© 2013 Infoblox Inc. All Rights Reserved.
Securing DNS Infrastructure
Srikrupa Srivatsan | Senior Product Marketing Manager
August 2014
Agenda
Securing the DNS Platform
Defending Against DNS Attacks
Malware/APT Exploits of DNS
DNS Security Challenges
Infoblox Overview
Infoblox Secure DNS Solution
About Infoblox
Founded in 1999
Headquartered in Santa Clara, CA with global operations in 25 countries
Market leadership
• DDI Market Leader (Gartner)
• 50% DDI Market Share (IDC)
7,300+ customers; 74,000+ systems shipped to 100 countries
45 patents, 27 pending
IPO April 2012: NYSE BLOX
Leader in technology for network control
[Chart: Total Revenue ($MM), Fiscal Year Ending July 31. FY2007 $35.0; FY2008 $56.0; FY2009 $61.7; FY2010 $102.2; FY2011 $132.8; FY2012 $169.2; FY2013 $225.0; 30% CAGR]
Infoblox: Technology for Network Control
[Diagram: Infrastructure Security spanning three layers. Network Infrastructure (Firewalls, Switches, Routers, Web Proxy, Load Balancers): Discovery, Real-time Configuration & Change, Compliance; Historical / Real-time Reporting & Control. Apps & End-Points (End Points, Virtual Machines, Private Cloud, Applications). Control Plane: Essential Network Control Functions: DNS, DHCP, IPAM (DDI); Infoblox Grid(TM) with Real-time Network Database]
Why is DNS an Ideal Target?
DNS is the cornerstone of the Internet, used by every business and government
DNS as a protocol is easy to exploit
DNS outage = business downtime
Traditional protection is ineffective against evolving threats
DNS Security Challenges
1. Securing the DNS Platform
2. Defending Against DNS Attacks
3. Preventing Malware from using DNS
Securing the DNS Platform
Hacks of DNS – 2013 & 2014
Security Risks with Conventional Approach
DNS installed on off-the-shelf server:
– Many open ports subject to attack
– Users have OS-level account privileges on server
– No visibility into good vs. bad traffic
– Requires time-consuming manual updates
– Requires multiple applications for device management
Secure DNS - Purpose Built Appliance and OS
• Minimal attack surfaces
• Active/Active HA & DR recovery
• Common Criteria Certification
• FIPS 140-2 Compliance
• Encrypted Inter-appliance Communication
• Centralized management with role-based control
• Secured Access, communication & API
• Detailed audit logging
• Fast/easy upgrades
Defending Against DNS Attacks
The Rising Tide of DNS Threats
In the last year alone there has been an increase of 200% in DNS attacks and 58% in DDoS attacks (1)
With possible amplification of up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge
33M: number of open recursive DNS servers (2); 28M of these pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks (2)
With enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant
1. Quarterly Global DDoS Attack Report, Prolexic, 4th Quarter, 2013
2. www.openresolverproject.org
Financial impact is huge
Avg estimated loss per DDoS event in 2012 (3): $7.7M, $13.6M and $17M across financial services, technology company and government
$27 million: the average loss for a 24-hour outage from a DDoS attack (3)
[Chart: Top Industries Targeted (4) – Enterprise 42%, Commerce 29%, Media & Entertainment 17%, High Tech 7%, Public Sector 5%; Retail 22%, Business Services 21%, Financial Services 13%, Hotels 5%, Miscellaneous 5%, Healthcare 2%, Consumer Goods 2%, Automotive 1%]
3. Develop A Two-Phased DDoS Mitigation Strategy, Forrester Research, Inc. May 17, 2013
4. State of the Internet, Akamai, 2nd Quarter, 2013
Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
How the attack works
[Diagram: Attacker → spoofed queries → open recursive servers on the Internet → amplified, reflected packets → target victim]
Combines reflection and amplification
Uses third-party open resolvers in the Internet (unwitting accomplice)
Attacker sends spoofed queries to the open recursive servers
Uses queries specially crafted to result in a very large response
Causes DDoS on the victim’s server
DNS Protection is Not Just About DDoS
Volumetric/DDoS Attacks
DNS reflection/DrDoS attacks: Using third-party DNS servers (mostly open resolvers) to propagate a DoS or DDoS attack
DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic
TCP/UDP/ICMP floods: Denial of service on layer 3 or 4 by bringing a network or service down by flooding it with large amounts of traffic
NXDomain attack: Attacks that flood the DNS server with requests for non-existent domains, causing it to send NXDomain (non-existent domain) responses
Phantom domain attack: Attacks where a DNS resolver is forced to resolve multiple non-existent domains, causing it to consume resources while waiting for responses
DNS-specific Exploits
DNS-based exploits: Attacks that exploit bugs or vulnerabilities in the DNS software
DNS cache poisoning: Corruption of DNS server cache data with a rogue domain or IP
Protocol anomalies: Causing the server to crash by sending malformed DNS packets and queries
Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
DNS tunneling: Tunneling of another protocol through DNS port 53 for malware insertion and/or data exfiltration
DNS hijacking: Modifying the DNS record settings to point to a rogue DNS server or domain
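As an added illustration of how a resolver operator would recognise two of the patterns above in their own logs (the reflection/amplification attack from the DrDoS slide and the NXDomain flood from the table), here is a small Python log analyzer. It is example code written for this edit, not Infoblox's or the deck's; the log format, the sample lines, the addresses and the thresholds are all constructed for the example, and a real deployment would map its own query-log or dnstap fields onto the same columns.

```python
import re
from collections import defaultdict

# Constructed, simplified resolver log: one line per query/response pair.
# Fields: <timestamp> <client_ip> <qname> <qtype> <rcode> <query_bytes> <response_bytes>
# (Assumption: the operator's real log format is converted to these fields.)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>[\d.]+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)\s+"
    r"(?P<rcode>[A-Z]+)\s+(?P<qlen>\d+)\s+(?P<rlen>\d+)$"
)

# Constructed sample: six ANY queries "from" 198.51.100.9 (the spoofed victim),
# two ordinary queries from 10.0.0.7, and a burst of random names from 10.0.0.23.
SAMPLE_LOG = """\
2014-08-14T10:00:01 198.51.100.9 example.net ANY NOERROR 28 3210
2014-08-14T10:00:01 198.51.100.9 example.net ANY NOERROR 28 3210
2014-08-14T10:00:01 198.51.100.9 example.net ANY NOERROR 28 3210
2014-08-14T10:00:02 198.51.100.9 example.net ANY NOERROR 28 3210
2014-08-14T10:00:02 198.51.100.9 example.net ANY NOERROR 28 3210
2014-08-14T10:00:02 198.51.100.9 example.net ANY NOERROR 28 3210
2014-08-14T10:00:03 10.0.0.7 www.example.com A NOERROR 33 49
2014-08-14T10:00:03 10.0.0.7 mail.example.com MX NOERROR 34 78
2014-08-14T10:00:04 10.0.0.23 kq3xz9f.example.org A NXDOMAIN 36 95
2014-08-14T10:00:04 10.0.0.23 p0w7rmt.example.org A NXDOMAIN 36 95
2014-08-14T10:00:04 10.0.0.23 zzr41hd.example.org A NXDOMAIN 36 95
2014-08-14T10:00:05 10.0.0.23 u8qe2bn.example.org A NXDOMAIN 36 95
2014-08-14T10:00:05 10.0.0.23 a1c9yyv.example.org A NXDOMAIN 36 95
2014-08-14T10:00:05 10.0.0.23 www.example.com A NOERROR 33 49
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qlen"] = int(rec["qlen"])
            rec["rlen"] = int(rec["rlen"])
            records.append(rec)
    return records


def amplification_suspects(records, min_queries=5, min_ratio=10.0):
    """Flag (client, qname, qtype) triples that repeatedly produce responses much
    larger than the query. In a reflection attack the logged 'client' is the
    spoofed victim address, so the ratio is the amplification the victim receives."""
    stats = defaultdict(lambda: [0, 0, 0])  # queries, query bytes, response bytes
    for r in records:
        s = stats[(r["client"], r["qname"], r["qtype"])]
        s[0] += 1
        s[1] += r["qlen"]
        s[2] += r["rlen"]
    suspects = []
    for (client, qname, qtype), (n, qbytes, rbytes) in stats.items():
        ratio = rbytes / qbytes if qbytes else 0.0
        if n >= min_queries and ratio >= min_ratio:
            suspects.append({"client": client, "qname": qname, "qtype": qtype,
                             "queries": n, "amplification": round(ratio, 1)})
    return sorted(suspects, key=lambda s: -s["amplification"])


def nxdomain_suspects(records, min_queries=5, min_fraction=0.8):
    """Flag clients whose queries are mostly answered NXDOMAIN: the pattern of an
    NXDomain flood, and also of DGA malware probing for its rendezvous domain."""
    total = defaultdict(int)
    nx = defaultdict(int)
    for r in records:
        total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]] += 1
    suspects = []
    for client, n in total.items():
        fraction = nx[client] / n
        if n >= min_queries and fraction >= min_fraction:
            suspects.append({"client": client, "queries": n,
                             "nxdomain_fraction": round(fraction, 2)})
    return suspects


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for s in amplification_suspects(recs):
        print("possible reflection/amplification:", s)
    for s in nxdomain_suspects(recs):
        print("possible NXDomain flood:", s)
```

The first finding points at the resolver itself: restricting recursion to the operator's own clients and rate-limiting responses stops the server acting as the "unwitting accomplice" the DrDoS slide describes. The second finding is worth joining with DHCP lease data (the flow on the DNS Firewall slide later in the deck), because a high NXDOMAIN rate from one internal client is also what a DGA-driven infection looks like while it searches for its command-and-control domain.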
Defend Against Attacks
[Diagram: the Infoblox Threat-rule Server pushes automatic updates (Threat Adapt) to Advanced DNS Protection on the external DNS and the internal DNS, with Grid-wide rule distribution; attack traffic (amplification, cache poisoning, reconnaissance, DNS exploits) is dropped while legitimate traffic passes; data for reports flows to the Reporting Server, which reports on attack types and severity]
Deployment Options: External
[Diagram: Internet → Advanced DNS Protection in the DMZ, dropping reconnaissance, amplification, exploits and cache poisoning while passing legitimate traffic; Grid Master and Candidate (HA) on the intranet; Advanced DNS Protection also at datacenter and campus/regional sites]
Deployment Options: Internal
[Diagram: Endpoints on the intranet → Advanced DNS Protection at datacenter and campus/regional sites, dropping amplification and exploits while passing legitimate traffic; Grid Master and Candidate (HA)]
Preventing Malware from using DNS
Security Breaches Using Malware / APT, 2013–2014
[Timeline: Q1–Q4 of 2013 and 2014]
Real World Example: Cryptolocker “Ransomware”
• Targets Windows-based computers
• Appears as an attachment to legitimate looking email
• Upon infection, encrypts files: local hard drive & mapped network drives
• Ransom: 72 hours to pay $300 US
• Fail to pay and the encryption key is deleted and data is gone forever
• Only way to stop (after executable has started) is to block outbound connection to encryption server
Anatomy of an Attack: GameOver Zeus (GOZ)
• 500,000 to 1M infections worldwide
• Top countries affected: US (13%), Italy (12%), UAE (8%)
• Top Industry targeted: Financial Services
• Highly sophisticated and hard to track
• Uses peer-to-peer (P2P) communication to control infected devices or botnet
• Upon infection, it monitors the machine for finance-related information
• Takes control of private online transactions and diverts funds to criminal accounts
• Hundreds of millions of dollars stolen
• Responsible for distribution of Cryptolocker
• Infected systems can be used for DDoS attacks
Blocking Malware/APT
1. An infected device is brought into the office. Malware / APT spreads to other devices on the network.
2. Malware makes a DNS query to find “home” (botnet / C&C), i.e. calls home.
3. Infoblox DDI with DNS Firewall blocks the DNS query (by domain name / IP address); the blocked attempt is sent to Syslog.
4. Infoblox Reporting lists blocked attempts as well as the:
• IP address
• MAC address
• Device type (DHCP fingerprint)
• Host name
• DHCP lease history
Reputation data (malicious domains) comes from:
• DNS Firewall Subscription Svc
• FireEye Adapter (NX Series)
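The steps above, as an added Python example that is not Infoblox's code: a query is checked against a reputation list by domain name (covering subdomains) and by answer address, a blocked attempt produces a syslog-style record, and the record is then enriched with DHCP lease data so the report names the device and not only its IP. The blocklist, the DHCP lease table and the addresses are constructed for the example; the subdomain-covering match is modelled on response policy zones (RPZ), which is an assumption about the mechanism and not something the deck states.

```python
import ipaddress

# Constructed reputation feed (not a real Infoblox or FireEye feed): a listed
# domain blocks itself and every subdomain; a listed network blocks any answer
# that points into it. Assumption: this mirrors RPZ-style policy behaviour.
BLOCKED_DOMAINS = {"evil-c2.example", "dga-sink.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed DHCP lease history keyed by client IP, most recent lease first.
DHCP_LEASES = {
    "10.0.0.23": [
        {"mac": "00:11:22:33:44:55", "hostname": "LAPTOP-7F3",
         "fingerprint": "Windows 7", "start": "2014-08-14T08:55"},
        {"mac": "00:11:22:33:44:55", "hostname": "LAPTOP-7F3",
         "fingerprint": "Windows 7", "start": "2014-08-13T09:02"},
    ],
}


def domain_blocked(qname, blocked=BLOCKED_DOMAINS):
    """Return the blocklist entry that covers qname (exact or parent domain), else None.
    Matching is label-wise, so 'notevil-c2.example' does not match 'evil-c2.example'."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def answer_blocked(answer_ip, networks=BLOCKED_NETWORKS):
    """Return the listed network containing answer_ip, else None."""
    ip = ipaddress.ip_address(answer_ip)
    for net in networks:
        if ip in net:
            return str(net)
    return None


def evaluate_query(client_ip, qname, answer_ip=None):
    """Apply the name and address policies to one query and build the syslog line
    a blocked attempt would be reported with."""
    reason = None
    hit = domain_blocked(qname)
    if hit:
        reason = f"domain {hit}"
    elif answer_ip:
        net = answer_blocked(answer_ip)
        if net:
            reason = f"answer in {net}"
    if reason is None:
        return {"action": "allow", "client": client_ip, "qname": qname}
    return {
        "action": "block", "client": client_ip, "qname": qname, "reason": reason,
        "syslog": f"dns-firewall: blocked client={client_ip} qname={qname} rule={reason}",
    }


def enrich_with_dhcp(record, leases=DHCP_LEASES):
    """Join a blocked record with DHCP data so the report shows which device
    made the query, not just the IP address it held at the time."""
    enriched = dict(record)
    history = leases.get(record["client"], [])
    if history:
        latest = history[0]
        enriched.update({"mac": latest["mac"], "hostname": latest["hostname"],
                         "device_type": latest["fingerprint"],
                         "lease_history": history})
    return enriched


if __name__ == "__main__":
    event = evaluate_query("10.0.0.23", "cdn.evil-c2.example.")
    print(event["syslog"])
    report = enrich_with_dhcp(event)
    print(report["hostname"], report["mac"], report["device_type"])
```

The address check matters for the "Malware / APT spreads; calls home" step: a bot that rotates hostnames still has to resolve to an address in the attacker's space, so blocking on the answer catches names the domain feed has not yet seen.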
Malware / APT We Block
DGA: Domain generation algorithm malware that randomly generates domains to connect to malicious networks or botnets
Fast Flux: Rapid changing of the domains and IP addresses used by malicious domains to obfuscate identity and location
APT / Malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye)
DNS Hijacking: Hijacking DNS registry(s) and redirecting users to malicious domain(s)
Geo-Blocking: Blocking access to geographies that have high rates of malicious domains or are subject to economic sanctions by the US Government
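To show what the first two categories look like in DNS data, here is an added Python example (not Infoblox's code) with two heuristics: a DGA-likeness score for a domain label built from length, character entropy and vowel/digit ratios, and a fast-flux check over observed A-record answers that looks for a name rotating through many addresses in several networks with short TTLs. The thresholds, the sample labels and the observation list are constructed for the example; a production DNS Firewall relies on reputation feeds rather than on such heuristics alone.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of text (0 for the empty string)."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def label_features(label):
    """Character statistics of one DNS label (e.g. the registrable part of a name)."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    return {"length": len(label), "entropy": shannon_entropy(label),
            "vowel_ratio": vowel_ratio, "digit_ratio": digit_ratio}


def looks_like_dga(label, min_len=10, min_entropy=3.0,
                   max_vowel_ratio=0.25, min_digit_ratio=0.3):
    """Heuristic: long, high-entropy labels with few vowels or many digits are
    typical of algorithmically generated names. Thresholds are constructed for
    this example; entropy alone would also flag ordinary long English labels,
    which is why the vowel/digit test is required as well."""
    f = label_features(label.lower())
    return (f["length"] >= min_len and f["entropy"] >= min_entropy
            and (f["vowel_ratio"] <= max_vowel_ratio
                 or f["digit_ratio"] >= min_digit_ratio))


# Constructed A-record observations: (qname, answer_ip, ttl_seconds)
OBSERVATIONS = [
    ("flux.example", "198.51.100.7", 60), ("flux.example", "203.0.113.9", 60),
    ("flux.example", "192.0.2.44", 60), ("flux.example", "198.51.100.201", 60),
    ("flux.example", "203.0.113.150", 60), ("flux.example", "192.0.2.8", 60),
    ("cdn.example", "192.0.2.1", 30), ("cdn.example", "192.0.2.2", 30),
    ("cdn.example", "192.0.2.3", 30),
    ("www.example.com", "198.51.100.50", 3600),
]


def fast_flux_suspects(observations, min_ips=5, min_networks=3, max_ttl=300):
    """Names whose answers rotate through many addresses in several /24 networks
    with short TTLs. A CDN also rotates addresses, but usually within its own
    networks, which the min_networks threshold is meant to separate out."""
    by_name = defaultdict(lambda: {"ips": set(), "max_ttl": 0})
    for name, ip, ttl in observations:
        entry = by_name[name]
        entry["ips"].add(ip)
        entry["max_ttl"] = max(entry["max_ttl"], ttl)
    suspects = []
    for name, entry in by_name.items():
        networks = {".".join(ip.split(".")[:3]) for ip in entry["ips"]}
        if (len(entry["ips"]) >= min_ips and len(networks) >= min_networks
                and entry["max_ttl"] <= max_ttl):
            suspects.append(name)
    return sorted(suspects)


if __name__ == "__main__":
    for label in ("xk7qzp2mwr9t", "securitynews", "infoblox"):
        print(label, looks_like_dga(label))
    print("fast-flux suspects:", fast_flux_suspects(OBSERVATIONS))
```

Both heuristics are meant as triage signals that feed a reputation-based block, as on the preceding slides: a flagged label or name is confirmed against the subscription feed before it is added to the blocklist.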
Take the DNS Security Risk Assessment
1. Analyzes your organization’s DNS setup to assess level of risk of exposure to DNS threats
2. Provides DNS Security Risk Score and analysis based on answers given
3. www.infoblox.com/dnssecurityscore
Higher score = higher DNS security risk!!
In Review
DNS is critical infrastructure
Unprotected DNS infrastructure introduces serious security risks
Infoblox Secure DNS Solution protects critical DNS services:
Infoblox Advanced DNS Protection – Defend Against DNS Attacks
Infoblox DNS Firewall – Prevents Malware/APT from Using DNS
Hardened Appliance & OS – Secure the DNS Platform
Thank you!
For more information www.infoblox.com