Presentation is loading. Please wait.

Presentation is loading. Please wait.

Domain Name System (DNS) Network Security Asset or Achilles Heel?

Similar presentations

Presentation on theme: "Domain Name System (DNS) Network Security Asset or Achilles Heel?"— Presentation transcript:

1 Domain Name System (DNS) Network Security Asset or Achilles Heel?
Seema Kathuria, Sr. Product Marketing Manager, Infoblox February 19, 2015

2 Session Overview/Speaker Info
Domain Name System (DNS) – Network Security Asset or Achilles Heel? Speaker: Seema Kathuria Session Abstract: The DNS is a key building block of the Internet which is fast becoming one of the top-rated vectors for external (“outside-in”) attacks on the infrastructure and internal (“inside out”) attacks from malware. Most IT professionals know very little about the DNS and, subsequently, have done little to protect this critical asset. This session will discuss common vulnerabilities and attack surfaces, different types of DNS threat vectors, and security strategies/techniques to mitigate for this oft ignored security threat to network architecture. If built into a project plan from inception, the right network architecture can be designed to protect against the multitude of DNS attack vectors. Speaker Bio: Seema has 10 years of experience in technology product marketing at various technology and network security companies, including Check Point Software and Imperva. Currently, she is responsible for product messaging and positioning, competitive intelligence, and bringing to market Infoblox’s Secure DNS solutions that protect critical network infrastructure.  Seema is responsible for creating market awareness on DNS security through thought leadership assets, presentations at security trade shows, and customer events. Immediately prior to Infoblox, Seema led product marketing and sales enablement activities at Juniper Networks for its high-end firewall and threat intelligence security solutions. © 2015 Infoblox Inc. All Rights Reserved.

3 Agenda What is DNS and How Does It Work? Threat Landscape Trends
Common Attack Vectors Anatomy of an attack: DNS Hijacking Anatomy of an attack: Reflection Attack Anatomy of an attack: Data Exfiltration via DNS Tunneling How to Protect Yourself? Q&A © 2015 Infoblox Inc. All Rights Reserved.

4 What is the Domain Name System (DNS)?
Address book for The Internet Translates “” to Invented in 1983 by Paul Mokapetris (UC Irvine) The Domain Name System or DNS is essentially the address book for the entire Internet. For any domain name such as, there is an IP address in this case DNS was invented in 1983 by Paul Mokapetris, an American computer scientist and Internet pioneer. DNS is essential. Without it, the Internet and Network Communications would basically come to a halt. Without DNS, The Internet & Network Communications Would Stop DNS Outage = Business Downtime © 2015 Infoblox Inc. All Rights Reserved.

5 How Does DNS Work? Root DNS Server ISP DNS SERVER
Root DNS Server “That’s in my cache, it maps to: “Great, now I know how to get to “Great, I’ll put that in my cache in case I get another request” “That domain is not in my server, I will ask another DNS Server” So how does DNS work? Whereas humans have an easy time remembering domain names such as,, and so forth, computers use machine readable IP addresses to find the relevant server for the requested domains. When a computer user enters a particular domain name into a Web browser, such as the computer will need the IP address basically the “directions” to reach that domain. First, this request is sent to the local ISP DNS server shown in red on the diagram. Since this domain is not known, the DNS server forwards this request to another server, known as the Root DNS server. This DNS server has the IP address stored in its cache. This is shown in yellow. The IP address is then sent back to the local ISP DNS server and will be placed in its cache, so that if any other user sends the exact same DNS request, it can respond directly. This IP address is also sent back to the original requestor. Now, the user can view the content served by “I need directions to ISP DNS SERVER © 2015 Infoblox Inc. All Rights Reserved.

