Domain Name System (DNS): Network Security Asset or Achilles Heel?

Arya Barirani, VP Product Marketing / Infoblox

November 2014

© 2014 Infoblox Inc. All Rights Reserved.



Agenda

• What is DNS and How Does it Work?
• Threat Landscape Trends
• Common Attack Vectors
  – Anatomy of an attack: DNS Hijacking
  – Anatomy of an attack: Reflection Attack
  – Anatomy of an attack: DNS DDoS
• How To Protect Yourself?
• Q & A


What is the Domain Name System (DNS)?

• Address book for all of the Internet
• Translates “google.com” to 173.194.115.96
• Invented in 1983 by Paul Mockapetris (UC Irvine)

Without DNS, the Internet and network communications would stop


How Does DNS Work?

[Diagram labels: ISP DNS server; root DNS server; www.google.com (173.194.115.96). Speech bubbles, in order:]

• “I need directions to www.google.com”
• “That domain is not in my server, I will ask another DNS Server”
• “That’s in my cache, it maps to: 173.194.115.96”
• “Great, I’ll put that in my cache in case I get another request”
• “Great, now I know how to get to www.google.com”


For Bad Guys, DNS Is a Great Target

• DNS is the cornerstone of the Internet, used by every business and government
• DNS is fairly easy to exploit
• DNS outage = business downtime
• Traditional protection is ineffective against evolving threats


The Rising Tide of DNS Threats: Are You Prepared?

In the last year alone there has been an increase of:

• 200% DNS attacks [1]
• 58% DDoS attacks [1]

• 100x: With possible amplification up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge
• 33M: Number of open recursive DNS servers [2]
• 28M: Pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks [2]
• 2M: With enterprise level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant

1. Quarterly Global DDoS Attack Report, Prolexic, 1st Quarter, 2013
2. www.openresolverproject.org


The Rising Tide of DNS Threats

DNS attacks are rising for 3 reasons:

1. Easy to spoof
2. Asymmetric amplification
3. High-value target

Countries of origin for the most DDoS attacks in the last year: China, US, Brazil, Russia, France, India, Germany, Korea, Egypt, Taiwan


DNS Attack Vectors


The DNS Security Challenges

1. Securing the DNS Platform
2. Defending Against DNS Attacks (DDoS / Cache Poisoning)
3. Preventing Malware from using DNS


Anatomy of an Attack: Syrian Electronic Army


Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)

How the attack works

[Diagram labels: Attacker; Internet; Spoofed Queries; Open Recursive Servers; Amplified Reflected Packets; Target Victim]

• Combines reflection and amplification
• Uses third-party open resolvers in the Internet (unwitting accomplice)
• Attacker sends spoofed queries to the open recursive servers
• Uses queries specially crafted to result in a very large response
• Causes DDoS on the victim’s server


Anatomy of an Attack: DNS DDoS For Hire

• DDoS attacks against major U.S. financial institutions
• Launches DDoS attacks by taking advantage of server bandwidth
• 4 types of DDoS attacks:
  – DNS amplification
  – Spoofed SYN
  – Spoofed UDP
  – HTTP + proxy support
• Script offered for $800


The Rising Tide of DNS Threats

Top 10 DNS attacks

• DNS amplification: Use amplification in DNS reply to flood victim
• Protocol anomalies: Malformed DNS packets causing server to crash
• DNS hijacking: Subverting resolution of DNS queries to point to rogue DNS server
• Reconnaissance: Probe to get information on network environment before launching attack
• Fragmentation: Traffic with lots of small out-of-order fragments
• TCP/UDP/ICMP floods: Flood victim’s network with large amounts of traffic
• DNS cache poisoning: Corruption of a DNS cache database with a rogue address
• DNS tunneling: Tunneling of another protocol through DNS for data exfiltration
• DNS based exploits: Exploit vulnerabilities in DNS software
• DNS reflection/DrDoS: Use third-party DNS servers to propagate DDoS attack


Protection Best Practices


Help Is On the Way!

• Collaboration
• Dedicated Appliances
• Monitoring
• DNSSEC
• RPZ
• Advanced DNS Protection


Get the Teams Talking – Questions to Ask:

• Who in your org is responsible for DNS Security?
• What methods, procedures, tools do you have in place to detect and mitigate DNS attacks?
• Would you know if an attack was happening, would you know how to stop it?

[Diagram labels: Network Team; Security Team; IT Apps Team; IT OPS Team]


Hardened DNS Appliances

Conventional Server Approach

– Many open ports subject to attack
– Users have OS-level account privileges on server
– Requires time-consuming manual updates

Hardened Appliance Approach

– Dedicated hardware with no unnecessary logical or physical ports
– No OS-level user accounts – only admin accts
– Immediate updates to new security threats
– Secure HTTPS-based access to device management
– No SSH or root-shell access
– Encrypted device to device communication

[Diagram labels: Multiple Open Ports (conventional server); Limited Port Access, Threat Update Service, Secure Access (hardened appliance)]


Monitoring & Alert on Aggregate Query Rate
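
An added example (not part of the original slides) of the monitoring this slide names, applied to the reflection attack described earlier in the deck: it alerts on aggregate query rate per time window and lists sources whose responses are far larger than their queries. The log tuples, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def make_log():
    """Constructed resolver log: (second, source IP, query bytes, response bytes)."""
    log = []
    for t in range(60):                      # baseline: three clients, 1 query/s each
        for ip in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
            log.append((t, ip, 60, 120))
    for t in range(30, 40):                  # burst: one source, 200 queries/s
        log.extend((t, "198.51.100.7", 64, 3200) for _ in range(200))
    return log

def rate_alerts(log, window=10, factor=5.0):
    """Start times of windows whose query count exceeds factor x the median window."""
    counts = defaultdict(int)
    for t, _ip, _q, _r in log:
        counts[t // window] += 1
    baseline = median(counts.values())
    return sorted(w * window for w, n in counts.items() if n > factor * baseline)

def amplified_sources(log, min_ratio=10.0, min_bytes=100_000):
    """Sources sent far more bytes than they asked with, and their amplification ratio.

    On a resolver abused as a reflector, such a source address is typically
    the spoofed address of the victim, not the real sender.
    """
    sent, received = defaultdict(int), defaultdict(int)
    for _t, ip, q, r in log:
        sent[ip] += q
        received[ip] += r
    return {ip: round(received[ip] / sent[ip], 1)
            for ip in sent
            if received[ip] >= min_bytes and received[ip] / sent[ip] >= min_ratio}
```

Using the median window as the baseline keeps a single burst from raising its own alert threshold.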


DNSSEC

• Fixes Kaminsky Vulnerability
• DNS Security Extensions
• Uses public key cryptography to verify the authenticity of DNS zone data (records)
  – DNSSEC zone data is digitally signed using a private key for that zone
  – A DNS server receiving DNSSEC signed zone data can verify the origin and integrity of the data by checking the signature using the public key for that zone


Advanced DNS Protection

[Diagram labels: Reporting Server; Reports on attack types, severity; Data for Reports; Updated Threat-Intelligence Server; Automatic updates; Grid-wide rule distribution; Advanced DNS Protection (External DNS); Advanced DNS Protection (Internal DNS). Traffic shown: Legitimate Traffic; Amplification; Cache Poisoning; Reconnaissance; DNS Exploits]


Response Policy Zones - RPZ: Blocking Queries to Malicious Domains

• An infected device brought into the office. Malware spreads to other devices on network.
• Malware makes a DNS query to find “home” (botnet / C&C). DNS Server detects & blocks DNS query to malicious domain.
• Query to malicious domain logged; security teams can now identify requesting end-point and attempt remediation.
• RPZ regularly updated with malicious domain data using available reputational feeds.

[Diagram labels: Internet; Intranet; Malicious domains; Reputational Feed: IPs, Domains, etc. of Bad Servers; DNS Server with RPZ Capability; Blocked attempt sent to Syslog; Malware / APT; Malware / APT spreads within network; Calls home]
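
The flow on this slide as an added example (not Infoblox code and not from the original deck): a simplified model of RPZ name matching that blocks a lookup, writes a log line, and groups the logged hits by requesting client. The trigger names, client addresses and the `rpz-block` log format are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed policy triggers (exact and wildcard) and constructed client queries.
RPZ_TRIGGERS = {"c2.badcorp.example", "*.dyn-malware.example"}
QUERIES = [
    ("10.1.4.23", "c2.badcorp.example"),
    ("10.1.4.23", "www.example.com"),
    ("10.1.7.88", "x1.dyn-malware.example."),
    ("10.1.7.88", "x2.dyn-malware.example"),
    ("10.1.9.5", "dyn-malware.example"),   # zone apex: a wildcard does not cover it
    ("10.1.4.23", "C2.BadCorp.example"),   # DNS names compare case-insensitively
]

def rpz_match(qname, triggers=RPZ_TRIGGERS):
    """Return the trigger that matches qname, or None."""
    name = qname.rstrip(".").lower()
    if name in triggers:
        return name
    labels = name.split(".")
    for i in range(1, len(labels)):          # try *.parent for every ancestor
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in triggers:
            return wildcard
    return None

def resolve(client, qname, syslog):
    """Block (NXDOMAIN) and log on a policy hit; otherwise resolve as usual."""
    trigger = rpz_match(qname)
    if trigger is None:
        return "FORWARDED"
    name = qname.rstrip(".").lower()
    syslog.append(f"rpz-block client={client} qname={name} trigger={trigger}")
    return "NXDOMAIN"

def infected_endpoints(syslog):
    """Group blocked lookups by requesting client so each can be remediated."""
    hits = defaultdict(Counter)
    for line in syslog:
        tag, _, rest = line.partition(" ")
        if tag == "rpz-block":
            f = dict(p.split("=", 1) for p in rest.split())
            hits[f["client"]][f["qname"]] += 1
    return {client: dict(names) for client, names in hits.items()}

def run(queries=QUERIES):
    syslog = []
    answers = [resolve(c, q, syslog) for c, q in queries]
    return answers, infected_endpoints(syslog)
```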


Call to Action

• DNS security vulnerabilities pose a significant threat

• Raise the awareness of DNS and DNS security vulnerabilities in your organization

• There are multitudes of resources available to help

• Seek help if needed to protect DNS


Take the DNS Security Risk Assessment

1. Analyzes your organization’s DNS setup to assess level of risk of exposure to DNS threats

2. Provides DNS Security Risk Score and analysis based on answers given

3. www.infoblox.com/dnssecurityscore

Higher score = higher DNS security risk!!


About Infoblox

Leader in technology for network control

• Founded in 1999
• Headquartered in Santa Clara, CA with global operations in 25 countries
• Market leadership
  – DDI Market Leader (Gartner)
  – 50% DDI Market Share (IDC)
• 7,500+ customers, 74,000+ systems shipped to 100 countries
• 55 patents, 29 pending
• IPO April 2012: NYSE BLOX

Total Revenue ($MM, Fiscal Year Ending July 31), 28% CAGR

FY2007: $35.0
FY2008: $56.0
FY2009: $61.7
FY2010: $102.2
FY2011: $132.8
FY2012: $169.2
FY2013: $225.0
FY2014: $250.3


Thank you!

For more information www.infoblox.com