Cyber attacks increasing – keep your domain safe

20th anniversary of .LV
HOSTS: Institute of Mathematics and Computer Science
VENUE: Radisson Blu Daugava Hotel, Riga, Latvia.
19th April 2013.
Paul M Kane, Director, www.CDNS.net
International Conference on DNS and Internet - 19th April 2013, Riga
Thank you to nic.LV
• Inviting me and for working with us.
• Congratulations on 20 reliable years, here’s to the next 20 years.
• For being an active member of the Domain Name System Infrastructure Resilience (DIR) Task Force – www.DIR.ORG
  > With financial support from the European Commission - Directorate-General Justice, Freedom and Security; Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks Programme.
• Cyber-Security is NOT sexy – we’re telling users they are frequently the cause of problems – but being protected is better for them, their employer and wider Internet.
Agenda
• What we do
• Growth of Internet access
• Using compromised devices is an efficient way to gain information, generate revenue or cause disruption.
• How resilient is the Internet
• Compromised devices, attack vectors and Video – watch carefully, see if you can see some of the tricks.
• Why and how do the bad guys use YOU
• Broadband access and speeds
• Vulnerabilities and attack traffic
• A word from our sponsors!
• It is as safe as you make it!
• References
• Any questions.
Real Time Data – 29th Nov 2010
• 12 billion users per day
• 1,869 ISPs host CDNS servers.
• 160,731,688 names on platform
• 636,707 updates on 8th March 2013
• Peaked at 193,000 transactions per second
• Capacity is 855 billion per second!
www.CDNS.net/live_stats.html
CDNS - Server Locations
55 locations, 48 Countries, 24x7x365 NOCs in UK, USA and Japan, monitoring, serving and
blocking malicious traffic for DNS, WEB and other applications
DNS – Reflection attacks
• DDoS increasing
• DNSSEC has much larger payload
• DNS Amplification attacks increasing
• 23rd March 2012: 7.6m queries per sec peak, >2m queries per sec for approx 24 hours
• Genuine traffic <300,000 queries per second
Network monitoring for DNS and more
• Improving cyber-security for customers.
  > Managing Anycast cloud represents approximately 30% of the job and is technically relatively easy.
  > 70% is network monitoring, looking for “bad” guys who seek to change DNS data or introduce anomalies for personal gain.
European Broadband – July 2012
European Commission Communications Committee - Digital Agenda, July 2012
Broadband lines by speed and country
European Commission Communications Committee - Digital Agenda, July 2012
Mobile Broadband - Jan 2009 to July 2012
European Commission Communications Committee - Digital Agenda, July 2012
Year on Year growth - 2011 v 2012
• Attack traffic is increasing dramatically.
European Commission DG INFSO, Unit C4: Economical and Statistical Analysis
Total attack types 2012
European Commission DG INFSO, Unit C4: Economical and Statistical Analysis
Home DSL Router vulnerability test results
• It works!! - leave it alone
  > Majority of home users buy their router and do not install security patches.
  > UK – 19m DSL Routers, 35% compromised, average upstream say 0.5Mbps = DDoS of 3.3Tbps or 3325Gbps
Cyber-espionage - You’ve got mail!
How mail system works….
Message: Broken into Packets, Numbered and dispatched
Receiver: Acknowledge receipt, lost packets are resent, Reassembled in order
Emailing your Bank – DNSSEC helps a bit
2011 Denial of Service Attack Vectors
• UDP is a popular “hook” for initiating attacks, as is SYN – the TCP three-way handshake
2012 Attack vectors
• DNS Attacks almost tripled Q1 2011 to Q1 2013 from 2.35% to 4.67%
Top 10 countries - sources of DDoS attacks
• UK – has almost 19 million home/office Broadband connections.
2011 – Top 10 DDoS source countries.
2012 – Top 10 DDoS source countries.
Compromised Devices by Country
Source: Panda Security
ASN – Most used ASN for DDoS
• Counterfeit software is NOT patched by supplier therefore vulnerable to compromise.
Work - Bad guys “fish, where fish are!”
• In US – 77% of employees use social media during worktime.
• 33% of companies have been infected by malware through social media channel
  > 57% of companies have Policies regulating use
  > 81% have staff dedicated to monitoring and implementing Policies
  > 62% do not allow these sites to be accessed
  > Android smart phones are the new target
37%
Panda Labs Q3 2012 Quarterly Report
Why do they do it - Reason for cyber-crime
Panda Labs Q3 2012 Quarterly Report
How the “bad guys” corrupt systems
Botnets as a Service.
How much to know your competitors?
How Resilient is the Internet?
• Very – BUT …. Progress means things are changing fast……..
  > To keep ahead of the bad-guys, needs careful monitoring
  > Need to check your DNS settings and services regularly
  > Do not rely on the Public Internet, make good use of private VPNs that use IP address (IPv4 and IPv6) rather than just standard “name” resolution.
  > Encrypt private communications – PKI, like PGP etc
  > Periodically check for inconsistencies such as the way staff terminals use the Internet.
  > Smart Phones are now the target, so they need scanning where users interact with social media sites and may download viruses to act as Trojan on home and work networks.
References
• PHP Vulnerability - Injection Attack
  > http://security.radware.com/itsoknoproblembro/
• SOAP Vulnerable Products:
  > https://docs.google.com/spreadsheet/ccc?key=0ApUaRDtAei07dGxkSHN1cEN3V2pmYW4yNkpZMlQ0Rmc#gid=0
• Around 40-50 million network-enabled devices are at risk due to vulnerabilities found in the Universal Plug and Play (UPnP) protocol.
  > UPnP enables devices such as routers, printers, network-attached storage (NAS), media players and smart TVs to communicate with each other.
  > http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf
• Java (again) - turn off Java Runtime Environment
  > https://blogs.oracle.com/security/entry/february_2013_critical_patch_update
Happy Birthday nic.LV!!!
Paul.Kane@CDNS.net
Thank you