1 | © 2013 Infoblox Inc. All Rights Reserved. Securing DNS Infrastructure Srikrupa Srivatsan | Senior Product Marketing Manager August 2014

Upload: irene-davis

Post on 14-Jan-2016



Page 2

Agenda

Securing the DNS Platform

Defending Against DNS Attacks

Malware/APT Exploits of DNS

DNS Security Challenges

Infoblox Overview

Infoblox Secure DNS Solution

Page 3

About Infoblox

• Founded in 1999

• Headquartered in Santa Clara, CA with global operations in 25 countries

• Market leadership: DDI Market Leader (Gartner); 50% DDI Market Share (IDC)

• 7,300+ customers; 74,000+ systems shipped to 100 countries

• 45 patents, 27 pending

• IPO April 2012: NYSE BLOX

• Leader in technology for network control

Total Revenue in $MM (Fiscal Year Ending July 31), 30% CAGR: FY2007 $35.0, FY2008 $56.0, FY2009 $61.7, FY2010 $102.2, FY2011 $132.8, FY2012 $169.2, FY2013 $225.0

Page 4

Infoblox: Technology for Network Control (diagram)

Network Infrastructure: firewalls, switches, routers, web proxy, load balancers. Infrastructure Security: discovery, real-time configuration & change, compliance; historical / real-time reporting & control.

Apps & End-Points: end points, virtual machines, private cloud, applications. Essential network control functions: DNS, DHCP, IPAM (DDI).

Control Plane: Infoblox Grid™ with real-time network database.

Page 5

Why is DNS an Ideal Target?

DNS is the cornerstone of the Internet, used by every business and government

DNS as a protocol is easy to exploit

DNS outage = business downtime

Traditional protection is ineffective against evolving threats

Page 6

DNS Security Challenges

1. Securing the DNS Platform

2. Defending Against DNS Attacks

3. Preventing Malware from using DNS

Page 7

Securing the DNS Platform

Page 8

Hacks of DNS – 2013 & 2014

Page 9

Security Risks with Conventional Approach

DNS installed on an off-the-shelf server (multiple open ports):

– Many open ports subject to attack

– Users have OS-level account privileges on server

– No visibility into good vs. bad traffic

– Requires time-consuming manual updates

– Requires multiple applications for device management

Page 10

Secure DNS - Purpose Built Appliance and OS

• Minimal attack surfaces

• Active/Active HA & DR recovery

• Common Criteria Certification

• FIPS 140-2 Compliance

• Encrypted Inter-appliance Communication

• Centralized management with role-based control

• Secured Access, communication & API

• Detailed audit logging

• Fast/easy upgrades

Page 11

Defending Against DNS Attacks

Page 12

The Rising Tide of DNS Threats

In the last year alone there has been an increase of 200% in DNS attacks[1] and 58% in DDoS attacks[1].

With possible amplification of up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge.

33M: number of open recursive DNS servers[2]; 28M of them pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks[2].

With enterprise-level businesses receiving an average of 2 million (2M) DNS queries every single day, the threat of attack is significant.

Financial impact is huge: the average estimated loss per DDoS event in 2012[3] ranged from $7.7M to $17M across financial services, technology companies and government; the average loss for a 24-hour outage from a DDoS attack[3] is $27 million.

Top Industries Targeted[4]: Retail 22%, Business Services 21%, Media & Entertainment 17%, Financial Services 13%, High Tech 7%, Public Sector 5%, Hotels 5%, Miscellaneous 5%, Healthcare 2%, Consumer Goods 2%, Automotive 1% (also shown: Enterprise 42%, Commerce 29%).

1. Quarterly Global DDoS Attack Report, Prolexic, 4th Quarter, 2013

2. www.openresolverproject.org

3. Develop A Two-Phased DDoS Mitigation Strategy, Forrester Research, Inc. May 17, 2013

4. State of the Internet, Akamai, 2nd Quarter, 2013

Page 13

Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)

How the attack works (diagram): Attacker → spoofed queries → open recursive servers on the Internet → amplified, reflected packets → target victim

Combines reflection and amplification

Uses third-party open resolvers in the Internet (unwitting accomplice)

Attacker sends spoofed queries to the open recursive servers

Uses queries specially crafted to result in a very large response

Causes DDoS on the victim’s server

Page 14

DNS Protection is Not Just About DDoS

Volumetric/DDoS Attacks

DNS reflection/DrDoS attacks: Using third-party DNS servers (mostly open resolvers) to propagate a DoS or DDoS attack

DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic

TCP/UDP/ICMP floods: Denial of service on layer 3 or 4 by bringing a network or service down by flooding it with large amounts of traffic

DNS-specific Exploits

DNS-based exploits: Attacks that exploit bugs or vulnerabilities in the DNS software

DNS cache poisoning: Corruption of DNS server cache data with a rogue domain or IP

Protocol anomalies: Causing the server to crash by sending malformed DNS packets and queries

Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack

DNS tunneling: Tunneling of another protocol through DNS port 53 for malware insertion and/or data exfiltration

DNS hijacking: Modifying the DNS record settings to point to a rogue DNS server or domain

NXDomain attack: Attacks that flood a DNS server with requests for non-existent domains, causing it to send NXDomain (non-existent domain) responses

Phantom domain attack: Attacks where a DNS resolver is forced to resolve multiple non-existent domains, causing it to consume resources while waiting for responses

Page 15

Defend Against Attacks (diagram)

Infoblox Threat-rule Server → Automatic Updates (Threat Adapt) → Advanced DNS Protection (External DNS) and Advanced DNS Protection (Internal DNS), with Grid-wide rule distribution. Incoming traffic mixes legitimate traffic with amplification, cache poisoning, reconnaissance and DNS exploits; only legitimate traffic is passed through. Data for reports flows to the Reporting Server, which reports on attack types and severity.

Page 16

Deployment Options: External (diagram)

INTERNET → Advanced DNS Protection in the DMZ (inbound traffic mixes legitimate traffic with reconnaissance, amplification, exploits and cache poisoning; only legitimate traffic passes) → INTRANET: Grid Master and Candidate (HA), Datacenter, Campus/Regional, with Advanced DNS Protection.

Page 17

Deployment Options: Internal (diagram)

INTRANET: Endpoints → Advanced DNS Protection at Datacenter and Campus/Regional sites, with Grid Master and Candidate (HA). Internal traffic mixes legitimate traffic with amplification and exploits; only legitimate traffic passes.

Page 18

Preventing Malware from using DNS

Page 19

Security Breaches Using Malware / APT, 2013 – 2014 (timeline by quarter, Q1–Q4)

Page 20

Real World Example: Cryptolocker “Ransomware”

• Targets Windows-based computers

• Appears as an attachment to legitimate looking email

• Upon infection, encrypts files: local hard drive & mapped network drives

• Ransom: 72 hours to pay $300 US

• Fail to pay and the encryption key is deleted and data is gone forever

• Only way to stop (after executable has started) is to block outbound connection to encryption server

Page 21

Anatomy of an Attack: GameOver Zeus (GOZ)

• 500,000 to 1M infections worldwide

• Top countries affected: US (13%), Italy (12%), UAE (8%)

• Top Industry targeted: Financial Services

• Highly sophisticated and hard to track

• Uses peer-to-peer (P2P) communication to control infected devices or botnet

• Upon infection, it monitors the machine for finance-related information

• Takes control of private online transactions and diverts funds to criminal accounts

• Hundreds of millions of dollars stolen

• Responsible for distribution of Cryptolocker

• Infected systems can be used for DDoS attacks

Page 22

Blocking Malware/APT

1. An infected device is brought into the office. Malware / APT spreads to other devices on the network and calls home.

2. Malware makes a DNS query to find “home” (botnet / C&C).

3. DNS Firewall (Infoblox DDI with DNS Firewall) blocks the DNS query by domain name / IP address against a list of malicious domains; the blocked attempt is sent to Syslog.

4. Infoblox Reporting lists blocked attempts as well as the:

• IP address

• MAC address

• Device type (DHCP fingerprint)

• Host name

• DHCP lease history

Reputation data comes from:

• DNS Firewall Subscription Svc

• FireEye Adapter (NX Series)
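Steps 3 and 4 above amount to a response-policy check at the resolver plus enrichment of the blocked event with DHCP lease data. The following is an added illustration of that flow, not Infoblox code or the DNS Firewall implementation; the blocklist, lease table, query names and addresses are constructed.

```python
"""DNS-firewall style policy check for the blocking flow above. Added example,
not Infoblox code: the blocklist, DHCP lease table and queries are constructed;
a real deployment takes these from the reputation feed and the DHCP server."""
import ipaddress

# Constructed reputation data: blocked domains (matched together with their
# subdomains) and networks that a resolved answer must not point into.
BLOCKED_DOMAINS = {"evil-c2.example", "dga-botnet.test"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed DHCP lease table keyed by client IP (the detail step 4 reports).
LEASES = {"10.1.2.30": {"mac": "00:11:22:33:44:55", "host": "laptop-17",
                        "fingerprint": "Windows 7"}}

def domain_blocked(qname):
    """True if qname equals a blocked domain or is a subdomain of one
    (label-aware, so notevil-c2.example does not match evil-c2.example)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def answer_blocked(answer_ip):
    """True if a resolved address falls inside a blocked network."""
    addr = ipaddress.ip_address(answer_ip)
    return any(addr in net for net in BLOCKED_NETWORKS)

def check_query(client_ip, qname, answer_ip=None):
    """Apply the policy: return None if allowed, else a syslog-style BLOCK
    record enriched with the client's lease details for later reporting."""
    if domain_blocked(qname):
        reason = "domain"
    elif answer_ip is not None and answer_blocked(answer_ip):
        reason = "ip"
    else:
        return None
    lease = LEASES.get(client_ip, {})
    return ("dns-firewall: BLOCK reason=%s client=%s qname=%s mac=%s host=%s "
            "fingerprint=%s" % (reason, client_ip, qname, lease.get("mac", "?"),
                                lease.get("host", "?"), lease.get("fingerprint", "?")))

if __name__ == "__main__":
    print(check_query("10.1.2.30", "cdn.evil-c2.example."))
    print(check_query("10.1.2.30", "www.example.com", "203.0.113.9"))
```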

Page 23

Malware / APT We Block

DGA: Domain generating algorithm malware that randomly generates domains to connect to malicious networks or botnets

Fast Flux: Rapidly changing domains & IP addresses used by malicious domains to obfuscate identity and location

APT / Malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye)

DNS Hijacking: Hijacking DNS registries & redirecting users to malicious domains

Geo-Blocking: Blocking access to geographies that have high rates of malicious domains or are under economic sanctions by the US Government

Page 24

Take the DNS Security Risk Assessment

1. Analyzes your organization’s DNS setup to assess level of risk of exposure to DNS threats

2. Provides DNS Security Risk Score and analysis based on answers given

3. www.infoblox.com/dnssecurityscore

Higher score = higher DNS security risk!!

Page 25

In Review

DNS is critical infrastructure

Unprotected DNS infrastructure introduces serious security risks

Infoblox Secure DNS Solution protects critical DNS services

Infoblox Advanced DNS Protection: Defend Against DNS Attacks

Infoblox DNS Firewall: Prevents Malware/APT from Using DNS

Hardened Appliance & OS: Secure the DNS Platform

Page 26

Thank you!

For more information www.infoblox.com