Detection of communication over DNSSEC covert channels

Author

Nicole M. Hands, Purdue University

Date of Award

8-2016

Degree Type

Thesis

Degree Name

Master of Science (MS)

Department

Computer and Information Technology

First Advisor

Baijan Yang

Committee Chair

Baijan Yang

Committee Member 1

Marcus K. Rogers

Committee Member 2

Dongyan Xu

Abstract

Unauthorized data removal and modification from information systems represents a major and formidable threat in modern computing. Security researchers are engaged in a constant and escalating battle with the writers of malware and other methods of network intrusion to detect and mitigate this threat. Advanced malware behaviors include encryption of communications between the server and infected client machines as well as various strategies for resilience and obfuscation of infrastructure. These techniques evolve to use any and all available mechanisms. As the Internet has grown, DNS has been expanded and has been given security updates. This study analyzed the potential uses of DNSSEC as a covert channel by malware writers and operators. The study found that changing information regarding the Start of Authority (SOA) and resigning the zone can create a covert channel. The study provided a proof of concept for this previously undocumented covert channel that uses DNSSEC.

Recommended Citation

Hands, Nicole M., "Detection of communication over DNSSEC covert channels" (2016). Open Access Theses. 949.
https://docs.lib.purdue.edu/open_access_theses/949