Practical Comprehensive Bounds on Surreptitious Communication over DNS

DNS queries represent one of the most common forms of network traffic, and likely the least blocked by sites. As such, DNS provides a highly attractive channel for attackers who wish to communicate surreptitiously across a network perimeter, and indeed a variety of tunneling toolkits exist [7, 10, 13-15]. We develop a novel measurement procedure that fundamentally limits the amount of information a domain can receive surreptitiously through DNS queries to an upper bound specified by a site's security policy; the exact setting represents a tradeoff between the scope of potential leakage and the number of possible detections that a site's analysts must investigate. Because it is rooted in lossless compression, our measurement procedure is free from false negatives: it covers conventional tunnels that embed the payload in the query names, tunnels that repeatedly query a fixed alphabet of domain names or vary the query type, tunnels that embed information in query timing, and communication that combines these. In an analysis of 230 billion lookups from real production networks, our procedure detected 59 confirmed tunnels. For the enterprise datasets with lookups by individual clients, detecting surreptitious communication that exceeds 4 kB/day imposes an average analyst burden of 1-2 investigations/week.
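The following is an added illustration of the compression-based bounding idea the abstract describes; it is not the paper's code, and the paper's actual encoding and datasets differ. It assumes a constructed log format (`unix_ts client qname qtype`), takes the last two labels as the "registered domain" (a real deployment would use the public suffix list), quantises inter-query gaps into log2 millisecond buckets as the timing-channel encoding, and uses zlib as the compressor. The key property it demonstrates is the one that yields no false negatives: any query stream that actually conveys more than B bytes to the domain cannot compress below B bytes, so a weaker compressor only loosens the bound, never hides a tunnel. The 4 kB/day policy value is the one quoted in the abstract; the traffic is synthetic.

```python
"""Per-client, per-domain, per-day upper bound on information carried by DNS queries.

Added example (not the paper's code). Assumptions, not from the paper: the log
format, last-two-labels registered domain, log2-bucketed timing, zlib compressor.
"""
import math
import random
import zlib
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Query = Tuple[float, str, str, str]  # (unix_ts, client, qname, qtype)

# Constructed benign traffic (not from any real dataset).
BENIGN_LOG = """\
1600000000.000 10.0.0.5 www.example.com A
1600000001.000 10.0.0.5 www.example.com AAAA
1600000060.000 10.0.0.5 mail.example.com A
1600000120.000 10.0.0.5 www.example.com A
1600000180.000 10.0.0.5 www.example.com A
1600000200.000 10.0.0.5 cdn.example.net A
"""


def synthesize_tunnel(client: str, domain: str, n: int, label_hex: int = 40, seed: int = 7) -> str:
    """Constructed tunnel-like traffic: pseudo-random hex payload in the query name,
    queries 2-8 s apart. The encoding is an assumption standing in for a real toolkit."""
    rng = random.Random(seed)
    ts = 1600000000.0
    lines = []
    for _ in range(n):
        ts += rng.uniform(2, 8)
        payload = "".join(rng.choice("0123456789abcdef") for _ in range(label_hex))
        lines.append(f"{ts:.3f} {client} {payload}.{domain} TXT")
    return "\n".join(lines) + "\n"


def parse_log(text: str) -> List[Query]:
    out: List[Query] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        out.append((float(ts), client, qname.lower().rstrip("."), qtype.upper()))
    return out


def registered_domain(qname: str) -> str:
    """Assumption: the last two labels. A deployment would consult the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def gap_bucket(seconds: float) -> int:
    # log2 bucket of the inter-query gap in milliseconds (assumed quantisation).
    return int(math.log2(max(seconds, 0.0) * 1000 + 1))


def encode_stream(queries: Iterable[Query], domain: str) -> bytes:
    """Serialise everything the domain's authoritative server could learn from this
    client: subdomain labels, query type, and quantised timing, in arrival order."""
    parts = []
    prev = None
    for ts, _client, qname, qtype in sorted(queries):
        sub = "" if qname == domain else qname[: -len(domain) - 1]
        gap = 0 if prev is None else gap_bucket(ts - prev)
        prev = ts
        parts.append(f"{sub}\t{qtype}\t{gap}\n")
    return "".join(parts).encode()


def upper_bound_bytes(stream: bytes) -> int:
    """Compressed size upper-bounds the information the stream can carry."""
    return len(zlib.compress(stream, 9))


def daily_bounds(queries: List[Query]) -> Dict[Tuple[str, str, int], int]:
    """(client, registered domain, day number) -> upper bound in bytes."""
    groups: Dict[Tuple[str, str, int], List[Query]] = defaultdict(list)
    for q in queries:
        ts, client, qname, _ = q
        groups[(client, registered_domain(qname), int(ts // 86400))].append(q)
    return {key: upper_bound_bytes(encode_stream(qs, key[1])) for key, qs in groups.items()}


def flag(bounds: Dict[Tuple[str, str, int], int], policy_bytes_per_day: int = 4096):
    """Everything whose bound exceeds the site policy is an investigation for an analyst."""
    return sorted(key for key, b in bounds.items() if b > policy_bytes_per_day)


if __name__ == "__main__":
    log = BENIGN_LOG + synthesize_tunnel("10.0.0.9", "tun.example.org", 300)
    bounds = daily_bounds(parse_log(log))
    for key, b in sorted(bounds.items(), key=lambda kv: -kv[1]):
        print(f"{key[0]:<10} {key[1]:<14} day {key[2]}  <= {b} bytes")
    print("flagged:", flag(bounds))
```

Lowering `policy_bytes_per_day` widens what gets flagged at the cost of more benign high-volume domains (CDNs, anti-spam lookups) landing on the analyst queue, which is the leakage-versus-workload tradeoff the abstract refers to.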

[1] Paul Vixie et al. Extension Mechanisms for DNS (EDNS0). RFC 2671, 1999.

[2] Steven Gianvecchio et al. An Entropy-Based Approach to Detecting Covert Timing Channels. IEEE Transactions on Dependable and Secure Computing, 2011.

[3] Anestis Karasaridis et al. Detection of DNS Anomalies Using Flow Data Analysis. IEEE Globecom, 2006.

[4] Towards Quantification of Network-Based Information Leaks via HTTP. HotSec, 2008.

[5] David Dagon et al. Use of Bit 0x20 in DNS Labels to Improve Transaction Identity. 2008.

[6] Sandeep Yadav et al. Detecting Algorithmically Generated Malicious Domain Names. IMC, 2010.

[7] Vern Paxson et al. Empirically Derived Analytic Models of Wide-Area TCP Connections. IEEE/ACM Transactions on Networking, 1994.

[8] Kevin Borders et al. Quantifying Information Leaks in Outbound Web Traffic. IEEE Symposium on Security and Privacy, 2009.

[9] Sushil Jajodia et al. Model-Based Covert Timing Channels: Automated Modeling and Evasion. RAID, 2008.

[10] Boris Nechaev et al. Netalyzr: Illuminating the Edge Network. IMC, 2010.

[11] I. S. Moskowitz et al. Covert Channels: Here to Stay? COMPASS, 1994.

[12] Carla E. Brodley et al. IP Covert Timing Channels: Design and Detection. CCS, 2004.

[13] Kenton Born et al. Detecting DNS Tunnels Using Character Frequency Analysis. arXiv, 2010.

[14] Paul V. Mockapetris. Domain Names: Implementation and Specification. RFC 1035, 1987.

[15] Patrick Butler et al. Quantitatively Analyzing Stealthy Communication Channels. ACNS, 2011.