Monday, March 09, 2020

DNS Tunneling

How Hackers Use DNS Tunneling to Own Your Network

By Ron Lifinski, Cyber Security Researcher
Cynet
October 22, 2018

Most organizations have a firewall that acts as a filter between their sensitive internal networks and the threatening global Internet. DNS tunneling has been around for a while, but it continues to cost companies, and hackers keep investing time and effort in developing tools for it. A recent study[1] found that DNS attacks in the UK alone have risen 105% in the past year. DNS tunneling is attractive because hackers can get any data in and out of your internal network while bypassing most firewalls. Whether it's used to command and control (C&C) compromised systems, leak sensitive data outside, or tunnel into your closed network, DNS tunneling poses a substantial risk to your organization. Here's everything you need to know about the attack, the tools, and how to stop it.

Introduction

DNS tunneling has been around since the early 2000s, when NSTX[2], an easy-to-use tool, was published to the masses. Since then there has been a clear trend: tighter firewall security led to more widespread DNS tunneling. By 2011 it had already been used by malware such as Morto[3] and Feederbot[4] for C&C, and by FrameworkPOS[5], a popular malicious payload for point-of-sale systems, for credit card exfiltration.

Why It’s a Problem

DNS was originally made for name resolution and not for data transfer, so it's often not seen as a threat for malicious communications and data exfiltration. Because DNS is a well-established and trusted protocol, hackers know that organizations rarely analyze DNS packets for malicious activity. DNS receives less attention, and most organizations focus resources on analyzing web or email traffic, where they believe attacks most often take place. In reality, diligent endpoint monitoring is required to find and prevent DNS tunneling.

Furthermore, tunneling toolkits have become an industry and are widely available on the Internet, so hackers don't really need technical sophistication to implement DNS tunneling attacks.

Common Abuse Cases (and the tools that make them possible)

Malware command and control (C&C) - Malware can use DNS tunneling to receive commands from its control servers and upload data to the Internet without opening a single TCP/UDP connection to an external server. Tools like DNSCAT2[6] are made specifically for C&C purposes.

Create a "firewall bypassing tunnel" - DNS tunneling allows an attacker to place himself inside the internal network by creating a complete tunnel. Tools like IODINE[7] let you create a shared network between devices by establishing a full IPv4 tunnel over DNS.

Bypass captive portals for paid Wi-Fi - A lot of captive portal systems allow all DNS traffic out, so it's possible to tunnel IP traffic without paying a fee. Some commercial services even provide a server-side tunnel as a service. Tools like YOUR-FREEDOM are made specifically for escaping captive portals.

How It Works

image: dns tunnel

1. The attacker acquires a domain, for example, evilsite.com.

2. The attacker configures the domain's name servers to point to his own DNS server.

3. The attacker delegates a subdomain, such as "tun.evilsite.com", and configures his machine as the subdomain's authoritative DNS server.

4. Any DNS request made by the victim to "{data}.tun.evilsite.com" will end up reaching the attacker's machine.

5. The attacker's machine encodes a response that will get routed back to the victim's machine.

6. A bidirectional data transfer channel is achieved using a DNS tunneling tool.
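The steps above explain why tunnel traffic looks different from ordinary name resolution: each query carries a data payload in its leftmost label, so one client sends many distinct, long, high-entropy names under a single domain, usually asking for record types that can carry bulky answers. The detector below is an added example written for this post, not code from the original article or from Cynet; it applies those indicators to a few constructed resolver-log lines. The log format ("time client qname qtype"), the thresholds, the two-label "registered domain" rule and the TXT/NULL record types it treats as bulk carriers are all assumptions for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of resolver query-log lines for this example (not real traffic).
# Assumed format: "HH:MM:SS client_ip qname qtype", one query per line.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com MX
10:00:03 10.0.0.7 4a7b3c9d2e1f0a8b7c6d5e4f3a2b1c0d.tun.evilsite.com TXT
10:00:03 10.0.0.7 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.tun.evilsite.com TXT
10:00:04 10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.tun.evilsite.com TXT
10:00:04 10.0.0.7 ffeeddccbbaa99887766554433221100.tun.evilsite.com TXT
10:00:05 10.0.0.7 1234567890abcdef1234567890abcdef.tun.evilsite.com TXT
10:00:06 10.0.0.5 cdn.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Record types whose answers can carry large free-form payloads (assumption for this example).
BULK_TYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Bits of entropy per character: about 4.0 for random hex, 0 for a single repeated character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname):
    """Reduce 'x.tun.evilsite.com' to 'evilsite.com' by keeping the last two labels.
    Assumption: a two-label suffix. A production version should use the Public
    Suffix List so that 'example.co.uk' is not collapsed to 'co.uk'."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (client, qname, qtype) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            _ts, client, qname, qtype = match.groups()
            yield client, qname.rstrip(".").lower(), qtype.upper()


def profile_queries(log_text):
    """Group queries by (client, registered domain) and compute tunnel indicators per group."""
    groups = defaultdict(list)
    for client, qname, qtype in parse_log(log_text):
        groups[(client, registered_domain(qname))].append((qname, qtype))
    profiles = {}
    for key, queries in groups.items():
        # The leftmost label is where a tunnel places its encoded data chunk.
        first_labels = [qname.split(".")[0] for qname, _ in queries]
        profiles[key] = {
            "queries": len(queries),
            "unique_names": len({qname for qname, _ in queries}),
            "avg_label_len": sum(map(len, first_labels)) / len(first_labels),
            "avg_entropy": sum(map(shannon_entropy, first_labels)) / len(first_labels),
            "bulk_type_ratio": sum(qtype in BULK_TYPES for _, qtype in queries) / len(queries),
        }
    return profiles


def suspicious_pairs(log_text, min_unique=5, min_label_len=20, min_entropy=3.5, min_bulk_ratio=0.5):
    """Return (client, domain) pairs that match at least three of the four indicators.
    Requiring several indicators together keeps a CDN with long hostnames, or a
    mail server that legitimately asks for TXT records, from being flagged alone."""
    flagged = []
    for key, p in profile_queries(log_text).items():
        hits = [
            p["unique_names"] >= min_unique,       # many distinct names under one domain
            p["avg_label_len"] >= min_label_len,   # long leftmost labels
            p["avg_entropy"] >= min_entropy,       # label content looks encoded, not words
            p["bulk_type_ratio"] >= min_bulk_ratio,  # mostly payload-carrying record types
        ]
        if sum(hits) >= 3:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for (client, domain), p in profile_queries(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {p}")
    print("suspicious:", suspicious_pairs(SAMPLE_LOG))
```

Running the module prints one profile per client/domain pair and flags only the 10.0.0.7 to evilsite.com pair; the example.com queries from 10.0.0.5 match none of the indicators. In a real deployment the same profile would be computed over a sliding time window, and query volume per window would be a fifth indicator, since a working tunnel has to poll its server continuously even when it has nothing to send.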

References

[1] https://www.infosecurity-magazine.com/news/dns-attack-costs-soar-105-in-uk

[2] https://thomer.com/howtos/nstx.html

[3] https://www.symantec.com/connect/blogs/morto-worm-sets-dns-record

[4] https://chrisdietri.ch/post/feederbot-botnet-using-dns-command-and-control/

[5] https://www.gdatasoftware.com/blog/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests

[6] https://github.com/iagox86/dnscat

[7] https://github.com/yarrick/iodine

[8] https://heyoka.sourceforge.net/

Posted by Elvis on 03/09/20