@ LayerOne
Dan Kaminsky
Introduction
Who am I?
Senior Security Consultant, Avaya
Enterprise Security Practice
Author of “Paketto Keiretsu”, a collection of advanced TCP/IP manipulation tools
Speaker at Black Hat Briefings
BlackOps of TCP/IP series
Gateway Cryptography w/ OpenSSH
Protocol Geek
What’s On The Plate for Today?
/* char descrip[256] = "You'll see"; */
What is DNS
DNS: Domain Name System
Mechanism for translating human-readable names into machine routable addresses
“Like 411 for the Internet”
As 411 usually but not always yields simple phone numbers, DNS usually but not always yields IP addresses
A: Given name, find IP
MX: Given name, find Mail
DNS Spoofing
Returning false addresses = hijack people’s outgoing net connections
DNS Tunneling
DNS Tunneling [1]
How
Client -> Server
What’s the information for BATCH-OF-ENCODED-DATA.doxpara.com?
Server -> Client
The information? Why, it’s “HERES-THAT-DATA-YOU-WERE-LOOKING-FOR”
Why?
DNS is extremely permeable – it will route through architectures where often nothing else will
Captive portals for Wireless Internet
“More” ;-)
Starting Simple:
DNS Tunneling [0]
Who?
NSTX most popular
Creates a “virtual network device” that routes IP (actually, Ethernet frames) over DNS
Linux Only
Upsides
Everyone has a DNS server, and it caches
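The query/response pattern the “How” slide describes (encoded payload in the leftmost labels, TXT records carrying the return data, as NSTX does) is what a resolver-log detector keys on. The following is an added example, not code from the talk or from NSTX; it runs over a constructed query log and the `doxpara.com` lines are built to mimic the BATCH-OF-ENCODED-DATA.doxpara.com pattern. The thresholds and the “last two labels” grouping are assumptions, not values from the slides.

```python
import math
from collections import defaultdict

# Constructed resolver query log (not from the talk): "client qtype qname".
# The doxpara.com lines mimic the slide's long, high-entropy payload labels.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com.
10.0.0.5 TXT 0123456789abcdef0f1e2d3c4b5a6978.s001.doxpara.com.
10.0.0.7 MX mail.example.com.
10.0.0.5 TXT fedcba9876543210a0b1c2d3e4f56789.s002.doxpara.com.
10.0.0.5 TXT 13579bdf02468ace97531fdbeca86420.s003.doxpara.com.
10.0.0.7 A cdn.example.com.
10.0.0.5 TXT abcdef0123456789f0e1d2c3b4a59687.s004.doxpara.com.
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels sit near the alphabet's max."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def registered_domain(qname: str) -> str:
    """Group by the last two labels (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_tunneling(log: str, min_label_len: int = 24, min_entropy: float = 3.0,
                    min_suspicious: int = 3) -> dict:
    """Per-domain counters; flagged when >= min_suspicious queries carry a long,
    high-entropy leftmost label and at least half of those are TXT lookups
    (the record type the slides use to carry the return data)."""
    stats = defaultdict(lambda: {"txt": 0, "suspicious": 0})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _client, qtype, qname = parts
        d = stats[registered_domain(qname)]
        d["txt"] += qtype.upper() == "TXT"
        first = qname.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            d["suspicious"] += 1
    for d in stats.values():
        d["flagged"] = d["suspicious"] >= min_suspicious and 2 * d["txt"] >= d["suspicious"]
    return dict(stats)

def flagged_domains(log: str) -> list:
    return sorted(k for k, v in score_tunneling(log).items() if v["flagged"])
```

The entropy threshold is per-label, so a single long label with an unusual alphabet (base32, hex) is enough to count; tune `min_suspicious` to the query volume of your resolver before alerting on it.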
KDNS[0]
What do we have?
A Very Dynamic DNS server
A Desire to Send More Than A Bit
Fine, I’ll go host a name on a server
A challenge to send something new
What do we get?
KDNS[1]
Voice over DNS – TXT w/ Streaming Audio
Speex codec supports Voice compression at ~2kbps (best public codec)
Ends up (with headers) being about 356 bytes/second
We can traffic 356 bytes per second through even extremely slow DNS servers
Power to the Caching People
Use a TTL of WINDOW seconds (~20s)
All listeners behind the same DNS server will split the same “stream”
KDNS[2]
Server HOWTO
<timestamp>.server.com
TTL=WINDOW
TXT (or MX) = 1.0s or 0.5s of audio
latest.server.com
CNAME to <window>.<timestamp>.server.com
TTL=0
Color Shift
Trajectory Shift
Brightness / “Flare”