6 For Bad Guys, DNS Is a Great Target
DNS is the cornerstone of the Internet used by every business and government DNS as a protocol is easy to exploit Traditional protection is ineffective against evolving threats Now that you understand at a high level how DNS works, let’s take a look at why DNS is an ideal target. A lot of times, attackers know that DNS is the cornerstone of the Internet. All businesses need DNS to function, for having your web site online, for communication, VoIP, etc. So basically if the DNS is down, your business is offline. And it can really affect the bottom line. The second point is that DNS as a protocol is very trusting. It is a UDP based protocol. At the time it was developed, nobody thought DNS would be used as a way to attack a network. So the protocol itself is easy to exploit. So we’ll take a look at what you can do to make sure that you secure the DNS. The third key point is that traditional protection like firewalls and IPS devices typically leave port 53 open for the DNS traffic to come in. They don’t focus on DNS from a security standpoint and hence aren’t that effective enough against DNS based attack vectors. So it’s a gap that needs to be filled, and we’ll take a look at how you can do that with Infoblox’s solutions. But the bottom line is: a DNS outage means your business is down. DNS Outage = Business Downtime © 2015 Infoblox Inc. All Rights Reserved.

7 Defense-in-Depth and DNS Security Gap
Firewalls and IDS/IPS devices don’t effectively address DNS security threats Proliferation of BYOD devices, mobile users means threats may be inside the firewall DNS technology is ideal for defending against threats and disrupting APT/malware communications from infected devices Traditional security products generally don’t focus on DNS DNS security layer needed to fill gap Defense in depth is a common methodology used to address network vulnerabilities; and most organizations now have several firewalls and IPS solutions to address the #1 attack vector, HTTP and #2 attack vector, HTTPS. However, according to the Arbor Networks Infrastructure Report, DNS is the #3 most common attack vector and Port 53 is typically wide open, even with advanced firewalls in place. At the same time, it is inevitable that the network perimeter will be disappearing in lieu of corporate employees and end users using mobile devices to access sensitive data. As a result, increasingly threats may be originating from inside the firewall, not just from outside. DNS is an ideal technology for detecting and blocking threats both from outside-in and inside-out including DNS specific threats as well as APT/malware related threats that infect devices inside the network which will then try to reach Command and Control sites or botnets for further instructions. Traditional security products generally don’t focus tightly on DNS. Hence, a DNS security layer is needed to fill the gap. © 2015 Infoblox Inc. All Rights Reserved.

8 The DNS Security Challenges
Securing the DNS platform 1 Defending against DNS attacks including data exfiltration via DNS tunneling 2 DNS is an open global communication mechanism that is not well secured nor a well protected channel. The platform on which DNS services are run can be a challenge to secure, especially if that platform is also running other applications with no stringent access control to the OS. The DNS needs to be protected against attacks that try to bring it and the IT infrastructure down. Malware communicates to its command and control site/domain using DNS to resolve the name. Preventing malware from using DNS to communicate to malicious domains 3 © 2015 Infoblox Inc. All Rights Reserved.

9 DNS Attack Vectors © 2015 Infoblox Inc. All Rights Reserved.

10 Anatomy of an Attack Syrian Electronic Army
August 27th, 2013 SEA hacked the DNS registries for NY Times & Twitter at a Service Provider in Australia. The hack redirected users to SEA-controlled websites which contained malware. © 2015 Infoblox Inc. All Rights Reserved.

11 Open Recursive Servers
Anatomy of an Attack Distributed Reflection DoS Attack (DrDoS) How the attack works Combines reflection and amplification Internet Uses third-party open resolvers in the Internet (unwitting accomplice) Open Recursive Servers Spoofed Queries Attacker sends spoofed queries to the open recursive servers Reflected Amplified Packets Uses queries specially crafted to result in a very large response Another attack is a Distributed Reflection attack. And this one is actually using many open resolvers on the Internet. So this attack combines reflection and amplification. And what it does is the malicious agent sends spoofed queries to many of the open resolvers on the Internet. And by spoofed I mean that they change the destination IP to be the IP address of the target victim, and writes the queries in such a way that the responses are amplified maybe even up to 100 times. So now, this target victim is getting a whole bunch of reflected and amplified traffic from the open resolvers and the victim gets overwhelmed, gets DDoSed and their server crashes. Attacker Causes DDoS on the victim’s server Target Victim © 2015 Infoblox Inc. All Rights Reserved.

