Detection
- DNS tunnelling can be detected by monitoring the size of DNS queries and replies. Tunnelled traffic encodes data into the query name, so the names are unusually long; the post's rule of thumb is that a query name longer than 64 characters is suspicious (a single label can hold at most 63 characters and a full name at most 253, so a tunnel pushes towards those limits while legitimate hostnames rarely do).
- An IDS/IPS with up-to-date signatures is another detection mechanism, since known tunnelling tools have recognisable query patterns.
- Rules must be configured on the DNS server (or its logs) to flag a large number of TXT queries or responses, as TXT records are the usual carrier for data returned to the client.
- Rules must be configured in the SIEM to trigger when the volume of DNS traffic from a single source, within a given time window, is far above its normal baseline.
- Another method is split-horizon DNS: internal names are resolved by an internal server that does not forward to the internet, and clients reach external sites only through a proxy server, which resolves external names on their behalf. A host sending DNS directly to the internet is then anomalous by itself, and some proxies can also inspect the DNS names they resolve.
- DNSTrap is a tool developed to detect DNS tunnelling using an artificial neural network (ANN). It trains the ANN on five attributes: the domain name, how many packets are sent to a particular domain, the average length of packets to that domain, the average number of distinct characters in the LLD (lowest-level domain, the leftmost label), and the distance between LLDs.
- Next-generation firewalls from vendors such as Palo Alto Networks and FireEye have the capability to detect DNS tunnelling.

Source: http://resources.infosecinstitute.com/dns-tunnelling/#gref
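The length, TXT-count, per-source volume and distinct-character heuristics above can be run over plain DNS query logs. The following is an added example, not code from the original post or from DNSTrap; the log lines are constructed, the thresholds are toy values chosen for the sample, and the DNSTrap-style per-domain features are scored with a fixed threshold rather than a trained neural network. The "registered domain" is approximated as the last two labels (an assumption; a real deployment would use a public-suffix list).

```python
from collections import Counter, defaultdict

# Constructed DNS query log (not captured traffic). One query per line:
# "<epoch> <client_ip> <qtype> <qname>". The three TXT queries from 10.0.0.9
# mimic a tunnel client packing data into a long, high-diversity leftmost label.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 AAAA mail.example.com
1700000002 10.0.0.7 A cdn.example.net
1700000003 10.0.0.9 TXT 7a9f3c1e0b5d8a2f4c6e1b3d9f0a7c2e5b8d1f4a6c9e2b5d8f1a3c6e.t.tunnel-example.org
1700000004 10.0.0.9 TXT 3e5c7a9b1d2f4e6c8a0b2d4f6e8c0a1b3d5f7e9c1a3b5d7f9e1c3a5b.t.tunnel-example.org
1700000005 10.0.0.9 TXT 9c1e3a5b7d9f1c3e5a7b9d1f3c5e7a9b1d3f5c7e9a1b3d5f7c9e1a3b.t.tunnel-example.org
"""

# Toy thresholds for the sample above; real deployments tune these against a baseline.
MAX_NAME_LEN = 64           # query-name length threshold quoted in the post
MAX_TXT_PER_WINDOW = 2      # TXT queries per source per window before alerting
MAX_QUERIES_PER_WINDOW = 2  # total queries per source per window before alerting
MIN_MEAN_DISTINCT = 10      # mean distinct characters in the leftmost label, per domain
WINDOW_SECONDS = 60         # aggregation window for the per-source counters


def parse_line(line):
    ts, src, qtype, qname = line.split()
    return {"ts": int(ts), "src": src, "qtype": qtype, "qname": qname.rstrip(".").lower()}


def leftmost_label(qname):
    return qname.split(".")[0]


def registered_domain(qname):
    # Assumption: the registered domain is the last two labels (no public-suffix list).
    return ".".join(qname.split(".")[-2:])


def domain_features(records):
    """Per-domain features in the spirit of DNSTrap's attributes: number of queries,
    mean query-name length and mean number of distinct characters in the leftmost label."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[registered_domain(r["qname"])].append(r)
    feats = {}
    for dom, rs in by_domain.items():
        feats[dom] = {
            "count": len(rs),
            "mean_len": sum(len(r["qname"]) for r in rs) / len(rs),
            "mean_distinct": sum(len(set(leftmost_label(r["qname"]))) for r in rs) / len(rs),
        }
    return feats


def analyse(log_text):
    """Return alerts (kind, subject, detail) plus the per-domain features."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []

    # Per-query check: the name-length heuristic.
    for r in records:
        if len(r["qname"]) > MAX_NAME_LEN:
            alerts.append(("long_name", r["src"], r["qname"]))

    # Per-source, per-window counters: TXT volume and overall query volume (the SIEM rules).
    txt, total = Counter(), Counter()
    for r in records:
        key = (r["src"], r["ts"] // WINDOW_SECONDS)
        total[key] += 1
        if r["qtype"] == "TXT":
            txt[key] += 1
    for (src, _win), n in txt.items():
        if n > MAX_TXT_PER_WINDOW:
            alerts.append(("txt_volume", src, n))
    for (src, _win), n in total.items():
        if n > MAX_QUERIES_PER_WINDOW:
            alerts.append(("query_volume", src, n))

    # Per-domain check on the DNSTrap-style feature (threshold instead of an ANN).
    feats = domain_features(records)
    for dom, f in feats.items():
        if f["mean_distinct"] >= MIN_MEAN_DISTINCT:
            alerts.append(("high_diversity_domain", dom, round(f["mean_distinct"], 2)))

    return {"alerts": alerts, "features": feats}


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG)["alerts"]:
        print(*alert)
```

On the sample, only 10.0.0.9 and tunnel-example.org trip the rules: the three 77-character names exceed the length threshold, the source sends three TXT queries and three queries in total within one window, and the hex labels average about 14 distinct characters against roughly 2 to 4 for the ordinary hostnames. Note that a tunnel which keeps labels short and spreads queries over time defeats the per-query rules; the per-domain aggregate is the feature that still accumulates evidence in that case.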