network covert channels index

comprehensive technical reference for network covert channel techniques. this documentation is for educational and defensive security purposes.

technique catalog

technique	category	bandwidth	primary tool	detection difficulty	status
dns null record tunneling	dns	585 kbit/s	iodine	medium	✓
dns txt record tunneling	dns	10-50 kbit/s	dnscat2	low	✓
dns timing channels	dns	<1 bit/min	custom	very high	✓
dns over https tunneling	dns	100+ kbit/s	doh-proxy	high	✓
icmp tunneling	traditional	kbps-mbps	ptunnel-ng	medium	✓
ntp extension field tunneling	traditional	300-500 bytes/packet	custom	high	✓
ntp timing channels	traditional	<1 bit/min	academic	very high	✓
dhcp option field tunneling	traditional	~192 bytes/exchange	hide_dhcp	very high	✓
http/https tunneling	web	60-80% tcp	abptts	medium	✓
websocket tunneling	web	95-98% tcp	wstunnel	medium-high	✓
webrtc data channels	web	90-95% udp	rtctunnel	high	✓
quic connection id manipulation	modern	near tcp	quicc	high	✓
ipv6 extension headers	modern	5+ bits/packet	custom	high	✓
mqtt tunneling	iot	variable	mqtt_vpn	medium	✓
lorawan covert channels	iot	~38 bits/packet	cloaklora	high	✓
coap protocol tunneling	iot	variable	cceap	medium	✓

github repositories

comprehensive toolkits

repository	description	techniques covered
cdpxe/networkcovertchannels	academic toolkit	multiple network protocols
mindcrypt/covertchannels-steganography	resource collection	comprehensive list

dns tunneling

repository	technique	performance
yarrick/iodine	null records	585 kbit/s
iagox86/dnscat2	txt records	encrypted c2
lukebaggett/dnscat2-powershell	txt records	windows client

protocol tunneling

repository	protocol	description
dhavalkapil/icmptunnel	icmp	virtual tunnel interface
utoni/ptunnel-ng	icmp	tcp over icmp
lacraig2/jhu_ntp_covert_channel	ntp	extension field exploitation
rubenrdp/hide_dchp	dhcp	sname/file field tunneling

web tunneling

repository	protocol	features
nccgroup/abptts	http/https	tcp tunneling
erebe/wstunnel	websocket	gigabit speeds
rtctunnel/rtctunnel	webrtc	p2p tunneling
sensepost/regeorg	http	socks proxy

modern protocols

repository	protocol	description
nuvious/quicc	quic	connection id exploitation
ocram95/ipv6cc_softwarex	ipv6	extension header channels
martin-ger/mqtt_vpn	mqtt	ip over mqtt

real-world usage

threat actors

apt29: dns tunneling for c2
apt32: txt record exfiltration
apt34: multiple dns techniques
2014 home depot breach: 56m cards via dns

commercial frameworks

cobalt strike: malleable c2 profiles ($3,540+ annually)
metasploit: dns/http tunneling modules
empire: multiple tunnel options

academic research

key researchers

steffen wendzel: networkcovertchannels toolkit, pattern-based taxonomy
mordechai guri: 30+ air-gap techniques (beyond network scope)
nikolaos tsapakis: ntp covert channels (virus bulletin)

conferences

usenix security symposium
ieee symposium on security and privacy
acm conference on computer and communications security
virus bulletin conference

detection resources

datasets

cic-bell-dns-exf-2021: dns tunneling samples
malware traffic analysis: pcap collections
academic datasets: ieee/usenix repositories

detection accuracy

technique	ml detection rate	method
dns tunneling	99.38%	lstm models
http tunneling	85-95%	pattern analysis
websocket	80-90%	connection analysis
icmp tunneling	75-85%	packet inspection

disclaimer

this documentation is for educational and defensive security purposes only. understanding these techniques is essential for:

security professionals implementing detection systems
researchers developing countermeasures
incident responders identifying compromise indicators
compliance teams assessing organizational risk

unauthorized implementation or use may violate laws and policies. always ensure proper authorization before testing.