A Reflective Covert Channel Attack Anchored on Trusted Web Services

  • Feng Zhu
  • Youngtae Yun
  • Jinpeng WeiEmail author
  • Brent Byunghoon Kang
  • Yongzhi Wang
  • Daehyeok Kim
  • Peng Li
  • He Xu
  • Ruchuan Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10966)


This paper introduces a novel attack that can covertly exfiltrate data from a compromised network to a blocked external endpoint, using public web services as the intermediaries and exploiting both HTTP requests and DNS queries. We first identify at least 16 public web services and 2 public HTTP proxies that can serve this purpose. Then we build a prototype attack using these public services and experimentally confirm its effectiveness, including an average data transfer rate of 361 bits per second. Finally, we present the design, implementation and evaluation of a proof-of-concept defense that uses information-theoretic entropy of the DNS queries to detect this novel attack.


Advanced persistent threats Data exfiltration Covert channel Security 



This research has been funded in part by the National Key R&D Program of China 2018YFB1003201, NUPT Initial Scientific Research Grant No. NY216016, United States Army Research Office grants W911NF-17-1-0437 and W911NF-17-1-0418, National Security Agency grant H98230-17-1-0354, and ETRI in Korea.


  1. 1.
    Hutchins, E., Cloppert, M., Amin, R.: Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. In: Proceedings of the 6th International Conference on Information Warfare and Security 2011, pp. 113–125. Academic Conferences Ltd., USA (2011)Google Scholar
  2. 2.
    Grand Theft Data: Data exfiltration study: actors, tactics, and detection (2015). Accessed 10 Apr 2018
  3. 3.
    Annarita, G., Vincent, H.B., George, V.C.: Data exfiltration and covert channels. In: Defense and Security Symposium, 17–21 April 2006, Orlando, Florida, USA (2006)Google Scholar
  4. 4.
    DNS attacks putting organizations at risk, survey finds (2014). Accessed 10 Apr 2018
  5. 5.
    Bauer, M.: New covert channels in HTTP: adding unwitting web browsers to anonymity sets. In: Proceedings of the 2003 ACM Workshop on Privacy in the Electronic Society, pp. 72–78. ACM, New York (2003)Google Scholar
  6. 6.
    Born, K.: Browser-based covert data exfiltration. In: 9th Annual Security Conference, Las Vegas, NV, USA (2010)Google Scholar
  7. 7.
    Born, K.: PSUDP: a passive approach to network-wide covert communication. In: Black Hat USA 2010, Las Vegas, NV, USA (2010)Google Scholar
  8. 8.
    Exploitation of Data Streams Authorized by a Network Access Control System for Arbitrary Data Transfers: Tunneling and Covert Channels over the HTTP Protocol. Technique report, Gray-World (2003). Accessed 10 Apr 2018
  9. 9.
    Fifield, D., Nakibly, G., Boneh, D.: OSS: using online scanning services for censorship circumvention. In: De Cristofaro, E., Wright, M. (eds.) PETS 2013. LNCS, vol. 7981, pp. 185–204. Springer, Heidelberg (2013). Scholar
  10. 10.
    Application Layer Covert Channel Analysis and Detection. Technique report, Napier University Edinburgh (2006). Accessed 10 Apr 2018
  11. 11.
    Revelli, A., Leidecker, N.: Playing with Heyoka: spoofed tunnels, undetectable data exfiltration and more fun with DNS packets. In: Shakacon 2009, Honolulu, HI, USA (2009)Google Scholar
  12. 12.
    Van Horenbeeck, M.: Deception on the network: thinking differently about covert channels. In: Proceedings of the 7th Australian Information Warfare and Security Conference, pp. 174–184. Edith Cowan University, Perth (2006)Google Scholar
  13. 13.
    Xu, K., Butler, P., Saha, S., Yao, D.: DNS for massive-scale command and control. IEEE Trans. Dependable Secure Comput. 10(3), 143–153 (2013)CrossRefGoogle Scholar
  14. 14.
    Borders, K., Prakash, A.: Towards quantification of network-based information leaks via HTTP. In: Proceedings of the Third USENIX Workshop on Hot Topics in Security (HotSEC 2008). USENIX Association, Berkeley (2008)Google Scholar
