PSUDP: A Passive Approach to Network-Wide Covert Communication

Presented at Black Hat USA 2010, July 28, 2010, 4:45 p.m. (75 minutes).

This presentation analyzes a novel approach to covert communication over DNS by introducing PSUDP, a program demonstrating passive network-wide covert communication. While several high-bandwidth DNS tunnel implementations are freely available, they all use similar strategies. Storage channels are created in DNS requests by encoding data in subdomain labels, while responses take many forms such as TXT, NULL, and CNAME resource record types to complete the bi-directional link. However, these tunnels may be detected when examining subdomains and irregular resource records in responses. Additionally, these tunnels only provide communication through the active generation of traffic.

The method and tool discussed in this paper allows a network of computers to participate in passive covert communication by piggy-backing on legitimate network DNS traffic. While low-bandwidth passive tunnels have been built using techniques such as timing channels and field manipulation, no passive high-bandwidth DNS tunnels exist. A novel approach is used to provide significantly higher bandwidth in network-wide covert communication by manipulating legitimate DNS traffic. It is also shown how, in certain scenarios, this method may be used for both covert data exfiltration and as a replacement for existing DNS tunnels. Additionally, it will be shown how a similar method can be applied to many other protocols, not being limited to DNS traffic.

In addition to PSUDP, this presentation will briefly cover a few other recent findings I have had in DNS tunnel creation and detection. Firstly, I will show how bi-directional DNS tunnels may be created using a browser and fine-grained JavaScript manipulation. Secondly, I will show my work in detecting DNS tunnels using n-gram frequency analysis.


Presenters:

Links:

Similar Presentations: