The DNS protocol does, however, share a number of similarities with the HTTP
protocol:
- DNS works on blocks of data;
- DNS does nothing until the client submits a specific request;
- DNS works on character sets (Base32/Base64).
As we have seen above, many tools have been developed to exploit HTTP tunnels.
Given the similarities between the two protocols, there must be numerous ways
of using DNS for our purposes, and tools similar to the existing ones for HTTP.
The effective implementation of these techniques can be studied in the work of
Dan Kaminsky, who developed OzyManDNS, a proof of concept that can be
downloaded from the Internet.
A final remark on this technique: whereas the first products to filter requests
are becoming available for HTTP and numerous other protocols, this is not yet
possible for DNS and, for various reasons, it is quite unlikely to happen in the
near term. Meanwhile, intense DNS traffic could easily raise suspicion. This is
only partly counterbalanced by the high bandwidth (max 220 bytes per packet) the
method offers. From this standpoint, it is still far more effective to use an
HTTP tunnel when a sizable transmission bandwidth is required.
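As an added illustration (not part of the original text and not code from OzyManDNS), the sketch below turns the traits listed above, client-initiated queries carrying Base32-encoded blocks at high volume, into a detection heuristic over a DNS query log. The function names, thresholds, addresses and sample log are assumptions constructed for the example.

```python
import base64
import hashlib
import math
from collections import defaultdict

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def flag_tunnel_candidates(queries, min_queries=5, min_avg_len=30, min_entropy=3.5):
    """Return (client, domain, query count, avg payload length) for suspect groups.

    A group is every query one client sent under one registered domain. The
    domain is taken as the last two labels, a simplification; production code
    would consult the Public Suffix List. Thresholds are illustrative.
    """
    groups = defaultdict(list)
    for client, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        groups[(client, ".".join(labels[-2:]))].append("".join(labels[:-2]))
    flagged = []
    for (client, domain), payloads in sorted(groups.items()):
        n = len(payloads)
        avg_len = sum(len(p) for p in payloads) / n
        avg_ent = sum(entropy(p) for p in payloads) / n
        distinct = len(set(payloads)) / n  # encoded data blocks rarely repeat
        if (n >= min_queries and avg_len >= min_avg_len
                and avg_ent >= min_entropy and distinct >= 0.9):
            flagged.append((client, domain, n, round(avg_len, 1)))
    return flagged

def constructed_sample():
    """Constructed query log: one ordinary client, one sending encoded blocks."""
    normal = [("10.0.0.5", h + ".example.com") for h in
              ["www", "mail", "www", "cdn", "www", "api", "mail", "www"]]
    encoded = []
    for i in range(8):
        digest = hashlib.sha256(str(i).encode()).digest()
        label = base64.b32encode(digest).decode().rstrip("=").lower()
        encoded.append(("10.0.0.7", label + ".example.org"))
    return normal + encoded

if __name__ == "__main__":
    for row in flag_tunnel_candidates(constructed_sample()):
        print(row)
```

The ordinary client issues the same number of queries but is not flagged, because its labels are short and repeat; volume alone is a weak signal without the length and entropy checks.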
5.5 SecSyslog: Proposal for a Syslog Daemon Using Covert Channels
There are numerous open and closed-source implementations of the syslog protocol
available. Each of these adds functionality to the protocol's original features
and answers specific known weaknesses. Today, given the importance of logs both
for troubleshooting and for legal purposes, it is widely considered essential,
for instance, to guarantee that messages reach their destination, and that the
communication remains unaltered, secure and secret. Each version brings both
advantages and disadvantages over the others, so the choice is purely a matter
of personal preference based on a detailed understanding of the particular
version and the additional features it offers, weighed against the added
complexity of configuration.
In this section we wish to describe a possible implementation of a new system
logging solution using covert channel communications and list the advantages and
disadvantages it offers over other software.