290 likes | 537 Views
Securing External & Internal DNS. Edward O’Connell | Sr. Product Marketing Manager. February 2014. Agenda. Infoblox Overview. Security Challenge. Attacks on DNS Malware / APT. Infoblox Secure DNS Solutions. Infoblox Overview & Business Update. Total Revenue (Fiscal Year Ending July 31).
E N D
Securing External & Internal DNS Edward O’Connell | Sr. Product Marketing Manager February 2014
Agenda Infoblox Overview Security Challenge Attacks on DNS Malware / APT Infoblox Secure DNS Solutions
Infoblox Overview & Business Update Total Revenue (Fiscal Year Ending July 31) Founded in 1999 Headquartered in Santa Clara, CA with global operations in 25 countries ($MM) Leader in technologyfor network control • Market leadership • Gartner “Strong Positive” rating • 40%+ Market Share (DDI) 30% CAGR 6,900+ customers, 55,000+ systems shipped 35 patents, 29 pending IPO April 2012: NYSE BLOX
Infoblox : Technology for Network Control Load balancers End points Web proxy firewalls switches routers VIRTUAL MACHINES Private cloud applications APPS & END-POINTS InfrastructureSecurity Historical / Real-time Reporting & Control CONTROL PLANE Infoblox GridTM w/ Real-timeNetwork Database Essential Network Control Functions: DNS, DHCP, IPAM (DDI) Discovery, Real-time Configuration & Change, Compliance NETWORKINFRASTRUCTURE
DNS – Cornerstone of the Internet DNS not working?!... Your applications won’t work as well…
Another View of DNS…1st 30 seconds of starting up a iPhone…. iTunes App store MAPS Weather startup 12 50 4 7 68* Updating 1 App Check mail Reading a MSG Stocks 16 3 12 3 Facebook Twitter Concur 15 37 10
Why DNS an Ideal Target? Maximum impact with minimum effort Traditional protection is ineffective against evolving threats DNS as a Protocol is easy to exploit DNS is the cornerstone of the Internet used by every business/ Government
Today’s Security Challenges Attacks target DNS to bring down IT infrastructure APT / malware exploits DNS to steal data 2 1
2013 – DNS Threat is Significant • Attacks against DNS infrastructure growing • DNS-specific attacks up 216% in 2013 • ICMP, SYN, UDP attacks ACK: 2.81% ICMP: 9.71% RESET: 1.4% SYN PUSH: 0.38% UDP FRAGMENT: 17.11% TCP FRAGMENT: 0.13% CHARGEN: 6.39% SYN: 14.56% RP: 0.26% FIN PUSH: 1.28% UDP FLOODS: 13.15% DNS: 9.58% Source: Arbor Networks Infrastructure Layer: 76.76% Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013
Security Breaches Using Malware / APT 2014 2013 Q1 Q2 Q3 Q4
Infoblox DNS Attack MitigationAdvanced DNS Protection Unique Detection and Mitigation • Intelligently distinguishes legitimate DNS traffic from attack traffic like DDoS, DNS exploits, tunneling • Mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests Centralized Visibility • Centralized view of all attacks happening across the network through detailed reports • Intelligence needed to take action Ongoing Protection Against Evolving Threats • Regular automatic threat-rule updates based on threat analysis and research • Helps mitigate attacks sooner vs. waiting for patch updates
External DNS - Mitigation of Attacks How does it work? Legitimate Traffic Reconnaissance DNS Exploits Legitimate Traffic Legitimate Traffic Amplification Cache Poisoning Legitimate Traffic New Block DNS attacks Automatic updates Infoblox Threat-rule Server Grid-wide rule distribution Infoblox Advanced DNS Protection (External Auth.) Infoblox Advanced DNS Protection (Internal Recursive) New Data for Reports GRID Master Reporting Server Reports on attack types, severity
Attacks We Protect Against Using third-party DNS servers(open resolvers) to propagate a DOS or DDOS attack DNS reflection/DrDoS attacks Using a specially crafted query to create an amplified response to flood the victim with traffic DNS amplification DNS-based exploits Attacks that exploit vulnerabilities in the DNS software Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic TCP/UDP/ICMP floods DNS cache poisoning Corruption of the DNS cache data with a rogue address Causing the server to crash by sending malformed packets and queries Protocol anomalies Attempts by hackers to get information on the network environment before launching a DDoSor other type of attack Reconnaissance Tunneling of another protocol through DNS for data exfiltration DNS tunneling
Anatomy of an AttackNTP-based DDoS • NTP syncs time between machines on the network; uses UDP over port 123 • Attackers exploit Network Time Protocol (NTP) • Similar to DNS reflection attack - small spoofed packets requesting a large amount of data sent to the victim’s IP address causing DDoS • Attacks spiked in mid-December • 15,000 IP addresses affected • Abuses “monlist” command in older NTP versions. • Advanced DNS Protection ensures that DNS does not participate in NTP attacks How the attack works Internet Servers with older/ misconfigured NTP Spoofed queries Reflected Amplified packets Attacker Target Victim
How Infoblox helps protect against NTP-based attacks Infoblox Advanced DNS ProtectionProtects against being an unwanted accomplice to NTP-based DDoS Reconnaissance followed by NTP-based attacks come interspersed with legitimate traffic. Reconnaissance Legitimate Traffic Legitimate Traffic NTP-based attacks 3 2 1 1 4 2 This rule monitors NTP responses and drops them if the packet rate seems abnormal. Advanced DNS Protection already has a threat-mitigation rule when NTP is enabled. Infoblox Advanced DNS Protection The rule blocks traffic from any source IP address for a specified period of time if it sends more packets than a pre-defined value. Advanced DNS Protection blocks the reconnaissance traffic and NTP-based attack traffic and responds only to legitimate traffic. Reports on attacks 3 Infoblox Threat Rule Server Advanced DNS Protection logs the reconnaissance events and NTP-based attack events to facilitate early detection and mitigation. 4
