DNS tunnelling: that's not your grandma's exfil

Presented at VB2018, Oct. 4, 2018, 3 p.m. (30 minutes)

DNS tunnelling has changed. And in most cases, it is not even officially 'tunnelling'. The latest techniques for covertly transferring data over DNS are more creative and even harder to detect. Over the last year, we've been analysing DNS tunnelling tools, command-and-control traffic, multi-staged payloads, and exfiltration modules to profile how DNS is being abused and to develop reliable detection techniques. In this session we'll describe each pattern using traffic observed in the wild and provide novel ways to detect them. Finally, we'll release exfilr, an open-source tool for covertly transferring data over DNS which implements all patterns described and can serve as a detection testbed or a penetration testing tool.

Presenters:

• Brad Antoniewicz - Cisco Umbrella
  Brad Antoniewicz Brad Antoniewicz works in Cisco Umbrella's security research group. He is an Adjunct Professor teaching vulnerability analysis and exploitation and a Hacker in Residence at NYU's Tandon School of Engineering. Antoniewicz is also a contributing author to both the Hacking Exposed and Hacking Exposed: Wireless series of books. @brad_anton

Links:

• https://www.virusbulletin.com/conference/vb2018/abstracts/dns-tunnelling-s-not-your-grandmas-exfil

Similar Presentations:

• DeepSec 2017 „Science First!“ / XFLTReaT: A New Dimension In Tunnelling
• NolaCon 2019 / DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy
• DeepSec 2018 „I like to mov &6974,%bx“ / DNS Exfiltration and Out-of-Band Attacks