An Empirical Evaluation of IP Time To Live Covert Channels

Communication is not necessarily made secure by the use of encryption alone. The mere existence of communication is often enough to raise suspicion and trigger investigative actions. Covert channels aim to side-step this problem by hiding additional information within the ´normal´ behaviour of preexisting communication streams. The huge amount of data and vast number of different protocols in the Internet make it ideal as a high-bandwidth vehicle for covert channels. Several researchers have proposed modulation techniques to encode covert information into the IP Time To Live field. In this paper we compare the different encoding techniques and also propose two new improved encoding schemes. We present a software framework developed for evaluating covert channels in network protocols. We use this software to empirically evaluate the transmission rates of the different TTL modulation techniques for real Internet traffic.