Securing DNS Infrastructure. Steven Barber | Principal Sales Engineer, Infoblox. © 2013-2014 Infoblox Inc. All Rights Reserved.

Slide 1: Securing DNS Infrastructure
Steven Barber | Principal Sales Engineer, Infoblox | April 2014

Slide 2: Agenda
Securing DNS Infrastructure:
- Infoblox overview
- DNS security challenges
- 1. Securing the DNS platform
- 2. Defending against DNS attacks
- 3. Preventing malware from using DNS

Slide 3: Infoblox Overview & Business Update
- Founded in 1999; headquartered in Santa Clara, CA, with global operations in 25 countries
- Market leadership: Gartner "Strong Positive" rating; 40%+ market share in DDI (DNS, DHCP, IP address management)
- 6,900+ customers, 64,000+ systems shipped
- 38 patents, 25 pending
- IPO April 2012: NYSE BLOX
- Leader in technology for network control
[Chart: total revenue ($MM) by fiscal year ending July 31, 30% CAGR]

Slide 4: Infoblox: Technology for Network Control
[Diagram: the Infoblox Grid with its real-time network database forms the control plane, providing historical and real-time reporting and control over the network infrastructure (firewalls, switches, routers, web proxies, load balancers) on one side and the apps and endpoints (endpoints, virtual machines, private cloud, applications) on the other]

Slide 5: Why is DNS an Ideal Target?
- DNS is the cornerstone of the Internet, used by every business and government
- DNS as a protocol is easy to exploit: it runs mostly over UDP, so query source addresses can be spoofed, and a small query can elicit a much larger response
- DNS outage = business downtime
- Traditional protection is ineffective against evolving DNS threats

Slide 6: Today's DNS Security Challenges
1. Securing the DNS platform
2. Defending against DNS attacks
3. Preventing malware from using DNS

Slide 7: Securing DNS
The three pillars covered in the rest of the deck:
- Secure the DNS platform
- Defend against DNS attacks
- Prevent malware/APT from using DNS

Slide 8: Securing DNS, part 1: Secure the DNS Platform (section divider)

Slide 9: Hacks of DNS – 2013 & 2014 (image-only slide; no transcript text)

Slide 10: Security Risks with the Conventional Approach
DNS installed on an off-the-shelf server:
- Many open ports subject to attack
- Users have OS-level account privileges on the server
- No visibility into good vs. bad traffic
- Requires time-consuming manual updates
- Requires multiple applications for device management

Slide 11: Secure DNS Servers – Hardware / OS / Application
- Minimal attack surface
- Active/active HA and DR recovery
- Fast, easy upgrades
- Detailed audit logging
- Centralized management with role-based control (no root access)
- Encrypted inter-appliance communication
- Secured access, communication and API

Slide 12: DNSSEC – External DNS Security
- Cryptographically signed DNS data: a chain of trust from the DNS root through the 2nd-level domain down to the nth-level domain
- Implement DNSSEC to mitigate cache-poisoning attacks such as the Kaminsky attack: a forged answer cannot carry a valid signature, so a validating resolver rejects it
- Implementing DNSSEC automatically:
  - Central configuration of all DNSSEC parameters
  - Automated key refresh (rollover)
  - Automated maintenance of signed zones (re-signing before the signatures expire)
- Caveat: signing your zones protects only clients whose resolvers validate; a resolver that does not validate gains nothing from the signatures
[Diagram: trust chain, DNS root -> 2nd-level domain -> nth-level domain]

Slide 13: Securing DNS, part 2: Defend Against DNS Attacks (section divider)

Slide 14: DNS Attacks up 216%
Source: Prolexic Quarterly Global DDoS Attack Report
Infrastructure-layer attack vectors by share of attacks:
- UDP fragment: 17.11%
- SYN: 14.56%
- UDP floods: 13.15%
- ICMP: 9.71%
- DNS: 9.58%
- CHARGEN: 6.39%
- ACK: 2.81%
- RESET: 1.4%
- FIN PUSH: 1.28%
- SYN PUSH: 0.38%
- RP: 0.26%
- TCP fragment: 0.13%
Source: Arbor Networks (survey respondents)
- ~10% of infrastructure attacks targeted DNS
- ~80% of organizations surveyed experienced application-layer attacks on DNS

Slide 15: Anatomy of an Attack – Distributed Reflection DoS (DrDoS)
How the attack works:
- Combines reflection and amplification
- Uses third-party open resolvers on the Internet as unwitting accomplices
- The attacker sends small queries with a spoofed source address (the victim's IP) to the open recursive servers, so the servers deliver their replies to the victim
- Queries are specially crafted to produce a very large response, so a few bytes of query become many bytes of reply
- Uses many such open resolvers, often thousands of servers
- The result is a DDoS on the victim's server
[Diagram: attacker -> spoofed queries -> open recursive servers on the Internet -> amplified, reflected packets -> target/victim]
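To make the slide's "small spoofed packets ... very large response" concrete, the following added example (not code from the deck or from Infoblox) constructs the classic amplification query on the wire (an ANY query with EDNS0 advertising a 4096-byte UDP buffer), constructs a large answer so the amplification factor can be measured, and then runs the same spoofed flood through a simplified model of Response Rate Limiting (RRL), the mitigation built into authoritative servers such as BIND, NSD and Knot. Everything is built in memory; nothing is sent. The names, the victim address 203.0.113.10 and the 200-record answer are assumptions chosen for the demonstration.

```python
# Added example, not from the Infoblox deck: DNS amplification measured on constructed
# packets, and a simplified Response Rate Limiting (RRL) model on the reflector side.
import struct
from collections import defaultdict

OPT_LEN = 11  # root name (1) + TYPE (2) + UDP size (2) + TTL/flags (4) + RDLEN (2)

def _encode_name(qname: str) -> bytes:
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname: str, qtype: int = 255, edns_bufsize: int = 4096) -> bytes:
    """Wire-format query: header, one question (default QTYPE=ANY), one OPT pseudo-RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)    # ID, RD set, QD=1, AR=1
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)   # TYPE=OPT(41), class=bufsize
    return header + question + opt

def build_response(query: bytes, n_records: int, truncated: bool = False) -> bytes:
    """Answer with n_records A records (16 bytes each thanks to name compression) and
    echo the OPT record. truncated=True sets TC and carries no answers, which is what
    an RRL 'slip' sends: no amplification, and a real client simply retries over TCP."""
    question = query[12:-OPT_LEN]
    flags = 0x8180 | (0x0200 if truncated else 0)                 # QR, RD, RA (+TC)
    header = query[:2] + struct.pack("!HHHHH", flags, 1, n_records, 0, 1)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 3600, 4)             # ptr->question name, A, IN, TTL, RDLEN
    answers = b"".join(rr + bytes([192, 0, 2, i % 256]) for i in range(n_records))
    return header + question + answers + query[-OPT_LEN:]

def amplification_factor(query: bytes, response: bytes) -> float:
    return len(response) / len(query)

class ResponseRateLimiter:
    """Per (client /24, qname, qtype) budget of responses per second. Once the budget is
    spent, every `slip`-th excess response is sent truncated and the rest are dropped.
    Real RRL also carries credit across seconds and keys on the response rather than
    the question; this is the simplified form."""
    def __init__(self, responses_per_second: int = 5, slip: int = 2):
        self.rps, self.slip = responses_per_second, slip
        self.balance, self.window, self.excess = {}, {}, defaultdict(int)

    def decide(self, client_ip: str, qname: str, qtype: int, now: float) -> str:
        key = (".".join(client_ip.split(".")[:3]), qname.lower().rstrip("."), qtype)
        sec = int(now)
        if self.window.get(key) != sec:        # new one-second window: refill
            self.window[key], self.balance[key] = sec, self.rps
        if self.balance[key] > 0:
            self.balance[key] -= 1
            return "send"
        self.excess[key] += 1
        return "slip" if self.excess[key] % self.slip == 0 else "drop"

def simulate_reflection(n_queries: int, n_records: int, rps: int = 5, slip: int = 2) -> dict:
    """A spoofed flood: n_queries identical ANY queries claiming to come from the victim,
    all inside one second. Returns what the reflector emits with and without RRL."""
    q = build_query("example.com")
    full, tc = build_response(q, n_records), build_response(q, 0, truncated=True)
    rrl = ResponseRateLimiter(rps, slip)
    stats = {"send": 0, "slip": 0, "drop": 0, "bytes_with_rrl": 0, "bytes_without_rrl": 0}
    for _ in range(n_queries):
        verdict = rrl.decide("203.0.113.10", "example.com", 255, now=0.0)  # 203.0.113.10 = spoofed victim
        stats[verdict] += 1
        stats["bytes_without_rrl"] += len(full)
        stats["bytes_with_rrl"] += {"send": len(full), "slip": len(tc), "drop": 0}[verdict]
    stats["amplification"] = amplification_factor(q, full)
    return stats

if __name__ == "__main__":
    print(simulate_reflection(100, 200))
```

With the constructed 200-record answer, a 40-byte query draws a 3,240-byte reply (factor 81). Against 100 spoofed queries in one second the unlimited reflector sends the victim 324,000 bytes; with RRL at 5 responses per second and slip 2 it sends 5 full answers and 47 truncated ones, about 18 KB, and drops the rest. RRL only protects against your own server being used as a reflector; closing open recursion to the Internet and BCP 38 ingress filtering at the network edge address the other two halves of the problem.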

Slide 16: Protection Against Attacks
[Diagram: external and internal DNS servers receive legitimate traffic alongside amplification, cache-poisoning, reconnaissance and DNS-exploit traffic; a cloud-based threat-rule update service pushes automatic updates to the servers, which send data to a reporting server that reports on attack types and severity]

Slide 17: DNS Protection is not Just About DDoS
- DNS reflection / DrDoS attacks: using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
- DNS amplification: using a specially crafted query to create an amplified response that floods the victim with traffic
- DNS-based exploits: attacks that exploit vulnerabilities in the DNS server software
- TCP/UDP/ICMP floods: denial of service at the network and transport layers, bringing a network or service down by flooding it with large amounts of traffic
- DNS cache poisoning: corruption of the resolver's cached data with a rogue address
- Protocol anomalies: crashing the server by sending malformed packets and queries
- Reconnaissance: attempts by attackers to gather information on the network environment (for example zone transfer or server-version queries) before launching a DDoS or other attack
- DNS tunneling: tunneling another protocol through DNS for data exfiltration or command and control
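Two items in the list above, reconnaissance and DNS tunneling, can be spotted from nothing more than the server's query log. The detector below is an added example (not from the deck or from Infoblox): it reads BIND-style query log lines ("client A.B.C.D#port: query: NAME CLASS TYPE flags (server)"), flags zone-transfer attempts and server-fingerprinting queries as reconnaissance, and scores each (client, domain) pair on the length and entropy of the subdomains it asks for, which is the shape encoded data takes when it is carried in the question name. The log lines, client addresses, domain and thresholds are constructed for the sample, not tuned production values.

```python
# Added example, not from the Infoblox deck: DNS tunneling and reconnaissance detection
# over constructed BIND-style query log lines.
import math
import re
from collections import defaultdict

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")

_B32 = "abcdefghijklmnopqrstuvwxyz234567"
# Six queries whose leftmost label is a 32-character base32-looking blob, the shape of
# encoded data being smuggled in the question section (constructed sample).
_TUNNEL = "\n".join(
    "client 10.1.2.3#%d: query: %s.t.example.test IN TXT - (10.0.0.53)" % (40000 + i, _B32[i:] + _B32[:i])
    for i in range(6))
SAMPLE_LOG = _TUNNEL + """
client 10.1.2.4#51001: query: www.example.test IN A + (10.0.0.53)
client 10.1.2.4#51002: query: mail.example.test IN MX + (10.0.0.53)
client 10.1.2.4#51003: query: cdn.example.test IN A + (10.0.0.53)
client 10.1.2.9#60001: query: version.bind CH TXT + (10.0.0.53)
client 10.1.2.9#60002: query: example.test IN AXFR -T (10.0.0.53)
"""

FINGERPRINT_NAMES = {"version.bind", "hostname.bind", "id.server", "version.server"}

def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname: str):
    """Crude split: the last two labels are the registered domain, the rest is the
    subdomain. A real deployment would use the Public Suffix List here."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]

def analyze(log_text: str, min_distinct: int = 5, min_avg_len: int = 30, min_entropy: float = 4.0) -> dict:
    per_key = defaultdict(list)
    recon = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname, qclass, qtype = m.group("client", "qname", "qclass", "qtype")
        if qtype in ("AXFR", "IXFR"):
            recon.append((client, qname, qtype, "zone transfer attempt"))
        if qclass == "CH" and qname.lower() in FINGERPRINT_NAMES:
            recon.append((client, qname, qtype, "server fingerprinting"))
        domain, sub = split_name(qname)
        per_key[(client, domain)].append((".".join(sub), qtype))
    suspects = []
    for (client, domain), rows in per_key.items():
        subs = [s for s, _ in rows if s]
        if len(set(subs)) < min_distinct:      # a tunnel needs many distinct names; cache hits are useless to it
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        max_ent = max(entropy(s.split(".")[0]) for s in subs)
        txt_share = sum(1 for _, t in rows if t in ("TXT", "NULL", "CNAME")) / len(rows)
        if avg_len >= min_avg_len and max_ent >= min_entropy:
            suspects.append({"client": client, "domain": domain, "queries": len(rows),
                             "avg_subdomain_len": round(avg_len, 1),
                             "max_label_entropy": round(max_ent, 2),
                             "txt_null_share": round(txt_share, 2)})
    return {"tunnel_suspects": suspects, "recon": recon}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, 10.1.2.3 is flagged for example.test (six distinct 34-character subdomains, label entropy 5.0 bits per character, every query TXT), 10.1.2.4's ordinary www/mail/cdn lookups are not, and 10.1.2.9 produces two reconnaissance findings. The TXT/NULL share is reported rather than used as a hard rule because legitimate traffic (SPF, DKIM) is TXT-heavy too; tune the thresholds on your own baseline before paging anyone.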

Slide 18: Deployment Options
[Diagram: two placements. External: the external DNS server in the DMZ faces the Internet and sees legitimate traffic mixed with reconnaissance, amplification, exploits and DNS tunneling. Internal: internal DNS servers in the datacenter and the campus/regional intranet serve endpoints and see legitimate traffic mixed with amplification and cache poisoning.]

Slide 19: Securing DNS, part 3: Prevent Malware/APT from Using DNS (section divider)

Slide 20: Anatomy of an Attack – Cryptolocker "Ransomware"
- Targets Windows-based computers
- Arrives as an attachment to a legitimate-looking e-mail
- Upon infection, encrypts files on the local hard drive and on mapped network drives
- Ransom: 72 hours to pay US$300
- Fail to pay and the encryption key is deleted; the data is gone for good
- Once the executable has started, the remaining control point is its outbound connection to the server that hands out the encryption key: block that connection (the malware locates the server through DNS) and the files are not encrypted

Slide 21: Blocking Malware from Using DNS
1. An infected device is brought into the office.
2. Malware/APT spreads to other devices on the network and calls home: it makes a DNS query to find its botnet / C&C server.
3. The DNS server's Response Policy Zone (RPZ) detects and blocks the query to the malicious domain; the blocked attempt is sent to syslog.
4. The DNS server's RPZ is updated every 2 hours with blocking information (IPs, domains, etc. of bad servers) from a reliable malware data feed service.
DNS/DHCP/IPAM pinpoint reporting and syslogs should be able to cross-correlate the following for each blocked attempt: IP address, MAC address, host name, DHCP lease history.
[Diagram: intranet with infected endpoints and a DNS server with RPZ; Internet with the malicious domains and the malware data feed service]
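Step 4 above is a feed of domains and addresses turning into a zone the DNS server consults before answering. The generator below is an added example and is not code from the deck or from Infoblox's DNS Firewall: it writes that zone in the standard Response Policy Zone syntax (as loaded by BIND's `response-policy` statement and by other RPZ-capable servers), with QNAME triggers for bad domains and their subdomains, rpz-ip triggers for bad address space, and passthru triggers for an allowlist, and it includes a small evaluator that shows how a query name or an answer address matches the triggers. The feed entries, the zone name rpz.local and the walled-garden host are assumptions; only IPv4 rpz-ip triggers are produced, since IPv6 owner names use a different encoding that is not covered here.

```python
# Added example, not from the Infoblox deck or DNS Firewall: generate a Response Policy
# Zone from a threat feed and evaluate queries against it. IPv4 rpz-ip triggers only.
import ipaddress
from typing import Dict, Iterable, Optional

# Server side, for reference (BIND named.conf):
#   response-policy { zone "rpz.local"; };
#   zone "rpz.local" { type master; file "rpz.local.zone"; };

ACTIONS = {
    "NXDOMAIN": "CNAME .",              # say the name does not exist
    "NODATA": "CNAME *.",               # name exists, no records of the requested type
    "PASSTHRU": "CNAME rpz-passthru.",  # exempt this name (allowlist)
    "DROP": "CNAME rpz-drop.",          # answer nothing at all
}

def ip_trigger(cidr: str) -> str:
    """rpz-ip owner name: <prefixlen>.<reversed octets>.rpz-ip (192.0.2.7/32 -> 32.7.2.0.192.rpz-ip)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    octets = str(net.network_address).split(".")
    return "%d.%s.rpz-ip" % (net.prefixlen, ".".join(reversed(octets)))

def build_rpz_zone(origin: str, serial: int, bad_domains: Iterable[str], bad_ips: Iterable[str],
                   allow_domains: Iterable[str] = (), walled_garden: Optional[str] = None) -> str:
    """Zone file text. Bad domains get an exact and a wildcard QNAME trigger so subdomains
    are covered; bad prefixes become response-IP triggers that catch any name resolving
    into that space; walled_garden, if given, redirects instead of returning NXDOMAIN."""
    o = origin.rstrip(".")
    target = ("CNAME %s." % walled_garden.rstrip(".")) if walled_garden else ACTIONS["NXDOMAIN"]
    lines = [
        "$TTL 300",
        "$ORIGIN %s." % o,
        "@ IN SOA ns.%s. hostmaster.%s. %d 3600 600 86400 300" % (o, o, serial),
        "@ IN NS ns.%s." % o,
        "ns IN A 127.0.0.1",  # placeholder so the zone loads cleanly; never queried
    ]
    for name in sorted(set(d.rstrip(".").lower() for d in allow_domains)):
        lines.append("%s %s" % (name, ACTIONS["PASSTHRU"]))
    for name in sorted(set(d.rstrip(".").lower() for d in bad_domains)):
        lines.append("%s %s" % (name, target))
        lines.append("*.%s %s" % (name, target))
    for cidr in sorted(set(bad_ips)):
        lines.append("%s %s" % (ip_trigger(cidr), ACTIONS["DROP"]))
    return "\n".join(lines) + "\n"

def parse_policy(zone_text: str) -> Dict[str, str]:
    """Map trigger owner name -> action label for the records build_rpz_zone writes."""
    inverse = {v: k for k, v in ACTIONS.items()}
    policy = {}
    for line in zone_text.splitlines():
        if not line or line[0] in "$@" or line.startswith("ns "):
            continue
        owner, rdata = line.split(" ", 1)
        policy[owner] = inverse.get(rdata, "REDIRECT:" + rdata.split()[1].rstrip("."))
    return policy

def lookup(policy: Dict[str, str], qname: str) -> Optional[str]:
    """QNAME trigger semantics: an exact trigger wins; otherwise the closest enclosing
    wildcard applies. A PASSTHRU on a specific name exempts it from a wildcard above it."""
    labels = qname.rstrip(".").lower().split(".")
    if ".".join(labels) in policy:
        return policy[".".join(labels)]
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in policy:
            return policy[wild]
    return None

def lookup_ip(policy: Dict[str, str], answer_ip: str) -> Optional[str]:
    """Response-IP trigger: longest prefix whose rpz-ip owner name is in the policy."""
    addr = ipaddress.ip_address(answer_ip)
    for plen in range(32, -1, -1):
        owner = ip_trigger("%s/%d" % (addr, plen))
        if owner in policy:
            return policy[owner]
    return None

if __name__ == "__main__":
    zone = build_rpz_zone("rpz.local", 2014041601, ["evil.test", "c2.bad.test"],
                          ["198.51.100.0/24"], allow_domains=["safe.evil.test"])
    print(zone)
    p = parse_policy(zone)
    print(lookup(p, "dl.cdn.evil.test"), lookup(p, "safe.evil.test"), lookup_ip(p, "198.51.100.77"))
```

Two operational notes: bump the SOA serial on every feed refresh (the slide's two-hour cycle), since slaves and the server's own reload logic key on it, and keep the allowlist in the zone rather than in people's heads, because a wildcard block on a shared hosting domain will otherwise take legitimate names down with it.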

Slide 22: Blocking APT from Using DNS
1. Detect: an endpoint attempts to download an infected file; FireEye NX Series detonates and detects the malware, and alerts are sent to Infoblox.
2. Disrupt: the DNS server's RPZ, populated with the FireEye data, disrupts the malware's DNS communication with its malicious domains (Infoblox DDI with DNS Firewall); the blocked attempt is sent to syslog.
3. Pinpoint: DNS/DHCP/IPAM reporting and syslogs should be able to cross-correlate IP address, MAC address, host name and DHCP lease history.
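The "pinpoint" step on this slide and the previous one is the part most deployments get wrong: a blocked query names an IP address, and on a DHCP network an address is only a pointer to a machine for as long as its lease lasts. The following added example (not code from the deck or from Infoblox's reporting) does the cross-correlation over plain syslog: it joins BIND's RPZ rewrite log lines to ISC dhcpd's DHCPACK lines and attributes each blocked lookup to the lease that was active at the time of the query, not the most recent one, so a reused address does not get the wrong laptop quarantined. The log lines are constructed samples in the two daemons' usual formats; hosts, MACs and addresses are invented, and classic syslog timestamps are assumed to fall within one year.

```python
# Added example, not from the Infoblox deck: correlate RPZ block events (BIND rpz log)
# with DHCP lease events (ISC dhcpd DHCPACK) to pin a blocked lookup to a MAC and host.
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TS = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
DHCPACK_RE = re.compile(TS + r"dhcpd: DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))? via")
RPZ_RE = re.compile(TS + r"named\[\d+\]: client (?P<ip>[\d.]+)#\d+ \((?P<qname>[^)]+)\): "
                         r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite")

# Constructed sample: 10.1.2.3 is leased to LAPTOP-01, makes a blocked lookup, is then
# re-leased to a device that sent no hostname, which makes another blocked lookup.
SAMPLE_SYSLOG = """\
Apr 16 08:55:02 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to 00:11:22:33:44:55 (LAPTOP-01) via eth0
Apr 16 09:30:41 ns1 named[1234]: client 10.1.2.3#51234 (evil.test): rpz QNAME NXDOMAIN rewrite evil.test via evil.test.rpz.local
Apr 16 09:50:10 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to 66:77:88:99:aa:bb via eth0
Apr 16 10:02:07 ns1 named[1234]: client 10.1.2.3#40123 (c2.bad.test): rpz QNAME NXDOMAIN rewrite c2.bad.test via c2.bad.test.rpz.local
Apr 16 10:03:00 ns1 named[1234]: client 10.1.2.7#40555 (www.evil.test): rpz QNAME NXDOMAIN rewrite www.evil.test via *.evil.test.rpz.local
"""

def _ts(s: str) -> datetime:
    # Classic syslog carries no year; ordering within one year is all we need here.
    return datetime.strptime(s.replace("  ", " "), "%b %d %H:%M:%S")

def parse(log_text: str) -> Tuple[List[Dict], List[Dict]]:
    leases, hits = [], []
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if m:
            leases.append({"ts": _ts(m["ts"]), "ip": m["ip"], "mac": m["mac"], "host": m["host"] or ""})
            continue
        m = RPZ_RE.match(line)
        if m:
            hits.append({"ts": _ts(m["ts"]), "ip": m["ip"], "qname": m["qname"],
                         "trigger": m["trigger"], "action": m["action"]})
    return leases, hits

def lease_at(leases: List[Dict], ip: str, when: datetime) -> Optional[Dict]:
    """The most recent DHCPACK for this IP at or before the query time."""
    candidates = [l for l in leases if l["ip"] == ip and l["ts"] <= when]
    return max(candidates, key=lambda l: l["ts"]) if candidates else None

def pinpoint(log_text: str) -> List[Dict]:
    leases, hits = parse(log_text)
    out = []
    for h in sorted(hits, key=lambda h: h["ts"]):
        lease = lease_at(leases, h["ip"], h["ts"])
        out.append({
            "when": h["ts"].strftime("%b %d %H:%M:%S"), "ip": h["ip"],
            "qname": h["qname"], "action": h["action"],
            "mac": lease["mac"] if lease else None,
            "host": (lease["host"] or None) if lease else None,
            "lease_since": lease["ts"].strftime("%b %d %H:%M:%S") if lease else None,
            "note": None if lease else "no DHCP lease seen for this IP: static host or missing lease history",
        })
    return out

if __name__ == "__main__":
    for row in pinpoint(SAMPLE_SYSLOG):
        print(row)
```

On the sample the 09:30 block is attributed to 00:11:22:33:44:55 (LAPTOP-01), the 10:02 block to 66:77:88:99:aa:bb with no hostname (the client sent none, so the MAC is the only reliable handle), and the 10.1.2.7 block gets a note rather than a guess because no lease for it was seen. If the DNS server sits behind a forwarder or a NAT, the client address in the rpz log is the forwarder's, and this correlation has to be done at the first hop that still sees the real source.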

Slide 23: DNS RPZ Protects Against
- Fast flux: rapid changes of the domains and IP addresses behind malicious domains to obfuscate identity and location
- APT / malware: malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (data feed from FireEye)
- DNS hacking: compromise of DNS registries that redirects users to malicious domains
- Geo-blocking: blocking access to geographies with high rates of malicious domains, or under economic sanctions by the US government

Slide 24: Summary
- DNS is the cornerstone of the Internet
- Unprotected DNS infrastructure introduces security risks
- Securing DNS protects critical DNS services:
  - Secure the DNS platform
  - Defend against DNS attacks
  - Prevent malware/APT from using DNS

Slide 25: Thank you! For more information