DNS cloud school | analysis of hidden tunnel attacks in the hidden corner of DNS
2022-04-23 20:15:00 【National Engineering Research Center】
DNS is the entry point of every network service and the path that every business access must take. Legitimate business needs DNS to reach a service, and malicious programs also need DNS to reach back out to their operators. Statistics show that nearly 91.3% of malicious programs have been found to use DNS as their main means of intrusion. This is because the weaknesses of the DNS protocol itself make it easy to abuse, and an attacker can hide well behind it. DNS tunnel attacks are one of the methods attackers often use. In this issue of Cloud School we analyse the principle of DNS tunnel attacks and share the basic ideas for identifying them. Enjoy:
1. Principle and characteristics of DNS tunnel attacks
[Figure: schematic diagram of the basic principle]
- Overview of the DNS tunnel attack principle: the attacker uses the DNS query process, compresses and encodes illegal data and encapsulates it in the DNS protocol, then uses DNS request and response packets to complete the transfer of that data (signalling and communication).
- Applications of DNS tunnel attacks: completing point-to-point data transfer through a C&C server, or implanting a Trojan horse, worm, malware and the like to carry out a long-term hidden APT attack.
- Advantages of DNS tunnel attacks: strong ability to penetrate traditional security equipment such as network firewalls; the cost of the attack is relatively low, but its effect is obvious.
- Characteristics of DNS tunnel attacks: the attacker's traffic is encapsulated in the DNS protocol, which traditional security equipment finds hard to detect; from the perspective of traffic packets it is not easy to identify, and without professional analysis it is simply regarded as DNS data on port 53, so it is highly concealed.
2. Examples of attacks using DNS tunnels
- Data transmission through a DNS tunnel: a malicious program encapsulates control instructions in the request and response interaction of the DNS protocol, and the real control instructions in the request and response are encoded into a string. The domain name that initiates the request is generally encoded with Base64, binary, NetBIOS, hex or another encoding, and in order to carry more data the TXT type (a DNS record type) is generally used. Firewalls and intrusion detection equipment rarely analyse and filter normal recursive outbound DNS traffic, so attackers can use it to achieve remote control and similar attacks.
- Data exfiltration through a DNS tunnel: besides enabling control instruction interaction between a malicious program and the C&C end, a DNS tunnel can also give an attacker an always-available back channel for leaking stolen or sensitive data. Limited by the length of domain names and the unreliability of UDP transmission, it is difficult to transfer large files out through a DNS tunnel, but it is enough for transmitting important sensitive information. The figure above shows data being transmitted to the control end through a continuous series of subdomain requests, which the control end then splices together in order to recover the sensitive data.
Using Wireshark or another packet capture tool in a test environment, the DNS message exchange of a DNS tunnel file transfer shows the following characteristics: a series of very long random subdomains is requested; the requested domain names contain a serial number; the same parent domain is accessed at high frequency; request and response packets are large; the request frequency is high; and DNS traffic surges.
3. Methods for judging and analysing DNS tunnel attacks
At present DNS tunnel technology is very mature, there are many related tools, and each tool has its own characteristics. The most active ones currently are iodine and dnscat2; others are DeNiSe, dns2tcp, Heyoka and so on.
From the introduction above it is not hard to see that DNS tunnel attacks are well camouflaged. But they all have one thing in common: the requests and responses look strange. So how do we detect them? For this, based on the principle and characteristics of DNS tunnel attacks, we have sorted out the following ideas and methods for judging an attack:
① Comparative analysis of modelled features
Model and compare the following features:
- Domain name length, legal characters of the domain name, and the RFC rules for domain names: modelled feature comparison
- Proportion of large uplink packets among request messages: modelled feature comparison
- Proportion of downlink packets in the total number of response messages: modelled feature comparison
- Information entropy: modelled feature comparison
② Critical values from feature analysis
Through our modelling and analysis of different scenarios, it is not hard to find that some characteristics of DNS tunnel traffic can be summarised as “critical values”, for example a domain-name label length of 52, legal domain-name characters a-z, A-Z, 0-9, an upload/download ratio of 500%, and a total number of session messages greater than 20, and so on. By matching these critical values when detecting DNS tunnel traffic we can achieve a certain degree of effective defence.
In addition we can also draw on other aspects such as DNS payload features and traffic analysis to achieve protection.
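As an added example (not code from the article), the Python script below applies the critical values from this section, together with the message characteristics listed in section 2 (very long random subdomain labels, a serial number, many queries to one parent domain, TXT type), to a constructed DNS query log. The log line format, the entropy threshold of 3.5 bits per character and the two-label approximation of the parent domain are my own assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Critical values taken from the article; the entropy threshold is my own assumption.
MAX_LABEL_LEN = 52
MIN_SESSION_QUERIES = 20
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed; the article gives no figure)
LEGAL_LABEL = re.compile(r"^[A-Za-z0-9-]+$")  # article's a-z, A-Z, 0-9 plus the RFC 1035 hyphen

def shannon_entropy(s):
    """Shannon entropy of the characters of s, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parent_domain(qname):
    """Approximate the parent (registered) domain by the last two labels of the name."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def label_findings(qname):
    """Check every subdomain label below the parent domain against the critical values."""
    findings = set()
    for label in qname.rstrip(".").split(".")[:-2]:
        if len(label) > MAX_LABEL_LEN:
            findings.add("long_label")
        if not LEGAL_LABEL.match(label):
            findings.add("illegal_chars")
        if shannon_entropy(label) > ENTROPY_THRESHOLD:
            findings.add("high_entropy")
    return findings

def analyze(log_lines):
    """Group queries per parent domain; return {domain: (queries, txt_queries, findings)}."""
    sessions = defaultdict(lambda: {"queries": 0, "txt": 0, "findings": set()})
    for line in log_lines:
        _ts, _client, qname, qtype = line.split()  # assumed "ts client qname qtype" format
        s = sessions[parent_domain(qname)]
        s["queries"] += 1
        s["txt"] += qtype == "TXT"
        s["findings"] |= label_findings(qname)
    for s in sessions.values():
        if s["queries"] > MIN_SESSION_QUERIES:
            s["findings"].add("many_queries")
    return {d: (s["queries"], s["txt"], sorted(s["findings"])) for d, s in sessions.items()}

# Constructed sample: 25 TXT queries with a serial number and a 60-character payload label under one parent, plus two ordinary lookups.
PAYLOAD = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6A7B8C9D0"
SAMPLE = [f"165000{i:04d} 10.0.0.5 {i:04d}.{PAYLOAD}.tunnel.example TXT" for i in range(25)]
SAMPLE += ["1650001000 10.0.0.5 www.example.com A", "1650001001 10.0.0.5 mail.example.com MX"]
print(analyze(SAMPLE))
```

Running it flags tunnel.example with long_label, high_entropy and many_queries while example.com stays clean; in production the thresholds would be tuned against a baseline of the site's own traffic.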
4. Conclusion
DNS tunnels are an important “crime” tool for network attackers, and there are many public and undisclosed tools at present. Traditional security protection has no protection strategy for DNS traffic, and boundary devices usually pass port 53 traffic through, so if DNS traffic is not subject to any supervision, DNS security protection is very likely to become the “Achilles' heel” of the security system that enterprises spend a lot of money building.
This article only briefly introduces the principle of DNS tunnel attacks and the basics of their analysis, judgement and protection; deeper targeted strategies still need to be summarised from practice. Today's sharing ends here. If you have other questions about DNS tunnel attacks, welcome to leave a message at the bottom of the article, and we will arrange professional engineers to answer them. See you in the next issue of “DNS Cloud School”!
Copyright notice
This article was written by [National Engineering Research Center]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/04/202204210554571159.html