protocols. The proposed solution is feasible for real-time Skype detection over HTTP,
providing a very low percentage of false positives.
On ciphered networks, many activities focus on categorizing the communication
patterns of ciphered traffic by evaluating only features and metrics that are not
affected by encryption. For instance, in [8] a methodology for recognizing application-level
protocols embedded in ciphered TCP channels is presented. Similarly, in [5]
two traffic analysis techniques based on classification algorithms are used for retrieving
web site identities in ciphered HTTPS traffic.
In general, information leakage in ciphered protocols is a sensitive problem: in
[6], the authors investigate how the behavior of anonymity systems (e.g. Tor) could lead
to an unwanted reduction of the real level of anonymity, allowing an attacker to discover
information about the network location of a client.
The DNS protocol has been deeply investigated in order to monitor and detect attacks on
single DNS servers and on the network of servers. In [9] monitoring algorithms are
proposed for detecting attacks on DNS servers (e.g. cache poisoning). In the same
article, a methodology for detecting DNS Tunneling is provided. In this regard, in
[10] a statistical approach based on the analysis of the frequencies of characters in
DNS requests is provided: the idea is that characters in DNS tunnels have an evenly
distributed frequency, while in normal language (and hence in real DNS queries) the
frequency follows Zipf's law.
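The character-frequency idea attributed to [10] above can be turned into a small batch detector. The following is an added example written for this page, not code from the paper or from any of the cited works: it computes the character distribution over a batch of query names and scores it two ways, by normalized Shannon entropy (flat distributions score near 1) and by the least-squares slope of log-frequency against log-rank (Zipf's law predicts a slope near -1 for natural language, a flat distribution gives a slope near 0). The query names, the 37-symbol case-folded hostname alphabet used for normalization and the decision thresholds are all constructed assumptions; thresholds would need calibration on a baseline of legitimate traffic.

```python
"""Character-frequency test for DNS query names.

Added example, not code from the paper or from any of the works it cites. It
implements the idea stated in the text: characters in tunnelled DNS queries are
spread almost evenly, while names built from real words have a skewed,
Zipf-like rank-frequency profile. Thresholds and sample names are assumptions.
"""
import math
from collections import Counter

# Case-folded alphabet permitted in hostnames: 26 letters, 10 digits, hyphen.
HOSTNAME_ALPHABET_SIZE = 37


def char_counts(queries):
    """Count characters over a batch of query names (labels only, dots dropped)."""
    counts = Counter()
    for name in queries:
        counts.update(name.lower().replace(".", ""))
    return counts


def normalized_entropy(queries):
    """Shannon entropy of the character distribution, scaled to [0, 1].

    1.0 would mean every one of the 37 allowed characters is equally frequent;
    real hostnames sit well below that, encoded payloads close to it.
    """
    counts = char_counts(queries)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    entropy = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return entropy / math.log2(HOSTNAME_ALPHABET_SIZE)


def zipf_slope(queries):
    """Least-squares slope of log(frequency) against log(rank).

    Zipf's law predicts a slope near -1 for natural-language text; a flat
    distribution (encoded data) gives a slope near 0.
    """
    ranked = sorted(char_counts(queries).values(), reverse=True)
    if len(ranked) < 2:
        return 0.0  # one symbol or none: no rank-frequency curve to fit
    xs = [math.log(rank) for rank in range(1, len(ranked) + 1)]
    ys = [math.log(freq) for freq in ranked]
    x_mean = sum(xs) / len(xs)
    y_mean = sum(ys) / len(ys)
    sxx = sum((x - x_mean) ** 2 for x in xs)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    return sxy / sxx


def looks_tunnelled(queries, entropy_threshold=0.85, slope_threshold=-0.5):
    """Flag a batch whose character profile is flat on both measures.

    The thresholds are illustrative assumptions, not values from the paper;
    they should be calibrated on a baseline of legitimate traffic.
    """
    return (normalized_entropy(queries) > entropy_threshold
            and zipf_slope(queries) > slope_threshold)


# Constructed samples (not captured traffic). The "tunnel-like" names carry
# base32-looking labels built so that every alphabet character appears equally.
NORMAL_QUERIES = [
    "www.example.com", "mail.example.com", "www.wikipedia.org",
    "news.bbc.co.uk", "static.cdn.example.net", "login.microsoft.com",
    "images.google.com", "www.amazon.com",
]
TUNNEL_LIKE_QUERIES = [
    "q7kz3mvnd5xyp2ajw6crs4gbhtluefio.5hx2tbgz7opw4dlqs3aikv6mnjryucef.t.example.com",
    "w3ju6fpe2ckm7sya4vqx5bdhtnzglior.n6ab5ydx3rhq7wtc2ipl4zemfvsgjuko.t.example.com",
]

if __name__ == "__main__":
    for label, batch in (("normal", NORMAL_QUERIES), ("tunnel-like", TUNNEL_LIKE_QUERIES)):
        print(f"{label:12s} entropy={normalized_entropy(batch):.3f} "
              f"zipf_slope={zipf_slope(batch):.2f} flagged={looks_tunnelled(batch)}")
```

Both scores are computed over a batch rather than a single name because a single short hostname has too few characters for a rank-frequency profile to mean anything; in practice the batch would be the queries seen for one domain or one client over a time window, so that a flat profile points at the domain being used as a tunnel endpoint rather than at one odd-looking name.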
However, previous studies do not consider the variation of performance due to the
existence of DNS Tunneling in comparison to DNS traffic without tunnels. Nevertheless,
some early studies have been made from this perspective. In [11] the impact of DNS
Tunnels on network performance is investigated, but the study is limited to
DNS tunnels built with DNSCat and to a network scenario distributed over the Internet.
3 DNS Tunneling Tools
Existing DNS Tunneling Tools can be divided into two classes, depending on the
abstraction layer at which the information is encapsulated. Each tool requires a real
DNS server to administer the tunneling domain.
3.1 IP over DNS Tunnels
Most DNS Tunneling tools are aimed at building IP over DNS tunnels,
namely encapsulating IP packets inside DNS queries:
NSTX [13] has been the first tool to realize IP over DNS. To encode data into
queries, it uses a non-compliant Base64 encoding (adding the character ``_'' to the
63 characters allowed by the DNS RFC). Tunnels are realized on the tun0 interface
and replies are encoded into TXT records. NSTX requires a rogue server running
the NSTX tool. It also requires the client and server to have special kernel
configurations.
DNSCat [14] consists of two small programs, a server and a client, written in Java.
It is a fast, efficient and highly configurable cross-platform tool. The tunnel is made
through the interface ppp0 and data in replies are encapsulated in the CNAME
record. In comparison to NSTX, it does not require a special kernel configuration.
Thus, DNSCat is more flexible than NSTX.