DNS tunnelling: that's not your grandma's exfil

Thursday 4 October 15:00 - 15:30, Red room

Brad Antoniewicz (Cisco Umbrella)

DNS tunnelling has changed. And in most cases, it is not even officially 'tunnelling'. The latest techniques for covertly transferring data over DNS are more creative and even harder to detect. Over the last year, we’ve been analysing DNS tunnelling tools, command-and-control traffic, multi-staged payloads, and exfiltration modules to profile how DNS is being abused and to develop reliable detection techniques. In this session we’ll describe each pattern using traffic observed in the wild and provide novel ways to detect them. Finally, we’ll release exfilr, an open-source tool for covertly transferring data over DNS which implements all patterns described and can serve as a detection testbed or a penetration testing tool.



Brad Antoniewicz

Brad Antoniewicz works in Cisco Umbrella's security research group. He is an Adjunct Professor teaching vulnerability analysis and exploitation and a Hacker in Residence at NYU's Tandon School of Engineering. Antoniewicz is also a contributing author to both the Hacking Exposed and Hacking Exposed: Wireless series of books.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.