on robust covert channels inside dns
play

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron - PowerPoint PPT Presentation

Sep 16, 2022 •585 likes •784 views

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard Laboratoire dInformatique de Grenoble / INRIA Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 1 / 18 Introduction

  1. On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard Laboratoire d’Informatique de Grenoble / INRIA Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 1 / 18

  2. Introduction Many networks with restricted Internet access : Wireless access points in hotels and airports Censored Internet access in some countries Question : How can one get full Internet access ? Idea : Leverage one of the unfiltered protocols Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 2 / 18

  3. DNS ? DNS : perfect protocol ? (Almost) never filtered And cannot reply with wrong results because of cache But was not designed for tunnelling data Need to work around several DNS limitations Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 3 / 18

  4. DNS covert channels : principle Hide data into DNS requests and replies Communicate with a rogue DNS server on the Internet Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 4 / 18

  5. Existing implementations of DNS tunnelling Not a new idea : IP over DNS tunnels : NSTX Iodine TCP over DNS tunnels : OzymanDNS dns2tcp ⇒ Compromises between protocol compliance and efficiency Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 5 / 18

  6. DNS record types Example : > CNAME ? www.google.com . < q : CNAME ? www.google.com. www.google.com. CNAME www.l.google.com . Name being queried : only text (A-Z, a-z, 0-9, "-") Record type being queried (implies type of reply) : A : only 4 bytes of data ! CNAME : text with additional requirements (valid DNS name) TXT : any kind of data [NSTX, OzymanDNS, dns2tcp] But not many real-life uses ⇒ often blocked NULL : for experimental purposes [Iodine] No known real-life usage Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 6 / 18

  7. DNS extension : EDNS0 Specified in RFC 2671 Allow for larger packets Used by Iodine and OzymanDNS Not many real-life uses ⇒ can easily be blocked by ISPs Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 7 / 18

  8. Data encoding in queries and replies DNS names : A-Z, a-z, 0-9, "-" => 63 characters DNS servers "should" preserve case if possible 2 solutions : Base32 (need 32 characters) Less efficient, but protocol compliant [OzymanDNS] Base64 (need 64 characters) Adding another, invalid character : "_" [NSTX, Iodine] "/" [dns2tcp] Using an escaping system But packet length would vary Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 8 / 18

  9. Evaluation of existing solutions All solutions tested on several networks (academic, home ISP , hotels, airports, etc...) Each of them failed to work in some cases ⇒ Too many compromises with protocol compliance ? ⇒ Build our own solution ? Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 9 / 18

  10. TUNS IP over DNS tunnel Standard-compliance : uses CNAME records and Base32 Handle poor network conditions : Does not split IP packets Lower MTU instead Handle duplicate replies Efficient polling mechanism Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 10 / 18

  11. Example packets Data packet from client to server : dIUAAAVAAABAAAQABJ5K4BKBVAHAKQNICBAAAOS5TD4ASKPSQIJEM7VABAAEASC. MRTGQ2TMNY0.domain.tld: type CNAME, class IN The client sends a short query that the server will use to send a reply : r882.domain.tld: type CNAME, class IN The server acknowledges the data that was sent : Queries dIUAAAVAAABAAAQABJ5K4BKBVAHAKQNICBAAAOS5TD4ASKPSQIJEM7VABAAEASC. MRTGQ2TMNY0.domain.tld: type CNAME, class IN Answers dIUA[..]0.domain.tld: type CNAME, class IN, cname l4.domain.tld The server sends a reply containing data to the client : Queries r882.domain.tld: type CNAME, class IN Answers r882.domain.tld: type CNAME, class IN, cname dIUAAAVCWIUAAAQABH VCY2DMO2HQ7EAQSEIZEEUTCOKBJFIVSYLJOF4YDC.MRTGQ2TMNY0.domain.tld Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 11 / 18

  12. Efficiently polling the server Problem : Server sends data to client using DNS replies To send a DNS reply, the server needs a query Solution : On regular intervals, send a DNS query to the server The server answers with data or indicates that there’s no data Optimization : [NSTX and TUNS, but not Iodine] If there’s no data, wait for a while. Data might arrive in the meantime. From the client POV, the server simply looks busy. ⇒ Improves perceived latency significantly Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 12 / 18

