The times when it was enough to install an antivirus to protect yourself from hackers are long gone. We actually don’t hear much about viruses anymore. Nowadays, however, there are many different, more internet-based threats. And unfortunately, you don’t need to be a million-dollar company to become the target of an attack. Hackers these days use automated scanners that search for vulnerable machines all over the internet. One such modern threat is a traffic analysis attack. In this post, you’ll learn what a traffic analysis attack is and some countermeasures to protect yourself from it.
What Is a Traffic Analysis Attack?
You may guess from the name that a traffic analysis attack has something to do with, well…analyzing network traffic. And you’d be right! But what does that actually mean?
In a traffic analysis attack, a hacker tries to gain access to the same network as you in order to listen to (and capture) all your network traffic. From there, the hacker can analyze that traffic to learn something about you or your company. So, unlike in other, more popular attacks, the hacker is not actively trying to break into your systems or crack your password. Therefore, we classify this attack as a passive attack.
What Can Traffic Analysis Reveal About You?
Analyzing a person’s network traffic can tell a hacker a lot. And if you think you’re safe because you encrypt your traffic, then you’re wrong. Traffic analysis attacks also work with encrypted data. And we’re not talking about decrypting that traffic. How’s that possible? Well, encrypting traffic in most cases only secures the content of the traffic. But an attacker can still obtain some information from it. It’s all about the metadata.
Imagine a simple scenario of two people talking via some messaging software. An attacker can’t read the actual messages because the traffic is encrypted. But by analyzing the (encrypted) traffic, they can learn, for example, when and how many messages were sent. Even this simple information can tell a lot.
By searching for patterns in captured traffic, an attacker can, for example, figure out when you typically wake up and go to sleep. Add the device name and location to that, and now the attacker knows when you leave your house and when you usually come back.
Even lack of traffic can say something. If it breaks the pattern, it can mean that you went on vacation (which means that it’s a good time to break into your house). That was only a simple example of analyzing traffic between two people. Imagine how much an attacker can learn by analyzing traffic from your company office or your data center.
In some scenarios, an attacker can use traffic analysis as a base for other attacks. Take SSH, for example. Every time you press a key on your keyboard, SSH sends a separate IP packet. By analyzing these packets, an attacker can distinguish the timing between key presses. They can then use this information, for example, to guess users’ password lengths, which in effect helps an attacker narrow down brute-force attacks. With more advanced techniques, an attacker can even guess the actual keys you are pressing using statistical methods.
Traffic analysis can also help attackers understand the network structure and pick their next target. For example, if there is much more traffic coming to and from one specific node, it’s probably a good target for trying more active attacks.
On the other hand, a server that doesn’t get many connections may be an easy target. There is a chance that it’s a less important server or even a test server, and therefore, it may be less secure. Now imagine we apply this approach to military traffic. By analyzing that traffic, a hacker may try to find the location of a command center.
There’s a whole other story with SIP/VoIP traffic. Even if the actual voice call is encrypted, the connection initialization might not be. This means that the attacker can see phone numbers that are being called. Even if phone numbers are encrypted too, in some cases, an attacker will still be able to use traffic analysis to get some useful information.
For example, if an attacker tries a phishing attack on one of the employees, they can monitor the SIP/VoIP traffic at the same time. This will help them check whether that employee is calling the security department (which can be identified by the IP address the traffic is flowing to).
How to Protect Yourself
There is good news and bad news. The bad news is that it’s not that easy to protect yourself from traffic analysis attacks. It’s the same with other passive attacks. Since an attacker isn’t doing anything besides listening, it’s hard to detect them. The good news is that this type of attack is pretty time-consuming: it requires hours of analysis, and an attacker needs to get access to your network somehow first.
Nevertheless, there are some countermeasures you can take to protect yourself from traffic analysis attacks.
Encrypt the Traffic
We mentioned before that a traffic analysis attack works even with encrypted traffic. That’s true, but encryption definitely makes traffic analysis more difficult. You may also think that it’s obvious that you should encrypt your traffic, but many companies skip encrypting some internal traffic. The thinking goes that the traffic is internal by design, so no unauthorized person should have access to it. So, while it takes a little extra effort to encrypt the traffic where (in theory) you don’t need to, it helps make attackers’ jobs more difficult.
Network address translation is a surprisingly effective way of preventing traffic analysis attacks. Since all the traffic is routed through a NAT device and the internal IP addresses are rewritten to, and hidden behind, the NAT device’s own address, an attacker loses a lot of important information. For example, they won’t be able to easily see who is connecting with whom, which is one of the main goals of this attack.
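The following is an added illustration, not code from the post: a minimal source NAT (port-address translation) model that shows what the “who talks to whom” graph looks like to a passive observer on the internal segment versus one on the uplink after translation. All addresses and ports are constructed sample values; NAT_IP and the port range are assumptions.

```python
from itertools import count
from typing import Dict, List, Set, Tuple

# Constructed values (assumptions): private addresses inside,
# a documentation-range address for the NAT device's public side.
NAT_IP = "203.0.113.10"
FIRST_NAT_PORT = 40000

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


class SourceNat:
    """Rewrite each internal (ip, port) source to (NAT_IP, allocated port)."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int], int] = {}
        self._ports = count(FIRST_NAT_PORT)

    def translate(self, flow: Flow) -> Flow:
        src, sport, dst, dport = flow
        key = (src, sport)
        if key not in self.table:            # new connection: allocate a port
            self.table[key] = next(self._ports)
        return (NAT_IP, self.table[key], dst, dport)


def who_talks_to_whom(flows: List[Flow]) -> Set[Tuple[str, str]]:
    """The relationship graph a passive listener reconstructs from flows."""
    return {(f[0], f[2]) for f in flows}


def observer_views(flows: List[Flow]) -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
    """Return (graph seen on the internal segment, graph seen on the uplink)."""
    nat = SourceNat()
    inside = who_talks_to_whom(flows)                              # before NAT
    outside = who_talks_to_whom([nat.translate(f) for f in flows])  # after NAT
    return inside, outside


# Constructed sample flows: three internal hosts talking to two external hosts.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.11", 51000, "198.51.100.5", 443),
    ("10.0.0.12", 51001, "198.51.100.5", 443),
    ("10.0.0.13", 51002, "198.51.100.9", 5060),
]

if __name__ == "__main__":
    inside, outside = observer_views(SAMPLE_FLOWS)
    print("internal segment sees:", sorted(inside))
    print("uplink sees:", sorted(outside))
```

The uplink observer sees a single source address, so the per-host relationships are gone; an attacker who is already on the internal segment still sees every pair, which is why NAT only helps against listeners outside the translated network.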
“Pad” the Traffic
If you’re looking for every possible way to prevent any possible attack, here’s something to help with traffic analysis attacks. Padding the traffic means inserting fake packets into the traffic stream. It confuses the attacker and, in some cases, makes it seem like the traffic doesn’t make sense. The real traffic blends in with the fake traffic.
Of course, this brings us back to the traffic encryption tips. This countermeasure will only work with encrypted traffic. Without it, an attacker will simply be able to see which packets are fake and filter them out.
Another more advanced countermeasure is controlling the timing of the packets. In this method, you place traffic first into a queue and only release it at specific times. From the attacker’s perspective, such traffic will look artificial. Therefore, they won’t be able to perform most of the standard time-based analysis.
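As an added example (not from the post), here is a simulation that combines the two countermeasures just described: real data is queued and released as fixed-size cells at a fixed tick, and a dummy cell is sent whenever the queue is empty. The cell size, tick interval and sample messages are constructed assumptions; the point is that the size/timing pattern on the wire no longer depends on the messages.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed shaper parameters (assumptions, not values from the post).
CELL_SIZE = 512   # every cell leaving the shaper has exactly this many bytes
TICK_MS = 100     # a cell leaves at every tick, whether or not real data waits


@dataclass
class Message:
    t_ms: int   # time the application handed the message to the shaper
    size: int   # payload size in bytes before padding


Cell = Tuple[int, int]  # (time on the wire in ms, size in bytes)


def unshaped(messages: List[Message]) -> List[Cell]:
    """Wire view with no countermeasure: times and sizes track the messages."""
    return [(m.t_ms, m.size) for m in sorted(messages, key=lambda m: m.t_ms)]


def shape(messages: List[Message], end_ms: int) -> Tuple[List[Cell], int]:
    """Queue real data and emit one fixed-size cell per tick up to end_ms.

    Returns the cells an observer sees and how many carried only padding.
    Cell contents must be encrypted, otherwise dummy cells are trivially
    filtered out. A real shaper runs continuously; the fixed window here
    keeps the trace length independent of the input as well.
    """
    msgs = sorted(messages, key=lambda m: m.t_ms)
    i, pending, dummies, wire = 0, 0, 0, []
    for t in range(0, end_ms + 1, TICK_MS):
        while i < len(msgs) and msgs[i].t_ms <= t:   # enqueue new arrivals
            pending += msgs[i].size
            i += 1
        if pending > 0:
            pending -= min(pending, CELL_SIZE)        # real cell, padded to size
        else:
            dummies += 1                              # dummy cell: padding only
        wire.append((t, CELL_SIZE))
    return wire, dummies


def pattern(cells: List[Cell]) -> Tuple[Set[int], Set[int]]:
    """What timing analysis extracts: distinct sizes and inter-arrival gaps."""
    sizes = {s for _, s in cells}
    gaps = {b[0] - a[0] for a, b in zip(cells, cells[1:])}
    return sizes, gaps


if __name__ == "__main__":
    chat = [Message(0, 100), Message(250, 1200), Message(900, 40)]  # constructed
    print("unshaped:", pattern(unshaped(chat)))
    wire, dummies = shape(chat, 2000)
    print("shaped:", pattern(wire), "dummy cells:", dummies)
```

The shaped trace for a busy chat and for a completely idle link are identical, so the "when and how many messages" signal from earlier in the post is gone; the cost is the bandwidth spent on dummy cells and the latency added by the queue.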
Traffic analysis attacks, as passive attacks, aren’t the easiest to prevent. Also, because it can look like an attacker “doesn’t actually do anything,” you may get the wrong impression that it’s nothing worth preventing, especially if all your traffic is encrypted. Hopefully, this post convinced you otherwise. You now have an idea of what you can do to shield yourself from traffic analysis attacks. But if you want to learn even more about securing your data with the tools you already have, you can watch this webinar.
This post was written by Dawid Ziolkowski. Dawid has 10 years of experience, starting as a Network/System Engineer, then in DevOps, and most recently as a Cloud Native Engineer. He’s worked for an IT outsourcing company, a research institute, a telco, a hosting company, and a consultancy, so he’s gathered a lot of knowledge from different perspectives. Nowadays he’s helping companies move to the cloud and/or redesign their infrastructure for a more Cloud Native approach.