Retransmission steganography in real-world scenarios: a practical study

Retransmission steganography (RSTEG) is one of the state-of-the-art network steganography techniques which can be used for various network protocols that make use of a retransmission mechanism. Essentially, RSTEG works by intentionally not acknowledging a correctly received segment to invoke a retransmission and secret data is embedded in the payload of the retransmitted segment. In this paper, we explore the characteristic features of RSTEG in laboratory and real-world setups. To this aim, a client/server architecture has been built with a simple TCP implementation based on retransmission timeout (RTO) that includes the RSTEG functionality. The application is able to communicate using an HTTP implementation built on top of it. The performed experiments evaluate the steganographic bandwidth, robustness and detectability of the implemented method. An average bandwidth of 5.2 kB/s was achieved for a 5% of retransmission probability on a 122 kB/s TCP throughput in a LAN environment. Also, a 500 B/s bandwidth was obtained while connecting to a high latency host through the Internet and we measured the bandwidth for different payload sizes under network impairments such as delays and packet loss. Lastly, we have tried to detect the implemented method using a Network Intrusion Detection System such as Snort.