DNS隐蔽信道综述

doi:10.11959/j.issn.1000-436x.2021090

Abstract

Abstract:

DNS covert channel is an important security issue that cannot be ignored in network security.The operation of using DNS to access the server is widely used in the network communication of traditional PC, smart phones and new infrastructure.Basic defense facilities such as firewalls generally do not filter DNS data too much.The ubiquity and concealment make it an ideal secret channel for attackers.It is necessary to pay attention to the existing research results and development trends.The development process was summarized into three stages, and the situation of each stage was analyzed.Formally it was defined and the construction mechanism was deeply analyzed.The existing abnormal points that cannot be bypassed were analyzed and summarized, the detection methods were summarized and divided into traditional detection methods and artificial intelligence-powered detection methods, the existing problems were raised.Based on the above classification, the construction and detection frontiers of DNS covert channel was reviewed, and an in-depth analysis was conducted from different perspectives such as development trends, technical mechanisms, and detection methods.Finally, the main research direction of the current was summarized, and its future development trend was prospected.

Key words: DNS covert channel, C&C, data exfiltration, detection, APT

CLC Number:

TP393

Jiawen DIAO, Binxing FANG, Xiang CUI, Zhongru WANG, Ruiling GAN, Lin FENG, Hai JIANG. Survey of DNS covert channel[J]. Journal on Communications, 2021, 42(5): 164-178.

