Hiding in plain sight: Preventing data exfiltration via DNS tunnelling
by Eddie, on 29/11/2018 3:02:00 PM
As information security has become more important across organisations, so has the role of an information security leader within organisations. As an information security leader in an organisation, several questions recur and are faced daily:
- Is our organisation secure from attackers?
- How do we know if we have been breached?
- Do we know where our gaps are?
Organisations that have a good grasp on traditional attack vectors think they can confidently answer these questions. Experience shows however that there are often gaps in detection or prevention capabilities when it comes to advanced threats. Organisations need to be aware of their gaps to be able to prevent against them. One technique used by advanced threats to communicate covertly with compromised assets is DNS tunnelling.
In the following section we will cover what DNS tunnelling is, what the risks of not preventing this are, and how to detect/prevent DNS tunnelling in your network.
What is DNS tunnelling?
Securing or monitoring DNS traffic is often overlooked because the protocol is not intended for data transfer. DNS tunnelling leverages the DNS protocol to use it as a covert communications protocol. It exploits the fact that allowing any internet access at all (even if only DNS is allowed) equates to allowing complete internet access provided a suitably skilled attacker under the correct circumstances.
What are the risks?
In situations where a compromised client only has access to DNS and no direct internet access, an attacker can use this technique to reach out to the internet to exfiltrate information or retain control over their compromised asset.
Alternatively, a suitably skilled staff member can utilise this technique to gain unrestricted access to the internet.
How do I detect/prevent this?
Without utilising signatures to target specific DNS tunnelling utilities, the two most straightforward approaches to detecting DNS tunnelling rely on analysing the size of DNS responses and amount of DNS traffic consumed by a single client over time. Hosts performing DNS tunnelling without any thought for doing so slowly and thus covertly should stand out immediately in such traffic analysis. Many DNS requests are required to tunnel TCP over DNS, additionally responses typically utilise the maximum payload size allowed in DNS responses.
To prevent DNS tunnelling in your network, the approach is simply then finding and utilising tools that can detect these symptoms and act on it (e.g. network IDS/IPS). Examples of such include next-gen firewalls and open source software suites like Snort.