Episode: 747
Title: HPR0747: Botnets and DNS Tunnelling
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0747/hpr0747.mp3
Transcribed: 2025-10-08 01:52:57

---

[music]

Hello, HPR audience, this is co-cruncher and Finux, we're kind of chatting today. This is the first time we're actually talking. It's strange to talk to a stranger, but Finux, why don't you start by also greeting the audience?

Hello, podcast listeners. It's been a while since we've been on HPR, but yeah, it's nice to speak with you, co-cruncher, how are you?

I'm fine. You said you're in sunny Dundee. I'm in rainy Vancouver, so that's quite a contrast, I guess.

I suppose it stands to show how diverse the HPR community actually is.

Yes, that's true. So I have a question for you, because I've only been listening to HPR since last October, so I haven't really heard many of your shows at HPR before you started then doing your own show. I always thought that HPR is actually a good way to get started with podcasting and then do your own show, just wondering how that is working out for you.

I mean, I have such a love-hate relationship with podcasting and, if truth be told, I've talked about podcasting before, like at Software Freedom Day and all of that sort of stuff, and I'm a big fan of podcasting and I've always said that HPR is an ideal way to get into podcasting, and I was once given some advice by the HPR god himself, Klaatu, that said you shouldn't really start your own podcast, you should always do it syndicated through HPR and that sort of stuff. And for some silly reason, I just didn't take the advice and I've had two podcasts in the end that I've started up through HPR: Track Set, that made about four episodes, and Finux Tech Weekly. But sometimes it's very hard because of your outside commitments to be able to do it. But we're getting Finux Tech Weekly back on and it's a lot of fun.
On the flip side, if I'm struggling getting that out, it makes it hard sometimes for me to podcast to HPR, and HPR has always been like my first podcasting love. I love the community, I love everything about it. But yeah, if you want to get into podcasting, there is no better way than using HPR, definitely, than outdo.

Yeah, that makes a lot of sense. I mean, I never thought I would ever do podcasting before. The last time that Ken actually was desperate to get shows in, I recorded my show on how I got into Linux.

Yeah, I think Ken's putting in some really nice features. A lot of good work's gone into HPR. I haven't really been much of an active member for a while, just with outside stuff. But like they have that number that you can call in and record podcasts with, I think that's a fantastic addition.

Yeah, they syndicate Thursdays. I think that's a really good idea.

I mean, HPR's come on leaps and bounds this year and yeah, definitely. I have to stick my hands up. I'm an HPR fanboy. There's no two ways, there's no two ways, but yeah.

So people at home, if you get bored, you should start recording episodes. That could be just as easy as getting two geeks on Skype, I suppose. We probably have to tell the audience the reason why we're doing this show now is because Ken kind of saw the queue getting too empty and was putting out the call on the mailing list for shows. So you said you have something to talk about and I said I have time to record and edit it. So now we're doing it.

It's awesome.

And I mean, we did have a little pre-show, very short chat through Facebook to kind of agree on one or two topics. Shall we start with the botnet topic?

Yeah, yeah.

So maybe I give a little introduction of how that actually came up, because I was listening to your last Finux Tech Weekly. There you mentioned that in Canada there was a 53% increase in command and control servers for botnets. But then in Finux Tech Weekly there was this pause of five seconds or something.
And during that time, a lot of questions piled up in my head and I decided to go online and do a little bit of research about why is it in Canada and what happened. The information I got is not... there isn't that much information. The reason...

Sorry?

No, there's not. I mean, it's an interesting question. Why Canada and nowhere else? So what did you come across?

It seems to me that... how this number came out is because this company... let me see if I wrote it down, some websites. There is this guy, Patrick Runald. And they started looking into this issue after they decided to investigate the situation that they were seeing an increase in targeted attacks against the Canadian government. That's the reason why they looked into the numbers. And they saw an increase of 53% in the botnets, I mean, in the command and controls, and over 300% increase in spyware, or no, phishing networks or phishing attacks. So it's a huge increase coming from Canada. But I mean, one of the first questions I have is like, how do you really identify and count command and control servers? Because they are dormant most of the time, aren't they?

