Domain Name System (DNS)
Network Security Asset or Achilles Heel?
Arya Barirani, VP Product Marketing / Infoblox
November 2014
© 2013-2014 Infoblox Inc. All Rights Reserved.
Agenda
• What is DNS and How Does it Work?
• Threat Landscape Trends
• Common Attack Vectors
̶ Anatomy of an attack: DNS Hijacking
̶ Anatomy of an attack: Reflection Attack
̶ Anatomy of an attack: DNS DDoS
• How To Protect Yourself?
• Q&A
What is the Domain Name System (DNS)?
• Address book for all of internet
• Translates “google.com” to 173.194.115.96
• Invented in 1983 by Paul Mockapetris (UC Irvine)
Without DNS, the Internet and network communications would stop
How Does DNS Work?
The slide walks one lookup of www.google.com through the ISP's recursive DNS server:
1. Client: "I need directions to www.google.com" (the query goes to the ISP DNS server).
2. ISP DNS server, cache hit: "That's in my cache, it maps to 173.194.115.96."
3. ISP DNS server, cache miss: "That domain is not in my server, I will ask another DNS server." It starts at a root DNS server and follows referrals down to the server that is authoritative for google.com.
4. The answer 173.194.115.96 comes back to the ISP DNS server: "Great, I'll put that in my cache in case I get another request."
5. Client: "Great, now I know how to get to www.google.com."
For Bad Guys, DNS Is a Great Target
• DNS is the cornerstone of the Internet, used by every business and government
• DNS is fairly easy to exploit
• Traditional protection is ineffective against evolving threats
DNS Outage = Business Downtime
The Rising Tide of DNS Threats: Are You Prepared?
• In the last year alone there has been an increase of 200% in DNS attacks and 58% in DDoS attacks [1]
• 28M open resolvers pose a significant threat to the global network infrastructure and can easily be utilized in DNS amplification attacks [2]
• 33M: number of open recursive DNS servers [2]
• With possible amplification up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge
• 2M: with enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant
DNS attacks are rising for 3 reasons:
1. Easy to spoof: DNS queries travel over UDP, so a forged source address is never checked
2. Asymmetric amplification: a query of a few dozen bytes can elicit a response many times larger
3. High-value target
Sources: [1] Quarterly Global DDoS Attack Report, Prolexic, 1st Quarter, 2013; [2] www.openresolverproject.org
Countries of origin for the most DDoS attacks in the last year: China, US, Brazil, Russia, France, India, Germany, Korea, Egypt, Taiwan
DNS Attack Vectors
The DNS Security Challenges
1. Securing the DNS platform
2. Defending against DNS attacks (DDoS / cache poisoning)
3. Preventing malware from using DNS
Anatomy of an Attack: DNS Hijacking (Syrian Electronic Army)
Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
How the attack works:
• Combines reflection and amplification
• Uses third-party open resolvers on the Internet as unwitting accomplices
• The attacker sends queries to the open recursive servers with the source address spoofed to the target victim's address, so the replies are "reflected" onto the victim
• Uses queries specially crafted to result in a very large response
• Causes DDoS on the victim's server
Anatomy of an Attack: DNS DDoS for Hire
• DDoS attacks against major U.S. financial institutions
• Launching DDoS taking advantage of server bandwidth
• 4 types of DDoS attacks:
̶ DNS amplification
̶ Spoofed SYN
̶ Spoofed UDP
̶ HTTP with proxy support
• Script offered for $800
The Rising Tide of DNS Threats: Top 10 DNS Attacks
• TCP/UDP/ICMP floods: flood the victim's network with large amounts of traffic
• DNS amplification: use the amplification in the DNS reply to flood the victim
• DNS cache poisoning: corruption of a DNS cache database with a rogue address
• Protocol anomalies: malformed DNS packets causing the server to crash
• DNS tunneling: tunneling of another protocol through DNS for data exfiltration
• DNS hijacking: subverting resolution of DNS queries to point to a rogue DNS server
• DNS-based exploits: exploit vulnerabilities in DNS software
• Reconnaissance: probe to get information on the network environment before launching an attack
• DNS reflection/DrDoS: use third-party DNS servers to propagate a DDoS attack
• Fragmentation: traffic with lots of small, out-of-order fragments
Protection Best Practices
Help Is On the Way!
• DNSSEC
• Dedicated appliances
• Collaboration
• RPZ
• Monitoring
• Advanced DNS Protection
Get the Teams Talking – Questions to Ask:
• Who in your org is responsible for DNS Security?
• What methods, procedures, tools do you have in place to detect and
mitigate DNS attacks?
• Would you know if an attack was happening, would you know how to
stop it?
Teams that need to be in the room: IT Ops, IT Apps, Security, Network
Hardened DNS Appliances
Conventional server approach:
– Many open ports subject to attack
– Users have OS-level account privileges on the server
– Requires time-consuming manual updates
Hardened appliance approach:
 Dedicated hardware with no unnecessary logical or physical ports (limited port access)
 No OS-level user accounts, only admin accounts
 Immediate updates to new security threats (threat update service)
 Secure HTTPS-based access to device management
 No SSH or root-shell access
 Encrypted device-to-device communication
Monitoring & Alert on Aggregate Query Rate
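The slide shows the idea as a chart; here is an added example (not Infoblox code) of the detection logic behind it: bucket a DNS server's query log per second, alert when the aggregate rate crosses a threshold, and report which client and query type drive each offending second, since a burst of ANY queries "from" one address is what a reflection attempt looks like on the server being abused. The log lines are constructed in a BIND-style query-log format for the demo; the timestamp and field layout, the threshold and the addresses are all assumptions, not values from the slides.

```python
"""Added example: alert on the aggregate query rate of a DNS server from its query
log, and name the top talker and dominant query type in each offending second.
Log lines below are constructed in BIND-style query-log format; they are not
captured traffic."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<ip>[0-9A-Fa-f.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, client ip, qname, qtype) or None for unrecognised lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"], m["qname"].lower(), m["qtype"].upper()


def analyse(lines, qps_threshold=100):
    """Bucket queries per second; emit an alert for every second whose aggregate
    rate exceeds qps_threshold, with the client and qtype driving it."""
    total = Counter()
    clients = defaultdict(Counter)
    qtypes = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # non-query log lines (zone loads, notifies, ...) are skipped
        ts, ip, _qname, qtype = parsed
        second = ts.replace(microsecond=0)
        total[second] += 1
        clients[second][ip] += 1
        qtypes[second][qtype] += 1
    alerts = []
    for second in sorted(total):
        if total[second] <= qps_threshold:
            continue
        top_ip, top_n = clients[second].most_common(1)[0]
        top_qtype, _ = qtypes[second].most_common(1)[0]
        alerts.append({
            "second": second.isoformat(),
            "qps": total[second],
            "top_client": top_ip,
            "top_client_share": round(top_n / total[second], 3),
            "top_qtype": top_qtype,
        })
    return alerts


def constructed_log():
    """Four seconds of normal traffic from five internal clients, plus a burst of
    140 ANY queries in one second from a single external address: on a reflector
    that address is the victim, spoofed as the source by the attacker."""
    fmt = "%d-%b-%Y %H:%M:%S.%f"
    base = datetime(2014, 11, 12, 10, 0, 0)
    lines = []
    for sec in range(4):
        for i in range(1, 6):
            t = base + timedelta(seconds=sec, milliseconds=100 * i)
            lines.append(f"{t.strftime(fmt)[:-3]} client 10.0.0.{i}#5353: query: www.example.com IN A +E (10.0.0.53)")
    for i in range(140):
        t = base + timedelta(seconds=2, milliseconds=5 * i)
        lines.append(f"{t.strftime(fmt)[:-3]} client 192.0.2.7#{1024 + i}: query: example.com IN ANY +E (10.0.0.53)")
    lines.append("12-Nov-2014 10:00:03.999 general: info: zone example.com/IN: loaded serial 2014111201")
    return lines


if __name__ == "__main__":
    for alert in analyse(constructed_log()):
        print(alert)
```

In production the threshold should come from a baseline of the server's own traffic rather than a fixed number, and the alert is only the first step: the top-client/top-qtype fields are what tell you whether to rate-limit a qtype, block a source, or call the upstream provider.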
DNSSEC
• DNS Security Extensions
• Uses public key cryptography to verify the authenticity of DNS zone data (records)
̶ DNSSEC zone data is digitally signed using a private key for that zone
̶ A DNS server receiving DNSSEC-signed zone data can verify the origin and integrity of the data by checking the signature using the public key for that zone
• Addresses cache poisoning, including the Kaminsky attack: a forged response that guesses the transaction ID and source port still fails signature validation
• Caveat: DNSSEC does nothing against DDoS, and signed responses are larger, which increases the amplification available to reflection attacks; it only protects where the zone is signed and the resolver validates
Advanced DNS Protection
• Advanced DNS Protection appliances (external DNS and internal DNS) receive automatic updates from a threat intelligence server
• Legitimate traffic continues to be served
• Data is sent to a reporting server; reports cover attack types and severity
Response Policy Zones (RPZ): Blocking Queries to Malicious Domains
1. An infected device is brought into the office. The malware/APT spreads to other devices on the intranet and calls home.
2. The malware makes a DNS query to find "home" (the botnet / C&C server).
3. The DNS server with RPZ capability detects and blocks the query to the malicious domain; the blocked attempt is logged and sent to syslog.
4. Security teams can now identify the requesting endpoint and attempt remediation.
The RPZ is regularly updated with malicious domain data from available reputational feeds (IPs, domains, etc. of bad servers).
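Steps 2 through 4 above, as an added example that is not Infoblox code: a simplified model of RPZ enforcement on a recursive server. A reputational feed lists malicious domains (a wildcard entry covers every subdomain) and IP ranges of bad servers; a query whose name matches, or whose answer contains a listed address, is rewritten, and the attempt is logged with the requesting endpoint so the security team can find it. The feed, the names, the addresses and the log-line layout are all constructed for the demo. Real RPZ is expressed as DNS zone data with more trigger types and its own precedence rules; this model keeps just QNAME and answer-IP triggers, with an exact name beating a wildcard.

```python
"""Added example: simplified Response Policy Zone (RPZ) enforcement with QNAME and
answer-IP triggers, exception entries, feed updates and a syslog-style log line.
Feed contents are constructed, not a real reputational feed."""
import ipaddress
from collections import namedtuple

PolicyResult = namedtuple("PolicyResult", "action trigger log")

# Constructed reputational feed: name -> action, network -> action.
FEED = {
    "qname": {
        "evil.example": "NXDOMAIN",        # the domain itself
        "*.evil.example": "NXDOMAIN",      # and every subdomain
        "cdn.evil.example": "PASSTHRU",    # local exception: exact name beats wildcard
        "c2.badbotnet.test": "DROP",
    },
    "ip": {"198.51.100.0/24": "NXDOMAIN"},
}


class ResponsePolicyZone:
    def __init__(self, feed):
        self.qnames = {}
        self.networks = []
        self.update(feed)

    def update(self, feed):
        """Load (or reload) the feed; RPZ data is refreshed regularly from the provider."""
        self.qnames = {k.lower().rstrip("."): v for k, v in feed.get("qname", {}).items()}
        self.networks = sorted(
            ((ipaddress.ip_network(cidr), act) for cidr, act in feed.get("ip", {}).items()),
            key=lambda pair: pair[0].prefixlen, reverse=True)  # longest prefix first

    def qname_trigger(self, qname):
        """Exact match first, then the closest enclosing wildcard."""
        name = qname.lower().rstrip(".")
        if name in self.qnames:
            return name, self.qnames[name]
        labels = name.split(".")
        for i in range(1, len(labels)):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in self.qnames:
                return wildcard, self.qnames[wildcard]
        return None, None

    def ip_trigger(self, answers):
        """Match any answer address against the listed networks."""
        for addr in answers:
            ip = ipaddress.ip_address(addr)
            for net, action in self.networks:
                if ip.version == net.version and ip in net:
                    return str(net), action
        return None, None

    def apply(self, client_ip, qname, answers):
        """Decide the policy action for one resolved query and produce the syslog-style
        line a security team pivots on: client address, name, trigger, action."""
        trigger, action = self.qname_trigger(qname)
        kind = "QNAME"
        if action is None:
            trigger, action = self.ip_trigger(answers)
            kind = "IP"
        if action is None or action == "PASSTHRU":
            return PolicyResult(action, trigger, None)  # answer returned unchanged
        log = f"client {client_ip}: rpz {kind} {action} rewrite {qname.rstrip('.')} via {trigger}"
        return PolicyResult(action, trigger, log)


def demo():
    rpz = ResponsePolicyZone(FEED)
    return [
        rpz.apply("10.0.0.5", "www.evil.example.", ["203.0.113.9"]),      # wildcard block
        rpz.apply("10.0.0.5", "cdn.evil.example.", ["203.0.113.9"]),      # exact PASSTHRU wins
        rpz.apply("10.0.0.6", "update.safe.example.", ["198.51.100.7"]),  # answer IP is listed
        rpz.apply("10.0.0.7", "c2.badbotnet.test.", ["203.0.113.44"]),    # drop, no answer at all
        rpz.apply("10.0.0.8", "www.example.com.", ["203.0.113.1"]),       # no policy matched
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The log line is the part that turns RPZ from a blocking control into a detection one: the client address in it is the infected endpoint, which is what step 4 on the slide needs. Note that a device that resolves through some other server (hard-coded public resolver, DNS over another channel) never hits this policy, so egress filtering of port 53 to anything but the internal resolvers belongs with it.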
Call to Action
• DNS security vulnerabilities pose
a significant threat
• Raise the awareness of DNS and
DNS security vulnerabilities in
your organization
• There are many resources available to help
• Seek help if needed to protect DNS
Take the DNS Security Risk Assessment
1. Analyzes your organization’s DNS setup to assess level of risk
of exposure to DNS threats
2. Provides DNS Security Risk Score and analysis based on answers given
3. www.infoblox.com/dnssecurityscore
Higher score = higher DNS security risk!
About Infoblox
• Founded in 1999
• Headquartered in Santa Clara, CA with global operations in 25 countries
• Leader in technology for network control
• Market leadership: DDI Market Leader (Gartner); 50% DDI Market Share (IDC)
• 7,500+ customers
• 74,000+ systems shipped to 100 countries
• 55 patents, 29 pending
• IPO April 2012: NYSE BLOX
[Bar chart: Total Revenue ($MM), fiscal year ending July 31, FY2007 through FY2014; values as printed: $250.3, $225.0, $169.2, $132.8, $102.2, $56.0, $61.7, $35.0]
Thank you!
For more information
www.infoblox.com