DNS Tunneling for Network Penetration

Raman, D. Raghu; Sutter, Bjorn De; Coppens, Bart; Volckaert, Stijn; Bosschere, Koen De; Danhieux, Pieter; Buggenhout, Erik Van

doi:10.1007/978-3-642-37682-5_6

Cited by 12 publications

(7 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In fact, their proposed methods are already used by some malware families such as Feederbot and Morto [11], [15]. Similarly, Raman et al [18] propose a network penetration technique that uses DNS tunneling to infiltrate a secure network to deliver an attack payload. Their technique is based on establishing a tunnel by an exploit code that generates DNS queries.…”

Section: Related Workmentioning

confidence: 98%

Characterization of Covert Channels in DNS

Binsalleeh

Kara²,

Youssef

et al. 2014

2014 6th International Conference on New Technologies, Mobility and Security (NTMS)

View full text Add to dashboard Cite

Malware families utilize different protocols to establish their covert communication networks. It is also the case that sometimes they utilize protocols which are least expected to be used for transferring data, e.g., Domain Name System (DNS). Even though the DNS protocol is designed to be a translation service between domain names and IP addresses, it leaves some open doors to establish covert channels in DNS, which is widely known as DNS tunneling. In this paper, we characterize the malicious payload distribution channels in DNS. Our proposed solution characterizes these channels based on the DNS query and response messages patterns. We performed an extensive analysis of malware datasets for one year. Our experiments indicate that our system can successfully determine different patterns of the DNS traffic of malware families.

show abstract

Section: Related Workmentioning

confidence: 98%

Characterization of Covert Channels in DNS

Binsalleeh

Kara²,

Youssef

et al. 2014

2014 6th International Conference on New Technologies, Mobility and Security (NTMS)

View full text Add to dashboard Cite

show abstract

“…Some researchers [29]- [31] have evaluated the performance (e.g., throughput) of DNS tunneling tools such as iodine [32] and dns2tcp [33]. Raman et al [34] proposed a DNS tunneling method and measured the maximal throughput.…”

Section: A Dns Tunneling Basicsmentioning

confidence: 99%

DNS Tunneling Detection by Cache-Property-Aware Features

Ishikura

Kondo

Vassiliades

et al. 2021

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

Many enterprises are under threat of targeted attacks aiming at data exfiltration. To launch such attacks, in recent years, attackers with their malware have exploited a covert channel that abuses the domain name system (DNS) named DNS tunneling. Although several research efforts have been made to detect DNS tunneling, the existing methods rely on features that advanced tunneling techniques can easily obfuscate by mimicking legitimate DNS clients. Such obfuscation would result in data leakage. To tackle this problem, we focused on a "trace" left by DNS tunneling that cannot be easily hidden. In the context of data exfiltration by DNS tunneling, the malware connects directly to the DNS cache server and the generated DNS tunneling queries produce cache misses with absolute certainty. In this study, we propose a DNS tunneling detection method based on the cache-property-aware features. Our experiments show that one of the proposed features can efficiently characterize the DNS tunneling traffic. Furthermore, we introduce a rule-based filter and a long short-term memory (LSTM)-based filter using this proposed feature. The rule-based filter achieves a higher rate of DNS tunneling attack detection than the LSTM one, which instead detects the attack more quickly, while both maintain a low misdetection rate.

show abstract

“…In the context of computer networks, a tunneling protocol is a communication protocol architecture adopted to communicate through an hidden way. It is one of the major threats affecting networks security, as it can lead to the exfiltration of sensitive data [13], [68]. Tunneling is adopted to achieve different purposes, usually either to exfiltrate data to the outside of the organization (as implementation of a covert channel) or to bypass network restrictions deployed by the organization.…”

Section: Tunnel System Architecturementioning

confidence: 99%

Exploiting Internet of Things Protocols for Malicious Data Exfiltration Activities

et al. 2021

View full text Add to dashboard Cite

Internet of Things is a widely adopted and pervasive technology, but also one of the most relevant in cyber-security, given the volume and sensitivity of shared data and the availability of affordable but insecure products. In this paper, we propose a novel cyber-threat exploiting the Message Queue Telemetry Transport (MQTT) protocol to implement a tunneling attack. In IoT networks, sensitive and critical information are exchanged between devices or external systems to perform data analysis. For this reason, a tunneling threat could be adopted by a malicious user to steal information. In this context, a tunneling system based on MQTT can be considered since this communication protocol could be allowed to pass through enterprise firewalls because it is widely adopted in this IoT world. An attacker can exploit the MQTT protocol for various purposes such as steal information or access to not-allowed websites/servers. In particular in this work, we contribute in two main points: initially we demonstrate how the proposed threat is able to encapsulate messages through the MQTT protocol, by also comparing it with other tunneling systems exploiting different communication protocols. Obtained results show that exploiting MQTT for tunneling purposes is a good choice, compared to other communication protocols, especially for payloads up to 3000 bytes. Then, we propose and validate an initial machine learning based approach able to detect the proposed MQTT tunnel, by comparing different detection algorithms tested with and without a hyperparameter optimization, in terms of accuracy, F1 score and Receiver Operating Characteristic (ROC) curve. In this case, obtained results show that some algorithms are able to identify the attack, with an accuracy exceeding 95%, while others lack of such capability.

show abstract

DNS Tunneling for Network Penetration

Cited by 12 publications

References 8 publications

Characterization of Covert Channels in DNS

Characterization of Covert Channels in DNS

DNS Tunneling Detection by Cache-Property-Aware Features

Exploiting Internet of Things Protocols for Malicious Data Exfiltration Activities

Contact Info

Product

Resources

About