---
title: Lab Meeting Minutes 2023/03/17
tags: lab_meeting
---

> Outline
> [TOC]

---

# PERAL Lab Meeting

- Time: March 17, 2023 (ROC year 112), 9:00
- Location: online
- Online meeting link: [Online](https://meet.google.com/ghe-huck-fng)
- Attendees: Prof. 吳坤熹, 吳騰然, 劉怡君, 田蕙瑜, 洪胤勛, 莊才賢, 紀見如, 劉冠伶, 林大智, 繆亭霄, 謝萬霖 (on leave)
- Topic: [Network steganography using DNS NCache](https://docs.google.com/presentation/d/182qIFa-6QvnWltmzdOZkfEzl3FbkmV3RJD6xhQjMyg0/edit?usp=sharing)
- Presenter: 劉冠伶
- Minute taker: 林大智

## Meeting Content

### Previous Work

#### DNS

- DNS is used to map a host name in the application layer to an IP address in the network layer.
- Negative cache -> failed queries are kept in the cache, so that repeated queries for a non-existent hostname do not burden the DNS.

### Improvement

#### Advantages

1. ARP cache and SNMP walks -> DNS negative cache
2. If the covert sender keeps sending ARP packets with a fake MAC address, the attack is called ARP spoofing; it is usually blocked directly by the L2 switch.
3. Does not require special configuration of the dead drop (e.g. snmpd).
4. 375 bytes/hr -> 105,882 bytes/hr (282 times)

#### Detail

##### Step 1: The sender possesses secret information that it wants to store in the DNS negative cache.

![](https://i.imgur.com/z83Ug91.png)

##### Step 2: It therefore exploits the negative cache of a DNS resolver by querying for a non-existent resource record.

![](https://i.imgur.com/MR7PBD8.png)

##### Step 3: The domain name does not actually exist, and the third-party host (the dead drop) adds the information to its DNS negative cache.

![](https://i.imgur.com/RpkGlHv.png)

##### Step 4: The receiver queries all of the domain names and checks whether each result is served from the DNS resolver's cache.

![](https://i.imgur.com/wa2k5Jz.png)

### Experiment

#### Step 1: Convert the message into domain names

![](https://i.imgur.com/aczabib.png)

#### Step 2: Send the hostnames to a particular server

![](https://i.imgur.com/qfkFNJQ.png)

#### Step 3: Query the hostnames from the server

![](https://i.imgur.com/HcdxGDP.png)

#### Step 4: Reassemble the message

![](https://i.imgur.com/9X0zzZC.png)

---

### Suggestions & Questions

1. [name=Solomon] The role of the resolver on p. 5 should be explained.
   Ans: [name=]
2. [name=Solomon] On p. 5, ns1.ntrc.edu.tw should be the resolver; the queried target is www.gnu.org.
   Ans: [name=]
3. [name=Solomon] For the demo, change the sender's prompt string to "sender" and set the receiver's prompt string to "receiver". That makes it very clear; a nice design.
4. [name=Lawrence] Will queries made by other people affect the reassembly of the information?
   Ans: No, because an agreed-upon domain name is used.
5. [name=August] How long will a secret message survive?
6. [name=Jennifer] Everything is converted into a file before sending and receiving; won't that hurt efficiency?
   Ans: No.
   Solomon's ans: But it can be omitted, and try not to leave evidence behind.
7. [name=Branko] Since the domain names look strange, is it possible they could be caught?
   Ans: Future work; still to be improved.
   Solomon's ans: Drawing no reaction from the L2 defenses is already an improvement; it would only be noticed up at the application layer, but that still needs work, and multi-channel hiding could be tried.
8. [name=Jerry] If the 1st server is temporarily replaced by the 2nd or 3rd server, will that affect the hiding of the data?
   Ans: No, because the data is stored in the local DNS resolver.
9. [name=Angela] Could it be overwritten by other people's queries?
   Ans: Possible, so I must carefully choose a dead drop.
10. [name=Phoebe] Maximum number of entries in NCACHE?
    Ans: Theoretically there must be an upper bound, but I failed to reach it even after I had kept sending DNS queries for 8 hours.

## Follow-up Items

## Ad-hoc Motions

---

Meeting adjourned at:
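From the detection side, as an added example written for these minutes (not the presented tool or the lab's code): the Python heuristic below scans a constructed resolver query log for the pattern the Detail steps and question 7 describe, one client producing a run of NXDOMAIN answers whose first labels look like encoded data and all sit under a single agreed-upon parent domain. The three-field log format, the `covert.example` parent and the thresholds are assumptions.

```python
# Constructed detection example (not the presented tool): flag a client whose
# queries mostly return NXDOMAIN with data-like first labels under one parent.
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log reduced to "client qname rcode" per line
# (assumption: your resolver's query log can be mapped to these fields).
SAMPLE_LOG = """\
10.0.0.5 www.gnu.org NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 4e6574776f726b2073.covert.example NXDOMAIN
10.0.0.9 746567616e6f677261.covert.example NXDOMAIN
10.0.0.9 7068792075736e6720.covert.example NXDOMAIN
10.0.0.9 444e53204e43616368.covert.example NXDOMAIN
10.0.0.7 typo-hots.example.com NXDOMAIN
10.0.0.7 www.example.com NOERROR
"""
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")  # label that is a long hex chunk

def entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_log(text: str) -> list:
    """Return (client, qname, rcode) tuples; lines with other field counts are skipped."""
    return [(p[0], p[1].lower().rstrip("."), p[2].upper())
            for p in (line.split() for line in text.splitlines()) if len(p) == 3]

def suspicious_clients(rows, min_queries=4, min_nx_ratio=0.8, min_entropy=3.0):
    """Return {client: (nx_ratio, parent_domain)} for clients matching the heuristic."""
    total, nx_names = Counter(), defaultdict(list)
    for client, qname, rcode in rows:
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx_names[client].append(qname)
    flagged = {}
    for client, names in nx_names.items():
        ratio = len(names) / total[client]
        if total[client] < min_queries or ratio < min_nx_ratio:
            continue
        first = [q.split(".", 1)[0] for q in names]
        parent, share = Counter(q.partition(".")[2] for q in names).most_common(1)[0]
        data_like = (all(HEX_LABEL.match(l) for l in first)
                     or sum(map(entropy, first)) / len(first) >= min_entropy)
        if data_like and share == len(names):  # every NXDOMAIN name under one parent
            flagged[client] = (round(ratio, 2), parent)
    return flagged
```

The legitimate client with one typo (10.0.0.7) is not flagged because it neither reaches the query minimum nor the NXDOMAIN ratio; tune the thresholds against your own resolver's baseline.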