Testing. All right everyone, welcome to Black Ops of DNS. Now usually we start our talks with a nice slide that says absolutely nothing; instead I seem to be showing you some kind of screen saver. Let me tell you guys a little story. I don't know how much you guys know about me. I wrote a really fast network scanner called scanrand a while ago, and in the process of doing DNS research, well, I kind of adapted it to do DNS scanning, and I scanned the entire 64.* range. Every single dot there is a DNS server, plotted in XYZ space according to the last three bytes in 64.*. Long story short, there are about a hundred and forty thousand DNS servers on one single chunk of the internet alone. Maybe we should look into the security aspects of this; so that's what we're talking about today.

By the way, I want to thank all of you. You all waited in an incredibly long line; I can't believe how long that thing got. Thank you everyone. And as it goes every year, first of all, I want questions. I really want good questions, so if you've got a good question I'll give you a beer. Give me one second, I have to plug my laptop in, and we'll begin. This little shandy, I'll be careful. All right, I can't, he's right, you're under 21, I can't give you beer here. All right. And anyway guys, don't give Priest too much hell; he actually had a really good reason to be giving a speech, and he's right. At the end of the day I agree with the sentiment.

So let's begin the tech stuff. First of all, who am I? I'm a geek. Why are we going to be looking into this today? Well, DNS is globally deployed. The stuff is everywhere. You use DNS every time you access the internet. If you run a server of any sort, you probably have some kind of server-level involvement in the protocol. It solves a deceptively simple problem: the internet, like the telephone system, does not work on names. When you call your friend, you don't go to your phone and say, you know, "Bob Dobbs please." No, you put in a number, and it's the
same way on the Internet. You'll put in www.defcon.org; well, you may do that, but the computer has no idea what to do with that. It has to look up a number, and via DNS it goes from defcon.org to 1.2.3.4, whatever the internet address happens to be. It is a very old protocol; we're talking early to mid 80s. It is the second oldest of what I call uncontested... hell yeah. You know, when you've been handed a random drink by Humperdink, all logic says do not drink it. Screw logic. All right, so you look at that. We don't do that again; wait till after. So we don't do telnet anymore, we do SSH. We don't do that much FTP anymore; a lot of people do HTTP. But really, you know, DNS solved this problem 20 years ago and there's not anything else that comes close. SMTP is still being used and we're really suffering for it, hello spammers. But DNS is really just it: it's good, it's there.

I got interested in DNS really especially when Blaster happened. Blaster's one of the three worms of the summer of worms last year: Blaster, Nachi, Sobig. And Blaster went ahead and looked up windowsupdate.com. The wrong name, guys, it's windowsupdate.microsoft.com; how did you forget Microsoft? They're kind of a big company. But it made a query to windowsupdate.com before going ahead to launch a flood against this site. Funny little thing: everyone was running scanners to try to find their infected Blaster hosts; meanwhile the Blaster hosts, every last one of them, were making a query for windowsupdate.com. I go ahead, put out a single one-liner Perl command over SSH that would parse out all the infected hosts. People are looking at me like, what, you can find worms with DNS? That's when I got the idea: maybe we should really start experimenting with this.

So we have now a new toolkit for DNS experimentation. It's called OzymanDNS. It was released at the Black Hat Briefings a few days ago, and it's pretty cool. We've got a couple of tools. nomde, as in nom de guerre, is our experimental DNS test platform. It is a dynamic
DNS server, very accessible, very easy to code for. If you can write maybe 10 lines of code in Perl, you can actually return arbitrary results on a DNS query. It's beautiful, and the joy goes to Perl for having an amazing DNS library. There's a library good enough, I learned the freaking language; that doesn't happen. What some of you may have heard about: droute. Yes, we have SSH over DNS. If you can DNS out of a network, you can get arbitrary network connectivity. We have file and stream receivers and senders. Ask a stupid question, get a stupid answer. And we have glance, which is a freshness check over DNS; I'll tell you more about that in a bit.

So what are the useful traits of DNS that are interesting from a security perspective? Well, first of all, DNS is hierarchical. The example I should use to explain this is to say, let's say you could dial 411, and instead of just saying "give me the number of this company" you could say "give me the extension of this person at the company," and they would go forward, go out and find this person's extension and tell you, "oh yeah, Bob's extension is 4391, would you like us to connect you?" The phone system is very centralized; there are really only a few Bell system Bells out there, and they store all their data internally. DNS is a very distributed architecture. We go to .com; it tells you how to get to doxpara.com. You go to doxpara.com; it tells you how to find foo.doxpara.com, and so on. It is a hierarchical process that gets you closer and closer. It routes you through hops, much like the internet routes you through hops. That's kind of interesting.

There are two kinds of lookups: recursive versus iterative lookup. In a recursive lookup, you know, you basically go to some sort of a... so it's actually a complicated process to go through this entire hierarchy, to follow .com to doxpara.com to foo.doxpara.com and so on. This process has been offloaded to specialized servers, so-called name servers. You go to them,
you say "here's the answer I'm looking for," it does a whole bunch of work in the background, and it comes back to you with an answer. That means it's a proxy server: you ask it something, it goes out on the internet and does a bunch of work for you. Interesting. So now we can tell other machines to do lookups for us. And also these other machines, they cache. So in other words I go to, you know, like the 411; let's say 411 did the whole extension-finding and found out that Bob was at extension 4931. The next time someone called 411 for 4931, they'd say "oh, I remember that, I don't need to call the company again, he's at 4931." Same with the DNS: there's a caching of results. It's much like HTTP proxy servers like Squid will store results, so if you ask for it, instead of going out on the internet, it already knows the answer and it provides it. These are some interesting traits for our globally deployed DNS system. Maybe we can use them.

Now the primary research areas for... wait, no, so check this out. The primary research areas for DNS: '99 and 2000 was basically not a good year for BIND. Now Paul Vixie has kind of removed that from his memory; it was filled with exploits against the world's most common DNS server. It was a very bad time. Luckily most of the bugs have been fixed; I'm sure some of you know bugs that have not been resolved, but for the most part the DNS is okay. The second class of attack involves DNS spoofing; that's where false addresses are returned for addresses. A lot of work has gone into preventing the ability to spoof a DNS address; that's not so much of a problem anymore. It used to be a lot more. There are still some definite threats, but that's not what I'm looking into. I'm looking into DNS tunneling.

Now there's been some interesting work lately in terms of DNS as well. Lately we have BitTorrent seeds. How many people in this room have used BitTorrent? Very cool. Good friend Bram wrote BitTorrent; guys, awesome. So BitTorrent depends on a little bit of data to seed you
on your goal towards getting your files. People have been talking about putting those seeds in DNS. As a retarded little example, people have done a math service: you'd look up 2+2 for address.com, receive an IP of 4. But this violates the RFC because you're not allowed to have a plus in DNS. So I'm not the first person to put odd things in DNS, I do not claim to be, but I'm doing some interesting stuff anyway.

How is the arbitrary data put in DNS? Now most people think, well, you know, all this thing returns is a couple of IP addresses; how much storage capacity can there be? An IP address is 4 bytes long. Well, first of all, you don't just need to host DNS addresses; you can host what are called TXT records. TXT records are unstructured fields of data. You can actually get a decent amount of content into them and shove them into a packet. They're most commonly used in what are called SPF records, which are used to validate the source addresses for spam. Instead of that I'm kind of putting arbitrary data in what's called base64 format, and it looks like what you see up there, where it's just a large string of standard English characters. You can get about 220 bytes of arbitrary data per TXT record.

Now sometimes you may not want to move TXT records; sometimes you just don't have those available. What you can actually do is, in a query, in a lookup, in the name, in the address that you look up, you can throw data. So when you look up foo.com, bar.com or so on, you can append a huge batch of arbitrary data in the lookup itself: up to 63 characters between each dot and up to 256 characters total through this method. And by the way, we can't use base64 because there are 63, not 64, 63 legal characters in a DNS name, so there's actually something called base32 which takes all arbitrary data and shoves it into five-bit text, so you get A through Z and a couple of the numbers, and through that we get about 110 bytes per packet.

Now DNS tunneling: who's doing it? Well, now nstx is
the most popular system for tunneling arbitrary data over DNS. It takes IP packets, standard things that you move over the internet, and it encapsulates them in DNS queries. Now the problem with nstx is that it really only works under Linux, and hey, that's true, but you know, sometimes you run another operating system every once in a while, OS X say, perhaps. See, see how I got that to be cool again? So beyond that, there are serious rumors, it's true, that various botnets and malware are using DNS as a covert channel in order to get the control channel for their worms. So this is happening, and at the same time it's happening, nobody's monitoring their DNS traffic. Nobody had any idea that even worms were going on over DNS; I mean, worms were doing lookups over DNS. So this here is an attempt to try to raise the lights on a real problem.

Let's start simple. nstx requires kernel cooperation, and we don't want to have that, so let's make something that doesn't require the kernel but still allows remote networking. Now what is remote networking? Like VPNs: I'm on this network but I want to be over there. I'm at the Starbucks network, I want to be on the internet, you know, stuff like that. So a little project I was involved in, it's called SSH, you might have heard of it, and SSH has a function that I wrote called dynamic forwarding. Dynamic forwarding is basically a poor man's VPN. And where's my ethernet jack? Could someone come up and give me an ethernet cable? Yeah, just set it up, okay. SSH dynamic forwarding is interesting because you can basically route arbitrary TCP applications over any host you can SSH into. So you want to look up websites, you go over SSH; you want to use your messenger, you go over SSH. Your firewall is against websites and instant messenger? No problem, because you're going out over SSH. And with the latest hack, you're now going out over SSH over DNS.

Problem: DNS is not TCP, and SSH depends on TCP. TCP moves by streams: you know, there's some arbitrary data, go send it. DNS moves
records, and individual records are in blocks of data. TCP lets either side speak first. DNS is client-server: the client has to look up, and then, you know, the server can respond; if the client doesn't look up, there's no response. And TCP is 8-bit clean, you can move any byte you want, whereas DNS, you know, you can only send this character, you don't send that character. You know, it's almost like I've heard this story before. I shall call it HTTP all over again: XML-RPC and SOAP and all these other protocols are taking really complex stuff and shoving it into the HTTP channel because, well, no one's firewalling that. Same junk, just like the HTTP tunnel: we're going to go ahead and we're going to move data over something that really wasn't intended for it. Now I have to point out there's a significant difference between DNS and HTTP. In HTTP you can have an arbitrarily sized response to a request; in DNS you can't. There's really a 576 byte limit unless you use the UDP size option, but I'm not supporting that yet.

So with that restriction we can still do interesting things with a tool I've written called DRoute, which is a DNS stream router. Now let me give you a little bit of an example of how it works, and then I'll see if I have enough net to show it to you, because live demos are always fun. Upstream, first of all: upstream and downstream have completely different semantics. Upstream has limited bandwidth. You'll notice on your ADSL links at home it's very slow up but very fast down, because in most protocols in common use you're downloading a lot more than you're uploading. Conveniently, DNS gives us a much slower upstream than downstream. We basically have the name that is available to look up; we put 110 bytes in, as I showed you earlier, with a dot in between every 63 characters. Downstream-level bandwidth: we can use that 220 byte method I talked about, but we have to poll for new content. There are TXT lookups and they return base64 data. We have a byte offset that describes how far into
the download stream we want to be if we poll. Now, I don't want to continually be flooding a remote nomde server to grab my data, so this is how I do it. I'm always polling; if I don't get any data back, I wait three times longer before I try again, up to some maximum sleep time. So as soon as I have data, I speed up, because there was probably going to be more, but if there's no data for me to download, I back off. It's a simple protocol, but it actually works pretty well for not making too much noise when there's no data to download. Now my present implementation is single-threaded and only one packet can be outstanding at a given time, but this is temporary, and once it's fixed this will be a lot faster.

Now let's do something really stupid and try to actually give you guys a demo that's mildly readable, but not greatly. Sorry, we have no net. Wrong one. No, I mean it's not live on my side. Nice. No, I don't have link on my side. All right, I'm gonna continue my talk, and as soon as this thing maybe works I'll give you guys a live demo. So yes, you know, we can do SSH over DNS. It does the same thing ultimately that nstx does, so yay. All right, we can do lookups, wonderful.

This is a little bit more interesting, something new, something that's never been done before. Yes, yes, we can. Check this out. So you go to a DNS server and you ask it to... like I said, it's as if every web server was also a web proxy. Every DNS server, or most DNS servers out there, will do recursive lookups on your behalf. Now the basic trick is, obviously, you're at a hotel network that wants to charge you, you're at a Starbucks that wants to charge you: you just go out through the DNS requests, because they'll actually feed you DNS data before they actually hijack your outgoing HTTP. Instead you just donate to me now. But check this out, wait, maybe I might be able to give you this demo. One, two, three, four. Bing, cake, oh, so DNS on this, you don't say. Okay, this one fails. Do I have no DHCP on this thing?
Yes, we have... we may have net. No, I don't... look at my top interface, I'm not getting any DNS out. So I actually need to... I have link but no DNS. What's this plugged into, the same thing? Well, hang on, I'm gonna try this one last thing. Just come up here, look at what you need. I'm gonna continue my talk.

All right, let's check this out, guys. DNS trusts the hierarchy to tell it where to route next. Now like I told you, .com takes you to doxpara.com; doxpara.com says "no, no, I don't got the answer, go here, it'll tell you where all the answers are for all of doxpara.com," and so on. You can do something very interesting with this, and it's called source routing. Because I go ahead and I communicate with a recursive server, a server that's doing lookups for me, and I tell it to look up an address that I control. And when it comes to me trying to resolve this address, I tell it "no, no, no, no, no, no, I don't have the address, but you know who does? 10.1.1.1." It's an address in your network, and it goes out the other interface on the DNS server. So this is very new. DNS comes from an era where firewalls didn't exist, where you could globally route to any IP address possible; that's its design. When you have a DNS server that can go out of multiple interfaces, one to the public internet, one to the internal network, and you go to that public internet interface and you say "hey, give me this answer," and then you tell it "by the way, the answer you're looking for is on your internal interface," it goes into the internal interface.

What does this look like? Because I'm not just going to tell you this theoretically, no, no, no, no, no, I'm actually going to go ahead and implement it as part of nomde. nomde has an echo service. If you look up 10-0-1-55.echo.alt.doxpara.com, the name server for that is ns.whatever; when you look up the address for that, it dynamically returns a packet that says "oh, that address you're looking for, that's at 10.0.1.55." So guess what happens: you go ahead and you try to communicate, you go to the recursive server, it goes
ahead, says "what's my next hop?" The next hop is at 10.0.1.55; it goes backwards. Now you say "fine, I'll just disable recursion on my external interfaces, I won't let you come back into my network," and the story could end there, but I'm an evil bastard. The interesting things happen when you scan 16 million IP addresses: about 20 or 30 thousand hosts are like "who the hell is this guy?" and what they do is they actually look up your IP address to determine the name you're coming from. Lots of firewalls, you know, IDSes, a couple of individual auditors. Guys, when you're investigating someone, realize your investigations might send a big flare back that says "hi, I'm looking into you." Of course I would need to have control over my own reverse DNS. I do have control over my own reverse DNS, thank you very much. And there's something very interesting that you can do. They come to you and say "hey, what's the name associated with your IP address?" Now you could tell them, or you could tell them "no, no, no, no, I don't have the answer either, no. Who does know it? It's this IP address inside your network." But it gets a little bit more complicated, because we don't just want this original reverse request to come back to us, I mean to go to the inside network. No, no, we want arbitrary data. So what we do is we say "no, no, I don't know the answer, but this other name, you know, bigbatchofdata.otherdomain.com, has the answer." Now this big batch of data will actually be the address that is eventually pointed back in the network, but the very interesting thing is it is put into a separate domain than the one they looked under for the reverse lookup. Why? I told you earlier about DNS spoofing. DNS spoofing used to work like this: they would, you know, look up through one host, look up to another, look up to another; you'd say "no, no, no, I don't have the answer, but Yahoo has the answer, and Yahoo is at my address," and then it would store it. Now every time that server tried to go to Yahoo it would come to this address. So
this is bad. So the solution was deemed to be to not trust the server if it told you the IP address of a given name in a given domain, if that domain was some completely different place. It would say "oh, you know what, you aren't qualified to answer requests about Yahoo," or "you're not qualified to answer requests about this other domain," so it would start a completely new recursion process. And this new recursion process will be for this new arbitrary name, and it would follow that path to its inevitable IP address, and it's that arbitrary name and arbitrary IP address lookup that gets leaked all the way back into the target network. That is our pipe in. Now what's our pipe out? We just do the same thing. The guy on the inside, our Trojan horse on the inside, picks up this request, says "oh, I've got a big request here, I've got data, I've got an incoming message. I don't know the answer, but this guy on the outside does," and thus you have a path that goes both directions. You communicate with the IDS; it sent a message to the DNS, causing the DNS to proxy traffic back and forth between an outside host and an inside host, and there's no recursion involved from a public thing. It's kind of nasty. And did I mention that actually a human auditor looking into your IP address can actually cause this? Social engineering.

As an aside, by the way, I'm kind of embarrassed to have to talk about this, but I'm going to do it anyway. Please don't log, when you're writing software, just the name returned from a PTR lookup of an IP address. Say, you know, 1.2.3.4 equals this name. Lots and lots of places will just say "hey, if I got a name back, I'm not going to log the IP." Well, you know what I can return for my name? 127.0.0.1 is my name. Hey, guess, you know, how much that messes up your logs? Yeah, guys. By the way, who does this? I don't know. Apache, sshd, a bunch of IDSes don't do this, thank you.

Okay, this is cute. Some people came to me; they said "Dan, I would like to be able to communicate with my friend,
and I'm behind a NAT and he's behind a NAT, and we can't talk to each other, and we don't have any open bulletin boards that we can communicate through. We would like to communicate with one another; how can we do so? Can we do it with the DNS servers?" I'm like, well, the DNS servers aren't going to, like, store, you know, list out all the results of their cache. They're like "please, Dan, there's got to be a way." So I'm like okay. You go to a recursive server, say "hey, you over there, 4.2.2.1, what is data.doxpara.com?" And it goes ahead and it finds out, and it stores that value for a while. Now a second guy comes along and he says "what is data.doxpara.com?" Well, it's already cached, so the answer is there. When he does that second request, the second guy comes along, he can actually say "no, don't investigate, don't recurse; if you have the answer already, that's great, go ahead and give it to me, but if not, no, I don't want to know." That's just the recursion desired bit. Now data.doxpara.com is already cached, so it still returns that information. I now know that this guy had already gone ahead and seen data.doxpara.com. And this is related to the whole class of information leakage where you can find out if a server has been looking up Yahoo, looking up Hotmail, been looking up an arbitrary name that you want: you can query its cache, and not do it destructively, by clearing your recursion desired bit. But you can also send information based on whether an individual record has already been looked up or not.

Here is the method for single-bit data transfer over DNS, and yes, this is even slower than it sounds. Step one: split your message, and it better be short, into individual bits. For each byte that's going to be available for reading, do a recursive lookup against a value that says, you know, "I'm starting another byte." For each bit that is one, do a recursive lookup against a wildcard-hosted name, meaning it'll return a response no matter what the query is, that identifies that bit as active. So say if you had a letter with
you know, three of the bits, the first bit, the sixth bit and the eighth bit, active, you'd send requests that correspond to one, six and eight. How do you retrieve that data? You scan from zero, you know, one, six to eight... actually scan all seven, all eight, all eight bits in the byte. First, do a lookup for the first byte's start bit. If you get a reply, do a non-recursive lookup against all the names that map to the eight bits. The names that do return an answer, that's a one; the bits that don't return an answer are zero. You integrate the bits into a byte, and you increment the byte counter, return to step one. Long story short, you get about eight bits a second, but two hosts can communicate over a tremendous amount of traffic.

Implications: well, first of all, we do bidirectional communication really, really slowly. Secondly, this method can be extended to pretty much anything. Web counters can be used for communication. IP ID counters in IP stacks. There's a story about Paul Revere's lamps in the tower, "the British are coming," you know, all sorts of... there's a quote in the intelligence community: you can always send a bit. There's a question of did it increment or not; it started at six, is it between six and one, or six or two? So I mean, there's always a way to send a bit; you could possibly send more data.

Last modified. Just last week I'm writing all this code about DNS, and there's a Slashdot story that says RSS is overloading the internet. Well, lots and lots of news readers will do big heavy HTTP queries every hour on the hour, and according to the admins this looks a lot like HTTP... I mean, this looks a lot like a DDoS; you know, all these coming at once is really inconvenient. Now the only information they want to know is if there's any new data for them to download. So I'm like, fine, we'll take this one tiny piece of information, we'll shove it in a DNS TXT record and they can just do a lookup. But, you know, it's a pain in the ass in a lot of languages to do TXT record
lookups. And I'm like, huh, last modified: the date that this RSS news file was updated. Well, that's a date; dates are times, and times are represented as 32-bit integers in Unix. What does DNS move a lot of that's 32 bits wide? Oh yeah, IP addresses. So what I went ahead and wrote is last modified over DNS. It encodes a date as the IP address for an arbitrary name. So you go ahead and you run a simple command called glance; the critical source code is right above. It does gethostbyname and then it casts it as a time. You can glance www.cnn.com: glance.alt.doxpara.com. Did we kill someone again? Damn. And then look at what it returns: the number of seconds since that time, Thursday July 29, 16:11:21 GMT. One packet instead of 10, very, very efficient, and it caches. Everyone in AOL can find out that CNN hasn't updated yet. Hallelujah.

But let's say we wanted a little bit more storage. You know, what could we do that might possibly be interesting to move over DNS? Well, let's say we want to do really big files. I call this domaincast. Normally in DNS you talk to your own server and it retrieves the canonical official data on demand for a particular request from just the official server, and the data is consistent for everyone. That's normally. Let's have a little bit more fun. I showed you that screensaver at the beginning, and there were a lot of dots there, right? What if in each of those dots we stored 20 kilobytes of data, a different 20 kilobytes of data for each of those dots? Well, if you do the math, if we had 20 kilobytes per server and a 700 megabyte, not big, CD, it would only take about 35,000 servers to host all 700 megs of data. And guess what, they're all storing data in their cache for up to a week. So for up to a week we could store this big huge file. Would it be fast? Well, out of a DNS server you can only get about a kilobyte a second, more or less. Well, one kilobyte a second times 35 thousand is 35 megabytes a second. I think that's faster than my net
connection. Now yes, you know, there's going to be some overhead, say 50% overhead; that's still 17 meg a second, that's still a heck of a lot faster than my net connection. So by using a divide and conquer strategy we can actually store a tremendous amount of data in, effectively, the internet itself. Kind of a neat toy. Now how do we distribute the list of sites to go to? I used to have this big complex algorithm for encoding the next hop to go to in each packet. Then I'm like, you know what, 35,000 times four bytes is 140 kilobytes. I'll just send that as my list of where to go for each individual byte, and if that's even too much to host, we'll just host that in domaincast as well, across seven key servers. BFD. So yeah, that's how you distribute a large file very fast over DNS.

But that's for a file. What if we wanted to do a stream, an audio stream, say? Voice over DNS, anyone? So it turns out, awesome, so it turns out voice compresses really freaking well, like two kilobits a second, like 276 bytes in a second. Okay, you know what, DNS is slow, but it ain't that slow; I can move 176 bytes even through a pretty slow server. So it turns out, interesting, I didn't expect this to actually be useful, but DNS caches. So you can have, like, you know, one of the things you notice when you're serving audio data is as soon as you get a whole bunch of listeners, your bandwidth bill goes through the roof. Wouldn't it be nice if everyone cached your data and it got distributed, shared? Well, I looked into this for a second, and with HTTP it's a stream, so it doesn't know how exactly to cache it, but if you divide your data into, say, 880 millisecond chunks, these chunks get cached just fine. So, um, yeah, that's what we do. We basically take data, put it in 800 millisecond chunks, we upload them using standard dynamic update to a BIND server, and we pull them down. What does it sound like? I'm gonna see if I have net; maybe, I'm hoping we have net, that's a big fat maybe. Modify this real quick and then we're gonna win. Now do we all understand? No promises.
"...Radio San Francisco, California." This isn't saved; this isn't a lame demo. That was live. And now, and now that we have actually got net, hang on, we gotta do that SSH over DNS. Come on, how long have we wanted this at our disposal? I shall even put this down. Since when could you afford a hooker? Maybe. I have to modify one thing again. I can document this. So I said, I don't know how many of you can read this. SSH actually has support for something called a ProxyCommand. A ProxyCommand says, you know what, a straight-up TCP connection isn't gonna work; instead run this command and it will go ahead and give you connectivity to where you want. Now normally it will just, you know, work; normally you use this for SOCKS or for HTTP or whatever. This isn't normal; I'm using it for DNS. Now what I'm doing is I'm adding an option to my droute command to tell it to go through the resolver at 4.2.2.1. I can actually tell it to go through multiple resolvers, so that my data is actually bouncing off an arbitrarily large list of name servers. So if you, say, wanted to spread your communications across 30 or 50 hosts, no problem, boss. Let's see if this works. Maybe. Oh yeah, this is going not straight up but over SSH. "Received disconnect." That sucks. One more time. "Entering interactive session." And you know what, just 'cause I feel like doing it, I feel like talking to my friends. Cookie sent. And maybe, maybe. How you doing? Now that's a stunt. We can actually port that audio hack back to HTTP: return 1 to 5 second chunks of audio over HTTP, and now it'll be compatible with proxy servers.

So people have come to me and they've said, "Dan, we've talked about a whole bunch of stuff; I don't really understand what I'm supposed to take out of this talk." Fine, I'll give you a nice little summary. First, DNS is globally deployed; you use it, you probably serve it as well. Second, as the rest of IP networking has become more and more filtered, DNS has been left pretty much just the same, for important reasons, but has been
left the same, and its services actually outstrip what a normal IP network provides: normal IP networks don't cache data, DNS does. Third, this connectivity can be used to offer an entire range of services, from an encrypted VPN-style link to a completely silent but remotely accessible Trojan horse to an unexpectedly useful distributed audio caching system. Fourth, don't shut off your DNS servers; don't try to firewall it off, that'll just knock out your network connectivity. But please watch your DNS traffic. See what's going on, pay attention, 'cause people like me are out there.

All right, any questions? We got three minutes for questions and seven beers to give out, so who's got something good? Go. Hang on, get the heck up here. You got questions, come up now; we got three minutes.

How do you deal with a blind anycast system like the .org system that's been implemented over the past six months?

Why would it be a problem? If I register a name in the .org domain, it still comes to me.

It still comes to you, but over multiple hops. You're not dealing with the same cache on every system anymore.

No, no, no, I'm not hosting stuff in the root servers; it's being hosted in my particular endpoint. Unless .org hosts all the names under .org itself, which it may very... in other words, we're talking about third-level domains; are these hosted in .org?

No, I was looking more at the attack vector, not at the hosting part of this.

Tell me more, tell me more about this attack later. Go ahead.

Is it customizable, the size of packets? Because I know BIND specifically, at least by default, will limit the return size of DNS queries.

I am staying with... I have been overly conservative. I am a hundred percent RFC compliant; my DNS packets do not exceed the 576, but 512 byte limit. Now it turns out a lot of sites don't require such paranoia, but by default I coded against the system as good as I could write.

What would you recommend to protect against this sort of DNS routing into your private
network do not allow recursive DNS on any server that's dual hosted no you got a drink I was wondering if you're doing SSH over DNS is there caching the data no I said TTL equal to zero on all my traffic so that it's not cached hey actually for the last modified self there's an optional header for a CDB called expired if you take expired minus server date you get a number of seconds that server wants you to cash the value use that as your TTL for your last modified data what if you got say 50 or 60 servers to cash a single packet of data in their servers and then forced another host to or I'm sorry sent a spooked DNS request to all of those servers and the return address for something like Microsoft comm that is very good attack do you think you're 140,000 in the 64 range is that reasonable or is that because you chose 64 is it probably an average selection 65 does not have as much 64 does my guess is that 64 was moderately heavily populated because 64 happens to be one of those that was distributed to lots and lots of different endpoints there are so a lot of companies that have the whole class B's are even class A's these companies do not host as many public DNS servers what do you foresee is a problem with say everyone started using the system to do SSH caching or caching of their video streams this is going to create a large load on everyone's DNS servers far as bandwidth the CPU consumption what what sort of problems and solutions do you foresee well for audio the interesting thing is that it actually reduces overall bandwidth because it's caching locally and you're not using your external link as much for SSH over DNS it it could get problematic if everybody was using this just because you're well you know what it is because SSH over DNS is going to be slower your aggregate data is sent is going to possibly be less so you know what bug me later we'll think about how this could actually cause problems oh apparently I can do as many questions as I want so come 
on up if you got a hang on hang on if you've asked me a question grab a beer where can I get a copy of your code oh yeah did I mention I actually released this junk yeah dot d o x p a r a dot com docs para the backwards paradox with the high failure rate of name lookups what I'm trying to get at is in UDP streams because that's how DNS communicates mostly how much more overhead will this take well the thing is remember I control the endpoint and so the classic bind model of just failing randomly is greatly reduced however I have a lot of reliability code in my client to go ahead and retry potentially in other servers so I've actually done a lot of work to make sure that reliability is managed a lot of them are shifting from server to client what do you mean like code DNS and some of the others that are coming out to work with DNS better hmm well I mean the idea code DNS will go ahead and deal with DNS caches all the SSH over DNS stuff is uncached because it's part of a live stream thanks when you're storing large when you're storing large files across multiple DNS servers what kind of redundancy do you have built in in case one of them goes down ah that's a very good question you get the last beer the mechanism I'm using ends up using what's it called there's a whole secret splitting mechanism you can use you know like there's lots of algorithms for 90 you know like like par on use net there's actually a more advanced version of that that's tuned towards larger files and if you have a 90% an arbitrary 90% of the data you're able to reconstruct the entire file what sort of passive attacks do you see people are using against somebody uses this as a communication method can you repeat that what sort of passive attacks do you see against people using this as a can we get a communication method you mean how would you hurt people who are doing this how would you drop on somebody using this as a connection well I'm moving at ideally I'm moving a man I'm allergic to a 
question no I did this is actually the big reason why I chose to use SSH over DNS because the SSH layer will prevent any kind of attacks from being particularly effective I mean yeah you can corrupt the link without a problem but you're not even going to be able to spoof traffic at me and this is as opposed to what I was using as I was developing this which was just I net D into a shell now SSH has a cost it has a lot of back and forth and that increases the setup time substantially but in return you get immunity from the kind of attacks that you were thinking of I think so go ahead just wondering if you've dealt with or care about how AOL doesn't seem to pay attention to all of the DNS RFCs tell me more I know that you know a person expects a certain behavior for caching from a DNS server and you're expected to be able to tell a DNS server oh nonsense I throw a knot into every request in SSH over DNS so I know exactly what we're referring to bind can be configured to have a minimum TTL value that it'll respect it will refuse to accept that data isn't going to be cash you'll cash it anyway so what you do is in your query you throw a little random knots of random value so it can't pretend that it has a cash because it doesn't actually know that these two requests correspond to the same value that's how I handle that okay all right no but great question I give you a beer if I had one is there any way to arbitrarily float extremely large files for longer than a week at a time through DNS you can repopulate the data so if you if you don't actually want to make another connection and repost anything so so let's say you put a payload up and you wanted to have that float around arbitrarily you know what you could do is assuming in your first week you had a whole bunch of people downloading your data you could actually have some code on the clients distribute the the updating of the data so you distribute to 35,000 servers and then you get a hundred thousand clients and 
every week the code on the clients knows oh I better go ahead and update that data that being said this is extraordinarily evil please don't write this client two questions are you going to release your list of IP addresses not publicly can I have a copy of it I can't publicly I can neither confirm nor deny so the third question it seems pretty easy to see that someone's doing this the way that you make the request are you going to make so that it will be hidden because right now it would be really easy to write a snort signature and say this is someone titling over DNS important actually something very important how would you write a snort signature to find this because these packets are entirely RFC compliant now you could just say there's a lot of DNS traffic coming from this particular host but a better method is to notice that these requests are actually have very high levels of entropy in other words English language follows a certain distribution of consonants and vowels and lead numbers and so on and DNS names very much follow that as well if you were to write a snort signature to detect this kind of traffic you would simply need to have an algorithm that detected hey look at all this very large highly intropic data I bet this is in capsule and SSH traffic do you want me to stop or take more one more question if you done any work to try to transfer four byte chunks over multiple a records problem with that is that you end up with inefficiencies because of all the data in between each a record the record stuff came originally now what people say well why don't I just shut off text record lookups first answer because it kills SPF second answer fine I'll put them in MX records and they say well why MX records are you know individual records get desorted get randomly sorted well MX records have a precedence value and this precedence value can be used to sort your request into the original order so that's why the bottom line is you're not going to stop this by 
trying to limit what types of records you serve so so from your standpoint is an efficiency question yes and I know efficiency and arbitrary data over DNS are not concepts that go together but it works anyway great thanks all right I think that's all we got time for find me later oh and I am going to the dunk take if you want to dunk me come get some
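The detection heuristic the speaker sketches in the Snort answer (long, high-entropy query names rather than any particular record type) is worked through below as an added example. It is not code from the talk or from the speaker's released tools. The log format, the per-query thresholds, the "last two labels are the registrable domain" rule and the `t.example.org` tunnel zone are all assumptions made for the illustration; the sample queries are constructed.

```python
"""Entropy-based spotting of DNS tunnelling over query names.

Added example, not from the talk or its released code. Input is a constructed
log of "client_ip qname qtype" lines; thresholds are illustrative assumptions.
"""
import base64
import hashlib
import math
from collections import Counter, defaultdict

# Assumptions: the defender does not know which zone the tunnel endpoint owns,
# so everything left of the registrable domain (taken as the last two labels)
# is treated as potential payload and scored as one string.
PAYLOAD_MIN_LEN = 30     # chars of payload before a query is worth scoring
ENTROPY_MIN = 3.5        # bits/char; English-like labels sit well below this
HOST_MIN_FLAGGED = 3     # flagged queries before a client is reported


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def payload_of(qname: str) -> str:
    """Labels left of the registrable domain, joined; DNS names are case-insensitive."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-2]).upper()


def is_suspicious(qname: str) -> bool:
    """Flag a query whose payload is both long and near-random."""
    p = payload_of(qname)
    return len(p) >= PAYLOAD_MIN_LEN and shannon_entropy(p) >= ENTROPY_MIN


def detect(log_lines):
    """Return {client_ip: flagged_count} for clients at or over HOST_MIN_FLAGGED."""
    flagged = defaultdict(int)
    for line in log_lines:
        src, qname, _qtype = line.split()
        if is_suspicious(qname):
            flagged[src] += 1
    return {ip: n for ip, n in flagged.items() if n >= HOST_MIN_FLAGGED}


def tunnel_qname(seq: int, zone: str = "t.example.org") -> str:
    """Constructed stand-in for a tunnel client's query: a short nonce label (the
    cache-busting trick the speaker describes) plus a base32 data chunk. SHA-256
    digests stand in for encrypted payload so the sample is deterministic."""
    chunk = base64.b32encode(hashlib.sha256(f"chunk-{seq}".encode()).digest())
    nonce = base64.b32encode(hashlib.sha256(f"nonce-{seq}".encode()).digest()[:5])
    return f"{nonce.decode().lower()}.{chunk.decode().rstrip('=').lower()}.{zone}"


# Constructed sample log: ordinary lookups from one client, tunnel traffic from another.
SAMPLE_LOG = [
    "10.0.0.7 www.example.com A",
    "10.0.0.7 mail.example.com MX",
    "10.0.0.7 static-assets-2.cdn.example.net A",
    "10.0.0.7 _sip._tcp.example.com SRV",
] + [f"10.0.0.5 {tunnel_qname(i)} TXT" for i in range(4)]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        src, qname, _ = line.split()
        p = payload_of(qname)
        mark = "TUNNEL?" if is_suspicious(qname) else ""
        print(f"{src:10} len={len(p):3} H={shannon_entropy(p):.2f} {mark:8} {qname}")
    print(detect(SAMPLE_LOG))
```

Scoring the whole subdomain payload rather than one label is deliberate: a tunnel client can keep each label short, but it cannot make base32-encoded ciphertext look like English. A rule language with no entropy operator cannot express this directly, so in practice it lives in a preprocessor or in a pass over resolver query logs, with the per-client count giving the "lots of DNS from one host" signal the speaker mentions as the cruder alternative.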