DNS Security with AntiDDoS and AntiMalware for YOUR subscribers
Only with Infoblox hardware appliances
Adam Obszyński, aobszynski@infoblox.com
CONFIDENTIAL
© 2015 Infoblox Inc. All Rights Reserved.
Why Securing DNS is Critical
• #1 protocol for volumetric reflection/amplification attacks
• DNS is critical networking infrastructure
• DNS protocol is easy to exploit and attacks are prevalent
• Traditional security is ineffective against evolving threats
Unprotected, DNS increases risk to critical infrastructure and data
DNS Security Gap
• One of the fastest growing attack vectors
• Easy-to-exploit protocol
• Firewalls and IDS/IPS devices not focused on DNS threats
• Proliferation of BYOD devices and mobile users, meaning threats may be inside the firewall
• DNS security layer needed to complement existing security solutions
DNS Security Challenges
1. Defending against DNS DDoS attacks (Authoritative + Recursive)
2. Stopping APTs/malware from using DNS (Recursive)
3. Preventing data exfiltration via DNS (Recursive)
APTs: The New Threat Landscape
• Organized and well funded
• Profile organizations using public data/social media
• Target key POIs via spear phishing
• “Watering hole” target groups on trusted sites
• Operational sophistication: coordinated attacks, distract big, strike precisely
• Leverage tried and true techniques like SQLi, DDoS & XSS
• Malicious traffic is visible on 100% of corporate networks¹
• Every minute a host accesses a malicious website¹
The question isn’t if, but when you will be attacked, and how effectively you can respond
APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data
Source: ¹ Cisco 2014 Annual Security Report
Evolution of DNS DDoS Attacks
• DNS based DDoS attacks are constantly evolving and affect both external and internal DNS servers
• Methods range from amplification/reflection, floods and simple NXDOMAIN to highly sophisticated attacks involving botnets, chain reactions and misbehaving domains
Attack types shown on the timeline: DrDoS, Random Subdomain, Cache Poisoning, Basic NXDOMAIN Floods, CPE Botnet Based, DNS Tunneling, Domain Lock-up, DNS Hijacking, Phantom Domain
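A worked example, added here and not taken from the deck (it is neither Infoblox code nor the rules Advanced DNS Protection uses), of how three of the attack classes listed above leave recognisable traces in a resolver's query log: a random-subdomain flood shows up as many distinct NXDOMAIN names under one zone, DNS tunneling as long high-entropy labels repeated under one domain, and reflection/amplification as a burst of ANY queries whose responses dwarf the requests. SAMPLE_LOG, the domain names and every threshold are constructed for the demonstration.

```python
"""Heuristic classification of DNS resolver query-log records.

Added example, not Infoblox code or rule content. SAMPLE_LOG is constructed;
thresholds are illustrative assumptions that need tuning per deployment.
"""
from collections import defaultdict
from math import log2

# Constructed records: (client_ip, qname, qtype, rcode, response_bytes)
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A", "NOERROR", 60),
    ("10.0.0.5", "mail.example.com", "MX", "NOERROR", 90),
    # random-subdomain flood: unique throwaway labels under one zone, all NXDOMAIN
    *[("10.0.1.%d" % (i % 4 + 1), "q%05x.victim.example" % (i * 7919), "A", "NXDOMAIN", 100)
      for i in range(40)],
    # tunneling: long, high-entropy labels carrying data under one domain
    ("10.0.2.9", "v2hhdhrrzmvpcw9qdw4gbgvnaxrpbwf0zq.t.exfil.example", "TXT", "NOERROR", 300),
    ("10.0.2.9", "1ghjebkqadglcr2f0bnm9ebpq04gmo1lmrv.t.exfil.example", "TXT", "NOERROR", 280),
    ("10.0.2.9", "ahx3ml8wr3cs9a61d2nsg1e7bmu3oaf6pxg.t.exfil.example", "TXT", "NOERROR", 310),
    # reflection: one (spoofed) source asking ANY for a name with a very large answer
    *[("203.0.113.7", "big-zone.example", "ANY", "NOERROR", 3200) for _ in range(25)],
]


def entropy(s):
    """Shannon entropy in bits per character; random/encoded data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values())


def zone_of(qname, labels=2):
    """Crude registered-domain approximation: the last two labels."""
    return ".".join(qname.lower().rstrip(".").split(".")[-labels:])


def analyze(records, nx_unique=20, tunnel_len=30, tunnel_entropy=3.5, tunnel_min=3,
            amp_ratio=10.0, amp_min=10, query_bytes=60):
    nx_names = defaultdict(set)               # zone -> distinct NXDOMAIN names
    tunnel_hits = defaultdict(int)            # (client, zone) -> suspicious labels seen
    any_stats = defaultdict(lambda: [0, 0])   # client -> [ANY queries, response bytes]
    for client, qname, qtype, rcode, rbytes in records:
        zone = zone_of(qname)
        if rcode == "NXDOMAIN":
            nx_names[zone].add(qname.lower())
        first = qname.split(".")[0]
        if len(first) >= tunnel_len and entropy(first) >= tunnel_entropy:
            tunnel_hits[(client, zone)] += 1
        if qtype == "ANY":
            any_stats[client][0] += 1
            any_stats[client][1] += rbytes
    findings = []
    for zone, names in nx_names.items():
        if len(names) >= nx_unique:
            findings.append(("random_subdomain", zone, len(names)))
    for (client, zone), n in tunnel_hits.items():
        if n >= tunnel_min:
            findings.append(("dns_tunneling", client + "->" + zone, n))
    for client, (n, total) in any_stats.items():
        ratio = total / (n * query_bytes)     # bytes out per byte in, assuming ~60-byte queries
        if n >= amp_min and ratio >= amp_ratio:
            findings.append(("amplification_reflection", client, round(ratio, 1)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The amplification case carries a caveat: in a reflection attack the logged "client" is the spoofed victim, so the right response is to rate-limit responses to that source (or refuse ANY), not to treat the address as the attacker. The other two thresholds need tuning per zone and client population; a large CDN domain legitimately produces many distinct names and labels that look random.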
DNS Caching
Protection against attacks on caching servers
• Large number of bots make more requests of the DNS server than it can handle
• Causes the DNS server to drop inbound DNS requests
Advanced DNS Protection can secure DNS Caching Servers from DNS Floods and other threats
How Infoblox Secures DNS
Infoblox and Service Providers
Dedicated SP Business Unit
• Dedicated Sales, SEs, Marketing, Engineering, Product Mgmt
Market leadership
• #1 in DNS Caching; First DNS Firewall
• Competition in decline
Dedicated SP product line
• Leads Industry with >1M DNS qps and Advanced DDoS protection
• Carrier-grade solution adopted at major Tier 1 providers
230+ Service Providers; 55,000+ systems shipped; 6800+ Enterprises
IPO April 2012 NYSE (BLOX)
$225M Revenue; $2B Market Cap
[Chart: Total Revenue (Fiscal Year Ending July 31), axis $0 to $300M, FY2007 to FY2013; bar labels 35, 56, 62, 102, 133, 169, 225, 250]
Hardened DNS Appliances
Hardened Appliance Approach (Secure Access, Update Service, Limited Port Access)
 Dedicated hardware with no unnecessary logical or physical ports
 No OS-level user accounts—only admin accounts
 Immediate updates to new security threats
 Secure HTTPS-based access to device management
 No SSH or root-shell access
 Hardware based Security & DNS Acceleration
 Encrypted device-to-device communication
Conventional Server Approach (Multiple Open Ports)
• Many open ports are subject to attack.
• Users have OS-level account privileges on server.
• Requires time-consuming manual updates.
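One check behind the "limited port access" point that a practitioner can run against a self-built resolver: compare the sockets the host actually listens on with the small set a DNS appliance should expose. This is an added example, not Infoblox tooling; SAMPLE_SS is constructed text in the shape of Linux `ss -Hlntu` output, and the allow-list (53/udp, 53/tcp, 443/tcp for HTTPS management) is an assumption modelled on the slide.

```python
"""Audit a DNS host's listening sockets against a least-exposure allow-list.

Added example, not Infoblox code. SAMPLE_SS is constructed in the shape of
`ss -Hlntu` output (Linux iproute2); ALLOWED is an assumption from the slide.
"""

# What a hardened DNS appliance should expose to the network: DNS itself and HTTPS management.
ALLOWED = {("udp", 53), ("tcp", 53), ("tcp", 443)}

# Loopback-bound services are not reachable from the network and are not reported.
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: columns are Netid State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS = """\
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    [::]:8080         [::]:*
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*
"""


def parse_ss(text):
    """Yield (proto, local_addr, port) for each socket line of `ss -Hlntu` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")   # rpartition keeps IPv6 addresses intact
        yield proto, addr.strip("[]"), int(port)


def unexpected_listeners(text, allowed=ALLOWED):
    """Return sorted (proto, addr, port) tuples reachable from the network and not allowed."""
    return sorted((proto, addr, port) for proto, addr, port in parse_ss(text)
                  if addr not in LOOPBACK and (proto, port) not in allowed)


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_SS):
        print("unexpected listener: %s %s:%d" % (proto, addr, port))
```

On the sample the SSH daemon on 22/tcp and the extra web listener on 8080/tcp are reported; the NTP socket bound to loopback is not. On a real host, feed the function `ss -Hlntu` output and run it from configuration management so drift is caught, not just the initial build.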
DNS Protection is Not Only About DDoS
Volumetric/DDoS Attacks:
• DNS reflection
• DNS amplification
• TCP/UDP/ICMP floods
• NXDOMAIN attack
• Phantom domain attack
• Random subdomain attack
• Domain lockup attack
DNS-specific Exploits:
• DNS-based exploits
• DNS cache poisoning
• DNS tunneling
• Protocol anomalies
• Reconnaissance
• DNS hijacking
Protection Against DNS Attacks
[Diagram: INTERNET -> ENTERPRISE Firewall -> Infoblox Internal DNS Security; DNS DDoS and legitimate traffic arrive together; DNS attacks are detected & dropped, legitimate traffic passes; rule updates come from the Infoblox Automated Threat Intelligence Service]
Attacks detected and dropped:
• DNS reflection
• DNS amplification
• TCP/UDP/ICMP floods
• NXDOMAIN attack
• Phantom domain attack
• Domain lockup attack
• DNS tunneling
• Random subdomain attack
• DNS-based exploits
• DNS cache poisoning
• Malformed DHCP requests
Security Built-in to the DNS Infrastructure
[Diagram: Internet -> Security -> Infoblox PT Appliances (DNS Servers): protection against DNS threats; serve DNS queries under attack]
Use Cases
• Enterprise Customers
  ̶ External authoritative DNS server
  ̶ Internal DNS: Enterprise / Universities with open networks
• Service Providers
  ̶ Recursive Caching
  ̶ Authoritative DNS services
Traditional security appliances mitigate only some of the attacks against DNS
Protection Against APTs/Malware
DNS Firewall
[Diagram: Infoblox threat update device supplies IPs, domains, etc. of bad servers (malicious domains feed); INTERNET -> INTRANET; malware/APT spreads within the network and calls home; blocked communication attempt sent to Syslog]
1. An infected device is brought into the office. Malware spreads to other devices on the network.
2. Malware makes a DNS query to find “home” (botnet / C&C). DNS Firewall looks at the DNS response and takes admin-defined action (disallows communication to the malware site or redirects traffic to a landing page or “walled garden” site).
3. Pinpoint. Infoblox Reporting lists the DNS Firewall action as well as the:
   • Device IP address
   • Device MAC address
   • Device type/OS (DHCP fingerprint)
   • Device host name
   • Device lease history
   • AD login name
   • Switch/port/VLAN
4. An update will occur every 2 hours (or more often for a significant threat).
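Steps 2 and 3 above (rewrite the response according to a policy feed, then log the blocked attempt with enough device context to pinpoint the host) as an added example that is not Infoblox code: RPZ-style QNAME and answer-IP triggers with NXDOMAIN, redirect-to-walled-garden and passthru actions, followed by a syslog-style JSON event enriched from a DHCP lease table. The policy entries, lease records, action names and field names are constructed assumptions, not the real DNS Firewall feed or report schema.

```python
"""RPZ-style DNS firewall decision with syslog-style, lease-enriched logging.

Added example, not Infoblox code. The policy feed, actions, lease table and
event format are constructed for the demonstration.
"""
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Answer:
    qname: str
    rtype: str
    rdata: str


# Constructed policy feed (stand-in for the threat update). Actions:
# NXDOMAIN = block, REDIRECT:<ip> = send to walled-garden page, PASSTHRU = whitelist.
POLICY = {
    "qname": {
        "c2.bad.example": "NXDOMAIN",
        "*.malware.example": "REDIRECT:10.10.10.10",
        "cdn.good.example": "PASSTHRU",
    },
    "ip": {ip_network("198.51.100.0/24"): "NXDOMAIN"},   # known bad server range
}

# Constructed DHCP/identity data keyed by client IP: the fields the slide lists for pinpointing.
LEASES = {
    "10.0.5.23": {"mac": "00:11:22:33:44:55", "fingerprint": "Windows 7", "hostname": "PC-LAB-7",
                  "ad_user": "j.kowalski", "switch_port": "sw3/Gi1/0/12", "vlan": 120},
}


def qname_rule(qname):
    """Exact match first, then wildcard matches from the most specific parent down."""
    q = qname.lower().rstrip(".")
    if q in POLICY["qname"]:
        return POLICY["qname"][q]
    labels = q.split(".")
    for i in range(1, len(labels)):
        action = POLICY["qname"].get("*." + ".".join(labels[i:]))
        if action:
            return action
    return None


def ip_rule(answers):
    """Trigger on the resolved addresses in the response (the 'look at the DNS response' step)."""
    for a in answers:
        if a.rtype in ("A", "AAAA"):
            addr = ip_address(a.rdata)
            for net, action in POLICY["ip"].items():
                if addr in net:
                    return action
    return None


def apply_policy(qname, answers):
    """Return (action, answers to send). A QNAME whitelist wins over IP triggers."""
    action = qname_rule(qname) or ip_rule(answers)
    if action is None or action == "PASSTHRU":
        return "PASSTHRU", list(answers)
    if action == "NXDOMAIN":
        return "NXDOMAIN", []
    if action.startswith("REDIRECT:"):
        return "REDIRECT", [Answer(qname, "A", action.split(":", 1)[1])]
    raise ValueError("unknown policy action: " + action)


def log_event(client_ip, qname, action):
    """One syslog-style JSON line, enriched from the lease table when the client is known."""
    rec = {"event": "dns_firewall", "client": client_ip, "qname": qname, "action": action}
    rec.update(LEASES.get(client_ip, {}))
    return json.dumps(rec, sort_keys=True)


def handle(client_ip, qname, answers):
    """Full path for one response: decision, rewritten answer set, log line (None if allowed)."""
    action, sent = apply_policy(qname, answers)
    line = log_event(client_ip, qname, action) if action != "PASSTHRU" else None
    return action, sent, line


if __name__ == "__main__":
    print(handle("10.0.5.23", "c2.bad.example", [Answer("c2.bad.example", "A", "192.0.2.5")]))
    print(handle("10.0.7.1", "unknown.example", [Answer("unknown.example", "A", "198.51.100.9")]))
```

Checking the IP trigger against the response rather than the question is what catches malware that rotates hostnames but keeps its hosting; the whitelist ordering matters because a CDN hostname can resolve into a range that also hosts bad actors. Without the lease join the log line only names an IP address that DHCP may have handed to a different device by the time anyone reads it, which is why the deck's pinpoint fields (MAC, fingerprint, AD user, switch port) are captured at block time.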
DNS can make a huge difference!
Web Delay – Sample
Fast Web Performance Starts with DNS…
• http://techcrunch.com/
  ̶ 300+ objects
  ̶ 60+ domains
© http://blog.catchpoint.com/
Web Delay – Sample 2
Fast Web Performance Starts with DNS…
• Two components to DNS latency:
  ̶ Latency Client <-> Server
  ̶ Caches <-> name servers
    - Cache misses
    - Under provisioning
    - Malicious traffic
© https://developers.google.com/
Devices vs Solutions
• Self made vs Dedicated.
• Dedicated DNS Cache appliance does not stop answering queries from cache when capacity limits are reached for cache misses, NXDOMAIN queries etc.
[Chart: Avg. Latency (Seconds), BIND vs Infoblox 4030 DNS Cache]
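A small discrete-time model, added here rather than taken from the deck, of the claim on this slide, of the cache-miss latency component on the previous one, and of the bot flood on the "DNS Caching" slide: a resolver whose recursion capacity is shared with cache hits stops answering cached names once a random-subdomain flood fills that capacity, while one that serves cache hits on a separate path keeps answering them. Slot counts, latencies and the flood rate are arbitrary assumptions; the model describes neither BIND nor the Infoblox 4030 internals.

```python
"""Discrete-time model of a caching resolver under a random-subdomain flood.

Added example, not Infoblox or ISC code. Capacity, latency and flood rate
are arbitrary assumptions chosen to make the saturation visible.
"""
import heapq
import random


class Resolver:
    def __init__(self, slots, upstream_latency, cache_first):
        self.slots = slots                        # concurrent recursions (in-flight upstream lookups)
        self.upstream_latency = upstream_latency  # ticks a recursion holds its slot
        self.cache_first = cache_first            # True: cache hits bypass the recursion capacity
        self.cache = set()
        self.inflight = []                        # heap of (finish_tick, qname)
        self.stats = {"hit": 0, "miss": 0, "dropped": 0}

    def _reap(self, now):
        """Complete recursions whose upstream answer has arrived; cache their names."""
        while self.inflight and self.inflight[0][0] <= now:
            _, qname = heapq.heappop(self.inflight)
            self.cache.add(qname)

    def query(self, now, qname):
        self._reap(now)
        saturated = len(self.inflight) >= self.slots
        if qname in self.cache:
            # A server whose worker pool is blocked on recursions drops everything once
            # saturated; a cache-first design still answers from cache.
            outcome = "hit" if (self.cache_first or not saturated) else "dropped"
        elif saturated:
            outcome = "dropped"
        else:
            heapq.heappush(self.inflight, (now + self.upstream_latency, qname))
            outcome = "miss"
        self.stats[outcome] += 1
        return outcome


def simulate(cache_first, legit_names=50, flood_per_tick=40, ticks=200,
             slots=100, upstream_latency=20, seed=1):
    """Warm the cache with legitimate names, then run a flood of never-seen
    subdomains alongside one legitimate (cached) query per tick and report
    how the legitimate queries fared."""
    rng = random.Random(seed)
    r = Resolver(slots, upstream_latency, cache_first)
    names = ["site%d.example" % i for i in range(legit_names)]
    for n in names:                          # warm-up at tick 0: all misses, cached by t0
        r.query(0, n)
    t0 = upstream_latency + 1
    legit = {"hit": 0, "miss": 0, "dropped": 0}
    for t in range(t0, t0 + ticks):
        for _ in range(flood_per_tick):      # attacker: unique junk labels under one zone
            r.query(t, "%08x.victim.example" % rng.getrandbits(32))
        legit[r.query(t, rng.choice(names))] += 1
    return legit


if __name__ == "__main__":
    print("cache shares recursion capacity:", simulate(cache_first=False))
    print("cache served on its own path:  ", simulate(cache_first=True))
```

With the defaults the flood needs 800 concurrent recursions against 100 available, so the shared design answers the first two legitimate queries and drops the remaining 198, while the cache-first design answers all 200. The flood itself is dropped in both cases; what the separation buys is that subscribers resolving already-cached names never notice, which is the user-experience point the case study later measures as cache hit ratio versus churn.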
Advanced Appliances Come in Four Physical Platforms
Segments: SP & Enterprise; SP / ISP Subscribers
Performance (DNS Caching, hardware based!): 50 000 qps, 143 000 qps, 200 000 qps, 300k / 600k / 5 000 000 qps
Advanced Appliances have next-generation programmable processors that provide dedicated compute for threat mitigation.
The appliances offer both AC and DC power supply options.
Test Us!
Find DNS Threats in your Network
Send Us Your PCAP Files
• Infoblox analyzes and provides insights on malicious activity in seconds
• Report on findings to take back to management
How to deploy + Case Study from Poland
Cable SP
Huge attacks
Press info about ISP being down for 8 days!
Design
System topology
First month stats:
 Blocked 6M events with multiple risk levels
CHR vs CPU vs User Experience
• Cache Hit Ratio (CHR)
• CPU resources
• User experience == NO CHURN
Secure DNS Deployment
[Diagram]
• Infoblox Automated Threat Update Service: rule updates for DNS-based attacks to the External DNS Security; updates for DNS-based attacks and malicious domains to the Internal DNS Security
• INTERNET -> Firewall -> DMZ: Infoblox External DNS Security (External Authoritative) blocks external DNS attacks; Infoblox DNS Caching Server also in the DMZ
• DMZ -> Firewall -> INTRANET: Infoblox Internal DNS Security (Internal Recursive) answers DNS queries and blocks attacks and Malware/APT communication
• External and Internal DNS Security both send data for reports to the Infoblox Reporting Server
Q&A
Infoblox Differentiation and Value
[Comparison matrix. Columns: Infoblox Advanced DNS Protection (dedicated compute for threat mitigation), Load Balancers, Pure DDoS, Next-gen Firewalls, IPS, Cloud. Rows, Volumetric/DDoS Attacks: General DDoS, DNS DDoS, DNS amplification, DNS reflection, NXDOMAIN. Rows, DNS-specific Exploits: DNS server OS and application vulnerabilities, DNS semantic attacks, Cache poisoning, DNS tunneling, DNS hijacking]