Yes, yes and no. It's an interesting question. I mean, we have to take whatever statistics come out of this with a pinch of salt because it's one commercial entity's outlook on what they're seeing through their data, which they collect in their ways of doing. So it's not been independently verified, to say the least. So Websense is seeing what it considers to be a command and control, which could very well be legitimate. But it is what Websense sees as a command and control. Now, this is not to say that there isn't an increase in it. But command and control would be, if someone is to get infected, Conficker was a prime example of this sort of stuff, that the botnet needs to speak back to Conficker. So by code analysis, you can say, right, this piece of evil code contacts this server.
In some way, shape or form, it will be hard coded, either an IP address or a domain name or something like that. And that's where they'll say there's a command and control center in Canada, because they'll be doing an IP lookup, so to speak. Does that sort of make sense?

It does, but I mean, there are also these command and control centers that kind of have an algorithm, a time-based algorithm, for finding the connection. So it may actually not necessarily be hard coded or easy to identify that a certain calculation results in an IP number or something.

Yeah, I mean, at the end, but in the end, the point for delivering control has to be, I mean, no matter how much you encrypt it, at the end it's got to be decrypted, no matter what, so there is an exit point and an entry point. And that software has to speak to an exit point at some point and that's the nature of it. You can make it more difficult, so on and so forth. It's not to say, though, that a vanload of cyber criminals rolled into Canada. I mean, this is the bit that I found very hard to get my head around, that trying to make this localisation of the problem. And the internet isn't like that. It doesn't work that way. And I think Websense did a very strange job as well, because they picked on Canada, but they failed to say that America is still the number one host of phishing data. Canada is number two. Maybe there isn't such a surprise that if the biggest country in the world producing this stuff is your next-door neighbour, maybe there is going to be a natural spill. I don't think that it's, yeah, I was very dubious about it on the show, I have to be honest with you.

I mean, they talk a little bit. I mean, there's like, they have different numbers in their statistics. And I'm gonna post the link in the show notes. So Canada is number two now for phishing sites, and it moved from 13 to 6 for the botnets, I think. Well, there are two reasons.
One reason they talk about why the US is leading, and that it's just because a lot of the servers are in the US. I mean, it's like, really, you have a huge infrastructure there, so that also means high numbers for everything. And then they talk about two botnets that were taken down in the US, and that's why maybe the people moved to Canada, because law enforcement is cracking down on botnets more in the US currently.

It's just a transient issue. If you squeeze one end, it's gonna pop up at the other end. I mean, at the end of the day, I suppose the relieving point is, if they're saying that this is due to the Rustock and Coreflood botnets being taken down, what they're ultimately trying to say with this sort of argument is that there actually hasn't been an increase in any cybercrime whatsoever, it's just been moved. So there aren't more cybercriminals, you know, just the problem is, and you know, you can only do crackdowns for a certain amount of time as well. I don't think, I think, I wouldn't be surprised if we saw this sort of number drop and move about. Maybe it's just a good, maybe what we're really going to start seeing now is a transient cybercrime bubble just popping about and moving to different countries and so on and so forth. I don't know if this is going to be like a permanent problem for Canada, 100% sure on that.

Well, it's a problem that's not going to go away. I mean, you're not saying that the number is going to drop overall. It's just the ranking maybe changes again.

Yeah, there's no doubt that the issue needs to be looked at. I mean, at the end of the day, if you've got cybercriminals using your infrastructure, at some point there is always going to be a problem and it is up to governments to regulate that sort of issue. So yeah, and the Canadian government are going to have to look at what they can do to make sure that they come out of that situation and what appropriate actions a government can take at their level.
Because yeah, if it's easy to commit cybercrime in Canada, you'll not be surprised if you have cybercriminals move in. I suppose that's almost like common sense.

Yeah, that's something I read in like the comments by different people, the articles that I looked at, that like the Canadian government really isn't doing much or doesn't have good structures in place to actually deal with cybercriminals.

And that's not particularly unusual. I used to do it. I was involved in the Ethical Hacking degree and we, at the beginning, we did a lot of learning about how laws take a long time to catch up with what's happening, technologically related, a massive time. And you know, there were times where cybercrime in the UK wasn't very well regulated, and times in America. It's a very interesting book, I was recommended it by a friend of mine, called The Cuckoo's Egg by Clifford Stoll. It's an awesome book. It's a true story. And they had, they basically had hackers, this is years and years ago, maybe it was in the 70s or something like this, had hackers breaking into systems. But the American, like into MILNET, none of this sort of stuff. I mean, they had some serious intrusion going on, but they didn't have the laws to actually get the FBI involved. The FBI couldn't get involved unless it was a million dollars in crime. And so the problem with laws, the thing is that they don't, it's easy to write a patch, but it's not so easy to write a law, and you have to get it through courts and votes and so on and so forth. So yeah, it's an ever-changing step. It's a tough problem. I wouldn't want to be a government trying to fix what's legal and not legal.

