Slide 1: DNS Security with AntiDDoS and AntiMalware for YOUR subscribers. Only with Infoblox hardware appliances.
Adam Obszyński, aobszynski@infoblox.com
CONFIDENTIAL | © 2015 Infoblox Inc. All Rights Reserved.

Slide 2: Why Securing DNS is Critical
• #1 protocol for volumetric reflection/amplification attacks
• DNS is critical networking infrastructure
• DNS protocol is easy to exploit and attacks are prevalent
• Traditional security is ineffective against evolving threats
• Unprotected, DNS increases risk to critical infrastructure and data

Slide 3: DNS Security Gap
• One of the fastest growing attack vectors
• Easy-to-exploit protocol
• Firewalls and IDS/IPS devices not focused on DNS threats
• Proliferation of BYOD devices and mobile users, meaning threats may be inside the firewall
• DNS security layer needed to complement existing security solutions

Slide 4: DNS Security Challenges
1. Defending against DNS DDoS attacks (Authoritative + Recursive)
2. Stopping APTs/malware from using DNS (Recursive)
3. Preventing data exfiltration via DNS (Recursive)

Slide 5: APTs: The New Threat Landscape
• Organized and well funded
• Profile organizations using public data/social media
• Target key POIs via spear phishing
• Operational sophistication
• Coordinated attacks: distract big, strike precisely
• "Watering hole" target groups on trusted sites
• Leverage tried and true techniques like SQLi, DDoS & XSS
• Malicious traffic is visible on 100% of corporate networks¹
• Every minute a host accesses a malicious website¹
The question isn't if, but when you will be attacked, and how effectively you can respond.
APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data.
Source: ¹ Cisco 2014 Annual Security Report

Slide 6: Evolution of DNS DDoS Attacks
• DNS based DDoS attacks are constantly evolving and affect both external and internal DNS servers
• Methods range from amplification/reflection, floods and simple NXDOMAIN to highly sophisticated attacks involving botnets, chain reactions and misbehaving domains
Attack types shown on the timeline: DrDoS, Random Subdomain, Cache Poisoning, Basic NXDOMAIN Floods, CPE Botnet Based, DNS Tunneling, Domain Lock-up, DNS Hijacking, Phantom Domain

Slide 7: DNS Caching: Protection against attacks on caching servers
• A large number of bots make more requests of the DNS server than it can handle
• This causes the DNS server to drop inbound DNS requests
• Advanced DNS Protection can secure DNS Caching Servers from DNS floods and other threats

Slide 8: How Infoblox Secures DNS

Slide 9: Infoblox and Service Providers
Dedicated SP Business Unit
• Dedicated Sales, SEs, Marketing, Engineering, Product Mgmt
Market leadership
• #1 in DNS Caching; First DNS Firewall
• Competition in decline
Dedicated SP product line
• Leads industry with >1M DNS qps and Advanced DDoS protection
• Carrier-grade solution adopted at major Tier 1 providers
230+ Service Providers; 55,000+ systems shipped; 6800+ Enterprises
IPO April 2012, NYSE (BLOX); $225M Revenue; $2B Market Cap
Total Revenue chart ($M, fiscal year ending July 31; axis labels FY2007, FY2009, FY2011, FY2013; bar values shown: 35, 56, 62, 102, 133, 169, 225, 250)

Slide 10: Hardened DNS Appliances
Hardened Appliance Approach:
• Limited Port Access: dedicated hardware with no unnecessary logical or physical ports
• Secure Access: no OS-level user accounts, only admin accounts; secure HTTPS-based access to device management; no SSH or root-shell access
• Update Service: immediate updates to new security threats
• Hardware based Security & DNS Acceleration
• Encrypted device-to-device communication
Conventional Server Approach:
• Multiple Open Ports: many open ports are subject to attack.
• Users have OS-level account privileges on the server.
• Requires time-consuming manual updates.

Slide 11: DNS Protection is Not Only About DDoS
Volumetric/DDoS Attacks: DNS reflection, DNS amplification, TCP/UDP/ICMP floods, NXDOMAIN attack, Phantom domain attack, Random subdomain attack, Domain lockup attack
DNS-specific Exploits: DNS-based exploits, DNS cache poisoning, DNS tunneling, Protocol anomalies, Reconnaissance, DNS hijacking
Slide 12: Protection Against DNS Attacks
Diagram: traffic from the INTERNET passes the ENTERPRISE firewall to Infoblox Internal DNS Security, which is fed by the Infoblox Automated Threat Intelligence Service. Legitimate traffic is served; DNS DDoS and DNS attacks are detected & dropped.
Volumetric/DDoS Attacks: DNS reflection, DNS amplification, TCP/UDP/ICMP floods, NXDOMAIN attack, Phantom domain attack, Domain lockup attack, Random subdomain attack
DNS-specific Exploits: DNS-based exploits, DNS cache poisoning, DNS tunneling, Malformed DHCP requests

Slide 13: Security Built-in to the DNS Infrastructure
Use Cases
• Enterprise Customers
  - External authoritative DNS server
  - Internal DNS: enterprises / universities with open networks
• Service Providers
  - Recursive caching
  - Authoritative DNS services
Diagram: Internet → Infoblox PT Appliances (Security) → DNS Servers; protection against DNS threats; serve DNS queries while under attack.
Traditional security appliances mitigate only part of the attacks against DNS.

Slide 14: Protection Against APTs/Malware: DNS Firewall
Diagram: the Infoblox threat update device supplies the IPs, domains, etc. of bad servers (malicious domains); malware/APT on the INTRANET attempts to reach the INTERNET; the blocked communication attempt is sent to Syslog.
1. An infected device is brought into the office. Malware spreads to other devices on the network.
2. Malware makes a DNS query to find "home" (botnet / C&C). DNS Firewall looks at the DNS response and takes the admin-defined action (disallows communication to the malware site, or redirects traffic to a landing page or "walled garden" site).
3. Pinpoint. Infoblox Reporting lists the DNS Firewall action as well as the:
  - Device IP address
  - Device MAC address
  - Device type/OS (DHCP fingerprint)
  - Device host name
  - Device lease history
  - AD login name
  - Switch/port/VLAN
4. An update will occur every 2 hours (or more often for a significant threat).
DNS can make a huge difference!

Slide 16: Web Delay – Sample
Fast Web Performance Starts with DNS…
• http://techcrunch.com/
  - 300+ objects
  - 60+ domains
Image: © http://blog.catchpoint.com/

Slide 17: Web Delay – Sample 2
Fast Web Performance Starts with DNS…
• Two components to DNS latency:
  - Latency client <-> server
  - Caches <-> name servers
    - Cache misses
    - Under-provisioning
    - Malicious traffic
Image: © https://developers.google.com/

Slide 18: Devices vs Solutions
• Self made vs Dedicated. A dedicated DNS Cache appliance does not stop answering queries from cache when capacity limits are reached for cache misses, NXDOMAIN queries etc.
Chart: Avg. Latency (Seconds), BIND vs Infoblox 4030 DNS Cache

Slide 19: Advanced Appliances Come in Four Physical Platforms
Performance tiers: 50 000 qps; 143 000 qps; 200 000 qps; 300k / 600k / 5 000 000 qps. Platforms labelled SP & Enterprise and SP / ISP Subscribers DNS Caching (hardware based!).
Advanced Appliances have next-generation programmable processors that provide dedicated compute for threat mitigation. The appliances offer both AC and DC power supply options.

Slide 20: Test Us! Find DNS Threats in your Network
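The DNS Firewall step on slide 14 (inspect the DNS response, then block or redirect to a walled garden, and log the attempt with the slide 15 device fields), as an added example that is not Infoblox's own code: a simplified response-policy check against a constructed threat feed. The feed, device inventory, walled-garden address and log-record format are all constructed assumptions.

```python
# Added example: a simplified DNS-firewall (response-policy) check modelled on slide 14.
# Threat feed, device inventory, walled-garden address and record format are constructed
# assumptions for illustration, not Infoblox's own data or formats.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed threat feed ("IPs, Domains, etc. of Bad Servers" on slide 14); placeholders only.
BAD_DOMAINS = {"evil-c2.example", "malware-host.example"}
BAD_NETWORKS = [ip_network("192.0.2.0/24")]      # TEST-NET-1, constructed bad-server range
WALLED_GARDEN = "198.51.100.10"                  # assumed landing-page ("walled garden") address

# Constructed device inventory keyed by client IP, mirroring the slide 15 reporting fields.
DEVICES = {
    "10.0.0.23": {"mac": "00:11:22:33:44:55", "fingerprint": "Windows 10", "host": "laptop-23",
                  "ad_user": "jdoe", "switch_port": "sw1/Gi0/7/vlan20"},
}

@dataclass
class DnsResponse:
    client_ip: str      # resolver client that asked
    qname: str          # name queried (trailing dot optional)
    answers: list       # resolved A-record addresses

def domain_is_listed(qname):
    """True if qname or any parent domain is on the block list (policy by name)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))

def answer_is_listed(answers):
    """True if any resolved address falls inside a bad-server network (policy by response IP)."""
    return any(ip_address(a) in net for a in answers for net in BAD_NETWORKS)

def apply_policy(resp, mode="block"):
    """Return (action, answers_to_send, log_record). mode is the admin-defined action:
    'block' withholds the answer, 'redirect' substitutes the walled-garden address."""
    hit = "domain" if domain_is_listed(resp.qname) else "ip" if answer_is_listed(resp.answers) else None
    if hit is None:
        return "allow", resp.answers, None
    answers = [] if mode == "block" else [WALLED_GARDEN]
    record = {"action": mode, "match": hit, "qname": resp.qname, "client_ip": resp.client_ip}
    record.update(DEVICES.get(resp.client_ip, {}))   # "pinpoint" the device (slide 15 fields)
    return mode, answers, record

def syslog_line(record):
    """Flat key=value line for the 'blocked communication attempt sent to Syslog' step."""
    return "DNSFW " + " ".join(f"{k}={v}" for k, v in record.items())
```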
Slide 21: Send Us Your PCAP Files
• Infoblox analyzes and provides insights on malicious activity in seconds
• Report on findings to take back to management

Slide 22: How to deploy + Case Study from Poland

Slide 23: Cable SP
Huge attacks. Press info about the ISP being down for 8 days!

Slide 24: Design
System topology

Slide 25: First month stats
Blocked 6M events with multiple risk levels

Slide 26: CHR vs CPU vs User Experience
User experience == NO CHURN
Chart: Resources vs Cache Hit Ratio

Slide 27: Secure DNS Deployment
Diagram: the Infoblox Automated Threat Update Service pushes rule updates for DNS-based attacks and malicious domains. External attacks from the INTERNET pass the firewall into the DMZ, where Infoblox External DNS Security (external authoritative) and the Infoblox DNS Caching Server block DNS attacks. Behind a second firewall, on the INTRANET, Infoblox Internal DNS Security (internal recursive) answers DNS queries and blocks attacks and malware/APT communication. Both tiers send data for reports to the Infoblox Reporting Server.

Slide 28: Q&A

Slide 29: Infoblox Differentiation and Value
Comparison table (coverage marks per column not preserved in the text). Columns: Infoblox Advanced DNS Protection (dedicated compute for threat mitigation), Load Balancers, Pure DDoS, Next-gen Firewalls, IPS, Cloud.
Volumetric/DDoS Attacks: General DDoS, DNS DDoS, DNS amplification, DNS reflection, NXDOMAIN
DNS-specific Exploits: DNS server OS and application vulnerabilities, DNS semantic attacks, Cache poisoning, DNS tunneling, DNS hijacking