12 Anatomy of an Attack Data Exfiltration via DNS Tunneling File containing sensitive info converted to text, broken into chunks and exfiltrated via DNS Exfiltrated data put back together and decrypted to get the valuable information Used spoofed addresses This is simple data exfiltration where a file is taken, converted to text, chunked apart, then sent offsite via DNS.  This is done using spoofed IP addresses so the clients are coming from a range of IP addresses 1.x.x.x to 128.x.x.x making it impossible to alarm on or rate-limit the clients. © 2015 Infoblox Inc. All Rights Reserved.

13 The Rising Tide of DNS Threats
Are You Prepared? TCP/UDP/ICMP floods: Flood victim’s network with large amounts of traffic DNS amplification: Use amplification in DNS reply to flood victim DNS cache poisoning: Corruption of a DNS cache database with a rogue address Protocol anomalies: Malformed DNS packets causing server to crash DNS tunneling: Tunneling of another protocol through DNS for data ex-filtration DNS hijacking: Subverting resolution of DNS queries to point to rogue DNS server DNS Top attacks DNS based exploits: Exploit vulnerabilities in DNS software Reconnaissance: Probe to get information on network environment before launching attack The examples I just described are just a few of the many attacks that use DNS. Here is a list of some others also. There are a number of volumetric/DDoS types of DNS attacks such as TCP/UDP/ICMP floods, DNS amplification, reflection, and NXDOMAIN. But there are also many DNS-specific exploits such as DNS cache poisoning, DNS tunneling, and DNS hijacking. DNS reflection/DrDos: Use third party DNS servers to propagate DDoS attack Fragmentation: Traffic with lots of small out of order fragments Phantom Domain: Force DNS server to resolve multiple non-existent domains and wait for responses NXDOMAIN: Flood DNS server with requests for non-existent domains © 2015 Infoblox Inc. All Rights Reserved.

14 APT/Malware Examples CryptoLocker “Ransomware” and GameOver Zeus
Targets Windows-based computers Appears as attachment within seemingly legitimate Upon infection, encrypts files: local hard drive and mapped network drives Ransom: 72 hours to pay $300USD If not paid, encryption key deleted and data irretrievable Only way to stop (after executable has started) is by blocking outbound connection to encryption server GameOver Zeus: 500,000 to 1M infections worldwide Hundreds of millions of dollars stolen Highly sophisticated and hard to track Uses P2P communication to control infected devices or botnet Upon infection, it monitors machine for finance-related information Takes control of private online transactions and diverts funds to criminal accounts Responsible for distribution of CryptoLocker, and infected systems can be used for DDoS attacks APTs typically implant malware onto devices and then spread the malware by pointing those devices to C&C servers and botnets using DNS. Here are two examples. CryptoLocker: One example of Malware is CryptoLocker. This malware is also called Ransomware. Once it infects an endpoint it will run an encryption algorithm and encrypt all the data and files on that endpoint. It asks for a ransom and you have to pay up to get your data back. So CryptoLocker actually uses DNS as a way to connect to its Command & Control site, download the encryption software, run it, and then encrypt the data. So if you can use the DNS RPZ feed to detect and block and prevent the encryption from actually happening, you are actually saved from the ill effects of CryptoLocker. GameOver Zeus: Another famous botnet that was highly publicized is GameOver Zeus. This is a peer-to-peer botnet that uses P2P communications to control infected devices. It was used as a way to drop CryptoLocker in many of those devices. It mainly targeted Financial industries. There was some significant loss, with hundreds of millions of dollars stolen with GameOver Zeus bot. Again, the botnet and communications happen through DNS. You can use DNS to disrupt these types of botnets and malicious software. © 2015 Infoblox Inc. All Rights Reserved.