Yeah, it's certainly cyberspace.

Yeah, cyberspace, because it's global and it's really hard to deal with it on a country-by-country level.

Packets don't know borders, that's the long story short. They don't care if they were sent from Canada or they don't care if they were received in America.
But unfortunately, those states have to have some level of control. Not much you can do about that, I suppose.

Another question that came to my mind is like, I mean, you have the command and control servers and then you have the zombie computers, right, that they can contact.

Yeah.

How can you find out if your computer is a zombie?

Numerous ways. But it's all, you all have to, it's kind of like a per-situation basis, I suppose. I suppose we need to understand, as if you've been compromised, exactly what a compromise is. It's probably easier to look at it that way. Changing performance, instability of your system, because obviously bad guys don't care if they break APIs in your system or libraries or any of that sort of thing. They don't care. Also strange network activity, definitely a big giveaway that something's going on. So, yeah, I mean firewalls, firewalls are good at picking this stuff up. If you're running semi-decent firewall stuff, it's good. Linux, obviously, in a lot of ways is, in my opinion, a little bit ahead of the game on that, but I also think that Windows have their own firewall that they, I mean, I don't use Windows systems anymore and haven't done for years, but the last time I knew they had a firewall in XP and that seems to have been pretty good from most of the research I did at the time. So these things will help. At the end of the day, if your zombie can't communicate with its command and control, then it's still a zombie, but it's not an active player anymore. But yeah, there's a big, they're interesting. I mean, it's something that we talk about. Obviously, when I speak to people not involved in hacking, or I'm the first hacker that they've met, the conversations ultimately always start off with, you know, how can hacking be ethical, blah, blah, blah, blah, blah. But eventually, what happens is people start saying, well, I've got nothing to hide, so no one's going to hack me.
You know, there's this, I'm only a small fish, there's plenty of other fish in the sea, so I'm not, you know, I'm not a target. I've got nothing for them to target. And it's this point that I always come back to. It's these zombie machines. And you can inadvertently be involved in cybercrime. Russian, the Russian mafia have been reported to have used botnets to take down gambling websites during live matches. So they would say, basically an extortion racket: you will pay us 25,000 pounds during the Arsenal-Chelsea soccer match, or we will DDoS your site during that match. And if you don't believe us, we'll take your site off now, and they knock the site off. And then the gambling companies don't have two choices, really. They either pay or they don't pay. And obviously, if your business is taking online bets during sporting events, you being off during a major sporting event is a massive issue. But yeah, I mean, that's an example of you being used purely as a resource. People don't understand that. We just tend to think that as a target, as a target, a bad guy is interested in your data. It's not always the case. Sometimes a bad guy is interested in your resources, such as your bandwidth, such as your machine, so on and so on.

So gambling sites, that's an interesting one, because I mean, there is a lot of money involved, so you can really also probably get a lot of money.

The only reason we know about it is, one of the gambling sites refused to pay and got knocked off. We don't know how many actually paid prior to that. So it could have been the first one, it could have just got caught, or, you know, it could be one in many. That's for sure. There is a, I certainly know of companies and organizations in the UK that have paid money, extortion money for data, not to be. Yeah, I know of a university in London that paid three times before they called in the police.

Wow.

So yeah, we don't really like these. Yeah, it's only one that we know about.
So it's either widespread or not. But yeah, it's an example of, it's an example of using the situation, and they don't just target gambling sites. I mean, at the end of the day, you could inadvertently, by being a part of a botnet, be involved in lots of different stuff. Anonymous, a prime example, interesting case, Anonymous people willingly infect themselves into the botnet, that certainly would take away any of your protection, certainly under any UK law, that's certainly, you wouldn't have any protection under law in that situation. And I would be surprised, under many, many, well, many countries, that you would be protected under law.

As far as I know, you don't have protection in the US either. I mean, that's what I heard on other podcasts that I'm listening to.

The, I think the long story short is, most laws are based on intent anyway. The intent to commit a crime is the criminal act itself. So, you know, knowingly using yourself as a tool to knock over PayPal or Amazon, you know, you knew what you were doing. There's no, it doesn't matter if you were a small cog in a big machine, at the end of the day your intent was to cause damage. So, you know, if you're lost in support of those arguments, you know, as we would say in the UK, you're bang to rights.

