Used to use this quite a lot because my cell plan provider didn't firewall DNS queries when roaming (they needed it to redirect you to the captive portal, I guess).
But now it's fully blocked, so I haven't been using it too much.
The ping ICMP tunnel is older, but this is probably the best known and most widely attempted exfil tunnel technique; here's Kaminsky presenting it in 2004:
I’ve used an OpenVPN server running on port 53 to bypass a number of restricted networks over the years. Seems like the network engineers are getting better at detecting and blocking the technique but it still works around half the time
A former coworker and I played around with this. He was red team, I was blue. It was a fun experiment. Stopping this with some of the corporate firewalls is easy but I wanted to see if I could break it with rate limiting. Unbound has really nice controls for IP/domain rate limiting but it's a double edged sword. Iodine can be broken with rate limiting but then poorly coded applications also break. One would have to take on the challenge of fixing all applications to obey TTL's and it turns out that is quite a monumental challenge. This also required increasing the min TTL of requests and that has an impact on AWS EC2 instances that are designed around a 5s TTL. In the end all I could come up with was a way to alert on an IP exhibiting this behavior and send a syslog message with the IP and just hope someone responds to it quickly enough which is a very sub-optimal solution. The expensive corporate firewalls would just block that specific IP for a period of time and also send an alert which I suppose could have been done with a wrapper to null route the specific IP but then false positives from poorly coded applications would result in outages. At least with the corporate firewalls people could point the finger at them and not me. It was still fun nonetheless.
If anyone is curious why we were going through this exercise, all 50k+ servers had Unbound running locally to take the load off the edge recursive servers and handle upstream fail-over faster. Unbound is remarkable in the data-center for this purpose.
9 comments
[ 4.9 ms ] story [ 45.1 ms ] threadBut now it's fully blocked, so I haven't been using it too much.
https://www.blackhat.com/presentations/bh-usa-04/bh-us-04-ka...
Iodine – tunneling IP over DNS - https://news.ycombinator.com/item?id=7619259 - April 2014 (36 comments)
Was a random internet gem I found through del.icio.us.
If anyone is curious why we were going through this exercise, all 50k+ servers had Unbound running locally to take the load off the edge recursive servers and handle upstream fail-over faster. Unbound is remarkable in the data-center for this purpose.