15 Security Breaches using APTs/Malware
2014 Q1 Q2 A key problem is that APTs/malware are used to drive security breaches around sensitive information or to steal money. In the recent news, you’ve seen a lot of highly publicized news items around malware and APT breaches. Before you on the screen right now is just some of those in In the USA, you’ve probably heard about retail chains such as Michaels and Kmart having been impacted by breaches. Also in the limelight were financial and banking organizations such as American Express and JPMorgan Chase. Multiple industries are being targeted including retail, Government, High-Tech, Education, and Finance. And a lot of times these breaches happen and malware and APTs actually use DNS as a communication mechanism for these breaches to happen. So, using DNS as a way to detect and mitigate these types of breaches is actually the best way to do it, and is the ideal choke point to disrupt malware and APT communication. Q1C2014: The University of Maryland was hit in mid-February by a cyberattack that exposed personal information of students, staff and faculty. American Express (AXP) discovered a data breach in March that exposed names and account numbers for roughly 76,000 customers. That same month, Sally Beauty shared that hackers had broken into the supplier’s network, stealing the payment data of up to 25,000 customers. Q2C2014 In March, the IRS reported that an unencrypted flash drive was plugged into an unsecured network, potentially leaking personal information for 20,000 IRS employees. In April, Michaels Stores (MIK) confirmed that its systems had been hit with a malware attack that affected as many as 2.6 million customers’ cards. That same month, AOL (AOL) discovered that “unauthorized access” to user account information was the cause of a sudden uptick in spam attacks. At the end of June, Butler University discovered that an attack from 2013 had exposed personal information for students, faculty, staff, alumni and even past applicants. Q3C2014: In July, Yahoo (YHOO) reported that 453,000 user names and passwords had been compromised in a data breach. UPS discovered in August that a malware attack had put names, addresses and payment information at risk for customers at some of its locations. In August, JPMorgan Chase yielded customer data in a large-scale attack that targeted major financial institutions. JP Morgan Chase confirmed that 76 million households and 7 million small businesses were impacted in a data breach in June and July. Customers who use, JPMorganOnline, Chase Mobile or JPMorgan Mobile may have had their contact information accessed, including names, addresses, phone numbers and address. Unlike in many breaches, JP Morgan Chase said customers don’t need to change passwords, monitor their credit, or get new credit cards, but the bank has warned customers to be wary of phishing attempts following the breach. Q4C2014: In the latest cyber attack on American retailers and restaurants, both Kmart and Dairy Queen said their computer systems were compromised in security intrusions involving customers’ credit and debit card information. Dairy Queen confirmed that malware installed on cash registers at some 395 stores resulted in the theft of customer credit and debit card information. And, just recently in November, the USPS announced in a statement that it recently fell victim to a “cyber intrusion incident” and that it was working with the Federal Bureau of Investigation (F.B.I.) to learn more about the attack. Roughly 800,000 employees were affected by the breach. Their names, dates of birth, Social Security numbers, addresses, emergency contact information and beginning and ending dates of employment may have been leaked as a result of the incident, according to the USPS. These are only some of the high-profile data breaches, part of a much larger group. According to the Identity Theft Resource Center, there have been over 600 data breaches so far this year, with over 81M exposed records. The impact on business is typically 3-fold. Clients will either stop giving business to or place less trust in the vendor/ institution. Typically, the victim organizations have to hire a 3rd party vendor or the government will step in to do forensics on their environment to find out what happened. (3) IT lost productivity because all servers and POS systems have to be checked, updated and cleaned. Sources: 1. 2. 3. 4. 5. 6. Q3 Q4 © 2015 Infoblox Inc. All Rights Reserved.

16 Protection Best Practices
© 2015 Infoblox Inc. All Rights Reserved.

17 Advanced DNS Protection
Help Is On The Way! DNSSEC Collaboration Dedicated Appliances RPZ Monitoring Advanced DNS Protection © 2015 Infoblox Inc. All Rights Reserved.

18 Get the Teams Talking – Questions to Ask:
Who in your organization is responsible for DNS Security? What methods, procedures, tools do you have in place to detect and mitigate DNS attacks? Would you know if an attack was happening? Would you know how to stop it? Network Team Security Team IT Apps Team IT OPS Team In recent surveys, it turns out that there is no clear ownership of DNS security – mostly due to lack of awareness. The security teams see DNS as the Networking team’s responsibility, but networking teams are often looking to security teams for risk mitigation. Unclear roles and responsibilities cause the first layer of vulnerabilities… © 2015 Infoblox Inc. All Rights Reserved.

