Data Exfiltration Source

Critical Data Exfiltration

A data exfiltration source is a compromised or malicious host observed transferring sensitive organizational data to external, attacker-controlled infrastructure through covert channels including DNS tunneling, HTTPS to command-and-control servers, ICMP payloads, or steganographic encoding within permitted protocols. Exfiltration is the final stage of many advanced persistent threat (APT) campaigns and ransomware operations, where stolen data may be used for extortion, sold on darknet markets, or leveraged for further targeted attacks against the victim organization.


Critical Severity

This threat is classified as critical severity. Immediate action required.

🔍Indicators

  • Unusually large outbound data volumes at unexpected hours (e.g., gigabytes transferred at 3 AM)
  • DNS queries with abnormally long subdomains (>50 chars) — characteristic of DNS tunneling
  • Persistent low-and-slow outbound HTTPS connections to newly registered or low-reputation domains
  • ICMP packets with payloads larger than 64 bytes sent to external hosts
  • Outbound traffic to cloud storage services (S3, Mega, Dropbox) not used operationally
  • Internal hosts communicating directly with external IPs (bypassing proxy) on unusual ports
  • Data leaving in structured, repetitive small packets (chunked exfiltration to avoid size-based DLP alerts)
  • Encoded or encrypted payloads in HTTP query parameters or POST bodies to unusual endpoints

🛡Detection Methods

DNS tunneling detection

# Monitor for long DNS subdomains (potential tunneling)
sudo tcpdump -i eth0 -n 'udp port 53' -l | \
  awk '/[A-Za-z0-9+\/=]{50,}/' | head -50

# Using zeek (formerly bro) for DNS analysis
zeek -i eth0 /usr/share/zeek/policy/protocols/dns/detect-external-names.zeek

Outbound data volume monitoring

# iftop — real-time bandwidth by host
sudo iftop -i eth0 -n -P

# nethogs — bandwidth by process
sudo nethogs eth0

# Log large outbound transfers (>100MB) with iptables
# (requires conntrack; "both" counts bytes in both directions of the connection,
#  and the limit match keeps one big flow from flooding syslog with one log line per packet)
iptables -A OUTPUT -m connbytes --connbytes 104857600: \
  --connbytes-dir both --connbytes-mode bytes \
  -m limit --limit 1/min \
  -j LOG --log-prefix "LARGE-TRANSFER: "

ICMP covert channel detection

# Capture ICMP with large payloads
sudo tcpdump -i eth0 -n 'icmp and greater 100' -X

Snort rules

# DNS tunneling: on the wire a DNS name is a sequence of length-prefixed labels with
# no literal dots, so match a label length byte of 50-63 (0x32-0x3f) followed by
# 50+ base64/hex characters instead of looking for a "." in the payload
alert udp any any -> any 53 \
  (msg:"Possible DNS Tunneling — Long Subdomain"; \
   content:"|00 01 00 00|"; offset:4; depth:4; \
   pcre:"/[\x32-\x3f][a-zA-Z0-9+\/=]{50,}/"; \
   classtype:trojan-activity; sid:9100024; rev:1;)

# Large ICMP payload
alert icmp any any -> any any \
  (msg:"ICMP Large Payload — Possible Covert Channel"; \
   dsize:>200; \
   classtype:trojan-activity; sid:9100025; rev:1;)
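As an added example that is not part of the original page, the Python below applies the long-label and high-entropy heuristics from the DNS tunneling detection methods above to constructed Zeek dns.log-style lines, and also counts distinct subdomains per source host and registered domain, a signal tunneling produces that single-query rules miss. All hosts, domains and timestamps are made up, and treating the last two labels as the registered domain is a simplification (a public-suffix list would be used in practice).

```python
import math
from collections import Counter, defaultdict

# Constructed sample in Zeek dns.log style (tab-separated: ts, id.orig_h, query); hosts and domains are made up.
SAMPLE_DNS_LOG = "\n".join([
    "1700000000.1\t10.0.0.5\twww.example.com",
    "1700000001.0\t10.0.0.9\t" + "4d5a9000" * 8 + ".t.tunnel-example.test",  # 64-char label
    "1700000001.5\t10.0.0.9\t" + "0" * 60 + ".t.tunnel-example.test",         # 60-char label
    "1700000002.0\t10.0.0.9\tq7Zx2pLm9vKt4RwB8nYc3HsJ6fGd1TaE5uNi0oPk.t.tunnel-example.test",
    "1700000003.0\t10.0.0.7\tcdn.example.net",
])

def shannon_entropy(s):
    """Bits per character: encoded payloads score high, ordinary hostnames low."""
    n = len(s) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_dns_log(text):
    """Return (ts, src, query) tuples from Zeek-style TSV, skipping '#' header lines."""
    rows = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            ts, src, query = line.split("\t")
            rows.append((float(ts), src, query.rstrip(".")))
    return rows

def flag_queries(rows, max_label=50, min_entropy=3.5):
    """(src, query, reasons) for queries with over-long or high-entropy labels."""
    flagged = []
    for _, src, query in rows:
        labels = query.split(".")
        # Assumption: registered domain = last two labels; the rest is payload space.
        entropy = shannon_entropy("".join(labels[:-2]))
        reasons = []
        if max(len(label) for label in labels) > max_label:
            reasons.append("long-label")
        if entropy >= min_entropy and len(query) > max_label:
            reasons.append("high-entropy")
        if reasons:
            flagged.append((src, query, reasons))
    return flagged

def unique_subdomains(rows):
    """Distinct subdomains per (src, registered domain): tunnels churn through many."""
    seen = defaultdict(set)
    for _, src, query in rows:
        labels = query.split(".")
        if len(labels) > 2:
            seen[(src, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    return {k: len(v) for k, v in seen.items()}
```

Run `flag_queries(parse_dns_log(SAMPLE_DNS_LOG))` to see the three tunnel-example.test queries flagged while the ordinary hostnames pass; the subdomain counts give a per-host view that is worth alerting on over a time window even when individual labels stay under the length threshold.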

Mitigation

  1. Deploy Data Loss Prevention (DLP) solutions that inspect outbound traffic for sensitive patterns (PII, credit card numbers, internal document keywords).
  2. Force all outbound traffic through an explicit proxy — block direct internet access from internal hosts at the firewall level.
  3. Implement DNS-based monitoring: log all DNS queries with response sizes and flag queries with unusually long subdomain labels.
  4. Block ICMP outbound from servers that do not require it; restrict to only ping (type 8) with payload size limits.
  5. Enable network flow analysis (NetFlow, sFlow, IPFIX) and alert on anomalous data volumes per host per hour.
  6. Restrict outbound HTTPS to an allowlist of approved destinations — use TLS inspection (SSL/TLS interception) at the proxy for egress inspection.
  7. Segment your network: prevent database servers and file stores from initiating any outbound connections directly.
  8. Audit cloud storage egress: create IAM policies prohibiting uploads to external cloud storage buckets not owned by your organization.
  9. Incident response: preserve memory dumps and network captures before isolation — forensic evidence is critical for attribution and recovery.

📋Real-World Examples

The 2020 SolarWinds Orion supply chain attack resulted in SUNBURST malware exfiltrating data from 18,000+ organizations — including US government agencies — using DNS-based command-and-control that blended with legitimate Orion network traffic for months before detection by FireEye. In the 2013 Target breach, attackers exfiltrated 40 million credit card records by first compromising an HVAC vendor, then pivoting to the POS network and exfiltrating data in small batches to a staging server within Target's own DMZ to avoid triggering size-based DLP rules.
