Poster: DNS (Do Not Suspect)

  • The purpose of this project is to see whether an attacker could use the DNS protocol to communicate with a bot of his own on an infected host in order to avoid detection. Right now this communication is usually carried over the IRC protocol, which is used for chatrooms, runs on a known port that is easily blocked with a firewall, and has a pattern that raises a lot of alerts on any available IDS. This does not happen with DNS, a protocol needed for the proper functioning of the whole Internet, so communication carried in DNS packets would be almost invisible and harder to block than IRC. The project aims to determine whether this is possible and, if so, to investigate how to make the protocol safer.