Speaker
Description
DNS exfiltration and tunneling tools exploit DNS to evade
surveillance and disguise online behavior. Identifying these events
in real time is challenging because efficient techniques are required
to recognize an encoded or encrypted message hidden in a query name without
impacting the performance of a resolver, which must also resolve
non-malicious query volumes of up to millions of queries per second. In this
talk we'll explore an elementary DNS tunneling detection algorithm that is
efficient and simple enough to fit into many recursive DNS resolver code bases.
To do that, we'll first explore DNS resolver caches like those in djbdns-1.05.
We'll outline architectural decisions such as introducing two new caches,
a realtime blocklist and a tunneling cache, highlighting the pros and cons
of early and late detection techniques. Additionally, two probabilistic
techniques will be discussed: one to estimate unique counts and one to identify
strings containing hidden messages, each with just enough confidence to make the
detection of DNS tunneling and exfiltration events as easy as modifying
a couple of threshold values. In closing, we'll discuss how Cisco Umbrella
deployed a realtime DNS tunneling detection algorithm into its global resolver
fleet and note a few lessons we learned while maintaining this algorithm
for the past year.
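The sketch below is an added illustration of the two-cache, two-threshold design the abstract describes; it is not code from the talk, from djbdns, or from Cisco Umbrella. The abstract does not name its two probabilistic techniques, so this example assumes HyperLogLog for the per-zone unique-subdomain count and Shannon entropy of a label as the "hidden message" score; the zone-splitting rule (last two labels), the threshold values and the sample traffic are all constructed for the demo.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

# --- probabilistic technique 1 (assumed): HyperLogLog for approximate unique counts
P = 8                                  # 2**P registers per zone, ~6.5% relative error
M = 1 << P
ALPHA = 0.7213 / (1 + 1.079 / M)       # standard HLL bias constant for M >= 128

def _hash64(s: str) -> int:
    """64-bit hash of a string (SHA-256 prefix; any good 64-bit hash would do)."""
    return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")

class HyperLogLog:
    """Fixed-size sketch (M small registers) estimating how many distinct items it saw."""
    def __init__(self):
        self.reg = [0] * M

    def add(self, item: str) -> None:
        h = _hash64(item)
        idx = h >> (64 - P)                       # top P bits select a register
        rest = h & ((1 << (64 - P)) - 1)          # remaining 56 bits: position of first 1
        rank = (64 - P) - rest.bit_length() + 1   # 1-based; 57 if all remaining bits are 0
        if rank > self.reg[idx]:
            self.reg[idx] = rank

    def estimate(self) -> float:
        raw = ALPHA * M * M / sum(2.0 ** -r for r in self.reg)
        zeros = self.reg.count(0)
        if raw <= 2.5 * M and zeros:              # small-range correction: linear counting
            return M * math.log(M / zeros)
        return raw

# --- probabilistic technique 2 (assumed): entropy of a label as a payload score
def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

class TunnelDetector:
    """Two caches: a tunneling cache (per-zone sketch) and a realtime blocklist (zones)."""
    def __init__(self, unique_threshold=200, entropy_threshold=3.5, min_label_len=20):
        self.unique_threshold = unique_threshold    # hypothetical tuning knobs
        self.entropy_threshold = entropy_threshold
        self.min_label_len = min_label_len
        self.tunnel_cache = defaultdict(HyperLogLog)  # zone -> sketch of distinct subdomains
        self.blocklist = set()                        # zones already judged to be tunneling

    @staticmethod
    def split(qname: str):
        """Assumes the registrable zone is the last two labels (no public-suffix list)."""
        labels = qname.rstrip(".").lower().split(".")
        return ".".join(labels[-2:]), labels[:-2]

    def observe(self, qname: str) -> str:
        zone, sub = self.split(qname)
        if zone in self.blocklist:                  # early detection: one lookup before resolving
            return "blocked"
        if not sub:
            return "allowed"
        sketch = self.tunnel_cache[zone]
        sketch.add(".".join(sub))                   # late detection: account for this query
        payload_like = any(len(l) >= self.min_label_len and
                           shannon_entropy(l) >= self.entropy_threshold for l in sub)
        if payload_like and sketch.estimate() >= self.unique_threshold:
            self.blocklist.add(zone)
            return "flagged"
        return "allowed"

def build_stream():
    """Constructed traffic: benign example.com lookups interleaved with an encoded upload."""
    benign = [f"{h}.example.com" for h in
              ("www", "mail", "cdn", "api", "a-long-but-legitimate-hostname")]
    stream = []
    for i in range(400):
        stream.append(benign[i % len(benign)])
        chunk = base64.b32encode(hashlib.sha256(i.to_bytes(4, "big")).digest())
        stream.append(f"{chunk.decode().rstrip('=').lower()[:50]}.t.example.net")
    return stream

def run_demo():
    det = TunnelDetector()
    verdicts = defaultdict(Counter)
    for q in build_stream():
        zone, _ = det.split(q)
        verdicts[zone][det.observe(q)] += 1
    return det, verdicts

if __name__ == "__main__":
    det, verdicts = run_demo()
    for zone, counts in verdicts.items():
        print(zone, dict(counts), round(det.tunnel_cache[zone].estimate()))
```

The long benign hostname scores above the entropy threshold on its own, but its zone is never flagged because the sketch only ever sees a handful of distinct subdomains; the tunneled zone crosses both thresholds after roughly two hundred distinct labels and every later query is stopped by the blocklist lookup before resolution. Both caches are bounded (one sketch per zone, one set entry per flagged zone), which is what keeps the check cheap on a busy resolver.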