Field of the Invention
The present invention relates generally to computer networks and, more specifically, to real-time cloud-based detection and mitigation of DNS data exfiltration and DNS tunneling.
Description of the Related Art
In the domain of computer networks, computing devices are often vulnerable to attack from malicious users via network-based messages. Typically, firewalls are implemented to protect computing devices that are connected to various networks from such malicious activities. Among other things, a firewall monitors and controls incoming and outgoing network messages on behalf of the different computing devices connected to a network. The firewall commonly performs these monitoring and control operations by applying security rules or policies to the incoming and outgoing messages. As one example, if potentially malicious activity is detected on one or more internet socket port numbers, then the firewall can block some or all of the incoming or outgoing messages on those port numbers. In effect, a firewall establishes a barrier or filter between computing devices within a trusted, secure internal network and machines within an oftentimes larger external network, such as the internet, that is presumed to be untrustworthy or unsecure.
One drawback of conventional firewalls is that traffic on certain internet socket port numbers cannot practically be blocked. For example, port number 53 (UDP and TCP) is typically configured to handle all domain name system (DNS) related traffic, such as DNS requests and the responses to such DNS requests. If certain network traffic on port 53 is blocked, then DNS-related services provided on port 53 may fail to work properly or may fail completely. Therefore, firewalls typically are required to keep port 53 open and are configured to forward all traffic transmitted or received on port 53 to ensure that DNS-related services function properly. Because port 53 usually is left open, malicious users have employed DNS-based messages to attack target enterprise networks, knowing that most conventional firewalls are not set up to block DNS-based messages.
In one example, a computer system within a target enterprise network could become infected with a malicious software application that is configured to utilize port 53 to exfiltrate, or extract, sensitive data, such as social security numbers and credit card information, from that computer system and/or other computer systems within the target enterprise network. The malicious software application could gather data from the target enterprise network and encode the gathered data into one or more DNS requests transmitted over port 53. Each DNS request could be formatted as a request to resolve a fully-qualified domain name (FQDN) of the form label1.label2.label3.sld.tld, where "tld" is a top level domain (TLD), such as .com or .net, "sld" is a second level domain (SLD) registered to the malicious user, and "label1," "label2," and "label3" are fields that contain data gathered by the malicious software application and encoded into the DNS request. Because each DNS label is limited to 63 octets and a full domain name to 255 octets, larger volumes of gathered data are spread across many such requests. One or more DNS resolvers could then forward each DNS request to a malicious authoritative name server for resolution, since the resolvers have no way to resolve a name under the malicious user's SLD without doing so. The malicious authoritative name server could receive the DNS request and decode the data within label1, label2, and label3. Regardless of whether the malicious authoritative name server is configured to respond to the DNS request, the malicious authoritative name server would be in possession of the sensitive data that has been exfiltrated from the target enterprise network via the DNS request.
In another example, a computer system within a target enterprise network could become infected with a malicious software application that is configured to utilize port 53 to engage in DNS tunneling, or two-way communications, with a malicious authoritative name server. In such a situation, a malicious software application executing on an infected computer system could exfiltrate sensitive data within the target enterprise network via DNS requests, as described above. In addition, the malicious authoritative name server could respond to the DNS requests with one or more responsive DNS messages that include additional instructions for the malicious software application. For example, the responsive DNS messages could include a listing of computer systems, files, and/or types of data for the malicious software application to search. After searching the listed computer systems, files, and/or types of data, the malicious software application could then encode and transmit any findings to the malicious authoritative name server in subsequent DNS requests. Alternatively or in addition, the responsive DNS messages could include malicious payload data, such as executable code for the malicious software application to install and execute on one or more computer systems within the target enterprise network. The executable code could configure the one or more computer systems to find and transmit additional sensitive data to the malicious authoritative name server. The executable code could also configure the one or more computer systems to sabotage the target enterprise network by erasing or corrupting data residing within the target enterprise network, by reducing performance of one or more computer systems within the target enterprise network, or by directly controlling the functionality of one or more computer systems within the target enterprise network.
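The following is an added illustration of the two exchanges described in the preceding paragraphs (data encoded into the labels of a query under an attacker-registered SLD, and an instruction carried back in a response), together with the per-query features a detector can compute on the names it sees. It is example code written for this page, not the mechanism claimed by the application. The domain "sld.tld", the sample record, the TXT-record carrier for the response, and the detection thresholds are all constructed assumptions; real DNS traffic and a real detector would also account for the public suffix list, query volume over time, and record types other than TXT.

```python
"""Toy model of DNS exfiltration/tunneling and simple per-query detection features.
Added example for this page; all names, data and thresholds are constructed."""
import base64
import math
from collections import Counter, defaultdict

ATTACKER_DOMAIN = "sld.tld"   # hypothetical attacker-registered sld.tld
MAX_LABEL_LEN = 63            # RFC 1035 limit per label
MAX_NAME_LEN = 253            # practical limit for a full name in presentation form
LABELS_PER_QUERY = 3          # label1.label2.label3.sld.tld, as in the text


def encode_exfil_queries(data: bytes, domain: str = ATTACKER_DOMAIN) -> list[str]:
    """Infected-host side: split data into base32 labels and build FQDNs.
    Base32 is used because names are case-insensitive and limited to
    letters, digits and hyphens; '=' padding is dropped and restored on decode."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL_LEN] for i in range(0, len(text), MAX_LABEL_LEN)]
    queries = []
    for i in range(0, len(labels), LABELS_PER_QUERY):
        name = ".".join(labels[i:i + LABELS_PER_QUERY] + [domain])
        if len(name) > MAX_NAME_LEN:  # cannot trigger with these constants
            raise ValueError("name exceeds %d octets" % MAX_NAME_LEN)
        queries.append(name)
    return queries


def decode_exfil_queries(queries: list[str], domain: str = ATTACKER_DOMAIN) -> bytes:
    """Authoritative-server side: strip the registered domain, join the data
    labels in arrival order, restore base32 padding and decode."""
    suffix = "." + domain
    text = "".join(q[:-len(suffix)].replace(".", "")
                   for q in queries if q.endswith(suffix))
    text = text.upper() + "=" * (-len(text) % 8)
    return base64.b32decode(text)


def build_txt_response(instruction: bytes) -> list[str]:
    """Tunneling reply: carry an instruction back as TXT RDATA. Each
    character-string inside TXT RDATA is at most 255 bytes, so split."""
    text = base64.b64encode(instruction).decode("ascii")
    return [text[i:i + 255] for i in range(0, len(text), 255)]


def parse_txt_response(strings: list[str]) -> bytes:
    """Infected-host side: reassemble the instruction from the TXT strings."""
    return base64.b64decode("".join(strings))


def registered_domain(qname: str) -> str:
    """Simplification: treat the last two labels as sld.tld. A production
    detector should use the Public Suffix List (e.g. co.uk) instead."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, dictionary words low."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def query_features(qname: str) -> dict:
    """Per-query features computed on the part below the registered domain."""
    labels = qname.rstrip(".").split(".")
    sub_labels = labels[:-2]
    sub = ".".join(sub_labels)
    return {
        "subdomain_len": len(sub),
        "label_count": len(sub_labels),
        "longest_label": max((len(l) for l in sub_labels), default=0),
        "entropy": shannon_entropy(sub.replace(".", "")),
    }


def is_suspicious(qname: str, max_len: int = 50, max_entropy: float = 4.0,
                  max_label: int = 40) -> bool:
    """Constructed thresholds: long or high-entropy subdomains are flagged."""
    f = query_features(qname)
    return (f["subdomain_len"] > max_len or f["entropy"] > max_entropy
            or f["longest_label"] > max_label)


def unique_subdomains_per_domain(qnames: list[str]) -> dict:
    """Volume feature: exfiltration produces many never-repeated names
    under one registered domain, unlike ordinary cached lookups."""
    seen = defaultdict(set)
    for q in qnames:
        seen[registered_domain(q)].add(q)
    return {d: len(s) for d, s in seen.items()}


if __name__ == "__main__":
    secret = b"ssn=123-45-6789;cc=4111111111111111;name=Jane Doe"  # constructed
    queries = encode_exfil_queries(secret)
    assert decode_exfil_queries(queries) == secret
    benign = ["www.example.org", "mail.example.net", "cdn-assets-12.static.example.net"]
    for q in benign + queries:
        print(is_suspicious(q), query_features(q), q)
    print(unique_subdomains_per_domain(benign + queries))
    print(parse_txt_response(build_txt_response(b"search *.xlsx")))
```

The detector side here is deliberately stateless per query; in practice the volume feature (many distinct names under one SLD within a short window) is what separates a single odd-looking name from an ongoing exfiltration, and the thresholds would be tuned against the traffic of the network being protected.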
As the foregoing illustrates, what is needed in the art are techniques for detecting and mitigating DNS-based attacks directed towards computer networks.