19 Hardened DNS Appliances
Conventional Server Approach Hardened Appliance Approach Limited Port Access Update Service Secure Access Multiple Open Ports Using a Conventional Server Approach means that there are a lot of open ports, there are a lot of other services running. If you run your DNS on an off the shelf server with other things running on it, you are basically being exposed to multiple attack surfaces. And a lot of times users in these conventional server approaches have multiple OS level privileges. A lot of these users have admin level privileges which means that they can inadvertently cause some configuration changes which might result in a security breach. And, a lot of times manual updates, security patches if you need to apply them to the DNS server or DNS appliance, it’s pretty time consuming. It can result in maintenance windows or restarting the DNS services, and so on. With a Hardened Appliance Approach, there is dedicated hardware that’s built with security in mind. It has no additional, unnecessary open ports. It only has ports necessary for DNS services to function. Everybody does not get admin level privileges. You have restricted access to the OS. There is encrypted device to device communication. Ports: Port 53 – Domain Name System (DNS) Port 25 – Simple Mail Transfer Protocol (SMTP) -- Port 80 – HTTP -- Web Port 110 – Post Office Protocol (POP3) Port 1503 – Windows Live Messenger Port 1801 – Microsoft Messaging Dedicated hardware with no extraneous ports open for attack. No association with enterprise domain logins or passwords, only admin login rights, no user rights even available Immediate updates to new security threats. Encryption based transactions to manage appliance. Dedicated hardware with no unnecessary logical or physical ports No OS-level user accounts—only admin accts Immediate updates to new security threats Secure HTTPS-based access to device management No SSH or root-shell access Encrypted device-to-device communication Many open ports are subject to attack Users have OS-level account privileges on server Requires time-consuming manual updates © 2015 Infoblox Inc. All Rights Reserved.

20 Advanced DNS Protection
Amplification Cache Poisoning Legitimate Traffic Reconnaissance DNS Exploits Automatic updates Updated Threat-Intelligence Server Advanced DNS Protection (External DNS) Rules distribution Advanced DNS Protection (Internal DNS) Data for Reports The Adv Appliance can sit on the Grid. Now let’s see the Advanced DNS Protection in action. Regular GRID appliances like the GRID master and the reporting server sit on the GRID Let’s assume we have two Advanced Appliances, one external authoritative and the other functioning as an internal recursive server. DNS attacks come interspersed with legitimate DNS traffic at the external authoritative server. Advanced DNS Protection pre-processes the requests to filter out attacks It responds to legitimate DNS requests The attack types and patterns are sent to Infoblox Reporting server When Infoblox detects new threats, it creates rules and updates the Advanced Appliance. The rule updates are propagated to other Advanced Appliances on the Grid. Reporting Server Reports on attack types, severity © 2015 Infoblox Inc. All Rights Reserved.

21 Response Policy Zones - RPZ
Blocking Responses from Malicious Domains 1 An infected device brought into the office. Malware spreads to other devices on network. 4 Malicious domains Reputational Feed: IPs, Domains, etc. of Bad Servers 2 Malware makes a DNS query to find “home” (botnet / C&C). DNS Server looks at the DNS response and blocks the connection to the malicious domain. 2 Internet DNS Server with RPZ capability Intranet Malware / APT Blocked communication attempt sent to Syslog Query to malicious domain logged; security teams can now identify requesting endpoint and attempt remediation 3 Response Policy Zones can be used to detect and block infected devices inside the network from calling ‘home’ to malicious destinations, such as C&C servers and botnets. How does this work? 1. First, an infected mobile device is brought into the office. Upon connection, the malware starts to spread to other devices on the network. 2. The malware makes a DNS query for “bad” domain to find “home.” The RPZ knows about the “bad” domain and the DNS Server blocks the connection. 3. The blocked communication attempt /endpoint query will be logged so that security teams can identify the endpoint and attempt remediation. 4. DNS Server is continually updated by a reputational data feed service to reflect the rapidly changing list of malicious domains. The reputation feeds may be available directly from the vendor, possibly from technology alliance partners and/or may also be customer selected and integrated. 1 3 2 RPZ regularly updated with malicious domain data using available reputational feeds 4 Malware / APT spreads within network; Calls home © 2015 Infoblox Inc. All Rights Reserved.

