Evading stepping-stone detection under the cloak of streaming media with SNEAK

Network-based intrusions have become a serious threat to the users of the Internet. To help cover their tracks, attackers launch attacks from a series of previously compromised systems called stepping stones. Timing correlations on incoming and outgoing packets can lead to detection of the stepping stone and can be used to trace the attacker through each link. Prior work has sought to counter the possibility of the attacker employing chaff packets and randomized delays. To date, however, researchers have not accounted for the full range of techniques that a sophisticated attacker could apply. In this work, we show that such an attacker could avoid detection by the best known stepping stone detection methods. We propose a simple buffering technique that could be used by an attacker on a stepping stone to evade detection. This technique makes the timing of packets in the output flow of the stepping stone entirely independent of the timing of packets from the input flow, thereby eliminating the timing link that makes existing stepping stone detection methods possible. To accomplish this, we only require buffering at the stepping stone and enough chaff packets to generate a constant rate flow. This traffic has the characteristics of a multimedia stream, such as Voice over IP (VoIP), which is quite common on the Internet to∗Corresponding author Email addresses: [email protected] (Jaideep D. Padhye), [email protected] (Kush Kothari), [email protected] (Madhu Venkateshaiah), [email protected] (Matthew Wright) Preprint submitted to Elsevier March 21, 2010 day. To test the effectiveness of our technique, we implemented it in a prototype stepping stone application and tested its performance on the DETER testbed and the PlanetLab testbed. Our prototype successfully evades watermark-based detection and provides reasonable performance for shell commands over at least three stepping stones.