
DNS Security Presentation ISSA


DNS is critical network infrastructure and securing it against attacks like DDoS, NXDOMAIN, hijacking and Malware/APT is very important to protecting any business.

Published in: Technology

  1. Domain Name System (DNS): Network Security Asset or Achilles Heel?
     Srikrupa Srivatsan, Sr. Product Marketing Manager, Infoblox
     September 19, 2014
     © 2013-2014 Infoblox Inc. All Rights Reserved.
  2. Agenda
     • What is DNS and How Does it Work?
     • Threat Landscape Trends
     • Common Attack Vectors
       - Anatomy of an attack: DNS Hijacking
       - Anatomy of an attack: Reflection Attack
       - Anatomy of an attack: DNS DDoS
     • How To Protect Yourself?
     • Q & A
  3. What is the Domain Name System (DNS)?
     • Address book for all of the Internet
     • Translates “google.com” to 173.194.115.96
     • Invented in 1983 by Paul Mockapetris (UC Irvine)
     Without DNS, the Internet & network communications would stop
  4. How Does DNS Work?
     Diagram labels: ISP DNS SERVER, ROOT DNS SERVER, WWW.GOOGLE.COM (173.194.115.96)
     • “I need directions to www.google.com”
     • “That domain is not in my server, I will ask another DNS Server”
     • “That’s in my cache, it maps to: 173.194.115.96”
     • “Great, I’ll put that in my cache in case I get another request”
     • “Great, now I know how to get to www.google.com”
  5. For Bad Guys, DNS Is a Great Target
     • DNS is the cornerstone of the Internet, used by every business/government
     • DNS is fairly easy to exploit
     • Traditional protection is ineffective against evolving threats
     • DNS Outage = Business Downtime
  6. The Rising Tide of DNS Threats: Are You Prepared?
     • In the last year alone there has been an increase of 200% DNS attacks [1] and 58% DDoS attacks [1]
     • With possible amplification up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge
     • 28M: Pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks [2]
     • 33M: Number of open recursive DNS servers [2]
     • 2M: With enterprise level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant
     Sources:
     [1] Quarterly Global DDoS Attack Report, Prolexic, 1st Quarter, 2013
     [2] www.openresolverproject.org
  7. The Rising Tide of DNS Threats
     DNS attacks are rising for 3 reasons:
     1. Easy to spoof
     2. Asymmetric amplification
     3. High-value target
     Countries of origin for the most DDoS attacks in the last year: China, US, Brazil, Russia, France, India, Germany, Korea, Egypt, Taiwan
  8. The Rising Tide of DNS Threats: Financial impact is huge
     • The average loss for a 24-hour outage from a DDoS attack [3]: $27 million
     • Avg estimated loss per DDoS event in 2012 [3] (chart; categories: Financial services, Technology company, Government; values: -$7.7M, -$13.6M, -$17M)
     • Top Industries Targeted [4] (chart):
       - 42% Enterprise: Financial Services and Business Services (13% and 21%), 2% Healthcare, 1% Automotive, 5% Miscellaneous
       - 29% Commerce: 2% Consumer Goods, 5% Hotels, 22% Retail
       - 17% Media & Entertainment
       - 7% High Tech
       - 5% Public Sector
     Sources:
     [3] Develop A Two-Phased DDoS Mitigation Strategy, Forrester Research, Inc., May 17, 2013
     [4] State of the Internet, Akamai, 2nd Quarter, 2013
  9. DNS Attack Vectors
  10. The DNS Security Challenges
      1. Securing the DNS Platform
      2. Defending Against DNS Attacks (DDoS / Cache Poisoning)
      3. Preventing Malware from using DNS
  11. Anatomy of an Attack: Syrian Electronic Army
  12. Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
      How the attack works:
      • Combines reflection and amplification
      • Uses third-party open resolvers in the Internet (unwitting accomplice)
      • Attacker sends spoofed queries to the open recursive servers
      • Uses queries specially crafted to result in a very large response
      • Causes DDoS on the victim’s server
      Diagram labels: Internet, Attacker, Target Victim
  13. Anatomy of an Attack: DNS DDoS For Hire
      • DDoS attacks against major U.S. financial institutions
      • Launching (DDoS) taking advantage of server bandwidth
      • 4 types of DDoS attacks:
        - DNS amplification
        - Spoofed SYN
        - Spoofed UDP
        - HTTP+ proxy support
      • Script offered for $800
  14. The Rising Tide of DNS Threats: Top 10 DNS attacks
      • DNS amplification: Use amplification in DNS reply to flood victim
      • Protocol anomalies: Malformed DNS packets causing server to crash
      • DNS hijacking: Subverting resolution of DNS queries to point to rogue DNS server
      • Reconnaissance: Probe to get information on network environment before launching attack
      • Fragmentation: Traffic with lots of small out-of-order fragments
      • TCP/UDP/ICMP floods: Flood victim’s network with large amounts of traffic
      • DNS cache poisoning: Corruption of a DNS cache database with a rogue address
      • DNS tunneling: Tunneling of another protocol through DNS for data exfiltration
      • DNS based exploits: Exploit vulnerabilities in DNS software
      • DNS reflection/DrDoS: Use third-party DNS servers to propagate DDoS attack
  15. Protection Best Practices
  16. Help Is On the Way!
      • Collaboration
      • Dedicated Appliances
      • Monitoring
      • DNSSEC
      • RPZ
      • Advanced DNS Protection
  17. Get the Teams Talking – Questions to Ask:
      • Who in your org is responsible for DNS Security?
      • What methods, procedures, tools do you have in place to detect and mitigate DNS attacks?
      • Would you know if an attack was happening, would you know how to stop it?
      Diagram labels: Network Team, Security Team, IT Apps Team, IT OPS Team
  18. Hardened DNS Appliances
      Conventional Server Approach
      – Many open ports subject to attack
      – Users have OS-level account privileges on server
      – Requires time-consuming manual updates
      Hardened Appliance Approach
      • Dedicated hardware with no unnecessary logical or physical ports
      • No OS-level user accounts – only admin accts
      • Immediate updates to new security threats
      • Secure HTTPS-based access to device management
      • No SSH or root-shell access
      • Encrypted device to device communication
      Diagram labels: Multiple Open Ports, Limited Port Access, Update, Secure Service Access
  19. Monitoring & Alert on Aggregate Query Rate
  20. DNSSEC
      • Fixes Kaminsky Vulnerability
      • DNS Security Extensions
      • Uses public key cryptography to verify the authenticity of DNS zone data (records)
        - DNSSEC zone data is digitally signed using a private key for that zone
        - A DNS server receiving DNSSEC signed zone data can verify the origin and integrity of the data by checking the signature using the public key for that zone
  21. Advanced DNS Protection
      Diagram labels: Reporting Server; Automatic updates; Updated Threat-Intelligence Server; Advanced DNS Protection (External DNS); Reports on attack types, severity; Legitimate Traffic; Advanced DNS Protection (Internal DNS); Data for Reports
  22. Response Policy Zones (RPZ): Blocking Queries to Malicious Domains
      1. An infected device is brought into the office. Malware spreads to other devices on the network.
      2. Malware makes a DNS query to find “home” (botnet / C&C).
      3. DNS server detects & blocks the DNS query to the malicious domain. The blocked attempt is sent to syslog.
      4. Query to malicious domain is logged; security teams can now identify the requesting end-point and attempt remediation.
      RPZ is regularly updated with malicious domain data using available reputational feeds.
      Diagram labels: Malicious domains; DNS Server with RPZ Capability; Blocked attempt sent to Syslog; Malware / APT; Malware / APT spreads within network; Calls home; Reputational Feed: IPs, Domains, etc. of Bad Servers; Internet; Intranet
  23. Take the DNS Security Risk Assessment
      1. Analyzes your organization’s DNS setup to assess level of risk of exposure to DNS threats
      2. Provides DNS Security Risk Score and analysis based on answers given
      3. www.infoblox.com/dnssecurityscore
      Higher score = higher DNS security risk!!
  24. Call to Action
      • DNS security vulnerabilities pose a significant threat
      • Raise the awareness of DNS and DNS security vulnerabilities in your organization
      • There are multitudes of resources available to help
      • Seek help if needed to protect DNS
      • Talk to Infoblox
  25. Infoblox Overview & Business Update: Leader in technology for network control
      • Founded in 1999
      • Headquartered in Santa Clara, CA with global operations in 25 countries
      • Market leadership
        - DDI Market Leader (Gartner)
        - 50% DDI Market Share (IDC)
      • 7,300+ customers, 74,000+ systems shipped
      • 46 patents, 27 pending
      • IPO April 2012: NYSE BLOX
      Total Revenue (Fiscal Year Ending July 31), $MM: FY2007 $35.0; FY2008 $56.0; FY2009 $61.7; FY2010 $102.2; FY2011 $132.8; FY2012 $169.2; FY2013 $225.0
  26. IT Analyst Validation
      • Gartner: “usage of a commercial DDI solution can reduce (network) OPEX by 50% or more.”
      • IDC: Infoblox is the only major DDI vendor to gain market share over the past three years.
      • Gartner: “Infoblox is the DDI market leader in terms of mainstream brand awareness.”
      Chart: Worldwide DDI Market Share – 2013
  27. Q&A
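
Slide 12 describes reflection and amplification, and slide 19 names aggregate query rate as the signal to monitor. As an added example (not part of the Infoblox deck), the Python below runs both checks from the resolver operator's side over constructed per-query records; the record layout, thresholds and addresses are assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed records: (unix_second, source_ip, query_bytes, response_bytes)."""
    records = []
    # Seconds 0-9: two ordinary clients making one small lookup per second.
    for t in range(10):
        records.append((t, "10.1.2.10", 40, 72))
        records.append((t, "10.1.2.11", 40, 84))
    # Seconds 5-9: bursts "from" one address whose answers dwarf the questions.
    # With spoofed sources, that address is the victim, not the real sender.
    for t in range(5, 10):
        records.extend((t, "198.51.100.7", 64, 3200) for _ in range(50))
    return records

def aggregate_qps(records):
    """Queries per second across all sources (the aggregate query rate)."""
    qps = defaultdict(int)
    for t, *_ in records:
        qps[t] += 1
    return dict(qps)

def rate_alerts(records, baseline_window=5, factor=5):
    """Seconds whose QPS exceeds factor x the mean QPS of the baseline window."""
    qps = aggregate_qps(records)
    seconds = sorted(qps)
    baseline = sum(qps[s] for s in seconds[:baseline_window]) / baseline_window
    return [s for s in seconds[baseline_window:] if qps[s] > factor * baseline]

def reflection_suspects(records, min_ratio=10.0, min_bytes_out=50_000):
    """Sources sent far more bytes than they asked with: likely spoofed victims."""
    sent, recv = defaultdict(int), defaultdict(int)
    for _t, src, q_len, r_len in records:
        sent[src] += q_len
        recv[src] += r_len
    return {src: round(recv[src] / sent[src], 1) for src in sent
            if recv[src] >= min_bytes_out and recv[src] / sent[src] >= min_ratio}

if __name__ == "__main__":
    sample = build_sample()
    print("rate alerts at seconds:", rate_alerts(sample))
    print("amplification by source:", reflection_suspects(sample))
```

A source flagged by `reflection_suspects` is a candidate for response rate limiting or for restricting recursion to internal clients; blocking it outright only helps if the address is not a legitimate client being impersonated.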
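
Slide 22's RPZ flow ends with blocked queries landing in syslog so the security team can find the requesting end-point. As an added example (not part of the Infoblox deck), the Python below does that triage over constructed syslog lines; the line layout is modeled on BIND-style RPZ rewrite messages and, like the zone name `rpz.example` and every address and domain, is an assumption to adapt to your DNS server.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the deck). The layout is an
# assumption modeled on BIND-style "rpz ... rewrite" messages.
SAMPLE_LOG = """\
Sep 19 10:01:02 dns1 named[811]: client 10.1.4.23#53122 (cdn.badhost.example): rpz QNAME NXDOMAIN rewrite cdn.badhost.example via cdn.badhost.example.rpz.example
Sep 19 10:01:09 dns1 named[811]: client 10.1.4.23#40110 (c2.evil.example): rpz QNAME NXDOMAIN rewrite c2.evil.example via c2.evil.example.rpz.example
Sep 19 10:01:30 dns1 named[811]: client 10.1.7.88#51833 (c2.evil.example): rpz QNAME NXDOMAIN rewrite c2.evil.example via c2.evil.example.rpz.example
Sep 19 10:02:00 dns1 named[811]: client 10.1.9.5#39001 (www.example.com): query: www.example.com IN A +
Sep 19 10:02:41 dns1 named[811]: client 10.1.4.23#40222 (c2.evil.example): rpz QNAME NXDOMAIN rewrite c2.evil.example via c2.evil.example.rpz.example
"""

RPZ_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite"
)

def rpz_hits(log_text):
    """Yield (client_ip, qname, action) for every RPZ-blocked query."""
    for line in log_text.splitlines():
        m = RPZ_RE.search(line)
        if m:
            yield m["ip"], m["qname"].lower().rstrip("."), m["action"]

def triage(log_text, min_hits=2):
    """Group blocked queries by end-point; flag hosts at or above min_hits."""
    per_client = defaultdict(lambda: defaultdict(int))
    for ip, qname, _action in rpz_hits(log_text):
        per_client[ip][qname] += 1
    report = []
    for ip, domains in per_client.items():
        total = sum(domains.values())
        report.append({"client": ip, "hits": total, "domains": dict(domains),
                       "investigate": total >= min_hits})
    return sorted(report, key=lambda r: r["hits"], reverse=True)

def spread(log_text):
    """Map each blocked domain to the set of end-points that asked for it."""
    by_domain = defaultdict(set)
    for ip, qname, _action in rpz_hits(log_text):
        by_domain[qname].add(ip)
    return dict(by_domain)

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    print(spread(SAMPLE_LOG))
```

`spread` answers the slide's "malware spreads within network" question: a blocked domain requested by more than one end-point points to several infected hosts rather than one.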