Yeah. There is also the other side of the story. I mean, it's an amazing kind of, you know, invention to actually have computers control other computers and have them do a lot of things. I think the most extreme botnet that I remember was the Estonia attack, where they actually took down a whole country.

There's a lot of cases about this. Bruce Schneier is, he's on a little bit of a rant about this stuff recently. And I have to agree with him. The problem with cyber warfare in this kind of context is that you should never really use the term, you should never really use the term war, unless it does refer to, you know, bombs and bullets and death. Because it desensitizes people.
There is no, you know, nothing's happening now. So, nothing happened to Estonia that hasn't happened before. There was nothing new in what happened here. You know, it just had a name, that's all that happened. At the end of the day, if you talk about this in a warfare context, right, the reality of what happened in Estonia was an invading army invaded the country and filled up all the queues in the supermarket. That's the equivalent of what they did. You know, they turned off some services. Yes, it was a pain in the bum, but no one, you know, they occupied services, that's all they did. And it's not really, you know, what we should be starting to see, and we have been starting to see, is more cyber components being deployed during warfare. But yeah, the term, the Estonia thing is, you know, it was done for no other reason than to annoy Estonia. You know, let's be, let's be perfectly honest, it was designed to be the ultimate nagua. But yet we see, I mean, you don't want to talk about like cyber warfare, we see cyber weapons. That's what we're seeing. We see this with, you know, I mean, alleged blah, blah, blah, blah, blah, blah. But let's be honest about this. This software attacked not only a specific nuclear reactor, a specific nuclear refinement facility, but a specific reactor within the facility, right? So that code was very specifically written for a target. No two ways about it, had an auto kill switch, all of these sorts of stuff. You know, so I'm going to make my opinion that that's cyber, you know, that's the cyber weapon. And what we need to start talking about in terms of war, because this is a problem when you say things like cyber war, is that an act of war? You know, is that cyber attack an act of war? You know, that was a cyber weapon that went off, you know, and unless we drop the cyber warfare malarkey and start talking about it in the context of what it is.
And stop with this, this media hype about it all, and start being a little bit more realistic about it. We're going to get into crazy situations based on DoSes. I mean, we've seen, we've seen cyber components being used in warfare for quite a while, I believe from the beginning of Gulf War one. We hacked into the Iraqis' air defenses and shut them off, you know, cyber weapons in warfare. The allied forces, I believe, I'm not sure if it's British or not, I'm not sure which ones did it, but yeah, they switched the radar off and then bombed. It's not unusual. But we didn't call that cyber warfare, we called that war. So yeah, that's my issue, and I don't mean to go into a big rant about it.

And I think, I mean, it is really too bad that the terminology kind of distracts from what is actually going on and happening and, you know, blurring the actual discussion about the technology and the potential. But I mean, these incidents are wake-up calls and make us realize that there are vulnerabilities out there that are new because of our networked world. That's kind of what I see.

The prime example is this internet kill switch. Well, I mean, it's an echo of Bruce Schneier again on this one. But if you make a button that could turn off your internet, as a bad guy, that's pretty much the button I want to press. And now I have a target. So, you know, it's making a nuclear bomb because someone's got a nuclear bomb. You know, it blows my mind how it even gets discussed. I mean, I have a friend who would say that it's that wrong, it's not even wrong anymore. You know, and that's almost the meaning that, you know, it couldn't be wrong if you tried. It's that far away from even sensible. God knows how they would even think about doing, gang impl... Well, I've got ideas about how they could implement something like that. But would you want to, is such a different question. And in fairness as well, I mean, say America shut off, shut off for 24 hours.
You know, what's the impact on the rest of the internet? Does the internet carry on? Does it stop? Do we inadvertently lose all our services because America's pressed a button? It's worrying times. No doubt about it.

I kind of think that the internet is still going to survive even without the US. But the question is, like, how many services actually come from that country that we depend on and that don't, you know, have redundancy outside that would survive?

Yeah, the, the interest that we see, well, you know, if they make a kill switch, they might soon find out.

You think somebody will be tempted to find out.

Oh, God, it'd be the holy grail, wouldn't it? I mean, really. It's like the world's biggest target.

Yeah.

You know, it's not going to get a bigger target than "I turned off America's internet".

Yeah.

