5.6 Why Use DNS Covert Channels?
Why might it be useful to use a covert channel? Let's imagine the case of a company that has many branch offices and needs to centralize its logs. How can it send them without leaving the syslog service publicly open?
Some syslog daemons allow you to authenticate the clients that are allowed to send messages. Although this is easy to configure, the syslog messages are still transmitted in the clear, and the log service still has to be reachable from the Internet. It might be a good idea to tunnel the messages through SSH-encrypted sessions, but this simply shifts the problem onto another service that you may want to close with a firewall. Another solution could be to use a VPN, but setting one up is laborious and in some cases costly to maintain.
None of the above ideas is inherently wrong. Any decision has to take into account
a variety of factors: simplicity, cost, availability, and so on. What advantages does a
covert channel offer in this case, especially considering the peculiarities of the DNS
service?
If we want to implement a project using covert channels we have to consider the task to be performed. By analyzing the requirements we can decide which techniques are best suited to provide the desired solution. We could start by examining the data transmission bandwidth required.
What kind of data does a syslog client transmit to the server? How frequently are log messages sent to the server? As we mentioned earlier, if we need to contact the server many times it might be a good idea to mask the covert channel in a very common type of traffic, like HTTP GET requests or DNS queries. This would make the communication less visible and less suspicious.
Syslog is simply a system for exchanging text strings. This does not exclude a priori the use of HTTP tunneling, but HTTP offers a huge amount of bandwidth, most of which is unnecessary. The syslog daemon does not make very heavy demands, since it only needs to send strings of a few dozen characters at a time. On the other hand, techniques that hide data in TCP and IP header fields are hardly suitable either. They provide so little bandwidth (a few bytes per packet) that a single message might generate an enormous volume of traffic, which would quickly attract attention.
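As an added illustration (not code from the book), the following Python encoder and collector-side decoder show how short syslog strings map onto DNS query names within the RFC 1035 label and name limits, and how many packets the same message would cost over a header-field channel. The zone logs.example.com, the "s0000" sequence label, the sample log line, and the per-packet capacities assumed for the IP identification and TCP sequence-number channels are hypothetical choices made for this example.

```python
from __future__ import annotations
import base64

# RFC 1035 limits that bound how much one query name can carry.
MAX_LABEL = 63    # one label is at most 63 characters
MAX_NAME = 253    # a full name is at most 253 characters in presentation form
ZONE = "logs.example.com"   # hypothetical zone; its authoritative server is the collector
SEQ_WIDTH = 4               # digits in the sequence label that leads each name


def capacity(zone: str = ZONE) -> int:
    """Base32 characters that fit in one name beside the 's0000.' label and the zone."""
    room = MAX_NAME - (1 + SEQ_WIDTH + 1 + len(zone))   # what is left for payload labels
    full = room // (MAX_LABEL + 1)                      # whole 63-char labels, each plus its dot
    rest = room - full * (MAX_LABEL + 1)
    return full * MAX_LABEL + max(0, rest - 1)          # plus a shorter final label, minus its dot


def encode(msg: bytes, zone: str = ZONE, first_seq: int = 0) -> list[str]:
    """Split one syslog message into the query names that carry it (sender side)."""
    # Base32 keeps the payload inside the DNS letter/digit alphabet and survives
    # resolvers that change case; padding is dropped here and restored on decode.
    text = base64.b32encode(msg).decode("ascii").rstrip("=").lower()
    cap = capacity(zone)
    names = []
    for i, start in enumerate(range(0, len(text), cap)):
        chunk = text[start:start + cap]
        labels = [chunk[j:j + MAX_LABEL] for j in range(0, len(chunk), MAX_LABEL)]
        seq = f"s{first_seq + i:0{SEQ_WIDTH}d}"
        names.append(".".join([seq, *labels, zone]))
    return names


def decode(names: list[str], zone: str = ZONE) -> tuple[bytes, list[int]]:
    """Reassemble a message from the names seen at the authoritative server.

    Each query is an independent UDP datagram, so names may arrive out of
    order or not at all. Returns the decoded bytes (empty if a chunk is
    missing) and the sequence numbers of the missing chunks.
    """
    suffix = "." + zone
    parts = {}
    for name in names:
        if not name.endswith(suffix):
            continue                                    # ordinary lookups, not ours
        labels = name[: -len(suffix)].split(".")
        seq_label, payload = labels[0], labels[1:]
        if len(seq_label) != SEQ_WIDTH + 1 or seq_label[0] != "s" or not seq_label[1:].isdigit():
            continue                                    # a normal record name in the zone
        parts[int(seq_label[1:])] = "".join(payload)
    if not parts:
        return b"", []
    missing = [s for s in range(min(parts), max(parts) + 1) if s not in parts]
    if missing:
        return b"", missing
    text = "".join(parts[s] for s in sorted(parts)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8)), []


def packets_needed(msg: bytes, zone: str = ZONE) -> dict[str, int]:
    """Packets one message costs over three carriers.

    The header figures are assumptions for comparison only: 2 bytes per IP
    identification field, 4 bytes per TCP initial sequence number.
    """
    n = len(msg)
    b32_chars = -(-(n * 8) // 5)                         # ceil: 5 bytes become 8 characters
    return {
        "dns_queries": -(-b32_chars // capacity(zone)),
        "ip_id_packets": -(-n // 2),
        "tcp_isn_connections": -(-n // 4),
    }


# Constructed sample in RFC 3164 style; not a real log line.
SAMPLE = b"<34>Oct 11 22:14:15 branch01 su: 'su root' failed for lonvick on /dev/pts/8"

if __name__ == "__main__":
    queries = encode(SAMPLE)
    for q in queries:
        print(len(q), q)
    data, lost = decode(list(reversed(queries)))
    print(data == SAMPLE, lost, packets_needed(SAMPLE))
```

The sender would issue these names as ordinary A or TXT lookups through the branch's normal resolver, which forwards them to the authoritative server for the zone, i.e. the collector. A 75-byte log line fits in a single query here, whereas a channel hiding two bytes per packet in the IP identification field would need dozens of packets for the same line. The sequence label exists because each query is an independent datagram: the collector has to cope with reordering and loss, which `decode` reports rather than silently decoding a truncated message.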
Furthermore, DNS tunneling techniques are interesting and as yet little used. The fact that there are still no application-layer filtering techniques for DNS (unlike those for HTTP) gives this method a big advantage. Indeed it is likely that viruses and worms in the future, if not already, will base their communications on DNS covert channels.
One other advantage is the very widespread availability of DNS servers. Every medium or large company has one or more internal DNS servers, some of which are also accessible to various clients in the subsidiaries. Often the service is not even filtered.