MultiPath TCP (MPTCP) RFC6824 Wifi Offloading (4G LTE)

4 Posts
2 Users
0 Reactions
606 Views
RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
Topic starter  

Complex case of data flown over MPTCP to reconstruct for chain of evidence. Who has experience in MPTCP forensics to help?


MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

MPTCP is a new experimental protocol from 2013, so I do not think many have, myself included.

However, I did read the RFC https://tools.ietf.org/html/rfc6824

Wireshark seems to have support for parts of MPTCP
https://www.wireshark.org/docs/dfref/m/mptcp.html

(Though I'd use TShark -T fields -e fieldname to dump the fields of the protocol to a textfile.)

The protocol itself reveals which IP addresses are part of the transfer (ADD_ADDR and REMOVE_ADDR) and the substreams that are opened up. If you can get this info, you can reconstruct (watch out for retransmits, which are also advertised).

ADD_ADDR
https://tools.ietf.org/html/rfc6824#section-3.4.1

REMOVE_ADDR
https://tools.ietf.org/html/rfc6824#section-3.4.2

You could probably also reconstruct with the Subflow tokens too, since they are described as "Connection ID".
https://tools.ietf.org/html/rfc6824#page-6

My first alternative to reconstructing data would be to focus on the hosts (sender and receiver) by trying to determine the network data to see what is being transferred (if not encrypted, which the RFC does leave open), then do investigation on both sides, if the data warrants it.

For future reference

https://tools.ietf.org/html/rfc6824#section-3.6

Looks like it can be attacked to revert back to single-flow TCP, which could be useful in an investigation. Though it could possibly be detectable by the person(s) who are being investigated. I'm guessing it could also be possible to physically disconnect the network a flow uses to make it single-flow. Or faking RST, FIN or the specific DATA_FIN packets if possible/allowed.

Wish you good luck.

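As an added example that is not from MDCR's post, the RFC, or any Wireshark tooling: the Python below reconstructs MPTCP connection membership the way the post describes, from the text dump of a `tshark -T fields` run. It assumes the capture was exported with `tshark -r capture.pcap -Y tcp.options.mptcp.subtype -T fields -E separator=/t -e frame.time_relative -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags -e tcp.options.mptcp.subtype -e tcp.options.mptcp.sendkey -e tcp.options.mptcp.recvtoken -e tcp.options.mptcp.addrid -e tcp.options.mptcp.ipv4 -e tcp.options.mptcp.rawdataseqno -e tcp.options.mptcp.datalvllen` (field names are from the `tcp.options.mptcp.*` family on the dfref page linked above; check them against the Wireshark version actually installed), and the sample rows embedded in it are constructed, not taken from a real capture. It links MP_JOIN subflows to the initial connection by deriving tokens from the MP_CAPABLE keys (RFC 6824 section 3.2: the token is the most significant 32 bits of SHA-1 over the key), records ADD_ADDR / REMOVE_ADDR events per host, and walks the DSS data-sequence space so that retransmits and holes are reported rather than counted twice or silently missed.

```python
"""Link MPTCP subflows, address events and data-level sequence coverage from tshark output."""
import hashlib
from collections import defaultdict

# MPTCP option subtypes, RFC 6824 section 3 (carried in tcp.options.mptcp.subtype).
MP_CAPABLE, MP_JOIN, DSS, ADD_ADDR, REMOVE_ADDR = 0, 1, 2, 3, 4
SYN, ACK = 0x02, 0x10            # bits of tcp.flags

# Column order of the assumed tshark -T fields invocation (see lead-in), one row per segment.
FIELDS = ["time", "src", "dst", "sport", "dport", "flags", "subtype", "sendkey",
          "recvtoken", "addrid", "ipv4", "dsn", "dlen"]


def token_of(key: int) -> int:
    """RFC 6824 s3.2: token = most significant 32 bits of SHA-1 over the 64-bit key (big-endian)."""
    return int.from_bytes(hashlib.sha1(key.to_bytes(8, "big")).digest()[:4], "big")


def num(s):
    """tshark prints some fields decimal and some 0x-hex; int(s, 0) accepts both."""
    return int(s, 0) if s else None


def parse_rows(text):
    """One dict per non-empty tab-separated line; absent trailing columns become ''."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append(dict(zip(FIELDS, line.split("\t") + [""] * len(FIELDS))))
    return rows


def reconstruct(rows):
    """Group subflows into MPTCP connections via key-derived tokens and collect events."""
    conns = {}          # connection id (initial subflow 4-tuple) -> record
    by_token = {}       # token -> (connection id, host label: "A" initiator / "B" responder)
    by_flow = {}        # unordered pair of endpoints -> connection id
    host_of = {}        # (ip, port) endpoint -> host label
    orphans = []        # MP_JOIN SYNs whose token matches no observed MP_CAPABLE
    for r in rows:
        src, dst = (r["src"], r["sport"]), (r["dst"], r["dport"])
        flow, flags = frozenset([src, dst]), num(r["flags"]) or 0
        # A segment may carry several MPTCP options; tshark joins their subtypes with commas.
        for st in (int(x) for x in r["subtype"].split(",") if x):
            if st == MP_CAPABLE and flags & SYN and not flags & ACK:      # SYN: initiator's key
                cid = src + dst
                conns[cid] = {"subflows": [cid], "addr_events": [], "data": defaultdict(list)}
                by_flow[flow], host_of[src], host_of[dst] = cid, "A", "B"
                by_token[token_of(num(r["sendkey"]))] = (cid, "A")
            elif st == MP_CAPABLE and flags & SYN and flow in by_flow:    # SYN/ACK: responder's key
                by_token[token_of(num(r["sendkey"]))] = (by_flow[flow], "B")
            elif st == MP_JOIN and flags & SYN and not flags & ACK:       # new subflow joining
                hit = by_token.get(num(r["recvtoken"]))
                if hit is None:
                    orphans.append(src + dst)
                    continue
                cid, joined = hit                  # the token names the host being joined (dst)
                by_flow[flow] = cid
                host_of[dst], host_of[src] = joined, "B" if joined == "A" else "A"
                conns[cid]["subflows"].append(src + dst)
            elif flow in by_flow:
                cid, host = by_flow[flow], host_of[src]
                if st == ADD_ADDR:
                    conns[cid]["addr_events"].append((r["time"], host, "ADD_ADDR", num(r["addrid"]), r["ipv4"]))
                elif st == REMOVE_ADDR:
                    conns[cid]["addr_events"].append((r["time"], host, "REMOVE_ADDR", num(r["addrid"]), ""))
                elif st == DSS and r["dsn"] and r["dlen"]:
                    dsn, dlen = num(r["dsn"]), num(r["dlen"])
                    conns[cid]["data"][host].append((dsn, dsn + dlen))
    return conns, orphans


def coverage(ranges):
    """Walk data-level [start, end) ranges in sequence order: count unique bytes, flag ranges
    already fully covered (retransmits / reinjections on another subflow), and list holes."""
    total, retrans, gaps, end = 0, 0, [], None
    for start, stop in sorted(ranges):
        if end is not None and stop <= end:
            retrans += 1
            continue
        if end is not None and start > end:
            gaps.append((end, start))
        total += stop - max(start, end if end is not None else start)
        end = stop
    return {"bytes": total, "retransmits": retrans, "gaps": gaps}


def report(conns):
    """Per connection: subflows, address events, and per-host data-level coverage."""
    return {cid: {"subflows": c["subflows"], "addr_events": c["addr_events"],
                  "coverage": {h: coverage(v) for h, v in c["data"].items()}}
            for cid, c in conns.items()}


B_KEY = 0xAAAABBBBCCCCDDDD
# Constructed sample rows (not a real capture): host A starts on Wi-Fi 10.0.0.2, advertises its
# LTE address 192.0.2.20, joins a second subflow from it, then drops the Wi-Fi address (id 1).
SAMPLE = "\n".join("\t".join(row) for row in [
    ("1.000", "10.0.0.2", "203.0.113.5", "40000", "443", "0x0002", "0", "0x1111222233334444", "", "", "", "", ""),
    ("1.010", "203.0.113.5", "10.0.0.2", "443", "40000", "0x0012", "0", "0xaaaabbbbccccdddd", "", "", "", "", ""),
    ("1.020", "10.0.0.2", "203.0.113.5", "40000", "443", "0x0010", "0", "0x1111222233334444", "", "", "", "", ""),
    ("1.500", "10.0.0.2", "203.0.113.5", "40000", "443", "0x0018", "2", "", "", "", "", "1", "1000"),
    ("1.520", "10.0.0.2", "203.0.113.5", "40000", "443", "0x0018", "2", "", "", "", "", "1001", "1000"),
    ("1.530", "203.0.113.5", "10.0.0.2", "443", "40000", "0x0018", "2", "", "", "", "", "1", "200"),
    ("1.600", "10.0.0.2", "203.0.113.5", "40000", "443", "0x0010", "3", "", "", "2", "192.0.2.20", "", ""),
    ("2.000", "192.0.2.20", "203.0.113.5", "40001", "443", "0x0002", "1", "", str(token_of(B_KEY)), "2", "", "", ""),
    ("2.010", "203.0.113.5", "192.0.2.20", "443", "40001", "0x0012", "1", "", "", "", "", "", ""),
    ("2.500", "192.0.2.20", "203.0.113.5", "40001", "443", "0x0018", "2", "", "", "", "", "1001", "1000"),
    ("2.520", "192.0.2.20", "203.0.113.5", "40001", "443", "0x0018", "2", "", "", "", "", "2001", "500"),
    ("3.000", "192.0.2.20", "203.0.113.5", "40001", "443", "0x0010", "4", "", "", "1", "", "", ""),
    ("3.100", "192.0.2.20", "203.0.113.5", "40001", "443", "0x0018", "2", "", "", "", "", "3001", "100"),
])

if __name__ == "__main__":
    conns, orphans = reconstruct(parse_rows(SAMPLE))
    for cid, summary in report(conns).items():
        print(cid, summary)
    print("unlinked MP_JOIN subflows:", orphans)
```

On the constructed rows this yields one connection with two subflows (the 192.0.2.20 one linked purely through the token of the responder's key), an ADD_ADDR then a REMOVE_ADDR from host A, and for A's direction 2600 unique bytes with one range counted as a retransmit (the 1001..2000 block reinjected over the LTE subflow) and a hole at 2501..3000 that the capture never saw. Recent Wireshark releases also expose an `mptcp.stream` index that does the token linking for you; running both and comparing is a cheap cross-check for the evidential record. ADD_ADDR is a claim by the sending host, so the advertised address should be corroborated by an actual MP_JOIN from it before it is treated as a location of the device.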
RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
Topic starter  

Thank you, great analysis. The case is more complex. The connection to the cloud service provider was running over Wifi Offloading (the mobile com cell pulls the connection to a Small Cell (Wifi) to make free space on the cell). The Virtual Mobile Network Operator (VMNO) is somehow unable to get the logs from the (physical) MNO. As the endpoint device is missing, but data of the cloud provider indicates that MPTCP was in use, we fight. We actually use MPTCP for a more precise suspect geospatial position: cell triangulation has been here for a long time but is imprecise, so we hope for the Small Cell of the MNO to give us information about location. Forensic data for precise location timeline lookup. Pure fun, as it is heavily complex :-)

WP about LTE wlan offloading here
LTE wlan offloading

RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
Topic starter  

Found a presentation about Robust Session Management of MPTCP; you may like to fly over it.

https://datatracker.ietf.org/meeting/99/materials/slides-99-mptcp-a-proposal-for-mptcp-robust-session-establishment-mptcp-robe
