Covert channels in the IP time to live field

Covert channels are used for the secret transfer of information. Unlike encryption, which only protects the information from unauthorised observers, covert channels aim to hide the very existence of the communication. The sheer amount of data and vast number of different network protocols in the Internet makes it an ideal high-capacity vehicle for covert communication. Covert channels pose a serious security threat as criminals can use them to hide their communication activities. In this paper we present a novel covert channel inside the IP header’s Time To Live (TTL) field. The sender manipulates the TTLs of subsequent packets transmitting covert information to the receiver. Since network elements along the path also modify the TTL, the capacity and stealth of this channel depend on the 'natural' TTL variation. We analyse this variation in multiple traffic traces and propose an encoding scheme, which makes the TTL covert channel look similar to “natural” variation. We also discuss methods to eliminate and detect this covert channel.