A typical network intrusion isn’t a smash-and-grab raid. It’s a long slow process, where an intruder can spend weeks or months exploring a network before slowly copying the data they want. Perhaps they’re stealing your customer data, including credit cards and personal information, or perhaps they’re after your intellectual property.
But how do they get that data out of your network? Most intrusion detection software looks at the obvious patterns of data exfiltration: over HTTP connections and through FTP. This has allowed intruders to discover new ways of extracting data from your network – and the method many of them use is DNS. Servers might not be set up to use HTTP or FTP (and if they did use them, they’d trigger an alert), but they’re always going to have a DNS client. That DNS client can be used by an intruder to extract data at around 100KB/s.
It’s relatively easy for an intruder to use DNS on an unprotected system. All they need to do is to check if the address they want to use responds to a DNS query. With most DNS systems set up to forward unknown requests to remote servers, an intruder’s pre-configured dropbox will look like any DNS server, and any packets sent to it will look like standard DNS queries. Networks handle many thousands of DNS lookups every day, so a handful of extra DNS packets will just get lost in a torrent of data.
There are many published papers on DNS exfiltration, including presentations from organizations like the US Department of Energy, or from hacker events like the annual BlackHat and DEFCON conferences. Any DNS query can be used to transfer data to a malicious server, including the common A, SRV and TXT queries. Malicious servers can also use specially-constructed DNS records to maintain a command and control channel to remotely operate malware, allowing an intruder to leave exfiltration tools on a network, and use DNS to automate their operation.
From this analysis it appears DNS activity is a powerful indicator of infrastructure health and a potential compromise. Malware spreading across your network will most likely generate specific DNS traffic patterns trying to reach malicious domains already identified by specialized service providers. In the same way, a data breach relying on DNS to exfiltrate sensitive data will result in a large number of large DNS queries asking for random FQDN(s) within specific domains over a period of time.
Such behavior could possibly be identified through complex log analysis, as the resulting traffic has no meaning considering both logged DNS requests and targeted domains. However, the appropriate security answer requires identifying those signs through real-time traffic content analysis, triggering the appropriate countermeasures to prevent the breach and possibly stop the attack. That can’t be found in an existing defense approach relying on firewall and IPS.
As DNS is a complex protocol dealing with massive amounts of concurrent stateless connections, it requires a native security system built in to the core of your DNS service. It is the only efficient way to enhance your capacity to control requested domain reputation and detect threats hidden within DNS traffic. This offers you the capability to respond immediately and stop the attack before any damage can be done. In the meantime, this system must be performant enough to avoid false positives that may otherwise disrupt your business.
In the end, DNS tunneling and other DNS exfiltration attacks are only successful because they use a pathway most organizations don’t consider a vulnerability. By implementing a modern DDI infrastructure, you add specialized solutions and tools that quickly identify these vulnerabilities, and can protect your network – and your valuable data.
Want to learn more about threats to the DNS? Download the white paper below to learn about different types of DNS attacks, and how to protect your mission-critical business protocols.