Abstract
DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, but also for command & control traffic or cyber espionage, thus motivating the search for effective automated DNS tunnel detection techniques. In this paper we develop such a technique, based on the monitoring and analysis of network flows. Our methodology combines flow information with statistical methods for anomaly detection. The contribution of our paper is twofold. Firstly, based on flow-derived variables that we identified as indicative of DNS tunnelling activities, we identify and evaluate a set of non-parametrical statistical tests that are particularly useful in this context. Secondly, the efficacy of the resulting tests is demonstrated by extensive validation experiments in an operational environment, covering many different usage scenarios.
Chapter PDF
Similar content being viewed by others
References
Cisco.com: Cisco ios netflow configuration guide, release 12.4. (September 2010), http://www.cisco.com
Quittek, J., Zseby, T., Claise, B., Zander, S.: Requirements for IP Flow Information Export (IPFIX). RFC 3917, Informational (2004)
Sperotto, A., Schaffrath, G., Sadre, R., Morariu, C., Pras, A., Stiller, B.: An overview of ip flow-based intrusion detection. IEEE Communications Surveys & Tutorials 12(3), 343–356 (2010)
Sperotto, A., Mandjes, M.R.H., Sadre, R., de Boer, P.T., Pras, A.: Autonomic parameter tuning of anomaly-based idss: an ssh case study. IEEE Transactions on Network and Service Management 9, 128–141 (2012)
Mandjes, M., Żuraniewski, P.: M/G/ ∞ transience, and its applications to overload detection. Performance Evaluation 68(6), 507–527 (2011)
Nussbaum, L., Neyron, P., Richard, O.: On Robust Covert Channels Inside DNS. In: Gritzalis, D., Lopez, J. (eds.) SEC 2009. IFIP AICT, vol. 297, pp. 51–62. Springer, Heidelberg (2009)
Aiello, M., Merlo, A., Papaleo, G.: Performance assessment and analysis of DNS tunneling tools. Logic Journal of IGPL (2012)
Crotti, M., Dusi, M., Gringoli, F., Salgarelli, L.: Detecting HTTP Tunnels with Statistical Mechanisms. In: IEEE International Conference on Communications (ICC 2007), pp. 6162–6168 (June 2007)
Dusi, M., Crotti, M., Gringoli, F., Salgarelli, L.: Tunnel Hunter: Detecting application-layer tunnels with statistical fingerprinting. Computer Networks 53(1), 81–97 (2009)
Marchal, S., Francois, J., Wagner, C., State, R., Dulaunoy, A., Engel, T., Festor, O.: DNSSM: A large scale passive DNS security monitoring framework. In: IEEE Network Operations and Management Symposium (NOMS 2012), pp. 988–993 (2012)
Karasaridis, A., Meier-Hellstern, K., Hoeflin, D.: NIS04-2: Detection of DNS Anomalies using Flow Data Analysis. In: IEEE International Conference on Global Telecommunications Conference (GLOBECOM 2006), pp. 1–6 (December 2006)
Callegari, C., Coluccia, A., D’Alconzo, A., Ellens, W., Giordano, S., Mandjes, M., Pagano, M., Pepe, T., Ricciato, F., Żuraniewski, P.: A methodological overview on anomaly detection. COST-TMA Book chapter (to appear, 2013)
Brodsky, B., Darkhovsky, B.: Nonparametric methods in change-point problems. Mathematics and Its Applications, vol. 243. Springer (1993)
Kolmogorov, A.: On the empirical determination of a distribution law (1933). In: Shiryayev, A. (ed.) Selected Works of A.N. Kolmogorov. Probability Theory and Mathematical Statistics, vol. II, pp. 139–146. Springer Netherlands (1992)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Ellens, W., Żuraniewski, P., Sperotto, A., Schotanus, H., Mandjes, M., Meeuwissen, E. (2013). Flow-Based Detection of DNS Tunnels. In: Doyen, G., Waldburger, M., Čeleda, P., Sperotto, A., Stiller, B. (eds) Emerging Management Mechanisms for the Future Internet. AIMS 2013. Lecture Notes in Computer Science, vol 7943. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38998-6_16
Download citation
DOI: https://doi.org/10.1007/978-3-642-38998-6_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38997-9
Online ISBN: 978-3-642-38998-6
eBook Packages: Computer ScienceComputer Science (R0)