Page 55 - Cyber Warnings
Companies in Middle East Using DNS for Data Transport will become Cybercrime Targets
Rod Rasmussen, vice president of cybersecurity at Infoblox
Malicious DNS tunnelling is a big problem in cybersecurity and companies in the Middle East
should be aware of this. The technique involves the use of the Domain Name System (DNS)
protocol to smuggle sensitive corporate or personal information out of a network, and to enable
malware command and control communications in and out.
Indeed, as the Infoblox Security Assessment Report revealed recently, two in five enterprise
networks showed evidence of DNS tunnelling in the second quarter of 2016.
However, all is not necessarily as it seems. Close scrutiny of apparent DNS tunnelling traffic
repeatedly reveals anomalous activity that appears harmful but is, in fact, being sent
intentionally by users and services on enterprise networks, and tends not to be malicious in
nature.
Exploiting the DNS protocol
Typically DNS queries are very small data packets, and their intended purpose is not to
transport any data other than that needed to perform name-resolution services. And, although
the introduction of authentication mechanisms such as DNSSEC and DKIM may have changed
the landscape over recent years, their primary intent is also only to serve up information on a
domain name, rather than transporting any other data.
But, there is sufficient flexibility in the DNS protocol that unrelated data can be inserted into a
DNS query and then sent in to or out from a targeted network.
DNS signalling, the most basic form of this technique, typically involves using a cryptographic
hash function to encode information into query strings or response records. Performance tends
to be quite slow, though, as the restrictive size of DNS packets means a large number are
required even for a small amount of data.
This is taken a step further by DNS tunnelling which, by employing surprisingly basic
techniques, uses DNS queries to encode other protocols such as HTTP, FTP or SMTP over a DNS
session.
For the sake of simplicity, and given their essential similarity, both of these techniques can be
viewed under the header of DNS tunnelling.
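The features the article describes (data smuggled into query strings, many small queries needed for a little data) are also what a defender can look for in resolver logs. The following is an added example, not code from the article or from Infoblox: it scores each base domain on unusually long labels, high entropy of the subdomain text, and the number of distinct subdomains queried, and flags a domain when at least two of those indicators fire. The log lines, the three-field log format and the thresholds are constructed assumptions, and the base domain is taken to be the last two labels, which is a simplification (a production check would consult the Public Suffix List).

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the article): "client qname qtype".
# The six queries under tun.example imitate tunnelled data: one long, random-looking
# label per query, each label different. DNS limits a label to 63 bytes and a name
# to 253 bytes, which is why tunnelling needs so many queries for so little data.
SAMPLE_LOG = """10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.6 cdn.example.com A
10.0.0.7 api.github.com A
10.0.0.9 q3w8e2r7t1y6u0i5o9p4a8s3d7f2g6h1j5k9l4z8x3c7v2b6n1m5.tun.example TXT
10.0.0.9 m5n1b6v2c7x3z8l4k9j5h1g6f2d7s3a8p4o9i5u0y6t1r7e2w8q3.tun.example TXT
10.0.0.9 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6.tun.example TXT
10.0.0.9 z6y5x4w3v2u1t0s9r8q7p6o5n4m3l2k1j0i9h8g7f6e5d4c3b2a1.tun.example TXT
10.0.0.9 k2j4h6g8f0d2s4a6p8o0i2u4y6t8r0e2w4q6z8x0c2v4b6n8m0l2.tun.example TXT
10.0.0.9 l2m0n8b6v4c2x0z8q6w4e2r0t8y6u4i2o0p8a6s4d2f0g8h6j4k2.tun.example TXT
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain_labels, base_domain).

    Assumption: the registered domain is the last two labels. Names with fewer
    than three labels carry no subdomain and are skipped by the caller.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def find_tunnel_suspects(log_text: str, long_label: int = 30,
                         min_entropy: float = 3.5, min_unique: int = 5):
    """Aggregate queries per base domain and flag domains with >= 2 tunnelling indicators.

    Returns {base_domain: [reason, ...]} for flagged domains only.
    Thresholds are constructed defaults, not values from the article.
    """
    stats = defaultdict(lambda: {"subs": set(), "long": 0, "entropies": [], "total": 0})
    for line in log_text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: ignore rather than crash the sweep
        _client, qname, _qtype = parts[:3]
        sub_labels, base = split_name(qname)
        if not sub_labels:
            continue
        s = stats[base]
        s["total"] += 1
        s["subs"].add(".".join(sub_labels))
        s["entropies"].append(shannon_entropy("".join(sub_labels)))
        if max(len(label) for label in sub_labels) > long_label:
            s["long"] += 1

    suspects = {}
    for base, s in stats.items():
        reasons = []
        if s["long"] / s["total"] > 0.5:
            reasons.append("majority of queries carry labels longer than %d chars" % long_label)
        if sum(s["entropies"]) / len(s["entropies"]) >= min_entropy:
            reasons.append("mean subdomain entropy >= %.1f bits/char" % min_entropy)
        if len(s["subs"]) >= min_unique:
            reasons.append("%d distinct subdomains queried" % len(s["subs"]))
        if len(reasons) >= 2:
            suspects[base] = reasons
    return suspects


if __name__ == "__main__":
    for domain, reasons in find_tunnel_suspects(SAMPLE_LOG).items():
        print(domain, "->", "; ".join(reasons))
```

Requiring two independent indicators is what keeps the benign-but-odd traffic the article mentions (legitimate services that also use DNS for signalling) from drowning the analyst: a CDN with many short, low-entropy hostnames trips only the unique-subdomain count, while a single long debug record trips only the label-length test. Tune the thresholds against a baseline of the network's own resolver logs before acting on the output.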
55 Cyber Warnings E-Magazine October 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide