DNS Data Exfiltration: The obvious problem with a detection approach that relies on traffic crossing a certain volume threshold is that avoiding detection is as simple as slowing down the rate at which you send data. For a user trying to use a DNS tunnel interactively, this isn't practical. However, if the "user" is actually a piece of malware trying to steal data from inside your network, slowing down the data rate will work, provided the criminal is patient enough and confident he will avoid detection by going "low and slow".
Seeing this shortcoming, Infoblox released in late August a new set of signatures for ADP and Internal DNS Security customers that takes a different approach to identifying these sessions. Instead of relying on volume, our threat team identified unique signatures that match a number of DNS tunneling tools, some of which have been adopted by malware vendors as their transport of choice for your enterprise data.
By using signatures for detection, we can detect these sessions instantly, and with confidence that we are not rate limiting some valid (if strange) DNS traffic.
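To make the contrast concrete, here is an added example (not Infoblox's code or signatures) that runs a volume-threshold detector and a signature detector over a constructed DNS query log. The log, the client addresses, the `tun.example` zone and the `hypothetical-tunnel-tool` regex are all made up for illustration; a real signature set would come from a vendor feed. The fast tunnel trips the volume threshold, the low-and-slow tunnel does not, and the signature check flags both.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one query per line: "<ISO timestamp> <client IP> <qname>".
# None of this is real traffic; the zone and addresses are placeholders.
def make_log():
    lines = []
    t0 = datetime(2023, 9, 1, 10, 0, 0)
    # Fast tunnel: 120 queries from one client in two minutes.
    for i in range(120):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 tx{i:04d}.{'ab' * 10}.tun.example")
    # "Low and slow" tunnel: 20 queries spaced ten minutes apart.
    for i in range(20):
        ts = (t0 + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 tx{i:04d}.{'cd' * 10}.tun.example")
    # Benign background traffic to an ordinary name.
    for i in range(30):
        ts = (t0 + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 www.example.com")
    return lines


def parse(lines):
    """Yield (timestamp, client, qname, zone) tuples in time order."""
    events = []
    for line in lines:
        ts, client, qname = line.split()
        zone = ".".join(qname.split(".")[-2:])  # registrable domain, roughly
        events.append((datetime.fromisoformat(ts), client, qname, zone))
    events.sort()
    return events


def volume_detector(lines, window=timedelta(minutes=5), threshold=50):
    """Flag (client, zone) pairs that send >= threshold queries within any window.
    This is the rate-based approach the text describes: it misses a sender
    who simply spaces queries out beyond the window."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, client, _qname, zone in parse(lines):
        key = (client, zone)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # drop queries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return sorted(flagged)


# Constructed signature: a hypothetical tunneling tool that prefixes each query
# with a "tx" + 4-digit sequence label followed by a long encoded data label.
SIGNATURES = {
    "hypothetical-tunnel-tool": re.compile(r"^tx\d{4}\.[a-z0-9]{16,63}\."),
}


def signature_detector(lines, signatures=SIGNATURES):
    """Flag (client, zone, signature) on the first matching query, regardless
    of rate, which is why low-and-slow does not help the sender here."""
    flagged = set()
    for _ts, client, qname, zone in parse(lines):
        for name, pattern in signatures.items():
            if pattern.match(qname):
                flagged.add((client, zone, name))
    return sorted(flagged)


if __name__ == "__main__":
    log = make_log()
    print("volume threshold flagged:", volume_detector(log))
    print("signatures flagged:      ", signature_detector(log))
```

Tuning the window or threshold in `volume_detector` only moves the rate a patient sender has to stay under; the signature path has no such knob, at the cost of needing a maintained signature set for the tools in use.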