepted by firewalls or IDS somewhere in the network before reaching their destination.

In one of the first papers on this subject (Berk et al., 2005), an approach to statistical detection of a covert channel embedded in network packet delays is presented. This simple technique implies the existence of clear differences between the packet delays, and it is based on the probability of the existence of a covert channel, which is calculated as follows:

$$P_{CovChan} = 1 - \frac{C_{\mu}}{C_{max}} \qquad (1)$$

where $C_{\mu}$ is the packet count at the mean and $C_{max}$ is the maximum packet count of the histogram which is shown in Fig. 1.

The difference between a binary covert channel (left image) and regular traffic (right image in Fig. 1) is evident. The author used the calculation of the sample mean (average) value of the presented values and the calculation of the packet count in the histogram at that point. For covert packets, that value should be very low while, for a normal traffic pattern, the mean value should be in the center of the highest spike. Therefore, the probability of having a covert channel is inversely proportional to the ratio $C_{\mu}/C_{max}$. If the ratio is smaller, the probability expressed with Eq. (1) is higher.

In this paper, we analyze situations where the proposed method of detection can be unsuccessful. We suggest the circumstances in which this situation can happen and we try to explain the ways they occur.

In the following chapters, the organization and usage of DDoS attacks to hide data are discussed, continuing with the discussion of the proposed detection method and the conclusion in the last section.

Table 1 Attack specifications.

Specifications                          Values
Duration of attack (D)                  35.34 s
Number of clients                       244
Average number of messages per client   6193
Type of generated messages              INVITE

Figure 2 Common DDoS network architecture.

DDoS attacks

Denial of service (DoS) is an attempt of an attacker to exhaust the resources available to the network, application or service so that real users cannot gain access. If this attack is performed with more than one machine, it is called a distributed denial of service (DDoS) attack. Usually, DDoS is performed through a botnet, which can count up to several hundreds of machines. These machines are usually called slaves since they are controlled by botnet master computers (Fig. 2). From the victim's perspective, it is quite difficult to locate the initial attacker and prevent the attack. Additionally, it is difficult for the victim to separate the traffic that comes from actual users from the traffic that is generated for the purposes of the attack, making it difficult to stop the attack. In May 2014 Arbor Networks announced an analysis of the correlation of DDoS attacks with important political dates (Soluk, 2014), and the results show that DDoS attacks are a daily occurrence.

CloudFlare presented statistical results regarding DDoS attacks in (Graham-Cumming, 2013), and explained the most common cases of DDoS attack. According to this report, the most common DDoS attacks are based on ''fire and forget'' protocols like UDP or ICMP, and 97% of these attacks are DNS DDoS attacks. CloudFlare believes that the reasons for this are the lack of source IP authentication and the huge number of open DNS recursors which can be used to amplify the desired attack. Also, it is suggested to use anycast attack dilution as the first line of defense against these attacks.

Taking the above into account, we assume that DDoS can be used as a covert channel due to the following reasons:

1. DDoS attacks occur on a daily basis around the world, which means that they are not unusual in networks.
2. DDoS mainly involves a large amount of data; it means that the detection of the covert channel is even harder due to the large amount of data which needs to be processed. Usually it is not feasible to perform the detection in real time, so the data needs to be stored and subsequently analyzed, which also presents difficulties due to the large volume of traffic.
3. An attacker may use the large amount of data which is sent through a DDoS attack to hide the existence of covert communication which may have a smaller bandwidth.

Therefore, we assume that the victim wants to be exposed to a DDoS attack which serves as a wrapper for a covert channel. To implement this idea in practice, it is necessary to consider the mechanism of coordination between the machines involved in the attack. If the data volume is larger than the communication or computing capacity of the victim, then the victim will not be able to process the hidden information and the whole covert communication will be in vain. On the other hand, the victim wants to maximize the flow of covert communication, and it is important that there is an existing mechanism that will allow her to control the data throughput. In the following section, we focus on this problem.

SIP flood attack

There are two main protocols used in a VoIP call: SIP and RTP. The former is used for establishing and changing the settings of the session, and the latter for exchanging voice packets. In VoIP, SIP flooding attacks can be identified as DoS attacks. As mentioned above, if a DoS attack is executed from multiple locations (hosts), it is called a DDoS attack. SIP flooding attacks are easy to launch and are able to quickly deplete the resources of both networks and nodes.

In our experiment, we used Asterisk software version 1.8.13.0 as the victim, which was installed on a machine with an Intel Atom D410, 1 GB of RAM, an 8 GB SSD drive and Debian GNU/Linux 7.6 (Wheezy). In order to simulate the other components shown in Fig. 2, we used the open source SIP traffic generator SIPp (Day et al., n.d.). This solution is frequently used due to its simplicity and customization options. SIPp was used to simulate a DDoS attack involving 24 clients. Results of the experiment are shown in Fig. 3, and the specifications of the attack are presented in Table 1.

It is important to emphasize that Asterisk reacts differently to different types of attack. By default, it does not have to execute detailed queries in its database to find the specifications of the receiver or the call when it detects OPTION or ACK messages. But in the case when REGISTER or INVITE messages are detected, Asterisk will require much more CPU resources to process these requests. Therefore, we can conclude that some types of messages can cause more damage than others.

Therefore, it is interesting to consider the usage of different types of messages during the attack. An INVITE message is accompanied by two additional SIP messages, one 200 OK from the receiver and an additional ACK message from the sender. But INFO and OPTION messages produce only one additional message, 200 OK. Such a sequence of SIP messages can be used for coordination of the attack since there are messages which are transmitted in both directions. For example, if a host (slave machine from Fig. 2) sends an INVITE message and does not receive a returning message from the victim, it can mean that the amount of data which is sent from that host is too big and the host should decrease its traffic rate. Otherwise, the arrival of a feedback message from the victim means that the rate of the attack is acceptable for the victim. Without compromising generality, this mechanism is very easy to map to TCP communication since TCP is a connection oriented protocol (Fig. 4).

Figure 3 Result of DDoS attack; left — Asterisk's response after 35.34 s. It is important to notice an ERROR 2605 message which states that Asterisk is not able to create a socket to process an incoming message.

Figure 4 The feedback about the data intensity; Case a (up) — the host sends an INVITE message and the arrival of a feedback message (200 OK) from the victim means that the rate of the attack is acceptable. Otherwise, if there is no feedback message, it means that the intensity of the attack from that host is too large and the host should decrease its traffic rate (case b — down).

Covert channel within DDoS attack

For the purpose of testing we performed a simulation in the well-known network simulator ns-3, which is a discrete-event network simulator for Internet systems, targeted primarily for research and educational use. ns-3 is free software, licensed under the GNU GPLv2 license, and is publicly available for research, development, and use (Stoffers and Riley, 2012).

The simulation, as shown in Fig. 5, consists of 10 nodes which are connected in a star topology with peer-to-peer links. At node 5 a UDP sink application was installed, while on the other nodes¹ a UDP client application was installed. In this experiment, we assumed that the attacker wanted to utilize the type of service (TOS) value in the header of internet protocol (IP) packets to create a covert channel. Traditionally, the first three IP precedence (RFC 791) bits were supposed to be used in TOS Application Routing (RFC 1583). The TOS field has since been redefined as the Differentiated Services Code Point (RFC 2474), which consists of the first 6 bits, and 2 bits used for a TCP mechanism called explicit congestion notification (ECN) defined in RFC 3168 (Table 2).

¹ In this paragraph, all nodes except node 5 are called ''host'' nodes while node 5 is called the ''victim'' node.

For the purposes of the experiment, we used the following notation in covert communication. If a packet with decimal TOS value 48 is sent, it encodes binary ''0''; if a packet with decimal TOS value 160 is sent, it encodes binary ''1'' in covert communication. All other TOS values were used to mask the covert channel and to confuse the detection algorithm.

UDP applications on the hosts are set to run with different intensities, so each host sends a different amount of data to the victim. To maintain maximum throughput, each host every second increases the intensity of its UDP flow by 100 kbits. The victim measures the number of received bits on the UDP socket and decides whether the received number of bits is lower than the maximum receiver buffer size of the socket (RcvBufSize). If the number of received bits is higher than the RcvBufSize value, the socket needs to drop the packet since the upper OSI/ISO layer did not process it in time and

the socket does not have enough storage capabilities to store it. If this happens, we assume that the amount of data which is received on the victim's machine is too high and it means that the computing capabilities of the victim are depleted. In the ns-3 simulator, the initial value of RcvBufSize is 1,048,576 bits.

Thus, the victim needs to have the ability to control the incoming data flow from the host machines. Therefore, every host machine establishes a TCP connection with the victim and periodically (every 4 s) sends a keep-alive packet to the victim. If the host receives an acknowledgement of the sent packet, it means that the rate of the UDP flow is acceptable and it will not be changed. Otherwise, if the acknowledgement from the victim was not received, the rate of the UDP flow will be reduced by half. In this way, the victim can easily control the flow of data.

Table 2 ToS values used for communication in covert channel.

Node     TOS (decimal)   TOS (hex)   Covert channel value
Node 0   0               0x00        —
Node 1   12              0x0C        —
Node 2   32              0x20        —
Node 3   48              0x30        Value ''0''
Node 4   112             0x70        —
Node 6   136             0x88        —
Node 7   144             0x90        —
Node 8   152             0x98        —
Node 9   160             0xA0        Value ''1''

Figure 5 10 nodes connected in a star topology with peer-to-peer links. Each node generates UDP and TCP traffic to node 5.

Detection

As far as covert channels are concerned, two criteria are initially considered: bandwidth and detectability. Bandwidth is defined as the amount of hidden information that can be transferred per packet or per second, while detectability measures the probability of detection of the hidden information. Usually, these two are connected, since higher bandwidth requires a larger flow of data, thus increasing the probability of detection of covert communication. However, in the case of DDoS, this is not necessarily true.

Fig. 6 shows the packet counts on the victim's machine which were obtained during the experiment. The figure on the left shows one main spike in the middle of the graph and other values which are scattered around the middle value. In this case, the probability of having a covert channel, expressed with Eq. (1), will be small since the ratio $C_{\mu}/C_{max}$ is high.

An interesting case is when the victim evenly spreads the incoming data using its coordination mechanism explained above (the figure on the right). In that case, the spikes of the graph will have similar values and the detectability of the covert communication will be decreased even more.

As for the error probability (the error rate for zeros being received as ones and vice versa), it depends on the coordination mechanism of the attack. If the amount of data that is received by the victim is below the RcvBufSize value, then the packet will be processed and the TOS value will be analyzed. Otherwise, the packet needs to be dropped without analyzing TOS values, which will undermine the covert channel.

Figure 6 The figure shows the number of packets received with given TOS values in the header of IPv4 packets during the experiment. The horizontal axis shows the TOS values which were used, and the vertical axis shows the number of packets received.
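The statistic of Eq. (1) applied to the TOS histograms of this section, as an added example that is not code from the paper: it bins observed IPv4 TOS bytes, looks up the count in the bin that holds the sample mean, and returns P_CovChan for two constructed samples, the bare two-value channel of the paper's notation (48 and 160) and the same channel wrapped in DDoS traffic that uses the Table 2 values. The bin width of 16 and all packet counts are assumptions; the DSCP/ECN split follows RFC 2474 and RFC 3168 as cited above.

```python
"""Berk et al. (2005) histogram statistic, Eq. (1) of the paper, over IPv4 TOS values.

Added example, not code from the paper. All traffic samples below are constructed.
"""
from collections import Counter
from statistics import mean

# TOS bytes the paper assigns to the covert bits (Table 2): 48 = 0x30 -> "0", 160 = 0xA0 -> "1".
COVERT_ZERO = 48
COVERT_ONE = 160


def split_tos(tos: int) -> tuple[int, int]:
    """Split a TOS byte into DSCP (upper 6 bits, RFC 2474) and ECN (lower 2 bits, RFC 3168)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS must fit in one byte")
    return tos >> 2, tos & 0x03


def histogram(values: list[int], bin_width: int) -> dict[int, int]:
    """Bucket TOS values into bins of bin_width; keys are bin indices, values are counts."""
    return Counter(v // bin_width for v in values)


def covert_channel_probability(values: list[int], bin_width: int = 16) -> float:
    """Eq. (1): P_CovChan = 1 - C_mu / C_max.

    C_mu is the histogram count in the bin that contains the sample mean and
    C_max is the highest count in the histogram. A bimodal channel leaves the
    mean in an empty bin (P -> 1); a histogram dominated by one central spike
    puts the mean inside that spike (P -> 0). The bin width is an assumption of
    this example; the paper inherits the histogram from Berk et al. without one.
    """
    if not values:
        raise ValueError("no packets observed")
    hist = histogram(values, bin_width)
    c_max = max(hist.values())
    c_mu = hist.get(int(mean(values) // bin_width), 0)  # 0 if the mean's bin is empty
    return 1.0 - c_mu / c_max


def expand(counts: dict[int, int]) -> list[int]:
    """Turn a {tos: packet_count} table into the flat list of observed TOS values."""
    return [tos for tos, n in counts.items() for _ in range(n)]


# Constructed sample 1: a bare binary covert channel, only the two covert TOS values.
BARE_CHANNEL = expand({COVERT_ZERO: 500, COVERT_ONE: 500})

# Constructed sample 2: the same channel wrapped in a DDoS whose hosts use the
# Table 2 TOS values, with node 4 (TOS 112) flooding hardest. Counts are made up.
MASKED_CHANNEL = expand({0: 20, 12: 30, 32: 40, 48: 150, 112: 700,
                         136: 120, 144: 100, 152: 90, 160: 200})


if __name__ == "__main__":
    for name, sample in (("bare", BARE_CHANNEL), ("masked", MASKED_CHANNEL)):
        print(f"{name:>6}: P_CovChan = {covert_channel_probability(sample):.2f}")
    print("DSCP/ECN of 0xA0:", split_tos(COVERT_ONE))
```

With the bare channel the mean (104) falls in an empty bin and the statistic returns 1.0; with the masked sample the mean lands inside the dominant TOS 112 spike and it returns 0.0, which is the failure mode the section describes.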

Conclusion

In this paper, we analyzed the possibilities of implementing covert channels within DDoS attacks. We proposed a technique which may be used for coordination between the nodes and we showed that a statistical detection mechanism may not be effective for covert channels that are hidden in a much larger network flow. The use of unused bits in packet headers may be very effective in such a case. In addition, the channel can be dynamically oriented, which can make it difficult for the mechanism of detection (i.e. using TOS values in the first several minutes of the attack, then using TTL values for the next several minutes or similar).

Our demonstration of the existence of covert channels through DDoS points to the possibility of associating additional information in the network flow. DDoS attacks happen on a daily basis, and the usage of similar network attacks for other purposes should be examined. However, it is important to emphasize that the techniques presented here can be used in other scenarios regardless of DDoS attacks.

Conflict of interest

The authors declare that there is no conflict of interest.

Acknowledgements

Results achieved in this research received funding from the Moravian-Silesian Region within the project VSB-Technical University of Ostrava activities with China and were partially supported by the grant SGS reg. no. SP2015/82 conducted at VSB-Technical University of Ostrava, Czech Republic.

References

Berk, V., Giani, A., Cybenko, G., 2005. Detection of Covert Channel Encoding in Network Packet Delays. Technical Report TR536. Dartmouth College.
Day, R., et al., n.d. SIPp. Available at: http://sipp.sourceforge.net/ (accessed 17.11.14).
Graham-Cumming, J., 2013. How to launch and defend against a DDoS. Available at: http://www.secure.edu.pl/pdf/2013/D1 1530 A Graham-Cumming.pdf.
Kundur, D., Ahsan, K., 2003. Practical Internet steganography: data hiding in IP. In: Proceedings of the Texas Workshop on Security of Information Systems, vol. 2. Available at: http://vanilla47.com/PDFs/Cryptography/Steganography/PracticalInternetSteganographyDataHidinginIP.pdf (accessed 07.11.14).
Lampson, B.W., 1973. A note on the confinement problem. CACM 16 (10), 613—615. Available at: http://portal.acm.org/citation.cfm?doid=362375.362389.
Mazurczyk, W., Szczypiorski, K., 2008. Steganography of VoIP streams. In: On the Move to Meaningful Internet Systems: OTM 2008. Springer, pp. 1001—1018. Available at: http://link.springer.com/chapter/10.1007/978-3-540-88873-4 6 (accessed 16.04.14).
Soluk, K., 2014. DDoS & Security Reports. In: DDoS and Geopolitics — Attack Analysis in the Context of the Israeli-Hamas Conflict. Available at: http://www.arbornetworks.com/asert/2014/08/ddos-and-geopolitics-attack-analysis-in-the-context-of-the-israeli-hamas-conflict/ (accessed 15.11.14).
Stoffers, M., Riley, G., 2012. Comparing the ns-3 propagation models. In: Proceedings of the 2012 IEEE 20th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems, MASCOTS 2012, pp. 61—67.
Szczypiorski, K., 2003. Steganography in TCP/IP Networks. State of the Art and a Proposal of a New System — HICCUPS. Institute of Telecommunications' Seminar, Warsaw University of Technology, Poland.
