DNS Tunneling

From ICANNWiki
'''DNS tunneling''' refers to the manipulation of the DNS protocol to direct malicious traffic past an organization’s defenses. Using malicious domains and DNS servers, an attacker can use DNS to evade network security to exfiltrate data.
 
==Overview==
An attacker can use DNS requests to implement a command and control channel for malware because organizations generally allow DNS traffic to pass through their firewalls. Inbound DNS traffic (responses) carries commands to the malware, and outbound DNS traffic (queries) exfiltrates data or responds to the malware operator's requests; both are directed to attacker-controlled DNS servers.
 
==Paths==
# DNS tunneling malware encodes data within a requested domain name, for instance, in the subdomain.
# Sudden surges in DNS requests occur because
:# the attacker owns the target domain, and the DNS requests go to the attacker’s DNS server
:# the attacker needs many malicious DNS requests to exfiltrate data or implement a command and control attack due to the character limit on domain names.<ref>[https://www.checkpoint.com/cyber-hub/network-security/what-is-dns-tunneling/ DNS Tunneling, Check Point]</ref>
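As an added example (not part of the ICANNWiki page or of any vendor's tool), the following Python heuristic flags both indicators above over a constructed query log: long, high-entropy subdomain labels, and a burst of such queries to a single domain. The domain names, client addresses and thresholds are invented for illustration; a production detector would also use the public suffix list and a time window.

```python
import math
from collections import defaultdict

# Constructed sample query log, one "<timestamp> <client> <qname>" per line (not real traffic).
SAMPLE_LOG = """\
1625000000 10.0.0.5 www.example.com
1625000001 10.0.0.5 mail.example.com
1625000002 10.0.0.7 n3d2m9kq7zv4l1x0p8wbc5h6aeturjy2fgs.tunnel-test.invalid
1625000003 10.0.0.7 u1x8qk2r9zb7tn4ls0wcv6hm3pd5gyjf.tunnel-test.invalid
1625000004 10.0.0.7 zq6lc2n9xj0wv4ht8kb1mr7pd3syaue5gf.tunnel-test.invalid
1625000005 10.0.0.7 b9s3kd0hf2mw7pz5ec1tn8jv6rq4uxyla.tunnel-test.invalid
1625000006 10.0.0.5 cdn.example.com
"""

LABEL_MAX = 63   # RFC 1035: a single label is at most 63 octets
NAME_MAX = 253   # RFC 1035: a full domain name is at most 253 characters

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded/random-looking data scores high (roughly 4-5)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude last-two-label grouping (assumption: a real tool would use the public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_queries(log_text: str, min_queries=3, min_entropy=3.5, min_sub_len=30):
    """Return {domain: stats} for domains whose query pattern looks like tunneling."""
    per_domain = defaultdict(lambda: {"queries": 0, "high_entropy": 0, "long_sub": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].lower()
        if len(qname) > NAME_MAX or any(len(lab) > LABEL_MAX for lab in qname.split(".")):
            continue  # malformed name; a resolver would reject it anyway
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        st = per_domain[dom]
        st["queries"] += 1
        if shannon_entropy(sub.replace(".", "")) >= min_entropy:
            st["high_entropy"] += 1
        if len(sub) >= min_sub_len:
            st["long_sub"] += 1
    # Flag only domains with a burst of queries where most carry high-entropy subdomains
    return {d: s for d, s in per_domain.items()
            if s["queries"] >= min_queries and s["high_entropy"] >= min_queries}
```

Running `score_queries(SAMPLE_LOG)` flags only `tunnel-test.invalid`; the ordinary `example.com` lookups stay below both thresholds.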
 
==Hackers Relying on DNS Tunneling==
* [[OilRig]] - Unit 42, of [[Palo Alto Networks]], revealed that Iran-linked cyberespionage group OilRig began broadly and persistently using DNS tunneling in 2017.<ref>[https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/ DNS Tunneling in the Wild]</ref><ref>[https://www.securityweek.com/iranian-hackers-heavily-reliant-dns-tunneling Iranian hackers use DNS Tunneling, Security Week]</ref>
* [[Greenbug]] - In 2017, [[Symantec]] discovered the Greenbug cyberespionage group during its investigation into [[Shamoon]] attacks against energy companies in Saudi Arabia in 2012.<ref>[https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=dbb48763-8f17-49c7-8c09-813e97a62b37&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments Symantec Library]</ref>
 
==References==


[[Category:DNS Abuse]]

Latest revision as of 20:30, 13 July 2021