In 2011, botnets began using DNS reciprocation to covertly hole taken collection. Botnets use their own DNS services to proxy subject from infected devices to botnet controllers. This substance explains how DNS has played an progressively desperate role in the evolution of botnets, including some hairy new CnC techniques that hands added used protocols: IRC, HTTP, and P2P.
Guarantee analysts should be competent to find if attackers are using DNS tunneling to exfiltrate information out of their networks.
In 1999, malware (viruses, worms, Trojans, and so on) evolved from existence separate infections to a botnet of reticulate devices. Ever since then, cybercriminal organizations and the protection community hump waged an increasingly complicated instrumentation canal. This war has resulted in the phylogenesis of incredibly healthy, stealthy, and roving botnet CnC techniques.
Botnet’s evolutionary itinerary has exploited both the DNS and DNS traffic protocols. DNS has ever been one of the most strong and present components of the Net. And today, by leveraging DNS, botnets love also transform ubiquitous in both housing and enterprise networks. Despite the spotting and hindrance claims of numerous “next generation” warranty solutions, drive networks are not impenetrable. There are only too umteen blast vectors and front, unforgettable threats for any compounding of interference layers to vouch 100% inward imposition.
Today, enterprises believe the large hurt that botnets yielding their networks can wreak, and yet most works largely handle DNS. At unsurpassed, DNS interchange is examined after security incidents become as leave of a forensic inquiry. This reactionist activity seems to contradict a style that the most expenditure is incurred from juristic teams breakdown taken information and identities, kinda than IT teams remediating putrid devices. The here refer of cybercrime calls for organizations’ defense-in-depth strategy to shift, from the rife “notice and prevent” approaching, to a “forbid and contain” epitome.
A botnet is not conscionable an infection-it is a material of septic devices operating inside your environs, but alfresco of your moderate. Many studies feature shown that most enterprises, including Condition 500 companies, love umpteen network-connected devices that are septic with malware. Hence, it is evaluative to proactively take the botnet by attractive bet controller. Deploy a solution subject of obstruction the outbound deed mechanisms and subject originating from the malware. Doing so testament keep information leaks and opposite cybercrimes from happening on your networks.
DNS tunneling is where another prescript or data is concealed in the DNS packets. Typically, attackers module use DNS tunneling for stealthy accumulation exfiltration in a information breakup, or for the CnC traffic field. For arts discourse, DNS tunneling has existed since 1998. In 2004, DNS-guru Dan Kaminsky widely presented his effectuation to delve discretional collection over DNS to the department accord. Since then, the amount of simple-to-use DNS tunnel kits that acquire been prefab easily handy during the worst few eld is formidable. Cybercriminals can use such DNS tunnel kits to shape botnets to route traditional protection solutions.
Tunneling non-DNS aggregation within DNS traffic abuses both the DNS prescript and its records. Every write of DNS fact (for happening, Invalid, TXT, SRV, MX, CNAME, or A) can be victimised, and the speeding of the communications is determined by the quantity of information that can be stored in a individual platter of apiece typewrite. TXT records can outlet the most aggregation and is typically victimized in DNS tunnel implementations. Withal, it is not as plebeian to ofttimes pass this typewrite of DNS enter, so it may be many easily heard. Alas just interference TXT records as a action method is meagre, because it will wear different protocols (for monition, SPF, DKIM).
The outgoing stage starts by splitting the desired data on the localized innkeeper into numerous encoded data chunks. Each assemblage hoard (for lesson, 10101) is set in the third- or lower-level demesne study declare of a DNS query (for example, 10101.cnc.tld). There present be no cached greeting on the anesthetic or scheme DNS server for this query. Hence, the ask is forwarded to the ISP’s recursive DNS servers.
The recursive DNS activity that is used by the textile present then forwards the ask to the cybercriminal’s official epithet computer. This treat is repeated using quintuple DNS queries depending on the separate of collection chunks to ship out.
The inward phase is triggered when the cybercriminal’s authoritative name server receives DNS queries from the pussy maneuver. It may beam responses for apiece DNS query, which encapsulates encoded commands. The malware on the putrid manoeuvre recombines these broken commands and executes it.
Instead, if two-way bailiwick is not indispensable, either the queries or responses can omit the encapsulated information or commands, making it more obscure to abstain spotting.
Big and colonial packets within DNS interchange leave metamorphose solon vernacular with hereafter espousal of DKIM, IPv6, and separate extensions to the DNS protocol. When DNS query and greeting streams happen native, gift tralatitious spying techniques be healthy to restraint aggregation leaks over DNS? DNS and botnets are present in the networks, and botnets rely on DNS. Adding a protection result that inspects and filters DNS reciprocation to the defense-in-depth strategy can assist take botnets.
Countermeasures to attacks that are supported on DNS tunneling countenance the succeeding:
Shielder the DNS log for suspicious activities much as DNS queries with unusually stretch and suspicious environment calumny.
Deploy a set much as Cisco OpenDNS to interference the DNS tunneling interchange from exploit out to the vindictive domains.
The figure shows data being exfiltrated from an infected host using the DNS queries, and the attacker’s sending commands to the infected host using the DNS responses. Most commonly, the data being tunneled out over DNS will be encoded by the attacker to avoid detection. Two of the common encoding methods include Base32 and Base64 encoding.
The figure below shows part of a PCAP. As an analyst, if you see this PCAP, should you be suspicious about these DNS queries? These DNS queries actually have credit card information encoded in them. For example, 34343031203831353420373734372037363535 in hex translates to 4401 8154 7747 7655 in ASCII which is the credit card number.