Knowing how to identify and understand network tunneling traffic is key when attempting to prevent data loss. In this blog, we’ll examine covert network tunnels to provide a better understanding of how they operate, how we can identify them and how we may review their contents.
What is network tunneling?
Network tunneling refers to the encapsulation of data within specific network protocols. While some forms of tunnels can have legitimate uses, we’ll be focusing on tunnels which are commonly used to covertly exfiltrate data from a network. In this context, the purpose of the tunnels is to allow the transmission of data in a context where ordinarily it would be blocked (e.g. due to firewall rules) or detected (e.g. by an IDS).
Why do network tunnels matter?
The ability to control network access, and to understand the traffic that traverses a network, is key to preventing data loss. Data transmitted over tunnels may represent valuable intellectual property, sensitive employee data, or reconnaissance data that gives an attacker insight into your network.
Types of Network Tunnels
We’ll be looking at two types of covert tunnels today: DNS tunnels and ICMP tunnels.
DNS tunneling is the encoding of data from other programs or protocols inside DNS queries and responses.
DNS tunnels may be aimed directly at a non-standard DNS server. In this configuration, such tunnels are more easily distinguished from legitimate traffic, because the queries go to an unusual destination address rather than to the organisation’s resolvers. However, if an attacker controls the authoritative name server for a domain on the internet, the tunnel traffic can be sent through the normal DNS resolution path, safe in the knowledge that recursive resolution will ultimately deliver the queries to the attacker’s remote name server.
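As an added example of the identification step (not code from the original post), the following Python analyser applies three heuristics to a resolver log: queries sent to a resolver outside an assumed approved set, long high-entropy labels of the kind produced by encoded payloads, and a single client emitting many distinct names under one domain. The log lines, addresses and domain names are constructed, and the thresholds are assumptions to be tuned against real traffic.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the original post).
# One query per line: <client_ip> <resolver_ip> <queried_name>
SAMPLE_LOG = """\
10.0.0.5 10.0.0.2 www.example.com
10.0.0.5 10.0.0.2 mail.example.com
10.0.0.7 10.0.0.2 a3f9c2e7b1d04e8f6c5a9b2d7e1f3a4c.t1.tunnel-demo.test
10.0.0.7 10.0.0.2 9e1b7c4d2a6f8e0b3c5d7a9f1e2b4c6d.t1.tunnel-demo.test
10.0.0.7 10.0.0.2 4c6d8e0f2a1b3c5d7e9f1a2b4c6d8e0f.t1.tunnel-demo.test
10.0.0.9 203.0.113.50 update.example.org
"""
# Assumed allow-list of the organisation's own resolvers.
APPROVED_RESOLVERS = {"10.0.0.2"}

def shannon_entropy(text):
    """Bits per character; encoded payload labels score close to log2(alphabet size)."""
    if not text:
        return 0.0
    probs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def registered_domain(name):
    """Crude 'last two labels' stand-in for the registered domain."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def analyse(log, approved=APPROVED_RESOLVERS, min_len=20, min_entropy=3.5, min_unique=3):
    """Return (reason, client_ip, name_or_domain) findings for a resolver log."""
    findings = []
    names_per_domain = defaultdict(set)  # (client, domain) -> distinct query names
    for line in log.splitlines():
        client, resolver, name = line.split()
        # Rule 1: query sent to a resolver that is not one of ours.
        if resolver not in approved:
            findings.append(("unapproved_resolver", client, name))
        # Rule 2: long, high-entropy label, as produced by encoded payloads.
        labels = name.split(".")[:-2]
        if any(len(lab) >= min_len and shannon_entropy(lab) > min_entropy for lab in labels):
            findings.append(("high_entropy_label", client, name))
        names_per_domain[(client, registered_domain(name))].add(name)
    # Rule 3: one client emitting many distinct names under a single domain.
    for (client, domain), names in names_per_domain.items():
        if len(names) >= min_unique:
            findings.append(("many_unique_names", client, domain))
    return findings
```

On the constructed log, the three hex-labelled queries trip rule 2, the same client trips rule 3 for tunnel-demo.test, and the query to 203.0.113.50 trips rule 1; legitimate names such as www.example.com produce no findings.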
ICMP tunneling involves encapsulating data within ICMP (Ping) packets and transmitting these packets to a remote computer. Ping traffic is often seen as being innocuous, so transmitting data in this manner can allow malware or a malicious actor to exfiltrate data from a network without raising an alarm.
Dns2tcp is an application for tunneling TCP traffic through DNS traffic. Two main components make up Dns2tcp: the first is a daemon, Dns2tcpd, which is generally run on a remote server, while the second is a client application, Dns2tcpc, which can be run on a compromised computer and from which a connection will be initiated.
Iodine is an IP-over-DNS tunneling application. As with Dns2tcp, Iodine comprises two main components: Iodined and Iodine. As before, Iodined is a daemon to be run on a server that is awaiting a connection, whilst Iodine is normally run on a compromised computer within a private network.