Member Labs

NSA Technology Detects Intermediary Computers on Network

NSA Security

One way hackers and other bad actors hide their identity and location on a network is through the use of a proxy or an intermediary device, also known as a stepping stone. What they cannot hide, however, is the transmission time, or latency, incurred in linking through the proxy. When such a device is employed, the round-trip transmission time seen from the attacked computer to the intermediary is smaller than the round-trip time to the application being used by the bad actor. This is a result of the unavoidable extra path length between the bad actor and the proxy. Comparing such times allows security administrators to detect the stepping stone.

The National Security Agency (NSA) has developed a patented methodology (US 7,466,654) that uses latency differences to detect proxy devices. A sensor, such as a standard packet sniffer or other custom software, is placed on the user’s computer to record communication packets to and from the bad actor’s communication device. The packet times are recorded and analyzed to extract the minimum network layer latency (the time to a potential stepping stone) and the minimum application layer latency (the time to where the application is running). When those two latency times are the same, the application is running at the advertised network connection. But as the application layer latency grows larger than the network layer latency, it becomes an indicator that the application is not being operated from the advertised network connection, but from elsewhere.
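The comparison described above can be sketched over recorded packet times. This is an added example, not the patented method or NSA code: the `Pkt` record, the pairing rule (first acknowledging segment for network latency, first reply payload for application latency), the 20 ms threshold and the sample captures are all assumptions constructed for illustration.

```python
from collections import namedtuple

# One TCP packet as recorded by the sensor on the monitored host.
# direction: "out" = monitored host -> remote, "in" = remote -> monitored host.
Pkt = namedtuple("Pkt", "t direction seq ack length")

def min_latencies(packets):
    """Return (minimum network-layer RTT, minimum application-layer RTT) in seconds."""
    net, app = [], []
    for i, p in enumerate(packets):
        if p.direction != "out" or p.length == 0:
            continue
        expected_ack = p.seq + p.length
        acked = False
        for q in packets[i + 1:]:
            if q.direction != "in" or q.ack < expected_ack:
                continue
            if not acked:          # first segment acknowledging our data
                net.append(q.t - p.t)
                acked = True
            if q.length > 0:       # first segment carrying a reply payload
                app.append(q.t - p.t)
                break
    if not net or not app:
        raise ValueError("no complete request/reply pair in capture")
    return min(net), min(app)

def assess(packets, threshold=0.020):
    """Flag the connection when the application minimum exceeds the network
    minimum by more than `threshold` seconds (assumed value, tune per network)."""
    net, app = min_latencies(packets)
    return {"net_min": net, "app_min": app, "suspected": app - net > threshold}

def constructed_capture(ack_delays, reply_delays):
    """Constructed sample: one 10-byte request per second, 20-byte replies."""
    pkts, seq, rseq = [], 1000, 5000
    for n, (a, r) in enumerate(zip(ack_delays, reply_delays)):
        pkts.append(Pkt(float(n), "out", seq, rseq, 10))
        seq += 10
        if a < r:                  # bare ACK arrives ahead of the reply
            pkts.append(Pkt(n + a, "in", rseq, seq, 0))
        pkts.append(Pkt(n + r, "in", rseq, seq, 20))
        rseq += 20
    return pkts

DIRECT = constructed_capture([0.031, 0.030, 0.033], [0.031, 0.030, 0.033])
RELAYED = constructed_capture([0.031, 0.030, 0.033], [0.162, 0.150, 0.171])

if __name__ == "__main__":
    print("direct :", assess(DIRECT))
    print("relayed:", assess(RELAYED))
```

Taking the minimum over many request/reply pairs discounts queuing and processing delay, so the remaining gap reflects path length rather than a single slow response.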

Benefits of this technology include:

  • Leveraging passively collected network latency data
  • Transparency to network devices
  • Indication whether the client computer is near or far from the stepping stone

This technology has several potential Information Assurance (IA) applications, including use as a tool:

  • To ensure that network usage guidelines are not circumvented by means of an intermediary
  • For any case where the operator’s location is used for transaction verification

For more information on this and other network and communications technologies available from the NSA, email NSA Tech Transfer.
