If anyone is interested in this topic, I wrote a report about DNS tunneling and some practical ways to identify and stop it, as part of a security class at the University of Calgary. The research was done in 2012, but most of it should still be applicable today. The paper and notes are available here [1], [2].
[1] https://www.scribd.com/doc/285742893/Identifying-and-Blocking-DNS-Tunnels
[2] https://www.scribd.com/doc/285742920/DNS-Tunneling-Slides-With-Notes

From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
Sent: Sunday, October 18, 2015 10:57 AM
To: ntsysadm <[email protected]>
Subject: Re: [NTSysADM] C2 tunneling over DNS

I would argue that you could develop signatures for identifying it, so IPS vendors should be able to do this without too much difficulty. Still, the real issue is to prevent the original infection, which likely used a more prevalent vector.

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…
GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A

On Sat, Oct 17, 2015 at 10:05 PM, Erik Goldoff <[email protected]> wrote:

Seems to me that a good IPS system should detect and block this method, or am I way off base?

On Sat, Oct 17, 2015 at 9:53 PM, Andrew S. Baker <[email protected]> wrote:

Most SMBs? Larger orgs will be equally at a loss. The key in this case is to prevent or quickly detect the initial breach/compromise, because once a machine on the inside is compromised, preventing it from spreading will be much, much harder.

ASB

On Fri, Oct 16, 2015 at 10:59 PM, Richard Stovall <[email protected]> wrote:

I had not heard of this before. https://zeltser.com/c2-dns-tunneling/

How in the world can most SMBs ever begin to beat back this kind of stuff?
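As an added illustration of the "develop signatures for identifying it" point made in the thread (this is my own example, not code from the thread or from the linked paper): a small Python heuristic that scores DNS query logs for tunnel-like names by label length, subdomain entropy, unusual record types, and the number of distinct names seen under one base domain. The log format, the thresholds and the sample lines are assumptions constructed for the demo.

```python
import math
from collections import Counter, defaultdict

# Thresholds are assumptions for this demo; tune them against your own baseline traffic.
LONG_LABEL, HIGH_ENTROPY, MIN_UNIQUE = 20, 3.5, 3
SUSPECT_TYPES = {"TXT", "NULL", "CNAME"}
# Constructed sample log (client qtype qname), not real traffic: benign lookups
# plus tunnel-style queries to a made-up domain.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 TXT 3q2t4bk5dvn3zj7yqm2xw5g.k4z9vq2e.c2.example.net
10.0.0.7 TXT 9hdk2ma7lqzg8c6tn2bxp4v.r7w1xm3a.c2.example.net
10.0.0.7 TXT x8cn5ldq3wr1hj6vt9bmk2s.f5q2ya8p.c2.example.net
"""

def shannon_entropy(s):  # bits per character, 0.0 for an empty string
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def base_domain(qname):  # last two labels; a real deployment should use the Public Suffix List
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def score_query(qtype, qname):  # per-query signatures that fired, in a fixed order
    labels = qname.rstrip(".").lower().split(".")
    sub = "".join(labels[:-2])  # everything left of the base domain
    reasons = []
    if max(len(label) for label in labels) >= LONG_LABEL:
        reasons.append("long-label")
    if len(sub) >= 16 and shannon_entropy(sub) >= HIGH_ENTROPY:
        reasons.append("high-entropy")
    if qtype.upper() in SUSPECT_TYPES:
        reasons.append("qtype-" + qtype.upper())
    return reasons

def analyze(log_text):  # aggregate per base domain; flag many unique, signature-heavy names
    report = defaultdict(lambda: {"names": set(), "flags": Counter()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _client, qtype, qname = parts
        entry = report[base_domain(qname)]
        entry["names"].add(qname.lower())
        entry["flags"].update(score_query(qtype, qname))
    for entry in report.values():
        entry["unique_names"] = len(entry.pop("names"))
        content_hit = any(entry["flags"][k] for k in ("long-label", "high-entropy"))
        entry["suspicious"] = entry["unique_names"] >= MIN_UNIQUE and content_hit
    return dict(report)
```

Per-domain aggregation matters because a single long or high-entropy name is common in legitimate CDN and anti-spam lookups; a stream of many distinct such names under one domain is the stronger signal.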
