DNS is critical network infrastructure, and securing it against attacks like DDoS, NXDOMAIN floods, hijacking and malware/APT command-and-control traffic is very important to protecting any business.
1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2014 Infoblox Inc. All Rights Reserved.
Domain Name System (DNS): Network Security Asset or Achilles Heel?
Srikrupa Srivatsan, Sr. Product Marketing Manager, Infoblox
September 19, 2014
Agenda
• What is DNS and How Does it Work?
• Threat Landscape Trends
• Common Attack Vectors
  – Anatomy of an attack: DNS Hijacking
  – Anatomy of an attack: Reflection Attack
  – Anatomy of an attack: DNS DDoS
• How To Protect Yourself?
• Q & A
What is the Domain Name System (DNS)?
• Address book for all of the internet
• Translates “google.com” to 173.194.115.96
• Invented in 1983 by Paul Mockapetris (UC Irvine)
Without DNS, the Internet and network communications would stop
How Does DNS Work?
The slide walks a lookup of www.google.com (173.194.115.96) through the client, the ISP DNS server and an upstream (root/authoritative) DNS server:
1. Client → ISP DNS server: “I need directions to www.google.com”
2. ISP DNS server: “That domain is not in my server, I will ask another DNS server” (it recurses toward the root and authoritative servers)
3. Upstream DNS server → ISP DNS server: “That’s in my cache, it maps to 173.194.115.96”
4. ISP DNS server: “Great, I’ll put that in my cache in case I get another request”, and returns 173.194.115.96 to the client
5. Client: “Great, now I know how to get to www.google.com”
The answer cached in step 4 is handed to every later client until its TTL expires, which is why a poisoned cache (see the attack list below) affects far more than one lookup.
For Bad Guys, DNS Is a Great Target
• DNS is the cornerstone of the Internet, used by every business and government
• DNS is fairly easy to exploit
• Traditional protection is ineffective against evolving threats
DNS Outage = Business Downtime
The Rising Tide of DNS Threats: Are You Prepared?
• In the last year alone there has been an increase of 200% in DNS attacks and 58% in DDoS attacks [1]
• With possible amplification of up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge
• 33M open recursive DNS servers [2], of which 28M pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks [2]
• With enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant
1. Quarterly Global DDoS Attack Report, Prolexic, 1st Quarter, 2013
2. www.openresolverproject.org
The Rising Tide of DNS Threats
DNS attacks are rising for 3 reasons:
1. Easy to spoof (DNS runs over UDP with no handshake, so the source address can be forged)
2. Asymmetric amplification
3. High-value target
Countries of origin for the most DDoS attacks in the last year: China, US, Brazil, Russia, France, India, Germany, Korea, Egypt, Taiwan
The Rising Tide of DNS Threats: Financial impact is huge
• Average estimated loss per DDoS event in 2012 ranged from $7.7M to $13.6M to $17M across the financial services, technology company and government sectors shown [3]
• $27 million: the average loss for a 24-hour outage from a DDoS attack [3]
Top industries targeted [4]: Enterprise 42%, Commerce 29%; by vertical: Retail 22%, Business Services 21%, Media & Entertainment 17%, Financial Services 13%, High Tech 7%, Public Sector 5%, Hotels 5%, Miscellaneous 5%, Healthcare 2%, Consumer Goods 2%, Automotive 1%
3. Develop A Two-Phased DDoS Mitigation Strategy, Forrester Research, Inc., May 17, 2013
4. State of the Internet, Akamai, 2nd Quarter, 2013
DNS Attack Vectors
The DNS Security Challenges
1. Securing the DNS Platform
2. Defending Against DNS Attacks: DDoS / Cache Poisoning
3. Preventing Malware from using DNS
Anatomy of an Attack: DNS Hijacking (Syrian Electronic Army)
Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
How the attack works (attacker → open resolvers on the Internet → target victim):
• Combines reflection and amplification
• Uses third-party open resolvers in the Internet (unwitting accomplices)
• Attacker sends spoofed queries (source address set to the victim) to the open recursive servers
• Uses queries specially crafted to result in a very large response (for example ANY or TXT lookups for a zone with large records)
• The resolvers deliver those large responses to the victim, causing DDoS on the victim’s server
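An added example (not from the Infoblox deck) that serves both the lookup walkthrough above and this DrDoS slide: it builds and parses the RFC 1035 wire format a resolver exchanges, then measures the amplification a spoofed query earns. The packets are constructed in memory (no network I/O), and the example.com zone with ten 255-character TXT records is a made-up input chosen because that is the shape of zone reflectors get pointed at.

```python
"""RFC 1035 wire format: build a query, build/parse a response, and compute
the amplification factor a reflector hands an attacker. Added example; all
packets are constructed in memory (no network), and the example.com TXT data
is invented for the demonstration."""
import struct

QTYPE = {"A": 1, "TXT": 16, "ANY": 255}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Read a name, following 0xC0xx compression pointers (hop-bounded so a
    crafted pointer loop cannot hang the parser). Returns (name, next offset)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, qname, qtype="A"):
    """12-byte header (RD=1 so a recursive server resolves it) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)


def build_response(query, answers):
    """Answer a query: copy TXID and question, set QR/RD/RA, append answer RRs
    whose owner is a pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = query[12:]
    for rtype, ttl, rdata in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE[rtype], 1, ttl, len(rdata)) + rdata
    return header + body


def parse_message(msg):
    """Parse the header, the first question and the answer section."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, QTYPE_NAME.get(rtype, rtype), ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qname": qname,
            "qtype": QTYPE_NAME.get(qtype, qtype), "answers": answers}


def txt_rdata(text):
    """TXT RDATA is one or more <length><chars> strings of at most 255 bytes."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def amplification_factor(query, response):
    """Bytes the reflector sends to the victim per byte the attacker sends."""
    return len(response) / len(query)


def demo():
    # Constructed: a 29-byte ANY query for example.com and a response carrying
    # ten 255-character TXT records (2,709 bytes on the wire).
    query = build_query(0x1234, "example.com", "ANY")
    response = build_response(query, [("TXT", 300, txt_rdata("x" * 255))] * 10)
    return parse_message(response), amplification_factor(query, response)
```

demo() returns the parsed response and a factor of roughly 93: the attacker spends 29 bytes and the victim receives 2,709, and because the query is a single UDP datagram nothing in the exchange ties the source address to the sender. Rate-limiting responses (RRL) and refusing recursion to outside clients are what stop a server from being the reflector in this picture.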
Anatomy of an Attack: DNS DDoS For Hire
• DDoS attacks against major U.S. financial institutions
• Launching DDoS taking advantage of server bandwidth
• 4 types of DDoS attacks: DNS amplification, spoofed SYN, spoofed UDP, HTTP (with proxy support)
• Script offered for $800
The Rising Tide of DNS Threats: Top 10 DNS attacks
• DNS amplification: Use amplification in DNS reply to flood victim
• Protocol anomalies: Malformed DNS packets causing server to crash
• DNS hijacking: Subverting resolution of DNS queries to point to rogue DNS server
• Reconnaissance: Probe to get information on network environment before launching attack
• Fragmentation: Traffic with lots of small out-of-order fragments
• TCP/UDP/ICMP floods: Flood victim’s network with large amounts of traffic
• DNS cache poisoning: Corruption of a DNS cache database with a rogue address
• DNS tunneling: Tunneling of another protocol through DNS for data exfiltration
• DNS-based exploits: Exploit vulnerabilities in DNS software
• DNS reflection/DrDoS: Use third-party DNS servers to propagate DDoS attack
Protection Best Practices
Help Is On the Way!
• Collaboration
• Dedicated Appliances
• Monitoring
• DNSSEC
• RPZ
• Advanced DNS Protection
Get the Teams Talking – Questions to Ask:
• Who in your org is responsible for DNS Security?
• What methods, procedures, tools do you have in place to detect and mitigate DNS attacks?
• Would you know if an attack was happening, would you know how to stop it?
Teams involved: Network Team, Security Team, IT Apps Team, IT Ops Team
Hardened DNS Appliances
Conventional Server Approach:
– Many open ports subject to attack
– Users have OS-level account privileges on server
– Requires time-consuming manual updates
Hardened Appliance Approach:
– Dedicated hardware with no unnecessary logical or physical ports (limited port access)
– No OS-level user accounts – only admin accounts
– Immediate updates to new security threats (update service)
– Secure HTTPS-based access to device management
– No SSH or root-shell access
– Encrypted device-to-device communication
Monitoring & Alert on Aggregate Query Rate
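An added example, not part of the deck, of the aggregate-rate alerting this slide calls for: it parses a constructed, BIND-style query log (the line format, client addresses, names and timestamps are all made up for the demonstration), buckets queries into one-second windows, learns a baseline from the first few windows, and raises an alert naming the top-talking source when a window exceeds both a multiple of the baseline and an absolute floor. Real deployments read the server's own query log or statistics channel and tune the thresholds to their traffic.

```python
"""Aggregate query-rate monitor over a BIND-style query log. Added example;
the log lines, addresses and thresholds below are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed line shape: "<iso-timestamp> client <ip>#<port>: query: <name> IN <type> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_log(lines):
    """Yield (seconds since first line, source ip, qname, qtype); skip lines that do not match."""
    t0 = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        t = datetime.fromisoformat(m.group("ts")).timestamp()
        if t0 is None:
            t0 = t
        yield t - t0, m.group("src"), m.group("qname"), m.group("qtype")


def window_counts(records, window=1.0):
    """Return [(window index, total queries, Counter by source)] in time order."""
    buckets = defaultdict(Counter)
    for rel_t, src, _qname, _qtype in records:
        buckets[int(rel_t // window)][src] += 1
    return [(w, sum(c.values()), c) for w, c in sorted(buckets.items())]


def detect_query_floods(records, window=1.0, baseline_windows=3, factor=5.0, floor=20):
    """Alert on any window whose aggregate count exceeds factor x baseline AND an
    absolute floor (the floor keeps a quiet server from alerting on 3 -> 16 qps)."""
    stats = window_counts(records, window)
    base = stats[:baseline_windows]
    baseline = max(1.0, sum(n for _, n, _ in base) / max(1, len(base)))
    alerts = []
    for w, total, by_src in stats[baseline_windows:]:
        if total >= floor and total > factor * baseline:
            top_src, top_n = by_src.most_common(1)[0]
            alerts.append({"window": w, "qps": total / window, "baseline_qps": baseline / window,
                           "top_source": top_src, "top_share": top_n / total})
    return alerts


def constructed_log():
    """Three quiet seconds (5 q/s from office clients), then one second in
    which 198.51.100.7 fires 60 ANY queries at the server. All values made up."""
    lines = []
    for sec in range(4):
        for i in range(5):
            lines.append(f"2014-09-19T10:00:{sec:02d}.{i * 100:03d} client 10.0.0.{i + 1}#5{i}000: "
                         f"query: host{i}.corp.example IN A + (10.0.0.53)")
    for i in range(60):
        lines.append(f"2014-09-19T10:00:03.{i * 10 + 5:03d} client 198.51.100.7#4{i:04d}: "
                     f"query: r{i}.victim.example IN ANY + (10.0.0.53)")
    lines.append("2014-09-19T10:00:03.999 garbage line that should be skipped")
    return lines


def demo():
    return detect_query_floods(parse_log(constructed_log()))
```

demo() returns one alert for window 3 (65 qps against a 5 qps baseline) with 198.51.100.7 responsible for about 92% of it, which is the information an operator needs to rate-limit or block the source rather than the whole server.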
DNSSEC
• DNS Security Extensions
• Defends against cache poisoning, including the Kaminsky vulnerability: a forged answer that wins the transaction-ID race still fails signature validation (only where the zone is signed and the resolver validates)
• Uses public key cryptography to verify the authenticity of DNS zone data (records)
  – DNSSEC zone data is digitally signed using a private key for that zone
  – A DNS server receiving DNSSEC-signed zone data can verify the origin and integrity of the data by checking the signature using the public key for that zone
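An added example, not from the deck, of the validation logic the slide describes: the zone owner signs a canonical RRset with its private key, and a resolver with the zone's public key as trust anchor checks the signature, so a record rewritten with a rogue address (the cache-poisoning case) is rejected as bogus. The zone, the records and the key are constructed, and the signature is textbook RSA over a SHA-256 digest with tiny fixed primes so it runs with the standard library only; it is not real DNSSEC (no RRSIG/DNSKEY/DS wire format, padding or real key sizes).

```python
"""DNSSEC-style origin/integrity check on an RRset. Added example: zone,
records and key are constructed, and the signature is toy textbook RSA with
tiny fixed primes (assumption, never use such keys). It shows the decision a
validating resolver makes, not the DNSSEC record formats."""
import hashlib

_P = 2147483647                # 2^31 - 1 (prime), toy size
_Q = 2305843009213693951       # 2^61 - 1 (prime), toy size
_E = 65537


def toy_keypair():
    n, phi = _P * _Q, (_P - 1) * (_Q - 1)
    return {"public": (n, _E), "private": (n, pow(_E, -1, phi))}


def canonical_rrset(owner, ttl, rtype, rdatas):
    """Canonical form (lower-cased owner, sorted RDATA) so signer and verifier
    hash exactly the same bytes regardless of record order or name case."""
    return "\n".join(f"{owner.lower()} {ttl} IN {rtype} {r}" for r in sorted(rdatas))


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % n


def sign_rrset(owner, ttl, rtype, rdatas, signer, private):
    """Zone owner signs with the private key: this is what the zone publishes."""
    n, d = private
    m = _digest(canonical_rrset(owner, ttl, rtype, rdatas), n)
    return {"type_covered": rtype, "signer": signer, "signature": pow(m, d, n)}


def verify_rrset(owner, ttl, rtype, rdatas, rrsig, public):
    """Resolver checks with the zone's public key; any changed byte fails."""
    n, e = public
    if rrsig["type_covered"] != rtype:
        return False
    return pow(rrsig["signature"], e, n) == _digest(canonical_rrset(owner, ttl, rtype, rdatas), n)


def _under_trusted_zone(owner, trust_anchors):
    return any(owner == z or owner.endswith("." + z) for z in trust_anchors)


def validate_response(response, trust_anchors):
    """'secure'  : RRset verifies under a trusted key for its signer
    'bogus'   : signature present but wrong, signer untrusted, or a signed
                zone answered without a signature
    'insecure': no signature and no trust anchor covers the name (DNSSEC
                cannot help here; that is the unsigned-zone case)"""
    rrsig = response.get("rrsig")
    owner = response["owner"].lower()
    if rrsig is None:
        return "bogus" if _under_trusted_zone(owner, trust_anchors) else "insecure"
    key = trust_anchors.get(rrsig["signer"])
    if key is None:
        return "bogus"
    ok = verify_rrset(owner, response["ttl"], response["rtype"], response["rdatas"], rrsig, key)
    return "secure" if ok else "bogus"


def demo():
    # Constructed zone: www.example.com. A 192.0.2.1, signed by example.com.
    keys = toy_keypair()
    anchors = {"example.com.": keys["public"]}
    rrsig = sign_rrset("www.example.com.", 300, "A", ["192.0.2.1"], "example.com.", keys["private"])
    genuine = {"owner": "www.example.com.", "ttl": 300, "rtype": "A",
               "rdatas": ["192.0.2.1"], "rrsig": rrsig}
    # Poisoning attempt: the attacker guessed the TXID and copied the RRSIG,
    # but substituted a rogue address; the signature no longer matches.
    forged = dict(genuine, rdatas=["203.0.113.66"])
    # Stripping the signature does not help either once the zone is known signed.
    unsigned = {k: v for k, v in genuine.items() if k != "rrsig"}
    return {"genuine": validate_response(genuine, anchors),
            "forged": validate_response(forged, anchors),
            "unsigned": validate_response(unsigned, anchors)}
```

demo() returns secure for the genuine record and bogus for both the rewritten and the stripped one; the caveat is the last case of validate_response, an unsigned zone with no trust anchor is simply insecure, so DNSSEC protects only the zones that are actually signed.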
Advanced DNS Protection
Deployment shown on the slide: Advanced DNS Protection on the external DNS and on the internal DNS. Both receive automatic updates from an updated threat-intelligence server, pass legitimate traffic through, and send data for reports to a reporting server that reports on attack types and severity.
Response Policy Zones (RPZ): Blocking Queries to Malicious Domains
1. An infected device is brought into the office. Malware/APT spreads to other devices on the network and calls home.
2. The malware makes a DNS query to find “home” (botnet / C&C).
3. The DNS server with RPZ capability detects and blocks the DNS query to the malicious domain; the blocked attempt is sent to syslog.
4. The query to the malicious domain is logged, so security teams can now identify the requesting end-point and attempt remediation.
The RPZ is regularly updated with malicious domain data using available reputational feeds (IPs, domains, etc. of bad servers).
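An added example (not Infoblox code) of the RPZ decision in step 3 above: a small QNAME-trigger policy zone in zone-file style is loaded, each client query is matched against it (exact owner first, then the closest wildcard), the encoded action is applied, and every rewrite produces a syslog-style line carrying the client address that step 4 relies on. The policy zone, domains and client address are constructed; the action encoding follows the RPZ convention (CNAME "." is NXDOMAIN, CNAME "*." is NODATA, CNAME "rpz-passthru." allows, CNAME "rpz-drop." drops, any other CNAME redirects).

```python
"""RPZ QNAME-trigger lookup as a resolver applies it. Added example; the
policy zone text, domains and client address are constructed."""

# Constructed policy zone, zone-file style ("owner CNAME target").
POLICY_ZONE = """
; bad.example is a C&C domain: NXDOMAIN it and everything under it
bad.example            CNAME .
*.bad.example          CNAME .
; tracker: name exists but answer NODATA
tracker.example        CNAME *.
; send users of a phishing site to the corporate walled garden
phish.example          CNAME walled-garden.corp.example.
; one known-good host under the blocked zone: exact match beats the wildcard
update.bad.example     CNAME rpz-passthru.
; drop on the floor, no response at all
flood.example          CNAME rpz-drop.
"""

SPECIAL = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def load_policy(text):
    """Parse rules into {owner: (action, redirect target or None)}; ';' starts a comment."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()
        if not line:
            continue
        owner, rtype, target = line.split()
        if rtype.upper() != "CNAME":
            raise ValueError("QNAME policy rules must be CNAME: %r" % line)
        action = SPECIAL.get(target, "REDIRECT")
        policy[owner.lower().rstrip(".")] = (action, None if action != "REDIRECT" else target)
    return policy


def lookup_policy(qname, policy):
    """Exact owner first, then '*.parent' wildcards walking up the name."""
    name = qname.lower().rstrip(".")
    if name in policy:
        return policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        rule = policy.get("*." + ".".join(labels[i:]))
        if rule:
            return rule
    return None


def resolve(qname, client, policy, log):
    """Return what the client would get; log a syslog-style line for every rewrite."""
    rule = lookup_policy(qname, policy)
    if rule is None or rule[0] == "PASSTHRU":
        return {"rcode": "NOERROR", "policy": None if rule is None else "PASSTHRU"}
    action, target = rule
    log.append(f"rpz QNAME {action} rewrite {qname} via {target or action.lower()} client {client}")
    if action == "NXDOMAIN":
        return {"rcode": "NXDOMAIN", "policy": action}
    if action == "NODATA":
        return {"rcode": "NOERROR", "answers": [], "policy": action}
    if action == "DROP":
        return {"rcode": None, "policy": action}          # nothing sent back
    return {"rcode": "NOERROR", "answers": [("CNAME", target)], "policy": action}


def demo():
    policy = load_policy(POLICY_ZONE)
    log = []
    results = {q: resolve(q, "10.0.0.7", policy, log)
               for q in ["c2.bad.example", "update.bad.example", "tracker.example",
                         "phish.example", "flood.example", "www.example.com"]}
    return results, log
```

demo() shows the four outcomes side by side: c2.bad.example gets NXDOMAIN, update.bad.example passes because its exact rule outranks the wildcard, tracker.example gets an empty answer, phish.example is redirected to the walled garden, flood.example gets no reply, and www.example.com is untouched; the log holds one line per rewrite with the client address for the security team.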
Take the DNS Security Risk Assessment
1. Analyzes your organization’s DNS setup to assess level of risk
of exposure to DNS threats
2. Provides DNS Security Risk Score and analysis based on answers given
3. www.infoblox.com/dnssecurityscore
Higher score = higher DNS security risk!!
Call to Action
• DNS security vulnerabilities pose a significant threat
• Raise the awareness of DNS and DNS security
vulnerabilities in your organization
• There are multitudes of resources available to help
• Seek help if needed to protect DNS
• Talk to Infoblox
Infoblox Overview & Business Update
• Founded in 1999
• Headquartered in Santa Clara, CA with global operations in 25 countries
• Market leadership: DDI Market Leader (Gartner); 50% DDI Market Share (IDC)
• 7,300+ customers
• 74,000+ systems shipped
• 46 patents, 27 pending
• IPO April 2012: NYSE BLOX
• Leader in technology for network control
Total Revenue ($MM, Fiscal Year Ending July 31): FY2007 $35.0 | FY2008 $56.0 | FY2009 $61.7 | FY2010 $102.2 | FY2011 $132.8 | FY2012 $169.2 | FY2013 $225.0
IT Analyst Validation
• Gartner: “usage of a commercial DDI solution can reduce (network) OPEX by 50% or more.”
• IDC: Infoblox is the only major DDI vendor to gain market share over the past three years.
• Gartner: “Infoblox is the DDI market leader in terms of mainstream brand awareness.”
[Chart: Worldwide DDI Market Share – 2013]
Q&A