Monitoring for DNS Security

Learn to recognize the many ways in which attackers can tamper with DNS servers and records, and the measures you can take to prevent this.

See the full webinar and the rest of the series at https://www.thousandeyes.com/resources/monitoring-for-dns-security-webinar

  1. DNS Series Part 2: Monitoring for DNS Security. Young Xu, Product Marketing Analyst
  2. DNS Webinar Series
     •  Intro to DNS, November 15th 2016: An overview of the Domain Name System, resources, records, name resolution and name servers.
     •  DNS Security, December 13th 2016: Tips and examples covering DNS hijacking and DDoS attacks on DNS infrastructure.
     •  Monitoring DNS Records and Servers, January 17th 2017: An in-depth view on how to monitor and alert on DNS availability, response time and record mappings.
  3. About ThousandEyes: ThousandEyes delivers visibility into every network your organization relies on. Founded by network experts; strong investor backing. Relied on for critical operations by leading enterprises. Recognized as an innovative new approach. 31 Fortune 500; 5 top 5 SaaS Companies; 4 top 6 US Banks.
  4. Two DNS Security Threats
     •  DDoS: Saturates network links, hardware or servers to deny service
     •  DNS Hijacking & Poisoning: Spoofs DNS mappings to reroute traffic to a malicious endpoint
  5. Network Topology of a DDoS Attack: Attackers flood your web service from around the world. (Diagram labels: Chicago, IL; London; Tokyo; Atlanta; Portland, OR; Sydney; Internet; Enterprise; domain.com)
  6. Cloud-Based DDoS Mitigation: Traffic is rerouted, using DNS or BGP, to cloud-based scrubbing centers and ‘real’ traffic is routed back to your network. (Diagram labels: Chicago, IL; London; Tokyo; Atlanta; Portland, OR; Sydney; Internet; Scrubbing Center; Enterprise; domain.com)
  7. Monitoring for DDoS Attacks: Global Availability; Mitigation Deployment; Mitigation Performance; Vendor Collaboration
  8. DNS Hijacking
  9. DNS Cache Poisoning
     •  Precondition: Unsecured DNS server, no DNSSEC, no port randomization
     •  Diagram callouts: Attacker inserts a false record into the DNS cache; User requests DNS record for www.website.com; Looks up record on spoofed name server; User accesses spoofed URL
     •  Diagram labels: Local DNS Cache; Authoritative DNS Server dns.website.com; www.website.com; Attacker; Attacker DNS Server dns.attack.com; www.attack.com; User
  10. Monitoring for DNS Hijacking & Poisoning: Global Availability; Verify Mappings; DNSSEC Validation; Alerting
  11. Monitoring for DNS Security
     •  1 On-Premises DNS: Local caching resolvers and self-hosted DNS
     •  2 Hosted DNS: Authoritative, TLD and Root Name Servers
     •  Diagram labels: Managed DNS Provider; Internet; Access Networks; Cloud Agents & DNS+ Vantage Points; Enterprise Agents; Branch; Data Center
  12. Alerting for DNS Security (columns: Scenario; Test Type; Threshold)
     •  DDoS - Performance Impact; DNS Server, DNS+ Domain, DNS+ Server; Resolution Time ≥ _____ms
     •  DDoS - Performance Impact; DNS Server, DNS Trace; Error is present
     •  DDoS - Performance Impact; DNS+ Domain; Availability ≤ _____%, Reference Availability ≤ _____%
     •  DDoS - Mitigation Activation; BGP; Origin ASN in _____, Next Hop ASN in _____, Prefix not in _____
     •  DNS Hijacking & Poisoning; DNS Server, DNS Trace; Mapping not in _____
     •  DNS Hijacking & Poisoning; DNS+ Domain; Mapping not in _____, % of Mappings > _____%
  13. Tips for Secure DNS Management
     •  Operational: Stay informed about new vulnerabilities; Automated patch management
     •  Protocol: Global DNS integrity monitoring with alerts; DNSSEC
     •  Architecture: Service resiliency; Avoid single points of failure; Diversify DNS providers
     •  Read more: https://blog.thousandeyes.com/secure-dns-management-best-practices/
  14. Demo
  15. DDoS: Dyn Sees Availability and Loss Issues. Callouts: Correlates with 100% packet loss; Low of 0% availability
  16. DDoS: Dyn Traffic Terminates in Telia. Callouts: Anycast IP accessible from some locations; Traffic terminating in Telia network
  17. DNS Hijack: Craigslist Records Compromised. Callouts: Spoofed mapping; Vantage points with spoofed record; Prevalence of spoofed mapping over time
  18. Networks with Records to Flush. Callouts: Breakdown available by country and network; Number of vantage points with spoofed records
  19. See what you’re missing. Watch the webinar: https://www.thousandeyes.com/resources/monitoring-for-dns-security-webinar
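
The hijacking and poisoning rules on slide 12 ("Mapping not in _____", "% of Mappings > _____%") and the per-network breakdown on slide 18 can be sketched as follows. This is an added example, not ThousandEyes code: the function names, the vantage-point tuples, the network labels and the expected prefix are all assumptions, and the addresses are constructed from the RFC 5737 documentation ranges.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: (vantage point, network label, A record returned)
# for one hostname, as collected from resolvers in different places.
OBSERVATIONS = [
    ("Chicago", "AS-A", "192.0.2.10"),
    ("London", "AS-B", "192.0.2.11"),
    ("Tokyo", "AS-C", "203.0.113.66"),
    ("Atlanta", "AS-A", "192.0.2.10"),
    ("Portland", "AS-D", "203.0.113.66"),
    ("Sydney", "AS-C", "203.0.113.66"),
]
# Assumed known-good mapping set (the "Mapping not in _____" list).
EXPECTED = [ip_network("192.0.2.0/28")]


def is_expected(answer, expected):
    """True if the answer parses as an IP inside an expected prefix."""
    try:
        addr = ip_address(answer)
    except ValueError:
        return False  # unparseable answers are treated as unexpected
    return any(addr in net for net in expected)


def evaluate(observations, expected, max_bad_pct):
    """Apply both rules: list unexpected mappings, alert past a percentage."""
    if not observations:
        # No answers is an availability problem, not a mapping verdict.
        raise ValueError("no observations to evaluate")
    by_network = defaultdict(list)
    for vantage, network, answer in observations:
        if not is_expected(answer, expected):
            by_network[network].append((vantage, answer))
    bad = sum(len(v) for v in by_network.values())
    pct = 100.0 * bad / len(observations)
    return {
        "bad_pct": pct,
        "alert": pct > max_bad_pct,
        # Networks whose resolvers hold the unexpected record (slide 18).
        "by_network": dict(by_network),
    }


if __name__ == "__main__":
    print(evaluate(OBSERVATIONS, EXPECTED, max_bad_pct=10.0))
```

The `by_network` grouping is what tells an operator which resolver operators to contact about flushing a poisoned record.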
