Lesson 03: Blending with Traffic

Estimated read time: ~5 minutes • Last updated: September 4, 2025

Network Ops Camouflage Evasion

Learning Objectives

  • Explain why blending with baseline traffic is essential to evasion.
  • Identify patterns defenders flag: unusual protocols, timing, destinations, and sizes.
  • Apply techniques to mimic ports, protocols, timing jitter, and data volume.

Blue teams don’t need to see everything—they look for what doesn’t fit. Your goal is not invisibility but indistinguishability: make your flows look like everyone else’s.

How Detection Works (Practically)

  • Protocol rarity: ICMP tunnels, raw TCP, or custom C2 frames on odd ports.
  • Timing regularity: beacons at perfectly even intervals (e.g., exactly every 60s).
  • Volume anomalies: exfil spikes outside business hours or mismatched to user behavior.
  • Rare destinations: traffic to unstable, low-reputation IPs or brand-new domains.
  • Header fingerprints: TLS JA3/HTTP headers that don’t match common clients.

Operator heuristic: If your traffic would make a sensible helpdesk ticket (“Why are we FTPing 12GB to Bulgaria at 03:00?”), it’s not blended.
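To show the defender's side of the two signals above (timing regularity and off-hours volume), here is an added example, not code from the original lesson: it scores constructed flow records per destination by the coefficient of variation of inter-arrival gaps and by bytes sent outside business hours. The IP addresses, thresholds, and business-hours window are assumptions chosen for the sample.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass
class Conn:
    ts: datetime      # connection start time
    dst: str          # destination address
    bytes_out: int    # bytes sent by the internal host

def inter_arrival_cv(times):
    """Coefficient of variation of gaps between connections; near 0 means a metronomic beacon."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def flag_regular_beacons(conns, min_conns=5, max_cv=0.1):
    """Return {dst: cv} for destinations contacted at suspiciously even intervals."""
    by_dst = defaultdict(list)
    for c in conns:
        by_dst[c.dst].append(c.ts)
    flagged = {}
    for dst, times in by_dst.items():
        times.sort()
        if len(times) < min_conns:
            continue
        cv = inter_arrival_cv(times)
        if cv is not None and cv <= max_cv:
            flagged[dst] = round(cv, 3)
    return flagged

def flag_off_hours_volume(conns, start_hour=8, end_hour=18, min_bytes=50_000_000):
    """Return {dst: bytes} for destinations receiving large uploads outside business hours (assumed 08:00-18:00)."""
    by_dst = defaultdict(int)
    for c in conns:
        if not (start_hour <= c.ts.hour < end_hour):
            by_dst[c.dst] += c.bytes_out
    return {d: b for d, b in by_dst.items() if b >= min_bytes}

# Constructed sample: an exactly-60s beacon, a jittered client (CV about 0.27), and a 12 GiB upload at 03:00.
base = datetime(2025, 9, 4, 9, 0, 0)
SAMPLE = (
    [Conn(base + timedelta(seconds=60 * i), "198.51.100.7", 1200) for i in range(10)]
    + [Conn(base + timedelta(seconds=s), "203.0.113.20", 900) for s in (0, 47, 130, 171, 260, 318, 390)]
    + [Conn(datetime(2025, 9, 4, 3, 0, 0), "192.0.2.55", 12 * 1024**3)]
)

if __name__ == "__main__":
    print("regular beacons:", flag_regular_beacons(SAMPLE))
    print("off-hours volume:", flag_off_hours_volume(SAMPLE))
```

Only the metronomic beacon and the 03:00 bulk transfer are flagged; the jittered client passes, which is exactly the gap the rest of this lesson describes.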

Blending Techniques

  • Ports & protocols: prefer 80/443 and standards-compliant HTTP(S)/HTTP2; avoid exotic ports.
  • Timing jitter: add randomization windows (±15–45%) and sleep distributions (Poisson/normal).
  • Pacing & chunking: throttle exfil; chunk payloads into user-like request sizes.
  • Domain strategy: age domains, build benign traffic history; avoid fresh registrations for exfil.
  • Header mimicry: copy user-agent strings and header ordering; emulate TLS fingerprints.
  • Operational hours: align to local business hours unless baseline shows frequent off-hours usage.

Real-World Context

A well-publicized retail breach detection hinged on scheduled FTP exfil at ~03:00 daily—an obvious deviation from baseline POS traffic. Had the actors paced exfil over HTTPS during store hours with realistic headers and jitter, time-to-detect would likely have increased.

Walkthrough: Build a Mimic Profile

  1. Capture 24–48h of baseline (Wireshark/Zeek/NetFlow): top domains, median request size, inter-arrival times.
  2. Derive parameters: ports, protocols, UA strings, common TLS ciphers, request cadence distributions.
  3. Implement client shim: enforce jitter, header order, size ceilings; rotate benign host paths.
  4. Test: diff your flows vs. baseline histograms; iterate until distributions overlap.

Exercise

  1. Record lab traffic for 2 hours; compute median request size and typical inter-arrival.
  2. Write a small client (or use curl/wget loops) that sends requests with jittered intervals and UA mimicry.
  3. Compare histograms of size/timing against baseline; adjust until differences are minimal.

Deliverable: short report with histograms and chosen mimic parameters.

Key Takeaways

  • Detection loves outliers—your job is to look average.
  • Mimicry is multi-dimensional: ports, protocols, headers, timing, and volume.
  • Age and reputation of infrastructure matter as much as protocol choice.
  • Continuous measurement beats intuition—graph it, then tune it.

OPSEC Reminder: Blend everything—network, host artifacts, and timing—before you ever send a packet that matters.