DNS Tunneling
Revision as of 20:07, 13 July 2021
DNS tunneling refers to the abuse of the DNS protocol to carry traffic, commands in one direction and data in the other, past an organization's defenses. Because nearly every network allows DNS through its firewall, an attacker who controls a domain and its authoritative DNS server can use ordinary queries and responses to evade network security controls and exfiltrate data.
Overview
An attacker can use DNS requests to implement a command and control channel for malware because organizations allow DNS traffic to pass through their firewalls, usually without inspecting it. The infected host never needs a direct connection to the attacker: its queries for names under the attacker's domain are forwarded by the organization's own recursive resolver to the attacker's authoritative DNS server, which reads the data encoded in each query. Outbound queries therefore carry exfiltrated data or replies to the malware operator's requests, and the inbound responses (for example TXT, CNAME or NULL records) carry commands back to the malware.
Paths
- DNS tunneling malware encodes data within the requested domain name, typically as one or more subdomain labels under the attacker's domain, using an encoding such as base32 or hex because DNS names are case-insensitive and allow only a small character set.
- The traffic shows up as sudden surges of requests to a single domain because
  - the attacker owns the target domain, so every request for a name under it is eventually delivered to the attacker's DNS server, and
  - the attacker needs many malicious DNS requests to exfiltrate data or run a command and control channel, since each label is limited to 63 characters and a full domain name to 253.[1]
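The two points above, the encoding of data into subdomain labels and the surge of distinct queries that results from the length limits, are shown together in the following added example. It is illustrative code written for this page, not code from any tool, malware family or actor the page mentions. It assumes a hypothetical attacker zone `c2.example`, a constructed resolver log in the form `<client_ip> <qname>`, and approximates the registered domain as the last two labels of a name; all three are assumptions made for the example.

```python
"""Added example: how a DNS tunnel splits data across query names, and a
detection heuristic run over constructed resolver-log lines."""
import base64
from collections import defaultdict

# Hypothetical attacker-controlled zone for the example (assumption, not a real C2 domain).
TUNNEL_ZONE = "c2.example"

# RFC 1035 limits: a label is at most 63 octets and a full name at most 253
# octets in text form. These limits are why one message needs many queries.
MAX_LABEL = 63
MAX_NAME = 253


def encode_chunks(payload, zone=TUNNEL_ZONE, labels_per_query=3):
    """Malware side: split payload into query names <seq>.<data>...<data>.<zone>.

    Data labels are base32 (DNS is case-insensitive and only a small character
    set is safe in labels, so base64 would be corrupted by resolvers).
    """
    text = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    per_query = MAX_LABEL * labels_per_query
    names = []
    for seq, start in enumerate(range(0, len(text), per_query)):
        piece = text[start:start + per_query]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        name = ".".join(["%04x" % seq] + labels + [zone])
        if len(name) > MAX_NAME:
            raise ValueError("query name exceeds 253 octets; use fewer labels per query")
        names.append(name)
    return names


def decode_queries(names, zone=TUNNEL_ZONE):
    """Attacker's authoritative server side: reorder by sequence label and decode."""
    suffix = "." + zone
    pieces = {}
    for name in names:
        if not name.endswith(suffix):
            continue                      # not ours; a real server would answer normally
        labels = name[:-len(suffix)].split(".")
        pieces[int(labels[0], 16)] = "".join(labels[1:])
    text = "".join(pieces[k] for k in sorted(pieces)).upper()
    text += "=" * (-len(text) % 8)        # restore base32 padding
    return base64.b32decode(text)


def flag_tunnels(log_lines, min_queries=20, min_unique_ratio=0.9, min_label=40):
    """Defender side: flag registered domains showing the surge pattern from the
    text: many queries, almost all for distinct names, carrying long labels.

    Log line format is an assumption made for this example: '<client_ip> <qname>'.
    The registered domain is approximated as the last two labels (assumption;
    a production rule would use the public suffix list).
    """
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "max_label": 0})
    for line in log_lines:
        _client, qname = line.split()
        labels = qname.rstrip(".").split(".")
        base = ".".join(labels[-2:])
        s = stats[base]
        s["queries"] += 1
        s["names"].add(qname)
        for label in labels[:-2]:
            s["max_label"] = max(s["max_label"], len(label))
    hits = []
    for base, s in stats.items():
        ratio = len(s["names"]) / s["queries"]
        if s["queries"] >= min_queries and ratio >= min_unique_ratio and s["max_label"] >= min_label:
            hits.append(base)
    return sorted(hits)


# Constructed sample data: 80 fake records the malware wants to exfiltrate (2800 bytes).
SECRET = b"".join(b"row %03d: sample exfiltrated record\n" % i for i in range(80))

# Constructed resolver log: benign repeated lookups plus the tunnel's queries.
SAMPLE_LOG = (
    ["10.0.0.5 www.example.com"] * 30
    + ["10.0.0.7 mail.example.org"] * 15
    + ["10.0.0.9 " + n for n in encode_chunks(SECRET)]
)

if __name__ == "__main__":
    queries = encode_chunks(SECRET)
    print("%d bytes need %d queries" % (len(SECRET), len(queries)))
    print("round trip ok:", decode_queries(queries) == SECRET)
    print("flagged:", flag_tunnels(SAMPLE_LOG))
```

With three 63-character labels per query, 2,800 bytes of records become 24 distinct queries under one domain, which is exactly the burst of unique, long-label names that `flag_tunnels` keys on; the 30 repeated lookups of `www.example.com` are not flagged because almost all of them are for the same name. Thresholds such as `min_queries` and `min_label` are starting points, and a real rule should also account for legitimate high-cardinality domains such as CDN and anti-virus lookup services.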
Hackers Rely on DNS Tunneling
- OilRig - Unit 42, of Palo Alto Networks, revealed that the Iran-linked cyber-espionage group OilRig broadly and persistently uses DNS tunneling across its toolset.[2][3]

References
1. DNS Tunneling, Check Point. https://www.checkpoint.com/cyber-hub/network-security/what-is-dns-tunneling/
2. DNS Tunneling in the Wild: Overview of OilRig's DNS Tunneling, Unit 42. https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/
3. Iranian hackers use DNS Tunneling, SecurityWeek. https://www.securityweek.com/iranian-hackers-heavily-reliant-dns-tunneling