240 likes | 469 Views
Securing DNS Infrastructure. Steven Barber | Principle Sales Engineer. April 2014. Agenda. Infoblox Overview. DNS Security Challenges. Securing the DNS Platform Defending A gainst DNS Attacks Preventing Malware from using DNS. Securing DNS Infrastructure.
E N D
Securing DNS Infrastructure Steven Barber | Principle Sales Engineer April 2014
Agenda Infoblox Overview DNS Security Challenges Securing the DNS Platform Defending Against DNS Attacks Preventing Malware from using DNS Securing DNS Infrastructure
Infoblox Overview & Business Update Total Revenue (Fiscal Year Ending July 31) Founded in 1999 Headquartered in Santa Clara, CA with global operations in 25 countries ($MM) Leader in technologyfor network control • Market leadership • Gartner “Strong Positive” rating • 40%+ Market Share (DDI) 30% CAGR 6,900+ customers, 64,000+ systems shipped 38patents, 25 pending IPO April 2012: NYSE BLOX
Infoblox : Technology for Network Control Load balancers End points Web proxy firewalls switches routers VIRTUAL MACHINES Private cloud applications APPS & END-POINTS InfrastructureSecurity Historical / Real-time Reporting & Control CONTROL PLANE Infoblox GridTM w/ Real-timeNetwork Database Essential Network Control Functions: DNS, DHCP, IPAM (DDI) Discovery, Real-time Configuration & Change, Compliance NETWORKINFRASTRUCTURE
Why is DNS an Ideal Target? DNS outage = business downtime Traditional protection is ineffective against evolving threats DNS as a Protocol is easy to exploit DNS is the cornerstone of the Internet used by every business/ Government
Today’s DNS Security Challenges Securing the DNS Platform Defending Against DNS Attacks 2 3 1 Preventing Malware from using DNS
Securing DNS Prevents Malware/APT from Using DNS Defend Against DNS Attacks Secure the DNS Platform
Securing DNS Prevents Malware/APT from Using DNS Defend Against DNS Attacks Secure the DNS Platform
Security Risks with Conventional ApproachDNS installed on off-the-shelf server Multiple Open Ports • Many open ports subject to attack • Users have OS-level account privileges on server • No visibility into good vs. bad traffic • Requires time-consuming manual updates • Requires multiple applications for device management
Secure DNS Servers – Hardware / OS / Application • Minimal attack surfaces • Active / Active HA & DR recovery • Fast/easy upgrades • Detailed audit logging • Centralized management with role-based control (No Root Access) • Encrypted Inter-appliance Communication • Secured Access, communication & API
DNSSEC - External DNS Security DNS Root Automatically Implement DNSSEC to mitigate hijacking threats such as the Kaminsky attack Cryptographically signed DNS data Trust Chain 2nd Level Domain nth Level Domain Implementing DNSSEC….. • Central configuration of all DNSSEC parameters • Automated key refresh • Automated maintenance • Automatic maintenance of signed zones
Securing DNS Prevents Malware/APT from Using DNS Defend Against DNS Attacks Secure the DNS Platform
DNS Attacks up 216% ~ 10% of infrastructure attacks targeted DNS ACK: 2.81% ICMP: 9.71% RESET: 1.4% SYN PUSH: 0.38% UDP FRAGMENT: 17.11% TCP FRAGMENT: 0.13% CHARGEN: 6.39% SYN: 14.56% RP: 0.26% FIN PUSH: 1.28% UDP FLOODS: 13.15% DNS: 9.58% Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013 ~ 80% of organizations surveyed experienced application layer attacks on DNS Source: Arbor Networks Survey Respondents
Anatomy of an AttackDistributed Reflection DoS Attack (DrDoS) • Combines Reflection and Amplification • Use third-party open resolvers in the Internet (unwitting accomplice) • Attacker sends small spoofed packets to the open recursive servers, requesting a large amount of data to be sent to the victim’s IP address • Uses multiple such open resolvers, often thousands of servers • Queries specially crafted to result in a very large response • Causes DDoS on the victim’s server How the attack works Internet Open Recursive Servers Spoofed queries Amplified Reflected packets Attacker Target Victim
Protection against attacks Legitimate Traffic Reconnaissance DNS Exploits Legitimate Traffic Legitimate Traffic Amplification Cache Poisoning Legitimate Traffic Automatic updates External DNS Cloud-based Threat-rule Update Service Threat Rule Update Service Internal DNS Data for Reports Reporting Server Reports on attack types, severity
DNS Protection is not Just About DDoS Using third-party DNS servers(open resolvers) to propagate a DOS or DDOS attack DNS reflection/DrDoS attacks Using a specially crafted query to create an amplified response to flood the victim with traffic DNS amplification DNS-based exploits Attacks that exploit vulnerabilities in the DNS software Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic TCP/UDP/ICMP floods DNS cache poisoning Corruption of the DNS cache data with a rogue address Causing the server to crash by sending malformed packets and queries Protocol anomalies Attempts by hackers to get information on the network environment before launching a DDoSor other type of attack Reconnaissance Tunneling of another protocol through DNS for data exfiltration DNS tunneling
Securing DNS Prevents Malware/APT from Using DNS Defend Against DNS Attacks Secure the DNS Platform
Anatomy of an AttackCryptolocker “Ransomware” • Targets Windows-based computers • Appears as an attachment to legitimate looking email • Upon infection, encrypts files: local hard drive & mapped network drives • Ransom: 72 hours to pay $300US • Fail to pay and the encryption key is deleted and data is gone forever • Only way to stop (after executable has started) is to block outbound connection to encryption server
Blocking Malware from using DNS An infected device brought into the office. Malware spreads to other devices on network. Malware Data Feed Service Malicious domains Malware makes a DNS query to find “home.” (botnet / C&C). DNS Server RPZ detects & blocks DNS query to malicious domain IPs, Domains, etc. of Bad Servers 2 1 2 2 3 3 4 4 1 Internet • DNS/DHCP/IPAM : Pinpoint Reporting /Syslogs should be • able to cross correlate the following: • IP address • MAC address • Host name • DHCP lease history Intranet Malware / APT DNS Sever with RPZ Blocked attempt sent to Syslog DNS server RPZ updated every 2 hours with blocking information from reliable service Malware / APT spreads within network; Calls home
Blocking APT from using DNS Detect - FireEye detects APT, alerts are sent to Infoblox. Malicious Domains 1 2 3 3 2 1 Disrupt –DNS Server RPZ with FireEye data disrupts malware DNS communication Internet Intranet Infoblox DDI with DNS Firewall Malware • DNS/DHCP/IPAM: Pinpoint Reporting/Syslogsshould be able to cross correlate the following: • IP address • MAC address • Host name • DHCP lease history Blocked attempt sent to Syslog Alerts FireEye NX Series Endpoint Attempting To Download Infected File FireEye detonates and detects malware
DNS RPZ Protects against….. Rapidly changing of domains & IP addresses by malicious domains to obfuscate identity and location Fast Flux Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long term attack (FireEye) APT / Malware Hacking DNS registry(s) & re-directing users to malicious domain(s) DNS Hacking Blocking access to geographies that have rates of malicious domains or Economic Sanctions by US Government Geo-Blocking
Summary DNS is the cornerstone of the Internet Unprotected DNS infrastructure introduces security risks Securing DNS protects critical DNS services Prevents Malware/APT from Using DNS Defend Against DNS Attacks Secure the DNS Platform