Exam CS0-003
Question 190

A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:

• DNS traffic while a tunneling session is active.

• The mean time between queries is less than one second.

• The average query length exceeds 100 characters.

Which of the following attacks most likely occurred?

Correct Answer: A

The presence of DNS traffic while a tunneling session is active, a mean time between queries of less than one second, and an average query length exceeding 100 characters together point to DNS exfiltration. DNS exfiltration tunnels data over the DNS protocol: the client encodes chunks of the stolen data into the labels of hostnames it resolves under an attacker-controlled zone, and the authoritative server for that zone reassembles the data from the queries it receives. Because each query can carry only a small amount of data, the client has to issue many queries in quick succession (here, less than a second apart), and because the hostname itself is the carrier, the queries are far longer than ordinary lookups (over 100 characters, against a limit of 253 characters for a full name and 63 per label). These indicators alone are not proof: some legitimate security and telemetry products also encode data in DNS lookups, so confirm by checking which zone the queries target and whether the labels look like encoded data (high entropy, sequence numbers, little repetition between queries).
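One way to turn the three indicators above into a check that runs over a DNS query log, as an added example that is not part of the exam page or its discussion: it groups queries by client, computes the mean inter-query gap and the mean query length (the two thresholds the question gives) and reports the Shannon entropy of the longest label as an extra triage signal for encoded payloads. The log format "<epoch seconds> <client ip> <query name>", the zone tun.example.net and every sample line are constructed for the example, not captured traffic.

```python
"""Per-client DNS query statistics for spotting tunneling/exfiltration.

Added example, not part of the exam page. The log format
"<epoch seconds> <client ip> <query name>" is an assumption; the sample
lines below are constructed, not captured traffic. Thresholds follow the
question: mean inter-query gap under 1 s and mean query length over 100.
"""
import base64
import math
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple


def build_sample_log() -> List[str]:
    """Constructed log: one benign client and one client pushing encoded data out."""
    t0 = 1700000000.0
    lines = []
    # 10.0.0.5 resolves ordinary names about every 30 seconds.
    for i, name in enumerate(["www.example.com", "mail.example.com",
                              "cdn.example.org", "api.example.com"]):
        lines.append(f"{t0 + 30 * i:.3f} 10.0.0.5 {name}")
    # 10.0.0.9 base32-encodes a file and ships 100 characters per query as two
    # labels under an attacker-controlled zone, five queries per second.
    payload = b"Confidential: Q3 forecasts ..." * 8          # constructed data
    enc = base64.b32encode(payload).decode().rstrip("=").lower()
    chunks = [enc[i:i + 100] for i in range(0, len(enc), 100)]
    for i, chunk in enumerate(chunks):
        qname = f"{i:04d}.{chunk[:50]}.{chunk[50:]}.tun.example.net"
        lines.append(f"{t0 + 0.2 * i:.3f} 10.0.0.9 {qname}")
    return lines


def parse_log(lines: List[str]) -> Dict[str, List[Tuple[float, str]]]:
    """Group (timestamp, qname) pairs by client address."""
    by_client: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for line in lines:
        ts, client, qname = line.split()
        by_client[client].append((float(ts), qname))
    return by_client


def label_entropy(qname: str) -> float:
    """Shannon entropy (bits per character) of the longest label.
    Encoded payload labels score high; words like 'www' or 'example' score low."""
    label = max(qname.split("."), key=len)
    n = len(label)
    return -sum((label.count(ch) / n) * math.log2(label.count(ch) / n)
                for ch in set(label))


def client_metrics(entries: List[Tuple[float, str]]) -> Dict[str, float]:
    """Mean inter-query gap, mean query length and mean label entropy for one client."""
    entries = sorted(entries)
    gaps = [later - earlier for (earlier, _), (later, _) in zip(entries, entries[1:])]
    return {
        "queries": len(entries),
        "mean_gap_s": statistics.mean(gaps) if gaps else float("inf"),
        "mean_qname_len": statistics.mean(len(q) for _, q in entries),
        "mean_label_entropy": statistics.mean(label_entropy(q) for _, q in entries),
    }


def flag_exfiltration(lines: List[str], max_gap_s: float = 1.0,
                      min_qname_len: int = 100, min_queries: int = 3) -> Dict[str, Dict[str, float]]:
    """Apply the question's two thresholds per client; entropy is reported for triage only."""
    report = {}
    for client, entries in parse_log(lines).items():
        m = client_metrics(entries)
        m["suspicious"] = (m["queries"] >= min_queries
                           and m["mean_gap_s"] < max_gap_s
                           and m["mean_qname_len"] > min_qname_len)
        report[client] = m
    return report


if __name__ == "__main__":
    for client, m in flag_exfiltration(build_sample_log()).items():
        print(f"{client}: gap={m['mean_gap_s']:.2f}s len={m['mean_qname_len']:.0f} "
              f"entropy={m['mean_label_entropy']:.2f} suspicious={m['suspicious']}")
```

The min_queries guard keeps a single long lookup from tripping the rule; on a real capture you would also group by the queried zone (the parent of the long labels) rather than only by client, since the exfiltration domain is the more stable pivot for blocking and hunting.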

Discussion
glenndexter (Option: A)

Here's the rationale:

• DNS traffic while a tunneling session is active: This suggests that data is being tunneled over the DNS protocol, which is a common technique used in DNS exfiltration attacks to bypass network security measures.

• The mean time between queries is less than one second: A high rate of DNS queries, especially with such a short interval between them, is indicative of automated or scripted behavior, which is often associated with data exfiltration attempts.

• The average query length exceeds 100 characters: Longer-than-normal DNS queries can be a sign that data is being encoded or hidden within the DNS queries themselves, further supporting the likelihood of DNS exfiltration.

Kmelaun

Very good explanation thank you!

networkmen (Option: A)

Another word for DNS exfiltration is DNS tunneling.

jspecht (Option: A)

A long query length for DNS indicates data exfiltration.