You said in the papers that you found a way, using some functionalities open by RPZ (ok, my interpretation of a quick read), to block NULL records in BIND. Care to give more information on how to do it?
From: [email protected] [mailto:[email protected]] On Behalf Of Abhi Jalan
Sent: 18 October 2015 11:25
To: [email protected]
Subject: RE: [NTSysADM] C2 tunneling over DNS

If anyone is interested in this topic, I wrote a report about DNS tunneling and some practical ways to identify and stop it, as part of a security class at the University of Calgary. The research was done in 2012, but most of it should still be applicable today. The paper and notes are available here [1], [2].

[1] https://www.scribd.com/doc/285742893/Identifying-and-Blocking-DNS-Tunnels
[2] https://www.scribd.com/doc/285742920/DNS-Tunneling-Slides-With-Notes

From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
Sent: Sunday, October 18, 2015 10:57 AM
To: ntsysadm <[email protected]>
Subject: Re: [NTSysADM] C2 tunneling over DNS

I would argue that you could develop signatures for identifying it, so IPS vendors should be able to do this without too much difficulty. Still, the real issue is to prevent the original infection, which likely used a more prevalent vector.

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…
GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A

On Sat, Oct 17, 2015 at 10:05 PM, Erik Goldoff <[email protected]> wrote:
Seems to me that a good IPS system should detect and block this method, or am I way off base?

On Sat, Oct 17, 2015 at 9:53 PM, Andrew S. Baker <[email protected]> wrote:
Most SMBs? Larger orgs will be equally at a loss. The key in this case is to prevent or quickly detect the initial breach/compromise, because once a machine on the inside is compromised, preventing it from spreading will be much, much harder.

ASB

On Fri, Oct 16, 2015 at 10:59 PM, Richard Stovall <[email protected]> wrote:
I had not heard of this before. https://zeltser.com/c2-dns-tunneling/ How in the world can most SMBs ever begin to beat back this kind of stuff?

Confidentiality Warning: This message, including any attachment, is sent only for the use of the intended recipient; it is confidential and may constitute privileged information. If you are not the intended recipient, you are hereby notified that any printing, copying, distribution or other use of this message is strictly prohibited. If you have received this email in error, please notify the sender immediately by return email, and delete it. Thank you!
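Andrew Baker's point above, that signatures for DNS tunneling can be developed, illustrated with an added example that is not from any post in this thread or from the cited paper: a small scorer over constructed BIND-style query-log lines that flags domains receiving repeated queries with tunneling hallmarks (NULL/TXT query types, long high-entropy labels). The log format, domain names, client addresses and thresholds are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample lines in a BIND-style query-log format (not taken from the thread):
# one host doing ordinary lookups, one sending hex-encoded NULL/TXT queries to one domain.
SAMPLE_LOG = """\
18-Oct-2015 11:25:03.101 client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)
18-Oct-2015 11:25:04.007 client 10.0.0.9#41001: query: 7a9f3c1e0b4d8e2f6a1c5b9d3e7f2a4c.t.tunnel.example IN NULL + (10.0.0.1)
18-Oct-2015 11:25:04.233 client 10.0.0.9#41002: query: 5e2b8c7d1a9f4e3b6c0d2a8e1f7b3c9d.t.tunnel.example IN NULL + (10.0.0.1)
18-Oct-2015 11:25:04.501 client 10.0.0.9#41003: query: 9c4d1e7a3b2f8e6d0a5c1b7e4f9d2a3c.t.tunnel.example IN TXT + (10.0.0.1)
"""
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def shannon_entropy(s):
    # Bits per character: encoded payloads score far higher than real hostnames.
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_query_log(text):
    # Yield (client, qname, qtype) for each line that looks like a query-log entry.
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname"), m.group("qtype")

def score_query(qname, qtype):
    # Return the tunneling hallmarks one query exhibits (thresholds are assumptions).
    longest = max(qname.rstrip(".").split("."), key=len)
    reasons = []
    if qtype in ("NULL", "TXT"):        # record types that carry arbitrary bytes
        reasons.append(f"{qtype} qtype")
    if len(longest) > 30:               # real hostnames are rarely this long
        reasons.append("long label")
    if shannon_entropy(longest) > 3.5:  # hex/base32 payload rather than words
        reasons.append("high-entropy label")
    return reasons

def flag_tunnel_domains(text, min_hits=2):
    # Group by registered domain and flag those receiving repeated suspicious queries.
    stats = defaultdict(lambda: {"queries": 0, "suspicious": 0, "reasons": set()})
    for _client, qname, qtype in parse_query_log(text):
        domain = ".".join(qname.rstrip(".").split(".")[-2:])  # crude; use a public-suffix list in production
        stats[domain]["queries"] += 1
        reasons = score_query(qname, qtype)
        if len(reasons) >= 2:  # a single hallmark alone is common in benign traffic
            stats[domain]["suspicious"] += 1
            stats[domain]["reasons"].update(reasons)
    return {d: s for d, s in stats.items() if s["suspicious"] >= min_hits}
```

Calling `flag_tunnel_domains(SAMPLE_LOG)` returns only `tunnel.example`, with all three of its queries counted as suspicious; on a real resolver log, tune the thresholds against a baseline of known-good traffic before alerting.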
