TRANSCRIPT
1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2014 Infoblox Inc. All Rights Reserved.
Securing DNS Infrastructure
Steven Barber | Principal Sales Engineer
April 2014
Agenda
Securing DNS Infrastructure
Securing the DNS Platform
Defending Against DNS Attacks
Preventing Malware from using DNS
DNS Security Challenges
Infoblox Overview
Infoblox Overview & Business Update
Founded in 1999
Headquartered in Santa Clara, CA with global operations in 25 countries
Market leadership
• Gartner “Strong Positive” rating
• 40%+ market share (DDI)
6,900+ customers, 64,000+ systems shipped
38 patents, 25 pending
IPO April 2012: NYSE BLOX
Leader in technology for network control
Total Revenue ($MM, fiscal year ending July 31; values recovered from the slide’s bar chart): FY2007 $35.0, FY2008 $56.0, FY2009 $61.7, FY2010 $102.2, FY2011 $132.8, FY2012 $169.2, FY2013 $225.0 (30% CAGR)
Infoblox: Technology for Network Control
(Architecture diagram, reconstructed from its labels)
Infrastructure Security
Network infrastructure: firewalls, switches, routers, web proxy, load balancers
• Discovery, real-time configuration & change, compliance
• Historical / real-time reporting & control
Apps & end-points: end points, virtual machines, private cloud, applications
• Essential network control functions: DNS, DHCP, IPAM (DDI)
Control plane: Infoblox Grid™ with real-time network database
Why is DNS an Ideal Target?
• DNS is the cornerstone of the Internet, used by every business and government
• DNS as a protocol is easy to exploit
• DNS outage = business downtime
• Traditional protection is ineffective against evolving threats
Today’s DNS Security Challenges
1. Securing the DNS Platform
2. Defending Against DNS Attacks
3. Preventing Malware from using DNS
Securing DNS – Part 1: Secure the DNS Platform
Hacks of DNS – 2013 & 2014
Security Risks with Conventional Approach
DNS installed on an off-the-shelf server:
• Many open ports subject to attack (multiple open ports)
• Users have OS-level account privileges on the server
• No visibility into good vs. bad traffic
• Requires time-consuming manual updates
• Requires multiple applications for device management
Secure DNS Servers – Hardware / OS / Application
• Minimal attack surface
• Active/active HA and disaster recovery
• Fast, easy upgrades
• Detailed audit logging
• Centralized management with role-based access control (no root access)
• Encrypted inter-appliance communication
• Secured access, communication and API
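Most of the "conventional approach" risks on the previous slide come down to what the name server configuration exposes. As an added example that is not Infoblox's or BIND's code, the Python below audits the `options` block of a BIND named.conf for the exposures a stock resolver typically ships with (open recursion, open zone transfer, version disclosure, no response rate limiting, listening on every interface) and shows a hardened copy of the same file passing clean. Both configuration files are constructed samples; the parser, the finding texts and the severity levels are this example's own assumptions, and the parser handles only the one level of brace nesting these statements need.

```python
"""Audit the 'options' block of a BIND named.conf for common off-the-shelf exposures.
Added example (not Infoblox or BIND code). The regex parser is deliberately small: one level of
nested braces, enough for the statements checked here, not a full named.conf grammar."""
import re

# Constructed sample: an unhardened resolver as it often ships. Not a real deployment.
UNHARDENED_NAMED_CONF = """
options {
    directory "/var/named";
    listen-on { any; };
    recursion yes;
    allow-query { any; };
    allow-transfer { any; };
    version "BIND 9.9.4";
};
"""

# Constructed sample: the same server hardened.
HARDENED_NAMED_CONF = """
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };
    recursion yes;
    allow-query { any; };
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };
    allow-transfer { 192.0.2.54; };
    version "none";
    rate-limit { responses-per-second 5; window 5; };
};
"""

# "<statement> <value>;" where value may be a quoted string, a word, or one { ... } block
STATEMENT = re.compile(r"([a-z-]+)\s+([^;{]*(?:\{[^}]*\})?)\s*;")

def parse_options(conf):
    """Return {statement: raw value text} for the top-level options { ... } block."""
    m = re.search(r"^options\s*\{(.*?)^\};", conf, re.S | re.M)
    return {s.group(1): s.group(2).strip() for s in STATEMENT.finditer(m.group(1))} if m else {}

def is_open(acl):
    """True if an address-match list admits the whole Internet."""
    tokens = re.findall(r"[^{};\s]+", acl or "")
    return any(t.lower() in ("any", "0.0.0.0/0", "::/0") for t in tokens)

def effective_recursion_acl(opts):
    """BIND's documented default chain when allow-recursion is not set:
    allow-recursion -> allow-query-cache -> allow-query -> { localnets; localhost; }."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return opts[key]
    return "{ localnets; localhost; }"

def audit(conf):
    """Return a list of (severity, finding) for the exposures visible in the options block."""
    o = parse_options(conf)
    findings = []
    # BIND recurses by default; the question is who is allowed to ask
    if o.get("recursion", "yes").lower() == "yes" and is_open(effective_recursion_acl(o)):
        findings.append(("HIGH", "open recursive resolver: usable as a reflector in DrDoS attacks; "
                                 "restrict allow-recursion to internal networks or set recursion no"))
    if is_open(o.get("allow-transfer", "")):
        findings.append(("MEDIUM", "allow-transfer { any; }: anyone can AXFR the zone (reconnaissance); "
                                   "restrict to secondaries and/or require TSIG"))
    version = o.get("version", "").strip().strip('"').lower()
    if version != "none":
        findings.append(("LOW", 'version is not "none": the real version is disclosed to '
                                "version.bind CH TXT queries, which helps attackers pick exploits"))
    if "rate-limit" not in o:
        findings.append(("MEDIUM", "no rate-limit block: responses are not rate limited (RRL), so a "
                                   "spoofed query flood is answered at full volume"))
    if is_open(o.get("listen-on", "any")):   # BIND's default is all IPv4 interfaces
        findings.append(("INFO", "listen-on { any; }: bind only the interfaces that should serve DNS"))
    return findings

if __name__ == "__main__":
    for name, conf in (("unhardened", UNHARDENED_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(name)
        for severity, text in audit(conf) or [("OK", "no findings")]:
            print(f"  [{severity}] {text}")
```

Run as a script it prints the five findings for the first file and "no findings" for the second; the same `audit()` can be pointed at a real named.conf read from disk, with the caveat that `include` files and per-view overrides are not followed.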
DNSSEC – External DNS Security
Cryptographically signed DNS data, with a chain of trust from the DNS root through the 2nd-level domain down to the nth-level domain
Automatically implement DNSSEC to mitigate cache-poisoning and hijacking threats such as the Kaminsky attack
Implementing DNSSEC…
• Central configuration of all DNSSEC parameters
• Automated key refresh (rollover)
• Automated maintenance of signed zones
Securing DNS – Part 2: Defend Against DNS Attacks
DNS Attacks up 216%
Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013. Share of infrastructure-layer attacks by vector (values recovered from the slide’s chart): UDP fragment 17.11%, SYN 14.56%, UDP floods 13.15%, ICMP 9.71%, DNS 9.58%, CHARGEN 6.39%, ACK 2.81%, RESET 1.4%, FIN PUSH 1.28%, SYN PUSH 0.38%, RP 0.26%, TCP fragment 0.13%
~10% of infrastructure attacks targeted DNS
Source: Arbor Networks. Share of survey respondents who experienced application-layer attacks, by service (values recovered from the slide’s bar chart): HTTP 82%, DNS 77%, HTTPS 54%, SMTP 25%, SIP/VoIP 20%, Other 9%, IRC 6%
~80% of organizations surveyed experienced application-layer attacks on DNS
Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
• Combines reflection and amplification
• Uses third-party open resolvers on the Internet as unwitting accomplices
• Attacker sends small packets with a spoofed source address to the open recursive servers, requesting a large amount of data to be sent to the victim’s IP address
• Uses many such open resolvers, often thousands of servers
• Queries are specially crafted to result in a very large response
• Causes a DDoS on the victim’s server
How the attack works (diagram): Attacker → spoofed queries → open recursive servers on the Internet → amplified, reflected packets → target victim
Protection against attacks
(Diagram, reconstructed from its labels) External and internal DNS servers receive legitimate traffic mixed with attack traffic: amplification, cache poisoning, reconnaissance and DNS exploits. A cloud-based threat-rule update service pushes automatic updates to the DNS servers; the servers send data for reports to a reporting server, which reports on attack types and severity.
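The two slides above describe the amplification attack and the defence in pictures. As an added example that is not Infoblox code, the Python below builds the actual 40-byte ANY query with an EDNS0 OPT record that an attacker spoofs toward a reflector, computes the amplification factor against an assumed 3,000-byte response, and then models response rate limiting (a simplified per-client/per-name token bucket in the spirit of the RRL feature in authoritative servers, not any vendor's exact implementation) to show that a spoofed flood toward one victim prefix stops being answered while an unrelated client is still served. The query name, the response size, the 5-per-second budget and the slip ratio are assumptions.

```python
"""DNS reflection/amplification on a real wire-format query, plus a response rate limiter.
Added example; not Infoblox code and not a model of any vendor's implementation."""
import struct
from collections import Counter

def encode_name(name):
    """DNS wire-format name: length-prefixed labels terminated by the root label (0x00)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

QTYPE_ANY, CLASS_IN, TYPE_OPT = 255, 1, 41

def build_query(qname, qtype=QTYPE_ANY, txid=0x1234, edns_bufsize=4096):
    """The small packet an attacker sends with the victim's address as source: an ANY query carrying an
    EDNS0 OPT record that advertises a large UDP buffer, so the reflector sends its largest UDP reply."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # flags=RD; QD=1 AN=0 NS=0 AR=1 (the OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR (RFC 6891): root owner name, TYPE 41, CLASS = requester's UDP payload size,
    # TTL = extended RCODE/version/flags (0), RDLENGTH = 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt

def amplification_factor(query, response_len, ip_udp_overhead=28):
    """Bytes the victim receives per byte the attacker sends, counting IPv4+UDP headers on both sides."""
    return (response_len + ip_udp_overhead) / (len(query) + ip_udp_overhead)

class ResponseRateLimiter:
    """Token bucket keyed by (client /24, qname). Identical answers toward one spoofed victim prefix are
    throttled once the burst is spent; every `slip`-th suppressed answer is sent truncated (TC=1) instead
    of dropped, so a genuine client in that prefix retries over TCP, where the source cannot be spoofed."""
    def __init__(self, responses_per_second=5, window=5, slip=2):
        self.rate = responses_per_second
        self.burst = responses_per_second * window   # tokens available before throttling starts
        self.slip = slip
        self.buckets = {}                            # key -> [tokens, last_seen, suppressed_count]

    def decide(self, client_ip, qname, now):
        key = (client_ip.rsplit(".", 1)[0], qname.lower())   # /24: victims are spoofed across a prefix
        tokens, last, suppressed = self.buckets.get(key, [self.burst, now, 0])
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill for elapsed time
        if tokens >= 1:
            self.buckets[key] = [tokens - 1, now, suppressed]
            return "RESPOND"
        suppressed += 1
        self.buckets[key] = [tokens, now, suppressed]
        return "SLIP" if self.slip and suppressed % self.slip == 0 else "DROP"

def simulate_flood(n=100, victim="203.0.113.7", qname="example.com"):
    """n spoofed queries 'from' the victim within one second, then one query from an unrelated client."""
    rrl = ResponseRateLimiter(responses_per_second=5, window=5, slip=2)
    result = dict(Counter(rrl.decide(victim, qname, now=0.0) for _ in range(n)))
    result["other_client"] = rrl.decide("198.51.100.9", qname, now=0.0)
    return result

if __name__ == "__main__":
    q = build_query("example.com")
    print(len(q), "byte query on the wire (plus 28 bytes IPv4/UDP)")
    # 3,000 bytes is an assumed size for an ANY answer from a DNSSEC-signed zone with many records
    print(round(amplification_factor(q, 3000), 1), "x amplification")
    print(simulate_flood())   # 25 answered, the rest slipped or dropped; other client still answered
```

With a 5/s budget and a 5 s window the first 25 spoofed queries are answered and the remaining 75 are suppressed, alternating DROP and SLIP; the victim receives at most the burst plus the small truncated replies instead of 100 amplified responses, and the client in another prefix is unaffected.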
DNS Protection is not Just About DDoS
DNS reflection / DrDoS attacks: using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
DNS amplification: using a specially crafted query to create an amplified response that floods the victim with traffic
DNS-based exploits: attacks that exploit vulnerabilities in the DNS software
TCP/UDP/ICMP floods: layer-3/4 denial of service that brings a network or service down by flooding it with large amounts of traffic
DNS cache poisoning: corruption of the DNS cache data with a rogue address
Protocol anomalies: causing the server to crash by sending malformed packets and queries
Reconnaissance: attempts by attackers to get information on the network environment before launching a DDoS or other type of attack
DNS tunneling: tunneling another protocol through DNS for data exfiltration
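Of the attack types listed above, DNS tunneling is the one a resolver cannot recognise from packet shape or a single query; it shows up as a pattern across many queries to one domain. As an added example that is not part of the original deck, the Python below scores a constructed query log per registered domain (distinct subdomain count, subdomain length, character entropy, share of TXT/NULL queries) and flags the domain carrying a tunnel. The log line format, the thresholds and the two-label domain split are this example's assumptions; a production detector would use the Public Suffix List and tune thresholds against its own baseline.

```python
"""Flag DNS tunneling from query logs by per-domain subdomain volume, length and entropy.
Added example; not Infoblox code. Log format and thresholds are this example's own assumptions."""
import hashlib
import math
import re
from collections import defaultdict

# Constructed log line format: "<epoch> <client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

def build_sample_log():
    """Constructed log: routine lookups from a few hosts, plus one host exfiltrating data through
    long encoded labels under tun.example.net. sha256 prefixes stand in for the encoded payload."""
    t0 = 1700000000
    benign = ["www.example.com", "mail.example.com", "api.example.com", "cdn.example.org", "www.example.org"]
    lines = [f"{t0 + i} 10.1.2.{10 + i % 5} {benign[i % len(benign)]} A" for i in range(40)]
    for i in range(30):
        payload = hashlib.sha256(str(i).encode()).hexdigest()[:48]
        lines.append(f"{t0 + i} 10.1.2.77 {payload[:32]}.{payload[32:]}.tun.example.net TXT")
    return lines

def split_name(qname):
    """(registered domain, subdomain prefix). Assumes a two-label public suffix; a real detector
    consults the Public Suffix List so that e.g. shop.co.uk is not split as co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def shannon_entropy(s):
    """Bits per character. Encoded payloads approach log2(alphabet size); hostnames sit far lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def score_domains(lines):
    """Aggregate, per registered domain, the signals that separate a tunnel from normal lookups."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "entropy": 0.0, "length": 0, "txt_null": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # skip unparsable lines instead of aborting the batch
        _ts, _client, qname, qtype = m.groups()
        zone, sub = split_name(qname)
        d = acc[zone]
        d["queries"] += 1
        d["subs"].add(sub)
        d["entropy"] += shannon_entropy(sub.replace(".", ""))
        d["length"] += len(sub)
        d["txt_null"] += qtype.upper() in ("TXT", "NULL")   # record types tunnels favour for bulk data
    return {zone: {"queries": d["queries"],
                   "unique_subdomains": len(d["subs"]),
                   "avg_entropy": d["entropy"] / d["queries"],
                   "avg_subdomain_len": d["length"] / d["queries"],
                   "txt_null_ratio": d["txt_null"] / d["queries"]}
            for zone, d in acc.items()}

def flag_tunnels(stats, min_unique=20, min_entropy=3.0, min_len=30):
    """A domain is suspect when it sees many distinct, long, high-entropy subdomains. The thresholds are
    starting points; CDNs, anti-spam lookups and some telemetry SDKs can look similar and need allow-listing."""
    return sorted(zone for zone, s in stats.items()
                  if s["unique_subdomains"] >= min_unique
                  and s["avg_entropy"] >= min_entropy
                  and s["avg_subdomain_len"] >= min_len)

if __name__ == "__main__":
    stats = score_domains(build_sample_log())
    for zone in flag_tunnels(stats):
        s = stats[zone]
        print(f"suspected tunnel: {zone} unique_subdomains={s['unique_subdomains']} "
              f"avg_entropy={s['avg_entropy']:.2f} avg_len={s['avg_subdomain_len']:.0f} "
              f"txt_null={s['txt_null_ratio']:.2f}")
```

The benign domains never exceed a handful of short, low-entropy subdomains, so only example.net is reported; in practice the same scoring is run over a sliding time window per domain, and the flagged name is the candidate for an RPZ entry.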
Securing DNS – Part 3: Prevent Malware/APT from Using DNS
Anatomy of an Attack: Cryptolocker “Ransomware”
• Targets Windows-based computers
• Arrives as an attachment to a legitimate-looking email
• Upon infection, encrypts files on the local hard drive and on mapped network drives
• Ransom: 72 hours to pay US$300
• Fail to pay and the encryption key is deleted and the data is gone forever
• Only way to stop it (after the executable has started) is to block the outbound connection to the encryption key server
Blocking Malware from using DNS
1. An infected device is brought into the office; the malware / APT spreads to other devices on the network and calls home.
2. The malware makes a DNS query to find “home” (botnet / C&C).
3. The DNS server with RPZ detects and blocks the DNS query to the malicious domain; the blocked attempt is sent to syslog.
4. The DNS server’s RPZ is updated every 2 hours with blocking information (IPs, domains, etc. of bad servers) from a reliable malware data feed service on the Internet.
DNS/DHCP/IPAM: pinpoint reporting / syslogs should be able to cross-correlate the following:
• IP address
• MAC address
• Host name
• DHCP lease history
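As an added example that is not Infoblox's (or BIND's) code, the Python below does in software what the slide above describes: it loads a constructed RPZ zone written in standard zone-file syntax, applies QNAME-trigger matching (exact name first, then the closest enclosing wildcard) with the usual RPZ action encodings (CNAME to `.` for NXDOMAIN, `*.` for NODATA, `rpz-passthru.`, `rpz-drop.`, or a walled-garden name), and then attributes a blocked query to a MAC address and host name through a constructed DHCP lease table, which is the cross-correlation the last bullet asks for. The zone contents, the lease table and the syslog line format are assumptions.

```python
"""Apply an RPZ (Response Policy Zone) to queries and attribute hits to a device via DHCP leases.
Added example (not Infoblox or BIND code): a small RPZ interpreter over a constructed policy zone."""

# Constructed RPZ zone in standard zone-file syntax. Owner names are QNAME triggers relative to
# the zone origin; the CNAME target encodes the action.
RPZ_ZONE = """\
$ORIGIN rpz.example.
@                    SOA   ns.rpz.example. hostmaster.rpz.example. 2024040100 3600 600 86400 300
@                    NS    ns.rpz.example.
evil-c2.test         CNAME .                 ; NXDOMAIN: the C&C name the malware looks up
*.evil-c2.test       CNAME .                 ; ...and every name beneath it
dropme.test          CNAME rpz-drop.         ; no answer at all
updates.vendor.test  CNAME rpz-passthru.     ; exact-name exception (exact beats wildcard)
*.vendor.test        CNAME *.                ; NODATA for everything else under vendor.test
phish.test           CNAME sinkhole.example. ; walled garden: answer with our sinkhole's name
"""

# Constructed DHCP lease history: (ip, mac, hostname, lease_start, lease_end) as epoch seconds.
# The same IP belongs to two devices at different times, which is why the timestamp matters.
LEASES = [
    ("10.1.2.77", "00:11:22:33:44:55", "lab-laptop-7", 1700000000, 1700003600),
    ("10.1.2.77", "66:77:88:99:aa:bb", "guest-phone", 1700003600, 1700007200),
]

def parse_rpz(zone_text):
    """Return {trigger_name: cname_target} for the QNAME triggers; other record types are skipped."""
    origin, policy = "", {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop zone-file comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1].upper() != "CNAME":
            continue
        owner = parts[0].lower()
        if not owner.endswith(".") and origin:
            owner = owner + "." + origin               # relative owner name
        trigger = owner.rstrip(".")
        if origin and trigger.endswith("." + origin):
            trigger = trigger[: -len(origin) - 1]      # strip the zone origin to get the trigger
        policy[trigger] = parts[2].lower()
    return policy

def action_for(target):
    """Decode the RPZ action encoded in a trigger's CNAME target."""
    special = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
               "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}
    return special.get(target, "CNAME " + target)

def lookup(policy, qname):
    """Exact trigger first, then the closest enclosing wildcard. Returns (action, matched trigger)."""
    name = qname.rstrip(".").lower()
    if name in policy:
        return action_for(policy[name]), name
    labels = name.split(".")
    for i in range(1, len(labels)):                    # *.b.c, then *.c: a wildcard never matches its own apex
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return action_for(policy[wildcard]), wildcard
    return "PASS", None                                # no policy: answer normally

def lease_owner(leases, ip, ts):
    """Cross-correlate the querying IP with the DHCP lease active at that time."""
    for lease_ip, mac, host, start, end in leases:
        if lease_ip == ip and start <= ts < end:
            return mac, host
    return None, None

def process_query(policy, leases, ts, client_ip, qname):
    """Evaluate one query and, on a policy hit, build the syslog line (format is this example's own)."""
    action, trigger = lookup(policy, qname)
    mac, host = lease_owner(leases, client_ip, ts)
    event = {"ts": ts, "client": client_ip, "qname": qname, "action": action,
             "trigger": trigger, "mac": mac, "hostname": host}
    if trigger is not None:
        event["syslog"] = (f"rpz: client {client_ip} ({mac or 'unknown-mac'}/{host or 'unknown-host'}) "
                           f"query {qname} -> {action} via trigger {trigger}")
    return event

if __name__ == "__main__":
    pol = parse_rpz(RPZ_ZONE)
    for q in ["evil-c2.test", "a.b.evil-c2.test", "updates.vendor.test",
              "cdn.vendor.test", "phish.test", "www.example.com"]:
        ev = process_query(pol, LEASES, 1700001234, "10.1.2.77", q)
        print(ev.get("syslog", f"{q}: PASS"))
```

The lease lookup is time-bounded on purpose: the same address at a later timestamp resolves to a different device, so a report that joins only on IP would blame the wrong machine.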
Blocking APT from using DNS
1. Detect – an endpoint attempts to download an infected file; the FireEye NX Series detonates and detects the malware, and alerts are sent to Infoblox.
2. Disrupt – the DNS server RPZ (Infoblox DDI with DNS Firewall), loaded with the FireEye data, disrupts the malware’s DNS communication with its malicious domains.
3. The blocked attempt is sent to syslog.
DNS/DHCP/IPAM: pinpoint reporting / syslogs should be able to cross-correlate the following:
• IP address
• MAC address
• Host name
• DHCP lease history
DNS RPZ Protects against…
Fast flux: rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location
APT / malware: malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye feed)
DNS hacking: hacking DNS registries and redirecting users to malicious domains
Geo-blocking: blocking access to geographies that have high rates of malicious domains or are subject to US Government economic sanctions
Summary
• DNS is the cornerstone of the Internet
• Unprotected DNS infrastructure introduces security risks
• Securing DNS protects critical DNS services:
  - Defend against DNS attacks
  - Prevent malware/APT from using DNS
  - Secure the DNS platform
Thank you!
For more information www.infoblox.com