You know, it's the ultimate DoS.

Yeah, I never really thought about it that way, but it's intriguing. Okay, well, that was much, much longer, or much longer answers to my questions that I have regarding this botnet thing in Canada.

You just tell me to shut up when I ramble on.

No, I think it was very interesting because, I mean, we're taking a risk here. We're having a discussion without actually knowing each other and it works quite well. But there was another topic that you mentioned, which is something you talked about at meetings, which is tunneling over, what was it, tunneling over DNS? DNS inquiries?

Yeah. I've recently been talking a couple of times about it. It's not a, it's not a new thing, but I've been talking about how it's possible to wrap up your communications into DNS inquiries and send them, and transfer them over DNS inquiries. So basically wrapping your IP traffic in DNS inquiries. And it wouldn't surprise people to know that there aren't many legitimate reasons why you'd be doing this. But the reason for it is that it's a very effective means of bypassing captive portals or some firewalls as well. It's very handy at doing that.
And the reality of it is.

Can you just explain DNS inquiries? Like, what is actually the information that is being sent in DNS queries?

What happens in DNS is, DNS is the system that we use so that we have domain names that are memorable. Otherwise, we'd have to remember number ranges, and people are notoriously bad at remembering those. So DNS is the system that we use to cover that, Domain Name Service or System or something like that. And the idea is that there are, I think, 16 or maybe 13 root DNS servers. And what they handle is the .coms, the .orgs and so on and so forth. And then the domain name part, which is like finux.co.uk. My ISP would handle the resolution between getting the finux bit and translating that to a number that refers to a system somewhere on the internet. So what happens in a DNS inquiry is pretty much, at one end you have a request that goes out and says, I'm looking for finux.co.uk. And the system goes, okay, that ends in a .co.uk, that root domain server holds that, will hold the information for that. Hi, where is finux? Okay, finux is held by this domain name server, and this is its IP address. And that's pretty much how it should work. I've got some notes on it somewhere on the site and stuff like that, but I'll send you some stuff and you maybe stick it with me on the HPR site, where there's a better job of explaining DNS stuff. But basically DNS requests in the end are your computer's way of asking the domain name server where a resource on the internet is.

So and then you can use this for tunneling?

Yes, well, this is the interesting thing. I'm sure, well, I'm going to talk about a captive portal, and it might be easier if I just mention what a captive portal is. I'm sure we've seen these wireless networks that you can sign up to, you get on, it's an open wireless network, but you need to register to use the web.
And what they tend to do, how they tend to work is they tend to intercept HTTP requests. And until you pay for your service, it will intercept all those HTTP requests. However, it would seem, and has done for a long, long time, they do allow unfettered DNS requests. So what you, what I've been able to do, and I'm not the only one in the world that's done it, and I'm only copying other people's work really, is I've been able to wrap up my HTTP traffic, which would be intercepted on these captive portals. And I've been able to wrap it up into DNS requests that aren't being intercepted by the captive portal. So I'm able to get point-to-point communication working over, but basically without them being able to, they can't see it, it's not being intercepted by them at all.

So I think the trick is to not use the HTTP protocol so that the other server cannot identify you as somebody who should pay.

Yeah, well, it doesn't, it doesn't see you. I mean, you're allowed to, you're working within the rules of that particular system, you're not exploiting anything per se. But what happens is, in this case, so I was able to establish quite easily, was able to establish an SSH session over a captive portal, and I was able to establish a nice SSH session out of the captive portal to another machine and tunnel my traffic and everything like that as well. And what is interesting here is another vector. When I've talked about this before, and I talk about vectors, I'm really talking about uses. I mean, I'm supposed to be a bad guy for the good guys, ultimately, I'm supposed to be, so I'm supposed to think about how these things are attacked. And what's really handy is that as a bad guy, it's a very, very handy tool. It's easy to say, oh, we get free internet out of it. But the reality of it is that I can tunnel data out of your network over your DNS servers.
Now, you, if you're not watching for that, you may have a very tight data lockup kind of policy, but I can bit by bit steal data out of your network over your DNS inquiries. Or I can tunnel, the great thing with DNS, DNS is very good at NAT traversing. It's a reusable address. So we can use it to establish illicit communications with a target. So we tunnel our attack code over DNS, and that circumvents problems with NAT and it's quite hard for it to be picked up as well. So yeah, I mean, there are a lot of interesting uses for it. But this came about in, God, this is not unknown. A bunch of German hackers, I think, in 1998, used it to call into Microsoft's update service, and then they would tunnel their traffic. Because it was a toll-free number at the time, like just dial-up sort of days, but you know, they were able to call into Microsoft's update service, and then tunnel their IP traffic over DNS inquiries and get an internet connection, basically, through a toll-free number, which was Microsoft's update server. And that was the beginning part of that. And then a very famous researcher called Dan Kaminsky released some tools, which my talk was based on slightly, called OzymanDNS, which is really a set of Perl scripts that enable you to set up this sort of setup. It's quite easy, actually, to be honest, but you need a machine on the internet. That's the long story short. I mean, you need something to tunnel to.