22 Take the DNS Security Risk Assessment
Analyzes your organization’s DNS setup to assess level of risk of exposure to DNS threats Provides DNS Security Risk Score and analysis based on answers given This is a Security Risk Assessment you can take at any time. It’s on the external web site and customers such as Pep Boys, Twitter, and K-Mart have run assessments. Some major observations about customers in this context: Most don’t perform any security analysis on DNS traffic No team or person chartered with looking specifically at DNS security For those with on-premise external DNS servers they don’t have knowledge of how to handle DNS-based DDoS attacks Most of them use conventional DNS services (Microsoft or BIND) Possibly other services running on them Lots of open ports (security risks) Higher score = higher DNS security risk!! © 2015 Infoblox Inc. All Rights Reserved.

23 Try DNS Firewall Virtual Evaluation
Use DNS to Find Malware/APT Lurking in Your Network If you go to there is a 100% virtual DNS firewall that you can download. You don’t need Infoblox boxes for that. It runs on VMware infrastructure, it’s 100% virtual and it is non-disruptive for the production network. So what I mean by that is it does not fit inline on your production traffic. There are two options available for the virtual evaluation: Option 1 - Mirroring DNS traffic to DNS Firewall using span port: This option can analyze real time DNS traffic and detect any malicious activity. This option requires some configuration steps for port mirroring. Option 2 – Standalone DNS Firewall evaluation: This option allows you to upload pcap files or DNS log files for analysis. DNS Firewall will analyze these files and report on any malicious activity. This option doesn’t require any port mirroring configuration. In both options, the DNS Firewall can tell you through reports if there is any malicious activity going on. It is a 60 day trial and with the reports, you can quickly see (on your real-time DNS traffic) if there is any malicious communications going to known bad destinations. It also provides a list of top infected clients. It is a really easy way for you to try out the product. Two options: Port Span and Standalone No hardware (100% virtual) Non-disruptive to production network 60-day trial See Malware/APT activity with reports © 2015 Infoblox Inc. All Rights Reserved.

24 Call to Action DNS security vulnerabilities pose a significant threat
Raise the awareness of DNS and DNS security vulnerabilities in your organization There are many resources available to help Seek help if needed to protect DNS Talk to Infoblox DNS security vulnerabilities pose a significant threat Raise the awareness of DNS and DNS security vulnerabilities in your organization There are many resources available to help Seek help if needed to protect DNS Talk to Infoblox © 2015 Infoblox Inc. All Rights Reserved.

25 Infoblox Overview Founded in 1999
Headquartered in Santa Clara, CA with global operations in 25 countries Total Revenue (Fiscal Year Ending July 31) Leader in technology for network control 32% CAGR Market leadership DDI market leader (Gartner) 50% DDI market share (IDC) $MM 7,000+ customers 74,000+ systems shipped to 100 countries Infoblox is not a start-up. The company was started more than a dozen years ago – our technology is mature and field proven The company HQ is in the heart of Silicon Valley with global operations in all major geographies – We do business in 3 regions (Americas, EMEA, APJ) We have sales, support and development operations in 25 countries and we do business in over 70 countries around the world Infoblox makes essential technology to control networks We are a market leader in the space that we serve – with Strong Positive ratings from Gartner (3 years in a row) and 50% market share (Note: Gartner Market Scope and market share stat is specific to DDI) Infoblox has a massive customer base – our latest count is over 7,000 companies- we have shipped 74,000 systems We are innovative, with a formal patent program for our employees. As of right now we own 45 patents and 27 more pending Last but not least – the company did a successful IPO in April We now share our financial results publicly – which can be seen on the right. We have had revenue growth with a CAGR of 32% up through our last fiscal year 2014 that ended July 31st. 45 patents, 27 pending IPO April 2012: NYSE BLOX © 2015 Infoblox Inc. All Rights Reserved.

26 Worldwide DDI Market Share – 2013
IT Analyst Validation Worldwide DDI Market Share – 2013 Gartner: “usage of a commercial DDI solution can reduce (network) OPEX by 50% or more.” IDC: Infoblox is the only major DDI vendor to gain market share over the past three years. Gartner: “Infoblox is the DDI market leader in terms of mainstream brand awareness.” © 2015 Infoblox Inc. All Rights Reserved.

27 © 2015 Infoblox Inc. All Rights Reserved.

Download ppt "Domain Name System (DNS) Network Security Asset or Achilles Heel?"

Similar presentations

Ads by Google