mailing list archives
Re: [PEN-TEST] IP Tunneling over DNS
From: Peter Van Epp <vanepp () SFU CA>
Date: Tue, 12 Sep 2000 17:09:06 -0700
I think a lot of people are missing the real danger here.
Say I run a firewall that does not allow any traffic from SubnetA to the
internet, since there have been problems with people in the department
uploading confidential data outside the company. Before this announcement I
assumed there was no way for people to get traffic out (without ANY open
ports, no tunnels are possible). Now anyone on SubnetA that can talk to a
DNS server in SubnetB (SubnetB is allowed to pass DNS traffic to the
Internet) can create a bi-directional tunnel out to the Internet.
Furthermore, unless I have some heavy logging on the DNS server, I have no
idea who is sending all the traffic.
Eric D. Thiel
For starters if you can't trust the people behind the firewall how
can the firewall protect you? By definition, if you have a firewall there
are ports open, because you are right without an open port there is no path
to tunnel over or to communicate to a supposedly authorized host either,
although thats not the end of the story. What stops them from transferring the
data from the firewalled segment to the unfirewalled segement and from there
out to the Internet? Nothing except your trust that they won't do it and if
you don't have that trust you need to fire them and get someone you can trust
This issue is part of an entire subject known to the military types as
covert channel elimination in secure computing systems (it is on the not very
paranoid end of that spectrum as well, its when you are inserting disk seeks
at random in to your operating system to avoid a disk busyness modulation
covert channel that you are getting to the more paranoid end of this subject).
The best explaination of this subject that I have seen is in a book on
Advanced Operating Systems by Springer Verlag back in the 80s. If there is
interest I can dig up the title and ISBN (although I imagine it is long out of
print and there are probably modern references that someone on the list can
recommend). If you need that level of security (or even the level of security
requiring defeating this relatively high bandwith covert channel) hopefully
you are aware of the research in this particular field and how you can defeat
such attacks (but be prepared for the pain!).
- Re: [PEN-TEST] IP Tunneling over DNS, (continued)