Well, I feel like I have to go through my networking book again to actually understand how and which protocol you're really kind of exploiting here.

What you're ultimately doing is you're wrapping, this is quite a bit to get your head around as well, you're wrapping TCP/IP packets up in UDP.

Okay, so you move them down.

Yeah, oh, there's a whole, there's a whole lot of stuff that needs to be worked out. You're exploiting, what you're really doing is you're exploiting how it works, is you can encode traffic in DNS requests.
You get lots of different DNS sorts of requests. So you can get a DNS request for a TXT file, which holds resources in. So what we're able to do is encode traffic into base64 and base32, sorry, and then re-encode it at the other end and then respond back to the request. So what's really happening, what you're really doing is sending structured DNS requests, because you can get up to the length of a DNS request, theoretically you can get up to 255 bytes. So in one DNS request, we can send an amount of bytes that's dependable, but no more than 255, but probably a little bit less. And then the fake domain name server on the internet can respond back with a TXT file that has the appropriate response for our traffic. And that way we're able to send data from point to point.

So you're exploiting the implementation of DNS more than anything else. Yeah, I mean, because also HTTP requests, they kind of are in the end broken down into packets that get sent out and reassembled.

Yeah, I mean, the problem of UDP, the problem, the problem you have to overcome in reality is using UDP for something that it is completely incapable of doing. The problem of UDP is it has no error checking. You drop a packet, you drop a packet. However, in a TCP/IP cell, that's not good for you, that's bad. So there is, as a protocol hacker, but that's why I kind of really love that sort of stuff, because it's really insane to think that you've basically put a square peg in a round hole and made it work.

So two more questions. I mean, so if packets get dropped, do you just ignore them or can you identify that they were dropped?

Yeah, it re-requests them. Yeah, there's a couple of tools out there that make this easy. OzymanDNS is one of them, without doubt, probably the better one of the tools. And that is actually available on my site as well. I can't remember the location, I think, but I'll send it to you.

Yeah.
And there are a few other tools, one called NSTX, which is what the German hackers developed. And what this does is, it's a Linux tool, I think, I don't think you can get it for Windows, I could be wrong, though. And I don't think you can get it for Mac, but I think it's a Linux tool, and you're able to set up like a virtual network device on your machine, and you have like a fake domain name server on the internet, and you can set up a virtual device on that machine as well. And you can set up a VPN, and it works that way. And that one's quite good, there's quite a lot of protection built into it and stuff like that. I've been talking about it for a while, so you know, I've got some slides and stuff like that, they'll be coming out in the next couple of weeks, going over all this stuff. I spoke about it at BSides London, and I'll wait to speak about it again in London at the beginning of June.

So the other question, you mentioned TXT files, so that's text files, is there then, I mean, how much data can you actually transport this way?

255 bytes.

At once, yeah, but in total.

