Dns tunneling is a common method that allows an attacker to accomplish which attack?
Show
DNS acts as a phone directory for the internet, allowing IP addresses and domain names to be translated. Long strings of numbers are difficult for humans to remember. A web address (such as extrahop.com/network-attack-library) is easy to remember and provides some information about your destination. Since web browsers employ IP addresses, you’ll need an option to transform the two. DNS Tunneling: “DNS tunneling is a technique which exploits DNS protocol for tunneling data via DNS query and response packet”
The botnet’s C&C communication channel refers to the protocol used to communicate between the bots and the botnet’s C&C Server. To use DNS Tunneling as a C&C communication channel, the attacker embeds the DNS Tunneling mechanism in the malware’s binary and the malware binary is also hardcoded with the domain name where the C&C server was hosted. To establish a connection with the C&C server, the bot would send a DNS query to resolve the IP address of the C&C server. How does DNS Tunneling work?Basic working procedure:
Detailed Explanation:
Example: An attacker first registers a domain name, such as “dns.com”. Then points its nameserver records towards the server where the DNS tunneling server program is running. The server acts as an authoritative name server for that domain name and its sub-domain to facilitate server-side tunneling and decapsulating the payload data by running DNS tunnel server daemon on the server
DNS Tunneling records:Attackers will use different types of DNS Tunneling record types in which to embed their attack. The most popular DNS tunneling records are TXT, NULL, and CNAME. TXT records are often used because they have the largest and most diverse payload structure. DNS Tunneling Attacks:
Data Exfiltration via DNS Tunneling:
Data is transferred back and forth via DNS Tunnel in this manner. To avoid caching, DNS answers have a short TTL value. The DNS protocol does not allow the server to create a connection with the client; instead, the client must make a query to the attacker’s DNS server on a regular basis to obtain new commands (C&C Server). DNS Tunneling Impacts:
How to identify DNS tunneling attacks?The detection techniques will be discussed in two separate categories, payload analysis, and traffic analysis. 1-Payload Analysis: Some of the payload analysis techniques are: 1.1-Size of request and response: One technique involves analyzing the size of the request and response. DNS tunneling utilities usually try to put as much data into requests and responses as possible. Thus, it is likely that tunneling requests will have long labels, up to 63 characters, and long overall names up to 255 characters. 1.2-Entropy of hostnames: DNS tunnels can be detected based on the entropy of requested hostnames. Legitimate DNS names often have dictionary words or something that looks meaningful. Encoded names have a higher entropy and more even use of the characters set. Although, there are exceptions to this where DNS names are used to represent some type of information. Looking for DNS names that have high entropy can be an indicator of tunneling. 1.3-Statistical Analysis: Looking at the specific character makeup of DNS names is another method that can be used to detect tunneling. Legitimate DNS names tend to have few numbers whereas encoded names can have a lot of numbers. Looking at the percentage of numerical characters in domain names has been proposed. 1.4-Uncommon Record Types: Looking for records that are not commonly used by a typical client e.g. ‗TXT‘ records is another possible detection method. 1.5-Policy Violation: If a policy requires all DNS look-ups to go through an internal DNS server, violations of that policy could be used as a detection method. Traffic could be monitored for DNS requests directly to the internet. Most DNS tunneling utilities are designed to function even when forwarding requests through an internal DNS server. 1.6-Specific Signatures: In some cases, researchers have provided signatures for specific DNS tunneling utilities. A signature can be used to check specific attributes in a DNS header and check for specific content in the payload. For example, a Snort signature was developed for detecting NSTX DNS tunneling. 2-Traffic Analysis: Traffic Analysis involves looking at multiple requests/response pairs over time. The amount and frequency of requests can be used for an indication of tunneling. Some of the traffic analysis detection techniques are:
Preventive Measures for DNS Tunneling:
Conclusion:DNS is critical for all businesses. Unfortunately, preventing DNS-based threats is a big task, and hackers are taking advantage of its inescapable but not totally evident exploitable surface. The above-mentioned techniques will be useful to detect and prevent DNS tunneling. What is the best defense against script kiddie attacks?A strong perimeter defense is the best defense against script kiddies.
Which of the following is one of the most common attacks on employees?Which of the following is one of the MOST common attacks on employees? Phishing attacks are one of the most common attacks directed at employees. In most cases, employees are lured into clicking a link or downloading an attachment from a seemingly legitimate email.
When confidential or protected data is exposed either intentionally or accidentally it is considered to be which of the following?When confidential or protected data is exposed, either intentionally or accidentally, it is considered to be which of the following? EXPLANATION A data breach is when confidential or protected data is exposed. Data loss involves the loss of important data, such as a file being deleted.
In which phase of an attack does the attacker gather information about the target?Reconnaissance, also known as the preparatory phase, is where the hacker gathers information about a target before launching an attack and is completed in phases prior to exploiting system vulnerabilities. One of the first phases of Reconnaissance is dumpster diving.
|