1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2014 Infoblox Inc. All Rights Reserved.
Domain Name System (DNS): Network Security Asset or Achilles Heel?
Arya Barirani, VP Product Marketing, Infoblox
November 2014
2 | © 2013 Infoblox Inc. All Rights Reserved. 2 | © 2013 Infoblox Inc. All Rights Reserved. 2 | © 2014 Infoblox Inc. All Rights Reserved.
Agenda
• What is DNS and How Does it Work?
• Threat Landscape Trends
• Common Attack Vectors
  – Anatomy of an attack: DNS Hijacking
  – Anatomy of an attack: Reflection Attack
  – Anatomy of an attack: DNS DDoS
• How To Protect Yourself?
• Q & A
3 | © 2013 Infoblox Inc. All Rights Reserved. 3 | © 2013 Infoblox Inc. All Rights Reserved. 3 | © 2014 Infoblox Inc. All Rights Reserved.
What is the Domain Name System (DNS)?
• Address book for all of the Internet
• Translates “google.com” to 173.194.115.96
• Invented in 1983 by Paul Mockapetris (UC Irvine)
Without DNS, the Internet and network communications would stop.
4 | © 2013 Infoblox Inc. All Rights Reserved. 4 | © 2013 Infoblox Inc. All Rights Reserved. 4 | © 2014 Infoblox Inc. All Rights Reserved.
How Does DNS Work?
(Diagram: client, ISP DNS server, root DNS server; www.google.com → 173.194.115.96)
1. Client → ISP DNS server: “I need directions to www.google.com”
2. ISP DNS server: “That domain is not in my server, I will ask another DNS server”
3. Root DNS server → ISP DNS server: “That’s in my cache, it maps to 173.194.115.96”
4. ISP DNS server: “Great, I’ll put that in my cache in case I get another request” and returns 173.194.115.96 to the client
5. Client: “Great, now I know how to get to www.google.com”
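To make the “address book” exchange above concrete at the wire level, here is an added example (not from the Infoblox deck) that builds the A query a client sends for www.google.com, constructs the response a resolver would return with the 173.194.115.96 answer, and parses that response back. It follows the RFC 1035 message layout, including the name-compression pointer that responses use to refer back to the question name; only A/IN records are handled, and the transaction ID 0x1234 and the 300-second TTL are constructed values.

```python
import socket
import struct

# Added example: a minimal DNS wire-format encoder/decoder (RFC 1035).
# Only QTYPE A / QCLASS IN are handled; everything else is out of scope.
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.google.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2   # the name ends where the pointer ends
            offset = pointer
            hops += 1
            if hops > 16:          # guard against malicious pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), end if end is not None else offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, name: str, rd: bool = True) -> bytes:
    """12-byte header + question; RD=1 asks the server to recurse on our behalf."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Answer a query with a single A record whose owner name points back at offset 12."""
    txid, = struct.unpack("!H", query[:2])
    flags = 0x8180                          # QR=1, RD=1, RA=1, RCODE=0 (no error)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = query[12:]                   # question section copied verbatim
    rr = struct.pack("!H", 0xC00C)          # NAME = pointer to the question name
    rr += struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    rr += socket.inet_aton(ip)              # RDATA: 4-byte IPv4 address
    return header + question + rr


def parse_response(msg: bytes) -> dict:
    """Parse header, question and A answers out of a DNS message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, offset = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(an):
        rname, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((rname, ttl, socket.inet_ntoa(rdata)))
    return {"txid": txid, "qname": qname, "qtype": qtype,
            "is_response": bool(flags & 0x8000), "answers": answers}


def demo():
    """Constructed exchange for the slide's example name and address."""
    q = build_query(0x1234, "www.google.com")
    r = build_response(q, "173.194.115.96")
    return q, r, parse_response(r)


if __name__ == "__main__":
    q, r, parsed = demo()
    print(len(q), "byte query ->", len(r), "byte response:", parsed["answers"])
```

Note the sizes: the query is 32 bytes and this single-answer response 48 bytes. Responses with many records (or an ANY query against a large zone) are many times bigger than the query, which is the asymmetry the amplification slides later in the deck rely on.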
5 | © 2013 Infoblox Inc. All Rights Reserved. 5 | © 2013 Infoblox Inc. All Rights Reserved. 5 | © 2014 Infoblox Inc. All Rights Reserved.
For Bad Guys, DNS Is a Great Target
• DNS is the cornerstone of the Internet, used by every business and government
• DNS is fairly easy to exploit
• DNS outage = business downtime
• Traditional protection is ineffective against evolving threats
6 | © 2013 Infoblox Inc. All Rights Reserved. 6 | © 2013 Infoblox Inc. All Rights Reserved. 6 | © 2014 Infoblox Inc. All Rights Reserved.
The Rising Tide of DNS Threats: Are You Prepared?
In the last year alone there has been an increase of:
• 200% in DNS attacks¹
• 58% in DDoS attacks¹
With possible amplification up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge.
• 33M: number of open recursive DNS servers²
• 28M: pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks²
• 2M: with enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant
1. Quarterly Global DDoS Attack Report, Prolexic, 1st Quarter, 2013
2. www.openresolverproject.org
7 | © 2013 Infoblox Inc. All Rights Reserved. 7 | © 2013 Infoblox Inc. All Rights Reserved. 7 | © 2014 Infoblox Inc. All Rights Reserved.
The Rising Tide of DNS Threats
DNS attacks are rising for 3 reasons:
1. Easy to spoof
2. Asymmetric amplification
3. High-value target
Countries of origin for the most DDoS attacks in the last year: China, US, Brazil, Russia, France, India, Germany, Korea, Egypt, Taiwan
8 | © 2013 Infoblox Inc. All Rights Reserved. 8 | © 2013 Infoblox Inc. All Rights Reserved. 8 | © 2014 Infoblox Inc. All Rights Reserved.
DNS Attack Vectors
9 | © 2013 Infoblox Inc. All Rights Reserved. 9 | © 2013 Infoblox Inc. All Rights Reserved. 9 | © 2014 Infoblox Inc. All Rights Reserved.
The DNS Security Challenges
1. Securing the DNS platform
2. Defending against DNS attacks (DDoS / cache poisoning)
3. Preventing malware from using DNS
10 | © 2013 Infoblox Inc. All Rights Reserved. 10 | © 2013 Infoblox Inc. All Rights Reserved. 10 | © 2014 Infoblox Inc. All Rights Reserved.
Anatomy of an Attack: Syrian Electronic Army
11 | © 2013 Infoblox Inc. All Rights Reserved. 11 | © 2013 Infoblox Inc. All Rights Reserved. 11 | © 2014 Infoblox Inc. All Rights Reserved.
Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
How the attack works (diagram: Attacker → spoofed queries → open recursive servers on the Internet → amplified, reflected packets → target victim)
• Combines reflection and amplification
• Uses third-party open resolvers in the Internet (unwitting accomplice)
• Attacker sends spoofed queries to the open recursive servers
• Uses queries specially crafted to result in a very large response
• Causes DDoS on the victim’s server
12 | © 2013 Infoblox Inc. All Rights Reserved. 12 | © 2013 Infoblox Inc. All Rights Reserved. 12 | © 2014 Infoblox Inc. All Rights Reserved.
Anatomy of an Attack: DNS DDoS For Hire
• DDoS attacks against major U.S. financial institutions
• Launching (DDoS) taking advantage of server bandwidth
• 4 types of DDoS attacks: DNS amplification, spoofed SYN, spoofed UDP, HTTP + proxy support
• Script offered for $800
13 | © 2013 Infoblox Inc. All Rights Reserved. 13 | © 2013 Infoblox Inc. All Rights Reserved. 13 | © 2014 Infoblox Inc. All Rights Reserved.
The Rising Tide of DNS Threats: Top 10 DNS Attacks
• DNS amplification: use amplification in DNS reply to flood victim
• Protocol anomalies: malformed DNS packets causing server to crash
• DNS hijacking: subverting resolution of DNS queries to point to rogue DNS server
• Reconnaissance: probe to get information on network environment before launching attack
• Fragmentation: traffic with lots of small out-of-order fragments
• TCP/UDP/ICMP floods: flood victim’s network with large amounts of traffic
• DNS cache poisoning: corruption of a DNS cache database with a rogue address
• DNS tunneling: tunneling of another protocol through DNS for data exfiltration
• DNS-based exploits: exploit vulnerabilities in DNS software
• DNS reflection/DrDoS: use third-party DNS servers to propagate DDoS attack
14 | © 2013 Infoblox Inc. All Rights Reserved. 14 | © 2013 Infoblox Inc. All Rights Reserved. 14 | © 2014 Infoblox Inc. All Rights Reserved.
Protection Best Practices
15 | © 2013 Infoblox Inc. All Rights Reserved. 15 | © 2013 Infoblox Inc. All Rights Reserved. 15 | © 2014 Infoblox Inc. All Rights Reserved.
Help Is On the Way!
• Collaboration
• Dedicated appliances
• Monitoring
• DNSSEC
• RPZ
• Advanced DNS Protection
16 | © 2013 Infoblox Inc. All Rights Reserved. 16 | © 2013 Infoblox Inc. All Rights Reserved. 16 | © 2014 Infoblox Inc. All Rights Reserved.
Get the Teams Talking – Questions to Ask:
• Who in your org is responsible for DNS security?
• What methods, procedures, tools do you have in place to detect and mitigate DNS attacks?
• Would you know if an attack was happening, would you know how to stop it?
(Teams involved: Network Team, Security Team, IT Apps Team, IT Ops Team)
17 | © 2013 Infoblox Inc. All Rights Reserved. 17 | © 2013 Infoblox Inc. All Rights Reserved. 17 | © 2014 Infoblox Inc. All Rights Reserved.
Hardened DNS Appliances
Conventional server approach:
– Multiple open ports: many open ports subject to attack
– Users have OS-level account privileges on server
– Requires time-consuming manual updates
Hardened appliance approach:
– Limited port access: dedicated hardware with no unnecessary logical or physical ports
– No OS-level user accounts, only admin accounts; no SSH or root-shell access
– Threat update service: immediate updates to new security threats
– Secure access: secure HTTPS-based access to device management; encrypted device-to-device communication
18 | © 2013 Infoblox Inc. All Rights Reserved. 18 | © 2013 Infoblox Inc. All Rights Reserved. 18 | © 2014 Infoblox Inc. All Rights Reserved.
Monitoring & Alert on Aggregate Query Rate
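The deck names aggregate query-rate monitoring as a defence but shows no detail, and the DrDoS slide describes the traffic pattern a resolver sees during a reflection attack: a burst of queries chosen for their very large answers, all carrying a spoofed source address (the victim). The following added example (mine, not Infoblox code) runs simple detection logic over constructed resolver query-log lines: it alerts when the aggregate rate in any one-second window exceeds a baseline, and it flags a per-client burst as a reflection suspect when the bytes sent back to that “client” are many times the bytes it sent in. The log format, thresholds and addresses are all assumptions; a real deployment derives the thresholds from measured normal traffic.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real traffic). One line per query:
#   <ISO-8601 time> <client ip> <qname> <qtype> <response bytes>
# 198.51.100.7 is the spoofed "client" of a reflection burst; 10.1.1.5 is
# merely chatty, so it should be rated as a client-rate event, not reflection.
SAMPLE_LOG = """\
2014-11-05T10:00:00Z 10.1.1.5 www.example.com A 62
2014-11-05T10:00:00Z 10.1.1.9 mail.example.com MX 98
2014-11-05T10:00:01Z 10.1.1.5 www.example.com A 62
2014-11-05T10:00:01Z 198.51.100.7 example.org ANY 3180
2014-11-05T10:00:01Z 198.51.100.7 example.org ANY 3180
2014-11-05T10:00:01Z 198.51.100.7 example.org ANY 3180
2014-11-05T10:00:01Z 198.51.100.7 example.org ANY 3180
2014-11-05T10:00:01Z 198.51.100.7 example.org ANY 3180
2014-11-05T10:00:01Z 198.51.100.7 example.org ANY 3180
2014-11-05T10:00:01Z 10.1.1.12 intranet.example.com A 66
2014-11-05T10:00:02Z 10.1.1.5 www.example.com A 62
2014-11-05T10:00:02Z 10.1.1.5 www.example.com A 62
2014-11-05T10:00:02Z 10.1.1.5 www.example.com A 62
2014-11-05T10:00:02Z 10.1.1.5 www.example.com A 62
"""


def parse_line(line: str) -> dict:
    ts, client, qname, qtype, rbytes = line.split()
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"t": t, "client": client, "qname": qname, "qtype": qtype, "rbytes": int(rbytes)}


def estimated_query_size(qname: str) -> int:
    """Wire size of a plain query: 12-byte header + encoded name + 4 bytes type/class."""
    return 12 + (len(qname) + 2) + 4


def analyze(log_text: str, agg_qps: int = 5, client_qps: int = 3, amp_ratio: float = 10.0):
    """Return alert tuples. Thresholds are toy values chosen for the sample."""
    per_second = defaultdict(int)           # aggregate queries per 1-second window
    per_client_second = defaultdict(int)    # queries per (client, window)
    client_bytes = defaultdict(lambda: [0, 0])  # client -> [query bytes in, response bytes out]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sec = rec["t"].replace(microsecond=0)
        per_second[sec] += 1
        per_client_second[(rec["client"], sec)] += 1
        client_bytes[rec["client"]][0] += estimated_query_size(rec["qname"])
        client_bytes[rec["client"]][1] += rec["rbytes"]

    alerts = []
    for sec, n in sorted(per_second.items()):
        if n > agg_qps:
            alerts.append(("AGGREGATE_RATE", sec.isoformat(), n))
    for (client, sec), n in sorted(per_client_second.items()):
        if n > client_qps:
            qbytes, rbytes = client_bytes[client]
            ratio = rbytes / qbytes     # bytes we send back per byte received
            kind = "REFLECTION_SUSPECT" if ratio >= amp_ratio else "CLIENT_RATE"
            alerts.append((kind, client, sec.isoformat(), n, round(ratio, 1)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The point of the byte ratio is that in a reflection attack the “client” address in the log is the victim, so the useful responses are not to block the victim but to stop answering recursive queries from arbitrary Internet sources, to rate-limit identical responses toward one destination (response rate limiting), and to treat the aggregate-rate alert as the trigger for both.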
19 | © 2013 Infoblox Inc. All Rights Reserved. 19 | © 2013 Infoblox Inc. All Rights Reserved. 19 | © 2014 Infoblox Inc. All Rights Reserved.
DNSSEC
• Fixes Kaminsky vulnerability
• DNS Security Extensions
• Uses public key cryptography to verify the authenticity of DNS zone data (records)
  – DNSSEC zone data is digitally signed using a private key for that zone
  – A DNS server receiving DNSSEC-signed zone data can verify the origin and integrity of the data by checking the signature using the public key for that zone
20 | © 2013 Infoblox Inc. All Rights Reserved. 20 | © 2013 Infoblox Inc. All Rights Reserved. 20 | © 2014 Infoblox Inc. All Rights Reserved.
Advanced DNS Protection
(Diagram: Advanced DNS Protection deployed on external DNS and internal DNS. Attack traffic such as amplification, cache poisoning, reconnaissance and DNS exploits is stopped while legitimate traffic passes through. An updated threat-intelligence server delivers automatic updates, rules are distributed grid-wide, and data for reports is sent to a reporting server that reports on attack types and severity.)
21 | © 2013 Infoblox Inc. All Rights Reserved. 21 | © 2013 Infoblox Inc. All Rights Reserved. 21 | © 2014 Infoblox Inc. All Rights Reserved.
Response Policy Zones (RPZ): Blocking Queries to Malicious Domains
1. An infected device is brought into the office. Malware / APT spreads to other devices on the network and calls home.
2. Malware makes a DNS query to find “home” (botnet / C&C).
3. The DNS server with RPZ capability detects and blocks the DNS query to the malicious domain; the blocked attempt is sent to syslog.
4. The query to the malicious domain is logged: security teams can now identify the requesting end-point and attempt remediation.
RPZ is regularly updated with malicious domain data using available reputational feeds (reputational feed: IPs, domains, etc. of bad servers).
(Diagram: Internet with malicious domains and the reputational feed; intranet with the RPZ-capable DNS server and the infected endpoints.)
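The four steps above are easy to model end to end. The added example below is mine, not Infoblox code: it loads a constructed RPZ-style policy feed, applies the standard RPZ trigger semantics a resolver uses (exact owner name, then the closest enclosing wildcard; `CNAME .` meaning NXDOMAIN, `CNAME *.` meaning NODATA, A record meaning local sinkhole data), writes a syslog-style line for every blocked query, and then recovers the requesting end-points from those lines, which is what the security team needs for step 4. The domain names, client addresses, sinkhole address and log hostname are all constructed.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed policy feed (not a real reputation feed), in RPZ record style.
FEED = """\
; owner name in the policy zone    record      meaning
evil-c2.example         CNAME .              ; NXDOMAIN for the name itself
*.evil-c2.example       CNAME .              ; ... and every name beneath it
tracker.example         CNAME *.             ; NODATA (name exists, no answer)
sinkhole-me.example     A     192.0.2.100    ; answer with a local sinkhole address
"""


def parse_feed(text: str) -> dict:
    """Map each policy owner name to an (action, rdata) pair."""
    policies = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip zone-file comments
        if not line:
            continue
        owner, rtype, rdata = line.split()
        owner = owner.lower().rstrip(".")
        if rtype == "CNAME" and rdata == ".":
            action = ("NXDOMAIN", None)
        elif rtype == "CNAME" and rdata == "*.":
            action = ("NODATA", None)
        elif rtype == "CNAME" and rdata.lower() == "rpz-passthru.":
            action = ("PASSTHRU", None)
        elif rtype in ("A", "AAAA"):
            action = ("LOCAL_DATA", rdata)
        else:
            raise ValueError(f"unsupported policy record: {line}")
        policies[owner] = action
    return policies


def lookup_policy(policies: dict, qname: str):
    """Exact match first, then the closest enclosing wildcard; else pass through."""
    name = qname.lower().rstrip(".")
    if name in policies:
        return name, policies[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policies:
            return wildcard, policies[wildcard]
    return None, ("PASSTHRU", None)


class RpzResolver:
    """Stand-in for the RPZ-capable DNS server on the slide."""

    def __init__(self, policies: dict):
        self.policies = policies
        self.syslog = []   # stand-in for the syslog sink

    def query(self, client_ip: str, qname: str, qtype: str = "A", now=None) -> dict:
        ipaddress.ip_address(client_ip)       # reject malformed client addresses early
        trigger, (action, rdata) = lookup_policy(self.policies, qname)
        if action != "PASSTHRU":
            ts = (now or datetime.now(timezone.utc)).strftime("%b %d %H:%M:%S")
            self.syslog.append(f"{ts} dns-resolver rpz: client {client_ip} "
                               f"query {qname}/{qtype} matched {trigger} -> {action}")
        return {"qname": qname, "action": action, "rdata": rdata, "trigger": trigger}


def infected_clients(resolver: RpzResolver) -> list:
    """Step 4 on the slide: pull the requesting end-points back out of syslog."""
    return sorted({line.split("client ")[1].split()[0] for line in resolver.syslog})


if __name__ == "__main__":
    r = RpzResolver(parse_feed(FEED))
    for client, name in [("10.1.1.5", "www.google.com"), ("10.1.1.42", "bot.evil-c2.example")]:
        print(client, name, r.query(client, name)["action"])
    print("endpoints to remediate:", infected_clients(r))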
22 | © 2013 Infoblox Inc. All Rights Reserved. 22 | © 2013 Infoblox Inc. All Rights Reserved. 22 | © 2014 Infoblox Inc. All Rights Reserved.
Call to Action
• DNS security vulnerabilities pose a significant threat
• Raise the awareness of DNS and DNS security vulnerabilities in your organization
• There are multitudes of resources available to help
• Seek help if needed to protect DNS
23 | © 2013 Infoblox Inc. All Rights Reserved. 23 | © 2013 Infoblox Inc. All Rights Reserved. 23 | © 2014 Infoblox Inc. All Rights Reserved.
Take the DNS Security Risk Assessment
1. Analyzes your organization’s DNS setup to assess level of risk of exposure to DNS threats
2. Provides DNS Security Risk Score and analysis based on answers given
3. www.infoblox.com/dnssecurityscore
Higher score = higher DNS security risk!!
24 | © 2013 Infoblox Inc. All Rights Reserved. 24 | © 2013 Infoblox Inc. All Rights Reserved. 24 | © 2014 Infoblox Inc. All Rights Reserved.
About Infoblox
• Founded in 1999
• Headquartered in Santa Clara, CA with global operations in 25 countries
• Market leadership: DDI Market Leader (Gartner); 50% DDI market share (IDC)
• 7,500+ customers; 74,000+ systems shipped to 100 countries
• 55 patents, 29 pending
• IPO April 2012: NYSE BLOX
• Leader in technology for network control
Total Revenue ($MM, fiscal year ending July 31):
FY2007 $35.0; FY2008 $56.0; FY2009 $61.7; FY2010 $102.2; FY2011 $132.8; FY2012 $169.2; FY2013 $225.0; FY2014 $250.3 (28% CAGR)
25 | © 2013 Infoblox Inc. All Rights Reserved. 25 | © 2013 Infoblox Inc. All Rights Reserved. 25 | © 2014 Infoblox Inc. All Rights Reserved.
Thank you!
For more information www.infoblox.com