Define "good" - and name one IDS/IPS that will detect C2 over DNS in the general case. I am unaware of any, and would love to know about one, even if I (that is, my company) can't afford it. That would mean that we're well on the way to solving the problem.
Unfortunately, changing DNS encoding is trivially easy for the attacker. AFAIK, the only really good indicator is the newness of the domain - most malware domains are short-lived, as the IDS/IPS vendors discover them and add them to blacklists. For some interesting reading, these links are useful for understanding the problem:

https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
http://info.opendns.com/rs/opendns/images/OpenDNS_SecurityWhitepaper-DNSRoleInBotnets.pdf

There are lots more, of course.

Kurt

On Sat, Oct 17, 2015 at 7:05 PM, Erik Goldoff <[email protected]> wrote:
> seems to me that a good IPS system should detect and block this method, or
> am I way off base ?
>
> On Sat, Oct 17, 2015 at 9:53 PM, Andrew S. Baker <[email protected]> wrote:
>
>> Most SMBs? Larger orgs will be equally at a loss.
>>
>> The key in this case is to prevent or quickly detect the initial
>> breach/compromise, because once a machine on the inside is compromised,
>> preventing it from spreading will be much, much harder.
>>
>> ASB  http://XeeMe.com/AndrewBaker
>> Providing Virtual CIO Services (IT Operations & Information Security)
>> for the SMB market…
>> GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A
>>
>> On Fri, Oct 16, 2015 at 10:59 PM, Richard Stovall <[email protected]> wrote:
>>
>>> I had not heard of this before.
>>>
>>> https://zeltser.com/c2-dns-tunneling/
>>>
>>> How in the world can most SMBs ever begin to beat back this kind of
>>> stuff?
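Kurt's point above, that encoding is trivial for an attacker to change while domain newness is the stronger signal, turned into a small triage script over DNS query logs; this is an added example, not code from the thread or from any of the linked papers. It assumes a hypothetical four-field query-log format ("<ts> <client> <qtype> <qname>"), constructed log lines, and a constructed domain-age table standing in for a passive-DNS or registration feed.

```python
import math
from collections import defaultdict

# Constructed sample query log (hypothetical "<ts> <client> <qtype> <qname>"
# format); the tunnel-like names under example.net are made up for this demo.
SAMPLE_LOG = """\
1445123401 10.0.0.5 A www.example.com
1445123402 10.0.0.5 TXT abcdefghijklmnopqrstuvwxyz234567abcdefghijkl.t.example.net
1445123403 10.0.0.5 TXT zyxwvutsrqponmlkjihgfedcba765432zyxwvutsrqpo.t.example.net
1445123404 10.0.0.7 A mail.example.com
1445123405 10.0.0.5 TXT mnopqrstuvwxyzabcdefghijkl234567mnopqrstuvwx.t.example.net
1445123406 10.0.0.5 TXT qrstuvwxyz234567abcdefghijklmnopqrstuvwxyzab.t.example.net
"""

# Constructed domain-age table (days since first seen). A real deployment
# would query a passive-DNS or registration-date feed here.
FIRST_SEEN_DAYS = {"example.com": 4000, "example.net": 3}

def shannon_entropy(s):
    """Bits per character; encoded payloads score near log2(alphabet size)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """Return (leftmost label, registered domain). Crude two-label rule;
    a real tool should use the public suffix list instead."""
    parts = qname.rstrip(".").split(".")
    return (parts[0] if len(parts) > 2 else ""), ".".join(parts[-2:])

def score_queries(log_text, first_seen=FIRST_SEEN_DAYS, new_days=30):
    """Aggregate per registered domain; return the reasons each was flagged.
    Length/entropy/record-type checks are easy to evade by re-encoding;
    the domain-age check is the one Kurt's message calls the real indicator."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "labels": []})
    for line in filter(str.strip, log_text.splitlines()):
        _ts, _client, qtype, qname = line.split()
        label, dom = split_name(qname)
        rec = stats[dom]
        rec["total"] += 1
        rec["txt"] += qtype in ("TXT", "NULL")   # record types tunnels favour
        if label:
            rec["labels"].append(label)
    findings = {}
    for dom, rec in stats.items():
        n = len(rec["labels"])
        avg_len = sum(len(l) for l in rec["labels"]) / n if n else 0
        avg_ent = sum(shannon_entropy(l) for l in rec["labels"]) / n if n else 0
        reasons = []
        if avg_len > 30: reasons.append("long subdomains")
        if avg_ent > 3.5: reasons.append("high entropy")
        if rec["txt"] / rec["total"] > 0.5: reasons.append("TXT/NULL heavy")
        if first_seen.get(dom, 0) < new_days: reasons.append("newly seen domain")
        findings[dom] = reasons
    return findings
```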
