
Securing DNS Infrastructure
Srikrupa Srivatsan | Senior Product Marketing Manager
August 2014
1 | © 2013 Infoblox Inc. All Rights Reserved.
Agenda
Infoblox Overview
DNS Security Challenges
Securing the DNS Platform
Defending Against DNS Attacks
Malware/APT Exploits of DNS
Infoblox Secure DNS Solution
About Infoblox
• Founded in 1999
• Headquartered in Santa Clara, CA with global operations in 25 countries
• Leader in technology for network control
• Market leadership
– DDI Market Leader (Gartner)
– 50% DDI Market Share (IDC)
• 7,300+ customers
• 74,000+ systems shipped to 100 countries
• 45 patents, 27 pending
• IPO April 2012: NYSE BLOX
[Chart: Total Revenue ($MM), fiscal year ending July 31, FY2007 through FY2013; axis $0 to $250. Bar values shown: $35.0, $56.0, $61.7, $102.2, $132.8, $169.2, $225.0.]
Infoblox : Technology for Network Control
[Diagram: the Infoblox Grid™ with Real-time Network Database forms the control plane between the network infrastructure (firewalls, switches, routers, web proxy, load balancers) and the apps & end-points (virtual machines, private cloud, applications, end points). Labels: Infrastructure Security; Historical / Real-time Reporting & Control.]
Why is DNS an Ideal Target?
• DNS is the cornerstone of the Internet, used by every business/government
• DNS as a protocol is easy to exploit
• Traditional protection is ineffective against evolving threats
• DNS outage = business downtime
DNS Security Challenges
1. Securing the DNS Platform
2. Defending Against DNS Attacks
3. Preventing Malware from using DNS
Securing the DNS Platform
Hacks of DNS – 2013 & 2014
Security Risks with Conventional Approach
DNS installed on off-the-shelf server (multiple open ports)
– Many open ports subject to attack
– Users have OS-level account privileges on server
– No visibility into good vs. bad traffic
– Requires time-consuming manual updates
– Requires multiple applications for device management
Secure DNS - Purpose Built Appliance and OS
• Minimal attack surfaces
• Active/Active HA & DR recovery
• Common Criteria Certification
• FIPS 140-2 Compliance
• Encrypted Inter-appliance Communication
• Centralized management with role-based control
• Secured Access, communication & API
• Detailed audit logging
• Fast/easy upgrades
Defending Against DNS Attacks
The Rising Tide of DNS Threats
[Infographic; the figures and captions it carries are listed below.]
• In the last year alone there has been an increase of 200% in DNS attacks¹ and 58% in DDoS attacks¹
• Number of open recursive DNS servers² (figures shown: 33M and 28M). They pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks². With possible amplification up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge.
• Financial impact is huge: $27 million is the average loss for a 24-hour outage from a DDoS attack³. The chart of average estimated loss per DDoS event in 2012³ shows the values -$13.6M, -$7.7M and -$17M, with sector labels including Technology company and Financial services.
• Top Industries Targeted⁴: Enterprise 42%, Commerce 29%, Media & Entertainment 17%, High Tech 7%, Public Sector 5%
• A second industry breakdown shows Retail 22%, Business Services 21%, Financial Services 13%, Hotels 5%, Miscellaneous 5%, Consumer Goods 2%, Healthcare 2%, Automotive 1% and Government (percentage not shown)
• With enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant
Sources:
1. Develop A Two-Phased DDoS Attack Mitigation Strategy, Forrester Research, Inc., May 17, 2013
2. www.openresolverproject.org
3. Quarterly Global DDoS Report, Prolexic, 4th Quarter, 2013
4. State of the Internet, Akamai, 2nd Quarter, 2013
Anatomy of an Attack
Distributed Reflection DoS Attack (DrDoS)
How the attack works
• Combines reflection and amplification
• Uses third-party open resolvers in the Internet (unwitting accomplice)
• Attacker sends spoofed queries to the open recursive servers
• Uses queries specially crafted to result in a very large response
• Causes DDoS on the victim’s server
[Diagram: Attacker → open resolvers on the Internet → Target Victim]
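The standard server-side defence against the reflection attack just described is response rate limiting (RRL): a resolver that is being used as an unwitting amplifier throttles identical answers towards the same (claimed) source network, and slips some suppressed answers out truncated so that a genuine client retries over TCP, which an attacker cannot spoof. The following is an added example written for this page, not Infoblox code or any product's implementation; the `Query` record, the constructed trace (50 spoofed ANY queries in one second, three normal A queries) and the thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass
class Query:
    """One UDP query as seen by the resolver (constructed sample data)."""
    t_ms: int        # arrival time in milliseconds
    src_ip: str      # claimed source; spoofed to the victim in a DrDoS
    qname: str
    qtype: str
    req_bytes: int   # size of the request packet
    resp_bytes: int  # size of the response the server would send


def amplification_factor(q):
    """Bytes the server would send to the claimed source per byte received."""
    return q.resp_bytes / q.req_bytes


class ResponseRateLimiter:
    """Token bucket per (source /24, qname, qtype): the idea behind RRL.

    Keying on the /24 rather than a single address catches an attacker that
    spoofs addresses across a victim's whole subnet.  When the bucket is
    empty, every `slip`-th suppressed answer is sent truncated (TC=1)
    instead of dropped, so a real client retries over TCP while the
    reflected UDP flood towards the victim is cut off.
    """

    def __init__(self, responses_per_second=5, burst=5, slip=2):
        self.rate = responses_per_second      # refill, tokens per second
        self.capacity = burst * 1000          # balance kept in millitokens
        self.slip = slip
        self.buckets = {}                     # key -> (balance, last_t_ms)
        self.suppressed = defaultdict(int)

    @staticmethod
    def _key(q):
        net = ipaddress.ip_network(f"{q.src_ip}/24", strict=False)
        return (str(net), q.qname.lower(), q.qtype)

    def decide(self, q):
        key = self._key(q)
        balance, last = self.buckets.get(key, (self.capacity, q.t_ms))
        # each elapsed millisecond refills `rate` millitokens, capped at capacity
        balance = min(self.capacity, balance + (q.t_ms - last) * self.rate)
        if balance >= 1000:
            self.buckets[key] = (balance - 1000, q.t_ms)
            return "respond"
        self.buckets[key] = (balance, q.t_ms)
        self.suppressed[key] += 1
        if self.slip and self.suppressed[key] % self.slip == 0:
            return "truncate"
        return "drop"


def sample_traffic():
    """Constructed trace: 50 spoofed ANY queries in one second (every 20 ms)
    claiming to come from the victim 198.51.100.7, plus 3 normal A queries."""
    attack = [Query(20 * i, "198.51.100.7", "example.com", "ANY", 64, 3200)
              for i in range(50)]
    legit = [Query(t, "203.0.113.5", "example.com", "A", 45, 61)
             for t in (0, 500, 1000)]
    return attack + legit


def simulate(queries, **limits):
    """Run the limiter over a trace and count what the server would do."""
    rrl = ResponseRateLimiter(**limits)
    ordered = sorted(queries, key=lambda q: q.t_ms)
    return dict(Counter(rrl.decide(q) for q in ordered))


if __name__ == "__main__":
    trace = sample_traffic()
    print("amplification of the ANY query: %.0fx" % amplification_factor(trace[0]))
    print(simulate(trace))
```

With the defaults, the 3200-byte answer to a 64-byte query is a 50x amplifier; the limiter lets the three legitimate queries through, answers only 9 of the 50 spoofed ones, and turns 20 of the remaining 41 into truncated replies that a real client could follow up over TCP.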
DNS Protection is Not Just About DDoS
Volumetric/DDoS Attacks
• DNS reflection/DrDoS attacks: using third-party DNS servers (mostly open resolvers) to propagate a DoS or DDoS attack
• DNS amplification: using a specially crafted query to create an amplified response to flood the victim with traffic
• TCP/UDP/ICMP floods: denial of service on layer 3 or 4 by bringing a network or service down by flooding it with large amounts of traffic
DNS-specific Exploits
• DNS-based exploits: attacks that exploit bugs or vulnerabilities in the DNS software
• DNS cache poisoning: corruption of DNS server cache data with a rogue domain or IP
• Protocol anomalies: causing the server to crash by sending malformed DNS packets and queries
• Reconnaissance: attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
• DNS tunneling: tunneling of another protocol through DNS port 53 for malware insertion and/or data exfiltration
• DNS hijacking: modifying the DNS record settings to point to a rogue DNS server or domain
• NXDomain attack: attacks that flood the DNS server with requests for non-existent domains, causing it to send NXDomain (non-existent domain) responses
• Phantom domain attack: attacks where a DNS resolver is forced to resolve multiple non-existent domains, causing it to consume resources while waiting for responses
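Three of the categories above (NXDomain attack, DNS tunneling, phantom domain attack) leave characteristic traces in a resolver's query log, which is where a defender without dedicated appliances would first look for them. The following is an added example, not Infoblox code: it parses a constructed, simplified log format (the `client=... q=... type=... rcode=...` syntax is an assumption made for this example, not any product's format), groups queries per client, and flags the three patterns with thresholds that are also assumptions.

```python
import re
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "ts client qname qtype rcode")

# Constructed, simplified resolver log format used only by this example.
LINE = re.compile(r"^(?P<ts>\d+) client=(?P<client>[\d.]+) q=(?P<qname>\S+) "
                  r"type=(?P<qtype>\w+) rcode=(?P<rcode>\w+)$")


def parse(lines):
    """Turn log lines into Records, skipping anything that does not match."""
    out = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            out.append(Record(int(m["ts"]), m["client"],
                              m["qname"].lower().rstrip("."), m["qtype"], m["rcode"]))
    return out


def base_domain(qname):
    """Registrable domain, approximated as the last two labels (a production
    tool would consult the public suffix list instead)."""
    return ".".join(qname.split(".")[-2:])


def analyse(records, nx_min=20, nx_ratio=0.8, tunnel_min_unique=20,
            tunnel_label_len=30, phantom_min=20):
    """Map each client to the attack categories its queries resemble."""
    per_client = defaultdict(list)
    for r in records:
        per_client[r.client].append(r)
    findings = defaultdict(list)
    for client, recs in per_client.items():
        # NXDomain attack: a flood of requests for names that do not exist
        nx = sum(r.rcode == "NXDOMAIN" for r in recs)
        if nx >= nx_min and nx / len(recs) >= nx_ratio:
            findings[client].append("nxdomain-flood")
        # DNS tunneling: many unique, very long first labels under one zone
        by_base = defaultdict(set)
        for r in recs:
            by_base[base_domain(r.qname)].add(r.qname)
        for names in by_base.values():
            long_labels = [n for n in names if len(n.split(".")[0]) >= tunnel_label_len]
            if len(long_labels) >= tunnel_min_unique:
                findings[client].append("dns-tunneling")
                break
        # Phantom domain attack: the resolver is made to wait on many zones that never answer
        silent = {base_domain(r.qname) for r in recs if r.rcode in ("SERVFAIL", "TIMEOUT")}
        if len(silent) >= phantom_min:
            findings[client].append("phantom-domain")
    return {c: sorted(v) for c, v in findings.items()}


def sample_log():
    """Constructed log: one client per attack pattern plus one normal client."""
    lines = []
    t = 1700000000
    for i in range(30):   # NXDomain flood against victim.example
        lines.append(f"{t+i} client=10.0.0.5 q={i:03d}xyz.victim.example type=A rcode=NXDOMAIN")
    lines += [f"{t} client=10.0.0.5 q=www.victim.example type=A rcode=NOERROR"] * 2
    for i in range(25):   # tunneling: encoded payload carried in a 34-character label
        lines.append(f"{t+i} client=10.0.0.6 q={'a'*20}{i:04d}{'b'*10}.tun.example type=TXT rcode=NOERROR")
    for i in range(25):   # phantom domains whose servers never answer
        lines.append(f"{t+i} client=10.0.0.7 q=www.phantom{i}.example type=A rcode=TIMEOUT")
    lines += [f"{t+i} client=10.0.0.8 q=www.example.com type=A rcode=NOERROR" for i in range(10)]
    lines.append(f"{t} client=10.0.0.8 q=wwww.example.com type=A rcode=NXDOMAIN")  # a typo, not an attack
    return lines


if __name__ == "__main__":
    for client, cats in analyse(parse(sample_log())).items():
        print(client, ", ".join(cats))
```

The normal client (10.0.0.8) produces one NXDOMAIN from a typo and is not flagged; the thresholds are what keep the ratio test from firing on ordinary mistakes, and in practice they are tuned per site from a baseline of legitimate traffic.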
Defend Against Attacks
[Diagram: legitimate traffic and attack traffic arrive at Advanced DNS Protection (External DNS) and Advanced DNS Protection (Internal DNS). The Infoblox Threat-rule Server pushes automatic updates (Threat Adapt) to the protection appliances, which send data for reports to the Reporting Server. Reports on attack types, severity.]
Deployment Options
[Diagram, external deployment: Advanced DNS Protection appliances in the DMZ between the Internet and the intranet; Grid Master and Candidate (HA) in the datacenter; campus/regional sites on the intranet.]
Deployment Options
[Diagram, internal deployment: Advanced DNS Protection appliances on the intranet in front of endpoints at the datacenter and campus/regional sites; Grid Master and Candidate (HA) in the datacenter.]
Preventing Malware from using DNS
Security Breaches Using Malware / APT
[Timeline: 2013 Q2, Q3, Q4 and 2014 Q1]
Real World Example
Cryptolocker “Ransomware”
• Targets Windows-based computers
• Appears as an attachment to a legitimate-looking email
• Upon infection, encrypts files on the local hard drive and mapped network drives
• Ransom: 72 hours to pay $300 US
• Fail to pay and the encryption key is deleted and the data is gone forever
• Only way to stop it (after the executable has started) is to block the outbound connection to the encryption server
Anatomy of an Attack
GameOver Zeus (GOZ)
• 500,000 to 1M infections worldwide
• Top countries affected: US (13%), Italy (12%), UAE (8%)
• Top industry targeted: Financial Services
• Highly sophisticated and hard to track
• Uses peer-to-peer (P2P) communication to control infected devices or botnet
• Upon infection, it monitors the machine for finance-related information
• Takes control of private online transactions and diverts funds to criminal accounts
• Hundreds of millions of dollars stolen
• Responsible for distribution of Cryptolocker
• Infected systems can be used for DDoS attacks
Blocking Malware/APT
[Diagram: Infoblox DDI with DNS Firewall; blocked attempts sent to Syslog]
1. An infected device is brought into the office. Malware spreads to other devices on the network.
2. Malware / APT spreads within the network and calls home: it makes a DNS query for a malicious domain to find “home” (botnet / C&C).
3. DNS Firewall blocks the DNS query (by domain name / IP address). The blocked attempt is sent to Syslog.
4. Infoblox Reporting lists blocked attempts as well as the:
• IP address
• MAC address
• Device type (DHCP fingerprint)
• Host name
• DHCP lease history
Reputation data comes from:
• DNS Firewall Subscription Svc
• FireEye Adapter (NX Series)
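Steps 3 and 4 above amount to a policy check on every query, a second check on the addresses in the answer, a syslog record of each block, and enrichment of that record from DHCP lease data so the report can name the device rather than just an IP. The following is an added example written for this page to show that flow end to end; it is not Infoblox DNS Firewall code, and the reputation feed, the lease table, the upstream answers, the `dnsfw` log tag and the field names are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed reputation feed (in a deployment this comes from a subscription
# service or threat adapter, as the slide describes). A listed domain blocks
# itself and every subdomain; a listed network blocks any answer inside it.
BLOCKED_DOMAINS = {"evil-c2.example", "badbot.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed DHCP lease table: ip -> (mac, hostname, DHCP fingerprint)
LEASES = {
    "10.20.0.15": ("00:11:22:33:44:55", "LAPTOP-7F3Q", "Windows 7"),
    "10.20.0.42": ("66:77:88:99:aa:bb", "printer-2", "HP Printer"),
}

# Constructed stand-in for what an upstream resolver would answer
UPSTREAM = {
    "www.example.com": ["93.184.216.34"],
    "cdn.badbot.example": ["203.0.113.9"],
    "update.evil-c2.example": ["203.0.113.77"],
    "innocent-name.example": ["198.51.100.23"],
}


def domain_blocked(qname):
    """True when the name or any parent of it is on the block list."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def answer_blocked(addresses):
    """True when any returned address falls inside a blocked network."""
    return any(ipaddress.ip_address(a) in net
               for a in addresses for net in BLOCKED_NETWORKS)


def syslog_line(client_ip, qname, reason, when=None):
    """RFC 5424-style record: facility local0 (16) and severity notice (5)
    give PRI 16*8+5 = 133. Lease data is joined in so the report can show
    MAC, host name and device type for the offending client."""
    when = when or datetime.now(timezone.utc)
    mac, host, fp = LEASES.get(client_ip, ("unknown", "unknown", "unknown"))
    return (f"<133>1 {when.isoformat()} dnsfw - - - "
            f"action=BLOCK client={client_ip} mac={mac} host=\"{host}\" "
            f"fingerprint=\"{fp}\" qname={qname} reason={reason}")


def resolve(client_ip, qname, log, when=None):
    """Return ('blocked', None) or ('allowed', answers), appending a syslog
    line to `log` for every block. A real RPZ-style firewall would return
    NXDOMAIN or a walled-garden address to the client at this point."""
    if domain_blocked(qname):
        log.append(syslog_line(client_ip, qname, "domain-reputation", when))
        return "blocked", None
    answers = UPSTREAM.get(qname.lower().rstrip("."), [])
    if answer_blocked(answers):
        log.append(syslog_line(client_ip, qname, "ip-reputation", when))
        return "blocked", None
    return "allowed", answers


if __name__ == "__main__":
    events = []
    for client, name in [("10.20.0.15", "www.example.com"),
                         ("10.20.0.15", "update.evil-c2.example."),
                         ("10.20.0.42", "innocent-name.example")]:
        print(client, name, resolve(client, name, events))
    print("\n".join(events))
```

The second check matters for the "by IP address" half of step 3: `innocent-name.example` is not on any domain list, but it resolves into a blocked network, so the answer is suppressed and the event is logged against the printer's lease rather than an anonymous address.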
Malware / APT We Block
• DGA: domain generating algorithm malware that randomly generates domains to connect to malicious networks or botnets
• Fast Flux: rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location
• APT / Malware: malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye)
• DNS Hijacking: hijacking DNS registry(s) & re-directing users to malicious domain(s)
• Geo-Blocking: blocking access to geographies that have high rates of malicious domains or are under economic sanctions by the US Government
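DGA and fast-flux domains, the first two categories above, are the ones a reputation feed can never list exhaustively, so they are usually also caught by behaviour: algorithmically generated names look like random strings, and fast-flux names rotate through many addresses in many networks behind very short TTLs. The following is an added example, not Infoblox code or the method behind its DNS Firewall feeds: a small lexical DGA score and a fast-flux indicator over constructed DNS answer observations. The feature thresholds, the sample names and the `(ttl, [ips])` observation shape are assumptions made for this example.

```python
import ipaddress
import math
from collections import Counter


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """The label left of the public suffix, approximated as the second-to-last
    label (a production tool would use the public suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(domain):
    """Count simple lexical signs of an algorithmically generated name:
    high character entropy, few vowels, a long label, many digits."""
    label = registrable_label(domain)
    score = 0
    if shannon_entropy(label) > 3.5:
        score += 1
    if sum(ch in "aeiou" for ch in label) / len(label) < 0.25:
        score += 1
    if len(label) >= 12:
        score += 1
    if sum(ch.isdigit() for ch in label) / len(label) > 0.2:
        score += 1
    return score


def looks_like_dga(domain, threshold=2):
    """Two or more independent signs is the (assumed) decision rule here."""
    return dga_score(domain) >= threshold


def fast_flux_indicator(observations, max_ttl=300, min_ips=10, min_nets=5):
    """`observations` is a list of (ttl, [ip, ...]) answers seen for one
    domain over time. Fast flux shows as many distinct addresses spread over
    many /16 networks, all served with short TTLs so clients keep rotating."""
    ips, nets = set(), set()
    for _, addrs in observations:
        for a in addrs:
            ips.add(a)
            nets.add(str(ipaddress.ip_network(f"{a}/16", strict=False)))
    low_ttl = all(ttl <= max_ttl for ttl, _ in observations)
    return {"unique_ips": len(ips), "unique_16s": len(nets), "low_ttl": low_ttl,
            "fast_flux": low_ttl and len(ips) >= min_ips and len(nets) >= min_nets}


# Constructed sample data: two ordinary names, one random-looking one
SAMPLE_DOMAINS = ["www.example.com", "microsoft.com", "xk3jq9wpz7lm4vb.example"]
# Six answers for a fluxing name: TTL 60, three fresh addresses per answer,
# each answer in a different /16 (18 addresses over 6 networks in total)
FLUX_OBSERVATIONS = [(60, [f"203.{o}.{i}.10" for i in range(3)]) for o in range(6)]
# Six answers for a stable name: one address, hour-long TTL
STABLE_OBSERVATIONS = [(3600, ["93.184.216.34"])] * 6


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:28} dga_score={dga_score(d)} dga={looks_like_dga(d)}")
    print("flux  ", fast_flux_indicator(FLUX_OBSERVATIONS))
    print("stable", fast_flux_indicator(STABLE_OBSERVATIONS))
```

A lexical score like this is only a first filter: legitimate CDN and tracking hostnames can look random too, which is why it is scored on the registrable label rather than the full name, and why a flagged name is normally confirmed against NXDOMAIN bursts or reputation data before it is blocked.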
Take the DNS Security Risk Assessment
1. Analyzes your organization’s DNS setup to assess the level of risk of exposure to DNS threats
2. Provides a DNS Security Risk Score and analysis based on the answers given
3. www.infoblox.com/dnssecurityscore
Higher score = higher DNS security risk!!
In Review
• DNS is critical infrastructure
• Unprotected DNS infrastructure introduces serious security risks
• Infoblox Secure DNS Solution protects critical DNS services
– Hardened Appliance & OS: Secure the DNS Platform
– Infoblox Advanced DNS Protection: Defend Against DNS Attacks
– Infoblox DNS Firewall: Prevents Malware/APT from Using DNS
Thank you!
For more information
www.infoblox.com