Figures/Tables 15

References 62

[1]	MOCKAPETRIS P V . Domain names-implementation and specification[R]. RFC Editor, 1987.
[2]	HINCHLIFFE A . DNS tunneling:how DNS can be (ab)used by malicious actors[R]. Unit42, 2019.
[3]	PISCITELLO D . What is a DNS covert channel?[R]. ICANN, 2016.
[4]	ARENDS R . Domain name system (DNS) parameters[R]. IANA, 2020.
[5]	Black Lotus Labs Alina point of sale malware still lurking in DNS[R]. LUMEN, 2020.
[6]	KREMEZ V . FIN6 “FrameworkPOS”:point-of-sale malware analysis＆ internals[R]. Sentinel LABS, 2019.
[7]	REAVES J . Anchor project for Trickbot adds ICMP[R]. Sentinel LABS, 2020.
[8]	BARBEHENN B . Threat assessment:Ryuk ransomware and Trickbot targeting U.S.healthcare and public health sector[R]. Unit42, 2020.
[9]	FALCONE R . xHunt campaign:newly discovered backdoors using deleted email drafts and DNS tunneling for command and control[R]. Unit42, 2020.
[10]	FALCON R . OilRig targets middle eastern telecommunications organization and adds novel C2 channel with steganography to its inventory[R]. Unit42, 2020.
[11]	EKMAN E . Iodine[R]. GitHub, 2021.
[12]	ANDERSSON B . Iodine[R]. kryo.se, 2014.
[13]	ARNO0X. DNSExfiltrator[R]. GitHub, 2017.
[14]	RON. Dnscat2[R]. Skullsecurity, 2019.
[15]	BORGES D . Reverse_DNS_shell[R]. GitHub, 2015.
[16]	MILLER T . Reverse DNS tunneling staged loading shellcode[R]. Black Hat, 2008.
[17]	DEMBOUR O . Dns2tcp[R]. GitHub, 2017.
[18]	CIMPANU C . Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS(DoH)[R]. ZDNet, 2020.
[19]	WINNTI GROUP:Insights from the past[R]. Quointelligence, 2020.
[20]	PAGANINI P . China-linked Winnti APT targets south korean gaming firm[R]. Securityaffairs, 2020.
[21]	Application Layer Protocol:DNS[R]. MITRE ATT＆CK, 2020.
[22]	DIETRICH C J , ROSSOW C , FREILING F C ,et al. On botnets that use DNS for command and control[C]// 2011 Seventh European Conference on Computer Network Defense. Piscataway:IEEE Press, 2011: 9-16.
[23]	GRUNZWEIG J . New Wekby attacks use DNS requests as command and control mechanism[R]. Unit42, 2016.
[24]	Global Research,Analysis Team The projectsauron APT[R]. Kaspersky, 2016.
[25]	SEALS T . OilRig APT drills into malware innovation with unique backdoor[R]. Unit42, 2020.
[26]	WILHOIT K . OilRig uses updated BONDUPDATER to target middle eastern government[R]. Unit42, 2018.
[27]	SZERB T . NSTX[R]. Nongnu, 2002.
[28]	KAMINSKY D . Black ops of DNS[R]. Black Hat USA, 2004.
[29]	REVELLI A . Introducing Heyoka:DNS tunneling 2.0[R]. SOURCE Boston, 2009.
[30]	BORN K . PSUDP:a passive approach to network-wide covert communication[J]. Black Hat USA, 2010.
[31]	Morto worm sets a (DNS) record[R]. Symantec, 2011.
[32]	PEARSON O . DNS tunnel-through bastion hosts[R]. Gray-world.net, 1998.
[33]	REVELLI A . Playing with Heyoka:spoofed tunnels,undetectable data exfiltration and more fun with DNS packets[R]. Shakacon, 2009.
[34]	BORN K . PSUDP:passive network covert communication slides[R]. Black Hat USA, 2010.
[35]	BROMBERGER S . DNS as a covert channel within protected networks[R]. NESCO, 2011.
[36]	XU K , BUTLER P , SAHA S ,et al. DNS for massive-scale command and control[J]. IEEE Transactions on Dependable and Secure Computing, 2013,10(3): 143-153.
[37]	New Framework POS variant exfiltrates data via DNS requests[R]. GDATA, 2014.
[38]	FALCONE R . DNS tunneling in the wild:overview of OilRig’s DNS tunneling[R]. Unit42, 2019.
[39]	PAGANINI P . APT34:Glimpse project[R]. Securityaffairs, 2019.
[40]	LEE B . Behind the scenes with OilRig[R]. Unit42, 2019.
[41]	PAXSON V , CHRISTODORESCU M , JAVED M ,et al. Practical comprehensive bounds on surreptitious communication over DNS[C]// 22nd USENIX Security Symposium. Berkeley:USENIX Association, 2013: 17-32.
[42]	BARR D . Common DNS operational and configuration errors[R]. RFC Editor, 1996.
[43]	BORN K , GUSTAFSON D . Detecting DNS tunnels using character frequency analysis[J]. arXiv Preprint,arXiv:1004.4358, 2010.
[44]	KARASARIDIS A , MEIER-HELLSTERN K , HOEFLIN D . NIS04-2:detection of DNS anomalies using flow data analysis[C]// IEEE Globecom. Piscataway:IEEE Press, 2006: 1-6.
[45]	ELLENS W , ?URANIEWSKI P , SPEROTTO A ,et al. Flow-based detection of DNS tunnels[C]// IFIP International Conference on Autonomous Infrastructure,Management and Security. Berlin:Springer, 2013: 124-135.
[46]	KARA A M , BINSALLEEH H , MANNAN M ,et al. Detection of malicious payload distribution channels in DNS[C]// 2014 IEEE International Conference on Communications. Piscataway:IEEE Press, 2014: 853-858.
[47]	FARNHAM G . Detecting DNS tunneling[R]. SANS, 2013.
[48]	BILGE L , KIRDA E , KRUEGEL C ,et al. EXPOSURE:finding malicious domains using passive DNS analysis[C]// Proceedings of the Network and Distributed System Security Symposium.[S.n.:s.l.], 2011: 1-17.
[49]	BILGE L , SEN S , BALZAROTTI D ,et al. Exposure[J]. ACM Transactions on Information and System Security, 2014,16(4): 1-28.
[50]	AIELLO M , MONGELLI M , PAPALEO G . Basic classifiers for DNS tunneling detection[C]// 2013 IEEE Symposium on Computers and Communications. Piscataway:IEEE Press, 2013: 880-885.
[51]	章思宇, 邹福泰, 王鲁华 ,等. 基于 DNS 的隐蔽通道流量检测[J]. 通信学报, 2013,34(5): 143-151.
	ZHANG S Y , ZOU F T , WANG L H ,et al. Detecting DNS-based covert channel on live traffic[J]. Journal on Communications, 2013,34(5): 143-151.
[52]	BUCZAK A L , HANKE P A , CANCRO G J ,et al. Detection of tunnels in PCAP data by random forests[C]// Proceedings of the 11th Annual Cyber and Information Security Research Conference. New York:ACM Press, 2016: 1-4.
[53]	LIU J K , LI S H , ZHANG Y Z ,et al. Detecting DNS tunnel through binary-classification based on behavior features[C]// 2017 IEEE Trustcom/BigDataSE/ICESS. Piscataway:IEEE Press, 2017: 339-346.
[54]	ALMUSAWI A , AMINTOOSI H . DNS tunneling detection method based on multilabel support vector machine[J]. Security and Communication Networks, 2018: 1-9.
[55]	HOMEM I , PAPAPETROU P , DOSIS S . Information-entropy-based DNS tunnel prediction[C]// IFIP International Conference on Digital Forensics. Geneva:IFIP Newsletter, 2018: 127-140.
[56]	单康康, 郭晔, 陈文智 ,等. 基于混合分类算法模型的DNS隧道检测[J]. 通信学报, 2018,39(S1): 53-57.
	SHAN K K , GUO Y , CHEN W Z ,et al. Detection of DNS tunneling based on combined classification algorithm model[J]. Journal on Communications, 2018,39(S1): 53-57.
[57]	NADLER A , AMINOV A , SHABTAI A . Detection of malicious and low throughput data exfiltration over the DNS protocol[J]. Computers＆ Security, 2019,80: 36-53.
[58]	AHMED J , GHARAKHEILI H H , RAZA Q ,et al. Monitoring enterprise DNS queries for detecting data exfiltration from internal hosts[J]. IEEE Transactions on Network and Service Management, 2020,17(1): 265-279.
[59]	HIND J . Catching DNS tunnels with A.I[R]. Defcon, 2009.
[60]	LIU C , DAI L , CUI W J ,et al. A byte-level CNN method to detect DNS tunnels[C]// 2019 IEEE 38th International Performance Computing and Communications Conference. Piscataway:IEEE Press, 2019: 1-8.
[61]	张猛, 孙昊良, 杨鹏 . 基于改进卷积神经网络识别DNS隐蔽信道[J]. 通信学报, 2020,41(1): 169-179.
	ZHANG M , SUN H L , YANG P . Identification of DNS covert channel based on improved convolutional neural network[J]. Journal on Communications, 2020,41(1): 169-179.
[62]	WU K M , ZHANG Y Z , YIN T . TDAE:autoencoder-based automatic feature learning method for the detection of DNS tunnel[C]// 2020 IEEE International Conference on Communications. Piscataway:IEEE Press, 2020: 1-7.

