ENOG-7 27 May 2014 Moscow Marriott Grand Hotel, Moscow, Russia IPv6 Golden Networks Jeroen Massar, Farsight Security, Inc. A watchful eye.

Presentation transcript:

ENOG-7, 27 May 2014, Moscow Marriott Grand Hotel, Moscow, Russia
IPv6 Golden Networks
Jeroen Massar, Farsight Security, Inc.
A watchful eye on DNS

Jeroen Massar – ENOG-7 ::2 Farsight Security, Inc.
CEO: Dr. Paul Vixie
Team based in US, Canada and Switzerland
Security defense and insight based on DNS
Major projects:
–SIE (Security Information Exchange)
–DNSDB (DNS Database)

Jeroen Massar – ENOG-7 ::3 Simplified DNS Overview

Jeroen Massar – ENOG-7 ::4 Response Rate Limiting (RRL)
NTP DDoS attacks are common and big, as the amplification factor is large, there is a large number of open recursors, and a large number of networks allow spoofing.
RRL limits the number of unique responses returned by a DNS server per e.g. IPv4 /24 or IPv6 /48.
RRL makes an informed decision; simple IP-based rate limiting would just randomly drop queries.
Implemented in: NSD, BIND, Knot, more coming.
Credits: Paul Vixie & Vernon Schryver
More details:

Jeroen Massar – ENOG-7 ::5 RRL Example
BIND configuration, in the options section of the configuration:
    rate-limit {
        responses-per-second 15;
        window 5;
    };
Graph courtesy of Peter Losher / ISC: F-Root, when they enabled RRL on their Amsterdam node
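As an added illustration of the per-prefix decision RRL makes (example code written for this transcript, not BIND's or NSD's implementation; the credit-bucket logic is a simplification of the real algorithm), using the 15 responses per second and 5-second window from the slide:

```python
import ipaddress

class ResponseRateLimiter:
    """Simplified credit-bucket model of DNS RRL (not BIND's actual code).

    Identical responses (same client prefix, same qname, same rcode) share one
    bucket, so spoofing many source addresses inside one /24 does not help."""

    def __init__(self, responses_per_second=15, window=5, v4_prefix=24, v6_prefix=48):
        self.rps = responses_per_second
        self.max_credits = responses_per_second * window  # burst allowed over the window
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.state = {}  # bucket key -> (credits, time of last update)

    def bucket(self, client_ip):
        """Collapse a client address to its /24 (IPv4) or /48 (IPv6) network."""
        ip = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def allow(self, client_ip, qname, rcode, now):
        """Return True if this response may be sent at time `now` (seconds)."""
        key = (self.bucket(client_ip), qname.lower().rstrip("."), rcode)
        credits, last = self.state.get(key, (self.max_credits, now))
        # Refill at responses_per_second, capped at the window's burst size.
        credits = min(self.max_credits, credits + (now - last) * self.rps)
        if credits >= 1:
            self.state[key] = (credits - 1, now)
            return True
        self.state[key] = (credits, now)  # drop (real RRL may instead "slip" a TC reply)
        return False

def simulate_reflection(limiter, victim_prefix="203.0.113", count=100, now=0.0):
    """Constructed scenario: `count` spoofed queries for one name from hosts in one /24."""
    sent = dropped = 0
    for i in range(count):
        src = f"{victim_prefix}.{i % 254 + 1}"
        if limiter.allow(src, "example.com", "NOERROR", now):
            sent += 1
        else:
            dropped += 1
    return sent, dropped

if __name__ == "__main__":
    rrl = ResponseRateLimiter(responses_per_second=15, window=5)
    print(simulate_reflection(rrl))                     # (75, 25): burst of 75, rest dropped
    print(simulate_reflection(rrl, now=1.0, count=20))  # (15, 5): one second refilled
```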

Jeroen Massar – ENOG-7 ::6 BCP38

Jeroen Massar – ENOG-7 ::7 Response Policy Zone (RPZ)
Website with more details:
Also dubbed "DNS Firewalls"
Rules are carried in standard DNS zones
Using IXFR, NOTIFY and TSIG, zone updates are distributed automatically and efficiently to stealth secondaries
Depending on the rule, a different response might be returned than the real one

Jeroen Massar – ENOG-7 ::8 RPZ: Rule Types
Rules:
–If the name being looked up is W.
–If the response contains any IP address in range X.
–If a listed name server name is Y.
–If any returned name server IP address is in range Z.

Jeroen Massar – ENOG-7 ::9 RPZ Actions
–Synthesize NXDOMAIN: CNAME .
–Synthesize NODATA: CNAME *.
–Synthesize an answer: e.g. a CNAME, or AAAA 2001:db8::42
–Answer with the truth: by not having an entry.

Jeroen Massar – ENOG-7 ::10 RPZ Examples
BIND configuration options to enable 3 RPZ feeds:
    response-policy {
        zone "dns-policy.vix.com";
        zone "rpz.deteque.com";
        zone "rpz.surbl.org";
        zone "rpz.spamhaus.org";
        zone "rpz.iidrpz.net";
    };
Note that RPZ servers are ACL'd, hence you need the operator's permission to get access to the data.

Jeroen Massar – ENOG-7 ::11 DNS Query Collection
Useful for determining what sites are visited / looked up
Can indicate that a client in the network is connecting to a known botnet C&C, when the botnet uses DNS

Jeroen Massar – ENOG-7 ::12 Query Logging
DNS server logs queries to disk (file or syslog)
Slows the DNS server itself down, as syslog/file writing is typically a blocking operation
Text-based, thus requires formatting/parsing and the overhead of ASCII
All details that are not logged are lost

Jeroen Massar – ENOG-7 ::13 Passive DNS
Use a hub, mirror port etc. to sniff the interface of the DNS server, collecting DNS responses
Full packet details, which need to be parsed
Requires TCP reassembly and UDP fragment reassembly
No performance impact on the actual DNS server
Can be done below and above the recursive resolver

Jeroen Massar – ENOG-7 ::14 dnstap
The best of Query Logging + Passive DNS: dnstap
Patch the DNS server to support logging using dnstap
Duplicates the internal parsed DNS format message
Uses circular queues & non-blocking logging techniques: minimal performance hit on the DNS server
Implemented in BIND, Unbound, Knot DNS and more
Documentation / Tutorials / Mailing list / Code:
Design & Implementation: Robert Edmonds

Jeroen Massar – ENOG-7 ::15 DNSTap Big Overview

Jeroen Massar – ENOG-7 ::16 DNS Database (DNSDB)
Central repository of data from Passive DNS collectors
Web-based query interface
API access for integration in various investigative tools

Jeroen Massar – ENOG-7 ::17

Jeroen Massar – ENOG-7 ::18

Jeroen Massar – ENOG-7 ::19 Malicious Domains Lifecycle
Registration → Hosting → Propagation → Payload Delivery → Blocking

Jeroen Massar – ENOG-7 ::20 Newly Observed Domains
Zone File Access (ZFA) as provided by the TLD operator (ICANN Base Registry Agreement)
ZFA is not available for e.g. ccTLDs, .mil etc.
ZFA is only published every 24 hours
Might miss domains that are registered and removed again inside that period (e.g. domain tasting)
Hence: look at DNSDB, as it knows what is being queried.
If a domain has not been seen for the last 10 days: Newly Observed Domain!
Newly Observed Domains (NOD) are published as an RPZ zone
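An added example (not Farsight's NOD pipeline) of the 10-day rule applied to constructed passive DNS observations and turned into RPZ qname rules; the registrable-domain step is simplified to the last two labels, where a real pipeline would use a public suffix list:

```python
from datetime import datetime, timedelta

def base_domain(qname):
    """Registrable domain of a query name (simplified: last two labels)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

class NodDetector:
    """Flag a domain when first seen, or when it reappears after `window` of silence."""

    def __init__(self, window=timedelta(days=10)):
        self.window = window
        self.last_seen = {}  # base domain -> time of the most recent observation

    def observe(self, ts, qname):
        dom = base_domain(qname)
        prev = self.last_seen.get(dom)
        self.last_seen[dom] = ts
        if prev is None or ts - prev >= self.window:
            return dom  # newly observed domain
        return None

def detect_nod(observations, window=timedelta(days=10)):
    """Replay (timestamp, qname) observations in time order; return (timestamp, domain) hits."""
    det = NodDetector(window)
    events = []
    for ts, qname in sorted(observations):
        dom = det.observe(ts, qname)
        if dom is not None:
            events.append((ts, dom))
    return events

def nod_rpz_records(events):
    """Render NOD hits as RPZ rules synthesizing NXDOMAIN for the domain and its subdomains."""
    seen, lines = set(), []
    for _, dom in events:
        if dom not in seen:
            seen.add(dom)
            lines += [f"{dom} CNAME .", f"*.{dom} CNAME ."]
    return lines

# Constructed passive DNS observations (not real DNSDB data).
T0 = datetime(2014, 5, 1)
SAMPLE = [
    (T0, "www.example.com"),
    (T0 + timedelta(days=1), "mail.example.com"),
    (T0 + timedelta(days=2), "cdn.new-site.example"),
    (T0 + timedelta(days=12), "www.example.com"),  # silent for 11 days: observed anew
]
```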

Jeroen Massar – ENOG-7 ::21 Questions? Jeroen Massar