Combating Malicious DNS Tunnel

Author

  • Zheng Wang
Abstract

The Domain Name System (DNS) is a fundamental Internet infrastructure, which resolves billions of queries per day in support of global communications and commerce. The most common use of DNS is to map human-friendly domain names to machine-readable IP addresses. The DNS is designed on the client-server model: a stub resolver at the client side originates a DNS query for some query name, and an authoritative server at the server side responds with the requested mapping associated with that name. To simplify the client and enhance the scalability and efficiency of name resolution, the stub resolver commonly relies on a recursive resolver to traverse the DNS tree and return the final answer. The DNS is known to be susceptible to cache poisoning and man-in-the-middle attacks, so the major efforts devoted to securing DNS in the past two decades have focused on ensuring source authentication and data integrity (such as the DNSSEC initiatives), which are essential for the common use of DNS. As the DNS is taken for granted as an indispensable service for almost every Internet end user, it is also convenient for malicious use. An emerging misuse of DNS in recent years is the DNS tunnel. Unlike the common use of DNS, which aims at finding the mapping data associated with the query name of interest, the goal of a DNS tunnel is to use DNS as a communication stack between the querier and the responder. A DNS tunnel can be used for “command and control”, data exfiltration or tunneling of any Internet Protocol (IP) traffic. There are a variety of services that leverage DNS tunnels to convey specific information about their users to their providers. For example, Sophos [5] designs and maintains a protocol/framework, based on DNS transactions, to encode generic information about the threat and the detection. When a Sophos-enabled endpoint triggers a detection by a scanner and needs to look up the security services, it requests the sophosxl.net name servers using a specially crafted DNS query. The domain in the DNS query is generated to include all necessary information about the suspicious file. Then the endpoint adjusts its behavior according to the information
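The abstract's point is that a tunnel carries its payload inside the query name itself, so a defender's view of a tunnel is a stream of long, never-repeating, high-entropy labels under one domain. The script below is an added illustration of that observation and is not the paper's method or code: it screens constructed DNS query-log lines with a few per-query signals and then aggregates per registered domain, so that a single odd-looking but legitimate name is not flagged. All thresholds, the log lines, and the naive "last two labels" domain split are assumptions made for the demonstration.

```python
"""Heuristic screening of DNS query logs for tunnel-like traffic.

Added illustration, not code from the paper: a DNS tunnel must carry its
payload in the query name, so tunnelled queries tend to have long,
high-entropy labels, prefer record types with room for data in the
answer, and produce many never-repeated subdomains under one domain
(a repeated name would be answered from the resolver cache). All
thresholds and the log lines below are constructed assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log, one "<client> <qname> <qtype>" record per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.9 static-assets-prod.cdn.example.org A
10.0.0.7 7a3f9c1e4b8d2056.e91c47b3d8a2.tun.example.net TXT
10.0.0.7 b4d1e8f02c6a9735.5d0f8a2c7b1e.tun.example.net TXT
10.0.0.7 c0e5a92f61d38b74.3f7b9e1d4c6a.tun.example.net TXT
10.0.0.7 9e2b7f4a0d1c5836.8a6c3e0f2d9b.tun.example.net TXT
"""

# Illustrative thresholds (assumptions; tune against your own baseline).
LONG_SUBDOMAIN = 30            # total characters in the subdomain part
LONG_LABEL = 15                # characters in any single label
HIGH_ENTROPY = 2.5             # bits per character over the subdomain part
DATA_QTYPES = {"TXT", "NULL"}  # record types with room for payload in answers
MIN_REASONS = 2                # signals needed to call one query suspicious
MIN_UNIQUE = 3                 # suspicious distinct subdomains to flag a domain


def shannon_entropy(text):
    """Bits per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain, registered_domain).

    Naive last-two-labels rule for the demonstration; a real deployment
    would consult a public-suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (client, qname, qtype) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield tuple(parts)


def query_reasons(qname, qtype):
    """Return the list of tunnel indicators present in one query."""
    sub, _ = split_name(qname)
    reasons = []
    if len(sub) > LONG_SUBDOMAIN:
        reasons.append("long subdomain")
    if any(len(label) > LONG_LABEL for label in sub.split(".") if label):
        reasons.append("long label")
    if shannon_entropy(sub.replace(".", "")) > HIGH_ENTROPY:
        reasons.append("high entropy")
    if qtype.upper() in DATA_QTYPES:
        reasons.append("payload-capable qtype")
    return reasons


def find_tunnel_domains(records):
    """Aggregate per registered domain and keep those with enough distinct
    suspicious subdomains. Returns {domain: sorted suspicious subdomains}."""
    suspicious = defaultdict(set)
    for _client, qname, qtype in records:
        sub, domain = split_name(qname)
        if len(query_reasons(qname, qtype)) >= MIN_REASONS:
            suspicious[domain].add(sub)
    return {d: sorted(subs) for d, subs in suspicious.items()
            if len(subs) >= MIN_UNIQUE}


if __name__ == "__main__":
    for domain, subs in find_tunnel_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{domain}: {len(subs)} distinct suspicious subdomains")
        for s in subs:
            print("   ", s)
```

In the constructed log the one long CDN hostname under example.org trips two per-query signals on its own, but only example.net accumulates several distinct suspicious subdomains, which is why the aggregation step, rather than any single-query rule, is what separates a tunnel from an unusual but legitimate name.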


Related articles

Detecting Active Bot Networks Based on DNS Traffic Analysis

Abstract—One of the serious threats to cyberspace is the Bot networks or Botnets. Bots are malicious software that acts as a network and allows hackers to remotely manage and control infected computer victims. Given the fact that DNS is one of the most common protocols in the network and is essential for the proper functioning of the network, it is very useful for monitoring, detecting and redu...


GMAD: Graph-based Malware Activity Detection by DNS traffic analysis

Malicious activities on the Internet are one of the most dangerous threats to Internet users and organizations. Malicious software controlled remotely is addressed as one of the most critical methods for executing the malicious activities. Since blocking domain names for command and control (C&C) of the malwares by analyzing their Domain Name System (DNS) activities has been the most effective ...


EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis

The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way mapping between domain names and their numerical identifiers. Given its fundamental role, it is not surprising that a wide variety of malicious activities involve the domain name service in one way or another. For example, bots resolve DNS names to locate their command and control servers...


Building a Dynamic Reputation System for DNS

The Domain Name System (DNS) is an essential protocol used by both legitimate Internet applications and cyber attacks. For example, botnets rely on DNS to support agile command and control infrastructures. An effective way to disrupt these attacks is to place malicious domains on a “blocklist” (or “blacklist”) or to add a filtering rule in a firewall or network intrusion detection system. To ev...


Assessing the Real-World Dynamics of DNS

The DNS infrastructure is a key component of the Internet and is thus used by a multitude of services, both legitimate and malicious. Recently, several works demonstrated that malicious DNS activity usually exhibits observable dynamics that may be exploited for detection and mitigation. Clearly, reliable differentiation requires legitimate activity to not show these dynamics. In this paper, we ...



Journal:
  • CoRR

Volume: abs/1605.01401


Publication date: 2016