Steganography with TCP retransmissions
Polish researchers have described a way of hiding information in retransmissions of IP-based data traffic. Transmission errors are simulated in a TCP connection to provoke retransmissions and, before packets are retransmitted, their content is replaced with data intended to be concealed.
With the steganographic protocol known to both sender and receiver, a more or less hidden channel can be established. The researchers Wojciech Mazurczyk, Miłosz Smolarczyk and Krzysztof Szczypiorski call their method "Retransmission Steganography" (RSTEG). In principle, the approach will also work with other network protocols.
No further measures are taken to conceal the message, but since retransmissions are not a rarity when data are sent over the internet, the approach assumes they will not be conspicuous among the other traffic. According to the authors, anyone watching the traffic between sender and receiver will have difficulty spotting the hidden channel. Normal retransmissions are one of the problems, though: the recipient must be prepared to separate the steganographic packets from the naturally occurring retransmission packets generated by the recipient's own connections.
The report presents various ways to provoke such a retransmission and what effect each has on the bandwidth of the hidden channel. As expected, normal retransmission time-outs, triggered when the recipient withholds an acknowledgement, reduce the channel's bandwidth, since the sender has to wait for the time-out to expire. With Fast Retransmit/Recovery, the receiver sends several duplicate acknowledgements (ACKs) for a data segment, prompting the sender to retransmit immediately. This, however, increases the number of packets sent, because as a rule the sender retransmits a complete segment. When Selective Acknowledgement (SACK) is used, the receiver can tell the sender exactly which segment is to be retransmitted.
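The separation problem mentioned above also points to the natural detection check: in conforming TCP a retransmitted segment repeats the original bytes, so a passive monitor that remembers the first payload seen at each sequence number can flag retransmissions whose content changed. The following is an added example written for this article, not code from the researchers; the segment records and the flow tuple are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal view of one TCP data segment as a passive monitor would record it."""
    flow: tuple      # (src_ip, src_port, dst_ip, dst_port), constructed below
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


def find_altered_retransmissions(segments):
    """Return (findings, stats).

    findings: (seq, original_payload, retransmitted_payload) for every
    retransmission whose bytes differ from the first copy seen at that
    sequence number, which is the signature of RSTEG-style replacement.
    stats: counts of all retransmissions and of the altered ones, so
    benign byte-identical repeats are visible but not flagged.
    """
    first_seen = {}  # (flow, seq) -> payload of the first transmission
    stats = {"retransmissions": 0, "altered": 0}
    findings = []
    for s in segments:
        key = (s.flow, s.seq)
        if key not in first_seen:
            first_seen[key] = s.payload
            continue
        stats["retransmissions"] += 1
        if s.payload != first_seen[key]:
            stats["altered"] += 1
            findings.append((s.seq, first_seen[key], s.payload))
    return findings, stats


# Constructed sample traffic for one flow: seq 1100 is retransmitted unchanged
# (an ordinary loss), seq 1200 is retransmitted with its 22 bytes replaced.
FLOW = ("10.0.0.5", 40000, "10.0.0.9", 80)
SAMPLE = [
    Segment(FLOW, 1000, b"GET /index.html HTTP/1.1\r\n"),
    Segment(FLOW, 1100, b"Host: example.test\r\n"),
    Segment(FLOW, 1200, b"User-Agent: demo/1.0\r\n"),
    Segment(FLOW, 1100, b"Host: example.test\r\n"),    # benign retransmission
    Segment(FLOW, 1200, b"covert message bytes\r\n"),  # altered retransmission
]

if __name__ == "__main__":
    findings, stats = find_altered_retransmissions(SAMPLE)
    print(stats)
    for seq, orig, new in findings:
        print(f"seq {seq}: {orig!r} -> {new!r}")
```

A production monitor must compare only the overlapping byte ranges, since a sender may retransmit with different segment boundaries than the original; keying on the exact sequence number, as above, would miss or misjudge such partial retransmissions.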