1 | © 2013 Infoblox Inc. All Rights Reserved. Securing External & Internal DNS Edward O’Connell | Sr. Product Marketing Manager February 2014.

Presentation transcript:

Slide 1: Securing External & Internal DNS. Edward O'Connell | Sr. Product Marketing Manager, February 2014

Slide 2: Agenda
- Infoblox Secure DNS Solutions
- Security Challenge
- Infoblox Overview
- Attacks on DNS
- Malware / APT

Slide 3: Infoblox Overview & Business Update
- Founded in 1999
- Headquartered in Santa Clara, CA, with global operations in 25 countries
- Market leadership: Gartner "Strong Positive" rating; 40%+ market share (DDI)
- 6,900+ customers, 55,000+ systems shipped
- 35 patents, 29 pending
- IPO April 2012: NYSE BLOX
- Leader in technology for network control
(Chart: Total Revenue in $MM, fiscal year ending July 31; 30% CAGR)

Slide 4: Infrastructure Security. Infoblox: Technology for Network Control (diagram)
- Network infrastructure: firewalls, switches, routers, web proxy, load balancers
- Apps & end-points: end points, virtual machines, private cloud, applications
- Control plane: Infoblox Grid (TM) with real-time network database, providing historical / real-time reporting & control for both layers

Slide 5: DNS, Cornerstone of the Internet. DNS not working? Your applications won't work either.

Slide 6: Another View of DNS: the first 30 seconds of starting up an iPhone (diagram of DNS lookups by activity: startup, Weather, Maps, iTunes, App Store, Stocks, reading a message, checking mail, updating one app, Concur, Twitter, Facebook)

Slide 7: Why is DNS an Ideal Target?
- DNS is the cornerstone of the Internet, used by every business and government
- DNS as a protocol is easy to exploit
- Maximum impact with minimum effort
- Traditional protection is ineffective against evolving threats

Slide 8: Today's Security Challenges
1. Attacks target DNS to bring down IT infrastructure
2. APT / malware exploits DNS to steal data

Slide 9: DNS Threat is Significant
- Attacks against DNS infrastructure are growing (source: Arbor Networks)
  - DNS-specific attacks up 216% in 2013
  - ICMP, SYN, UDP attacks
- Infrastructure-layer attack vectors, 76.76% of the total (source: Prolexic Quarterly Global DDoS Attack Report Q): ACK 2.81%, CHARGEN 6.39%, DNS 9.58%, FIN PUSH 1.28%, ICMP 9.71%, RESET 1.4%, RP 0.26%, SYN 14.56%, SYN PUSH 0.38%, TCP FRAGMENT 0.13%, UDP FLOODS 13.15%, UDP FRAGMENT 17.11%

Slide 10: Security Breaches Using Malware / APT (chart by quarter, Q1 to Q4)

Slide 11: Attacks target DNS to bring down IT infrastructure (section divider)

Slide 12: Infoblox DNS Attack Mitigation: Advanced DNS Protection
Unique detection and mitigation
- Intelligently distinguishes legitimate DNS traffic from attack traffic like DDoS, DNS exploits and tunneling
- Mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests
Centralized visibility
- Centralized view of all attacks happening across the network through detailed reports
- Intelligence needed to take action
Ongoing protection against evolving threats
- Regular automatic threat-rule updates based on threat analysis and research
- Helps mitigate attacks sooner vs. waiting for patch updates

Slide 13: External DNS, Mitigation of Attacks. How does it work? (diagram)
- The Infoblox Threat-rule Server pushes automatic updates to the Grid Master, which performs grid-wide rule distribution
- Infoblox Advanced DNS Protection (new) runs on the external authoritative and the internal recursive DNS servers; it blocks DNS attacks (amplification, cache poisoning, reconnaissance, DNS exploits) and lets legitimate traffic through
- Data for reports flows to the Reporting Server, which reports on attack types and severity

Slide 14: Attacks We Protect Against
- DNS reflection/DrDoS attacks: using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
- DNS amplification: using a specially crafted query to create an amplified response to flood the victim with traffic
- DNS-based exploits: attacks that exploit vulnerabilities in the DNS software
- TCP/UDP/ICMP floods: denial of service at layer 3, bringing a network or service down by flooding it with large amounts of traffic
- DNS cache poisoning: corruption of the DNS cache data with a rogue address
- Protocol anomalies: causing the server to crash by sending malformed packets and queries
- Reconnaissance: attempts by attackers to get information on the network environment before launching a DDoS or other type of attack
- DNS tunneling: tunneling of another protocol through DNS for data exfiltration

Slide 15: Anatomy of an Attack: NTP-based DDoS
- NTP syncs time between machines on the network; it uses UDP over port 123
- Attackers exploit the Network Time Protocol (NTP)
- Similar to a DNS reflection attack: small spoofed packets request a large amount of data, which is sent to the victim's IP address, causing DDoS
- Attacks spiked in mid-December; 15,000 IP addresses affected
- Abuses the "monlist" command in older NTP versions
- Advanced DNS Protection ensures that DNS does not participate in NTP attacks
How the attack works (diagram): the attacker sends spoofed queries across the Internet to servers with older/misconfigured NTP, which reflect amplified packets to the target victim

Slide 16: How Infoblox helps protect against NTP-based attacks (diagram)
1. Reconnaissance followed by NTP-based attacks comes interspersed with legitimate traffic.
2. Advanced DNS Protection already has a threat-mitigation rule when NTP is enabled, delivered by the Infoblox Threat Rule Server. The rule monitors NTP responses and drops them if the packet rate seems abnormal: it blocks traffic from any source IP address for a specified period of time if that source sends more packets than a pre-defined value.
3. Advanced DNS Protection blocks the reconnaissance traffic and the NTP-based attack traffic and responds only to legitimate traffic.
4. Advanced DNS Protection logs the reconnaissance events and NTP-based attack events (reports on attacks) to facilitate early detection and mitigation.
Result: Infoblox Advanced DNS Protection protects against being an unwanted accomplice to NTP-based DDoS.
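The per-source rate rule in step 2, as an added example written for this transcript (not Infoblox code): the limit, window and block period are assumed values, not the product's real settings, and the packet records are constructed.

```python
from collections import defaultdict, deque

# Assumed rule parameters (constructed for this example, not Infoblox's values):
# a source may send at most LIMIT NTP responses in any WINDOW seconds;
# a source that exceeds that is blocked for BLOCK seconds.
LIMIT, WINDOW, BLOCK = 20, 1.0, 30.0


class NtpResponseRateRule:
    """Drop NTP responses from a source whose packet rate looks abnormal and
    keep dropping that source for a fixed block period."""

    def __init__(self, limit=LIMIT, window=WINDOW, block=BLOCK):
        self.limit, self.window, self.block = limit, window, block
        self.recent = defaultdict(deque)   # src_ip -> timestamps inside the window
        self.blocked_until = {}            # src_ip -> time the block expires
        self.events = []                   # what would go to the reporting server

    def handle(self, ts, src_ip, udp_port, is_response):
        """Return 'pass' or 'drop' for one packet observed at time ts."""
        if udp_port != 123 or not is_response:
            return "pass"                  # the rule only inspects NTP responses
        until = self.blocked_until.get(src_ip)
        if until is not None:
            if ts < until:
                return "drop"              # still inside the block period
            del self.blocked_until[src_ip]
        seen = self.recent[src_ip]
        seen.append(ts)
        while seen and ts - seen[0] > self.window:
            seen.popleft()                 # forget packets older than the window
        if len(seen) > self.limit:
            self.blocked_until[src_ip] = ts + self.block
            seen.clear()
            self.events.append(f"t={ts:.2f} block {src_ip} for {self.block:.0f}s: "
                               f"more than {self.limit} NTP responses in {self.window:.0f}s")
            return "drop"
        return "pass"


# Constructed packet records: (timestamp, source IP, UDP source port, is_response).
SAMPLE = (
    [(t, "192.0.2.10", 123, True) for t in (0.0, 10.0, 20.0, 40.0)]     # legitimate NTP server
    + [(5.0 + i * 0.005, "203.0.113.5", 123, True) for i in range(100)]  # reflected burst
    + [(12.0, "203.0.113.5", 123, True), (36.0, "203.0.113.5", 123, True)]
    + [(7.0, "198.51.100.7", 53, True)]                                  # DNS, not NTP: ignored
)


def simulate(packets=SAMPLE):
    """Run the rule over the packets; return (verdicts, block events)."""
    rule = NtpResponseRateRule()
    verdicts = [rule.handle(*pkt) for pkt in packets]
    return verdicts, rule.events


if __name__ == "__main__":
    verdicts, events = simulate()
    print(f"passed {verdicts.count('pass')}, dropped {verdicts.count('drop')}")
    print("\n".join(events))
```

The burst source is dropped from its 21st response onward and stays blocked until the block period expires, while the slow legitimate server and non-NTP traffic are untouched.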

Slide 17: APT / malware exploits DNS to steal data (section divider)

Slide 18: Infoblox DNS Firewall
Intelligent detection & protection
- Detect and block malware queries for malicious domains and networks
- Open architecture for reputation data; integration with FireEye NX Series for APT alerts
Centralized visibility
- Detailed view of infected clients: IP & MAC address of the infected device, device type / host name
Automatic threat updates
- Automatic updates to protect against evolving malicious domains and networks

Slide 19: Malware / APT Blocking. How Does it Work? (diagram)
1. An infected device is brought into the office.
2. Malware spreads to other devices on the network.
3. Malware makes a DNS query to find "home" (botnet / C&C): it calls home via a DNS query.
4. DNS Firewall (in Infoblox DDI) blocks the DNS query by domain name / IP address; the blocked attempt is sent to syslog. Infoblox Reporting lists blocked attempts together with the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease.
Reputation data (malicious domains) comes from the DNS Firewall Subscription and the FireEye Adapter (NX Series).
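Step 4 as an added example for this transcript (not Infoblox code): a query is blocked either because the name (or a parent domain) is on the block list or because a resolved address falls in a blocked network, and the syslog line is enriched from a DHCP lease table. The block lists, lease table and queries are constructed placeholders.

```python
import ipaddress
import json

# Constructed reputation data standing in for a subscription feed (placeholder
# names and documentation ranges, not real indicators). A listed domain also
# covers every subdomain beneath it.
BLOCKED_DOMAINS = {"bad-c2.example", "dga-seed.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed DHCP lease table (client IP -> lease data), as DDI would hold it,
# used to pinpoint the infected device in the log.
DHCP_LEASES = {
    "10.1.2.34": {"mac": "00:11:22:33:44:55", "device": "Windows laptop", "host": "LT-0423"},
}


def domain_blocked(qname):
    """True if qname itself or any parent domain is on the block list."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def answer_blocked(answers):
    """True if any address in the resolved answer lies in a blocked network."""
    return any(ipaddress.ip_address(a) in net
               for a in answers for net in BLOCKED_NETWORKS)


def enrich(client_ip):
    """Attach MAC, device type and host name from the DHCP lease, if known."""
    lease = DHCP_LEASES.get(client_ip, {})
    return {"client_ip": client_ip,
            "mac": lease.get("mac", "unknown"),
            "device": lease.get("device", "unknown"),
            "host": lease.get("host", "unknown")}


def dns_firewall(client_ip, qname, answers):
    """Policy decision for one resolved query: returns (action, syslog_line).
    action is 'allow' or 'block'; the syslog line (None when allowed) carries
    the reason plus the device details needed for remediation."""
    if domain_blocked(qname):
        reason = "blocked-domain"
    elif answer_blocked(answers):
        reason = "blocked-network"
    else:
        return "allow", None
    record = {"action": "block", "reason": reason, "qname": qname, **enrich(client_ip)}
    return "block", "dnsfw: " + json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed queries: a call-home by name, a call-home by address, a clean lookup.
    for q in [("10.1.2.34", "www.bad-c2.example.", ["198.51.100.9"]),
              ("10.1.2.34", "cdn.fresh-name.example", ["203.0.113.77"]),
              ("10.9.9.9", "www.example.com", ["93.184.216.34"])]:
        print(dns_firewall(*q))
```

The second query shows why matching on the answer address matters: a freshly generated name is not on any list yet, but it still resolves into the blocked network.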

Slide 20: Securing DNS From Malware / APT
- DGA: domain-generating-algorithm malware that randomly generates domains to connect to malicious networks or botnets
- Fast Flux: rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location
- APT / Malware: malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye)
- DNS Hijacking: hijacking DNS registry(s) & re-directing users to malicious domain(s)
- Geo-Blocking: blocking access to geographies that have high rates of malicious domains, or that are under US Government economic sanctions

Slide 21: DNS Firewall Protection: Cryptolocker "Ransomware"
- Targets Windows-based computers
- Appears as an attachment to legitimate-looking
- Upon infection, encrypts files on the local hard drive & mapped network drives
- Ransom: 72 hours to pay US$300
- Fail to pay and the encryption key is deleted and the data is gone forever
- The only way to stop it (after the executable has started) is to block the outbound connection to the encryption server

Slide 22: Cryptolocker Timeline and Infoblox Response. DNS Firewall Protection Protects Against Cryptolocker Malware
1. September 13: trial run. Initial roll-out of Cryptolocker started; limited distribution & payment testing. Oct. 8th: full distribution via 'pay per infection'.
2. October 18th: Cryptolocker behaviour fully characterized. Infoblox DNS Firewall Subscription (Infoblox Malware Data Feed) updated with domains & IP addresses. Customers protected.
3. Infoblox DNS Firewall now blocks Cryptolocker encryption servers.
4. DNS Firewall (Infoblox DDI with DNS Firewall, via syslog) logs all attempted connections to Cryptolocker servers, complete with IP and MAC addresses and device type, to drive remediation.
Infoblox DNS Firewall geo-blocks delivered zero-day protection against Cryptolocker by blocking Eastern Europe domains.

Slide 23: DNS Firewall Protection: Yahoo! Ads iframes Re-direct
- Yahoo! Europe websites (ads): iframes injection that exploits older Java software
- Dec. 27th to Jan. 3rd: 27,000 users/hr infected over 4+ days; 2.5M+ infected (estimated)
- Random domains / sub-domains resolve to a single network. IP:
- Installs the following malware: ZeuS, Andromeda, Dorkbot/Ngrbot, advertisement clicking, Tinba/Zusy, Necurs
- Secure DNS blocks DNS resolution to the IP address of the domain server hosting the malware
Path to infection (diagram): Yahoo! ad iframes redirect, then HTTP redirect, then malware installed. Domains involved: blistartoncom.org, slaptonitkons.net, original-filmsonline.com, funnyboobsonline.org, yagerass.org, boxsdiscussing.net, crisisreverse.net, limitingbeyond.net and others

Slide 24: Yahoo! Ads Re-direction Timeline and Infoblox Response. DNS Firewall Protection Protects Against Yahoo! Ads iframes Re-direct
1. December 27th to Jan. 3rd: Yahoo! Ads infected with iframes re-direction. Users are re-directed to domains where Java is exploited to install malware; 27,000/hr infected. All sub-domains share one IP address, which installs various malware: ZeuS, Andromeda, Dorkbot/Ngrbot, advertisement clicking, Tinba/Zusy, Necurs.
2. That IP address has been used previously for other attacks, so DNS Firewall already has it in its table to block (Infoblox Malware Data Feed updated; Infoblox DDI with DNS Firewall; syslog). Customers protected.
3. DNS Firewall logs all attempted connections, complete with IP and MAC addresses, device type, host name and DHCP lease history, to drive remediation.
Infoblox DNS Firewall Subscription service geo-blocks delivered zero-day protection against the Yahoo! malvertising by blocking Europe domains.

Slide 25: Summary
- DNS is the cornerstone of the Internet
- Unprotected DNS infrastructure introduces security risks
- Infoblox Advanced DNS Protection: protects against DNS-based attacks like DDoS, cache poisoning, malformed packets and tunneling
- Infoblox DNS Firewall: detects & protects against APT / malware-based DNS queries designed to get around traditional security; pinpoints the device to drive faster remediation (using Infoblox DDI)

Slide 26: Q&A

Slide 27: Thank you! For more information