  13. Performance evaluation Compared NSTX, Iodine and TUNS using a network emulator Measured the tunnel’s latency and bandwidth with varying network latency Also when facing degraded network conditions (5% packet loss, variable latency causing packet reordering) TUNS client emulator TUNS server Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 13 / 18

  14. Results : bandwidth Bandwidth, server to client Bandwidth, client to server 500 500 NSTX NSTX bandwidth (Kbps) bandwidth (Kbps) 400 Iodine 400 Iodine Tuns Tuns 300 300 200 200 100 100 0 0 0 50 100 150 200 0 50 100 150 200 emulated RTT (ms) emulated RTT (ms) ⇒ TUNS is slower than the other implementations Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 14 / 18

  15. Results : bandwidth, with loss / reordering Bandwidth, server to client Bandwidth, client to server 100 100 NSTX NSTX bandwidth (Kbps) bandwidth (Kbps) 80 Iodine 80 Iodine Tuns Tuns 60 60 40 40 20 20 0 0 0 50 100 150 200 0 50 100 150 200 emulated RTT (ms) emulated RTT (ms) ... but stays more stable when network conditions are degrated, and outperforms NSTX Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 15 / 18

  16. Results : latency Latency, pings initiated by server Latency, pings initiated by client 1400 250 NSTX NSTX perceived RTT (ms) perceived RTT (ms) 1200 Iodine 200 Iodine 1000 Tuns Tuns 150 800 600 100 400 50 200 0 0 0 50 100 150 200 0 50 100 150 200 emulated RTT (ms) emulated RTT (ms) ⇒ Iodine’s polling mechanism is inefficient Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 16 / 18

  17. Conclusion Exposed the various challenges faced by DNS covert channels Described TUNS, our IP over DNS tunnel Slower that the other implementations in some cases But uses only standard DNS features Harder to block by system administrators Remaining solution : traffic shaping Worked on all networks we could try Except those with broken DNS, of course Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 17 / 18

  18. Future Work Tuning of tunnel parameters from the client-side Packet length, DNS record type, encoding Automatic detection of best parameters Headers compression ⇒ more space for data TCP tuning to better handle packet re-ordering Very frequent over DNS Encryption of data being transmitted Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 18 / 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem Deterministic Noninterference Nondeducibility Generalized Noninterference Restrictiveness May 26, 2017 ECS 235B Spring Quarter 2017 Slide #1

370 views • 33 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels Covert Channels References Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall. 1st May 2017 Daniel Bosk MIUN ICS Side Channels and Covert

689 views • 32 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

915 views • 36 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
PHY Covert Channels: Can you see the Idles? Ki

PHY Covert Channels: Can you see the Idles? Ki

PHY Covert Channels: Can you see the Idles? Ki Suh Lee Chupja Cornell University Joint work with Han Wang, and Hakim Weatherspoon 1

627 views • 38 slides
COVERT CHANNELS ERIK TEWS &lt;E.TEWS@UTWENTEL.NL&gt; HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS &lt;E.TEWS@UTWENTEL.NL&gt; HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS &lt;E.TEWS@UTWENTEL.NL&gt; HOUSEKEEPLING Lab on May 30th seems to be problematic for Delft Lab on May 31st seems to be problematic for Twente Systems Security Covert Channels 2 14.05.2018 Prepare to vote 1

1.05k views • 50 slides
Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre and Meltdown from covert channels Process isola8on + OS (CS 423) OS paging OS services 0x00000000 Communica&lt;on to other processes

568 views • 15 slides
Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau Christian Dietrich Outline 1. Covert Channels 2. Steganography a. Lurk b. Gozi c. Stegoloader 3. Inconspicuous Carrier Protocols a.