Metrics

Recommended 0

No Suggested Reading articles found!

时间	恶意代码	子域名构成方法（编码）	字符长度/个	域名
2016年	Helminth	00<SysI><FN><SeqN><RN><ED>（Hex）	48	go0gie.com
2017年	ALMA Dot	<RN>.IDID.<Vid>.<SeqN>.<TSeqN>.<ED>.<FN>（Base16）	60	newusers.tk
2017年	ISMAgent	<ED><SeqN>.d.<Vid>（Base64）	13	ntpupdateserver.com
2017年	BONUPDATER	<RN>4<SeqN><SysI>B007（Base16）	50	poison-frog.club
2017年	ALMA Dash	<RN>ID<Vid>-<SeqN>-<TN>-<ED>-<FN>（Base16）	20	prosalar.com
2018年	QUADAGENT	<ED>.<RN>（Base64）	60	acrobatverify.com
2020年	RDAT	<ED>.<EM><KEY>（Base32 or 64）	16	rsshay.com
注：<SysI>为系统标识符, <FN>为文件名, <SeqN>为序列号, <TSeqN>为序列总数, <RN>为随机数, <ED>为编码后的待传送数据, <EM>为编码方法, <Vid>为受害设备ID, <TN>为总包数, <KEY>为加密密钥。

