1 | © 2014 Infoblox Inc. All Rights Reserved. Infoblox Advanced DNS Protection Case Study Adam Obszyński | CEE SE PLNOG13 2014.09.29

PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection

DESCRIPTION

Adam Obszyński works at Infoblox as a Senior Systems Engineer responsible for CEE. He previously worked at Cisco, at several integrators (NXO, MCX, ATM) and operators (ATMAN, Polbox, Multinet). He has experience in designing and deploying network and application solutions and has been in the industry for 20 years. He is a certified CCIE #8557 and CISSP. He has given presentations and workshops at many conferences in Poland and abroad (including Cisco Live US & EU, Cisco Forum, Cisco Expo, PLNOG).

Presentation topic: Case Study – Infoblox Advanced DNS Protection
Presentation language: Polish

Abstract: Have you heard of the attack types listed below? Or perhaps experienced them in your own network?

  • Phantom domain attack
  • NXDomain attack
  • DNS reflection/DrDoS attacks
  • DNS amplification
  • DNS cache poisoning
  • Protocol anomalies
  • DNS tunneling
  • DNS hijacking

At the previous PLNOG I talked about the unique DNS protection provided by Infoblox ADP. This time I will talk about what we have done since then in DNS protection and present cases from our customers' network environments: what happened in those networks and how we dealt with the attacks on DNS. Infoblox Advanced DNS Protection provides a comprehensive solution for protecting DNS services against a wide range of attacks. The system intelligently distinguishes legitimate DNS traffic from the malicious DDoS traffic generated by attackers, as well as from DNS exploits and vulnerabilities. It automatically drops attack traffic while answering legitimate DNS traffic at full performance. In addition, Advanced DNS Protection receives automatic updates of its policies/rules, ensuring continuous protection against the latest developments in this area. Infoblox is the first and only vendor offering such an exceptional and unique solution for the highest level of protection of critical DNS services. More details on solutions for service providers: www.infoblox.com/sp

1. Infoblox Advanced DNS Protection: Case Study
   Adam Obszyński | CEE SE
   PLNOG13, 2014.09.29

2. Agenda
  • 1 DNS in the news
  • 2 DNS: How to prepare?
  • 3 ADP: What's new?
  • 4 ADP Stories

3. Infoblox and Service Providers
  • Dedicated SP product line
  • Leads the industry with >1M DNS qps and Advanced DDoS protection
  • Carrier-grade solution adopted at major Tier 1 providers
  • 220+ Service Providers; 55,000+ systems shipped; 7000+ Enterprises
  • Dedicated SP Business Unit: EVP from Juniper, Cisco carrier sales; dedicated Sales, SEs, Marketing, Engineering, Product Mgmt
  • Market leadership: #1 in DNS Caching; first DNS Firewall; competition in decline
  • IPO April 2012, NYSE (BLOX); $225M revenue; $2B market cap
  • Total Revenue in $M (Fiscal Year Ending July 31): FY2007 35.0; FY2008 56.0; FY2009 61.7; FY2010 102.2; FY2011 132.8; FY2012 169.2; FY2013 225.0

4. The Problem
  • DNS is one of the fastest growing attack vectors
  • Traditional protection is ineffective against evolving threats
  • DNS outage causes network downtime, loss of revenue, and negative brand impact
  • Unprotected DNS infrastructure introduces security risks

5. DNS Hijackings: 2013 & 2014

6. How DNS DDoS is Becoming Easier
  • Attack apps being built
  • DDoS attacks against major U.S. financial institutions
  • Launching (DDoS) taking advantage of server bandwidth
  • 4 types of DDoS attacks: DNS amplification, spoofed SYN, spoofed UDP, HTTP, plus proxy support
  • Script offered for $600-800

7. Malware/APT Requires DNS
   Every step of the malware life cycle relies on a query to the DNS server:
  • Infection: query a malicious domain
  • Download: query the call-home server
  • Exfiltration: query exfiltration destinations

8. The Rising Tide of DNS Threats: Are You Prepared?
   "The bottom line is organizations should invest in protecting their DNS infrastructure." Gartner, Leverage Your Network Design to Mitigate DDoS Attacks, Report ID G00253330, July 2013

9. Advanced DNS Protection: Defend Against DNS Attacks
   Protection against the widest range of DNS attacks (Threat Adapt Technology):
  • Intelligently defends against the widest range of attacks to ensure secure, resilient, and trustworthy DNS services
  • Blocks attacks while continuing to respond to legitimate DNS requests
  • Continuously adapts to evolving threats; automatically updates protection without patching or downtime
  • Uses the latest threat intelligence from analysis and research, and new threats seen in customer networks
  • Morphs protection to reflect DNS configuration changes
   Quick deployment:
  • Deploys easily and runs in any environment
  • Immediately starts blocking attacks, even if an attack is already in progress

10. Infoblox Differentiation and Value
   Comparison of Infoblox Advanced DNS Protection with Load Balancers, Pure DDoS, Next-gen Firewalls, IPS and Cloud across:
  • Dedicated compute for threat mitigation
  • Volumetric/DDoS Attacks: General DDoS, DNS DDoS, DNS amplification, DNS reflection
  • DNS-specific Exploits: DNS server OS and application vulnerabilities, DNS semantic attacks, cache poisoning, DNS tunneling, DNS hijacking

11. DNS Protection is Not Just About DDoS
   Volumetric/DDoS Attacks:
  • DNS reflection/DrDoS attacks: using third-party DNS servers (mostly open resolvers) to propagate a DoS or DDoS attack
  • DNS amplification: using a specially crafted query to create an amplified response to flood the victim with traffic
  • TCP/UDP/ICMP floods: denial of service on layer 3 or 4 by bringing a network or service down by flooding it with large amounts of traffic
   DNS-specific Exploits:
  • DNS-based exploits: attacks that exploit bugs or vulnerabilities in the DNS software
  • DNS cache poisoning: corruption of DNS server cache data with a rogue domain or IP
  • Protocol anomalies: causing the server to crash by sending malformed DNS packets and queries
  • Reconnaissance: attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
  • DNS tunneling: tunneling of another protocol through DNS port 53 for malware insertion and/or data exfiltration
  • DNS hijacking: modifying the DNS record settings to point to a rogue DNS server or domain
  • NXDomain attack: attacks that flood the DNS server with requests for non-existent domains, causing it to send NXDomain (non-existent domain) responses
  • Phantom domain attack: attacks where a DNS resolver is forced to resolve multiple non-existent domains, causing it to consume resources while waiting for responses

12. (diagram slide)

13. Advanced Appliances - Four Models
  • Authoritative & Cache, HW Protect: 50 000 qps, 143 000 qps, 200 000 qps
  • Caching / Recursive ONLY, HW Caching & HW Protect (done in hardware): 500 000 qps (ADP), 1 000 000 qps
   Advanced Appliances have next-generation programmable processors that provide dedicated compute for threat mitigation. The appliances offer both AC and DC power supply options.

14. Deployment Options
  • Enterprise: External Authoritative; Caching & Internal
  • Service Provider: Caching; Hosted/Ext. Authoritative
  • Advanced appliances PT-1400, PT-2200, PT-4000 can be used in both authoritative and recursive DNS deployments
  • 4030 appliances offer DNS Hardware Cache Acceleration for Caching/Recursive and offer protection against attacks on caching servers

15. DNS Caching: Protection against Attacks on DNS Caching Servers
   Advanced DNS Protection can secure the DNS Caching layer against internally or externally generated threats.
   Diagram: INTERNET; Data Center with GRID Master and Candidate (HA); INFRASTRUCTURE (Data Center, Disaster recovery site(s)) with IB-4030 + Advanced DNS Protection; Endpoints.

16. DNS Caching: Protection against attacks on caching servers
  • A large number of bots make more requests of the DNS server than it can handle
  • Causes the DNS server to drop inbound DNS requests
   Advanced DNS Protection can secure DNS Caching Servers from DNS floods and other threats.

17. Internal DNS (Service Provider IT): Protection against Internal Attacks on Recursive Servers
   Advanced DNS Protection can secure internal DNS environments where internal user traffic is hostile.
   Diagram: INTRANET (Campus office, Regional office(s), Disaster recovery site(s)); Data Center with GRID Master and Candidate (HA) and Advanced DNS Protection; Endpoints.

18. Secure DNS Deployment

19. Centralized Visibility: Reporting
   Intelligence needed to take action:
  • Attack details by category, member, rule, severity, and time
  • Visibility into the source of attacks for blocking, to understand scope and severity
  • Early identification and isolation of issues for corrective action

20. SIEM / Syslog LOGGING
   Threat Protection events are logged to syslog using CEF format, e.g.:

   2014-09-05T03:24:59+00:00 daemon (none) threat-protect-log[5986]: err CEF:0|Infoblox|NIOS Threat|6.10.0-225023|5053001|Blacklist:abc.com|7|src=10.32.2.52 spt=45242 dst=10.35.1.98 dpt=53 act="DROP" cat="BLACKLIST FQDN lookup UDP"

  • Syslog severity: Error (corresponds to rule severity Major)
  • Device product: NIOS Threat
  • NIOS version: 6.10.0-225023
  • Rule ID: 5053001
  • Rule name: Blacklist:abc.com
  • CEF Severity: 7
  • Source IP address: 10.32.2.52
  • Source port: 45242
  • Destination IP address: 10.35.1.98
  • Destination port: 53
  • Action: Drop
  • Rule category: Blacklist FQDN lookup UDP

21. What's NEW?

22. Monitor mode
   What is it? A what-if mode: the appliance generates the logs and dashboard entries for the packets it would drop as malicious and triggers attack detection, but it does not actually drop any packets, so the result is as if the box were in monitor-only mode.
   Caution: there is no actual mitigation of the attack. This is a passive mode, more or less like an IDS.

23. 4030 & PT-xxxx: NIC Failover
  • Problem to be solved: provides port-level protection on IB-4030/PT appliances
  • Feature description: allows the user to configure LAN1 and LAN2 in ACTIVE-PASSIVE mode: provides port-level (layer-2) redundancy between the LAN1 and LAN2 ports on appliances; if the link to one of the ports fails, the appliance fails over to the other port, avoiding a service disruption
  • Benefit: improves the overall product resiliency

24. High Availability Failover (VRRP) for 4030 & ADP
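As an added illustration of the slide 20 log format (example code written for this page, not Infoblox's own), the following Python parses a NIOS Threat CEF syslog line into its syslog, header and extension fields and then counts dropped queries per source, the kind of aggregation a SIEM would build from these events. The sample lines are constructed from the event shown on the slide.

```python
import re
import shlex
from collections import Counter

# Constructed sample: the event from slide 20 with its lost spaces restored, plus a
# made-up second event from the same source so the aggregation has something to count.
SAMPLE_EVENTS = [
    '2014-09-05T03:24:59+00:00 daemon (none) threat-protect-log[5986]: err '
    'CEF:0|Infoblox|NIOS Threat|6.10.0-225023|5053001|Blacklist:abc.com|7|'
    'src=10.32.2.52 spt=45242 dst=10.35.1.98 dpt=53 act="DROP" cat="BLACKLIST FQDN lookup UDP"',
    '2014-09-05T03:25:01+00:00 daemon (none) threat-protect-log[5986]: err '
    'CEF:0|Infoblox|NIOS Threat|6.10.0-225023|5053001|Blacklist:abc.com|7|'
    'src=10.32.2.52 spt=45243 dst=10.35.1.98 dpt=53 act="DROP" cat="BLACKLIST FQDN lookup UDP"',
]

# Syslog prefix: timestamp, facility, host, tag[pid], severity word, then the CEF record.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\S+) (?P<facility>\S+) (?P<host>\S+) "
    r"(?P<tag>[\w-]+)\[(?P<pid>\d+)\]: (?P<syslog_severity>\w+) (?P<cef>CEF:.*)$"
)
# The seven CEF header fields, in the order they appear between the pipes.
CEF_HEADER = ("cef_version", "vendor", "product", "version", "rule_id", "rule_name", "cef_severity")


def parse_threat_event(line):
    """Return one flat dict of syslog, CEF header and extension fields for a NIOS Threat line."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        raise ValueError("not a threat-protect-log CEF line")
    event = m.groupdict()
    cef = event.pop("cef")
    # Header fields are pipe-separated; maxsplit keeps the extension intact as the 8th part.
    parts = cef.split("|", len(CEF_HEADER))
    if len(parts) != len(CEF_HEADER) + 1:
        raise ValueError("malformed CEF header")
    event.update(zip(CEF_HEADER, parts))
    event["cef_version"] = event["cef_version"].split(":", 1)[1]
    event["cef_severity"] = int(event["cef_severity"])
    # Extension is key=value pairs; shlex strips the quotes Infoblox puts around act= and cat=.
    for token in shlex.split(parts[-1]):
        key, _, value = token.partition("=")
        event[key] = value
    return event


def drops_by_source(lines):
    """Count dropped queries per source address, the input used to scope an attack."""
    counts = Counter()
    for line in lines:
        event = parse_threat_event(line)
        if event["act"] == "DROP":
            counts[event["src"]] += 1
    return counts
```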
25. NXDomain - Rate limiting
   What is it? There are attacks that overwhelm DNS servers in recursion mode with the NXDOMAIN processing needed for the non-existent domain requests generated by the attacker. If a client has generated a large number of NXDOMAIN responses, we block requests coming from that particular client for a configurable period of time.
   How can NXDOMAIN rate limiting help?
  • Clients generating these responses are blocked, so other legitimate DNS queries are answered
  • Rate limiting on NXDOMAIN can prevent the outbound WAN bandwidth choke in case the server is being used as an attack source

26. Black listed domain names
   What are black list domains? Independently, the Infoblox research team that writes the threat rules receives petabytes of traffic from various tap ports in different geo locations and mines this data to identify the bad/phantom domains that showed symptoms of these types of attacks. As a result of this effort, we are updating the Threat rules ruleset with these newly identified bad domains.
   From the customer's perspective: all you need is to keep the subscription updates ON. This will automatically add new domains to the rule set.

27. DNS Integrity: Check
   What is it? Provides a way to check parent name servers to ensure that domains are not hijacked, ensuring DNS integrity.
   Where is it applicable? This feature is useful for all our authoritative DNS server use cases. It applies to authoritative servers and only checks against top-level domains (TLDs).
   Notification provided by: Syslog, Email notification, SNMP notification, Dashboard.

28. DNS Integrity: Types of alerts
   There may be different types of discrepancies between the parent and the authoritative NS RRs. They could be of type:
  • CRITICAL: the authoritative and the delegated NS RRsets are completely disjoint (the New York Times attack use case). Disjoint set: {A} {D}
  • SEVERE: authoritative and delegated NS RRsets overlap but are different (a use case of partial compromise or an honest mistake of broken delegation). Slight overlap: {A {overlap} D}
  • WARNING: the authoritative NS RRset is a subset of the delegated RRset (possibility of someone adding the wrong IP address to the list at the registrar). A as a subset of D: {D(A)}
  • INFORMATIONAL: the delegated NS RRset is a subset of the authoritative RRset (use case where there is a delay in registration). D as a subset of A: {A(D)}

29. Time for a story
   http://mlpeters.com

30. For Whom the Bell Tolls?
  • Support ticket for DNS under stress?
  • Name of the company in the news
  • Compliance requirements?
  • Finance and Banking!
  • Insurance & Risk

31. If not ADP - Options Today?
  • Over-provisioning infrastructure: costly, inefficient
  • Put an IPS device or a next-gen firewall in front of the DNS server: +1 point of failure; turning on so many services is compute intensive; no deep understanding of the DNS protocol; no deep DNS-specific attack coverage
  • Cloud-based solutions: basic rate limiting, focused on volumetric attacks; privacy concerns (and data mining concerns); latency

32. And what will your story be?
   http://mlpeters.com

33. Join me for the session on DNSSEC. Tuesday:

34. Rumours on the net, or: where is it worth looking?

35. DNS Security Risk Assessment
  • 1. Analyzes an organization's DNS setup to assess the level of risk of exposure to DNS threats
  • 2. Provides a DNS Security Risk Score and analysis based on the answers given
  • 3. www.infoblox.com/dnssecurityscore
   The higher the score, the higher the DNS Security Risk!

36. Best Practices Poster
   http://www.infoblox.com/downloads/resources/securing-dns-best-practices

37. (image slide)

38. Videos
  • Advanced DNS Protection Demo: provides technical validation; shows what the UI looks like before and during simulated attacks; shows fine-tuning capabilities and reports. https://www.youtube.com/watch?v=Mg6jC7ljtnw
  • Executive Video: provides technical validation; shows that Advanced DNS Protection responds to all of the good DNS queries even under attack, while BIND and Microsoft get overwhelmed. https://www.youtube.com/watch?v=PR6Sv-buoP8

39. Q&A
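The four DNS Integrity alert types from slide 28, as an added Python example (not Infoblox's code): the set relation between the zone's authoritative NS RRset (A) and the parent's delegated NS RRset (D) decides the alert level. Treating identical RRsets as OK, normalizing name case and trailing dots, and the example name servers are my assumptions; the sample delegations are constructed.

```python
from enum import Enum


class Alert(Enum):
    """Alert levels from slide 28; OK is an added assumption for matching RRsets."""
    CRITICAL = "authoritative and delegated NS RRsets are disjoint"
    SEVERE = "NS RRsets overlap but differ on both sides"
    WARNING = "authoritative NS RRset is a proper subset of the delegated RRset"
    INFORMATIONAL = "delegated NS RRset is a proper subset of the authoritative RRset"
    OK = "NS RRsets match"


def normalize(names):
    """DNS names compare case-insensitively and regardless of the trailing dot."""
    return {name.lower().rstrip(".") + "." for name in names}


def classify_ns_rrsets(authoritative, delegated):
    """Compare the zone's own NS RRset (A) with the parent's delegation NS RRset (D)."""
    a, d = normalize(authoritative), normalize(delegated)
    if a == d:
        return Alert.OK
    if a.isdisjoint(d):        # {A} {D}: no server in common, the hijack case
        return Alert.CRITICAL
    if a < d:                  # {D(A)}: the registrar lists servers the zone does not
        return Alert.WARNING
    if d < a:                  # {A(D)}: the zone lists servers the parent does not yet
        return Alert.INFORMATIONAL
    return Alert.SEVERE        # {A {overlap} D}: partial overlap with extras on both sides


def delegation_report(authoritative, delegated):
    """Alert level plus the names each side lacks, for the syslog/email/SNMP notification."""
    a, d = normalize(authoritative), normalize(delegated)
    return {
        "alert": classify_ns_rrsets(a, d).name,
        "only_in_authoritative": sorted(a - d),
        "only_in_delegated": sorted(d - a),
    }


# Constructed sample: a zone served by two name servers and several parent-side delegations.
ZONE_NS = {"ns1.example.net.", "ns2.example.net."}
SAMPLE_DELEGATIONS = {
    "hijacked": {"ns1.rogue.example.", "ns2.rogue.example."},  # CRITICAL
    "partial": {"ns1.example.net.", "ns1.rogue.example."},     # SEVERE
    "extra_at_registrar": ZONE_NS | {"ns3.example.net."},       # WARNING
    "pending_registration": {"ns1.example.net."},              # INFORMATIONAL
    "case_differs": {"NS1.EXAMPLE.NET", "ns2.example.net."},   # OK
}
```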