Data exfiltration and detection has been the subject of lots of research in recent years. DNS exfiltration is the process of abusing the DNS protocol, originally designed for hostname resolving, to send data from a querying machine to a remote nameserver. While DNS exfiltration is commonly associated with free DNS tunneling applications, it’s also used by bots (e.g., Feederbot, Morto) to steal sensitive data from compromised enterprises and communicate with their command and control servers.

In this talk, we present a new real-time DNS exfiltration detection solution designed to be deployed on recursive DNS resolvers, based on estimating the amount of data that is transferred to registered domains via DNS requests FQDN. The algorithm is designed to be light-weight in both memory requirements and execution run time and allows real-time mitigation of DNS exfiltration campaigns.