Heroes of Packet Analysis Quiz
Scenario: A host on the distant end of a satellite communication link has been compromised. Malware has been successfully uploaded to the host and is attempting to run the Covert_TCP tool (i.e., covert channels carried in TCP header fields). The tool is being used to beacon back to a malicious command and control (C2) server and receive follow-on instructions. The satellite communication path uses WAN optimization devices to improve user experience and bandwidth utilization. The system administrator has enabled protocol spoofing, latency optimization, and TCP acceleration on the WAN optimization devices.

5: Given an infected host system with Covert_TCP successfully installed and configured, will the beacon back to the malicious C2 server succeed in traversing the depicted network to its intended destination?

A. No, all WAN optimizers have next-generation firewalls onboard and it would filter this malicious traffic.

B. Yes, the infected host's Covert_TCP packet will reach its destination since WAN optimizers simply allow traffic to pass through them, inspecting the traffic flow to make better informed decisions about future bandwidth allocation and planning.

C. Yes, the infected host will be able to communicate with the C2 server since Covert_TCP uses TCP header fields that are left unaltered as packets traverse the network.

D. No, WAN optimizers that use TCP acceleration will create a new TCP session on behalf of the client/server, and during the creation of this new session the covert channel information would be dropped.
Who asked the question: Operator at BruteForce LLC, author of the white paper "ProfiShark 1G Use Case Analysis".