
DNS Security Presentation ISSA


  1. Domain Name System (DNS): Network Security Asset or Achilles Heel?
     Srikrupa Srivatsan, Sr. Product Marketing Manager, Infoblox
     September 19, 2014
     © 2013 Infoblox Inc. All Rights Reserved.
  2. Agenda
     • What is DNS and how does it work?
     • Threat landscape trends
     • Common attack vectors
       – Anatomy of an attack: DNS hijacking
       – Anatomy of an attack: reflection attack
       – Anatomy of an attack: DNS DDoS
     • How to protect yourself?
     • Q & A
  3. What is the Domain Name System (DNS)?
     • Address book for all of the internet
     • Translates “google.com” to [address shown on slide]
     • Invented in 1983 by Paul Mockapetris (UC Irvine)
     Without DNS, the Internet and network communications would stop.
  4. How Does DNS Work? (diagram: ISP DNS server, root DNS server, www.google.com)
     “I need directions to www.google.com”
     “That domain is not in my server, I will ask another DNS server”
     “That’s in my cache, it maps to: [address shown on slide]”
     “Great, I’ll put that in my cache in case I get another request”
     “Great, now I know how to get to www.google.com”
  5. For Bad Guys, DNS Is a Great Target
     • DNS is the cornerstone of the Internet, used by every business and government
     • DNS is fairly easy to exploit
     • Traditional protection is ineffective against evolving threats
     • DNS outage = business downtime
  6. The Rising Tide of DNS Threats: Are You Prepared?
     • 200%: increase in DNS attacks in the last year alone [1]
     • 58%: DDoS attacks [1]
     • 100x: with possible amplification up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge
     • 28M: pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks [2]
     • 33M: number of open recursive DNS servers [2]
     • 2M: with enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant
     1. Quarterly Global DDoS Attack Report, Prolexic, 1st Quarter, 2013
     2. www.openresolverproject.org
  7. The Rising Tide of DNS Threats
     DNS attacks are rising for 3 reasons:
     1. Easy to spoof
     2. Asymmetric amplification
     3. High-value target
     Countries of origin for the most DDoS attacks in the last year: China, US, Brazil, Russia, France, India, Germany, Korea, Egypt, Taiwan
  8. The Rising Tide of DNS Threats: Financial Impact Is Huge
     • $27 million: the average loss for a 24-hour outage from a DDoS attack [3]
     • Avg estimated loss per DDoS event in 2012 [3]: -$7.7M, -$13.6M, -$17M (chart labels: Financial services, Technology, Government company; pairing lost in extraction)
     • Top industries targeted [4] (chart labels and percentages as extracted; pairing lost): 42% Enterprise, 29% Commerce, Financial Services, Business Services, 13%, 21%, 2%, Healthcare 1%, Automotive 5%, Miscellaneous 5%, Public Sector 17%, Media & Entertainment 7%, High Tech, Consumer Goods 2%, 5%, Hotels, 22% Retail
     3. Develop A Two-Phased DDoS Mitigation Strategy, Forrester Research, Inc., May 17, 2013
     4. State of the Internet, Akamai, 2nd Quarter, 2013
  9. DNS Attack Vectors
  10. The DNS Security Challenges
     1. Securing the DNS platform
     2. Defending against DNS attacks (DDoS / cache poisoning)
     3. Preventing malware from using DNS
  11. Anatomy of an Attack: Syrian Electronic Army
  12. Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
     How the attack works (diagram: Internet, Attacker, Target Victim):
     • Combines reflection and amplification
     • Uses third-party open resolvers in the Internet (unwitting accomplices)
     • Attacker sends spoofed queries to the open recursive servers
     • Uses queries specially crafted to result in a very large response
     • Causes DDoS on the victim’s server
  13. Anatomy of an Attack: DNS DDoS For Hire
     • DDoS attacks against major U.S. financial institutions
     • Launching (DDoS) taking advantage of server bandwidth
     • 4 types of DDoS attacks:
       – DNS amplification
       – Spoofed SYN
       – Spoofed UDP
       – HTTP + proxy support
     • Script offered for $800
  14. The Rising Tide of DNS Threats: Top 10 DNS Attacks
     • DNS amplification: use amplification in DNS reply to flood victim
     • Protocol anomalies: malformed DNS packets causing server to crash
     • DNS hijacking: subverting resolution of DNS queries to point to rogue DNS server
     • Reconnaissance: probe to get information on network environment before launching attack
     • Fragmentation: traffic with lots of small out-of-order fragments
     • TCP/UDP/ICMP floods: flood victim’s network with large amounts of traffic
     • DNS cache poisoning: corruption of a DNS cache database with a rogue address
     • DNS tunneling: tunneling of another protocol through DNS for data exfiltration
     • DNS-based exploits: exploit vulnerabilities in DNS software
     • DNS reflection/DrDoS: use third-party DNS servers to propagate DDoS attack
  15. Protection Best Practices
  16. Help Is On the Way!
      Collaboration · Dedicated Appliances · Monitoring · DNSSEC · RPZ · Advanced DNS Protection
  17. Get the Teams Talking – Questions to Ask (Network Team, Security Team, IT Apps Team, IT Ops Team):
      • Who in your org is responsible for DNS security?
      • What methods, procedures and tools do you have in place to detect and mitigate DNS attacks?
      • Would you know if an attack was happening, and would you know how to stop it?
  18. Hardened DNS Appliances
      Conventional server approach:
      – Multiple open ports: many open ports subject to attack
      – Users have OS-level account privileges on server
      – Requires time-consuming manual updates
      Hardened appliance approach:
      ✓ Limited port access: dedicated hardware with no unnecessary logical or physical ports
      ✓ No OS-level user accounts, only admin accounts
      ✓ Update: immediate updates to new security threats
      ✓ Secure service access: secure HTTPS-based access to device management; no SSH or root-shell access; encrypted device-to-device communication
  19. Monitoring & Alert on Aggregate Query Rate (chart)
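Slide 19 shows alerting on the aggregate query rate, and slides 12 and 14 describe the reflection and amplification traffic that such monitoring should surface. The Python below is an added example, not Infoblox product code: it parses a constructed resolver query log (the format and every line are invented for the exercise), raises an alert for windows where the aggregate query count exceeds a threshold, and profiles each client by response-to-query byte ratio and share of ANY queries, the fingerprint of a resolver being used as an amplifier. The thresholds are placeholders to tune against your own baseline.

```python
"""Detect DNS DDoS patterns in resolver query logs.

Added example, not Infoblox code. The log format and every line in
CONSTRUCTED_LOG are invented for this exercise; adapt parse_line() to the
query-log format your resolver actually emits.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: four ANY queries with 3100-byte answers land in one second.
CONSTRUCTED_LOG = """\
2014-09-19T10:00:00 client=192.0.2.10 qname=www.example.com qtype=A qlen=33 rlen=49
2014-09-19T10:00:00 client=192.0.2.11 qname=mail.example.com qtype=MX qlen=34 rlen=88
2014-09-19T10:00:01 client=192.0.2.10 qname=www.example.net qtype=AAAA qlen=33 rlen=61
2014-09-19T10:00:02 client=198.51.100.7 qname=example.org qtype=ANY qlen=29 rlen=3100
2014-09-19T10:00:02 client=198.51.100.7 qname=example.org qtype=ANY qlen=29 rlen=3100
2014-09-19T10:00:02 client=198.51.100.7 qname=example.org qtype=ANY qlen=29 rlen=3100
2014-09-19T10:00:02 client=198.51.100.7 qname=example.org qtype=ANY qlen=29 rlen=3100
2014-09-19T10:00:02 client=192.0.2.12 qname=ntp.example.com qtype=A qlen=33 rlen=49
2014-09-19T10:00:03 client=192.0.2.11 qname=www.example.org qtype=A qlen=33 rlen=49
"""

EPOCH = datetime(1970, 1, 1)  # naive reference so window math is timezone-independent


def parse_line(line: str) -> dict:
    """'<iso-time> key=value ...' -> dict; byte counts become ints."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for f in fields:
        key, value = f.split("=", 1)
        rec[key] = int(value) if key in ("qlen", "rlen") else value
    return rec


def parse_log(text: str) -> list[dict]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def queries_per_window(records: list[dict], window_seconds: int = 1) -> dict[datetime, int]:
    """Aggregate query count per window; keys are window start times."""
    counts: dict[datetime, int] = defaultdict(int)
    for r in records:
        secs = int((r["ts"] - EPOCH).total_seconds())
        start = EPOCH + timedelta(seconds=secs - secs % window_seconds)
        counts[start] += 1
    return dict(counts)


def rate_alerts(records: list[dict], threshold: int, window_seconds: int = 1) -> list[tuple[datetime, int]]:
    """Windows whose aggregate query count exceeds the threshold (slide 19)."""
    windows = queries_per_window(records, window_seconds)
    return sorted((start, n) for start, n in windows.items() if n > threshold)


def amplification_suspects(records: list[dict], min_queries: int = 3, min_ratio: float = 20.0) -> dict[str, dict]:
    """Clients whose answers are far larger than their queries (slides 12 and 14).

    Seen from the resolver, a reflection attack is many large answers sent to
    one spoofed source address: the 'client' flagged here is the victim being
    flooded, not the attacker, so the response is to rate-limit or refuse
    recursion for that source, not to treat it as hostile.
    """
    per_client = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "any": 0})
    for r in records:
        c = per_client[r["client"]]
        c["queries"] += 1
        c["qbytes"] += r["qlen"]
        c["rbytes"] += r["rlen"]
        c["any"] += r["qtype"] == "ANY"
    suspects = {}
    for client, c in per_client.items():
        ratio = c["rbytes"] / c["qbytes"]
        if c["queries"] >= min_queries and ratio >= min_ratio:
            suspects[client] = {"queries": c["queries"], "ratio": round(ratio, 1),
                                "any_share": c["any"] / c["queries"]}
    return suspects


if __name__ == "__main__":
    recs = parse_log(CONSTRUCTED_LOG)
    print("rate alerts:", rate_alerts(recs, threshold=4))
    print("amplification suspects:", amplification_suspects(recs))
```

The two checks complement each other: the aggregate rate catches a flood regardless of who is sending it, while the per-client byte ratio catches the low-volume abuse of an open resolver that never trips a rate threshold on its own.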
  20. DNSSEC
      • Fixes the Kaminsky vulnerability
      • DNS Security Extensions
      • Uses public key cryptography to verify the authenticity of DNS zone data (records)
        – DNSSEC zone data is digitally signed using a private key for that zone
        – A DNS server receiving DNSSEC-signed zone data can verify the origin and integrity of the data by checking the signature using the public key for that zone
  21. Advanced DNS Protection (diagram labels: Reporting Server; Automatic updates; Updated Threat-Intelligence Server; Advanced DNS Protection (External DNS); Reports on attack types, severity; Legitimate Traffic; Advanced DNS Protection (Internal DNS); Data for Reports)
  22. Response Policy Zones (RPZ): Blocking Queries to Malicious Domains
      1. An infected device is brought into the office. Malware spreads to other devices on the network.
      2. Malware makes a DNS query to find “home” (botnet / C&C).
      3. The DNS server with RPZ capability detects and blocks the DNS query to the malicious domain; the blocked attempt is sent to syslog.
      4. The query to the malicious domain is logged: security teams can now identify the requesting end-point and attempt remediation.
      RPZ is regularly updated with malicious domain data using available reputational feeds (IPs, domains, etc. of bad servers).
      (Diagram labels: Malware / APT; Malicious domains; DNS Server with RPZ Capability; Reputational Feed; Internet; Intranet)
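As an added example of the RPZ flow on this slide (and of the DNS Firewall steps in the editor's notes below), the Python below is not Infoblox code: it loads a constructed reputational feed of domains, wildcards and IP ranges, checks each query name and each answer address against the policy before handing answers to the client, and writes a syslog-style line carrying the client IP so the security team can find the endpoint (step 4). The feed entries, upstream answers and client addresses are all constructed; the wildcard semantics follow BIND RPZ, where `*.x` matches subdomains only and the apex is listed separately.

```python
"""Response Policy Zone (RPZ) style filtering in front of a resolver.

Added example, not Infoblox DNS Firewall code. The feed, the upstream
answers and the client addresses are all constructed for this exercise.
"""
from __future__ import annotations
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Policy:
    domains: set[str] = field(default_factory=set)    # exact names (apex entries)
    wildcards: set[str] = field(default_factory=set)  # suffixes from '*.name' entries
    networks: list = field(default_factory=list)      # answer-address policy (IP triggers)


def load_feed(lines) -> Policy:
    """Parse a constructed feed of 'domain <name>' / 'ip <cidr>' lines."""
    policy = Policy()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(None, 1)
        value = value.strip().lower().rstrip(".")
        if kind == "domain" and value.startswith("*."):
            policy.wildcards.add(value[2:])
        elif kind == "domain":
            policy.domains.add(value)
        elif kind == "ip":
            policy.networks.append(ipaddress.ip_network(value))
        else:
            raise ValueError(f"unknown feed entry: {line!r}")
    return policy


def match_qname(policy: Policy, qname: str):
    """Return the triggering rule or None. As in BIND RPZ, '*.x' matches
    subdomains of x only; x itself must be listed as an exact name."""
    name = qname.lower().rstrip(".")
    if name in policy.domains:
        return name
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in policy.wildcards:
            return "*." + suffix
    return None


def match_answer(policy: Policy, ip: str):
    """Return the network rule covering an answer address, or None."""
    addr = ipaddress.ip_address(ip)
    for net in policy.networks:
        if addr in net:
            return str(net)
    return None


class RpzResolver:
    def __init__(self, policy: Policy, upstream):
        self.policy = policy
        self.upstream = upstream  # callable: qname -> list of answer IPs
        self.log: list[str] = []  # stands in for syslog

    def resolve(self, client_ip: str, qname: str) -> dict:
        rule = match_qname(self.policy, qname)
        if rule:
            return self._block(client_ip, qname, "QNAME", rule)
        answers = self.upstream(qname)
        for ip in answers:  # a clean-looking name can still resolve into a bad range
            rule = match_answer(self.policy, ip)
            if rule:
                return self._block(client_ip, qname, "IP", rule)
        return {"rcode": "NOERROR", "answers": answers}

    def _block(self, client_ip: str, qname: str, trigger: str, rule: str) -> dict:
        # The client address is what lets the security team find the infected endpoint.
        self.log.append(f"rpz: client {client_ip} query {qname} blocked ({trigger} rule {rule})")
        return {"rcode": "NXDOMAIN", "answers": []}  # NXDOMAIN policy action


# Constructed feed: not a real reputational source.
FEED = """\
# domains and networks invented for this example
domain botnet-c2.example
domain evil.example
domain *.evil.example
ip 203.0.113.0/24
"""


def upstream_stub(qname: str) -> list[str]:
    """Stand-in for the real recursive lookup; the answers are constructed."""
    table = {
        "www.example.com": ["192.0.2.80"],
        "botnet-c2.example": ["198.51.100.1"],
        "cdn.evil.example": ["198.51.100.5"],
        "innocent-name.example": ["203.0.113.9"],  # clean name, answer in a listed range
    }
    return table.get(qname.lower().rstrip("."), [])


if __name__ == "__main__":
    resolver = RpzResolver(load_feed(FEED.splitlines()), upstream_stub)
    for client, name in [("10.0.0.5", "www.example.com"), ("10.0.0.5", "cdn.evil.example"),
                         ("10.0.0.6", "innocent-name.example")]:
        print(name, resolver.resolve(client, name))
    print("\n".join(resolver.log))
```

Checking answer addresses as well as query names is what catches malware that rotates through fresh domain names pointing at the same hosting range; the log line per block is the data the slide's step 4 relies on.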
  23. Take the DNS Security Risk Assessment
      1. Analyzes your organization’s DNS setup to assess level of risk of exposure to DNS threats
      2. Provides a DNS Security Risk Score and analysis based on the answers given
      3. www.infoblox.com/dnssecurityscore
      Higher score = higher DNS security risk!
  24. Call to Action
      • DNS security vulnerabilities pose a significant threat
      • Raise the awareness of DNS and DNS security vulnerabilities in your organization
      • There are multitudes of resources available to help
      • Seek help if needed to protect DNS
      • Talk to Infoblox
  25. Infoblox Overview & Business Update: Leader in technology for network control
      • Founded in 1999
      • Headquartered in Santa Clara, CA, with global operations in 25 countries
      • Market leadership: DDI market leader (Gartner); 50% DDI market share (IDC)
      • 7,300+ customers; 74,000+ systems shipped
      • 46 patents, 27 pending
      • IPO April 2012: NYSE BLOX
      Total revenue ($MM, fiscal year ending July 31):
      FY2007 $35.0 | FY2008 $56.0 | FY2009 $61.7 | FY2010 $102.2 | FY2011 $132.8 | FY2012 $169.2 | FY2013 $225.0
  26. IT Analyst Validation (chart: Worldwide DDI Market Share, 2013)
      • Gartner: “usage of a commercial DDI solution can reduce (network) OPEX by 50% or more.”
      • IDC: Infoblox is the only major DDI vendor to gain market share over the past three years.
      • Gartner: “Infoblox is the DDI market leader in terms of mainstream brand awareness.”
  27. Q&A

Editor’s notes

  • Networks are constantly being exploited using DNS for a variety of criminal purposes today. DNS is the cornerstone of the internet, and attackers know that DNS is a high-value target. Without their DNS functioning properly, enterprises cannot conduct business online.

    The DNS protocol is stateless, which means attackers also cannot be traced easily.

    The DNS protocol can be exploited easily. It is easy to craft DNS queries that cause the DNS server to crash or respond with a much-amplified response that can congest the bandwidth.

    The queries can be spoofed, which means attackers can direct huge amounts of traffic to their victim with the help of unsuspecting accomplices (open resolvers on the internet).

    Traditional protection like firewalls leaves port 53 open and does not do much in terms of preventing DNS attacks.

    All these reasons make DNS an ideal attack target.
  • DNS Firewall – Case Study Example – SEA (Syrian Electronic Army)
    August 27th, 2013 SEA hacked the DNS registries for NY Times & Twitter at a Service Provider in Australia.
    The hack redirected users to SEA-controlled websites which contained malware.

    Infoblox DNS Firewall and its Subscription service helped protect our customers during this attack.
  • – Results in a large amount of data being sent to the victim’s IP address
    – Uses multiple such open resolvers, often thousands of servers

  • The idea of controlling multiple high-bandwidth servers for launching DDoS attacks, compared to, for instance, controlling hundreds of thousands of malware-infected hosts, has always tempted cybercriminals to ‘innovate’ and seek pragmatic ‘solutions’ in order to achieve this particular objective.

    Among the most recent high-profile examples utilizing this server-based DDoS attack tactic is Operation Ababil, the Izz ad-Din al-Qassam (a.k.a. Qassam Cyber Fighters) attacks against major U.S. financial institutions, in which the attackers made use of high-bandwidth servers. This indicates that wishful thinking often tends to materialize.

    In this slide we’ll take a peek inside what appears to be a command and control PHP script in its early stages of development, which is capable of integrating multiple (compromised) servers for the purpose of launching distributed denial of service (DDoS) attacks taking advantage of their bandwidth.

    Currently, the PHP script supports four types of DDoS attack tactics, namely DNS amplification, spoofed SYN, spoofed UDP, and HTTP + proxy support. The script also acts as a centralized command and control management interface for all the servers on which it has been (secretly) installed. It’s currently offered for $800.
    Just as we’ve seen in numerous other cybercrime-friendly underground market releases, the author of the PHP script is once again forwarding the responsibility for its use to potential customers and, surprisingly, at a time when fake scanned IDs continue to be systematically abused by cybercriminals, is expressing his trust in the user legitimization methods applied by his payment processor of choice, WebMoney.
  • In recent surveys, it turns out that there is no clear ownership of DNS security, mostly due to lack of awareness. The security teams see DNS as the networking team’s responsibility, but networking teams are often looking to security teams for risk mitigation. Unclear roles and responsibilities cause the first layer of vulnerabilities…
  • Port 53 – Domain Name System (DNS)
    Port 25 – Simple Mail Transfer Protocol (SMTP) -- Email
    Port 80 – HTTP -- Web
    Port 110 – Post Office Protocol (POP3)
    Port 1503 – Windows Live Messenger
    Port 1801 – Microsoft Messaging

    Dedicated hardware with no extraneous ports open for attack.
    No association with enterprise domain logins or passwords: only admin login rights, no user rights even available.
    Immediate updates to new security threats.
    Encryption-based transactions to manage the appliance.
  • The Advanced Appliance can sit on the Grid. Now let’s see Advanced DNS Protection in action.
    Regular Grid appliances like the Grid Master and the reporting server sit on the Grid.
    Let’s assume we have two Advanced Appliances, one external authoritative and the other functioning as an internal recursive server.
    DNS attacks come interspersed with legitimate DNS traffic at the external authoritative server.
    Advanced DNS Protection pre-processes the requests to filter out attacks.
    It responds to legitimate DNS requests.
    The attack types and patterns are sent to the Infoblox Reporting server.
    When Infoblox detects new threats, it creates rules and updates the Advanced Appliance. The rule updates are propagated to other Advanced Appliances on the Grid.
  • Infoblox DNS Firewall – How does it work?
    1. An infected mobile device is brought into the office. Upon connection, the malware starts to spread to other devices on the network.
    2. The malware makes a DNS query for a “bad” domain to find “home.” The DNS Firewall has the “bad” domain in its table and blocks the connection.
    3. The DNS server is continually updated by a reputational data feed service to reflect the rapidly changing list of malicious domains.
    4. Infoblox Reporting provides a list of blocked attempts as well as the:
       – IP address
       – MAC address
       – Device type (DHCP fingerprint)
       – Host name
       – DHCP lease history (on/off network)
    5. Reputation data comes from:
       – Infoblox DNS Firewall Subscription Service: blocking data on domains and IP addresses from 35+ sources throughout the world. Geo-blocking is also a part of the service.
       – Infoblox DNS Firewall – FireEye Adapter: APT malware domains and IP addresses to be blocked are communicated to DNS Firewall from FireEye NX Series.
  • This is a new Security Risk Assessment you can point your customers to at any time. It’s on the external web site, and customers such as Pep Boys, Twitter, and K-Mart have run assessments.

    Some major observations about customers in this context:

    Most don’t perform any security analysis on DNS traffic.
    No team or person is chartered with looking specifically at DNS security.
    For those with on-premises external DNS servers, there is no knowledge of how to handle DNS-based DDoS attacks.
    Most of them use conventional DNS services (Microsoft or BIND).
    Possibly other services are running on them.
    Lots of open ports (security risks).
  • DNS is critical infrastructure & not well understood
    DNS attacks are on the rise
    Traditional approaches are not sufficient
    There are a lot of good resources and technologies to help you protect DNS
  • Infoblox is not a start-up. The company was started more than a dozen years ago; our technology is mature and field-proven.
    The company HQ is in the heart of Silicon Valley, with global operations in all major geographies.
    We do business in 3 regions (Americas, EMEA, APJ).
    We have sales, support and development operations in 25 countries, and we do business in over 70 countries around the world.
    Infoblox makes essential technology to control networks – we’ll dig into that a bit later in the
    We are a market leader in the space that we serve, with Strong Positive ratings from Gartner (3 years in a row) and 40% market share.
    (Note: the Gartner MarketScope and market share stat are specific to DDI.)
    Infoblox has a massive customer base: our latest count is 6,900 different companies, and we have shipped 64,000 systems.
    We are innovative, with a formal patent program for our employees. As of right now we own 32 patents, with 25 more pending.
    Last but not least, the company did a successful IPO in April 2012. We now share our financial results publicly, which can be seen on the right.