Description
DNS tunneling is a covert communication method that can bypass traditional security mechanisms, facilitating data exfiltration and unauthorized access. This thesis investigates DNS tunneling detection on a large scale, focusing on .nl traffic at the country code top-level domain (ccTLD) level.
The research explores existing detection methodologies and adapts them to real-world constraints, leveraging a controlled DNS testbed and the ENTRADA analysis tool. Detection rules are developed and validated against testbed data and .nl traffic, employing a scoring system to identify suspicious DNS queries. Comprehensive measurements of DNS query traffic are conducted across specific dates, highlighting geographical patterns and query types linked to potential tunneling activity.
Findings reveal that while most DNS tunneling activity is concentrated in specific regions and query types, such as "TXT" records, the proposed detection rules effectively filter out benign traffic and isolate suspicious activity. These results emphasize the importance of tailored detection strategies to enhance DNS security, offering insights for further research and practical applications in cybersecurity.
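The abstract mentions a scoring system over DNS queries but does not spell out the rules. The following is an added illustration, not the thesis's code or the ENTRADA tool's logic: an additive scorer over constructed sample queries that combines query type (TXT/NULL, as the findings single out), longest subdomain label, total subdomain length, Shannon entropy and digit ratio. The rule weights, the threshold, the assumption that the registered domain is the last two labels under .nl, and the sample names are all assumptions made for the example.

```python
from __future__ import annotations

import math
from collections import Counter

# Constructed sample of (qname, qtype) pairs standing in for queries seen at
# the .nl authoritative servers. Made-up names, not real traffic.
SAMPLE_QUERIES = [
    ("www.example.nl", "A"),
    ("mail.example.nl", "MX"),
    ("_dmarc.example.nl", "TXT"),  # benign TXT lookup, should not be flagged
    ("4a6f686e20446f65.a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.example.nl", "TXT"),
    ("zxq8k2m9v1b7n4c6x3l5p0w2e8r1t4y7.u9i3o5.tunnel.example.nl", "NULL"),
]

# Assumption: at the ccTLD the registered domain is the last two labels
# (name.nl); everything left of it is client-controlled and is where an
# encoded payload would have to live.
ZONE_DEPTH = 2
SUSPICIOUS_QTYPES = {"TXT", "NULL"}  # record types that carry large answers
THRESHOLD = 4                        # assumed cut-off for "suspicious"


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores far higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def subdomain_labels(qname: str) -> list[str]:
    """Labels left of the assumed registered domain, lower-cased."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-ZONE_DEPTH] if len(labels) > ZONE_DEPTH else []


def score_query(qname: str, qtype: str) -> tuple[int, list[str]]:
    """Additive score; each rule is an illustrative stand-in, not the thesis's rule set."""
    score, reasons = 0, []
    labels = subdomain_labels(qname)
    payload = "".join(labels)
    longest = max((len(label) for label in labels), default=0)

    if qtype.upper() in SUSPICIOUS_QTYPES:
        score += 2
        reasons.append(f"qtype {qtype} can carry large answers")
    if longest >= 32:
        score += 2
        reasons.append(f"label of {longest} chars")
    if len(payload) >= 40:
        score += 1
        reasons.append(f"{len(payload)} subdomain chars in total")
    if len(payload) >= 16:  # entropy/digit rules are meaningless on tiny names
        ent = shannon_entropy(payload)
        if ent >= 3.5:
            score += 2
            reasons.append(f"entropy {ent:.2f} bits/char")
        digit_ratio = sum(ch.isdigit() for ch in payload) / len(payload)
        if digit_ratio >= 0.3:
            score += 1
            reasons.append(f"digit ratio {digit_ratio:.2f}")
    return score, reasons


def flag_suspicious(queries, threshold: int = THRESHOLD):
    """Return (qname, qtype, score) for every query at or above the threshold."""
    flagged = []
    for qname, qtype in queries:
        score, _ = score_query(qname, qtype)
        if score >= threshold:
            flagged.append((qname, qtype, score))
    return flagged


if __name__ == "__main__":
    for qname, qtype in SAMPLE_QUERIES:
        score, reasons = score_query(qname, qtype)
        print(f"{score:2d}  {qtype:4s} {qname}  {'; '.join(reasons)}")
    print("flagged:", [q for q, _, _ in flag_suspicious(SAMPLE_QUERIES)])
```

The point of the threshold is that no single rule is decisive: a `_dmarc` TXT lookup earns points for its record type alone and stays below the cut-off, while the two encoded names trip the type, label-length, entropy and digit rules together. On real ccTLD traffic the weights would need calibrating against benign baselines, which is the validation step the abstract describes.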
Summary
A talk about the detection, analysis, and measurement of DNS tunnelling techniques.
Talk duration: 20 minutes (+5 for Q&A)