  15. 15.
    Born, K., Gustafson, D.: Detecting DNS tunnels using character frequency analysis. In: 9th Annual Security Conference, Las Vegas, NV, USA, 7–8 April 2010 (2010)Google Scholar
  16. 16.
    Dietrich, C.J., Rossow, C., Freiling, F.C., Bos, H., van Steen, M., Pohlmann, N.: On botnets that use DNS for command and control. In: 7th European Conference on Computer Network Defense, Gothenburg, Sweden, 6–7 September 2011 (2011)Google Scholar
  17. 17.
    Karasaridis, A., Meierhellstern, K.S., Hoeflin, D.A.: NIS04-2: detection of DNS anomalies using flow data analysis. In: IEEE GLOBECOM 2006 - Global Telecommunications Conference, pp. 1–6. IEEE, New York (2006)Google Scholar
  18. 18.
    Paxson, V., Christodorescu, M., Javed, M., et al.: Practical comprehensive bounds on surreptitious communication over DNS. In: Proceedings of the 22nd USENIX Security Symposium, pp. 17–32. USENIX Association, Berkeley (2013)Google Scholar
  19. 19.
    Qi, C., Chen, X., Xu, C., Shi, J., Liu, P.: A bigram based real time DNS tunnel detection approach. Procedia Comput. Sci. 17, 852–860 (2013)CrossRefGoogle Scholar
  20. 20.
    Zhang, S., Zou, F., Wang, L., Cheng, M.: Detecting DNS-based covert channel on live traffic. J. Commun. 34(5), 143–151 (2013)Google Scholar
  21. 21.
    Google Search by Image. Accessed 10 Apr 2018
  22. 22.
    DNS Nslookup online. Accessed 10 Apr 2018
  23. 23.
    Dr. Web Online scanner. Accessed 10 Apr 2018
  24. 24.
    DNSCat. Accessed 10 Apr 2018
  25. 25.
    DNS Dig online. Accessed 10 Apr 2018
  26. 26.
    DNS MX record online. Accessed 10 Apr 2018
  27. 27.
    Whois Online. Accessed 10 Apr 2018
  28. 28.
    PDFMyURL. Accessed 10 Apr 2018
  29. 29.
    vURL Online. Accessed 10 Apr 2018
  30. 30.
    IE Netrenderer. Accessed 10 Apr 2018
  31. 31.
    VirusTotal. Accessed 10 Apr 2018
  32. 32.
    Avira’s Virus Scanner. Accessed 10 Apr 2018
  33. 33.
    Google Translate. Accessed 10 Apr 2018
  34. 34.
    Bing Translator. Accessed 10 Apr 2018
  35. 35.
    Baidu Translate. Accessed 10 Apr 2018
  36. 36.
    Web Page Analyzer. Accessed 10 Apr 2018
  37. 37.
    Pingdom Website Speed Test. Accessed 10 Apr 2018
  38. 38.
    PPMD compressor. Accessed 10 Apr 2018
  39. 39.
    Exploitation of Data Streams Authorized by a Network Access Control System for Arbitrary Data Transfers: Tunneling and Covert Channels over the HTTP Protocol. Technique report, Gray-World. Accessed 10 Apr 2018
  40. 40.
    Application Layer Covert Channel Analysis and Detection. Technique report, Napier University Edinburgh. Accessed 10 Apr 2018
  41. 41.
    Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31, 2435–2463 (1999)CrossRefGoogle Scholar
  42. 42.
    Roesch, M.: SNORT: lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX Conference on Systems Administration, pp. 229–238. USENIX Association, Berkeley (1999)Google Scholar
  43. 43.
    Bernaille, L., Teixeira, R., Akodkenou, I., et al.: Traffic classification on the fly. ACM Spec. Interest Group Data Commun. 36(2), 23–26 (2006)Google Scholar
  44. 44.
    Crotti, M., Dusi, M., Gringoli, F., Salgarelli, L.: Detecting HTTP tunnels with statistical mechanisms. In: Proceedings of the 42th IEEE International Conference on Communications, pp. 6162–6168. IEEE, New York (2007)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Feng Zhu
    • 1
  • Youngtae Yun
    • 2
  • Jinpeng Wei
    • 3
    Email author
  • Brent Byunghoon Kang
    • 4
  • Yongzhi Wang
    • 5
  • Daehyeok Kim
    • 6
  • Peng Li
    • 1
  • He Xu
    • 1
  • Ruchuan Wang
    • 1
  1. 1.Nanjing University of Posts and TelecommunicationsNanjingChina
  2. 2.The Attached Institute of ETRIDaejeonKorea
  3. 3.University of North Carolina at CharlotteCharlotteUSA
  4. 4.Korea Advanced Institute of Science and TechnologyDaejeonKorea
  5. 5.Park UniversityParkvilleUSA
  6. 6.Carnegie Mellon UniversityPittsburghUSA

Personalised recommendations