Infoblox DNS Firewall Intelligent Detection & Protection • Detect and block malware queries for malicious domains and networks • Open architecture for reputation data; integration with FireEye NX Series for APT alerts Centralized Visibility • Detailed view on infected clients • IP & MAC address of infected device • Device Type / Host Name Automatic Threat Updates • Automatic updates to protect against evolving malicious domains and networks
Malware / APT BlockingHow Does it Work? An infected device brought into the office. Malware spreads to other devices on network. Malicious domains Malware makes a DNS query to find “home.” (botnet / C&C) 4 2 3 4 3 2 1 1 DNS Firewall blocks DNS query (by Domain name / IP Address) Malware Infoblox DDI with DNS Firewall • Infoblox Reporting lists blocked attempts as well as the • IP address • MAC address • Device type (DHCP fingerprint) • Host Name • DHCP Lease Blocked attempt sent to Syslog • Reputation data comes from: • DNS Firewall Subscription • FireEye Adapter (NX Series) Calls home via DNS query Malware spreads within network
Securing DNS From Malware / APT Domain generating algorithm malware that randomly generates domains to connect to malicious networks or botnets DGA Rapidly changing of domains & IP addresses by malicious domains to obfuscate identity and location Fast Flux Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long term attack (FireEye) APT / Malware Hijacking DNS registry(s) & re-directing users to malicious domain(s) DNS Hijacking Blocking access to geographies that have rates of malicious domains or Economic Sanctions by US Government Geo-Blocking
DNS Firewall ProtectionCryptolocker “Ransomware” • Targets Windows-based computers • Appears as an attachment to legitimate looking email • Upon infection, encrypts files: local hard drive & mapped network drives • Ransom: 72 hours to pay $300US • Fail to pay and the encryption key is deleted and data is gone forever • Only way to stop (after executable has started) is to block outbound connection to encryption server
Cryptolocker Timeline and Infoblox Response DNS Firewall ProtectionProtects Against Cryptolocker Malware September 13 – Trial Run Initial roll-out of Cryptolocker started. Limited distribution & payment testing. Oct. 8th – Full Distribution via ‘Pay per infection’. 3 4 1 2 1 2 4 3 October 18th - Crypolocker behavior fully characterized. Infoblox DNS Firewall Subscription updated with domains & IP addresses. Customers Protected. Infoblox DDI with DNS Firewall Infoblox DNS Firewall now blocks Crypolocker encryption servers. Syslog DNS Firewall logs all attempted connections with Cryptolocker servers complete with IP and MAC addresses, and device type to drive remediation Infoblox Malware Data Feed Updated Infoblox DNS Firewall Geo-blocks delivered ZERO-day protection against Cryptolocker by blocking Eastern Europe domains
Path toInfection DNS Firewall ProtectionYahoo! Ads iframes Re-direct • Yahoo! Europe websites (Ads) – iframes injection - exploits older Java software • Dec. 27th – Jan. 3rd. 27,000 users/hr. infected over 4+ days. 2.5M+ infected (estimated) • Random Domains / sub-domains resolve to single network. IP: 193.169.245.78 • Installs the following Malware: • ZeuS • Andromeda • Dorkbot/Ngrbot • Advertisement clicking • Tinba/Zusy • Necurs • Secure DNS blocks DNS resolution to IP address of domain server hosting Malware iframes Redirect • blistartoncom.org • slaptonitkons.net • original-filmsonline.com • funnyboobsonline.org • yagerass.org HTTP Redirect • boxsdiscussing.net • crisisreverse.net • limitingbeyond.net • Others • Malware Installed
Yahoo! Ads Re-direction Timeline and Infoblox Response DNS Firewall ProtectionProtects Against Yahoo! Ads iframes Re-direct December 27th – Jan. 3rd Yahoo! Ads infected with iframes Re-direction. Users re-directed to domains where Java is exploited to install malware. 27,000/hr. infected. IP Address for all sub-domains is 193.169.245.78 • IP Address: 193.169.245.78 • Installs various malware: • ZeuS • Andromeda • Dorkbot/Ngrbot • Advertisement clicking • Tinba/Zusy • Necurs 2 2 2 1 1 3 3 193.169.245.78 has been used previously for other attacks. DNS Firewall already has IP address in its table to block. Customers Protected. Infoblox DDI with DNS Firewall DNS Firewall logs all attempted connections with 193.169.245.78 complete with IP and MAC addresses, device type, Host name, DHCP lease history to drive remediation Syslog Infoblox Malware Data Feed Updated Infoblox DNS Firewall Subscription service Geo-blocks delivered ZERO-day protection against Yahoo! Malvertising by blocking Europe domains
Summary • DNS is the cornerstone of the Internet • Unprotected DNS infrastructure introduces security risks • Infoblox Advanced DNS Protection • Protects against DNS-based attacks like DDoS, cache poisoning, malformed packets and tunneling • Infoblox DNS Firewall • Detects & protects against APT / malware-based DNS queries designed to get around traditional security • Pinpoints device to drive faster remediation (using Infoblox DDI)