Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Heuristic based filtering

One method of prevention would be to implement an outbound filter that made use of contextual heuristics to determine if the traffic passing between two hosts might be potentially indicative of encapsulated data. For instance, a transparent HTTP proxy could monitor and track the variance of form and the spacing of requests and responses between two hosts. In the case of the simple HTTP tunnel described in this document, a transparent HTTP proxy could note that there is very little variance between the headers of both the requests and the responses and that the form of communication between the two hosts is unchanging. Though this could be made to work, there are a number of problems that make using this technique of prevention not entirely viable.

The first and foremost problem with this technique is that it does not actually prevent communication between the two entities until it has observed enough traffic to determine that the requests and responses are of a common form and pattern. This alone makes this method of "prevention" entirely unreasonable, but it is nonetheless worthy of consideration from a completeness standpoint. Other problems with this approach include the fact that it is very easy to fool by making the communication unpredictable, sporadic, and very similar to normal HTTP traffic. This makes a heuristic-based form of validation less favorable, as it will always need to err toward a non-positive verdict in order to avoid a poor user experience for legitimate traffic passing through the proxy.
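To make the two objections concrete, the following is an added example (not code from the article or from any proxy it describes) of the kind of uniformity heuristic a transparent proxy could apply per host pair: it fingerprints the form of each request's headers and measures how regular the spacing between requests is. The thresholds, the minimum sample count and both traffic samples are constructed assumptions; the "tunnel" sample has identical headers every two seconds, the "browsing" sample has varied headers at irregular intervals. The function returns None until it has seen enough requests, which is exactly the window in which this technique prevents nothing.

```python
import statistics
from dataclasses import dataclass


@dataclass
class Request:
    ts: float       # seconds since an arbitrary epoch (constructed)
    headers: dict   # header name -> value, in wire order


def header_shape(headers):
    # Fingerprint of a request's *form*: which headers appear, in which
    # order, and how long each value is. The values themselves are ignored,
    # so two requests with the same layout but different content match.
    return tuple((name.lower(), len(value)) for name, value in headers.items())


def uniformity_score(requests, min_samples=8):
    # Returns (shape_ratio, gap_cv) or None if there is too little history.
    # shape_ratio -> 1/n when every request has the same form, -> 1.0 when
    # every request differs. gap_cv is the coefficient of variation of the
    # inter-request gaps: 0.0 for perfectly periodic traffic.
    if len(requests) < min_samples:
        return None
    shapes = {header_shape(r.headers) for r in requests}
    shape_ratio = len(shapes) / len(requests)
    gaps = [b.ts - a.ts for a, b in zip(requests, requests[1:])]
    mean_gap = statistics.fmean(gaps)
    gap_cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    return shape_ratio, gap_cv


def looks_like_tunnel(requests, min_samples=8, max_shape_ratio=0.25, max_cv=0.2):
    # Assumed thresholds: flag only when both the header form and the timing
    # are unusually uniform. None means "cannot decide yet" (insufficient data).
    score = uniformity_score(requests, min_samples)
    if score is None:
        return None
    shape_ratio, gap_cv = score
    return shape_ratio <= max_shape_ratio and gap_cv <= max_cv


def _req(ts, **headers):
    # Helper for building constructed samples; underscores become dashes.
    return Request(ts, {k.replace("_", "-"): v for k, v in headers.items()})


# Constructed: a tunnel-like stream, identical form, one request every 2 s.
TUNNEL_REQUESTS = [
    _req(2.0 * i, Host="tunnel.example.invalid", User_Agent="Mozilla/4.0",
         Content_Type="application/octet-stream", Content_Length="1024")
    for i in range(10)
]

# Constructed: browsing-like traffic, varied headers, bursty timing.
UA = "Mozilla/5.0 (X11)"
H = "www.example.invalid"
BROWSING_REQUESTS = [
    _req(0.0, Host=H, User_Agent=UA, Accept="text/html"),
    _req(0.4, Host=H, User_Agent=UA, Accept="image/png", Referer="http://www.example.invalid/"),
    _req(0.9, Host=H, User_Agent=UA, Accept="text/css", Referer="http://www.example.invalid/index.html"),
    _req(5.1, Host=H, User_Agent=UA, Accept="text/html", Cookie="sid=abc123"),
    _req(5.3, Host=H, User_Agent=UA, Accept="image/jpeg", Referer="http://www.example.invalid/a", Cookie="sid=abc123"),
    _req(12.0, Host=H, User_Agent=UA, Accept="text/html", Cookie="sid=abc123; theme=dark"),
    _req(12.2, Host=H, User_Agent=UA, Accept="application/javascript", Referer="http://www.example.invalid/b"),
    _req(12.9, Host=H, User_Agent=UA, Accept="text/html", Cookie="sid=abc123"),
    _req(30.0, Host=H, User_Agent=UA, Accept="text/html"),
    _req(31.5, Host=H, User_Agent=UA, Accept="image/png", Referer="http://www.example.invalid/gallery"),
]


if __name__ == "__main__":
    print("tunnel-like  :", looks_like_tunnel(TUNNEL_REQUESTS))      # True
    print("browsing-like:", looks_like_tunnel(BROWSING_REQUESTS))    # False
    print("first 5 only :", looks_like_tunnel(TUNNEL_REQUESTS[:5]))  # None
```

The choice of a conjunction of two weak signals, rather than either alone, is what the text means by erring toward a non-positive verdict: a single regular interval or a single repeated header layout is common in legitimate traffic (keep-alive polling, auto-refreshing pages), so a proxy that blocked on one of them would disrupt ordinary users long before it caught a tunnel.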