DNS: The Easiest Way to Exfiltrate Data?
A Domain Name System (DNS) request is the starting point for nearly everything that happens on the internet, and so it comes as little surprise that threat actors leverage the DNS protocol. There are a number of ways that DNS is abused, including DNS amplification, which is used for distributed denial-of-service attacks, and DNS hijacking, which is used to redirect a benign DNS request to a malicious domain. More advanced, more targeted, and less frequently encountered in the wild is DNS exfiltration.
High throughput DNS tunneling vs. low throughput DNS exfiltration
Although the basic technique used for both high throughput DNS tunneling and low throughput DNS exfiltration is broadly similar, there are significant differences between them. In terms of similarities, both use the DNS protocol to transfer data that is unrelated to the DNS query, which is accomplished by appending the additional data to the DNS request. Both leverage the fact that most organizations do not interfere with DNS traffic because of its critical role. But that’s where the similarity ends.
When high throughput DNS tunneling is operating, there will be a significant change in DNS traffic volumes to one specific domain or to a few domains; the DNS request length to the domain or domains will increase, and the time between the requests will be shorter. DNS tunneling can be used for relatively benign purposes (e.g., to bypass a Wi-Fi paywall) or for malicious purposes (e.g., to communicate with a command and control [C2] server). However, because of its characteristics, detecting and blocking DNS tunneling is relatively straightforward.
Conversely, when low throughput DNS data exfiltration is operating, there’s no significant increase in traffic volumes to any single domain or domains and there are longer gaps between the requests. For example, an endpoint that has been infected by malware may only wake up every hour and send a DNS request with a short appended message to its C2 server. That makes the detection of low throughput DNS exfiltration extremely difficult without increasing the number of false positive security alerts.
Why do attackers like low throughput data exfiltration?
One big limitation of using DNS to transfer data is that the DNS message length is limited to 255 bytes and a large amount of that can be taken up with UDP control messages. However, as previously noted, organizations are reluctant to tamper with DNS traffic, which often means that it is not monitored; even if it is, the monitoring is very likely to only be able to identify high throughput tunneling.
That scenario makes the use of low throughput data exfiltration very attractive for attackers, especially when the data being exfiltrated is hugely valuable, like credit card numbers. It might take a while to exfiltrate the card details, but that low-and-slow approach can be worth the wait.
Protections against DNS exfiltration
Because low throughput DNS exfiltration malware can be highly dangerous and potentially lead to a significant and costly data breach for an organization, Akamai’s security research team has recently been focused on better understanding the problem to build a more effective detection technique. Much of that research was covered in some detail in this paper, which is well worth reading if you, too, would like a much deeper understanding.
Our DNS data exfiltration detection algorithm was borne out of that research and has been continuously enhanced over time to improve detection speed and accuracy and to minimize false positive alerts. It’s used to continually analyze DNS traffic logs from customers who have deployed our cloud secure web gateway. When a new detection occurs, we proactively alert the impacted customer, and the domains associated with the exfiltration are added to our threat intelligence so all customers are subsequently protected.
In April 2022, the system highlighted an instance of DNS exfiltration that showed just how effective the algorithm is. It identified a burst of DNS traffic to a number of domains in customer traffic logs, where the exfiltrated data was being appended to requests to subdomains. What was most interesting was that the algorithm detected this within the first hour of activity and the detection was based on a relatively small number or requests to the subdomains: 1,109 in total.
After Akamai’s security teams alerted the customer to the detection, we learned that the customer had been conducting penetration testing. The security team was delighted that Enterprise Threat Protector had detected the exfiltration behavior so quickly.
Is DNS still a security blind spot?
As mentioned previously, many organizations are still reluctant to tamper with DNS because of the risk of inadvertently breaking internet traffic. One approach to getting visibility into and securing DNS traffic without that risk is to deploy a DNS security service that looks at every DNS request made and compares them against a real-time threat intelligence database.
That approach means that safe DNS traffic proceeds as normal, but malicious traffic is blocked. Critically, it also allows DNS logs to be inspected in near real time to identify low throughput DNS data exfiltration.
DNS requests: Akamai delivers needle-in-a-haystack detection
At Akamai we love numbers, and so we thought it would be interesting to see how the number of DNS requests that it took to detect the exfiltration compared with some other Akamai DNS stats. Akamai delivers 7 trillion DNS requests every day and our internet security services proactively block 2.8 billion malicious DNS requests.
To put it another way, the 1,109 DNS requests related to the exfiltration is 0.000000015842857% of the daily DNS requests and 0.00003960714286% of the malicious DNS requests: truly a needle-in-a-haystack detection.
To find out how you can quickly get better visibility and control over your DNS traffic to reduce risk, visit akamai.com/etp to sign up for a free 60-day trial.