Securing DNS Infrastructure
Steven Barber | Principal Sales Engineer
April 2014
© 2014 Infoblox Inc. All Rights Reserved.

Upload: sharon-molton

Post on 31-Mar-2015



Agenda

Securing DNS Infrastructure

Securing the DNS Platform

Defending Against DNS Attacks

Preventing Malware from using DNS

DNS Security Challenges

Infoblox Overview


Infoblox Overview & Business Update

Founded in 1999

Headquartered in Santa Clara, CA with global operations in 25 countries

Market leadership
• Gartner “Strong Positive” rating
• 40%+ Market Share (DDI)

6,900+ customers, 64,000+ systems shipped

38 patents, 25 pending

IPO April 2012: NYSE BLOX

Leader in technology for network control

Total Revenue, $MM (Fiscal Year Ending July 31), 30% CAGR:
• FY2007: $35.0
• FY2008: $56.0
• FY2009: $61.7
• FY2010: $102.2
• FY2011: $132.8
• FY2012: $169.2
• FY2013: $225.0


Infoblox: Technology for Network Control

Diagram labels:
• Infrastructure Security
• NETWORK INFRASTRUCTURE: Firewalls, Switches, Routers, Web Proxy, Load Balancers
• Discovery, Real-time Configuration & Change, Compliance
• Historical / Real-time Reporting & Control
• APPS & END-POINTS: End Points, Virtual Machines, Private Cloud, Applications
• Essential Network Control Functions: DNS, DHCP, IPAM (DDI)
• CONTROL PLANE
• Infoblox Grid™ w/ Real-time Network Database


Why is DNS an Ideal Target?

DNS is the cornerstone of the Internet used by every business/Government

DNS as a Protocol is easy to exploit

DNS outage = business downtime

Traditional protection is ineffective against evolving threats


Today’s DNS Security Challenges

1. Securing the DNS Platform

2. Defending Against DNS Attacks

3. Preventing Malware from using DNS


Securing DNS

Defend Against DNS Attacks

Prevents Malware/APT from Using DNS

Secure the DNS Platform


Hacks of DNS – 2013 & 2014


Security Risks with Conventional Approach

DNS installed on off-the-shelf server

• Many open ports subject to attack

• Users have OS-level account privileges on server

• No visibility into good vs. bad traffic

• Requires time-consuming manual updates

• Requires multiple applications for device management

Multiple Open Ports


Secure DNS Servers – Hardware / OS / Application

• Minimal attack surfaces

• Active / Active HA & DR recovery

• Fast/easy upgrades

• Detailed audit logging

• Centralized management with role-based control (No Root Access)

• Encrypted Inter-appliance Communication

• Secured Access, communication & API


DNSSEC - External DNS Security

Cryptographically signed DNS data

Trust Chain: DNS Root, 2nd Level Domain, nth Level Domain

Automatically Implement DNSSEC to mitigate hijacking threats such as the Kaminsky attack

Implementing DNSSEC…

• Central configuration of all DNSSEC parameters

• Automated key refresh

• Automated maintenance

• Automatic maintenance of signed zones


DNS Attacks up 216%

Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013

Attack types (chart labels):
• ACK: 2.81%
• CHARGEN: 6.39%
• FIN PUSH: 1.28%
• DNS: 9.58%
• ICMP: 9.71%
• RESET: 1.4%
• RP: 0.26%
• SYN: 14.56%
• TCP FRAGMENT: 0.13%
• SYN PUSH: 0.38%
• UDP FLOODS: 13.15%
• UDP FRAGMENT: 17.11%

~ 10% of infrastructure attacks targeted DNS

Source: Arbor Networks

Survey Respondents (chart labels):
• Other: 9%
• IRC: 6%
• SIP/VOIP: 20%
• HTTPS: 54%
• SMTP: 25%
• DNS: 77%
• HTTP: 82%

~ 80% of organizations surveyed experienced application layer attacks on DNS


Anatomy of an Attack

Distributed Reflection DoS Attack (DrDoS)

• Combines Reflection and Amplification

• Use third-party open resolvers in the Internet (unwitting accomplice)

• Attacker sends small spoofed packets to the open recursive servers, requesting a large amount of data to be sent to the victim’s IP address

• Uses multiple such open resolvers, often thousands of servers

• Queries specially crafted to result in a very large response

• Causes DDoS on the victim’s server

How the attack works

Diagram labels: Attacker; Internet; Spoofed queries; Open Recursive Servers; Amplified Reflected packets; Target Victim
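An added example, not part of the original slides: one way the operator of a recursive server could spot the reflection and amplification pattern described above in their own traffic, by comparing response bytes to query bytes per claimed source address. The record layout, sample flows, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: (claimed source IP, qtype, query bytes, response bytes).
# All addresses are from documentation ranges, not real hosts.
SAMPLE_FLOWS = (
    [("198.51.100.7", "ANY", 64, 3200)] * 40   # small queries, very large answers
    + [("192.0.2.10", "A", 60, 92)] * 25       # ordinary client
    + [("192.0.2.11", "AAAA", 62, 120)] * 3
    + [("192.0.2.12", "TXT", 70, 2900)] * 2    # large answers, but only two of them
)

def amplification_report(flows):
    """Aggregate per claimed source: query count, bytes in, bytes out, ratio."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0})
    for src, _qtype, q_len, r_len in flows:
        s = stats[src]
        s["queries"] += 1
        s["bytes_in"] += q_len
        s["bytes_out"] += r_len
    for s in stats.values():
        s["ratio"] = s["bytes_out"] / s["bytes_in"]
    return dict(stats)

def likely_reflection_targets(flows, min_queries=20, min_ratio=10.0):
    """Claimed sources that look like spoofed victims of reflection:
    many queries AND responses far larger than the queries behind them.
    Both thresholds are assumptions; tune them against normal traffic."""
    report = amplification_report(flows)
    return sorted(
        src for src, s in report.items()
        if s["queries"] >= min_queries and s["ratio"] >= min_ratio
    )

if __name__ == "__main__":
    for src, s in sorted(amplification_report(SAMPLE_FLOWS).items()):
        print(f"{src:15} queries={s['queries']:3} ratio={s['ratio']:.1f}")
    print("possible reflection victims:", likely_reflection_targets(SAMPLE_FLOWS))
```

Because the source address in a reflected query is spoofed, a flagged address is the probable victim, not the sender; the useful responses are rate limiting and restricting recursion to known clients.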


Protection against attacks

Diagram labels: Reporting Server; Automatic updates; Cloud-based Threat-rule Update Service; External DNS; Internal DNS; Reports on attack types, severity; Amplification; Cache Poisoning; Reconnaissance; DNS Exploits; Legitimate Traffic; Data for Reports


DNS Protection is not Just About DDoS

DNS reflection/DrDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack

DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic

DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software

TCP/UDP/ICMP floods: Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic

DNS cache poisoning: Corruption of the DNS cache data with a rogue address

Protocol anomalies: Causing the server to crash by sending malformed packets and queries

Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack

DNS tunneling: Tunneling of another protocol through DNS for data exfiltration


Anatomy of an Attack

Cryptolocker “Ransomware”

• Targets Windows-based computers

• Appears as an attachment to legitimate looking email

• Upon infection, encrypts files: local hard drive & mapped network drives

• Ransom: 72 hours to pay $300US

• Fail to pay and the encryption key is deleted and data is gone forever

• Only way to stop (after executable has started) is to block outbound connection to encryption server


Blocking Malware from using DNS

• An infected device brought into the office. Malware spreads to other devices on network.

• Malware makes a DNS query to find “home” (botnet / C&C). DNS Server RPZ detects & blocks DNS query to malicious domain.

• DNS/DHCP/IPAM: Pinpoint Reporting / Syslogs should be able to cross correlate the following: IP address, MAC address, Host name, DHCP lease history

• DNS server RPZ updated every 2 hours with blocking information from reliable service

Diagram labels: Malicious domains; DNS Server with RPZ; Blocked attempt sent to Syslog; Malware / APT; Malware / APT spreads within network; Calls home; Malware Data Feed Service; IPs, Domains, etc. of Bad Servers; Internet; Intranet


Blocking APT from using DNS

• Detect - FireEye detects APT, alerts are sent to Infoblox.

• Disrupt - DNS Server RPZ with FireEye data disrupts malware DNS communication

• DNS/DHCP/IPAM: Pinpoint Reporting/Syslogs should be able to cross correlate the following: IP address, MAC address, Host name, DHCP lease history

Diagram labels: Malicious Domains; Infoblox DDI with DNS Firewall; Blocked attempt sent to Syslog; Malware; Alerts; FireEye NX Series; FireEye detonates and detects malware; Internet; Intranet; Endpoint Attempting To Download Infected File
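An added example, not part of the original slides or any Infoblox or FireEye product: the cross-correlation both RPZ slides call for, joining each blocked-query syslog entry to the DHCP lease that held the client IP at that moment so the hit resolves to a MAC address and host name. The log layout, lease records, domains and addresses are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed syslog lines in a simplified layout (assumption, not a product's format).
RPZ_LOG = """\
2014-04-02T09:15:03 rpz: client 10.0.5.23 query c2.bad.example blocked NXDOMAIN
2014-04-02T13:40:11 rpz: client 10.0.5.23 query c2.bad.example blocked NXDOMAIN
2014-04-02T13:41:00 rpz: client 10.0.9.99 query drop.bad.example blocked NXDOMAIN
"""

# Constructed DHCP lease history: (ip, mac, hostname, lease start, lease end).
LEASES = [
    ("10.0.5.23", "00:11:22:33:44:55", "hr-laptop-07", "2014-04-02T08:00:00", "2014-04-02T12:00:00"),
    ("10.0.5.23", "66:77:88:99:aa:bb", "guest-tablet", "2014-04-02T12:30:00", "2014-04-02T16:30:00"),
]

LINE_RE = re.compile(r"^(\S+) rpz: client (\S+) query (\S+) blocked")

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def lease_at(ip, when, leases=LEASES):
    """Return the lease that held `ip` at time `when`, or None if no lease covers it."""
    for l_ip, mac, host, start, end in leases:
        if l_ip == ip and parse(start) <= when < parse(end):
            return {"mac": mac, "hostname": host}
    return None

def correlate(log_text=RPZ_LOG, leases=LEASES):
    """Attach MAC and host name to every blocked query via the lease active at that time."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an RPZ block entry
        ts, ip, domain = m.groups()
        owner = lease_at(ip, parse(ts), leases) or {"mac": None, "hostname": None}
        hits.append({"time": ts, "ip": ip, "domain": domain, **owner})
    return hits

if __name__ == "__main__":
    for hit in correlate():
        print(hit)
```

The first two hits share an IP address but resolve to different devices, which is why lease history rather than the IP alone identifies the infected host; the third has no lease on record and needs a static-address inventory lookup.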


DNS RPZ Protects against…..

Fast Flux: Rapidly changing of domains & IP addresses by malicious domains to obfuscate identity and location

APT / Malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long term attack (FireEye)

DNS Hacking: Hacking DNS registry(s) & re-directing users to malicious domain(s)

Geo-Blocking: Blocking access to geographies that have rates of malicious domains or Economic Sanctions by US Government


Summary

DNS is the cornerstone of the Internet

Unprotected DNS infrastructure introduces security risks

Securing DNS protects critical DNS services

Defend Against DNS Attacks

Prevents Malware/APT from Using DNS

Secure the DNS Platform


Thank you!

For more information www.infoblox.com