1 | © 2013 Infoblox Inc. All Rights Reserved. Securing DNS Infrastructure Srikrupa Srivatsan | Senior Product Marketing Manager August 2014.

Presentation transcript:


2 | Agenda
- Securing the DNS Platform
- Defending Against DNS Attacks
- Malware/APT Exploits of DNS
- DNS Security Challenges
- Infoblox Overview
- Infoblox Secure DNS Solution

3 | About Infoblox
- Founded in 1999
- Headquartered in Santa Clara, CA with global operations in 25 countries
- Market leadership: DDI Market Leader (Gartner); 50% DDI Market Share (IDC)
- 7,300+ customers; 74,000+ systems shipped to 100 countries
- 45 patents, 27 pending
- IPO April 2012: NYSE BLOX
- Leader in technology for network control
- Chart: Total Revenue ($MM), fiscal year ending July 31; 30% CAGR

4 | Infoblox: Technology for Network Control
Diagram labels:
- Network infrastructure: firewalls, switches, routers, web proxy, load balancers
- Apps & end-points: end points, virtual machines, private cloud, applications
- Control plane: Infoblox Grid™ w/ Real-time Network Database
- Historical / Real-time Reporting & Control
- Infrastructure Security

5 | Why is DNS an Ideal Target?
- DNS is the cornerstone of the Internet, used by every business/government
- DNS as a protocol is easy to exploit
- DNS outage = business downtime
- Traditional protection is ineffective against evolving threats

6 | DNS Security Challenges
1. Securing the DNS Platform
2. Defending Against DNS Attacks
3. Preventing Malware from using DNS

7 | Securing the DNS Platform

8 | Hacks of DNS – 2013 & 2014

9 | Security Risks with Conventional Approach
DNS installed on off-the-shelf server:
- Many open ports subject to attack
- Users have OS-level account privileges on server
- No visibility into good vs. bad traffic
- Requires time-consuming manual updates
- Requires multiple applications for device management
Diagram label: Multiple Open Ports

10 | Secure DNS - Purpose Built Appliance and OS
- Minimal attack surfaces
- Active/Active HA & DR recovery
- Common Criteria Certification
- FIPS Compliance
- Encrypted inter-appliance communication
- Centralized management with role-based control
- Secured access, communication & API
- Detailed audit logging
- Fast/easy upgrades

11 | Defending Against DNS Attacks

12 | The Rising Tide of DNS Threats
- In the last year alone there has been an increase of 200% in DNS attacks [1] and 58% in DDoS attacks [1]
- With possible amplification up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge
- 33M: number of open recursive DNS servers [2]
- 28M: pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks [2]
- 2M: with enterprise level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant
- Financial impact is huge. Avg estimated loss per DDoS event (sectors shown: Financial services, Technology company, Government; values shown: $7.7M, $13.6M, $17M)
- $27 million: the average loss for a 24-hour outage from a DDoS attack [3]
- Top Industries Targeted [4]:
  - Enterprise 42% (Business Services 21%, Financial Services 13%, Miscellaneous 5%, Healthcare 2%, Automotive 1%)
  - Commerce 29% (Retail 22%, Hotels 5%, Consumer Goods 2%)
  - Media & Entertainment 17%
  - High Tech 7%
  - Public Sector 5%
Sources:
1. Quarterly Global DDoS Attack Report, Prolexic, 4th Quarter
3. Develop A Two-Phased DDoS Mitigation Strategy, Forrester Research, Inc. May 17
4. State of the Internet, Akamai, 2nd Quarter, 2013

13 | Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
How the attack works:
- Combines reflection and amplification
- Uses third-party open resolvers in the Internet (unwitting accomplice)
- Attacker sends spoofed queries to the open recursive servers
- Uses queries specially crafted to result in a very large response
- Causes DDoS on the victim’s server
Diagram labels: Attacker; Internet; Spoofed Queries; Open Recursive Servers; Amplified Reflected Packets; Target Victim

14 | DNS Protection is Not Just About DDoS
The slide groups the following attack types under two headings, Volumetric/DDoS Attacks and DNS-specific Exploits:
- DNS reflection/DrDoS attacks: using third-party DNS servers (mostly open resolvers) to propagate a DoS or DDoS attack
- DNS amplification: using a specially crafted query to create an amplified response to flood the victim with traffic
- TCP/UDP/ICMP floods: denial of service on layer 3 or 4 by bringing a network or service down by flooding it with large amounts of traffic
- DNS-based exploits: attacks that exploit bugs or vulnerabilities in the DNS software
- DNS cache poisoning: corruption of DNS server cache data with a rogue domain or IP
- Protocol anomalies: causing the server to crash by sending malformed DNS packets and queries
- Reconnaissance: attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
- DNS tunneling: tunneling of another protocol through DNS port 53 for malware insertion and/or data exfiltration
- DNS hijacking: modifying the DNS record settings to point to a rogue DNS server or domain
- NXDomain attack: attacks that flood DNS server with requests for non-existent domains, causing it to send NXDomain (non-existent domain) responses
- Phantom domain attack: attacks where a DNS resolver is forced to resolve multiple non-existent domains, causing it to consume resources while waiting for responses
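
An added example, not part of the original slides or of any Infoblox product: a resolver-side check for two of the patterns described on slides 13 and 14 (amplified reflected responses and NXDomain floods), run over constructed log records. The record layout, thresholds and label names are assumptions.

```python
from collections import defaultdict

# Constructed resolver log records (documentation IP ranges, not real traffic):
# (source_ip, qname, qtype, query_bytes, response_bytes, rcode)
SAMPLE_LOG = (
    # Small ANY queries drawing very large answers toward one "client".
    [("203.0.113.7", "example.com", "ANY", 64, 3200, "NOERROR")] * 6
    # Many lookups for names that do not exist.
    + [("198.51.100.9", f"x{i}.example.net", "A", 70, 120, "NXDOMAIN") for i in range(6)]
    # Ordinary client: mostly successful lookups, one typo.
    + [("192.0.2.10", "www.example.org", "A", 60, 90, "NOERROR")] * 5
    + [("192.0.2.10", "wwww.example.org", "A", 61, 110, "NXDOMAIN")]
)

def summarize(records):
    """Aggregate per-source query count, byte totals and NXDOMAIN count."""
    stats = defaultdict(lambda: {"queries": 0, "q_bytes": 0, "r_bytes": 0, "nx": 0})
    for src, _qname, _qtype, q_bytes, r_bytes, rcode in records:
        s = stats[src]
        s["queries"] += 1
        s["q_bytes"] += q_bytes
        s["r_bytes"] += r_bytes
        s["nx"] += rcode == "NXDOMAIN"
    return stats

def classify(records, amp_ratio=10.0, nx_ratio=0.8, min_queries=5):
    """Label sources whose traffic matches the two patterns.

    Thresholds are illustrative assumptions; tune them against a baseline.
    """
    findings = {}
    for src, s in summarize(records).items():
        if s["queries"] < min_queries:
            continue  # too few samples to judge
        labels = []
        # With spoofed queries the "source" is the victim receiving the answers.
        if s["r_bytes"] / s["q_bytes"] >= amp_ratio:
            labels.append("possible-amplification-target")
        if s["nx"] / s["queries"] >= nx_ratio:
            labels.append("possible-nxdomain-flood")
        if labels:
            findings[src] = labels
    return findings

if __name__ == "__main__":
    for src, labels in classify(SAMPLE_LOG).items():
        print(src, labels)
```
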

15 | Defend Against Attacks
Diagram labels:
- Infoblox Threat-rule Server; Automatic Updates (Threat Adapt)
- Advanced DNS Protection (External DNS); Advanced DNS Protection (Internal DNS)
- Grid-wide rule distribution
- Reporting Server; Data for Reports; Reports on attack types, severity
- Traffic shown: Amplification, Cache Poisoning, Reconnaissance, DNS Exploits, Legitimate Traffic

16 | Deployment Options: External
Diagram labels:
- Internet; DMZ; Intranet; Datacenter; Campus/Regional
- Grid Master and Candidate (HA)
- Advanced DNS Protection
- Traffic shown: Reconnaissance, Amplification, Exploits, Cache Poisoning, Legitimate Traffic

17 | Deployment Options: Internal
Diagram labels:
- Intranet; Endpoints; Datacenter; Campus/Regional
- Grid Master and Candidate (HA)
- Advanced DNS Protection
- Traffic shown: Amplification, Exploits, Legitimate Traffic

18 | Preventing Malware from using DNS

19 | Security Breaches Using Malware / APT
Timeline graphic by quarter: Q1, Q2, Q3, Q4

20 | Real World Example: Cryptolocker “Ransomware”
- Targets Windows-based computers
- Appears as an attachment to legitimate-looking email
- Upon infection, encrypts files: local hard drive & mapped network drives
- Ransom: 72 hours to pay $300 US
- Fail to pay and the encryption key is deleted and data is gone forever
- Only way to stop (after executable has started) is to block outbound connection to encryption server

21 | Anatomy of an Attack: GameOver Zeus (GOZ)
- 500,000 to 1M infections worldwide
- Top countries affected: US (13%), Italy (12%), UAE (8%)
- Top industry targeted: Financial Services
- Highly sophisticated and hard to track
- Uses peer-to-peer (P2P) communication to control infected devices or botnet
- Upon infection, it monitors the machine for finance-related information
- Takes control of private online transactions and diverts funds to criminal accounts
- Hundreds of millions of dollars stolen
- Responsible for distribution of Cryptolocker
- Infected systems can be used for DDoS attacks

22 | Blocking Malware/APT
Sequence shown on the slide:
- An infected device brought into the office. Malware spreads to other devices on network.
- Malware makes a DNS query to find “home” (botnet / C&C).
- DNS Firewall blocks DNS query (by domain name / IP address).
- Blocked attempt sent to Syslog.
- Infoblox Reporting lists blocked attempts as well as the: IP address, MAC address, device type (DHCP fingerprint), host name, DHCP lease history.
Reputation data comes from:
- DNS Firewall Subscription Svc
- FireEye Adapter (NX Series)
Diagram labels: Malicious domains; Infoblox DDI with DNS Firewall; Malware / APT spreads within network; Calls home
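
An added example, not Infoblox code: the blocking decision described above (by domain name or by IP address, with the blocked attempt logged), showing why domain matching has to respect label boundaries. The policy entries, function names and log line format are constructed for illustration.

```python
import ipaddress

# Constructed policy data (assumptions, not a real reputation feed).
BLOCKED_DOMAINS = {"c2.example", "bad.example.net"}
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def normalize(qname):
    """Lower-case and strip the trailing root dot so comparisons are stable."""
    return qname.rstrip(".").lower()

def matched_domain(qname):
    """Return the blocklist entry that matches qname on a label boundary."""
    labels = normalize(qname).split(".")
    # Try the full name, then each parent domain: a.b.c, b.c, c.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None

def matched_net(answers):
    """Return the blocked network containing any answer address, else None."""
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        for net in BLOCKED_NETS:
            if ip in net:
                return str(net)
    return None

def decide(client_ip, qname, answers):
    """Return (action, log_line); log_line is None when the query is allowed."""
    rule = matched_domain(qname)
    reason = f"domain={rule}" if rule else None
    if reason is None:
        net = matched_net(answers)
        reason = f"ip={net}" if net else None
    if reason is None:
        return "ALLOW", None
    line = f"dns-firewall: BLOCK client={client_ip} qname={normalize(qname)} {reason}"
    return "BLOCK", line

if __name__ == "__main__":
    print(decide("192.0.2.10", "Beacon.C2.Example.", []))
    print(decide("192.0.2.10", "notc2.example", ["198.51.100.5"]))
    print(decide("192.0.2.11", "cdn.example.org", ["203.0.113.44"]))
```
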

23 | Malware / APT We Block
- DGA: domain generating algorithm malware that randomly generates domains to connect to malicious networks or botnets
- Fast Flux: rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location
- APT / Malware: malware designed to spread, morph and hide within IT infrastructure to perpetrate a long term attack (FireEye)
- DNS Hijacking: hijacking DNS registry(s) & re-directing users to malicious domain(s)
- Geo-Blocking: blocking access to geographies that have rates of malicious domains or Economic Sanctions by US Government

24 | Take the DNS Security Risk Assessment
1. Analyzes your organization’s DNS setup to assess level of risk of exposure to DNS threats
2. Provides DNS Security Risk Score and analysis based on answers given
3. Higher score = higher DNS security risk!!

25 | In Review
- DNS is critical infrastructure
- Unprotected DNS infrastructure introduces serious security risks
- Infoblox Secure DNS Solution protects critical DNS services:
  - Hardened Appliance & OS: Secure the DNS Platform
  - Infoblox Advanced DNS Protection: Defend Against DNS Attacks
  - Infoblox DNS Firewall: Prevents Malware/APT from Using DNS

26 | Thank you! For more information