DNS Security Presentation ISSA

1| © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2014 Infoblox Inc. All Rights Reserved. Domain Name System (DNS) Network Security Asset or Achilles Heel? Srikrupa Srivatsan, Sr. Product Marketing Manager, Infoblox September 19, 2014

description

DNS is critical network infrastructure and securing it against attacks like DDoS, NXDOMAIN, hijacking and Malware/APT is very important to protecting any business.

Transcript of DNS Security Presentation ISSA

Page 1: DNS Security Presentation ISSA

Domain Name System (DNS): Network Security Asset or Achilles Heel?

Srikrupa Srivatsan, Sr. Product Marketing Manager, Infoblox

September 19, 2014

Page 2: DNS Security Presentation ISSA

Agenda

• What is DNS and How Does it Work?
• Threat Landscape Trends
• Common Attack Vectors
  – Anatomy of an attack: DNS Hijacking
  – Anatomy of an attack: Reflection Attack
  – Anatomy of an attack: DNS DDoS
• How To Protect Yourself?
• Q & A

Page 3: DNS Security Presentation ISSA

What is the Domain Name System (DNS)?

• Address book for all of the Internet
• Translates “google.com” to 173.194.115.96
• Invented in 1983 by Paul Mockapetris (UC Irvine)

Without DNS, The Internet & Network Communications Would Stop

Page 4: DNS Security Presentation ISSA

How Does DNS Work?

Diagram labels: ISP DNS SERVER; ROOT DNS SERVER; WWW.GOOGLE.COM 173.194.115.96

“I need directions to www.google.com”

“That domain is not in my server, I will ask another DNS Server”

“That’s in my cache, it maps to: 173.194.115.96”

“Great, I’ll put that in my cache in case I get another request”

173.194.115.96

“Great, now I know how to get to www.google.com”

Page 5: DNS Security Presentation ISSA

For Bad Guys, DNS Is a Great Target

• DNS is the cornerstone of the Internet used by every business/Government
• DNS is fairly easy to exploit
• Traditional protection is ineffective against evolving threats

DNS Outage = Business Downtime

Page 6: DNS Security Presentation ISSA

The Rising Tide of DNS Threats: Are You Prepared?

• In the last year alone there has been an increase of: 200% DNS attacks [1]; 58% DDoS attacks [1]
• 100x: With possible amplification up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge
• 33M: Number of open recursive DNS servers [2]
• 28M: Pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks [2]
• 2M: With enterprise level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant

1. Quarterly Global DDoS Attack Report, Prolexic, 1st Quarter, 2013
2. www.openresolverproject.org

Page 7: DNS Security Presentation ISSA

The Rising Tide of DNS Threats

DNS attacks are rising for 3 reasons:

1. Easy to spoof
2. Asymmetric amplification
3. High-value target

Countries of origin for the most DDoS attacks in the last year: China, US, Brazil, Russia, France, India, Germany, Korea, Egypt, Taiwan

Page 8: DNS Security Presentation ISSA

The Rising Tide of DNS Threats

Financial impact is huge

• Avg estimated loss per DDoS event in 2012 [3] (chart; sectors shown: Financial services, Technology company, Government; values shown: -$7.7M, -$13.6M, -$17M)
• $27 million: The average loss for a 24-hour outage from a DDoS attack [3]

Top Industries Targeted [4] (chart): Enterprise 42%; Commerce 29%; Miscellaneous 5%; Automotive 1%; Healthcare 2%; Business Services 21%; Financial Services 13%; Public Sector 5%; Media & Entertainment 17%; High Tech 7%; Consumer Goods 2%; Hotels 5%; Retail 22%

3. Develop A Two-Phased DDoS Mitigation Strategy, Forrester Research, Inc. May 17, 2013
4. State of the Internet, Akamai, 2nd Quarter, 2013

Page 9: DNS Security Presentation ISSA

DNS Attack Vectors

Page 10: DNS Security Presentation ISSA

The DNS Security Challenges

1. Securing the DNS Platform
2. Defending Against DNS Attacks: DDoS / Cache Poisoning
3. Preventing Malware from using DNS

Page 11: DNS Security Presentation ISSA

Anatomy of an Attack: Syrian Electronic Army

Page 12: DNS Security Presentation ISSA

Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)

How the attack works

Diagram labels: Attacker; Internet; Target Victim

• Combines reflection and amplification
• Uses third-party open resolvers in the Internet (unwitting accomplice)
• Attacker sends spoofed queries to the open recursive servers
• Uses queries specially crafted to result in a very large response
• Causes DDoS on the victim’s server
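An operator can check whether a resolver is being used as the unwitting reflector described on this slide by comparing answer bytes with query bytes per claimed source in short time windows. The sketch below is an added example, not part of the presentation or any Infoblox product; the record layout, thresholds and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Exchange(NamedTuple):
    ts: float            # seconds since start of capture
    src_ip: str          # source address claimed by the query (spoofable over UDP)
    query_bytes: int
    response_bytes: int

# Constructed sample: one claimed source receives large answers at a high rate,
# two ordinary clients resolve a few names. Addresses are documentation ranges.
SAMPLE = (
    [Exchange(i * 0.25, "198.51.100.7", 64, 3200) for i in range(40)]
    + [Exchange(i * 2.0, "192.0.2.10", 60, 92) for i in range(5)]
    + [Exchange(i * 3.0, "192.0.2.11", 62, 130) for i in range(3)]
)

def reflection_suspects(exchanges, window=10, min_queries=20, min_ratio=10.0):
    """Flag (window, source) pairs whose answers far outweigh their queries."""
    buckets = defaultdict(lambda: [0, 0, 0])   # queries, bytes in, bytes out
    for ex in exchanges:
        start = int(ex.ts // window) * window  # start of the window this query falls in
        b = buckets[(start, ex.src_ip)]
        b[0] += 1
        b[1] += ex.query_bytes
        b[2] += ex.response_bytes
    alerts = []
    for (start, ip), (n, b_in, b_out) in sorted(buckets.items()):
        ratio = b_out / b_in
        # Both conditions are required: a single large answer is normal,
        # a sustained stream of them towards one address is not.
        if n >= min_queries and ratio >= min_ratio:
            alerts.append({"window_start": start, "likely_victim": ip,
                           "queries": n, "bytes_out": b_out,
                           "amplification": round(ratio, 1)})
    return alerts

if __name__ == "__main__":
    for alert in reflection_suspects(SAMPLE):
        print(alert)
```

Because the source address is spoofed, the flagged address is the likely victim rather than the sender, so the response on the resolver side is to restrict recursion and rate-limit answers, not to block that address as an attacker.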

Page 13: DNS Security Presentation ISSA

Anatomy of an Attack: DNS DDoS For Hire

• DDoS attacks against major U.S. financial institutions
• Launching (DDoS) taking advantage of Server bandwidth
• 4 types of DDoS attacks:
  – DNS amplification
  – Spoofed SYN
  – Spoofed UDP
  – HTTP + proxy support
• Script offered for $800

Page 14: DNS Security Presentation ISSA

The Rising Tide of DNS Threats

Top 10 DNS attacks

• DNS amplification: Use amplification in DNS reply to flood victim
• Protocol anomalies: Malformed DNS packets causing server to crash
• DNS hijacking: Subverting resolution of DNS queries to point to rogue DNS server
• Reconnaissance: Probe to get information on network environment before launching attack
• Fragmentation: Traffic with lots of small out of order fragments
• TCP/UDP/ICMP floods: Flood victim’s network with large amounts of traffic
• DNS cache poisoning: Corruption of a DNS cache database with a rogue address
• DNS tunneling: Tunneling of another protocol through DNS for data exfiltration
• DNS based exploits: Exploit vulnerabilities in DNS software
• DNS reflection/DrDoS: Use third party DNS servers to propagate DDoS attack

Page 15: DNS Security Presentation ISSA

Protection Best Practices

Page 16: DNS Security Presentation ISSA

Help Is On the Way!

• Collaboration
• Dedicated Appliances
• Monitoring
• DNSSEC
• RPZ
• Advanced DNS Protection

Page 17: DNS Security Presentation ISSA

Get the Teams Talking – Questions to Ask:

• Who in your org is responsible for DNS Security?
• What methods, procedures, tools do you have in place to detect and mitigate DNS attacks?
• Would you know if an attack was happening, would you know how to stop it?

Teams: Network Team, Security Team, IT Apps Team, IT OPS Team

Page 18: DNS Security Presentation ISSA

Hardened DNS Appliances

Conventional Server Approach
– Many open ports subject to attack
– Users have OS-level account privileges on server
– Requires time-consuming manual updates

Hardened Appliance Approach
• Dedicated hardware with no unnecessary logical or physical ports
• No OS-level user accounts – only admin accts
• Immediate updates to new security threats
• Secure HTTPS-based access to device management
• No SSH or root-shell access
• Encrypted device to device communication

Diagram labels: Multiple Open Ports; Limited Port Access; Update Service; Secure Access

Page 19: DNS Security Presentation ISSA

Monitoring & Alert on Aggregate Query Rate

Page 20: DNS Security Presentation ISSA

DNSSEC

• Fixes Kaminsky Vulnerability
• DNS Security Extensions
• Uses public key cryptography to verify the authenticity of DNS zone data (records)
  – DNSSEC zone data is digitally signed using a private key for that zone
  – A DNS server receiving DNSSEC signed zone data can verify the origin and integrity of the data by checking the signature using the public key for that zone

Page 21: DNS Security Presentation ISSA

Advanced DNS Protection

Diagram labels: Reporting Server; Automatic updates; Updated Threat-Intelligence Server; Advanced DNS Protection (External DNS); Advanced DNS Protection (Internal DNS); Legitimate Traffic; Data for Reports; Reports on attack types, severity

Page 22: DNS Security Presentation ISSA

Response Policy Zones - RPZ: Blocking Queries to Malicious Domains

• An infected device brought into the office. Malware spreads to other devices on network.
• Malware makes a DNS query to find “home” (botnet / C&C). DNS Server detects & blocks DNS query to malicious domain.
• Query to malicious domain logged; security teams can now identify requesting end-point and attempt remediation.
• RPZ regularly updated with malicious domain data using available reputational feeds.

Diagram labels: Malicious domains; DNS Server with RPZ Capability; Blocked attempt sent to Syslog; Malware / APT; Malware / APT spreads within network; Calls home; Reputational Feed: IPs, Domains, etc. of Bad Servers; Internet; Intranet
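The block-and-log flow on this slide, as an added example that is not code from the presentation or from any RPZ implementation: a feed is loaded into a policy, each query name is checked against it, blocked queries are logged with the requesting endpoint, and endpoints are ranked for remediation. The feed entries, client addresses, the NXDOMAIN action and all function names are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed reputation feed (placeholder names): exact entries and "*." wildcards.
FEED = ["c2.badsite.example", "*.botnet.example"]
# Constructed client queries: (requesting endpoint, queried name).
QUERIES = [("10.0.0.5", "c2.badsite.example"), ("10.0.0.9", "www.example.com"),
           ("10.0.0.5", "x1.botnet.example."), ("10.0.0.7", "A.B.Botnet.Example"),
           ("10.0.0.5", "botnet.example")]

def load_policy(feed):
    """Split feed entries into exact names and wildcard parent domains."""
    exact, wild = set(), set()
    for entry in feed:
        name = entry.strip().lower().rstrip(".")
        if name.startswith("*."):
            wild.add(name[2:])
        elif name:
            exact.add(name)
    return exact, wild

def policy_match(qname, policy):
    """Return the policy entry that covers qname, or None if it is allowed."""
    exact, wild = policy
    name = qname.lower().rstrip(".")       # DNS names compare case-insensitively
    if name in exact:
        return name
    labels = name.split(".")
    for i in range(1, len(labels)):        # a wildcard covers subdomains only
        parent = ".".join(labels[i:])
        if parent in wild:
            return "*." + parent
    return None

def answer(client_ip, qname, policy, log):
    """Block listed names with NXDOMAIN and log the requesting endpoint."""
    hit = policy_match(qname, policy)
    if hit is None:
        return "FORWARD"                   # normal resolution continues
    log.append({"client": client_ip, "qname": qname, "policy": hit})
    return "NXDOMAIN"

def run(queries, feed):
    """Return (answers, blocked-query log, endpoints ranked by blocked count)."""
    policy, log = load_policy(feed), []
    answers = [answer(ip, q, policy, log) for ip, q in queries]
    ranked = Counter(e["client"] for e in log).most_common()
    return answers, log, ranked

if __name__ == "__main__":
    print(run(QUERIES, FEED))
```

The last constructed query shows a gap worth checking in any feed: a wildcard entry alone does not cover the parent name itself, so the feed needs both forms when the whole domain is to be blocked.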

Page 23: DNS Security Presentation ISSA

Take the DNS Security Risk Assessment

1. Analyzes your organization’s DNS setup to assess level of risk of exposure to DNS threats
2. Provides DNS Security Risk Score and analysis based on answers given
3. www.infoblox.com/dnssecurityscore

Higher score = higher DNS security risk!!

Page 24: DNS Security Presentation ISSA

Call to Action

• DNS security vulnerabilities pose a significant threat
• Raise the awareness of DNS and DNS security vulnerabilities in your organization
• There are multitudes of resources available to help
• Seek help if needed to protect DNS
• Talk to Infoblox

Page 25: DNS Security Presentation ISSA

Infoblox Overview & Business Update

• Founded in 1999
• Headquartered in Santa Clara, CA with global operations in 25 countries
• Market leadership
  – DDI Market Leader (Gartner)
  – 50% DDI Market Share (IDC)
• 7,300+ customers
• 74,000+ systems shipped
• 46 patents, 27 pending
• IPO April 2012: NYSE BLOX
• Leader in technology for network control

Total Revenue ($MM, Fiscal Year Ending July 31): FY2007 $35.0; FY2008 $56.0; FY2009 $61.7; FY2010 $102.2; FY2011 $132.8; FY2012 $169.2; FY2013 $225.0

Page 26: DNS Security Presentation ISSA

IT Analyst Validation

• Gartner: “usage of a commercial DDI solution can reduce (network) OPEX by 50% or more.”
• IDC: Infoblox is the only major DDI vendor to gain market share over the past three years.
• Gartner: “Infoblox is the DDI market leader in terms of mainstream brand awareness.”

Chart: Worldwide DDI Market Share – 2013

Page 27: DNS Security Presentation ISSA

Q&A