Data Driven Attacks Using HTTP Tunneling
March 8, 2008 – 3:27 PM
While many systems administrators are turning to firewalls and routers, as well as intrusion detection and prevention, to control content on port 80 (HTTP, the Hypertext Transfer Protocol), attackers can use HTTP tunneling to bypass access control restrictions. Tunneling involves encapsulating traffic in HTTP headers; a tunneling program receives the HTTP traffic, strips out the headers, and forwards the traffic. Both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) packets can be sent this way. An attacker, once inside a network, can install an HTTP tunnel program to covertly access other parts of the network using other ports and services, such as Telnet (TCP port 23). An attacker could also gather intelligence about a network without alerting administrators with a visible port scan. Penetration testers can use HTTP tunneling to find holes that would otherwise go unnoticed, since most networks inspect inbound traffic but place few restrictions on outbound traffic.
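For defenders, the encapsulation described above suggests a content check on port 80: strip the HTTP headers the way the tunnel endpoint would and see whether what remains is another protocol. The sketch below is an added example, not code from the original article; the function names, the two-match threshold and the sample messages are assumptions constructed for illustration, and the SSH banner check goes beyond the Telnet case the article names.

```python
import re

# Telnet option negotiation (RFC 854): IAC (0xFF), then WILL/WONT/DO/DONT
# (0xFB-0xFE), then one option byte.
TELNET_NEGOTIATION = re.compile(rb"\xff[\xfb-\xfe].", re.DOTALL)
# SSH identification string sent at the start of a session (RFC 4253).
SSH_BANNER = re.compile(rb"SSH-\d\.\d+-")

def split_http_message(raw: bytes):
    """Strip the HTTP headers as a tunnel endpoint would; return (start_line, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, b""
    return head.split(b"\r\n")[0], body

def inspect_http_payload(raw: bytes):
    """Return the reasons the HTTP body looks like an encapsulated protocol."""
    start_line, body = split_http_message(raw)
    if start_line is None:
        return ["not a complete HTTP message"]
    findings = []
    # One 0xFF triple can occur by chance in binary data, so require two
    # (assumed threshold; tune against real traffic).
    if len(TELNET_NEGOTIATION.findall(body)) >= 2:
        findings.append("telnet option negotiation in body")
    if SSH_BANNER.match(body):
        findings.append("ssh version banner in body")
    return findings

# Constructed sample: a POST whose body is a Telnet negotiation burst
# (IAC DO terminal-type, window-size, X-display, new-environ).
TUNNEL_SAMPLE = (
    b"POST /index.html HTTP/1.1\r\nHost: tunnel.example\r\n"
    b"Content-Type: application/octet-stream\r\nContent-Length: 12\r\n\r\n"
    b"\xff\xfd\x18\xff\xfd\x1f\xff\xfd\x23\xff\xfd\x27"
)
# Constructed sample: an ordinary form submission.
BENIGN_SAMPLE = (
    b"POST /login HTTP/1.1\r\nHost: www.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 18\r\n\r\nuser=alice&lang=en"
)

if __name__ == "__main__":
    for name, msg in (("tunnel", TUNNEL_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, inspect_http_payload(msg))
```

This only catches cleartext encapsulation; a tunnel that encodes, compresses or encrypts its payload will not match, which is why restricting and logging outbound traffic matters as well.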