Page 1

Securing External & Internal DNS
Edward O’Connell | Sr. Product Marketing Manager
February 2014
© 2013 Infoblox Inc. All Rights Reserved.


Page 2

Agenda

• Infoblox Secure DNS Solutions
• Security Challenge
• Infoblox Overview
• Attacks on DNS
• Malware / APT

Page 3

Infoblox Overview & Business Update

• Founded in 1999
• Headquartered in Santa Clara, CA with global operations in 25 countries
• Market leadership
  – Gartner “Strong Positive” rating
  – 40%+ market share (DDI)
• 6,900+ customers, 55,000+ systems shipped
• 35 patents, 29 pending
• IPO April 2012: NYSE BLOX
• Leader in technology for network control

Total Revenue ($MM, fiscal year ending July 31), as read from the bar chart in the chart’s left-to-right order: FY2007 $35.0, FY2008 $56.0, FY2009 $61.7, FY2010 $102.2, FY2011 $132.8, FY2012 $169.2, FY2013 $225.0 (30% CAGR).

Page 4

Infoblox: Technology for Network Control

[Architecture diagram; labels recovered from the figure:]
• Network infrastructure: firewalls, switches, routers, web proxy, load balancers
  – Infrastructure security: discovery, real-time configuration & change, compliance
• Apps & end-points: end points, virtual machines, private cloud, applications
  – Historical / real-time reporting & control
• Control plane: essential network control functions, DNS, DHCP, IPAM (DDI), on the Infoblox Grid™ with real-time network database

Page 5

DNS – Cornerstone of the Internet

DNS not working?! Then your applications won’t work either…

Page 6

Another View of DNS… the 1st 30 seconds of starting up an iPhone…

[Figure: DNS queries issued per activity during the first 30 seconds. Activities shown: startup, weather, maps, iTunes, App Store, stocks, reading a message, checking mail, updating 1 app, Concur, Twitter, Facebook. Query counts printed on the figure (as extracted, not matched to activities): 4, 7, 16, 3, 12, 3, 37, 10, 68*, 15, 50, 12.]

Page 7

Why is DNS an Ideal Target?

• DNS is the cornerstone of the Internet, used by every business and government
• DNS as a protocol is easy to exploit
• Maximum impact with minimum effort
• Traditional protection is ineffective against evolving threats

Page 8

Today’s Security Challenges

1. Attacks target DNS to bring down IT infrastructure
2. APT / malware exploits DNS to steal data

Page 9

2013 – DNS Threat is Significant

• Attacks against DNS infrastructure growing
  – DNS-specific attacks up 216% in 2013
  – ICMP, SYN, UDP attacks

Attack vectors by protocol (Source: Arbor Networks; values as read from the bar chart, in the chart’s order): HTTP 82%, DNS 77%, SMTP 25%, HTTPS 54%, SIP/VoIP 20%, IRC 6%, Other 9%. DNS is the #2 attack-vector protocol.

DDoS attack types, Q4 2013 (Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013); infrastructure layer: 76.76%:
• UDP fragment: 17.11%
• SYN: 14.56%
• UDP floods: 13.15%
• ICMP: 9.71%
• DNS: 9.58%
• CHARGEN: 6.39%
• ACK: 2.81%
• RESET: 1.4%
• FIN PUSH: 1.28%
• SYN PUSH: 0.38%
• RP: 0.26%
• TCP fragment: 0.13%

Page 10

Security Breaches Using Malware / APT, 2013–2014

[Timeline figure spanning Q1–Q4; only the axis labels survived extraction.]

Page 11

Attacks target DNS to bring down IT infrastructure

Page 12

Infoblox DNS Attack Mitigation: Advanced DNS Protection

Unique Detection and Mitigation
• Intelligently distinguishes legitimate DNS traffic from attack traffic such as DDoS, DNS exploits and tunneling
• Mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests

Centralized Visibility
• Centralized view of all attacks happening across the network through detailed reports
• Intelligence needed to take action

Ongoing Protection Against Evolving Threats
• Regular automatic threat-rule updates based on threat analysis and research
• Helps mitigate attacks sooner vs. waiting for patch updates

Page 13

External DNS – Mitigation of Attacks: How does it work?

[Architecture diagram; components recovered from the figure:]
• Infoblox Threat-rule Server: pushes automatic updates
• Grid Master: Grid-wide rule distribution
• Infoblox Advanced DNS Protection (External Authoritative), new, and Infoblox Advanced DNS Protection (Internal Recursive), new: block DNS attacks (amplification, cache poisoning, reconnaissance, DNS exploits) while legitimate traffic continues to be answered
• Reporting Server: receives data for reports; reports on attack types and severity

Page 14

Attacks We Protect Against

• DNS reflection/DrDoS attacks: using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
• DNS amplification: using a specially crafted query to create an amplified response to flood the victim with traffic
• DNS-based exploits: attacks that exploit vulnerabilities in the DNS software
• TCP/UDP/ICMP floods: denial of service at layer 3, bringing a network or service down by flooding it with large amounts of traffic
• DNS cache poisoning: corruption of the DNS cache data with a rogue address
• Protocol anomalies: causing the server to crash by sending malformed packets and queries
• Reconnaissance: attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
• DNS tunneling: tunneling of another protocol through DNS for data exfiltration

Page 15

Anatomy of an Attack: NTP-based DDoS

• NTP syncs time between machines on the network; it uses UDP over port 123
• Attackers exploit the Network Time Protocol (NTP)
• Similar to a DNS reflection attack: small spoofed packets requesting a large amount of data are sent so that the responses land on the victim’s IP address, causing DDoS
• Attacks spiked in mid-December
• 15,000 IP addresses affected
• Abuses the “monlist” command in older NTP versions
• Advanced DNS Protection ensures that DNS does not participate in NTP attacks

How the attack works (diagram): Attacker → Internet → spoofed queries → servers with older/misconfigured NTP → reflected, amplified packets → target victim

Page 16

How Infoblox helps protect against NTP-based attacks

[Diagram: Infoblox Threat Rule Server feeds Infoblox Advanced DNS Protection; the arriving traffic is a mix of legitimate traffic, reconnaissance and NTP-based attacks.]

1. Reconnaissance followed by NTP-based attacks come interspersed with legitimate traffic.
2. Advanced DNS Protection already has a threat-mitigation rule when NTP is enabled. This rule monitors NTP responses and drops them if the packet rate seems abnormal. The rule blocks traffic from any source IP address for a specified period of time if it sends more packets than a pre-defined value.
3. Advanced DNS Protection blocks the reconnaissance traffic and NTP-based attack traffic and responds only to legitimate traffic.
4. Advanced DNS Protection logs the reconnaissance events and NTP-based attack events (reports on attacks) to facilitate early detection and mitigation.

Infoblox Advanced DNS Protection protects against being an unwanted accomplice to NTP-based DDoS.
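The rule in step 2 (count packets per source IP, and block a source for a fixed period once it sends more than a pre-defined value) as an added Python example; it is not Infoblox code. The threshold, window, block duration, addresses and traffic are constructed for illustration, and the example generalizes the NTP case to any per-source packet stream.

```python
"""Per-source packet-rate rule with a timed block, in the spirit of the
NTP threat-mitigation rule described above: count packets from each source
in a sliding window and, once a source exceeds the threshold, drop
everything from it for a fixed period. Added example, not Infoblox code;
thresholds, addresses and traffic are constructed."""
from collections import deque


class SourceRateRule:
    """Sliding-window packet counter with a timed per-source block."""

    def __init__(self, max_packets, window, block_seconds):
        self.max_packets = max_packets      # packets tolerated per window
        self.window = window                # window length in seconds
        self.block_seconds = block_seconds  # how long a tripped source stays blocked
        self._recent = {}                   # src -> deque of packet timestamps
        self._blocked_until = {}            # src -> time the block expires

    def check(self, src, now):
        """Return "block" or "pass" for one packet from src arriving at time now."""
        until = self._blocked_until.get(src)
        if until is not None:
            if now < until:
                return "block"            # still inside the block period
            del self._blocked_until[src]  # block expired; start counting afresh
            self._recent.pop(src, None)
        q = self._recent.setdefault(src, deque())
        q.append(now)
        while now - q[0] > self.window:   # forget packets older than the window
            q.popleft()
        if len(q) > self.max_packets:     # threshold exceeded: block for a fixed period
            self._blocked_until[src] = now + self.block_seconds
            self._recent.pop(src, None)
            return "block"
        return "pass"


def build_sample():
    """Constructed traffic: a well-behaved client and an abusive source."""
    pkts = [(float(t), "198.51.100.10") for t in range(40)]        # 1 packet/s for 40 s
    pkts += [(0.5 + i * 0.02, "203.0.113.5") for i in range(25)]   # 25 packets in half a second
    pkts += [(20.0, "203.0.113.5"), (45.0, "203.0.113.5")]         # probes during and after the block
    return sorted(pkts)


def apply_rule(packets, rule):
    """Run every packet through the rule; return per-source pass/block counts."""
    counts = {}
    for t, src in packets:
        verdict = rule.check(src, t)
        counts.setdefault(src, {"pass": 0, "block": 0})[verdict] += 1
    return counts


if __name__ == "__main__":
    rule = SourceRateRule(max_packets=10, window=1.0, block_seconds=30.0)
    for src, c in apply_rule(build_sample(), rule).items():
        print(f"{src}: {c['pass']} passed, {c['block']} dropped")
```

With a threshold of 10 packets per second and a 30-second block, the abusive source gets its first ten packets through, is then dropped for the rest of its burst and for the probe at 20 s, and is counted afresh once the block has expired; the one-packet-per-second client is never touched. The block period is what keeps a reflector from being re-tripped packet by packet during a sustained flood.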

Page 17

APT / malware exploits DNS to steal data

Page 18

Infoblox DNS Firewall

Intelligent Detection & Protection
• Detect and block malware queries for malicious domains and networks
• Open architecture for reputation data; integration with FireEye NX Series for APT alerts

Centralized Visibility
• Detailed view of infected clients: IP & MAC address of the infected device, device type / host name

Automatic Threat Updates
• Automatic updates to protect against evolving malicious domains and networks

Page 19

Malware / APT Blocking: How Does it Work?

1. An infected device is brought into the office. Malware spreads to other devices on the network.
2. Malware makes a DNS query to find “home” (botnet / C&C): it calls home via a DNS query.
3. DNS Firewall (on Infoblox DDI) blocks the DNS query (by domain name / IP address); the blocked attempt is sent to Syslog.
4. Infoblox Reporting lists blocked attempts as well as the
   • IP address
   • MAC address
   • Device type (DHCP fingerprint)
   • Host name
   • DHCP lease

Reputation data (the list of malicious domains) comes from:
• DNS Firewall Subscription
• FireEye Adapter (NX Series)
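The blocking and logging steps above (match a query by domain name or by the address it resolves to, then record the blocked attempt with the client’s MAC, device type and host name from DHCP lease data) as an added Python example; it is not Infoblox code. The reputation data, the DHCP lease table and all helper names are constructed for the example, and `evaluate` takes the resolved answers as a parameter rather than performing a real lookup.

```python
"""Resolver-side policy filter modelled on the DNS Firewall flow described
above: block a query by domain name or by the address it resolves to, and
log the blocked attempt together with the client's MAC, device type and
host name from DHCP lease data. Added example, not Infoblox code; every
domain, address and lease below is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed reputation data. In the deck this comes from the DNS Firewall
# subscription feed or the FireEye adapter.
BLOCKED_DOMAINS = {"c2.bad-example.net", "dga-seed.example"}   # name and all subdomains
BLOCKED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]      # answers inside these ranges

# Constructed DHCP lease table (what Infoblox DDI would supply):
# client IP -> (MAC address, device type from the DHCP fingerprint, host name)
LEASES = {
    "10.1.5.23": ("00:11:22:33:44:55", "Windows 7 workstation", "LAPTOP-17"),
}


@dataclass
class Verdict:
    action: str         # "allow" or "block"
    reason: str
    log_line: str = ""  # syslog-style record, filled in only for blocks


def domain_matches(qname, blocked):
    """True if qname or any parent domain of it is on the blocklist."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def answer_matches(answers, networks):
    """Return the first answer address inside a blocked network, else None."""
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in networks):
            return addr
    return None


def _block(client_ip, qname, reason):
    """Build the block verdict and the log record used to drive remediation."""
    mac, device, host = LEASES.get(client_ip, ("unknown", "unknown", "unknown"))
    log = (f"dns-firewall action=block client={client_ip} mac={mac} "
           f'device="{device}" host={host} qname={qname} reason="{reason}"')
    return Verdict("block", reason, log)


def evaluate(client_ip, qname, answers):
    """Policy decision for one query. `answers` are the A records the resolver
    obtained for qname (passed in here instead of performing a real lookup)."""
    if domain_matches(qname, BLOCKED_DOMAINS):
        return _block(client_ip, qname, "blocked domain")
    hit = answer_matches(answers, BLOCKED_NETWORKS)
    if hit is not None:
        return _block(client_ip, qname, f"answer {hit} in blocked network")
    return Verdict("allow", "no policy match")


if __name__ == "__main__":
    for q, a in [("update.c2.bad-example.net.", ["203.0.113.9"]),
                 ("cdn.innocent-example.org", ["192.0.2.77"]),
                 ("www.innocent-example.org", ["198.51.100.4"])]:
        v = evaluate("10.1.5.23", q, a)
        print(v.action, q, v.log_line)
```

The answer-address check is what catches the malvertising case later in the deck, where many throwaway domains all resolve to one known-bad address: the names change, the network does not. Matching the blocklist label by label (rather than by string suffix) keeps `notbad-example.net` from being treated as a child of `bad-example.net`.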

Page 20

Securing DNS From Malware / APT

• DGA: domain-generation-algorithm malware that randomly generates domains to connect to malicious networks or botnets
• Fast flux: rapid changing of the domains & IP addresses used by malicious domains to obfuscate identity and location
• APT / malware: malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye)
• DNS hijacking: hijacking DNS registries and re-directing users to malicious domains
• Geo-blocking: blocking access to geographies that have high rates of malicious domains or are under US Government economic sanctions

Page 21

DNS Firewall Protection: Cryptolocker “Ransomware”

• Targets Windows-based computers
• Appears as an attachment to a legitimate-looking email
• Upon infection, encrypts files on the local hard drive & mapped network drives
• Ransom: 72 hours to pay US$300
• Fail to pay and the encryption key is deleted and the data is gone forever
• The only way to stop it (after the executable has started) is to block the outbound connection to the encryption server

Page 22

Cryptolocker Timeline and Infoblox Response

[Diagram: Infoblox DDI with DNS Firewall, fed by the Infoblox malware data feed, logging to Syslog.]

1. September 13 – Trial run: initial roll-out of Cryptolocker started; limited distribution & payment testing. Oct. 8th – Full distribution via ‘pay per infection’.
2. October 18th – Cryptolocker behavior fully characterized. Infoblox DNS Firewall Subscription (malware data feed) updated with domains & IP addresses. Customers protected.
3. Infoblox DNS Firewall now blocks Cryptolocker encryption servers.
4. DNS Firewall logs (to Syslog) all attempted connections with Cryptolocker servers, complete with IP and MAC addresses and device type, to drive remediation.

Infoblox DNS Firewall Geo-blocks delivered zero-day protection against Cryptolocker by blocking Eastern Europe domains.

DNS Firewall Protection protects against Cryptolocker malware.

Page 23

DNS Firewall Protection: Yahoo! Ads iframes Re-direct

• Yahoo! Europe websites (Ads) – iframes injection; exploits older Java software
• Dec. 27th – Jan. 3rd: 27,000 users/hr. infected over 4+ days; 2.5M+ infected (estimated)
• Random domains / sub-domains resolve to a single network, IP: 193.169.245.78
• Installs the following malware:
  – ZeuS
  – Andromeda
  – Dorkbot/Ngrbot
  – Advertisement clicking
  – Tinba/Zusy
  – Necurs
• Secure DNS blocks DNS resolution to the IP address of the domain server hosting the malware

Domains observed:
• blistartoncom.org
• slaptonitkons.net
• original-filmsonline.com
• funnyboobsonline.org
• yagerass.org
• boxsdiscussing.net
• crisisreverse.net
• limitingbeyond.net
• Others

Path to infection (diagram): iframes redirect → HTTP redirect → malware installed

Page 24

Yahoo! Ads Re-direction Timeline and Infoblox Response

[Diagram: Infoblox DDI with DNS Firewall, fed by the Infoblox malware data feed, logging to Syslog.]

1. December 27th – Jan. 3rd: Yahoo! Ads infected with iframes re-direction. Users re-directed to domains where Java is exploited to install malware; 27,000/hr. infected. IP address for all sub-domains is 193.169.245.78. Installs various malware: ZeuS, Andromeda, Dorkbot/Ngrbot, advertisement clicking, Tinba/Zusy, Necurs.
2. 193.169.245.78 has been used previously for other attacks. DNS Firewall already has the IP address in its table to block. Customers protected.
3. DNS Firewall logs (to Syslog) all attempted connections with 193.169.245.78, complete with IP and MAC addresses, device type, host name and DHCP lease history, to drive remediation.

Infoblox DNS Firewall Subscription service Geo-blocks delivered zero-day protection against the Yahoo! malvertising by blocking Europe domains.

DNS Firewall Protection protects against the Yahoo! Ads iframes re-direct.

Page 25

Summary

• DNS is the cornerstone of the Internet
• Unprotected DNS infrastructure introduces security risks
• Infoblox Advanced DNS Protection
  – Protects against DNS-based attacks like DDoS, cache poisoning, malformed packets and tunneling
• Infoblox DNS Firewall
  – Detects & protects against APT / malware-based DNS queries designed to get around traditional security
  – Pinpoints the device to drive faster remediation (using Infoblox DDI)

Page 26

Q&A

Page 27

Thank you!

For more information www.infoblox.com