Penetration Testing mailing list archives
Re: [PEN-TEST] IP Tunneling over DNS
From: Peter Van Epp <vanepp () SFU CA>
Date: Tue, 12 Sep 2000 17:09:06 -0700
> I think a lot of people are missing the real danger here. Say I run a firewall that does not allow any traffic from SubnetA to the internet, since there have been problems with people in the department uploading confidential data outside the company. Before this announcement I assumed there was no way for people to get traffic out (without ANY open ports, no tunnels are possible). Now anyone on SubnetA that can talk to a DNS server in SubnetB (SubnetB is allowed to pass DNS traffic to the Internet) can create a bi-directional tunnel out to the Internet. Furthermore, unless I have some heavy logging on the DNS server, I have no idea who is sending all the traffic.
>
> Eric D. Thiel
For starters, if you can't trust the people behind the firewall, how can the firewall protect you? By definition, if you have a firewall there are ports open, because you are right: without an open port there is no path to tunnel over, or to communicate with a supposedly authorized host either, although that's not the end of the story. What stops them from transferring the data from the firewalled segment to the unfirewalled segment and from there out to the Internet? Nothing except your trust that they won't do it, and if you don't have that trust you need to fire them and get someone you can trust that far.

This issue is part of an entire subject known to the military types as covert channel elimination in secure computing systems (it is on the not very paranoid end of that spectrum as well; it's when you are inserting disk seeks at random into your operating system to avoid a disk-busyness modulation covert channel that you are getting to the more paranoid end of this subject). The best explanation of this subject that I have seen is in a book on Advanced Operating Systems by Springer Verlag back in the 80s. If there is interest I can dig up the title and ISBN (although I imagine it is long out of print and there are probably modern references that someone on the list can recommend). If you need that level of security (or even the level of security requiring defeating this relatively high bandwidth covert channel) hopefully you are aware of the research in this particular field and how you can defeat such attacks (but be prepared for the pain!).
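As an added illustration of the logging gap raised in the quoted message (this is not part of the original post or thread), the following Python pass over DNS server query logs attributes tunnel-shaped traffic to the client that sent it, so the DNS server rather than the firewall answers "who is sending all the traffic". The log format, client addresses, domain names and thresholds are all constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed BIND-style query log (not from the original post). 10.0.1.7 sends
# many unique, long, high-entropy names under one domain, the shape tunnel
# traffic takes; 10.0.1.9 is ordinary lookups.
SAMPLE_LOG = """\
client 10.0.1.9#5353: query: www.example.com IN A +
client 10.0.1.9#5353: query: mail.example.net IN MX +
client 10.0.1.7#4001: query: 3q7f9k2mzx8v1bn4.7hq0w2ej5tp.tunnel-example.org IN TXT +
client 10.0.1.7#4001: query: pd8x1c0vr6mq9lz2.k4n7y3sa1gw.tunnel-example.org IN TXT +
client 10.0.1.7#4001: query: x2v9bq4tl7mn0ksw.z5c8h1ry6uf.tunnel-example.org IN TXT +
client 10.0.1.7#4001: query: j6m3t8wq1pl5vk0h.a9d2f7xs4ne.tunnel-example.org IN TXT +
client 10.0.1.9#5353: query: www.example.com IN A +
"""

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)")

def shannon_entropy(s):
    """Bits per character; encoded payload scores near log2(36) ~ 5.2, hostnames far lower."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def per_client_domain_stats(log_text):
    """Aggregate query names by (client IP, registered domain) so volume is attributable."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "prefix_chars": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        labels = m["name"].lower().rstrip(".").split(".")
        domain = ".".join(labels[-2:])   # crude registered-domain cut, fine for the sample
        prefix = ".".join(labels[:-2])   # the part a tunnel encodes its data into
        s = stats[(m["ip"], domain)]
        s["queries"] += 1
        s["unique"].add(prefix)
        s["prefix_chars"] += len(prefix)
        s["entropy_sum"] += shannon_entropy(prefix) if prefix else 0.0
    return stats

def flag_tunnel_candidates(log_text, min_queries=3, min_avg_prefix=24, min_entropy=3.5):
    """Return (client, domain) pairs whose names look like payload: many queries,
    nearly all unique, long prefixes, high entropy. Thresholds are illustrative."""
    flagged = []
    for (ip, domain), s in per_client_domain_stats(log_text).items():
        if s["queries"] < min_queries:
            continue
        avg_prefix = s["prefix_chars"] / s["queries"]
        avg_entropy = s["entropy_sum"] / s["queries"]
        unique_ratio = len(s["unique"]) / s["queries"]
        if avg_prefix >= min_avg_prefix and avg_entropy >= min_entropy and unique_ratio > 0.9:
            flagged.append((ip, domain))
    return flagged
```

Run on the sample it reports only 10.0.1.7 against tunnel-example.org; on a real resolver the same aggregation keyed by client address is what turns "heavy logging" into an answer about who.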