时间	恶意软件名称	应答	连接方式
2011年	Feederbot	TXT	中继
2011年	Morto	TXT	中继
2014年	FrameworkPOS	A	中继
2015年	HTTPBrowser	TXT	中继
2016年	Pisloader	TXT、Base32	中继
2016年	C3PRO-RACCOON	CNAME、Base64	中继
2016年	Helminth	A	中继
2017年	Denis	NULL、Base64	中继
2017年	Goopy	TXT、Base64	直连
2017年	Matroyshka	A	中继
2017年	POWERSOURCE	TXT	中继
2017年	Ebury	A、TXT	中继
2017年	ALMA Communicator	A	中继
2017年	ISMAGENT	AAAA	中继
2018年	BONDUPDATER	A、TXT	中继
2018年	QUADAGENT	AAAA	中继
2018年	RogueRobin	A、AAAA、TXT、CNAME、MX等	中继
2019年	Glimpse	A、TXT	中继
2020年	RDAT	A、AAAA、TXT	中继

时间	工具	使用记录	平台
2004年	OzymanDNS	TXT	Linux, Windows
2004年	Dnscat-P/Dnscat2	A、CNAME	Unix
2006年	Iodine	A、CNAME、TXT、MX、SRV、NULL、PRIVATE等	Linux, Mac OS X, Windows
2007年	TUNS	CNAME	Linux
2008年	Dns2tcp	TXT、KEY	Linux, Windows
2008年	tcp-over-dns	TXT	Windows, Linux and Solaris
2009年	Heyoka	TXT、NULL	Windows
2011年	DNScapy	CNAME、TXT	Linux
2015年	Your Freedom	CNAME、TXT、MX、NULL、WKX	Windows, Mac OSX, Linux and Android
2015年	ReverseDns Shell	A、TXT	Windows, Mac OS X, Linux
2018年	DNSExfiltrator	TXT	Linux, Windows
2019年	DNSlivery	TXT	Linux, Windows

名称	域名	应答IP地址	规律
	xxx7303d.windows64x.com	1.2.3.4
WekbyxHunt	xxx73d3d.windows64x.com	1.2.3.4	相同
	xxx13033.windows64x.com	1.2.3.4
	xxx5E41A.malicious.com	41.2.3.1
APT34Glimpse	xxx5E41A.malicious.com	41.2.3.2	递增
	xxx5E41A.malicious.com	41.2.3.3
注：由于域名过长，xxx表示省略子域名后五位之前的元素写法。

时间	文献	方法	训练集	测试集	目的	结果
2013年	文献[51]	J48决策树、朴素贝叶斯和逻辑回归	Iodine、Dns2tcp、DNSCat、tcp-overdns、PSUDP	Iodine、Dns2tcp、DNSCat、tcp- over-dns、PSUDP及OzyManDNS、Heyoka	针对已知及未知数据集的二分类检测问题	J48决策树AUC最大（平均性能最优），正检率为 95.6%，误报率为0.15%
2016年	文献[52]	随机森林	Iodine、DNSCat2、Cobalt Strike	Iodine、DNSCat2、Cobalt Strike、Pick Pocket	针对已知及未知数据集的二分类检测问题	对已知数据集：99.92%，对未知数据集：95.89%
2017年	文献[53]	支持向量机、决策树和逻辑回归	Dnscat2、Iodine、Dns2tcp、OzymanDNS	Dnscat2、Iodine、Dns2tcp、OzymanDNS	针对已知数据集的二分类检测问题	使用SVM效果最佳，准确率为99.96%，精度为99.98%，召回率为99.93%
2018年	文献[54]	多标签支持向量机（Kernel SVM）	Iodine、Dns2tcp	Iodine、Dns2tcp	针对已知数据集的多分类检测问题	Kernel SVM 效果更佳，平均精度为0.795，召回率为 0.805 6， F-measure为0.800 028
2019年	文献[57]	iForest	良性流量	Iodine、Dns2tcp、FrameworkPOS、Backdoor.Win32.Denis	异常检测模型	阈值为0.653，检测率为100%
2020年	文献[58]	iForest	良性流量	DET、Iodine、BernhardPOS、DNSMessenger、FrameworkPOS、DNSpoinage	针对未知数据的二分类检测问题	准确率为99.50%，误报率为0.55%

