
Securing DNS Infrastructure

Securing DNS Infrastructure. Srikrupa Srivatsan | Senior Product Marketing Manager. August 2014. Agenda: Infoblox Overview; DNS Security Challenges (Securing the DNS Platform, Defending Against DNS Attacks, Malware/APT Exploits of DNS); Infoblox Secure DNS Solution; About Infoblox.


Presentation Transcript


  1. Securing DNS Infrastructure Srikrupa Srivatsan | Senior Product Marketing Manager August 2014

  2. Agenda Infoblox Overview DNS Security Challenges Securing the DNS Platform Defending Against DNS Attacks Malware/APT Exploits of DNS Infoblox Secure DNS Solution

  3. About Infoblox
  • Founded in 1999; headquartered in Santa Clara, CA, with global operations in 25 countries
  • Leader in technology for network control: DDI market leader (Gartner), 50% DDI market share (IDC)
  • 7,300+ customers; 74,000+ systems shipped to 100 countries
  • 45 patents, 27 pending
  • IPO April 2012: NYSE BLOX
  • (Chart: total revenue in $MM by fiscal year ending July 31, 30% CAGR)

  4. Infoblox: Technology for Network Control
  (Architecture diagram, top to bottom)
  • Apps & end-points: applications, virtual machines, private cloud, end points
  • Control plane: Infoblox Grid with real-time network database; essential network control functions: DNS, DHCP, IPAM (DDI), discovery, real-time configuration & change, compliance; infrastructure security; historical/real-time reporting & control
  • Network infrastructure: load balancers, web proxy, firewalls, switches, routers

  5. Why is DNS an Ideal Target?
  • DNS is the cornerstone of the Internet, used by every business and government
  • DNS outage = business downtime
  • DNS as a protocol is easy to exploit: queries travel over unauthenticated UDP, source addresses can be spoofed, and a small query can elicit a large answer
  • Traditional protection is ineffective against evolving threats

  6. DNS Security Challenges: (1) Securing the DNS Platform; (2) Defending Against DNS Attacks; (3) Preventing Malware from Using DNS

  7. Securing the DNS Platform

  8. Hacks of DNS – 2013 & 2014

  9. Security Risks with the Conventional Approach: DNS installed on an off-the-shelf server
  • Multiple open ports, each a potential path for attack
  • Users have OS-level account privileges on the server
  • No visibility into good vs. bad traffic
  • Requires time-consuming manual updates
  • Requires multiple applications for device management

  10. Secure DNS: Purpose-Built Appliance and OS
  • Minimal attack surface
  • Active/Active HA and DR recovery
  • Common Criteria certification
  • FIPS 140-2 compliance
  • Encrypted inter-appliance communication
  • Centralized management with role-based access control
  • Secured access, communication and API
  • Detailed audit logging
  • Fast, easy upgrades

  11. Defending Against DNS Attacks

  12. The Rising Tide of DNS Threats
  • In the last year alone there has been a 200% increase in DNS attacks (1)
  • With possible amplification of up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge
  • 28M–33M open recursive DNS servers (2) pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks
  • With enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant
  • Financial impact is huge: $27 million is the average loss for a 24-hour outage from a DDoS attack (3); average estimated loss per DDoS event in 2012: technology company $7.7M, government $13.6M, financial services $17M (3)
  • Top industries targeted (4): enterprise, high tech, commerce, public sector, financial services, media & entertainment, business services, retail, consumer goods, healthcare, hotels, automotive, miscellaneous
  Sources: 1. Quarterly Global DDoS Attack Report, Prolexic, 4th Quarter 2013. 2. www.openresolverproject.org. 3. Develop A Two-Phased DDoS Mitigation Strategy, Forrester Research, Inc., May 17, 2013. 4. State of the Internet, Akamai, 2nd Quarter 2013.

  13. Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
  How the attack works: it combines reflection and amplification, using third-party open resolvers on the Internet as unwitting accomplices.
  • The attacker sends queries to open recursive servers with the source address spoofed to the victim's address
  • The queries are specially crafted to result in a very large response
  • The open resolvers send the amplified responses to the spoofed source, i.e. the target victim
  • The combined reflected traffic causes a DDoS on the victim's server
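The two numbers that make this attack work are the size of the attacker's query and the size of the answer the open resolver sends to the spoofed source. The following Python is an added example, not code from the presentation or from Infoblox: it builds a DNS query and a matching response in wire format with the standard library only, and computes the amplification factor. The zone content (15 long TXT records plus 8 A records answering an ANY query) and the name example.com are constructed for the example; the 512-byte and 4096-byte UDP limits are the plain-DNS default and the EDNS0 buffer size that amplification attacks typically advertise.

```python
import struct

DNS_TYPE_A, DNS_TYPE_TXT, DNS_TYPE_OPT, DNS_TYPE_ANY = 1, 16, 41, 255


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0x1234, edns_size: int = 4096) -> bytes:
    """Standard recursive query. edns_size=0 omits the OPT record (plain 512-byte DNS)."""
    arcount = 1 if edns_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD set
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)       # class IN
    if edns_size:
        # OPT pseudo-RR: root name, type 41, CLASS field = requestor's UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_size, 0, 0)
    return msg


def advertised_udp_size(query: bytes) -> int:
    """UDP payload size the querier advertised via EDNS0, or 512 if there is no OPT record."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return 512
    opt = query.index(b"\x00", 12) + 1 + 4 + 1        # end of question, then skip the root name
    rtype, size = struct.unpack("!HH", query[opt:opt + 4])
    return size if rtype == DNS_TYPE_OPT else 512


def build_response(query: bytes, answers: list) -> bytes:
    """Answer the query with (type, rdata) records, echoing the question and any OPT record."""
    txid, _, qdcount, _, _, arcount = struct.unpack("!HHHHHH", query[:12])
    qend = query.index(b"\x00", 12) + 1 + 4
    msg = struct.pack("!HHHHHH", txid, 0x8180, qdcount, len(answers), 0, arcount)
    msg += query[12:qend]
    for rtype, rdata in answers:
        # 0xC00C is a compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    if arcount:
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, 4096, 0, 0)
    return msg


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the resolver sends toward the (spoofed) source per byte the attacker sent."""
    sent = min(len(response), advertised_udp_size(query))  # larger answers are truncated over UDP
    return sent / len(query)


def zone_with_fat_records() -> list:
    """Constructed zone content: 15 long TXT records plus 8 A records, as returned for ANY."""
    txt = ("v=spf1 " + "ip4:203.0.113.0/24 " * 10).ljust(200)[:200].encode("ascii")
    records = [(DNS_TYPE_TXT, bytes([len(txt)]) + txt)] * 15
    records += [(DNS_TYPE_A, bytes([192, 0, 2, i])) for i in range(1, 9)]
    return records


def demo() -> tuple:
    """Amplification for an ANY query with and without EDNS0 against the constructed zone."""
    records = zone_with_fat_records()
    with_edns = build_query("example.com", DNS_TYPE_ANY)                   # 40-byte query
    without_edns = build_query("example.com", DNS_TYPE_ANY, edns_size=0)   # 29-byte query
    return (amplification_factor(with_edns, build_response(with_edns, records)),
            amplification_factor(without_edns, build_response(without_edns, records)))


if __name__ == "__main__":
    edns, plain = demo()
    print(f"ANY + EDNS0(4096): {edns:.1f}x   ANY without EDNS0: {plain:.1f}x")
```

The constructed case gives roughly 84x with EDNS0 and under 18x without it, which is why the attacker advertises a large buffer and why refusing ANY over UDP, limiting the EDNS0 buffer, and response rate limiting on the resolver each cut the factor; none of them fixes the root cause, which is that the Internet still forwards packets with spoofed source addresses.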

  14. DNS Protection is Not Just About DDoS
  Volumetric/DDoS attacks:
  • DNS reflection/DrDoS attacks: using third-party DNS servers (mostly open resolvers) to propagate a DoS or DDoS attack
  • DNS amplification: using a specially crafted query to create an amplified response that floods the victim with traffic
  • TCP/UDP/ICMP floods: denial of service at layer 3 or 4, bringing a network or service down by flooding it with large amounts of traffic
  DNS-specific exploits:
  • DNS-based exploits: attacks that exploit bugs or vulnerabilities in the DNS software
  • DNS cache poisoning: corruption of DNS server cache data with a rogue domain or IP
  • Protocol anomalies: causing the server to crash by sending malformed DNS packets and queries
  • Reconnaissance: attempts by attackers to get information on the network environment before launching a DDoS or other type of attack
  • DNS tunneling: tunneling another protocol through DNS port 53 for malware insertion and/or data exfiltration
  • DNS hijacking: modifying DNS record settings to point to a rogue DNS server or domain
  • NXDOMAIN attack: flooding the DNS server with requests for non-existent domains, forcing it to send NXDOMAIN (non-existent domain) responses
  • Phantom domain attack: forcing a DNS resolver to resolve names in multiple domains whose authoritative servers never respond, so the resolver consumes resources while waiting for answers
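Several rows of this list leave a signature in an ordinary resolver query log: amplification probes show up as bursts of ANY queries, NXDOMAIN floods as large numbers of distinct random labels under one zone, and tunneling as long, high-entropy names looked up with TXT/NULL/CNAME. The following Python is an added example, not part of the presentation or of any Infoblox product: it runs three such detections over a constructed log. The log format is a simplified BIND-style "client ip#port: query: name IN type" line, the thresholds are arbitrary starting points, and the "registered zone" guess (last two labels) is a placeholder for a public-suffix-list lookup.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict

# Simplified BIND-style query-log line (constructed format for this example):
#   <timestamp> client <ip>#<port>: query: <qname> IN <qtype> <flags> (<server-ip>)
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, dictionary words score low."""
    counts = Counter(s.lower())
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def registered_zone(qname: str) -> str:
    """Crude owner-zone guess (last two labels); production code should use the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def parse(lines):
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype").upper()


def analyze(lines, any_threshold=5, subdomain_threshold=20, tunnel_threshold=3) -> dict:
    any_by_ip, tunnel_by_ip = Counter(), Counter()
    subs_by_zone = defaultdict(set)
    for ip, qname, qtype in parse(lines):
        # 1. Amplification/reflection: bursts of ANY queries. The "client" is usually the spoofed
        #    victim, so the right response is rate limiting, not blocking that address.
        if qtype == "ANY":
            any_by_ip[ip] += 1
        # 2. NXDOMAIN / random-subdomain flood: many distinct labels under one zone.
        zone = registered_zone(qname)
        sub = qname[:-len(zone)].rstrip(".")
        if sub:
            subs_by_zone[zone].add(sub)
        # 3. Tunneling: long, high-entropy first label carrying data in TXT/NULL/CNAME lookups.
        first = qname.split(".")[0]
        if len(qname) > 60 and qtype in ("TXT", "NULL", "CNAME") and shannon_entropy(first) > 3.0:
            tunnel_by_ip[ip] += 1
    return {
        "amplification_probe": {ip: n for ip, n in any_by_ip.items() if n >= any_threshold},
        "random_subdomain_flood": {z: len(s) for z, s in subs_by_zone.items() if len(s) >= subdomain_threshold},
        "dns_tunnel": {ip: n for ip, n in tunnel_by_ip.items() if n >= tunnel_threshold},
    }


def _hexlabel(seed: int, length: int) -> str:
    """Deterministic random-looking label for the constructed sample log."""
    return hashlib.sha256(f"seed{seed}".encode()).hexdigest()[:length]


# Constructed sample log: 8 ANY queries arriving from one (spoofed) source, 25 random
# subdomains of example.net, 6 data-carrying TXT lookups from one host, and two normal queries.
SAMPLE_LOG = (
    [f"12-Aug-2014 10:00:{i:02d}.000 client 203.0.113.77#{40000 + i}: query: isc.org IN ANY +E (192.0.2.53)"
     for i in range(8)]
    + [f"12-Aug-2014 10:01:{i:02d}.000 client 198.51.100.{10 + i % 5}#33333: query: "
       f"{_hexlabel(i, 12)}.example.net IN A + (192.0.2.53)" for i in range(25)]
    + [f"12-Aug-2014 10:02:{i:02d}.000 client 10.0.0.5#5555: query: "
       f"{_hexlabel(100 + i, 52)}.t.example.org IN TXT + (192.0.2.53)" for i in range(6)]
    + ["12-Aug-2014 10:03:00.000 client 10.0.0.8#5556: query: www.example.com IN A + (192.0.2.53)",
       "12-Aug-2014 10:03:01.000 client 10.0.0.9#5557: query: mail.example.com IN MX + (192.0.2.53)"]
)

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

Two caveats a practitioner would add: in the amplification case the source address belongs to the victim, so the finding drives rate limiting and a check that the server should be recursing for that address at all, not a blocklist entry; and the tunneling and random-subdomain rules will fire on legitimate traffic such as anti-spam lookups and CDN hostnames, so they belong in a reporting pipeline with whitelisting before they drive any blocking.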

  15. Defend Against Attacks
  (Diagram) Advanced DNS Protection on the external DNS and on the internal DNS drops DNS exploits, reconnaissance, amplification and cache poisoning traffic while passing legitimate traffic. The Infoblox Threat-rule Server supplies automatic updates (Threat Adapt) with Grid-wide rule distribution; attack data is sent to the Reporting Server, which reports on attack types and severity.

  16. Deployment Options: External
  (Diagram) Internet → Advanced DNS Protection appliances in the DMZ serving external DNS, where amplification, cache poisoning, reconnaissance and exploit traffic is dropped and legitimate traffic is passed → Intranet, with the Grid Master and Grid Master Candidate (HA) in the datacenter and campus/regional sites behind them.

  17. Deployment Options: Internal
  (Diagram) Advanced DNS Protection appliances serving internal DNS in the datacenter and at campus/regional sites, with the Grid Master and Grid Master Candidate (HA) in the datacenter; exploit and amplification traffic from endpoints is dropped and legitimate traffic is passed.

  18. Preventing Malware from using DNS

  19. Security Breaches Using Malware / APT (timeline of incidents by quarter, Q1–Q4, 2013 and 2014)

  20. Real World Example: Cryptolocker "Ransomware"
  • Targets Windows-based computers
  • Appears as an attachment to a legitimate-looking email
  • Upon infection, encrypts files on the local hard drive and on mapped network drives
  • Ransom: 72 hours to pay $300 US
  • Fail to pay and the encryption key is deleted and the data is gone forever
  • Once the executable has started, the only way to stop it is to block the outbound connection to the server that holds the encryption key

  21. Anatomy of an Attack: GameOver Zeus (GOZ)
  • 500,000 to 1M infections worldwide
  • Top countries affected: US (13%), Italy (12%), UAE (8%)
  • Top industry targeted: financial services
  • Highly sophisticated and hard to track
  • Uses peer-to-peer (P2P) communication to control the infected devices (the botnet)
  • Upon infection, monitors the machine for finance-related information
  • Takes control of private online transactions and diverts funds to criminal accounts
  • Hundreds of millions of dollars stolen
  • Responsible for distribution of Cryptolocker
  • Infected systems can be used for DDoS attacks

  22. Blocking Malware/APT
  (Diagram) Infoblox DDI with DNS Firewall:
  1) An infected device is brought into the office.
  2) Malware/APT spreads to other devices on the network and tries to call home.
  3) The malware makes a DNS query for a malicious domain to find "home" (botnet / C&C).
  4) DNS Firewall blocks the DNS query (by domain name / IP address); the blocked attempt is sent to syslog.
  • Infoblox Reporting lists blocked attempts along with the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease history
  • Reputation data comes from the DNS Firewall Subscription Service and the FireEye Adapter (NX Series)

  23. Malware / APT We Block
  • DGA: domain generating algorithm malware that randomly generates domains to connect to malicious networks or botnets
  • Fast Flux: rapid changing of the domains and IP addresses used by malicious domains to obfuscate identity and location
  • APT / Malware (FireEye): malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack
  • DNS Hijacking: hijacking DNS registries and redirecting users to malicious domains
  • Geo-Blocking: blocking access to geographies that have high rates of malicious domains or are under economic sanctions by the US government
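Slides 22 and 23 describe a DNS firewall as policy applied at the resolver: the question is matched against a domain list, the answer against an IP list and a geography, and a blocked lookup is logged with who asked for what. The following Python is an added example of that policy flow, written for this page; it is not Infoblox code and it uses no real threat feed. The domain and network lists, the IP-to-country table and the country code "XX" are constructed, and the DGA and fast-flux checks are crude heuristics of my own (a product would use reputation data such as the subscription service and FireEye feed the slide names), included to show where such signals plug into the decision.

```python
import ipaddress
import math
from collections import Counter

# Constructed policy data (assumptions for this example, not a real threat feed)
BLOCKED_DOMAINS = {"bad-c2.example", "dga-seed.example"}        # QNAME triggers; subdomains match too
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]     # IP (answer) triggers
GEO_TABLE = {ipaddress.ip_network("198.51.100.0/24"): "XX"}     # constructed IP-to-country table
GEO_BLOCKED = {"XX"}
BLOCK_LOG = []                                                   # stands in for syslog


def log_block(client_ip: str, qname: str, reason: str) -> None:
    """Record who asked, for what, and why it was blocked (the data the reporting slide lists)."""
    BLOCK_LOG.append(f"dns-firewall: action=NXDOMAIN client={client_ip} qname={qname} reason={reason}")


def entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def looks_like_dga(qname: str) -> bool:
    """Crude DGA heuristic: a long, high-entropy, vowel-poor leftmost label. Expect false positives."""
    label = qname.lower().split(".")[0]
    if len(label) < 12:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return entropy(label) >= 3.3 and vowel_ratio < 0.25


def domain_is_blocked(qname: str) -> bool:
    """RPZ-style QNAME match: the name itself or any parent domain on the list."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def country_of(ip) -> str:
    return next((cc for net, cc in GEO_TABLE.items() if ip in net), "")


def check_query(client_ip: str, qname: str) -> tuple:
    """Evaluate the question before recursing; returns (action, reason)."""
    if domain_is_blocked(qname):
        log_block(client_ip, qname, "domain-blocklist")
        return ("block", "domain-blocklist")
    if looks_like_dga(qname):
        log_block(client_ip, qname, "dga-heuristic")
        return ("block", "dga-heuristic")
    return ("allow", None)


def check_answer(client_ip: str, qname: str, answers: list) -> tuple:
    """Evaluate the resolved answer; answers is a list of (ip_string, ttl) pairs."""
    ips = [ipaddress.ip_address(ip) for ip, _ in answers]
    for ip in ips:
        if any(ip in net for net in BLOCKED_NETWORKS):
            log_block(client_ip, qname, "ip-blocklist")
            return ("block", "ip-blocklist")
        if country_of(ip) in GEO_BLOCKED:
            log_block(client_ip, qname, "geo-block")
            return ("block", "geo-block")
    # Fast-flux signal: many distinct addresses behind one name, all with very short TTLs
    if len(set(ips)) >= 5 and all(ttl <= 300 for _, ttl in answers):
        log_block(client_ip, qname, "fast-flux-heuristic")
        return ("block", "fast-flux-heuristic")
    return ("allow", None)


if __name__ == "__main__":
    print(check_query("10.0.0.5", "update.bad-c2.example"))
    print(check_query("10.0.0.5", "xkqlmzrtwpvbnd.com"))
    print(check_answer("10.0.0.5", "cdn.example.org", [("203.0.113.9", 3600)]))
    print(*BLOCK_LOG, sep="\n")
```

Two points follow from the structure. Returning NXDOMAIN (rather than silently dropping) is what makes the block visible to the client and to reporting, and the client IP in the log is only as useful as the DHCP lease history that ties it back to a MAC address and host name, which is why the slide pairs the firewall with DDI data. The heuristic checks should start in log-only mode; a CDN with short TTLs and many addresses looks exactly like fast flux to a rule this simple.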

  24. Take the DNS Security Risk Assessment: it analyzes your organization's DNS setup to assess the level of risk of exposure to DNS threats and provides a DNS Security Risk Score and analysis based on the answers given (higher score = higher DNS security risk). www.infoblox.com/dnssecurityscore

  25. In Review
  • DNS is critical infrastructure
  • Unprotected DNS infrastructure introduces serious security risks
  • The Infoblox Secure DNS Solution protects critical DNS services: the hardened appliance & OS secure the DNS platform; Infoblox Advanced DNS Protection defends against DNS attacks; Infoblox DNS Firewall prevents malware/APT from using DNS

  26. Thank you! For more information: www.infoblox.com