674 views • 49 slides
Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels Kang-Hee Cho and Si-Hyeon Lee School of Electrical Engineering KAIST 2020 ISIT 1 / 14 Covert Communication ^ Y n W Decoder X n W P n Encoder

386 views • 15 slides
IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay Shields. Outline Positive Traits Problems Questions Extensions Other Covert Channels Discussion Positive Traits What are the

496 views • 34 slides
March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

Mitigation of Covert Channels About Voting and Computers March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B Winter Quarter 2014 Slide 1 Mitigation of Covert Channels About Voting and Computers

416 views • 26 slides
May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels May 24, 2017 ECS 235B Spring Quarter 2017 Slide #1 Compiling Compiler enforces or validates constraints Type-safe language enforces them

313 views • 27 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Grkaynak Luca Benini

750 views • 58 slides
Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman 1 Outline Covert Channels Attack Vectors and Scenarios IEEE 802.11 Fundamentals Covert Channel Design Implementation

766 views • 38 slides
DNS and BGP CS642: Computer Security Professor Ristenpart

DNS and BGP CS642: Computer Security Professor Ristenpart

DNS and BGP CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642

798 views • 35 slides
Andrs E. Azprua #imv2020 Internet Censorship, DNS poisoning and Phishing in Venezuela

Andrs E. Azprua #imv2020 Internet Censorship, DNS poisoning and Phishing in Venezuela

Andrs E. Azprua #imv2020 Internet Censorship, DNS poisoning and Phishing in Venezuela Measuring from censorship to state-sponsored attacks Andrs E. Azprua #imv2020 @VEsinFiltro VEsinFiltro.com VENEZUELAN CONTEXT Critical failure

833 views • 56 slides
DNS-BASED THREAT HUNTING: learn, share and improve. repeat. Joo Collier de Mendona @sec_joao

DNS-BASED THREAT HUNTING: learn, share and improve. repeat. Joo Collier de Mendona @sec_joao

TLP WHITE DNS-BASED THREAT HUNTING: learn, share and improve. repeat. Joo Collier de Mendona @sec_joao Zurich, September 2016. $ whoami Brazilian living in Germany for a long time Since 2010 at Deutsche Telekom CERT / CDC

643 views • 27 slides
DNS Performance and the Effectiveness of Caching Jaeyeon Jung, Emil Sit, Hari Balakrishnan,

DNS Performance and the Effectiveness of Caching Jaeyeon Jung, Emil Sit, Hari Balakrishnan,

DNS Performance and the Effectiveness of Caching Jaeyeon Jung, Emil Sit, Hari Balakrishnan, Robert Morris Presenter: Gigis Petros Introduction Two factors contribute to the scalability of DNS hierarchical design around delegated name

583 views • 29 slides
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to 131.179.192.144 DNS also provides other similar services It wasnt designed with security in

431 views • 26 slides
Large-scale Analysis of Infrastructure-leaking DNS Servers Dennis Tatang , Carl Schneider,

Large-scale Analysis of Infrastructure-leaking DNS Servers Dennis Tatang , Carl Schneider,

Large-scale Analysis of Infrastructure-leaking DNS Servers Dennis Tatang , Carl Schneider, Thorsten Holz Ruhr-University Bochum, Germany Motivation DNS: www.rub.de 134.147.64.10 Daily use on the Internet by every user Various

422 views • 27 slides
DNS of Multiphase Flows Simple Front Tracking DNS of Multiphase Flows Direct Numerical

DNS of Multiphase Flows Simple Front Tracking DNS of Multiphase Flows Direct Numerical

DNS of Multiphase Flows Simple Front Tracking DNS of Multiphase Flows Direct Numerical Software is needed for a variety of purposes. Simulations of In addition to large scale somewhat general purpose codes that represent close

179 views • 4 slides
DNS Basics 1 Computers use IP Addresses To send an IP datagram to another computer on

DNS Basics 1 Computers use IP Addresses To send an IP datagram to another computer on

DNS Basics 1 Computers use IP Addresses To send an IP datagram to another computer on Internet (e.g. a web server), must know its IP address What is the IP address of the computer running ICT website? Registration? Facebook? Humans

214 views • 8 slides

More recommend