SecureTrust Cybersecurity

How the Helios Cloud Protects against DNS Tunneling

Domain Name System (DNS) tunneling is a common method by which attackers abuse the DNS service for malicious purposes, such as exfiltrating sensitive organization data or infiltrating malware.

This article explains how the IPS engine in the Helios Cloud protects your network from DNS tunneling malware attacks.

When you configure the IPS policy to block traffic, this also enables the Helios Cloud’s protections against DNS tunneling attacks for your account.

Detecting DNS Tunneling

The Helios Cloud analyzes DNS requests and identifies potential DNS Tunneling attacks based on these properties:

  1. Packet Size – The length of the requests may indicate anomalous communication over DNS. Unusually large DNS packets are anomalous and indicate a potential attack.
  2. Record Type – Resource records (RR) that map domains to IP addresses (such as A and AAAA records) are the most common in DNS protocol usage, but they are restricted to a short response length. When data is exchanged over DNS, the record types used may vary so that more data can be transported per message, and this can indicate an attack.
  3. Unique Ratio – DNS queries and responses that carry encoded information are likely to be unique. When there is a high proportion of unique subdomains in the queries for a domain, this can indicate an attack.
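The three properties above can be turned into a simple per-domain scorer. The following is an added illustration, not Helios Cloud code; the thresholds, the two-label "registered domain" shortcut, and the sample query records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample DNS query records: (site, query name, record type).
# The example.net entries imitate encoded data in long, unique labels.
SAMPLE_QUERIES = [
    ("site-a", "www.example.com", "A"),
    ("site-a", "mail.example.com", "A"),
    ("site-a", "www.example.com", "AAAA"),
    ("site-a", "www.example.com", "A"),
    ("site-a", "cdn.example.com", "A"),
    ("site-a", "4f6b2c9a1e3d5b7c8a9f0e1d2c3b4a5f6e7d8c9b0a1f2e3d4c5b.t.example.net", "TXT"),
    ("site-a", "0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9.t.example.net", "TXT"),
    ("site-a", "ffeeddccbbaa99887766554433221100aabbccddeeff00112233.t.example.net", "NULL"),
    ("site-a", "9b8a7c6d5e4f30211203a4b5c6d7e8f9ffeeddccbbaa99887766.t.example.net", "TXT"),
    ("site-a", "c0ffee1234567890abcdef1234567890abcdef1234567890abcd.t.example.net", "TXT"),
]

# Thresholds are illustrative assumptions, not the Helios Cloud's values.
MAX_AVG_QNAME_LEN = 60       # packet size: long query names carry encoded data
MAX_NON_ADDRESS_RATIO = 0.5  # record type: share of queries that are not A/AAAA
MAX_UNIQUE_RATIO = 0.8       # unique ratio: distinct names / total queries
MIN_QUERIES = 5              # too few samples to judge a domain

def registered_domain(qname):
    """Last two labels (assumption); production code would use the public suffix list."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def score_dns_tunneling(queries):
    """Return {(site, domain): [triggered properties]} for domains that look anomalous."""
    groups = defaultdict(list)
    for site, qname, qtype in queries:
        groups[(site, registered_domain(qname))].append((qname, qtype))
    findings = {}
    for key, recs in groups.items():
        if len(recs) < MIN_QUERIES:
            continue
        avg_len = sum(len(q) for q, _ in recs) / len(recs)
        non_addr = sum(1 for _, t in recs if t not in ("A", "AAAA")) / len(recs)
        unique = len({q for q, _ in recs}) / len(recs)
        hits = []
        if avg_len > MAX_AVG_QNAME_LEN:
            hits.append("packet_size")
        if non_addr > MAX_NON_ADDRESS_RATIO:
            hits.append("record_type")
        if unique > MAX_UNIQUE_RATIO:
            hits.append("unique_ratio")
        if hits:
            findings[key] = hits
    return findings

if __name__ == "__main__":
    for (site, domain), hits in score_dns_tunneling(SAMPLE_QUERIES).items():
        print(f"{site} -> {domain}: {', '.join(hits)}")
```

On the constructed sample only example.net is flagged, on all three properties; the ordinary example.com lookups stay below every threshold.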

Blocking DNS Tunneling

To protect customers from DNS tunneling by malicious actors, Helios uses machine learning algorithms to detect anomalies across all outbound DNS queries.

The DNS traffic between each site connected to the Helios Cloud and each unique domain is analyzed offline over a time period of 24 hours.

Domains with a low reputation that receive frequent anomalous DNS queries are automatically signed (an IPS signature is generated for them) the following day.

Then the IPS policy for all accounts is able to block the relevant DNS traffic for these domains.
Furthermore, Helios prevents data exfiltration over DNS tunneling using a set of heuristics that trigger IPS to block the traffic.

These heuristics have been tested over multiple DNS tunneling tools and techniques.

This real-time prevention is achieved even without knowing the threat actor or the domain name and complements Helios’s machine learning algorithms.

Why Choose SecureTrust?

SecureTrust is a leading provider of cybersecurity automation solutions.

SecureTrust’s platform can help organizations mitigate data exfiltration.

Are you ready to block cyber criminals from stealing your data?

Get secure today!

Helios
Helios is SecureTrust's cutting-edge platform and AI technology that empower our team of experts to provide efficient and effective security services.
