Tunneling is the practice of embedding messages of one network protocol within messages of a different network protocol. In a security context, tunneling lets an attacker bypass security boundaries such as the perimeter firewall of a cloud deployment by encapsulating malicious traffic within permitted traffic. This post explores the challenges of detecting DNS tunneling and offers a way to detect a DNS tunneling attack on your cloud environments.
After an initial breach, once the attacker has code running inside the cloud deployment, she can set up a tunnel from the internet to that code to pass commands to it, or to exfiltrate sensitive data from the deployment's databases through it. The tunnel's traffic looks like an innocent and prevalent communication protocol, so it is not blocked or rate-limited by commonly deployed security policies.
DNS is the infrastructure protocol that maps human-readable domain names to IP addresses, and it is central to all internet activity today. Since DNS is ubiquitous and required by most networked software, it is rarely blocked by security policies. However, it has been known for years that DNS can easily be abused for tunneling. DNS tunneling needs an attacker-registered domain and an attacker-controlled authoritative nameserver for it. A software component running on the compromised target encodes outbound payloads into DNS queries for that domain (typically in the subdomain labels of the query name) and decodes inbound payloads from the DNS responses.
Normal DNS resolution then carries these specially crafted packets between the compromised host and the attacker's nameserver, via the deployment's own recursive resolver, so the compromised host never needs a direct connection to the attacker. An attacker can prepare this setup quickly and cheaply, and can even reuse existing public DNS tunneling tools, so it does not require advanced technical skills.
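To make the mechanics concrete, here is an added example (not Alcide's code and not one of the public tunneling tools) of the encoding step described above: the client packs a payload into the subdomain labels of queries for an attacker-controlled domain, the nameserver reassembles it, and the response direction rides in TXT records. The domain `t.example.net` and the sample payload are constructed for the example; a real client would hand each name to the host's resolver (for instance a TXT query), which the example does not do.

```python
import base64

# Constructed example: the attacker would register this domain and run the
# authoritative nameserver for it. It is not a real tunnel endpoint.
TUNNEL_DOMAIN = "t.example.net"
MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a presentation-format name is at most 253 characters


def encode_upstream(payload: bytes, domain: str = TUNNEL_DOMAIN) -> list[str]:
    """Client -> attacker nameserver: pack the payload into the subdomain labels of
    query names under the attacker's domain. Base32 is used because DNS names are
    case-insensitive, so base64 could be corrupted by case-folding resolvers.
    The first label carries a sequence number so the server can reorder queries."""
    b32 = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    budget = MAX_NAME - len(domain) - 1   # characters left for labels and their dots
    names, pos, seq = [], 0, 0
    while pos < len(b32) or seq == 0:     # emit at least one name for an empty payload
        labels = [f"q{seq}"]
        used = len(labels[0])
        while pos < len(b32):
            take = min(MAX_LABEL, len(b32) - pos, budget - used - 1)  # -1 for the dot
            if take <= 0:
                break
            labels.append(b32[pos:pos + take])
            pos += take
            used += 1 + take
        names.append(".".join(labels) + "." + domain)
        seq += 1
    return names


def decode_upstream(names, domain: str = TUNNEL_DOMAIN) -> bytes:
    """Attacker nameserver side: reassemble the payload from the query names it
    receives for its zone, in sequence order, ignoring unrelated queries."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        name = name.rstrip(".").lower()
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0][1:])] = "".join(labels[1:])
    b32 = "".join(chunks[i] for i in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)          # restore the base32 padding stripped above
    return base64.b32decode(b32)


def encode_downstream(payload: bytes, max_string: int = 255) -> list[str]:
    """Attacker nameserver -> client: the response direction usually rides in TXT
    (or NULL/CNAME) records. A TXT character-string is at most 255 octets, and TXT
    preserves case, so base64 is fine here."""
    b64 = base64.b64encode(payload).decode("ascii")
    return [b64[i:i + max_string] for i in range(0, len(b64), max_string)]


def decode_downstream(strings) -> bytes:
    return base64.b64decode("".join(strings))


def valid_name(name: str) -> bool:
    """Check that a generated name respects the DNS length limits."""
    labels = name.split(".")
    return len(name) <= MAX_NAME and all(0 < len(l) <= MAX_LABEL for l in labels)


if __name__ == "__main__":
    # Constructed sample payload standing in for rows exfiltrated from a database.
    data = b"row=42,name=alice,email=alice@example.org\n" * 20
    queries = encode_upstream(data)
    print(len(queries), "queries; first:", queries[0])
    assert all(valid_name(q) for q in queries)
    assert decode_upstream(reversed(queries)) == data
```

Each generated name is padded to the 253-character limit, which is exactly the kind of long, high-entropy label that a detector can key on; the query types used (TXT, NULL) and the rate of distinct subdomains under one domain are the other signals the detection discussion below relies on.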
Security teams should be able to detect when an attacker abuses DNS messages for malicious communication and mitigate this threat, without compromising the normal functionality of the cloud deployment.
Challenges of Detecting DNS Tunneling
In principle, DNS tunneling can be detected by deep inspection of the content of DNS requests and responses, and indeed several methods have been proposed to identify abused DNS packets. In practice, however, these standard approaches suffer from a few drawbacks:
- The sheer volume and variety of DNS traffic makes it hard to monitor. Because DNS is an infrastructure protocol, examining and possibly blocking its packets inline is difficult without impacting network performance.
- Simple whitelisting and blacklisting of domain names has limited value in stopping DNS tunneling. Attacker-controlled domains may change very rapidly, and the set of domains that microservices and workloads legitimately need to reach may change just as fast.
- Advanced detection techniques for DNS tunneling are often based on identifying the technical characteristics of "normal DNS traffic" and comparing them to the observed traffic. However, the set and functionality of microservices and workloads in a cloud deployment change often, quickly invalidating the baseline and rendering it useless for detection.
- Even a low false-positive rate may severely cripple normal business functionality if the mitigation is coarse-grained and has widespread impact.
- In a cloud-based data center there is an additional challenge: the cloud service provider is responsible for infrastructure such as DNS, and users have little if any visibility into DNS activity. On the other hand, users know what their workloads need with respect to DNS traffic, while the cloud provider does not. The result is that the cloud provider's firewalls are too coarse-grained to filter malicious DNS traffic, while users cannot tune and adapt those firewalls and have very limited ability to monitor and detect DNS abuse.
How Alcide Detects DNS Tunneling
Here at Alcide we detect and mitigate DNS tunneling based on the unique architecture of our microservices-firewall: each workload and service deployed in the cloud is monitored independently by its own microservices-firewall, and when a new workload is added, a microservices-firewall is automatically attached to it.
The product thus continuously collects high-resolution information about the traffic of each workload and microservice. This information is analysed using real-time machine learning techniques, for example to detect anomalies in the DNS traffic of each specific workload.
Leveraging this visibility into the cloud-based data center and the service mesh, we alert the admin team about microservices or workloads that have been compromised by software that uses DNS tunneling.
The team can then take remedial action such as blocking network activity or taking down the service altogether. Furthermore, the appropriate microservices-firewall can block only the suspicious DNS traffic of the specific misbehaving workload or microservice, without affecting any other traffic in the cloud-based data center.
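The following is an added example, not Alcide's detection logic, of the kind of per-workload feature extraction that the traffic-characteristics approach from the challenges list and the per-workload scoping described above both rely on. It parses constructed DNS query log lines (the `workload=... qname=... qtype=...` format and every name in them are made up for the example), computes per-(workload, registered domain) features such as the number of distinct subdomains, their mean length and character entropy, and flags groups that cross simple thresholds. The thresholds are assumptions chosen for the sample data, standing in for the learned per-workload baseline the text describes.

```python
import base64
import hashlib
import math
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"workload=(\S+)\s+qname=(\S+)\s+qtype=(\S+)")

# Thresholds are assumptions for this example, not learned values.
THRESHOLDS = {"unique_subdomains": 5, "mean_sub_len": 30.0, "mean_entropy": 3.5}


def shannon_entropy(s: str) -> float:
    """Bits per character; long base32/base64 labels score far higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (registered domain, subdomain). Simplification: the last two labels
    are treated as the registered domain; a real detector would consult the public
    suffix list so that e.g. co.uk is not mistaken for a domain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def extract_features(log_text: str) -> dict:
    """Group queries per (workload, domain) and summarise them. Keying on the
    workload is what lets a noisy-but-legitimate service keep its own baseline
    instead of polluting a global one."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        workload, qname, qtype = m.groups()
        domain, sub = split_name(qname)
        groups[(workload, domain)].append((sub, qtype.upper()))
    feats = {}
    for key, recs in groups.items():
        subs = [s for s, _ in recs]
        feats[key] = {
            "queries": len(recs),
            "unique_subdomains": len(set(subs)),
            "mean_sub_len": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs),
            # Record types that carry bulk data in the response direction.
            "bulk_rr_fraction": sum(t in ("TXT", "NULL", "CNAME") for _, t in recs) / len(recs),
        }
    return feats


def detect(log_text: str, thresholds: dict = THRESHOLDS) -> dict:
    """Return the (workload, domain) groups whose features cross every threshold."""
    return {key: f for key, f in extract_features(log_text).items()
            if all(f[k] >= v for k, v in thresholds.items())}


# --- constructed sample log (not real Alcide output) ---------------------------
def _constructed_tunnel_qname(i: int) -> str:
    # A 52-character base32 chunk derived from a hash stands in for tunnelled data.
    chunk = base64.b32encode(hashlib.sha256(f"chunk{i}".encode()).digest())
    return f"q{i}.{chunk.decode().rstrip('=').lower()}.t.example.net"


_BENIGN = [
    "workload=checkout qname=payments.svc.cluster.local qtype=A",
    "workload=checkout qname=s3.eu-west-1.amazonaws.com qtype=A",
    "workload=checkout qname=sqs.eu-west-1.amazonaws.com qtype=A",
    "workload=checkout qname=payments.svc.cluster.local qtype=AAAA",
    "workload=reports qname=s3.eu-west-1.amazonaws.com qtype=A",
    "workload=reports qname=db.svc.cluster.local qtype=A",
]
_TUNNEL = [f"workload=reports qname={_constructed_tunnel_qname(i)} qtype=TXT" for i in range(8)]
SAMPLE_LOG = "\n".join(f"2021-03-01T10:00:{i:02d}Z {l}" for i, l in enumerate(_BENIGN + _TUNNEL))


if __name__ == "__main__":
    for key, f in detect(SAMPLE_LOG).items():
        print("suspicious DNS tunnelling:", key, f)
```

Running it flags only the `reports` workload's traffic to `example.net`; the `checkout` workload, which talks to the same cloud services, is untouched, which is the fine-grained outcome the text argues for. The caveat a practitioner would add: some legitimate services (CDNs, anti-malware lookups) also produce long, high-entropy names, so a threshold rule like this one is a starting point for a per-workload baseline, not a substitute for one.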
To summarise, our fine-grained detection and remediation capabilities increase detection accuracy, reduce its performance cost, and minimize the risk of harmful remediation based on false positives.
To learn more about how to detect a DNS tunneling attack, read our white paper:
Nitzan Niv is the Head of Security Research at Alcide.