Survey of DNS covert channel

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 15

References 62

Related Articles 15

Metrics

Recommended 0

[1]	Yang GAO, Hongli ZHANG. Survey on community detection method based on random walk [J]. Journal on Communications, 2023, 44(6): 198-210.
[2]	Ying FANG, Yiwen XU, Tiesong ZHAO. Joint vibrotactile coding for machine recognition and human perception [J]. Journal on Communications, 2023, 44(5): 42-51.
[3]	Jinzhi ZHENG, Ruyi JI, Libo ZHANG, Chen ZHAO. End-to-end scene text detection and recognition algorithm based on Transformer decoders [J]. Journal on Communications, 2023, 44(5): 64-78.
[4]	Xin SUN, Guifu ZHANG, Hongyan XING, Wang Zenghui. Research on intrusion detection for maritime meteorological sensor network based on balancing generative adversarial network [J]. Journal on Communications, 2023, 44(4): 124-136.
[5]	Qianyi DAI, Bin ZHANG, Song GUO, Kaiyong XU. Blockchain network layer anomaly traffic detection method based on multiple classifier integration [J]. Journal on Communications, 2023, 44(3): 66-80.
[6]	Bingpeng ZHOU, Shanshan MA. Simultaneous vehicular location and velocity detection towards 6G integrated communication and sensing [J]. Journal on Communications, 2023, 44(3): 81-92.
[7]	Yanshuo ZHANG, Ning LIU, Yuqi YUAN, Yatao YANG. Adaptor signature scheme based on ISRSAC digital signature algorithm [J]. Journal on Communications, 2023, 44(3): 178-185.
[8]	Helin SUN, Hongyuan GAO, Yanan DU, Jianhua CHENG, Yapeng LIU. Joint estimation method of target number and orientation parameters for FDA-MIMO radar [J]. Journal on Communications, 2023, 44(2): 41-51.
[9]	Wei CUI, Ying YU, Haixia YU, Chao CHEN, Yunpeng LI. Sparse channel fast reconstruction algorithm for OFDM system based on IOC-CSMP [J]. Journal on Communications, 2023, 44(2): 52-58.
[10]	Weigang HUO, Rui LIANG, Yonghua LI. Anomaly detection model for multivariate time series based on stochastic Transformer [J]. Journal on Communications, 2023, 44(2): 94-103.
[11]	Xiaoyun WANG, Xiaozhou ZHANG, Liang MA, Yajuan WANG, Mengting LOU, Tao JIANG, Jing JIN, Qixing WANG, Guangyi LIU. Research and optimization on the sensing algorithm for 6G integrated sensing and communication network [J]. Journal on Communications, 2023, 44(2): 219-230.
[12]	Guojun LI, Cuiling XIANG, Changrong YE, Zunli WANG. Fast link-establishment method of integrated of communication and detection based on short-wave digital channelization [J]. Journal on Communications, 2023, 44(1): 89-102.
[13]	Hongyu YANG, Haiyun YANG, Liang ZHANG, Xiang CHENG. Feature dependence graph based source code loophole detection method [J]. Journal on Communications, 2023, 44(1): 103-117.
[14]	Zheng YANG, Yun ZHENG, Yuehao YU, Yi WU, Zhicheng DONG, Song XING. Performance analysis for cooperative NOMA networks based SWIPT with adaptive power splitting [J]. Journal on Communications, 2023, 44(1): 177-188.
[15]	Yanhua LIU, Jiaqi LI, Zhengui OU, Xiaoling GAO, Ximeng LIU, Weizhi MENG, Baoxu LIU. Adversarial training driven malicious code detection enhancement method [J]. Journal on Communications, 2022, 43(9): 169-180.

时间	文献	方法	训练集	测试集	目的	结果
2019年	文献[60]	CNN	Iodine、Dns2tcp、Dnscat2、OzymanDNS、Reverse_DNS_hell	Iodine、Dns2tcp、Dnscat2、OzymanDNS、Reverse_DNS_ hell	针对已知数据集的二分类检测问题	准确率为 99.98%，精度为1.00，召回率为 99.96%， F1-Score为0.999 8
2020年	文献[61]	改进CNN （RDCC-CNN）	DNSCat、Iodine、PSUDP、Dns2tcp、tcp-over-dns	DNSCat、Iodine、PSUDP、Dns2tcp、tcp-over-dns	针对已知数据集的二分类检测问题	准确率为 99.50%，误报率为0.55%