Any, yeah, no, no limit to it. If you talk about countermeasures to this sort of attack, if you're, there's countermeasures to the countermeasures, and it's one of these strange games of cat and mouse, but the reality of it is there's certain things that you can do. There isn't really a huge amount of legitimate reason for browsing requests, and then sort of, it really, mail uses TXT quite a lot, you know, you shouldn't really need that. Captive portals-wise, you need to change DNS servers when you're, you know, you shouldn't allow recursive DNS lookups. This is how it ultimately works. So you're able to, what happens? There's, say we have evilserver.finux.co.uk.
We do a DNS request to that, and what happens is we use a file setup, a DNS server setup that would say, for requests for this domain name, look at this domain name server for it, and that's kind of like a recursive lookup, and that's in part where the hack works, because of this recursive movement. It's very hard to explain over a podcast, I do try and explain it in my slides, but the true hack in the implementation is two things really: it's this recursive lookup, because your DNS server can't use the legitimate peer person, captive portal or firewall, and so on and so forth. You're only seeing the resource to evil.finix.co.uk, but what happens when that lookup happens is when it gets to that domain server, that's the bit where it points to a different fake domain server, that's encoding and decoding base64 and 34 encoded DNS requests. But you can't say block, if you get a million requests for a domain, block it, you just can't do that, because imagine if you are a university that has a captive portal that requires your students to sign into the wireless network via their credentials, a lot of universities have a similar setup, and you'd be able to tunnel out of that. So, but the problem there is that you can't say, oh well, if you get a million requests to Finix, block Finix, because how many million requests do they get to Google? I mean, you know, the problem is that you can't do, there's only certain things you can and can't do. I mean, you're only using functionality. That's the interesting problem. You know, you're doing what the protocol in some ways was designed to do, you know, the TXT records, you know, it's 255 bytes a day, that's exactly what you're doing, that's exactly what it was designed to do. There are problems, but yeah, if you start to see a huge bandwidth go up on your port 53, yeah, might be time to start looking.
Certainly, there's no two ways about it, you shouldn't see that much bandwidth or that much traffic, you know, really a DNS request isn't a huge amount of data, it shouldn't be, you know, it's a lightweight protocol. I can't remember what port 53 is standing for. Oh, that's DNS, sorry. That's DNS. Okay, that's how the circle kind of closes. Yeah, this is really interesting because it's kind of just exploiting the way things work and I mean, it's a typical hack because you're taking what's there and making use of it. Yeah, absolutely. All of the best hacks are implementation hacks. You know, if you look, if the protocol, the problem is when you write something, DNS is an example of this, but this was written years and years ago. So we've had a lot of time to go over it and find weaknesses and lots and lots and lots of years of doing that and this is always the game that people play, you know, and you get that. I mean, this protocol hacking is really interesting. Okay, well, I'm looking forward to actually seeing your slides because it is hard to imagine the whole thing without the graphic explanation. I had to do this talk at BSides London in 30 minutes from beginning to end. Now, it was recorded, but I don't know when it's going to be made available. But I have the slides and I'd like to say, I'm giving it again, but yeah, after that, the slides will be up. I think the slides may be available on the BSides London website, maybe Google and see. I'll find out. Yeah, if I can find them, we should put a link in the show notes. Have I scared you with all the DNS tunnelling talk? No, you're kind of... I'm curious now. And, you know, these are the kind of podcasts that I really like at HPR, when I get information about something that I've never really thought about and then can actually follow up. And, you know, maybe get more information, get to understand it better or just... It's thought-provoking in a lot of ways. That's what I like.
But I am a little overwhelmed at this point, I have to admit. So, you know, being able to look at your slides will be good. Oh, you sent me the link. That's great. Yeah, I just found the link. Okay, so we'll put that in. If you have any more questions, if I have more questions, we have to do another show because I think this one is already getting pretty long. I mean, much longer than I expected it would be. And maybe we should also mention that in your Finox Tech Weekly, you actually talk about BSides London. So, if people are interested in hearing more about it, they can probably just try to find your podcast, right? Yeah, you can... We... We... Allegedly, we do a weekly podcast, but it's not been like that for a while, but yeah, you can find us at dot, dot, dot, dot, phoenix.co.uk. And, yeah, we've... We've passed a couple of episodes that have been BSides sort of related, which is a really... It's really been quite fun to be involved in all of that sort of stuff, so it's been a bit of a lot of fun. It was very nice to speak with you. Yeah. Like we could do it again someday. Yes, this was very nice. I'm glad that I was able to pick your brain about the botnets, which helped a lot. Yeah, trust it. Thanks for jumping in. Thanks for offering to record a show for HPR. No, thank you for wanting to do it. I've really enjoyed it, actually. It's been... It's been fun. Okay, I think we have to say goodbye to our audience, and thanks for listening. Yeah, thanks very much, and folks, don't forget, you could be making shows as well, so do take the opportunity to get on calls and talk to people and record things, and, you know, it's a community podcast, and Ken needs the shows, so, honestly, folks, stand up and be kind and get yourself recording a show. And co-cruncher, you have a good day, okay? Thanks, you too, Phoenix. Bye. Thank you for listening to Hacker Public Radio. HPR is sponsored by caro.net, so head on over to C-A-R-O dot N-E-T for all of your hosting needs.