1. Infoblox Advanced DNS Protection
Case Study
Adam Obszyński | CEE SE
PLNOG13 2014.09.29
© 2013 | 2014 Infoblox Inc. All Rights Reserved.
2. Agenda
1 DNS in the news
2 DNS: How to prepare?
3 ADP What’s new?
4 ADP Stories
3. Infoblox and Service Providers
Dedicated SP product line
• Leads Industry with >1M DNS qps and
Advanced DDoS protection
• Carrier-grade solution adopted at major
Tier 1 providers
220+ Service Providers; 55,000+
systems shipped; 7000+ Enterprises
Dedicated SP Business Unit
• EVP from Juniper, Cisco carrier sales
• Dedicated Sales, SEs, Marketing,
Engineering, Product Mgmt
Market leadership
• #1 in DNS Caching; First DNS Firewall
• Competition in decline
IPO April 2012 NYSE (BLOX)
$225M Revenue; $2B Market Cap
Total Revenue (Fiscal Year Ending July 31, in $M): FY2007 35.0; FY2008 56.0; FY2009 61.7; FY2010 102.2; FY2011 132.8; FY2012 169.2; FY2013 225.0
4. The Problem
• DNS is one of the fastest growing attack vectors
• Traditional protection is ineffective against evolving threats
• DNS outage causes network downtime, loss of revenue, and negative brand impact
Unprotected DNS infrastructure introduces security risks
5. DNS Hijackings: 2013 & 2014
6. How DNS DDoS is Becoming Easier
Attack Apps Being Built
• DDoS attacks against major
U.S. financial institutions
• Launching (DDoS)
taking advantage of
server bandwidth
• 4 types of DDoS attacks:
̶ DNS amplification
̶ Spoofed SYN
̶ Spoofed UDP
̶ HTTP+ proxy support
• Script offered for $600-800
7. Malware/APT Requires DNS
Every step of malware life cycle relies on DNS
• Infection: query a malicious domain
• Download: query the ‘call home’ server
• Exfiltration: query the exfiltration destinations
8. The Rising Tide of DNS Threats
Are You Prepared?
The bottom line is
“Organizations should invest in
protecting their DNS infrastructure.”
– Gartner [5]
[5] Leverage Your Network Design to Mitigate DDoS Attacks, Report ID G00253330, Gartner, July 2013
9. Advanced DNS Protection:
Defend Against DNS Attacks
Protection against the Widest Range of DNS Attacks
Threat Adapt Technology
• Intelligently defends against widest range of attacks to
ensure secure, resilient, and trustworthy DNS services
• Blocks attacks while continuing to respond to legitimate
DNS requests
• Continuously adapts to evolving threats; automatically
updates protection without patching or downtime
• Uses latest threat intelligence from analysis and research,
and new threats seen in customer networks
• Morphs protection to reflect DNS configuration changes
Quick Deployment
• Deploys easily and runs in any environment
• Immediately starts blocking attacks—even if an attack
is already in progress
10. Infoblox Differentiation and Value
Comparison matrix (only the row and column labels are reproduced here)
Solutions compared: Infoblox Advanced DNS Protection, Load Balancers, Pure DDoS, Next-gen Firewalls, IPS, Cloud
Criteria:
• Dedicated compute for threat mitigation
• Volumetric/DDoS Attacks: General DDoS, DNS DDoS, DNS amplification, DNS reflection
• DNS-specific Exploits: DNS server OS and application vulnerabilities, DNS semantic attacks, Cache poisoning, DNS tunneling, DNS hijacking
11. DNS Protection is Not Just About DDoS
• DNS reflection/DrDoS attacks: using third-party DNS servers (mostly open resolvers) to propagate a DoS or DDoS attack
• DNS amplification: using a specially crafted query to create an amplified response to flood the victim with traffic
• TCP/UDP/ICMP floods: denial of service on layer 3 or 4 by bringing a network or service down by flooding it with large amounts of traffic
• DNS-based exploits: attacks that exploit bugs or vulnerabilities in the DNS software
• DNS cache poisoning: corruption of DNS server cache data with a rogue domain or IP
• Protocol anomalies: causing the server to crash by sending malformed DNS packets and queries
• Reconnaissance: attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
• DNS tunneling: tunneling of another protocol through DNS port 53 for malware insertion and/or data exfiltration
• DNS hijacking: modifying the DNS record settings to point to a rogue DNS server or domain
• NXDomain attack: attacks that flood the DNS server with requests for non-existent domains, causing it to send NXDomain (non-existent domain) responses
• Phantom domain attack: attacks where a DNS resolver is forced to resolve multiple non-existent domains, causing it to consume resources while waiting for responses
The slide groups these under two headings: Volumetric/DDoS Attacks and DNS-specific Exploits.
12.
13. Advanced Appliances - Four Models
Performance, Authoritative & Cache with HW Protect: 50 000 qps, 143 000 qps, 200 000 qps
Performance, Caching / Recursive ONLY with HW Caching & HW Protect: 500 000 qps (ADP), 1 000 000 qps
Done in Hardware
Advanced Appliances have next-generation programmable processors that provide dedicated compute for threat mitigation.
The appliances offer both AC and DC power supply options.
14. Deployment Options
Enterprise: External Authoritative; Caching & Internal
Service Provider: Caching; Hosted/Ext. Authoritative
• Advanced appliances PT-1400, PT-2200, PT-4000 can be used in both authoritative and recursive DNS deployments
• 4030 appliances offer ‘DNS Hardware Cache Acceleration’ for Caching/Recursive and offer protection against attacks on caching servers
15. DNS Caching
Protection against Attacks on DNS Caching Servers
Advanced DNS Protection can secure the DNS Caching layer against internal or externally generated threats
Diagram elements: INTERNET; two IB-4030 + Advanced DNS Protection appliances; Data Center with GRID Master and Candidate (HA); INFRASTRUCTURE: Data Center, Disaster recovery site(s); Endpoints
16. DNS Caching
Protection against attacks on caching servers
• A large number of bots make more requests of the DNS server than it can handle
• This causes the DNS server to drop inbound DNS requests
Advanced DNS Protection can secure DNS Caching Servers from DNS Floods and other threats
17. Internal DNS (Service Provider IT)
Protection against Internal Attacks on Recursive Servers
Advanced DNS Protection can secure internal DNS environments where internal user traffic is hostile
Diagram elements: INTRANET: Campus office, Regional office(s), Disaster recovery site(s); two Advanced DNS Protection appliances; Data Center with GRID Master and Candidate (HA); Endpoints
19. Centralized Visibility: Reporting
Intelligence Needed to Take Action
• Attack details by category, member, rule, severity, and time
• Visibility into source of attacks for blocking, to understand scope and severity
• Early identification and isolation of issues for corrective action
20. SIEM / Syslog LOGGING
• Threat Protection events are logged to syslog using CEF format, e.g.:
2014-09-05T03:24:59+00:00 daemon (none) threat-protect-log[5986]: err CEF:0|Infoblox|NIOS Threat|6.10.0-225023|5053001|Blacklist:abc.com|7|src=10.32.2.52 spt=45242 dst=10.35.1.98 dpt=53 act="DROP" cat="BLACKLIST FQDN lookup UDP"
- Syslog severity: Error (Corresponds to rule severity “Major”)
- Device product: NIOS Threat
- NIOS version: 6.10.0-225023
- Rule ID: 5053001
- Rule name: Blacklist:abc.com
- CEF Severity: 7
- Source IP address: 10.32.2.52
- Source Port: 45242
- Destination IP address: 10.35.1.98
- Destination port: 53
- Action: Drop
- Rule category: Blacklist FQDN lookup UDP
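A SIEM consumes these events by splitting the CEF header on its seven pipes and the extension on key=value pairs. The following Python is an added example written for this page, not Infoblox code: it parses the slide's sample line (joined back onto one line) plus two constructed variations, maps the syslog keyword to the rule severity using the one pairing the slide shows (err corresponds to Major), and counts dropped queries per source address, the "visibility into the source of attacks" view that slide 19 describes. The two extra sample lines and the function names are this example's own assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed samples: the first is the slide's own example line joined back onto one line,
# the other two are variations of it (different source IP / port) made up for this example.
SAMPLE_LINES = [
    '2014-09-05T03:24:59+00:00 daemon (none) threat-protect-log[5986]: err '
    'CEF:0|Infoblox|NIOS Threat|6.10.0-225023|5053001|Blacklist:abc.com|7|'
    'src=10.32.2.52 spt=45242 dst=10.35.1.98 dpt=53 act="DROP" cat="BLACKLIST FQDN lookup UDP"',
    '2014-09-05T03:25:01+00:00 daemon (none) threat-protect-log[5986]: err '
    'CEF:0|Infoblox|NIOS Threat|6.10.0-225023|5053001|Blacklist:abc.com|7|'
    'src=10.32.2.52 spt=45243 dst=10.35.1.98 dpt=53 act="DROP" cat="BLACKLIST FQDN lookup UDP"',
    '2014-09-05T03:25:07+00:00 daemon (none) threat-protect-log[5986]: err '
    'CEF:0|Infoblox|NIOS Threat|6.10.0-225023|5053001|Blacklist:abc.com|7|'
    'src=10.32.2.77 spt=51000 dst=10.35.1.98 dpt=53 act="DROP" cat="BLACKLIST FQDN lookup UDP"',
]

# Syslog severity keyword -> ADP rule severity. Only the pairing shown on the slide is known;
# anything else is reported as "unknown" rather than guessed.
SYSLOG_TO_RULE_SEVERITY = {"err": "Major"}

# Syslog prefix: timestamp, facility, host, tag[pid], severity keyword, then the CEF payload.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<facility>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<tag>[^:]+):\s+(?P<syslog_sev>\w+)\s+(?P<cef>CEF:.*)$"
)
# CEF extension: key=value pairs; the value is a double-quoted string or a run of non-space chars.
EXT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_threat_event(line):
    """Parse one threat-protect-log syslog line into a flat dict of named fields."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a threat-protect-log syslog line")
    # CEF header: 7 pipe-delimited fields; a literal pipe inside a field is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    _version_tag, vendor, product, version, rule_id, rule_name, cef_sev, ext = parts
    event = {
        "timestamp": datetime.fromisoformat(m.group("ts")),
        "syslog_severity": m.group("syslog_sev"),
        "rule_severity": SYSLOG_TO_RULE_SEVERITY.get(m.group("syslog_sev"), "unknown"),
        "vendor": vendor,
        "product": product,
        "version": version,
        "rule_id": rule_id,
        "rule_name": rule_name,
        "cef_severity": int(cef_sev),
    }
    for key, value in EXT_RE.findall(ext):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        event[key] = int(value) if key in ("spt", "dpt") else value
    return event


def dropped_queries_by_source(lines):
    """Count DROP actions per source IP: the per-source view used to judge scope and severity."""
    counts = Counter()
    for line in lines:
        ev = parse_threat_event(line)
        if ev.get("act") == "DROP":
            counts[ev["src"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_threat_event(line)
        print(ev["timestamp"], ev["rule_id"], ev["rule_name"], ev["rule_severity"], ev["src"], ev["act"])
    print(dropped_queries_by_source(SAMPLE_LINES))
```

Note that the quoted values (`act="DROP"`) are how this product writes the extension; standard CEF extensions are unquoted, and the regex accepts both forms.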
21. What's new?
22. Monitor mode
• What is it?
̶ A ‘what-if’ mode: the product generates the logs and dashboard entries it would generate when dropping malicious packets, and attack detection is triggered, but no packets are actually dropped. The result is the same as putting the box in a monitor-only mode.
̶ Caution: there is no actual mitigation of the attack. This is a passive mode, more or less like an IDS.
23. 4030 & PT-xxxx: NIC Failover
• Problem to be solved
̶ Provide port-level protection on IB-4030/PT appliances
• Feature Description
̶ Allows the user to configure LAN1 and LAN2 in ACTIVE-PASSIVE mode:
- Provides port-level (layer-2) redundancy between the LAN1 and LAN2 ports on the appliances.
- If the link to one of the ports fails, the appliance fails over to the other port, avoiding a service disruption.
• Benefit
̶ Improves the overall product resiliency
24. High Availability Failover (VRRP) for 4030 & ADP
25. NXDOMAIN rate limiting
• What is it?
̶ Some attacks overwhelm DNS servers running in recursion mode by making them resolve, and answer NXDOMAIN for, non-existent domain names generated by the attacker.
̶ If a client has generated a large number of NXDOMAIN responses, requests from that particular client are blocked for a configurable period of time.
• How can NXDOMAIN rate limiting help?
̶ Clients generating these responses are blocked, so other legitimate DNS queries are answered.
̶ Rate limiting on NXDOMAIN can prevent the outbound WAN bandwidth from being choked in case the server is being used as an attacker.
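The mechanism described on this slide, per-client counting of NXDOMAIN responses in a time window and a temporary block once a threshold is crossed, as an added example written for this page (not Infoblox's implementation; the threshold, window and block-duration knobs and their names are this example's own assumptions). The simulation mixes a constructed client that generates only NXDOMAIN responses with a constructed client doing ordinary lookups and shows that only the first one ends up blocked:

```python
from collections import Counter, defaultdict, deque


class NxdomainRateLimiter:
    """Per-client NXDOMAIN counter with a temporary block (hypothetical parameters)."""

    def __init__(self, threshold=100, window_seconds=10.0, block_seconds=60.0):
        self.threshold = threshold          # NXDOMAIN responses allowed per window
        self.window = window_seconds        # sliding window length
        self.block_for = block_seconds      # configurable block period once exceeded
        self._events = defaultdict(deque)   # client -> timestamps of recent NXDOMAIN responses
        self._blocked_until = {}            # client -> time at which its block expires

    def is_blocked(self, client, now):
        until = self._blocked_until.get(client)
        if until is None:
            return False
        if now >= until:                    # block expired: forget it and let the client back in
            del self._blocked_until[client]
            return False
        return True

    def record_response(self, client, rcode, now):
        """Call once per response sent to `client`. Returns True when this response pushes the
        client over the threshold and a block has just been installed."""
        if rcode != "NXDOMAIN":
            return False
        q = self._events[client]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.threshold and not self.is_blocked(client, now):
            self._blocked_until[client] = now + self.block_for
            q.clear()
            return True
        return False


def simulate(limiter, traffic):
    """traffic: iterable of (time, client, rcode the server would answer with).
    Returns (answered, dropped) Counters keyed by client."""
    answered, dropped = Counter(), Counter()
    for t, client, rcode in traffic:
        if limiter.is_blocked(client, t):
            dropped[client] += 1              # request from a blocked client is not served
            continue
        answered[client] += 1
        limiter.record_response(client, rcode, t)
    return answered, dropped


def demo():
    """Constructed traffic: one client sending 200 non-existent-name queries in 20 s (all answered
    NXDOMAIN) alongside a legitimate client doing 20 normal lookups in the same period."""
    limiter = NxdomainRateLimiter(threshold=50, window_seconds=10.0, block_seconds=60.0)
    traffic = [(i * 0.1, "198.51.100.7", "NXDOMAIN") for i in range(200)]
    traffic += [(i * 1.0, "192.0.2.10", "NOERROR") for i in range(20)]
    traffic.sort()
    return simulate(limiter, traffic)


if __name__ == "__main__":
    answered, dropped = demo()
    for client in sorted(set(answered) | set(dropped)):
        print(f"{client}: answered={answered[client]} dropped={dropped[client]}")
```

With these parameters the 50th NXDOMAIN response (at t = 4.9 s) installs the block, the remaining 150 queries from that client are dropped, and the legitimate client's 20 queries are all answered, which is the "other legitimate DNS queries are addressed" property the slide claims.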
26. Blacklisted domain names
• What are blacklist domains?
̶ Independently, the Infoblox research team that writes the threat rules receives petabytes of traffic from various tap ports in different geographic locations and mines this data to identify the bad/phantom domains that showed symptoms of these types of attacks.
̶ As a result of this effort, the Threat rules ruleset is updated with these newly identified bad domains.
• From the customer's perspective
̶ All you need is to keep subscription updates ON. This automatically adds the new domains to the rule set.
27. DNS Integrity: Check
• What is it?
̶ Provides a way to check the parent name servers to ensure that domains are not hijacked, ensuring DNS integrity.
• Where does it apply?
̶ This feature is useful for all our authoritative DNS server use cases.
̶ It applies to authoritative servers and only checks for top-level domains (TLDs).
• Notification provided by
̶ Syslog
̶ Email notification
̶ SNMP notification
̶ Dashboard
28. DNS Integrity: Types of alerts
• There may be different types of discrepancies between the parent and
the authoritative NS RRs. They could be of type:
̶ CRITICAL- Where the authoritative and the delegated NS RRsets are completely
disjoint (the New York Times attack use case). Disjoint set- {A} {D}
̶ SEVERE- Authoritative and delegated NS RRsets overlap but are different. (This is a
use case of partial compromise or honest mistake of broken delegation.) Slight
overlap- {A {overlap} D}
̶ WARNING- Authoritative NS RRset is a subset of the delegated RRset. (Possibility of
someone adding the wrong IP address to the list at the registrar) A as a subset of D-
{D(A)}
̶ INFORMATIONAL- Delegated NS RRset is a subset of the authoritative RRset. (Use
case where there is a delay in registration.) D as a subset of A- {A(D)}
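The four alert levels above are set relations between two NS RRsets: A, the NS set the zone's own authoritative servers publish, and D, the NS set the parent (registrar) delegates to. The following Python is an added example written for this page, not Infoblox's implementation: it normalises the names (case, trailing dot) and classifies the relation exactly as the slide lists it. The "OK" result for identical sets is this example's own label, since the slide names only the four discrepancy levels; the zone names and NS sets are constructed and use the reserved .test TLD.

```python
def _norm(name):
    """Compare owner names case-insensitively and ignore a trailing root dot."""
    return name.rstrip(".").lower()


def classify_delegation(authoritative_ns, delegated_ns):
    """Return the alert level for authoritative NS RRset A versus delegated NS RRset D.
    Levels follow the slide; 'OK' (identical sets) is this example's own addition."""
    a = {_norm(n) for n in authoritative_ns}
    d = {_norm(n) for n in delegated_ns}
    if a == d:
        return "OK"
    if a.isdisjoint(d):
        return "CRITICAL"       # {A} {D}: completely disjoint, the hijacking case
    if a < d:
        return "WARNING"        # {D(A)}: authoritative set is a proper subset of the delegated set
    if d < a:
        return "INFORMATIONAL"  # {A(D)}: delegated set is a proper subset of the authoritative set
    return "SEVERE"             # {A {overlap} D}: overlap, but neither side contains the other


# Constructed sample: (authoritative NS RRset, delegated NS RRset) per zone. In a live check
# the first set comes from querying the zone's own servers and the second from the parent's.
SAMPLE_ZONES = {
    "healthy.test":  (["ns1.healthy.test", "ns2.healthy.test"],
                      ["NS1.healthy.test.", "ns2.healthy.test."]),
    "hijacked.test": (["ns1.hijacked.test", "ns2.hijacked.test"],
                      ["ns1.rogue.test", "ns2.rogue.test"]),
    "partial.test":  (["ns1.partial.test", "ns2.partial.test"],
                      ["ns1.partial.test", "ns9.rogue.test"]),
    "extra.test":    (["ns1.extra.test"],
                      ["ns1.extra.test", "ns2.extra.test"]),
    "pending.test":  (["ns1.pending.test", "ns2.pending.test"],
                      ["ns1.pending.test"]),
}


def audit(zones):
    """Classify every zone; the result is what a syslog/email/SNMP notifier would report."""
    return {zone: classify_delegation(a, d) for zone, (a, d) in zones.items()}


if __name__ == "__main__":
    for zone, level in audit(SAMPLE_ZONES).items():
        print(f"{zone:15s} {level}")
```

The order of the tests matters: equality is checked before the subset tests because a set is a (non-proper) subset of itself, and `<` is used for proper subset so that identical sets never fall into WARNING or INFORMATIONAL.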
29. Time for a story
http://mlpeters.com
30. For Whom the Bell Tolls?
• Support ticket for DNS under stress?
• Name of the company in the news
• Compliance requirements?
̶ Finance and Banking!
• Insurance & Risk
31. If not ADP - Options Today?
• Over-provisioning infrastructure
̶ Costly, inefficient
• Put an IPS device or a next-gen firewall in front of DNS
server
̶ +1 point of failure, turning on so many services is compute
intensive
̶ No deep understanding of DNS protocol
̶ No deep DNS specific attack coverage
• Cloud based solutions
̶ Basic rate limiting, focused on volumetric attacks
̶ Privacy concerns (and data mining concerns)
̶ Latency
32. And what will your story be?
http://mlpeters.com
33. Join me for the session on DNSSEC.
Tuesday:
35. Rumours on the web.
Or: where is it worth looking?
35. DNS Security Risk Assessment
1. Analyzes an organization’s DNS setup to assess level of risk of exposure to
DNS threats
2. Provides DNS Security Risk Score and analysis based on answers given
3. www.infoblox.com/dnssecurityscore
The higher the score, the higher the DNS Security Risk!
36. Best Practices Poster
http://www.infoblox.com/downloads/resources/securing-dns-best-practices
37.
38. Videos
• Advanced DNS Protection Demo
̶ Provides technical validation: shows what the UI looks like before and during simulated attacks
̶ Shows fine-tuning capabilities and reports
̶ https://www.youtube.com/watch?v=Mg6jC7ljtnw
• Executive Video
̶ Provides technical validation: shows that Advanced DNS Protection responds to all of the “good” DNS queries even under attack, while BIND and Microsoft get overwhelmed
̶ https://www.youtube.com/watch?v=PR6Sv-buoP8
39. Q&A