Presentation transcript:

1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2015 Infoblox Inc. All Rights Reserved. CONFIDENTIAL
DNS Security with AntiDDoS and AntiMalware for YOUR subscribers
Only with Infoblox hardware appliances
Adam Obszyński,

2 | Why Securing DNS is Critical
Unprotected, DNS increases risk to critical infrastructure and data.
- #1 protocol for volumetric reflection/amplification attacks
- DNS is critical networking infrastructure
- The DNS protocol is easy to exploit and attacks are prevalent
- Traditional security is ineffective against evolving threats

3 | DNS Security Gap
- One of the fastest growing attack vectors
- Easy-to-exploit protocol
- Firewalls and IDS/IPS devices are not focused on DNS threats
- Proliferation of BYOD devices and mobile users, meaning threats may be inside the firewall
- A DNS security layer is needed to complement existing security solutions

4 | DNS Security Challenges
1. Defending against DNS DDoS attacks (Authoritative + Recursive)
2. Stopping APTs/malware from using DNS (Recursive)
3. Preventing data exfiltration via DNS (Recursive)

5 | APTs: The New Threat Landscape
- Malicious traffic is visible on 100% of corporate networks [1]
- Every minute a host accesses a malicious website [1]
- The question isn't if, but when you will be attacked, and how effectively you can respond
- APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data
Operational sophistication of APTs:
- Organized and well funded
- Profile organizations using public data/social media
- Target key POIs via spear phishing
- "Watering hole" target groups on trusted sites
- Leverage tried and true techniques like SQLi, DDoS & XSS
- Coordinated attacks: distract big, strike precisely
Source: [1] Cisco 2014 Annual Security Report

6 | Evolution of DNS DDoS Attacks
DNS-based DDoS attacks are constantly evolving and affect both external and internal DNS servers. Methods range from amplification/reflection, floods and simple NXDOMAIN to highly sophisticated attacks involving botnets, chain reactions and misbehaving domains.
Attack types shown on the timeline: Floods, Cache Poisoning, DNS Hijacking, DNS Tunneling, DrDoS, Basic NXDOMAIN, Random Subdomain, CPE Botnet Based, Domain Lock-up, Phantom Domain

7 | DNS Caching: Protection against attacks on caching servers
Advanced DNS Protection can secure DNS caching servers from DNS floods and other threats.
A large number of bots make more requests of the DNS server than it can handle, which causes the DNS server to drop inbound DNS requests.
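The random-subdomain flood on slide 6 and the bot-driven cache-server overload on this slide leave a recognisable trace in resolver logs: one client producing many distinct non-existent names under a single zone. The detector below is an added example, not Infoblox code; the log line format and the sample lines are constructed, and it distinguishes a flood from an ordinary typo by counting distinct NXDOMAIN names per client and zone within a short window.

```python
"""Detect random-subdomain / NXDOMAIN floods in resolver query logs.
Added example, not Infoblox code. The log format is a constructed
simplification: "<epoch> <client_ip> <qname> <rcode>" per line."""
import re
from collections import defaultdict

# Constructed sample: one client hammering random labels under one zone,
# plus normal traffic and a single typo that also returns NXDOMAIN.
SAMPLE_LOG = """\
1430000000 10.0.0.5 www.example.com NOERROR
1430000001 10.0.0.5 mail.example.com NOERROR
1430000001 10.0.0.9 x7k2q.victim-zone.example NXDOMAIN
1430000001 10.0.0.9 p0a9z.victim-zone.example NXDOMAIN
1430000002 10.0.0.9 q1w2e.victim-zone.example NXDOMAIN
1430000002 10.0.0.9 zz91x.victim-zone.example NXDOMAIN
1430000002 10.0.0.9 k3j4h.victim-zone.example NXDOMAIN
1430000003 10.0.0.7 typo.example.org NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse lines into (ts, client, qname, rcode); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            records.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return records


def parent_zone(qname, labels=2):
    """Drop the leftmost labels so random prefixes collapse onto their zone."""
    parts = qname.split(".")
    return ".".join(parts[-labels:]) if len(parts) > labels else qname


def find_random_subdomain_floods(records, threshold=4, window=5):
    """Return {(client, zone): distinct NXDOMAIN name count} for clients that
    asked for >= threshold distinct non-existent names under one zone within
    `window` seconds of their first NXDOMAIN there. A typo yields one name;
    a flood yields many distinct ones, so the distinct count is the signal."""
    seen = defaultdict(set)   # (client, zone) -> distinct non-existent qnames
    first_ts = {}             # (client, zone) -> first NXDOMAIN timestamp
    for ts, client, qname, rcode in records:
        if rcode != "NXDOMAIN":
            continue
        key = (client, parent_zone(qname))
        first_ts.setdefault(key, ts)
        if ts - first_ts[key] <= window:
            seen[key].add(qname)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}
```

Flagged (client, zone) pairs are candidates for per-client rate limiting of cache misses, which keeps the resolver answering from cache for everyone else.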

8 | How Infoblox Secures DNS

9 | Infoblox and Service Providers
- Dedicated SP Business Unit: dedicated Sales, SEs, Marketing, Engineering, Product Mgmt
- Market leadership: #1 in DNS Caching; first DNS Firewall; competition in decline
- IPO April 2012, NYSE (BLOX); $225M revenue; $2B market cap
- Dedicated SP product line: leads industry with >1M DNS qps and Advanced DDoS protection
- Carrier-grade solution adopted at major Tier 1 providers
- 230+ Service Providers; 55,000+ systems shipped; Enterprises
Chart: Total Revenue (Fiscal Year Ending July 31), 28% CAGR

10 | Hardened DNS Appliances
Conventional Server Approach:
- Multiple open ports: many open ports are subject to attack
- Users have OS-level account privileges on the server
- Requires time-consuming manual updates
Hardened Appliance Approach:
- Limited port access: dedicated hardware with no unnecessary logical or physical ports
- No OS-level user accounts—only admin accounts
- Update service: immediate updates to new security threats
- Secure access: secure HTTPS-based access to device management
- No SSH or root-shell access
- Encrypted device-to-device communication
- Hardware-based security & DNS acceleration

11 | DNS Protection is Not Only About DDoS
Volumetric/DDoS Attacks:
- DNS reflection
- DNS amplification
- TCP/UDP/ICMP floods
- NXDOMAIN attack
- Phantom domain attack
- Random subdomain attack
- Domain lockup attack
DNS-specific Exploits:
- DNS-based exploits
- DNS cache poisoning
- DNS tunneling
- Protocol anomalies
- Reconnaissance
- DNS hijacking

12 | Protection Against DNS Attacks
Diagram: traffic from the INTERNET passes the firewall to Infoblox Internal DNS Security in the ENTERPRISE, which is fed by the Infoblox Automated Threat Intelligence Service. Legitimate traffic is answered; DNS DDoS and DNS tunneling attempts are detected and dropped.
DNS attacks detected & dropped: DNS reflection, DNS amplification, TCP/UDP/ICMP floods, NXDOMAIN attack, phantom domain attack, random subdomain attack, domain lockup attack, DNS-based exploits, DNS cache poisoning, DNS tunneling, malformed DHCP requests

13 | Security Built-in to the DNS Infrastructure
DNS Server Security on Infoblox PT-Appliances:
- Protection against DNS threats
- Serve DNS queries under attack
Use Cases:
- Enterprise Customers: external authoritative DNS server; internal DNS for enterprises / universities with open networks
- Service Providers: recursive caching; authoritative DNS services
Traditional security appliances mitigate only part of the attacks against DNS.

14 | Protection Against APTs/Malware: DNS Firewall
1. An infected device is brought into the office. Malware spreads to other devices on the network.
2. Malware makes a DNS query to find "home" (botnet / C&C). DNS Firewall looks at the DNS response and takes admin-defined action (disallows communication to the malware site or redirects traffic to a landing page or "walled garden" site).
3. Pinpoint. Infoblox Reporting lists the DNS Firewall action as well as the: device IP address, device MAC address, device type/OS (DHCP fingerprint), device host name, device lease history, AD login name, switch/port/VLAN.
4. An update will occur every 2 hours (or more often for a significant threat).
Diagram labels: Infoblox threat update (device IPs, domains, etc. of bad servers); blocked communication attempt sent to Syslog; Malware/APT spreads within the network and calls home (INTRANET to INTERNET).
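Step 2 above is a response-policy decision: match the queried name (or the IP in the answer) against a threat feed, then block, redirect to a walled garden, or allow, and log the attempt. The code below is an added example of that logic, not Infoblox code; the feed entries, client addresses and the "answer as a list of A-record IPs" model are constructed, and the actions follow RPZ-style conventions (nxdomain, nodata, passthru, redirect).

```python
"""RPZ-style DNS firewall decision logic (added example, not Infoblox code).
Feed entries and client addresses are constructed; a resolver answer is
modelled as a list of A-record IP strings."""
import ipaddress

# Constructed feed: trigger domain -> RPZ-style action ("nxdomain", "nodata",
# "passthru", or a hostname to redirect to, e.g. a walled-garden page).
THREAT_DOMAINS = {
    "c2.badhost.example": "nxdomain",
    "*.dga-family.example": "walledgarden.corp.example",
    "cdn.trusted-partner.example": "passthru",
}
# Constructed feed of malicious server networks (answer-IP trigger).
THREAT_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def match_domain(qname):
    """Exact feed entry first, then wildcard entries for each ancestor."""
    name = qname.lower().rstrip(".")
    if name in THREAT_DOMAINS:
        return name, THREAT_DOMAINS[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in THREAT_DOMAINS:
            return wildcard, THREAT_DOMAINS[wildcard]
    return None, None


def match_answer(answers):
    """First answer IP inside a listed malicious network, else None."""
    for ip in answers:
        if any(ipaddress.ip_address(ip) in net for net in THREAT_NETWORKS):
            return ip
    return None


def decide(qname, answers, client_ip):
    """Return (result, log_line): result is ALLOW, NXDOMAIN, NODATA or
    REDIRECT:<host>; log_line is a syslog-style record (None when allowed).
    Name triggers win over answer-IP triggers, so a passthru entry
    whitelists a name even when its answer IP is listed."""
    rule, action = match_domain(qname)
    trigger = "qname"
    if action == "passthru":
        return "ALLOW", None
    if action is None:
        bad_ip = match_answer(answers)
        if bad_ip is None:
            return "ALLOW", None
        rule, action, trigger = bad_ip, "nxdomain", "answer-ip"
    result = {"nxdomain": "NXDOMAIN", "nodata": "NODATA"}.get(action, "REDIRECT:" + action)
    log = (f"dns-firewall client={client_ip} qname={qname} "
           f"trigger={trigger} rule={rule} action={result}")
    return result, log
```

The log line carries the client IP so the reporting step (3) can join it to DHCP lease and switch-port data; forwarding it to syslog is what makes the blocked attempt visible to the SOC.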

15 | DNS can make a huge difference!

16 | Web Delay – Sample
Fast web performance starts with DNS…
Sample page: 300+ objects, 60+ domains

17 | Web Delay – Sample 2
Fast web performance starts with DNS…
Two components to DNS latency:
- Latency between client and server
- Caching name servers: cache misses, under-provisioning, malicious traffic

18 | Devices vs Solutions: Self-made vs Dedicated
A dedicated DNS cache appliance does not stop answering queries from cache when capacity limits are reached for cache misses, NXDOMAIN queries etc.
Chart: BIND vs Infoblox 4030 DNS Cache, average latency (seconds)

19 | Advanced Appliances Come in Four Physical Platforms
Advanced Appliances have next-generation programmable processors that provide dedicated compute for threat mitigation. The appliances offer both AC and DC power supply options.
Performance: qps / qps / qps / 300k / 600k qps (per platform; SP & Enterprise, SP / ISP subscribers, DNS caching). Hardware based!

20 | Test Us! Find DNS Threats in your Network

21 | Send Us Your PCAP Files
- Infoblox analyzes and provides insights on malicious activity in seconds
- Report on findings to take back to management

22 | How to deploy + Case Study from Poland

23 | Cable SP: huge attacks
Press info about the ISP being down for 8 days!

24 | Design: system topology

25 | First month stats: blocked 6M events with multiple risk levels

26 | CHR vs CPU vs User Experience == NO CHURN
Chart: Cache Hit Ratio, Resources, User experience

27 | Secure DNS Deployment
Diagram (INTERNET / DMZ / INTRANET):
- External authoritative DNS in the DMZ, behind the firewall, with Infoblox External DNS Security: legitimate traffic is served; DNS DDoS and DNS exploits from external attackers are blocked.
- Internal recursive caching server (Infoblox DNS Caching Server) with Infoblox Internal DNS Security: legitimate DNS queries are served; DNS DDoS, data exfiltration attempts and Malware/APT communication are blocked.
- Infoblox Automated Threat Update Service supplies rule updates for DNS-based attacks to the external server and updates for DNS-based attacks and malicious domains to the internal server.
- Both servers send data for reports to the Infoblox Reporting Server.

28 | Q&A

29 | Infoblox Differentiation and Value
Comparison of Infoblox Advanced DNS Protection against Load Balancers, Pure DDoS, Next-gen Firewalls, IPS and Cloud on:
- Dedicated compute for threat mitigation
- Volumetric/DDoS Attacks: general DDoS, DNS DDoS, DNS amplification, DNS reflection, NXDOMAIN
- DNS server OS and application vulnerabilities
- DNS-specific Exploits: DNS semantic attacks, cache poisoning, DNS tunneling, DNS hijacking