Using an "HTTP covert channel" to break through LAN security: a vulnerability warning - the black bar safety net

2005-10-25T00:00:00
ID MYHACK58:6220054035
Type myhack58
Reporter Anonymous
Modified 2005-10-25T00:00:00

Description

What is an HTTP covert channel? What is LAN security, and how does a system administrator keep a LAN secure? Security is a constantly changing concept. For a long time the standard answer has been to place a firewall between the LAN and the outside world and to strictly control which ports are open; that gives the administrator the initiative to a large degree and makes it easy to control which services internal and external users can use. For example, if the firewall opens only ports 80 and 53, then neither insiders nor outsiders can use the services that have already proven to be more dangerous.

Note, however, that a firewall is in a sense very dumb. An administrator who relies on it too much and grows complacent inevitably creates a major security hazard. "Channel" (tunneling) technology is a good proof of this, and it is the subject of this article.

So what is a channel? Here a channel means a communication method that bypasses the firewall's port filtering. Each end encapsulates its data in a packet type or port that the firewall allows through and sends it across the firewall to the other end; when the encapsulated packet reaches its destination it is unwrapped and the original packet is handed to the corresponding service. For example:

Host A sits behind a firewall whose access-control rule only lets port 80 traffic out; host B is outside the firewall and is open. Now suppose you want to telnet from A to B. What do you do? Ordinary telnet is certainly impossible, but we know that port 80 can be used, so an Httptunnel channel is a good approach. The idea is as follows:

On machine A start a tunnel client that listens on an unused local port, say 1234, and directs whatever arrives on port 1234 to port 80 on the remote end (B) (note that the firewall allows port 80 through). On machine B start a server that also binds to port 80 and forwards the data arriving on port 80 from the client to the local telnet service on port 23. Now telnet to local port 1234 on A: according to the settings just made, the packets are forwarded to port 80 on B, and because the firewall allows port 80 traffic they flow through the firewall and reach B. The process listening on port 80 on B receives the packets from A, unwraps them and hands them to the telnet process. When B has to send data back to A, it goes out through port 80 again and likewise passes smoothly through the firewall.

In fact the tunnel concept has been around for a long time, and quite possibly readers have already used similar technology, for example the site http://www.http-tunnel.com. It is a company that professionally provides tunnel services: through their online tunnel server, LAN users can use software that the firewall blocks, such as ICQ, E-MAIL, pcAnywhere, AIM, MSN, Yahoo, Morpheus, Napster and so on. We see ICQ, Napster and the like in that list; I believe many readers have used proxies for ICQ, OICQ and so on, and their principle is roughly the same.

What is Httptunnel

As a practical example we describe one channel program, httptunnel. The httptunnel homepage describes it as follows:

httptunnel creates a bidirectional virtual data connection tunnelled in HTTP requests. The HTTP requests can be sent via an HTTP proxy if so desired. This can be useful for users behind restrictive firewalls. If WWW access is allowed through a HTTP proxy, it's possible to use httptunnel and, say, telnet or PPP to connect to a computer outside the firewall.

From this description we can see that it is exactly a proof of the tunnel technique introduced here; we give a rough explanation of its use.

The most stable version of httptunnel at present is 3.0.5. It supports the common Unix systems and also the Windows platform. Download it from the relevant site; installation is quite simple, just follow the INSTALL file, so it is not covered here.

Once the software is installed we get two key files, htc and hts: htc is the client (c) and hts is the server (s). Let's look at how to use them.

Suppose there are two machines, A (domain name client.yiming.com) and B (domain name server.yiming.com), both running Solaris. A is inside the firewall and B outside it, and the firewall administrator's access rules only ALLOW packets out on ports 80 and 53. Our task is to use Httptunnel to telnet from A to B through the firewall restrictions. The procedure is as follows:

First, on A we start the client; the command is very simple:

client.yiming.com# htc -F 1234 server.yiming.com:80

The system returns to the prompt; now with netstat -an we can see a listener on port 1234 inside the system:

*.1234 *.* 0 0 0 0 LISTEN

Then on B we start the server; the command is as follows:

server.yiming.com# hts -F localhost:23 80

The system returns to the prompt; now netstat shows

*.80 *.* 0 0 0 0 LISTEN

Port 80 is in the listening state. Note that if the system itself is running a web service (so port 80 is already listening), this will not affect Httptunnel's operation.

OK, server and client are both started, so we can begin our "channel" test. On client.yiming.com run the following command and see:

client.yiming.com# telnet localhost 1234

Trying 0.0.0.0...

Connected to 0.

Escape character is '^]'.

SunOS 5.7

This is yiming's private box! Any question,contact me with yiming@security.zz.ha.cn

login:

We see B's login prompt. Enter the account and password to see whether it works normally:

login: yiming

Password: (omitted here ;) )

server.yiming.com# ls

bak check go httpd lost+found mrtg run soft wg

OK! It works normally, no different from an ordinary telnet.

Looking carefully at the whole process, you will notice that at the beginning it shows "Trying 0.0.0.0..." and "Connected to 0." instead of "Trying server.yiming.com..." and "Connected to server.yiming.com". This very intuitively shows that the client forwards the port 1234 packets to the local port 80 side (from where they are forwarded to the remote end) rather than connecting directly to the remote machine B.

The above is a fairly intuitive test. To further verify that the server and client are not communicating over port 23, we capture packets and take a look. On the server we use the packet capture tool tcpdump:

server.yiming.com# tcpdump host client.yiming.com

tcpdump: listening on hme0

14:42:54.213699 client.yiming.com.51767 > server.yiming.com.80: S 1237977857:1237977857(0) win 8760 (DF)
14:42:54.213767 server.yiming.com.80 > client.yiming.com.51767: S 1607785698:1607785698(0) ack 1237977858 win 8760 (DF)
14:42:54.216186 client.yiming.com.51768 > server.yiming.com.80: . ack 1 win 8760 (DF)
14:42:54.218661 client.yiming.com.51768 > server.yiming.com.80: P 1:44(43) ack 1 win 8760 (DF)
14:42:54.218728 client.yiming.com.51768 > server.yiming.com.80: P 44:48(4) ack 1 win 8760 (DF)

Space is limited, so only a few packets of the capture are shown above, but they already illustrate the point: we see the server and client complete a three-way handshake and then start pushing data, and the communication indeed goes over port 80. Interesting, isn't it?

Seeing is one thing, but this is still not straightforward enough: what exactly is inside? We change the tcpdump invocation slightly and look further at whether the telnet data is encapsulated inside the port 80 packets:

server.yiming.com# tcpdump -X host client.yiming.com

14:43:05.246911 server.yiming.com.80 > client.yiming.com.51768: . 2997:4457(1460) ack 89 win 8760 (DF)
0x0000 4500 05dc 3b23 4000 ff06 e2c2 yyyy yyyy E...;#@......f.D
0x0010 xxxx xxxx 0050 de42 5fd5 ac4f 39ac 016f .f.#.P.B_..O9..o
0x0020 5010 2238 98e4 0000 746f 7461 6c20 3636 P."8....total 66
0x0030 370d 0a64 7277 7872 2d78 722d 7820 2032 7..drwxr-xr-x  2
0x0040 3920 726f 6f74 2020 2020 2072 6f6f 7420 9 root     root

Oh, this time it is much clearer: the above should be the output of an ls command, and the telnet results can be seen plainly! Sure enough, the telnet data travels inside the port 80 packets!

Security issues brought by Httptunnel

Having written this far, we can imagine: if an administrator fully trusts the firewall while such a risk exists on the LAN, what will the consequences be?

We can see that over the years over-reliance on firewalls has also been listed among the SANS Top 10 security issues.

That being so, a question naturally arises: can this httptunnel behavior be detected?

The first thing we think of is an intrusion detection system. In current network security design, a firewall plus an intrusion detection system is one of the more popular linked security configurations. Since httptunnel bypasses the firewall, what about an IDS? We have to test and see.

In the following tests the IDS we use is Snort, version 1.8.2. This is the famous open-source IDS; its description calls it a lightweight, cross-platform intrusion detection system. In December 2001, in an evaluation by the independent UK testing lab NSS, it defeated all of its commercial IDS opponents, including ISS, Cisco Secure IDS, CA eTrust, CyberSafe Centrax and NFR. Interested readers can also read the report titled "Open source mounts IDS challenge".

With this general introduction to Snort done, let's look at the results. Snort turned the packets captured during the whole test into the following alerts:

[**] WEB-MISC whisker splice attack [**]
12/02-14:42:54.389175 client.yiming.com:51767 -> server.yiming.com:80
TCP TTL:251 TOS:0x0 ID:3327 IpLen:20 DgmLen:42 DF
***AP*** Seq: 0x49CA0BA7 Ack: 0x5FD4DCE3 Win: 0x2238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-MISC whisker splice attack [**]
12/02-14:43:03.195006 client.yiming.com:51767 -> server.yiming.com:80
TCP TTL:251 TOS:0x0 ID:3439 IpLen:20 DgmLen:41 DF
***AP*** Seq: 0x49CA0C20 Ack: 0x5FD4DCE3 Win: 0x2238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-MISC whisker splice attack [**]
12/02-14:43:04.630268 client.yiming.com:51768 -> server.yiming.com:80
TCP TTL:251 TOS:0x0 ID:3496 IpLen:20 DgmLen:41 DF
***AP*** Seq: 0x49CA0C4E Ack: 0x5FD4DCE3 Win: 0x2238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

We see that Snort raised "WEB-MISC whisker splice attack" alerts on the captured packets, but that attack did not actually occur; at the same time Snort did not perceive the tunnel packets at all. So Snort exhibited the two classic IDS problems at once: false positives and false negatives.

This is quite normal, because it is a common problem of signature-based IDSs. Most current IDSs, including the famous commercial products ISS, NFR and so on, are signature-based, meaning the system maintains a set of data-pattern signatures of specific attack packets. While working it checks the content of the passing packets and compares it with the pattern signatures in its own database; if a packet matches the signature of some attack pattern, it concludes that that attack has occurred.

From this we can clearly see a number of problems. The dependence on signatures inevitably leads to two results: false negatives and false positives. This is easy to understand: when a new attack pattern appears, the IDS has no corresponding signature, so it cannot capture the attack packets, and a false negative occurs. At the same time, over-dependence on signature patterns very easily produces false positives, as in our example above. In addition, the dependence on signatures reduces system performance to some extent, since every passing packet has to be compared against the IDS's signatures.

Moreover, a signature-based IDS can itself be attacked through this very feature. An example is Stick: its author exploited the IDS's signature-matching mechanism by sending it a large number of packets carrying attack signatures, so that the IDS's processing capacity was exceeded and it could no longer respond. According to its author, Coretez Giovanni, running Stick for 2 seconds was enough to crash the famous commercial IDS ISS RealSecure. From the above we see that depending completely on an IDS is just as risky.

Some solution ideas

It seems that relying on the IDS alone cannot detect this behavior, so is there another way? Let us carefully analyze the httptunnel packets captured during the test.

Careful observation of the intercepted httptunnel packets shows that right after the three-way handshake completes, the first data packet, sent by htc (client) to hts (server), contains a POST action, as follows:

14:55:39.128908 client.yiming.com.51767 > server.yiming.com.80: S 3521931836:3521931836(0) win 8760 (DF)
0x0000 4500 002c d3cc 4000 fb06 53c9 xxxx xxxx E..,..@...S..f.#
0x0010 yyyy yyyy ca37 0050 d1ec 6a3c 0000 0000 .f.D.7.P..j<....
0x0020 6002 2238 1708 0000 0204 05b4 0000 `."8..........

14:55:39.128945 server.yiming.com.80 > client.yiming.com.51767: S 2946004964:2946004964(0) ack 3521931837 win 8760 (DF)
0x0000 4500 002c cb85 4000 ff06 5810 yyyy yyyy E..,..@.....f.D
0x0010 xxxx xxxx 0050 ca37 af98 77e4 d1ec 6a3d .f.#.P.7..w...j=
0x0020 6012 2238 ef79 0000 0204 05b4 `."8.y......

14:55:39.131002 client.yiming.com.51767 > server.yiming.com.80: . ack 1 win 8760 (DF)
0x0000 4500 0028 d3cd 4000 fb06 53cc xxxx xxxx E..(.#
0x0010 yyyy yyyy ca37 0050 d1ec 6a3d af98 77e5 .f.D.7.P..j=..w.
0x0020 5010 2238 0737 0000 0000 0000 0000 0000 P."8.7........

14:55:39.132841 server.yiming.com.80 > client.yiming.com.51767: . ack 44 win 8760 (DF)
0x0000 4500 0028 cb86 4000 ff06 5813 yyyy yyyy E..(
0x0010 xxxx xxxx 0050 ca37 af98 77e5 d1ec 6a68 .f.#.P.7..w...jh
0x0020 5010 2238 070c 0000 P."8....

14:55:39.132860 client.yiming.com.51767 > server.yiming.com.80: P 1:44(43) ack 1 win 8760 (DF)
0x0000 4500 0053 d3ce 4000 fb06 53a0 xxxx xxxx
0x0010 yyyy yyyy ca37 0050 d1ec 6a3d af98 77e5 .f.D.7.P..j=..w.
0x0020 5018 2238 d23a 0000 504f 5354 202f 696e P."8.:..POST /in
0x0030 6465 782e 6874 6d6c 3f63 7261 703d 3130 dex.html?crap=10
0x0040 3037 3838 3034 3836 2048 5454 502f 312e 07880486 HTTP/1.
0x0050 310d 0a 1..
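Reading a request line out of a tcpdump -X dump by hand is error-prone, so here is a small decoder for exactly that job. This is an added example written for this page, not code from the article, tcpdump or httptunnel: it rebuilds the raw packet bytes from the hex column, strips the IPv4 and TCP headers using the IHL and data-offset fields, and reports the HTTP request line if the payload starts with one. The sample is the POST packet above; the author's masked addresses (xxxx/yyyy) are replaced by the constructed placeholders 10.0.0.1 and 10.0.0.2, and the parser also handles a dump containing several packets.

```python
"""Decode `tcpdump -X` output back into packet bytes and extract the TCP payload.
Example code written for this page, not tcpdump's or httptunnel's code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first data packet of the httptunnel session as the
# article's capture shows it, with the masked addresses replaced by the
# constructed placeholders 10.0.0.1 (client) and 10.0.0.2 (server).
TCPDUMP_X_SAMPLE = """\
14:55:39.132860 client.yiming.com.51767 > server.yiming.com.80: P 1:44(43) ack 1 win 8760 (DF)
0x0000 4500 0053 d3ce 4000 fb06 53a0 0a00 0001  E..S..@...S.....
0x0010 0a00 0002 ca37 0050 d1ec 6a3d af98 77e5  .....7.P..j=..w.
0x0020 5018 2238 d23a 0000 504f 5354 202f 696e  P."8.:..POST /in
0x0030 6465 782e 6874 6d6c 3f63 7261 703d 3130  dex.html?crap=10
0x0040 3037 3838 3034 3836 2048 5454 502f 312e  07880486 HTTP/1.
0x0050 310d 0a                                  1..
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):?\s+(.*)$")
HEX_GROUP = re.compile(r"(?:[0-9a-fA-F]{2}){1,2}")
TCP_FLAGS = "FSRPAU"  # bits 0..5 of the TCP flags byte: FIN SYN RST PSH ACK URG
REQUEST_LINE = re.compile(rb"^(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]\r\n")


def parse_tcpdump_x(text: str) -> List[Tuple[str, bytes]]:
    """Split tcpdump -X output into (summary line, raw packet bytes) pairs.

    A line starting with an 0xNNNN offset belongs to the current packet; any
    other non-blank line starts a new packet. The hex column is separated from
    the ASCII column by two or more spaces and holds at most 16 bytes, so the
    ASCII column is never mistaken for hex.
    """
    packets: List[Tuple[str, bytes]] = []
    summary, buf = None, bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEX_LINE.match(line)
        if not m:
            if summary is not None or buf:
                packets.append((summary or "", bytes(buf)))
            summary, buf = line.strip(), bytearray()
            continue
        if int(m.group(1), 16) != len(buf):
            raise ValueError("hex dump offsets are not contiguous")
        hex_column = re.split(r"\s{2,}", m.group(2).strip())[0]
        for group in hex_column.split()[:8]:
            if not HEX_GROUP.fullmatch(group):
                break
            buf += bytes.fromhex(group)
    if summary is not None or buf:
        packets.append((summary or "", bytes(buf)))
    return packets


def decode_ipv4_tcp(pkt: bytes) -> Tuple[Dict[str, object], bytes]:
    """Strip the IPv4 and TCP headers; return (header fields, TCP payload)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = int.from_bytes(pkt[2:4], "big")    # IP total length
    if pkt[9] != 6:
        raise ValueError("IP protocol is not TCP")
    if total_len > len(pkt):
        raise ValueError("dump is truncated: IP says %d bytes, have %d" % (total_len, len(pkt)))
    tcp = pkt[ihl:total_len]
    doff = (tcp[12] >> 4) * 4                      # TCP header length in bytes
    flags = "".join(ch for i, ch in enumerate(TCP_FLAGS) if tcp[13] & (1 << i))
    fields = {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "seq": int.from_bytes(tcp[4:8], "big"),
        "flags": flags,
    }
    return fields, tcp[doff:]


def http_request_line(payload: bytes) -> Optional[str]:
    """Return the HTTP request line if the payload starts with one, else None."""
    m = REQUEST_LINE.match(payload)
    return m.group(0).rstrip(b"\r\n").decode("ascii") if m else None


if __name__ == "__main__":
    for summary, pkt in parse_tcpdump_x(TCPDUMP_X_SAMPLE):
        hdr, payload = decode_ipv4_tcp(pkt)
        print(summary)
        print("  %s:%d -> %s:%d flags=%s payload=%d bytes"
              % (hdr["src"], hdr["sport"], hdr["dst"], hdr["dport"], hdr["flags"], len(payload)))
        print("  request line:", http_request_line(payload))
```

Run on the sample, the decoder recovers 83 bytes (matching the IP total length 0x0053), a PSH+ACK segment from port 51767 to port 80, and the 43-byte payload "POST /index.html?crap=1007880486 HTTP/1.1\r\n", which is what the article's "P 1:44(43)" summary line announces.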

That is the client sending a packet to the server; how does the server react? Looking further down, after the above process completes htc and hts perform another handshake (note: a handshake once again), as follows:

14:55:39.134301 client.yiming.com.51768 > server.yiming.com.80: S 2851199448:2851199448(0) win 8760 (DF)
0x0000 4500 002c d3df 4000 fb06 53b6 xxxx xxxx E..,..@...S..f.#
0x0010 yyyy yyyy ca38 0050 a9f1 d9d8 0000 0000 .f.D.8.P........
0x0020 6002 2238 cf65 0000 0204 05b4 0000 `."8.e........

14:55:39.134389 server.yiming.com.80 > client.yiming.com.51768: S 2946060449:2946060449(0) ack 2851199449 win 8760 (DF)
0x0000 4500 002c cb8f 4000 ff06 5806 yyyy yyyy E..,..@.....f.D
0x0010 xxxx xxxx 0050 ca38 af99 50a1 a9f1 d9d9 .f.#.P.8..P.....
0x0020 6012 2238 cf19 0000 0204 05b4 `."8........

14:55:39.136527 client.yiming.com.51768 > server.yiming.com.80: . ack 1 win 8760 (DF)
0x0000 4500 0028 d3e0 4000 fb06 53b9 xxxx xxxx E..(
0x0010 yyyy yyyy ca38 0050 a9f1 d9d9 af99 50a2 .f.D.8.P......P.
0x0020 5010 2238 e6d6 0000 0000 0000 0000 0000 P."8..........

14:55:39.137333 client.yiming.com.51768 > server.yiming.com.80: P 1:43(42) ack 1 win 8760 (DF)
0x0000 4500 0052 d3e1 4000 fb06 538e xxxx xxxx
0x0010 yyyy yyyy ca38 0050 a9f1 d9d9 af99 50a2 .f.D.8.P......P.
0x0020 5018 2238 25ce 0000 4745 5420 2f69 6e64 P."8%...GET /ind
0x0030 6578 2e68 746d 6c3f 6372 6170 3d31 3030 ex.html?crap=100
0x0040 3738 3830 3438 3620 4854 5450 2f31 2e31 7880486 HTTP/1.1
0x0050 0d0a ..

14:55:39.137379 server.yiming.com.80 > client.yiming.com.51768: . ack 43 win 8718 (DF)
0x0000 4500 0028 cb90 4000 ff06 5809 yyyy yyyy E..(
0x0010 xxxx xxxx 0050 ca38 af99 50a2 a9f1 da03 .f.#.P.8..P.....
0x0020 5010 220e e6d6 0000 P.".....

14:55:39.139733 client.yiming.com.51768 > server.yiming.com.80: P 43:89(46) ack 1 win 8760 (DF)
0x0000 4500 0056 d3e2 4000 fb06 5389 xxxx xxxx .#
0x0010 yyyy yyyy ca38 0050 a9f1 da03 af99 50a2 .f.D.8.P......P.
0x0020 5018 2238 e156 0000 486f 7374 3a20 3230 P."8.V..Host: 20
0x0030 322e 3130 322e 3232 372e 3638 3a38 300d 2.102.227.68:80.
0x0040 0a43 6f6e 6e65 6374 696f 6e3a 2063 6c6f .Connection: clo
0x0050 7365 0d0a 0d0a se....

14:55:39.151300 server.yiming.com.80 > client.yiming.com.51768: P 1:170(169) ack 89 win 8760 (DF)
0x0000 4500 00d1 cb91 4000 ff06 575f yyyy yyyy
0x0010 xxxx xxxx 0050 ca38 af99 50a2 a9f1 da31 .f.#.P.8..P....1
0x0020 5018 2238 e721 0000 4854 5450 2f31 2e31 P."8.!..HTTP/1.1
0x0030 2032 3030 204f 4b0d 0a43 6f6e 7465 6e74 .200 OK..Content
0x0040 2d4c 656e 6774 683a 2031 3032 3430 300d -Length: 102400.
0x0050 0a43 6f6e 6e65 6374 696f 6e3a 2063 6c6f .Connection: clo
0x0060 7365 0d0a 5072 6167 6d61 3a20 6e6f 2d63 se..Pragma: no-c
0x0070 6163 6865 0d0a 4361 6368 652d 436f 6e74 ache..Cache-Cont
0x0080 726f 6c3a 206e 6f2d 6361 6368 652c 206e rol: no-cache, n
0x0090 6f2d 7374 6f72 652c 206d 7573 742d 7265 o-store, must-re
0x00a0 7661 6c69 6461 7465 0d0a 4578 7069 7265 validate..Expire
0x00b0 733a 2030 0d0a 436f 6e74 656e 742d 5479 s: 0..Content-Ty
0x00c0 7065 3a20 7465 7874 2f68 746d 6c0d 0a0d pe: text/html...

From these packets we can see that the htc (client) end sends a GET packet to the hts (server) end, presumably to "fetch" the packet the client just sent, and this is a new handshake! To verify this we run netstat -an on both the client and the server, and the results prove our observation correct. On the client:

client.yiming.com.51767 server.yiming.com.80 8760 0 8760 0 ESTABLISHED
client.yiming.com.51768 server.yiming.com.80 8760 0 8760 0 ESTABLISHED

On the server, netstat -an gives the following:

server.yiming.com.80 client.yiming.com.51767 8760 0 8760 0 ESTABLISHED
server.yiming.com.80 client.yiming.com.51768 8760 0 8760 0 ESTABLISHED

Sure enough, the systems on both sides of the firewall each hold two sockets, which differs from an ordinary program; this is a rather special phenomenon.

After the GET operation completes, the server sends the client a packet whose content is:

HTTP/1.1 200 OK

Content-Length: 102400

Connection: close

Pragma: no-cache

Cache-Control: no-cache, no-store, must-revalidate

Expires: 0

Content-Type: text/html

This presumably defines the maximum size of a data transmission and other parameters.

The author found that only after these three interactions between htc and hts is the httptunnel really established and the subsequent work carried out normally. Very interestingly, from then on none of the subsequent packets on port 80 carry GET, PUT, POST or similar content!! This seems to point to an approach.

As noted above, packets that normally pass over port 80 should be web traffic, and such packets should eventually carry the content of normal web operations. If the data passing over port 80 never contains these things, then something is certainly wrong.

So this problem has a solution: manually inspect the packets going through port 80. If the packets are transmitted in plaintext, this kind of behavior is easy to find. But that is only theoretically feasible; in practice it is not possible. Is there a mature product for this? Searching the web along these lines, we indeed found an intrusion detection system, e-Gap, that can detect and block httptunnel and other channel software. It works at the TCP/IP application layer and checks the exact nature of packets at the application level; for example, when inspecting port 80 packets, if the packets never contain valid data (URL, GET, PUT and other parameters), the e-Gap system raises an alarm and interrupts the connection.
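The rule just described (port 80 data that never looks like a web request is suspect) and the signature-matching model discussed earlier can both be shown in a few dozen lines. The checker below is an added example written for this page; it is not e-Gap, Snort or httptunnel code. It takes the client-to-server TCP payloads of one port 80 connection, one per packet, frames them as HTTP requests (request line, headers, a body of the declared Content-Length) and reports bytes that fit no request at all. It adds one behavioural check the article's capture suggests: the tunnelled telnet session arrives as keystroke-sized pushes inside a single request body, which no form or file upload produces. The sample flows, the Content-Length on the POST, the host 10.0.0.2 and the toy signatures are all constructed; the thresholds are illustrative rather than tuned.

```python
"""Port-80 stream checker: frames one connection's client->server bytes as
HTTP requests and flags what does not fit. Example code written for this page,
not e-Gap, Snort or httptunnel code."""
import re
from statistics import median
from typing import Dict, List

# Request line of an HTTP/1.x request: METHOD SP target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"(GET|POST|PUT|HEAD|DELETE|OPTIONS|TRACE) (\S+) HTTP/1\.[01]\r\n")
CONTENT_LENGTH = re.compile(rb"\r\ncontent-length:[ \t]*(\d+)", re.I)


def frame_requests(segments: List[bytes]) -> Dict[str, object]:
    """Attribute every client->server byte to a request head, a declared body,
    or 'opaque' data that belongs to no HTTP request at all.

    `segments` are the TCP payloads in order, one per packet, so body pushes
    can be measured per packet. Assumptions: a request line starts at a segment
    boundary (true of the article's captures) and bodies are framed by
    Content-Length; chunked bodies are not parsed and count as opaque.
    """
    state, buf, body_left = "idle", b"", 0
    requests: List[Dict[str, object]] = []
    body_pushes: List[int] = []
    head_bytes = body_bytes = opaque_bytes = 0
    for data in segments:
        while data:
            if state == "body":                 # inside a body of known length
                take = min(body_left, len(data))
                body_bytes += take
                body_pushes.append(take)
                body_left -= take
                data = data[take:]
                if body_left == 0:
                    state = "idle"
                continue
            if state == "idle":                 # a new request line is expected
                if not REQUEST_LINE.match(data):
                    opaque_bytes += len(data)   # on port 80, but not HTTP
                    data = b""
                    continue
                state, buf = "head", b""
            # state == "head": collect bytes until the blank line ends the headers
            buf += data
            data = b""
            end = buf.find(b"\r\n\r\n")
            if end < 0:
                continue
            head, data = buf[:end + 4], buf[end + 4:]
            m = REQUEST_LINE.match(head)
            cl = CONTENT_LENGTH.search(head)
            body_left = int(cl.group(1)) if cl else 0
            requests.append({"method": m.group(1).decode(),
                             "target": m.group(2).decode(),
                             "content_length": body_left})
            head_bytes += len(head)
            state = "body" if body_left else "idle"
    return {"requests": requests, "head_bytes": head_bytes, "body_bytes": body_bytes,
            "opaque_bytes": opaque_bytes, "body_pushes": body_pushes}


def assess_port80_flow(segments: List[bytes], small_push: int = 16,
                       min_pushes: int = 4) -> Dict[str, object]:
    """The article's rule (port-80 data that never looks like HTTP is suspect)
    plus one behavioural check: a body delivered in many tiny pushes looks like
    an interactive session, not a form or file upload. Thresholds are illustrative."""
    frames = frame_requests(segments)
    reasons: List[str] = []
    if not frames["requests"]:
        reasons.append("no HTTP request on port 80")
    if frames["opaque_bytes"]:
        reasons.append("%d bytes outside any HTTP request frame" % frames["opaque_bytes"])
    pushes = frames["body_pushes"]
    if len(pushes) >= min_pushes and median(pushes) <= small_push:
        reasons.append("interactive-sized body pushes (median %d bytes)" % median(pushes))
    return {"suspicious": bool(reasons), "reasons": reasons, "frames": frames}


# Toy stand-in for the signature-based IDS model: constructed patterns only.
TOY_SIGNATURES = [b"/cgi-bin/phf", b"/../../"]


def signature_hits(segments: List[bytes]) -> List[bytes]:
    return [sig for sig in TOY_SIGNATURES if any(sig in seg for seg in segments)]


# Constructed sample flows (client -> server payloads, one per packet).
# TUNNEL mirrors the article's capture: one POST, then keystroke-sized pushes
# inside the body. The Content-Length value and the host are constructed.
TUNNEL_SEGMENTS = [
    b"POST /index.html?crap=1007880486 HTTP/1.1\r\n",
    b"Host: 10.0.0.2:80\r\nContent-Length: 102400\r\nConnection: close\r\n\r\n",
    b"yimi", b"ng\r\n", b"s", b"e", b"c", b"ret\r\n", b"ls\r\n",
]
NORMAL_SEGMENTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\n",
    b"user=alice&password=secret1",
]
RAW_SEGMENTS = [b"SSH-2.0-OpenSSH_5.3\r\n"]   # a non-HTTP service parked on port 80

if __name__ == "__main__":
    for name, flow in [("tunnel", TUNNEL_SEGMENTS), ("normal", NORMAL_SEGMENTS), ("raw", RAW_SEGMENTS)]:
        print(name, assess_port80_flow(flow)["reasons"], "signatures:", signature_hits(flow))
```

The tunnel flow is flagged by the push-size check while the toy signatures never fire on it, which is the false-negative situation the Snort test showed; the ordinary browser flow passes, and the raw flow is flagged because no request ever appears. A bulk upload (one large Content-Length delivered in MSS-sized segments) is covered by its declared body and stays clean, and as the article notes, none of this helps once the tunnelled data is encrypted, since the framing still looks like a legitimate POST.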

Note that this detection method only works on plaintext transmissions; if the data is encrypted, nothing can be done. Going one step further, what if it is encrypted? As far as the author knows, the StealthWatch hardware product may be a better choice. It completely abandons the signature-based model and instead uses a patent-pending flow-based architecture; according to the results of several review labs it can effectively perceive a variety of disclosed and undisclosed attacks, DoS, worms, viruses and so on, even including encrypted communication! However, its price is far beyond that of ordinary commercial IDSs: a complete setup requires 4 million dollars! The author currently has no way to test its actual effect.

Summary

In our experiments, httptunnel escaped both the firewall's blocking and the intrusion detection system's tracking, which is worth thinking about. We can see that relying on only one or a few means for network security is not reliable, especially for application systems with very high security requirements; blind dependence on a security system tends to create huge security risks.