Things You Learn In College

So I’m sitting in Enterprise Security twiddling my thumbs when the professor offers a lecture in Stego. The form he is discussing is using the useless bits of a random image (least significant bit) to encode a message. So it got me thinking…

What if a botnet used this theory at the packet level? We have been seeing encrypted headers at the application level for a while (think encrypted GET/POST requests). But what if we did something different? Imagine using a packet, changing the fragmentation offset and the IPv4 number and encoding data into those fields. Then on the server end, simply have a rule to detect the packets, reassemble them, and decode them!

How could an IDS/IPS rule possibly be written to defeat this? It could make DLP a whole new nightmare.

Boy, the things you learn in college.
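One defensive angle on the IDS question above, as an added example that is not part of the original post: the fragment offset has to agree with the DF/MF flags and with the other fragments of the same datagram, so a sensor can flag headers that could never reassemble. The function names, reason strings and sample packets are constructed for illustration, the check runs over a captured batch rather than a live stream with reassembly timeouts, and it covers the fragment-offset field only.

```python
import struct
from collections import defaultdict

def parse_ipv4(pkt):
    """Decode the IPv4 header fields that govern fragmentation (RFC 791)."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"key": (src, dst, proto, ident),        # reassembly key
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,     # field counts 8-byte units
            "data_len": total_len - (ver_ihl & 0x0F) * 4}

def find_anomalies(packets):
    """Return sorted (ident, reason) pairs for inconsistent fragment fields."""
    findings, groups = set(), defaultdict(list)
    for raw in packets:
        p = parse_ipv4(raw)
        ident = p["key"][3]
        if p["df"] and (p["mf"] or p["offset"]):
            findings.add((ident, "DF set on a fragment"))
        if p["mf"] and p["data_len"] % 8:
            findings.add((ident, "non-final fragment length not a multiple of 8"))
        if p["mf"] or p["offset"]:
            groups[p["key"]].append(p)
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        expected, complete = 0, not frags[-1]["mf"]
        for f in frags:                              # must tile from offset 0 with no gaps
            complete = complete and f["offset"] == expected
            expected = f["offset"] + f["data_len"]
        if not complete:
            findings.add((key[3], "fragments never form a complete datagram"))
    return sorted(findings)

def build(ident, flags_frag, data_len):
    """Constructed sample: IPv4/UDP header with zero payload, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, ident, flags_frag,
                       64, 17, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02") + bytes(data_len)

SAMPLE = [                       # constructed traffic, not from the original post
    build(0x1001, 0x0000, 100),  # ordinary unfragmented datagram
    build(0x1002, 0x2000, 16),   # legitimate first fragment (MF set, offset 0)
    build(0x1002, 0x0002, 10),   # legitimate last fragment at byte offset 16
    build(0x1003, 0x0123, 8),    # lone packet carrying a nonzero offset
    build(0x1004, 0x4005, 8),    # DF flag together with an offset
]

if __name__ == "__main__":
    for ident, reason in find_anomalies(SAMPLE):
        print(f"id=0x{ident:04x}: {reason}")
```

The legitimately fragmented datagram (id 0x1002) passes because its two pieces tile from offset 0 and end with MF clear; the other two fragment-bearing packets are reported.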

Posted on: Wednesday, September 3rd, 2008 at 3:31 pm | Category: Security.

One Response to “Things You Learn In College”

  1. Anthony Says:

    Your kung fu is very scary….glad I’m on your side :)
