BananaGlee. I just love saying that word ;)

So, I was reading up on the NSA backdoors for Cisco and other OSes, and got to thinking about how the NSA might exfiltrate their data or run updates… It’s gotta be pretty stealthy, and I’m sure they have means of reflecting data to/from their Remote Operations Center (ROC) in such a way that you can’t merely look at odd destination IPs from your network.

This got me thinking about how I would find such data on a network. First off, obviously, I’d have to tap the link between the firewall and the edge router. I’d also want to tap the firewall for all internal connections. Each of these taps would be duplicated to a separate network card on a passive device.

1) Eliminate all traffic that originated from one interface and went out another interface. This has to be an exact match. I would think any changes outside of TTL would be something that would have to be looked at.

2) What is left after (1) would have to be traffic originating from the firewall (although not necessarily using the firewall’s IP or MAC). That’s gotta be a much smaller set of data.

3) With the data set from (2), you’ve gotta just start tracing through each one.

This would, no doubt, be tons of fun. I don’t know how often the device phones home to the ROC, what protocol they might use, etc.

If anyone has any ideas, I’d love to hear them. I find this extremely fascinating.
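Steps (1) and (2) above, sketched as an added example (not code from the original post): each IPv4 packet is hashed with its TTL and header checksum zeroed, egress packets that match an ingress packet are discarded, and whatever is left is the set to trace in step (3). It assumes a routed firewall with no NAT and no fragment reassembly; the function names and the sample packets are constructed for illustration.

```python
import hashlib
import struct
from collections import Counter

def ip_checksum(hdr):
    """RFC 1071 checksum over a header whose checksum field is zero."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_packet(src, dst, ttl, payload, ident=0x1234):
    """Build a minimal 20-byte-header IPv4 packet (constructed sample data)."""
    addr = lambda a: bytes(map(int, a.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, 6, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def fingerprint(pkt):
    """Hash a packet with the TTL and IP header checksum zeroed out."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[8] = 0                  # TTL: expected to drop by one per hop
    hdr[10:12] = b"\x00\x00"    # header checksum: recomputed after TTL change
    return hashlib.sha256(bytes(hdr) + pkt[ihl:]).hexdigest()

def unmatched_egress(ingress_pkts, egress_pkts):
    """Step 1: drop egress packets that entered on another interface.
    Returns what is left (step 2): packets with no exact ingress match."""
    seen = Counter(fingerprint(p) for p in ingress_pkts)
    leftovers = []
    for pkt in egress_pkts:
        fp = fingerprint(pkt)
        if seen[fp] > 0:
            seen[fp] -= 1       # consume one match so duplicates are counted
        else:
            leftovers.append(pkt)
    return leftovers

# Constructed captures: inside tap vs. outside (edge-router side) tap.
INSIDE = [ipv4_packet("10.0.0.5", "198.51.100.7", 64, b"GET / HTTP/1.1\r\n"),
          ipv4_packet("10.0.0.6", "198.51.100.8", 64, b"hello", ident=0x2222)]
OUTSIDE = [ipv4_packet("10.0.0.5", "198.51.100.7", 63, b"GET / HTTP/1.1\r\n"),
           ipv4_packet("10.0.0.6", "198.51.100.8", 63, b"hello", ident=0x2223),
           ipv4_packet("10.0.0.9", "203.0.113.50", 64, b"beacon")]

if __name__ == "__main__":
    for pkt in unmatched_egress(INSIDE, OUTSIDE):
        print("trace this one:", pkt.hex())
```

The second outside packet is flagged because its IP identification field differs from the inside copy, which is the "any changes outside of TTL" case; the third has no inside counterpart at all.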

  • Michael Argast

    One thing to consider is the fact that the NSA can capture a significant portion of backbone Internet traffic. This means that instead of looking for traffic that is ‘calling home’, they could, for example, be manipulating TCP header or other information knowing they could intercept it downstream regardless of what the destination is.

    So, for example, they could manipulate the TCP information in non-encrypted Google search requests on the way to Google, and still allow the Google search query and results to process back and forth, without anyone being the wiser that it is carrying C&C or other traffic.

    I seem to recall Stonesoft had a bunch of technology that looked for this sort of TCP bypass attack.

    • dmitryc

      Yeah, I had thought of that ;) I would want to look at anything changing outside of TTL (and maybe a few other fields…). I’ll have to check out Stonesoft, thanks for the lead.

  • intrest

    How do you ignore traffic that matches an internal session being NAT’d on the way out? What tech / tools are you using to perform such delineations of interesting traffic?