
DNS Cloud School | Analysis of hidden tunnel attacks in the hidden corner of DNS

2022-04-23 20:15:00 National Engineering Research Center

DNS is the entry point to web services and the path that every business access takes. Legitimate business traffic must go through DNS to reach a service, and malicious programs must likewise go through DNS to reach the outside. Statistics show that nearly 91.3% of malware has been found to use DNS as a primary channel. The reason is that weaknesses in the DNS protocol itself make it easy to abuse while allowing the attacker to stay well hidden. DNS tunnelling is one of the techniques attackers use most often. In this issue, Cloud School analyses how DNS tunnel attacks work and shares a basic approach to identifying them. Enjoy:

 

1. Principle and characteristics of DNS tunnel attacks

[Figure: schematic diagram of the basic principle]

 

  • Principle of a DNS tunnel attack

The attacker abuses the normal DNS query process: the data to be smuggled is compressed and encoded, encapsulated in the DNS protocol, and carried in DNS request and response packets, so that the data transfer (signalling and communication) takes place entirely inside DNS.

  • Uses of DNS tunnel attacks

Point-to-point data transfer with a C&C server, or implanting Trojans, worms and other malware to sustain a long-term, covert APT attack.

  • Advantages for the attacker

It penetrates traditional security equipment such as network firewalls well; the cost of the attack is relatively low while its effect is obvious.

  • Characteristics of DNS tunnel attacks

The attacker's traffic is encapsulated in the DNS protocol, so traditional security equipment has difficulty spotting it. At the packet level it is not easy to identify, and without specialised analysis it is simply regarded as ordinary DNS traffic on port 53; its concealment is strong.

 

2. Examples of DNS tunnel attacks

  • Command-and-control traffic over a DNS tunnel

A malicious program encapsulates control instructions in the request/response exchange of the DNS protocol; the real control instructions in the request and in the response are encoded into strings.

 

[Figure: encoded control instructions carried in DNS queries and responses]

The domain name in the request is generally encoded (not truly encrypted) with Base64, binary, NetBIOS, Hex or a similar scheme so that the data fits inside a domain name. To carry more data per exchange, TXT records (one of the DNS query types) are typically used. Firewalls and intrusion detection devices rarely analyse and filter the DNS traffic that recursive resolvers legitimately send out of the network, so an attacker can use the channel for remote control and similar attacks.

 

  • Data exfiltration over a DNS tunnel

[Figure: sensitive data split across successive subdomain queries]

 

Besides carrying control-instruction exchanges between malware and the C&C end, a DNS tunnel gives the attacker an always-available back channel for leaking stolen or sensitive data. The length limit on domain names and the unreliability of UDP transport make it hard to move large files out through a DNS tunnel, but it is more than enough for important, sensitive information. The figure above shows the data being sent to the control end as a series of consecutive subdomain queries; the control end then splices these requests together in order to recover the sensitive data.
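The following Python script is an added example, not code from the article or from any of the tools it names. It models both exchanges described above: the malware side chunks a payload, encodes each chunk as a subdomain label and numbers the queries, and the control side (the authoritative server for the tunnel domain) reorders and splices them back together, reporting an incomplete transfer when a query is lost on the way. The tunnel domain `t.example.com`, the `<seq>.<total>.<data>` label layout and the sample payload are all assumptions constructed for the example. Base32 is used instead of the Base64 the text mentions because DNS names are case-insensitive and cannot carry `+`, `/` or `=`; real tools such as iodine default to Base32 for the same reason.

```python
import base64
import random

# Hypothetical attacker-controlled parent domain; an assumption for this example.
TUNNEL_DOMAIN = "t.example.com"
MAX_LABEL = 63    # RFC 1035: one label is at most 63 octets
MAX_NAME = 253    # practical maximum for a full domain name in text form

# Constructed sample of "sensitive data" to exfiltrate (not real card data).
SAMPLE = b"user=alice;card=4111111111111111;exp=12/26;cvv=123"


def b32_label(data: bytes) -> str:
    """Base32 rather than Base64: DNS names are case-insensitive and may not carry
    '+', '/' or '='. Padding is stripped here and restored on decode."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def b32_unlabel(label: str) -> bytes:
    text = label.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_queries(payload: bytes, parent: str = TUNNEL_DOMAIN, chunk_size: int = 16) -> list:
    """Malware side: split the payload into numbered chunks, one query name each.
    Name layout: <seq>.<total>.<base32 chunk>.<parent>"""
    total = -(-len(payload) // chunk_size)          # ceiling division
    queries = []
    for seq in range(total):
        label = b32_label(payload[seq * chunk_size:(seq + 1) * chunk_size])
        name = f"{seq}.{total}.{label}.{parent}"
        if len(label) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("chunk_size too large for a DNS name")
        queries.append(name)
    return queries


def decode_queries(queries, parent: str = TUNNEL_DOMAIN) -> bytes:
    """Control side (authoritative for `parent`): queries may arrive out of order
    over UDP, so splice by sequence number and check that every chunk is present."""
    suffix = "." + parent
    pieces, total = {}, None
    for name in queries:
        if not name.endswith(suffix):
            continue                                 # unrelated query, ignore
        seq, tot, label = name[:-len(suffix)].split(".")
        total = int(tot)
        pieces[int(seq)] = b32_unlabel(label)
    if total is None or len(pieces) != total:
        raise ValueError(f"incomplete transfer: {len(pieces)} of {total} chunks")
    return b"".join(pieces[i] for i in range(total))


def simulate_transfer(payload: bytes, shuffle: bool = False, drop_index=None):
    """End-to-end run over a constructed 'network' that may reorder or lose one
    query. Returns the recovered bytes, or None when the transfer is incomplete."""
    queries = encode_queries(payload)
    if shuffle:
        random.Random(7).shuffle(queries)            # fixed seed: deterministic demo
    if drop_index is not None:
        del queries[drop_index]
    try:
        return decode_queries(queries)
    except ValueError:
        return None


if __name__ == "__main__":
    for q in encode_queries(SAMPLE):
        print(q)
    print(simulate_transfer(SAMPLE, shuffle=True) == SAMPLE)
    print(simulate_transfer(SAMPLE, drop_index=1))
```

Running the script prints the four query names a 50-byte payload turns into; each one is exactly the kind of long, numbered subdomain under a single parent that the capture in the next section describes, which is why sequence numbers and repeated parent domains are useful detection features.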

 

[Figure: Wireshark capture of a DNS tunnel file transfer]

 

Capturing the traffic in a test environment with Wireshark or a similar tool shows that the DNS message exchange of a DNS tunnel file transfer has the following characteristics: a series of requests for very long, random-looking subdomains; a sequence number embedded in the requested name; high-frequency access to the same parent domain; large request and response packets; a rapid request rate; and a surge in DNS traffic volume.

 

3. Identifying and analysing DNS tunnel attacks

DNS tunnelling is by now a mature technique with many tools, each with its own characteristics. The more active ones at present are iodine and dnscat2; others include DeNise, dns2tcp and Heyoka.

From the introduction above it is not hard to see that DNS tunnel attacks are well camouflaged. They do, however, share one thing: the requests and responses look strange. So how do we detect them? Based on the principle and characteristics of DNS tunnel attacks, we have organised our approach to identifying them as follows:

① Modelling and comparing features

We model the following features of tunnel traffic and compare them with normal traffic:

  • Domain name length, the legal character set of domain names, and conformance to the domain name RFCs

[Figure: feature comparison]

  • Proportion of large packets among the uplink request messages

[Figure: feature comparison]

  • Proportion of large packets among the downlink response messages

[Figure: feature comparison]

  • Information entropy of the queried names

[Figure: feature comparison]

② Threshold values derived from the feature analysis

By modelling and analysing different scenarios, we can summarise several characteristics of DNS tunnel traffic as thresholds, or "critical values": for example, a domain name label length of 52 characters, the legal domain name character set a-z, A-Z, 0-9, an upload-to-download ratio of 500%, and a total of more than 20 messages in one session. Matching DNS traffic against these thresholds gives a reasonably effective defence against tunnels.
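As an added example (not the authors' detection system), the Python script below applies the label-length, character-set, session-volume and entropy features from the two subsections above to a constructed query log. The log format (`timestamp client qname qtype`), the entropy cut-off of 3.5 bits per character, the use of the last two labels as the "parent domain" (a real deployment would consult the Public Suffix List) and the tunnel domain `t.example.com` are all assumptions; the label-length threshold of 52 and the session threshold of 20 messages are the article's own critical values. The upload/download ratio is left out because the log carries no packet sizes.

```python
import base64
import math
import random
import re
from collections import defaultdict

# Critical values from the article; the entropy cut-off is an assumption.
LABEL_LEN_THRESHOLD = 52
SESSION_QUERIES_THRESHOLD = 20
ENTROPY_THRESHOLD = 3.5
# Hostname characters plus '_' (legitimate in labels such as _dmarc or _sip._tcp);
# '+', '/' or '=' from raw Base64 would fail this check.
LEGAL_LABEL = re.compile(r"^[a-z0-9_-]+$")


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of `text`."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Parent taken as the last two labels (assumption: no public-suffix handling)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze_log(lines):
    """Group queries by (client, parent domain) and apply the threshold checks.
    Returns {(client, parent): {"queries", "max_label", "entropy", "flags"}}."""
    sessions = defaultdict(list)
    for line in lines:
        _ts, client, qname, _qtype = line.split()
        sessions[(client, parent_domain(qname))].append(qname.rstrip(".").lower())
    report = {}
    for key, names in sessions.items():
        first_labels = [n.split(".")[0] for n in names]      # the data-carrying label
        all_labels = [lab for n in names for lab in n.split(".")]
        max_label = max(len(lab) for lab in all_labels)
        entropy = sum(shannon_entropy(lab) for lab in first_labels) / len(first_labels)
        flags = []
        if max_label > LABEL_LEN_THRESHOLD:
            flags.append("long_label")
        if any(not LEGAL_LABEL.match(lab) for lab in all_labels):
            flags.append("illegal_chars")
        if len(names) > SESSION_QUERIES_THRESHOLD:
            flags.append("session_volume")
        if entropy > ENTROPY_THRESHOLD:
            flags.append("high_entropy")
        report[key] = {"queries": len(names), "max_label": max_label,
                       "entropy": round(entropy, 2), "flags": flags}
    return report


def build_sample_log():
    """Constructed log: a few ordinary lookups (including a legitimate underscore
    label) plus 25 tunnel-style queries, each carrying 39 random bytes as a
    63-character Base32 label under the hypothetical domain t.example.com."""
    rng = random.Random(1)                                   # fixed seed: reproducible
    lines = [
        "2022-04-21T05:54:01 10.0.0.5 www.example.org. A",
        "2022-04-21T05:54:02 10.0.0.5 mail.example.org. MX",
        "2022-04-21T05:54:02 10.0.0.5 _dmarc.example.org. TXT",
        "2022-04-21T05:54:03 10.0.0.5 cdn.example.org. AAAA",
    ]
    for seq in range(25):
        chunk = bytes(rng.getrandbits(8) for _ in range(39))
        label = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
        lines.append(f"2022-04-21T05:55:{seq:02d} 10.0.0.5 {label}.{seq}.t.example.com. TXT")
    return lines


def flagged_parents(report):
    """Parent domains with at least one triggered rule, for a quick summary."""
    return sorted({parent for (_client, parent), r in report.items() if r["flags"]})


if __name__ == "__main__":
    for key, r in analyze_log(build_sample_log()).items():
        print(key, r)
```

On the constructed log only `example.com` is flagged (long labels, more than 20 queries in the session and high entropy); `example.org` stays clean even though `_dmarc` contains an underscore, which is why the character-set rule must tolerate the underscore labels that SRV, DMARC and similar records legitimately use.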

In addition, other aspects such as the features of the DNS payload and traffic analysis can be drawn on to achieve protection.


4. Conclusion

DNS tunnelling is an important "criminal" method for network attackers, and many public and non-public tools exist for it. Traditional security defences have no protection strategy for DNS traffic; boundary devices usually pass port-53 traffic through unchecked. If DNS traffic is left entirely unsupervised, it is very likely to become the gap in DNS security protection that turns the security system an enterprise has spent heavily to build into an "Achilles' heel".

 

This article has only briefly introduced the principle of DNS tunnel attacks and the basics of identifying and defending against them; deeper, targeted strategies still need to be distilled from practice. That is all for today's sharing. If you have other questions about DNS tunnel attacks, leave a message at the bottom of the article and we will arrange for a professional engineer to answer you. See you in the next issue of DNS Cloud School!

Copyright notice
This article was written by [National Engineering Research Center]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/04/202204210554571159.html
