A typical computer network includes, among other things, intermediary and edge devices configured so that a user may connect to and communicate with a server or other host computer in order to exchange information. The user may also connect to network elements to communicate with a host on another network.
When a user wishes to obtain a secure communications link to a network host, the user may employ a secure communications protocol or a virtual private network (VPN). Secure communications protocols and VPNs are commonly established with the use of cooperating software and/or hardware elements in the network. For example, the SSH protocol enables encrypted communications between the user's personal computer and another computer (e.g., a host or server) by establishing a secure connection. Intermediary network devices, such as firewalls, routers, load balancers, and intrusion detection systems (IDSs), do not need to decrypt the traffic in order to process or route it; at most they can recognize that an SSH session exists (for instance from the port or the protocol banner), and they cannot inspect what it carries. Likewise, a VPN connection appears to the network's intermediary devices as simply another stream of packets. It too is not generally paid any special attention by the intermediary devices, other than the routine packet checking functions typically performed by IDSs and firewalls.
A virtual private network is a common example of a “tunneling” protocol being used to provide a quasi-covert communications channel embedded within standard TCP/IP traffic. In general, a tunnel embeds one communication channel within another. To the users, the VPN appears as a secure, closed network that is not easily intercepted or tampered with by others. It is not necessarily hidden or invisible, however, so it is not entirely covert.
True covert communications channels are also known: these are communications sessions embedded within other, more innocuous connections and are deliberately hidden. A reverse tunnel is an example of a true covert communications channel specifically configured for deceptive purposes, not just to hide its contents but also to hide the very existence of the channel itself. For example, a reverse tunnel may be used to conceal communications with, and enable control of, a compromised host by embedding an inbound control channel to the host within an apparently outbound HTTP browsing channel from the host to the (putative) user: every connection is initiated by the host, so the traffic passes the same way as ordinary web browsing, while the commands travel in the replies and the results in subsequent requests. In this way, HTTP reverse tunnels can take advantage of subversion by network “insiders” (i.e., those who have obtained, by whatever means, root or other high-level access to the host) to provide remote operation of a compromised host on that network via what appear to be harmless outbound HTTP browsing communications.
Reverse tunnels are further described in Peiter Zatko (a.k.a. Mudge), “Insider Threat: Models and Solutions,” ;login: The USENIX Magazine, vol. 28, no. 3 (December 2003), incorporated herein by reference in its entirety. Reverse tunneling standards for use in mobile IP routing are further discussed in “Reverse Tunneling for Mobile IP, Revised,” Internet Request for Comments (RFC) no. 3024, G. Montenegro, ed., available on the Internet's world wide web at www[dot]networksorcery[dot]com/-enp/rfc/rfc3024[dot]txt (last viewed on May 26, 2004), incorporated herein by reference in its entirety. Clearly, the owners and administrators of such a compromised (or “zombie”) host would like to be aware, at the least, of such nefarious uses of their proprietary resources.
One conventional approach to detecting the presence of reverse tunnels, and covert communications channels in general, is to perform off-line (non-real-time) analysis of the communications session logs commonly maintained by network management systems, looking for traffic patterns that ordinary browsing does not produce (for example, one client polling one destination at a fixed interval for hours). Such an approach is detailed in, for example, the Mudge article cited above (“Insider Threat: Models and Solutions”) and in Fisher, “Defending the Core,” eWeek Enterprise News and Reviews (Mar. 1, 2004), available on the Internet's world wide web at www[dot]eweek[dot]com/print_article/0,1761,a=120465,00[dot]asp (last viewed on May 4, 2004), incorporated herein by reference in its entirety.
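The following is an added illustration, not part of the application text or of any cited reference, of the two preceding points: first, an HTTP reverse tunnel of the kind described above, modelled entirely in memory (the “operator” and the compromised “host” are plain Python objects; nothing is sent on a network and no command is really executed, the command outputs being canned strings); second, the off-line session-log analysis just mentioned, run over a constructed log in which the tunnel's polling is mixed with irregular human browsing. The host names (news.example and others), addresses (10.0.0.7, 10.0.0.9), log format and the polling-regularity thresholds are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# ---- Part 1: the reverse tunnel, modelled in memory (added example) ---------
# Every message is an outbound HTTP request *from* the host plus its reply;
# control nevertheless flows operator -> host, hidden inside the replies.

class Operator:
    """External web server run by the intruder: queues commands, collects output."""
    def __init__(self, commands):
        self.pending = list(commands)
        self.results = []

    def serve(self, method, path, body=""):
        if method == "POST":                      # host is uploading command output
            self.results.append(body)
            return 200, "<html>ok</html>"
        cmd = self.pending.pop(0) if self.pending else ""
        # the command rides in an HTML comment of an ordinary-looking page
        return 200, f"<html><body>news</body><!-- {cmd} --></html>"


class Host:
    """Compromised host: polls like a browser and obeys what the reply hides."""
    SIMULATED = {"hostname": "zombie01", "id": "uid=0(root)"}  # canned, not executed

    def __init__(self, operator, addr, log):
        self.op, self.addr, self.log = operator, addr, log

    def beacon(self, ts, dst="news.example"):
        status, page = self.op.serve("GET", "/index.html")
        self.log.append(f"{ts} {self.addr} {dst} GET /index.html {status} {len(page)}")
        m = re.search(r"<!-- (\S+) -->", page)
        cmd = m.group(1) if m else ""
        if cmd:                                   # "execute" and post the result back
            out = self.SIMULATED.get(cmd, "unknown")
            status, page = self.op.serve("POST", "/comment.cgi", out)
            self.log.append(f"{ts + 1} {self.addr} {dst} POST /comment.cgi {status} {len(page)}")


def build_sample_log():
    """Constructed session log: eight tunnel beacons at a fixed 60 s period from
    10.0.0.7, mixed with bursty human browsing from 10.0.0.9.
    Line format (assumed): ts client dst method path status bytes."""
    log = []
    op = Operator(["hostname", "id"])
    zombie = Host(op, "10.0.0.7", log)
    for i in range(8):
        zombie.beacon(1000 + 60 * i)
    for ts, dst, path in [(1003, "a.example", "/"), (1031, "b.example", "/x"),
                          (1140, "a.example", "/y"), (1290, "c.example", "/"),
                          (1303, "a.example", "/z"), (1500, "b.example", "/q"),
                          (1511, "a.example", "/"), (1710, "c.example", "/w")]:
        log.append(f"{ts} 10.0.0.9 {dst} GET {path} 200 {4000 + ts % 700}")
    return sorted(log, key=lambda line: int(line.split()[0])), op.results


# ---- Part 2: off-line analysis of the session log ---------------------------

def find_beacons(log_lines, min_requests=6, max_cv=0.15):
    """For each (client, destination) pair, examine the gaps between successive
    GETs. Human browsing is bursty (high coefficient of variation of the gaps);
    a polling tunnel is metronomic (low CV). Returns the flagged pairs as
    (client, dst, request_count, mean_gap_seconds, cv)."""
    gets = defaultdict(list)
    for line in log_lines:
        ts, client, dst, method, *_ = line.split()
        if method == "GET":
            gets[(client, dst)].append(int(ts))
    flagged = []
    for (client, dst), times in gets.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            flagged.append((client, dst, len(times), mean, round(cv, 3)))
    return flagged


if __name__ == "__main__":
    log, results = build_sample_log()
    print("operator received:", results)
    for hit in find_beacons(log):
        print("suspected polling tunnel:", hit)
```

Running the script shows the operator collecting the two canned command outputs although it never opened a connection to the host, and the analysis flagging only the (10.0.0.7, news.example) pair: eight requests, a mean gap of 60 s and zero jitter. The human client's traffic never reaches the request threshold for any single destination and its gaps vary widely. In practice a real tunnel would randomize its period, so a deployed check would combine this regularity test with others (response sizes, request-to-POST ratios, destinations never seen from other clients); the constructed thresholds here are illustrative only.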