Runion

Cover traffic and covering tracks inside system

xuitao

Light Weight
Deposit
$0
For some reason there is no dedicated discussion about this, in my understanding, extremely important but ignored subject. I did some searches online but couldn't find anything useful. Does anyone want to share some ideas? Let me begin.

Cover traffic, or dummy traffic as it is sometimes called, is a type of network traffic which is meaningless for somebody "at work"; the sole purpose of such traffic is to make it as hard as possible to see what is actually going on with the traffic going in and out of the machine. Without cover traffic, external observers, depending on their skills, can recognize and separate traffic. If they are following the chain, they could say whether the machine is the originator, a relay or the terminator of the traffic, especially if they get access to the machine.

At the moment I think that cover traffic is a bespoke thing, meaning that there is no one-works-for-everything scenario, but there could be some templates. Also, cover traffic is a thing which must be adapted to the plan, not the other way around. For example, cover traffic should be different in the scenario where the purpose of the machine is to send and receive as much traffic as possible compared to a machine which relays audio/video traffic. In the first scenario random connections and downloading large files from many different websites could be an option, and for audio/video something like BitTorrent could be an option, obviously controlling quality of service to make sure this traffic won't affect audio/video latency.
If I were tasked with understanding what is going on with a hacked machine, I would also find things very hard to understand if the machine behaved one way one hour but completely differently the next, and so on.

When it comes to hiding things inside the box, I think setting up everything in tmp/ramfs is one of the first things to do. If the machine gets rebooted or if the connection is lost, it is debatable whether it is worth connecting back and restoring things manually. Maybe it is worth abandoning such a machine if the stakes are high? Or maybe it is worth adding some hidden loaders inside the system, so that when the machine comes back online some hidden scripts/binaries will restore everything automatically?
 
Top
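The post claims that random connections to many websites make it hard for an observer to separate the real traffic from the noise. The following added example (not code from the post or from the forum) shows the analysis a defender actually runs against a connection log: flows are grouped per destination and the regularity of the gaps between connections to each destination is scored, so a host contacted on a fixed schedule stands out no matter how many unrelated "cover" flows surround it. The flow records, the destination `203.0.113.7` (a TEST-NET-3 placeholder), the `cdn*.example.net` hostnames, and the threshold values are all constructed assumptions for the demonstration; in practice the records would come from NetFlow or Zeek `conn.log`.

```python
"""Per-destination beacon detection over a connection log.

Added example, not code from the forum post. All flow records below are
constructed; the destination addresses and names are placeholders.
"""
import random
import statistics
from collections import defaultdict


def regularity_scores(flows, min_flows=10):
    """Return {dst: coefficient of variation of inter-connection gaps}.

    flows: iterable of (timestamp_seconds, dst) tuples.
    A coefficient of variation near 0 means the connections to that
    destination are near-periodic; random browsing-style traffic scores
    close to 1. Destinations with fewer than min_flows records are skipped
    because a handful of gaps says nothing about periodicity.
    """
    by_dst = defaultdict(list)
    for ts, dst in flows:
        by_dst[dst].append(float(ts))

    scores = {}
    for dst, times in by_dst.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap == 0:
            continue  # all records share one timestamp; nothing to measure
        scores[dst] = statistics.pstdev(gaps) / mean_gap
    return scores


def flag_beacons(flows, cv_threshold=0.15, min_flows=10):
    """Destinations whose connection cadence is regular enough to flag.

    cv_threshold is a tuning assumption, not a universal constant.
    """
    scores = regularity_scores(flows, min_flows)
    return sorted(dst for dst, cv in scores.items() if cv <= cv_threshold)


def build_sample_flows(seed=1):
    """Constructed sample: one scheduled connection hidden in random noise."""
    rng = random.Random(seed)
    flows = []
    # Constructed: a connection to one host every 60 s for half an hour.
    for i in range(30):
        flows.append((1000.0 + 60 * i, "203.0.113.7"))
    # Constructed "cover" traffic: 300 connections to 40 unrelated sites
    # at uniformly random times over the same half hour.
    sites = [f"cdn{i}.example.net" for i in range(40)]
    for _ in range(300):
        flows.append((1000.0 + rng.uniform(0, 1800), rng.choice(sites)))
    rng.shuffle(flows)  # log order carries no information here
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    for dst, cv in sorted(regularity_scores(sample).items(), key=lambda kv: kv[1]):
        print(f"{dst:24s} cv={cv:.3f}")
    print("flagged:", flag_beacons(sample))
```

The scheduled host scores a coefficient of variation of exactly 0 while the random-cover destinations cluster near 1, which is the point the post's threat model misses: volume of unrelated traffic does not change the per-destination cadence, so cover traffic on its own does not stop this separation. Thresholds, minimum flow counts and the time window are the knobs to tune against your own baseline.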