13 Signs that bad guys are using DNS Exfiltration to steal your data
by Security Dude
UDP 53 Indicators of Exfiltration
- Encrypted payloads carried in query names
- Subdomains that look like MD5, SHA1 or SHA256 hex digests
- Many requests to a restricted domain
- Many requests to one single domain
- Many requests to fast flux domains
- Plain text data visible in subdomain labels
- DNS replies containing private (RFC 1918) addresses
- DNS replies that always contain a single IP address
- Large volumes of DNS traffic going to a bad guy country
- DNS replies with patterned encoding
- Packet sizes outside the normal distribution
- Many requests to a fixed set of domains in a round robin pattern
- Spike in DNS byte count relative to the normal traffic pattern
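The following is an added example, not code from the original post, showing how several of the indicators above can be scored over DNS query/response records once they have been pulled out of a capture. The record tuples, the baseline packet sizes, the `exfil.example` and `corp.example` names and all thresholds are constructed for illustration; the hex labels are the well-known MD5 test digest of "hello" and a hand-made 40-hex string. It covers hashed subdomains, high-entropy labels, request volume to one domain with a single answer, private addresses in replies for non-internal zones, and packet-size outliers against a learned baseline.

```python
"""Heuristic scoring of DNS records against common exfiltration indicators.

Added example; not code from the original post. Input is a list of
(client, qname, packet_len, answer) tuples, which you would extract from a
capture with the parser of your choice. All data below is constructed.
"""
import ipaddress
import math
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Hex digest lengths for MD5 (32), SHA1 (40) and SHA256 (64)
HASH_LABEL = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")

# RFC 1918 ranges: an external name resolving here is suspicious
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Zones where private answers are expected (assumption: your own internal zones)
INTERNAL_ZONES = ("corp.example",)

# Constructed baseline of UDP/53 packet sizes observed during a quiet period
BASELINE_LENS = [31, 32, 33, 33, 33, 34, 34, 35, 36, 38, 40, 42, 45, 48, 30, 29]

# Constructed records: (client, qname, packet_len, answer)
SAMPLE_RECORDS = [
    ("10.0.0.5", "www.example.com", 33, "93.184.216.34"),
    ("10.0.0.5", "mail.example.com", 34, "93.184.216.35"),
    ("10.0.0.6", "api.example.com", 33, "93.184.216.36"),
    ("10.0.0.7", "cdn.example.net", 35, "198.51.100.10"),
    ("10.0.0.7", "static.example.net", 32, "198.51.100.11"),
    ("10.0.0.8", "www.example.org", 34, "203.0.113.5"),
    ("10.0.0.8", "blog.example.org", 33, "203.0.113.6"),
    ("10.0.0.5", "time.example.edu", 31, "192.0.2.50"),
    ("10.0.0.6", "intranet.corp.example", 33, "10.1.2.3"),   # private answer, but internal zone
    ("10.0.0.9", "www.example.com", 34, "93.184.216.34"),
    # One client, one domain, hash-like and high-entropy labels, same private answer every time
    ("10.0.0.9", "5d41402abc4b2a76b9719d911017c592.exfil.example", 66, "10.99.0.1"),  # md5("hello")
    ("10.0.0.9", "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.exfil.example", 74, "10.99.0.1"),
    ("10.0.0.9", "nbswy3dpeb3w64tmmqqgc3tenfxgo2lomnswy3tt.exfil.example", 70, "10.99.0.1"),
    ("10.0.0.9", "krugkidrovuwg2zameqgs3teeeqhe4tmqnqtuzlbmy.exfil.example", 72, "10.99.0.1"),
    ("10.0.0.9", "ifaucrkcijhuccmatwovrfvgz4ozlcbo4psmleopn.exfil.example", 68, "10.99.0.1"),
    ("10.0.0.9", "0123456789abcdef0123456789abcdef01234567.exfil.example", 69, "10.99.0.1"),
]


def registered_domain(qname):
    """Crude registrable-domain guess: the last two labels (no public suffix list here)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def label_entropy(label):
    """Shannon entropy of a label in bits per character; encoded payloads score high."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_hashed(label):
    return bool(HASH_LABEL.match(label.lower()))


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def analyze(records, baseline_lens=BASELINE_LENS, volume_threshold=5,
            entropy_threshold=3.5, z_threshold=3.0, internal_zones=INTERNAL_ZONES):
    """Return {indicator: sorted list of offending qnames or domains}."""
    findings = defaultdict(set)
    mu, sigma = mean(baseline_lens), pstdev(baseline_lens)
    per_domain = defaultdict(list)
    for client, qname, plen, answer in records:
        labels = qname.rstrip(".").lower().split(".")
        domain = registered_domain(qname)
        per_domain[domain].append(answer)
        for label in labels[:-2]:  # only inspect labels below the registrable domain
            if looks_hashed(label):
                findings["hashed_subdomain"].add(qname)
            elif label_entropy(label) >= entropy_threshold:
                findings["high_entropy_label"].add(qname)
        if answer and is_rfc1918(answer) and domain not in internal_zones:
            findings["private_answer"].add(domain)
        if sigma and (plen - mu) / sigma > z_threshold:
            findings["size_outlier"].add(qname)
    for domain, answers in per_domain.items():
        if len(answers) >= volume_threshold:
            findings["volume"].add(domain)
            if len(set(answers)) == 1:  # every reply carries the same single address
                findings["single_answer"].add(domain)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for indicator, hits in analyze(SAMPLE_RECORDS).items():
        print(f"{indicator}: {hits}")
```

The baseline for packet sizes is learned separately from the traffic being scored on purpose: computing mean and deviation over a window that already contains the tunnel inflates the deviation and hides the outliers. The private-answer check is gated on an allowlist of internal zones, since your own split-horizon names legitimately resolve to RFC 1918 space.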
Packet Capture Creation
tcpdump -i en1 -w dns-file udp dst port 53
Note that this filter keeps only traffic sent to port 53 (the queries); the indicators above that look at replies (private addresses, single IP answers, patterned encoding) need the responses too, which a filter of udp port 53 would also capture.
Python DNS Data Exfiltration Tool
https://github.com/bigsnarfdude/DFTP
Data Exfiltration SME job
http://www.acrg-llc.com/intelligence/jobs/data-exfiltration-sme/
Ruby Exfil
http://scilspace.com/content/data-exfiltration-over-dns
C Exfil
DNS RFC (not Real Fried Chicken)
http://pydns.sourceforge.net/docs.html
Detection Tool
http://dspace.udel.edu:8080/dspace/bitstream/handle/19716/5838/Tyrell_Fawcett_thesis.pdf?sequence=1
DNS Exfil Tool
http://code.google.com/p/dnscapy/
DNS Tunnelling
More Reading
http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple
http://blog.spiderlabs.com/2012/12/pcap-files-are-great-arnt-they.html