© 2013 Infoblox Inc. All Rights Reserved. © 2015 Infoblox Inc. All Rights Reserved. CONFIDENTIAL

Posted on 17-Jan-2016

Page 1: DNS Security with AntiDDoS and AntiMalware for YOUR subscribers

Only with Infoblox hardware appliances

Adam Obszyński, [email protected]

Page 2: Why Securing DNS is Critical

Unprotected, DNS increases risk to critical infrastructure and data

• #1 protocol for volumetric reflection/amplification attacks
• DNS is critical networking infrastructure
• DNS protocol is easy to exploit and attacks are prevalent
• Traditional security is ineffective against evolving threats

Page 3: DNS Security Gap

• One of the fastest growing attack vectors
• Easy-to-exploit protocol
• Firewalls and IDS/IPS devices not focused on DNS threats
• Proliferation of BYOD devices and mobile users, meaning threats may be inside the firewall
• DNS security layer needed to complement existing security solutions

Page 4: DNS Security Challenges

1. Defending against DNS DDoS attacks (Authoritative + Recursive)
2. Stopping APTs/malware from using DNS (Recursive)
3. Preventing data exfiltration via DNS (Recursive)

Page 5: APTs: The New Threat Landscape

• Malicious traffic is visible on 100% of corporate networks¹
• Every minute a host accesses a malicious website¹
• The question isn’t if, but when you will be attacked, and how effectively you can respond
• APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data

Source: ¹ Cisco 2014 Annual Security Report

Operational sophistication:

• Organized and well funded
• Profile organizations using public data/social media
• Target key POIs via spear phishing
• “Watering hole” target groups on trusted sites
• Leverage tried and true techniques like SQLi, DDoS & XSS
• Coordinated attacks, distract big, strike precisely

Page 6: Evolution of DNS DDoS Attacks

• DNS based DDoS attacks are constantly evolving and affect both external and internal DNS servers
• Methods range from amplification/reflection, floods and simple NXDOMAIN to highly sophisticated attacks involving botnets, chain reactions and misbehaving domains

Attack types shown on the slide: DNS Tunneling, DNS Hijacking, Floods, Cache Poisoning, DrDoS, Random Subdomain, CPE Botnet Based, Domain Lock-up, Basic NXDOMAIN, Phantom Domain

Page 7: DNS Caching – Protection against attacks on caching servers

Advanced DNS Protection can secure DNS Caching Servers from DNS Floods and other threats

• Large number of bots make more requests of the DNS server than it can handle
• Causes the DNS server to drop inbound DNS requests
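Detection logic for the NXDOMAIN and random-subdomain floods named on pages 6 and 7, as an added example that is not Infoblox code: it scans constructed resolver log lines, counts NXDOMAIN responses per target zone and scores the entropy of the queried labels, so a burst of random labels under one zone stands out from ordinary typos. The log format, the thresholds and the "last two labels are the zone" heuristic are assumptions.

```python
"""Flag random-subdomain (NXDOMAIN flood) activity in resolver logs.
Added example, not Infoblox code. Log format is a constructed one:
"<client_ip> <qname> <rcode>", one query per line."""
import math
from collections import defaultdict

# Constructed sample: one ordinary client (10.0.0.5) and one bot (10.0.0.9)
# hammering victim.example with random labels that all come back NXDOMAIN.
SAMPLE_LOG = """\
10.0.0.5 www.example.net NOERROR
10.0.0.5 mail.example.net NOERROR
10.0.0.9 x7k2q9v1.victim.example NXDOMAIN
10.0.0.9 p0dl3z8m.victim.example NXDOMAIN
10.0.0.9 a9f4kq2w.victim.example NXDOMAIN
10.0.0.9 zz1m8r4t.victim.example NXDOMAIN
10.0.0.5 typo.example.net NXDOMAIN
"""

def zone_of(qname):
    """Assumed heuristic: the last two labels are the attacked zone."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def label_entropy(label):
    """Shannon entropy in bits per character; random labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def detect_random_subdomain(log_text, min_nxdomain=4, min_entropy=2.5):
    """Return {zone: {"nxdomain": count, "clients": [...]}} for zones whose
    NXDOMAIN count and average leftmost-label entropy reach the thresholds."""
    per_zone = defaultdict(lambda: {"nxdomain": 0, "entropy": [], "clients": set()})
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        if rcode != "NXDOMAIN":
            continue                      # only failed lookups are counted
        z = per_zone[zone_of(qname)]
        z["nxdomain"] += 1
        z["entropy"].append(label_entropy(qname.split(".")[0]))
        z["clients"].add(client)
    alerts = {}
    for zone, z in per_zone.items():
        avg_entropy = sum(z["entropy"]) / len(z["entropy"])
        if z["nxdomain"] >= min_nxdomain and avg_entropy >= min_entropy:
            alerts[zone] = {"nxdomain": z["nxdomain"], "clients": sorted(z["clients"])}
    return alerts

if __name__ == "__main__":
    print(detect_random_subdomain(SAMPLE_LOG))
```

Counting per zone rather than per client matters because the bots (or spoofed sources) are many, while the zone under attack is one.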

Page 8: How Infoblox Secures DNS

Page 9: Infoblox and Service Providers

Dedicated SP Business Unit
• Dedicated Sales, SEs, Marketing, Engineering, Product Mgmt

Market leadership
• #1 in DNS Caching; First DNS Firewall
• Competition in decline

IPO April 2012 NYSE (BLOX); $225M Revenue; $2B Market Cap

Dedicated SP product line
• Leads Industry with >1M DNS qps and Advanced DDoS protection
• Carrier-grade solution adopted at major Tier 1 providers

230+ Service Providers; 55,000+ systems shipped; 6800+ Enterprises

Chart: Total Revenue (Fiscal Year Ending July 31), in $M as labelled on the chart: FY2007 35, FY2008 56, FY2009 62, FY2010 102, FY2011 133, FY2012 169, FY2013 225, FY2014 250; 28% CAGR

Page 10: Hardened DNS Appliances

Conventional Server Approach
• Multiple Open Ports: many open ports are subject to attack.
• Users have OS-level account privileges on server.
• Requires time-consuming manual updates.

Hardened Appliance Approach
• Limited Port Access: dedicated hardware with no unnecessary logical or physical ports
• Secure Access: no OS-level user accounts, only admin accounts; secure HTTPS-based access to device management; no SSH or root-shell access; encrypted device-to-device communication
• Update Service: immediate updates to new security threats
• Hardware based Security & DNS Acceleration

Page 11: DNS Protection is Not Only About DDoS

Volumetric/DDoS Attacks
• DNS reflection
• DNS amplification
• TCP/UDP/ICMP floods
• NXDOMAIN attack
• Phantom domain attack
• Random subdomain attack
• Domain lockup attack

DNS-specific Exploits
• DNS-based exploits
• DNS cache poisoning
• DNS tunneling
• Protocol anomalies
• Reconnaissance
• DNS hijacking
• Domain lockup attack

Page 12: Protection Against DNS Attacks

Attacks detected and dropped by Infoblox Internal DNS Security:
• DNS reflection
• DNS amplification
• TCP/UDP/ICMP floods
• NXDOMAIN attack
• Phantom domain attack
• Random subdomain attack
• Domain lockup attack
• DNS-based exploits
• DNS cache poisoning
• DNS tunneling
• Malformed DHCP requests

Diagram: INTERNET – Firewall – Infoblox Internal DNS Security – ENTERPRISE. Legitimate traffic passes while DNS DDoS and DNS tunneling are detected and dropped; rule updates come from the Infoblox Automated Threat Intelligence Service.

Page 13: Security Built-in to the DNS Infrastructure

Diagram: Internet – Infoblox PT-Appliances (Security) – DNS Servers. Protection against DNS threats; serve DNS queries under attack.

Use Cases
• Enterprise Customers
  - External authoritative DNS server
  - Internal DNS: Enterprise / Universities with open networks
• Service Providers
  - Recursive Caching
  - Authoritative DNS services

Traditional security appliances mitigate only part of the attacks against DNS

Page 14: Protection Against APTs/Malware – DNS Firewall

1. An infected device is brought into the office. Malware spreads to other devices on the network and calls home.
2. Malware makes a DNS query to find “home” (botnet / C&C). DNS Firewall looks at the DNS response and takes admin-defined action (disallows communication to the malware site or redirects traffic to a landing page or “walled garden” site). The blocked communication attempt is sent to Syslog.
3. Pinpoint. Infoblox Reporting lists the DNS Firewall action as well as the:
   • Device IP address
   • Device MAC address
   • Device type/OS (DHCP fingerprint)
   • Device host name
   • Device lease history
   • AD login name
   • Switch/port/VLAN
4. An update will occur every 2 hours (or more often for a significant threat). The Infoblox threat update device supplies the IPs, domains, etc. of bad servers (malicious domains) from the INTERNET to the INTRANET.
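The DNS Firewall decision on page 14, as an added example that is not Infoblox code: a response from the resolver is checked against a constructed threat list of malicious domains and server IPs, and the policy either passes it, blocks it with NXDOMAIN, or rewrites the answer to a walled-garden address, emitting a syslog-style line with the client IP for reporting. The feed contents, the walled-garden address and the response shape are assumptions.

```python
"""DNS-firewall style response policy: pass, block (NXDOMAIN) or redirect
to a walled garden, with a syslog-style event for reporting.
Added example, not Infoblox code; feed and addresses are constructed."""
from dataclasses import dataclass

# Constructed threat feed (the data page 14 says is refreshed every 2 hours).
MALICIOUS_DOMAINS = {"c2.bad-example.test": "redirect",
                     "dropper.bad-example.test": "block"}
MALICIOUS_IPS = {"192.0.2.66"}          # documentation range, constructed
WALLED_GARDEN_IP = "198.51.100.10"       # placeholder landing-page address

@dataclass
class DnsResponse:
    client_ip: str
    qname: str
    answers: list          # A-record addresses the resolver found
    rcode: str = "NOERROR"

def domain_rule(qname, feed):
    """Match the qname or any parent domain, so sub.c2.bad-example.test
    hits the c2.bad-example.test rule (an RPZ-style wildcard match)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate, feed[candidate]
    return None, None

def apply_policy(resp):
    """Return (action, response_to_send, syslog_line_or_None)."""
    rule, action = domain_rule(resp.qname, MALICIOUS_DOMAINS)
    if rule is None:
        bad_ips = [ip for ip in resp.answers if ip in MALICIOUS_IPS]
        if bad_ips:        # clean name, but it resolves to a known bad server
            rule, action = "ip:" + bad_ips[0], "block"
    if rule is None:
        return "pass", resp, None
    if action == "block":
        out = DnsResponse(resp.client_ip, resp.qname, [], rcode="NXDOMAIN")
    else:                  # redirect: answer with the walled garden instead
        out = DnsResponse(resp.client_ip, resp.qname, [WALLED_GARDEN_IP])
    log = (f"dns-firewall action={action} client={resp.client_ip} "
           f"qname={resp.qname} rule={rule}")
    return action, out, log
```

The log line carries the client IP that the reporting step on page 14 correlates with DHCP lease, fingerprint and switch-port data.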

Page 15: DNS can make a huge difference!

Page 16: Web Delay – Sample. Fast Web Performance Starts with DNS…

© http://blog.catchpoint.com/

• http://techcrunch.com/
  - 300++ objects
  - 60++ domains

Page 17: Web Delay – Sample 2. Fast Web Performance Starts with DNS…

• Two components to DNS latency:
  - Latency Client <-> Server
  - Caches <-> name servers
    - Cache misses
    - Under provisioning
    - Malicious traffic

© https://developers.google.com/

Page 18: Devices vs Solutions – Self made vs Dedicated

• Dedicated DNS Cache appliance does not stop answering queries from cache when capacity limits are reached for cache misses, NXDOMAIN queries etc.

Chart: Avg. Latency (Seconds), BIND vs Infoblox 4030 DNS Cache
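A model of the capacity behaviour page 18 describes, as an added example that is not Infoblox code: cache hits are answered regardless of load, while only cache misses draw on a per-second recursion budget, so a flood of uncached random names exhausts that budget but does not stop answers for names already in cache. The upstream stub, TTLs, budget and flood size are constructed.

```python
"""Caching resolver that keeps answering from cache when its cache-miss
(recursion) budget is exhausted. Added example, not Infoblox code; the
upstream stub, TTLs and budget below are constructed."""

# Constructed "authoritative" data: anything else is NXDOMAIN with a 60 s TTL.
UPSTREAM_ZONE = {"www.example.net": "203.0.113.7", "mail.example.net": "203.0.113.8"}

def upstream_lookup(qname):
    """Stand-in for recursion: returns (rcode, answer, ttl)."""
    if qname in UPSTREAM_ZONE:
        return "NOERROR", UPSTREAM_ZONE[qname], 300
    return "NXDOMAIN", None, 60

class CachingResolver:
    def __init__(self, upstream, miss_budget_per_sec):
        self.upstream = upstream
        self.miss_budget = miss_budget_per_sec   # recursions allowed per second
        self.window, self.misses_in_window = None, 0
        self.cache = {}                          # qname -> (rcode, answer, expiry)
        self.stats = {"hit": 0, "miss": 0, "shed": 0}

    def resolve(self, qname, now):
        entry = self.cache.get(qname)
        if entry and entry[2] > now:             # fast path: never rate-limited
            self.stats["hit"] += 1
            return entry[0], entry[1]
        second = int(now)
        if second != self.window:                # new one-second window
            self.window, self.misses_in_window = second, 0
        if self.misses_in_window >= self.miss_budget:
            self.stats["shed"] += 1              # only misses are shed
            return "SERVFAIL", None
        self.misses_in_window += 1
        self.stats["miss"] += 1
        rcode, answer, ttl = self.upstream(qname)
        self.cache[qname] = (rcode, answer, now + ttl)   # negative caching too
        return rcode, answer

def simulate_flood(flood_size=500, budget=100):
    """Warm the cache, flood random names inside one second, then check
    that the cached name is still answered. Returns (cached_rcode, stats)."""
    r = CachingResolver(upstream_lookup, budget)
    r.resolve("www.example.net", now=0.0)        # warm the cache
    for i in range(flood_size):                  # attacker's random labels
        r.resolve(f"rnd{i:05d}.victim.example", now=1.0 + i / flood_size)
    rcode, _ = r.resolve("www.example.net", now=1.999)
    return rcode, r.stats
```

The cache-hit ratio on page 26 is what keeps this fast path busy; the lower it is, the more queries compete for the miss budget.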

Page 19: Advanced Appliances Come in Four Physical Platforms

Advanced Appliances have next-generation programmable processors that provide dedicated compute for threat mitigation.

The appliances offer both AC and DC power supply options.

Performance:
• 50 000 qps
• 143 000 qps
• 200 000 qps
• 300k / 600k / 5 000 000 qps

SP & Enterprise

SP / ISP subscribers: DNS Caching, hardware based!

Page 20: Test Us! Find DNS Threats in your Network

Page 21: Send Us Your PCAP Files

• Infoblox analyzes and provides insights on malicious activity in seconds
• Report on findings to take back to management

Page 22: How to deploy + Case Study from Poland

Page 23: Cable SP

Huge attacks

Press info about ISP being down for 8 days!

Page 24: Design – System topology

Page 25: First month stats

Blocked 6M events with multiple risk levels

Page 26: CHR vs CPU vs User Experience (== NO CHURN)

Chart labels: Cache Hit Ratio, Resources, User exp.

Page 27: Secure DNS Deployment

Diagram: INTERNET – Firewall – DMZ – Firewall – INTRANET. External attacks (DNS DDoS, DNS exploits, malware/APT) and legitimate traffic arrive from the Internet; Infoblox External DNS Security in front of the External Authoritative Caching Server blocks DNS attacks. Inside, Infoblox Internal DNS Security in front of the Infoblox DNS Caching Server (Internal Recursive) blocks attacks and malware communication, including data exfiltration attempts and DNS DDoS from within the intranet, while legitimate DNS queries pass. The Infoblox Automated Threat Update Service delivers rule updates for DNS-based attacks and malicious domains; both security layers send data for reports to the Infoblox Reporting Server.

Page 28: Q&A

Page 29: Infoblox Differentiation and Value

Comparison columns: Infoblox Advanced DNS Protection, Load Balancers, Pure DDoS, Next-gen Firewalls, IPS, Cloud

Rows compared:
• Dedicated compute for threat mitigation
• Volumetric/DDoS Attacks
  - General DDoS
  - DNS DDoS: DNS amplification, DNS reflection, NXDOMAIN
• DNS-specific Exploits
  - DNS server OS and application vulnerabilities
  - DNS semantic attacks: Cache poisoning, DNS tunneling, DNS hijacking