13 Signs that bad guys are using DNS Exfiltration to steal your data

by Security Dude

dns-packet-exchange-step4

Picture

13 Signs that bad guys are using DNS Exfiltration to steal your data

UDP 53 Indicators of Exfiltration

  • encrypted payloads
  • MD5, SHA1, SHA256 hashed subdomains
  • lots of requests to restricted domain
  • lots of requests to one domain
  • lots of requests to fast flux domains
  • plain text requests of subdomains
  • DNS replies have private addresses
  • DNS replies have single IP address
  • lots of DNS traffic going to bad guy country
  • DNS replies have patterned encoding
  • Packet size outside the normal distribution
  • Pattern of many requests to specific domains in round robin pattern
  • Spike in DNS byte count across normal traffic patterns

Packet Capture Creation

tcpdump -i en1 -w dns-file udp dst port 53

Screen Shot 2012-12-06 at 11.55.00 AM

Python DNS Data Exfiltration Tool

https://github.com/bigsnarfdude/DFTP

Data Exfiltration SME job

http://www.acrg-llc.com/intelligence/jobs/data-exfiltration-sme/

Ruby Exfil

http://scilspace.com/content/data-exfiltration-over-dns

C Exfil

http://code.kryo.se/iodine/

DNS RFC (not Real Fried Chicken)

http://pydns.sourceforge.net/docs.html

Detection Tool

http://dspace.udel.edu:8080/dspace/bitstream/handle/19716/5838/Tyrell_Fawcett_thesis.pdf?sequence=1

DNS Exfil Tool

http://code.google.com/p/dnscapy/

DNS Tunnelling

http://dnstunnel.de/

 

More Reading

http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple

http://blog.spiderlabs.com/2012/12/pcap-files-are-great-arnt-they.html

About these ads