Monitoring and analyzing your network traffic is more of an art form than a science: every network is unique. The differences appear in the services we run, the types of traffic we generate, as well as our network design and layout. In order to properly analyze traffic dumps, we must first know what kind of traffic is normal for our network. We must also keep in mind that attackers will do their best to mimic legitimate traffic in order to bypass our filters and any safeguards we may have in place. This applies to more than just DDoS mitigation. As you have seen in previous articles concerning DDoS attacks, the individuals performing the attacks will do their best to bypass filters by mimicking real traffic and targeting open ports that we have services on.
Let’s discuss how attackers may bypass your Firewalls by tunneling Command and Control traffic through DNS. While this technique has been around for over 15 years, it is still relevant today and we must take the proper steps to protect ourselves with payload or traffic analysis. Let’s take a look at how these tunnels work: First, an attacker would set up a host that listens for specially formulated DNS queries. Next they would run the client side (which may be built into their malware on the target). The client would establish communication with the host server, tunneling the traffic through DNS on port 53.
If you notice these are ‘TXT’ record responses, which can have upper and lower case which provides 52 characters, the numbers add another 10 and then we add ‘-‘ and ‘+’ to get 64 unique values which can be used for base 64 encoding. There are more encoding methods we can use for different DNS record types, however this depends on the DNS tunneling utility we are using and what our intent is. There are many utilities currently available to help us tunnel over DNS, many of which were developed with the intention of bypassing captive portals for paid Wi-Fi services. These are developed in Python, Perl, C, Java and more, making integration in malware trivial for attackers. While the above example could be easily stopped if you restrict outbound traffic and only allow DNS only with trusted servers, this is still not a total solution. By registering a domain name that designates our host system as the authoritative DNS server for that domain we can get around this. When the victim machine issues a query for the attackers domain to the trusted DNS server, it would forward the message to the malicious host server and return the response to the victim.
In the end, we must combine a number of strategies to help protect our networks. We can limit the number of DNS servers to further complicate the attackers setup, and if possible direct DNS activities through a set of servers we control. In addition, we must also use a combination of payload and traffic analysis to help reduce the risk of DNS tunneling. For more tips on detecting and preventing this type of traffic check out ‘Know Your Network First: DNS and the Power of Feature Classification’ by Lance James.
Farnham, Greg, and Antonios Atlasis. “Detecting DNS Tunneling.” SANS Institute InfoSec Reading Room. Sans Institute, 25 Feb. 2013. Web. 15 July 2015.
Zeltser, Lenny. “Tunneling Data and Commands Over DNS to Bypass Firewalls.” Zeltser Content. 8 July 2015. Web. 15 July 2015.