Slide 1: Domain Name System (DNS): Network Security Asset or Achilles Heel?
Arya Barirani, VP Product Marketing, Infoblox. November 2014
Slide 2: Agenda
What is DNS and how does it work?
Threat landscape trends
Common attack vectors
Anatomy of an attack: DNS hijacking
Anatomy of an attack: reflection attack
Anatomy of an attack: DNS DDoS
How to protect yourself
Q & A
Slide 3: What is the Domain Name System (DNS)?
The address book for all of the Internet: it translates “google.com” to an IP address.
Invented in 1983 by Paul Mockapetris (UC Irvine).
Without DNS, the Internet and network communications would stop.
Slide 4: How Does DNS Work?
Diagram: a client resolving www.google.com through the ISP DNS server and the root DNS server.
Client: “I need directions to www.google.com.”
ISP DNS server: “That domain is not in my server, I will ask another DNS server.”
Root DNS server: “That’s in my cache, it maps to:” (address not shown)
ISP DNS server: “Great, I’ll put that in my cache in case I get another request.”
Client: “Great, now I know how to get to www.google.com.”
Slide 5: For Bad Guys, DNS Is a Great Target
DNS is the cornerstone of the Internet, used by every business and government.
DNS is fairly easy to exploit.
Traditional protection is ineffective against evolving threats.
DNS outage = business downtime.
Slide 6: The Rising Tide of DNS Threats. Are You Prepared?
200%: increase in DNS attacks in the last year alone (1).
58%: increase in DDoS attacks in the last year alone (1).
100x: possible amplification on a DNS attack; the amount of traffic delivered to a victim can be huge.
28M: open recursive servers pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks (2).
2M: with enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant.
33M: number of open recursive DNS servers (2).
1. Quarterly Global DDoS Attack Report, Prolexic, 1st Quarter.
Slide 7: The Rising Tide of DNS Threats
DNS attacks are rising for 3 reasons:
1. Easy to spoof
2. Asymmetric amplification
3. High-value target
Countries of origin for the most DDoS attacks in the last year: China, US, Brazil, Russia, France, India, Germany, Korea, Egypt, Taiwan.
Slide 8: DNS Attack Vectors
Slide 9: The DNS Security Challenges
1. Securing the DNS platform
2. Defending against DNS attacks (DDoS / cache poisoning)
3. Preventing malware from using DNS
Slide 10: Anatomy of an Attack: Syrian Electronic Army
Slide 11: Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
How the attack works:
Combines reflection and amplification.
Uses third-party open resolvers in the Internet (unwitting accomplices).
The attacker sends spoofed queries to the open recursive servers.
Uses queries specially crafted to result in a very large response.
The reflected, amplified packets cause a DDoS on the victim’s server.
Diagram actors: Attacker, Spoofed Queries, Open Recursive Servers (Internet), Reflected Amplified Packets, Target Victim.
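The defence for a server that is being used as the “unwitting accomplice” above is response rate limiting: identical answers to one spoofed source address in bursts are the signature of reflection, and the server stops sending them. The Go program below, added here as an example and not code from the slides or from Infoblox, models that decision and the amplification factor it is protecting against; the event data and addresses are constructed.

```go
package main

import "fmt"

// Action is what response rate limiting (RRL) decides for one outgoing answer.
type Action int

const (
	Send Action = iota // under the limit: answer normally
	Slip               // over the limit: reply with TC=1 so a real client retries over TCP
	Drop               // over the limit and not a slip slot: discard
)
// Event is one response about to leave the server (constructed sample data, not from
// the page). Client is the source IP, which a reflection attacker spoofs to the
// victim's address; QBytes and RBytes are the query and response packet sizes.
type Event struct{ Sec int; Client, QName string; QBytes, RBytes int }

// AmpFactor is response bytes per query byte: what a reflector hands the victim.
func AmpFactor(e Event) float64 { return float64(e.RBytes) / float64(e.QBytes) }
// Limiter keys on (client, name): bursts of identical answers to one address are the
// signature of reflector abuse, while genuine clients rarely repeat a query.
type Limiter struct{ PerSec, SlipRate, curSec int; counts map[string]int }

func NewLimiter(perSec, slipRate int) *Limiter {
	return &Limiter{PerSec: perSec, SlipRate: slipRate, counts: map[string]int{}}
}

// Decide returns the RRL action for e, starting a fresh counting window each second.
func (l *Limiter) Decide(e Event) Action {
	if e.Sec != l.curSec {
		l.curSec, l.counts = e.Sec, map[string]int{}
	}
	key := e.Client + "|" + e.QName
	l.counts[key]++
	excess := l.counts[key] - l.PerSec
	if excess <= 0 {
		return Send
	}
	if l.SlipRate > 0 && excess%l.SlipRate == 0 {
		return Slip // every SlipRate-th excess answer is truncated rather than dropped
	}
	return Drop
}

func main() { // a burst of five identical 80x-amplifying queries within one second
	l, e := NewLimiter(2, 2), Event{Sec: 1, Client: "203.0.113.9", QName: "example.com.", QBytes: 40, RBytes: 3200}
	for i := 0; i < 5; i++ {
		fmt.Printf("answer %d amp=%.0fx action=%d\n", i+1, AmpFactor(e), l.Decide(e))
	}
}
```

The slip response matters in practice: a legitimate client whose address was spoofed still gets a truncated answer and falls back to TCP, where spoofing the source is not possible.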
Slide 12: Anatomy of an Attack: DNS DDoS For Hire
DDoS attacks against major U.S. financial institutions.
Launching DDoS taking advantage of server bandwidth.
4 types of DDoS attacks: DNS amplification, spoofed SYN, spoofed UDP, HTTP+ proxy support.
Script offered for $800.
Slide 13: The Rising Tide of DNS Threats: Top 10 DNS Attacks
1. TCP/UDP/ICMP floods: flood the victim’s network with large amounts of traffic.
2. DNS amplification: use amplification in the DNS reply to flood the victim.
3. DNS cache poisoning: corruption of a DNS cache database with a rogue address.
4. Protocol anomalies: malformed DNS packets causing the server to crash.
5. DNS tunneling: tunneling of another protocol through DNS for data exfiltration.
6. DNS hijacking: subverting resolution of DNS queries to point to a rogue DNS server.
7. DNS-based exploits: exploit vulnerabilities in DNS software.
8. Reconnaissance: probe to get information on the network environment before launching an attack.
9. DNS reflection/DrDoS: use third-party DNS servers to propagate a DDoS attack.
10. Fragmentation: traffic with lots of small, out-of-order fragments.
Slide 14: Protection Best Practices
Slide 15: Advanced DNS Protection. Help Is On the Way!
DNSSEC, collaboration, dedicated appliances, RPZ, monitoring, Advanced DNS Protection.
Slide 16: Get the Teams Talking (Network Team, Security Team, IT Apps Team, IT Ops Team). Questions to ask:
Who in your org is responsible for DNS security?
What methods, procedures and tools do you have in place to detect and mitigate DNS attacks?
Would you know if an attack was happening, and would you know how to stop it?
Slide 17: Hardened DNS Appliances
Conventional server approach:
Multiple open ports: many open ports subject to attack.
Users have OS-level account privileges on the server.
Requires time-consuming manual updates.
Hardened appliance approach:
Limited port access: dedicated hardware with no unnecessary logical or physical ports.
No OS-level user accounts, only admin accounts; no SSH or root-shell access.
Threat update service: immediate updates to new security threats.
Secure access: secure HTTPS-based access to device management; encrypted device-to-device communication.
Slide 18: Monitoring & Alert on Aggregate Query Rate
Slide 19: DNSSEC (DNS Security Extensions) Fixes the Kaminsky Vulnerability
Uses public key cryptography to verify the authenticity of DNS zone data (records).
DNSSEC zone data is digitally signed using a private key for that zone.
A DNS server receiving DNSSEC-signed zone data can verify the origin and integrity of the data by checking the signature using the public key for that zone.
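A minimal model of the signing and validation the slide describes, added here as an example rather than code from the slides or from Infoblox: Ed25519 keys from Go’s standard library stand in for the zone’s key pair, a simplified canonical text form stands in for RFC 4034 wire-format canonicalisation (an assumption), and the zone data is constructed. The point it shows is the Kaminsky case: a forged answer injected into a cache carries no valid signature, so a validating resolver rejects it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record. DNSSEC signs a whole RRset (all records
// with one name and type), not individual records.
type RR struct{ Name, Type, Data string }

// canonical renders an RRset in a fixed order so signer and validator hash the same
// bytes. This is a stand-in for RFC 4034 canonical form (assumption), not wire format.
func canonical(rrset []RR) []byte {
	lines := make([]string, len(rrset))
	for i, rr := range rrset {
		lines[i] = strings.ToLower(rr.Name) + " " + rr.Type + " " + rr.Data
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// GenerateZoneKey creates the zone's signing key pair (Ed25519 is DNSSEC algorithm 15).
func GenerateZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return pub, priv
}

// SignRRset is the zone owner's step: the private key never leaves the signer.
func SignRRset(priv ed25519.PrivateKey, rrset []RR) []byte {
	return ed25519.Sign(priv, canonical(rrset))
}

// ValidateRRset is the resolver's step, using the public key published in the zone's
// DNSKEY record; any altered or injected record makes the signature check fail.
func ValidateRRset(pub ed25519.PublicKey, rrset []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rrset), sig)
}

func main() {
	pub, priv := GenerateZoneKey()
	genuine := []RR{{"www.example.com.", "A", "192.0.2.10"}} // constructed zone data
	sig := SignRRset(priv, genuine)
	forged := []RR{{"www.example.com.", "A", "198.51.100.66"}} // what a poisoned cache would hold
	fmt.Println("genuine valid:", ValidateRRset(pub, genuine, sig))
	fmt.Println("forged valid: ", ValidateRRset(pub, forged, sig))
}
```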
Slide 20: Advanced DNS Protection
Diagram: amplification, cache poisoning, reconnaissance and DNS exploits arrive alongside legitimate traffic at Advanced DNS Protection (external DNS).
A threat-intelligence server delivers automatic updates; rules are distributed grid-wide to Advanced DNS Protection (internal DNS).
Data for reports goes to a reporting server, which reports on attack types and severity.
Slide 21: Response Policy Zones (RPZ): Blocking Queries to Malicious Domains
1. An infected device is brought into the office. Malware / APT spreads to other devices on the network and calls home.
2. The malware makes a DNS query to find “home” (botnet / C&C). The DNS server with RPZ capability detects and blocks the DNS query to the malicious domain.
3. The blocked attempt is sent to syslog. With the query to the malicious domain logged, security teams can now identify the requesting end-point and attempt remediation.
4. The RPZ is regularly updated with malicious domain data using available reputational feeds (IPs, domains, etc. of bad servers).
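Steps 2 and 3 in code, added here as an example and not code from the slides or from Infoblox: a small policy zone in RPZ text form is parsed, a query from an infected host is matched against it with RPZ precedence (exact owner name before wildcard), and the blocked attempt is written as the kind of line that goes to syslog. The zone contents, domain names and client address are constructed, and zone-apex handling is left out.

```go
package main

import (
	"fmt"
	"strings"
)
// Policy actions an RPZ zone expresses through the target of a CNAME record.
const (
	ActionNXDOMAIN = "NXDOMAIN" // CNAME .             answer "no such domain"
	ActionNODATA   = "NODATA"   // CNAME *.            answer "name exists, no records"
	ActionPassthru = "PASSTHRU" // CNAME rpz-passthru. explicit exception, resolve normally
)
// sampleRPZ is a constructed policy zone in RPZ text form (sample data, not a real feed).
const sampleRPZ = `
badcnc.example          CNAME .
*.badcnc.example        CNAME .
tracker.example         CNAME *.
allowed.badcnc.example  CNAME rpz-passthru.
`
// ParseRPZ maps each owner name to its action ($ORIGIN/apex handling omitted: assumption).
func ParseRPZ(zone string) map[string]string {
	targets := map[string]string{".": ActionNXDOMAIN, "*.": ActionNODATA, "rpz-passthru.": ActionPassthru}
	rules := map[string]string{}
	for _, line := range strings.Split(zone, "\n") {
		if f := strings.Fields(line); len(f) == 3 && f[1] == "CNAME" && targets[f[2]] != "" {
			rules[strings.ToLower(f[0])] = targets[f[2]]
		}
	}
	return rules
}
// Lookup applies RPZ precedence: exact owner match first, then the closest wildcard up the name.
func Lookup(rules map[string]string, qname string) (action string, hit bool) {
	q := strings.TrimSuffix(strings.ToLower(qname), ".")
	if a, ok := rules[q]; ok {
		return a, true
	}
	labels := strings.Split(q, ".")
	for i := 1; i < len(labels); i++ {
		if a, ok := rules["*."+strings.Join(labels[i:], ".")]; ok {
			return a, true
		}
	}
	return "", false // no policy: the resolver answers as usual
}

func main() { // an infected host (constructed address) asking for its C&C name
	if a, hit := Lookup(ParseRPZ(sampleRPZ), "c2.badcnc.example."); hit { // what goes to syslog
		fmt.Printf("rpz client=%s qname=%s action=%s\n", "10.20.30.40", "c2.badcnc.example.", a)
	}
}
```

The passthru record shows why precedence matters: an exception for one host under a blocked wildcard must win, or the feed update that adds the wildcard silently breaks the exception.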
Slide 22: Call to Action. DNS security vulnerabilities pose a significant threat.
Raise the awareness of DNS and DNS security vulnerabilities in your organization.
There are multitudes of resources available to help.
Seek help if needed to protect DNS.
Slide 23: Take the DNS Security Risk Assessment
Analyzes your organization’s DNS setup to assess the level of risk of exposure to DNS threats.
Provides a DNS Security Risk Score and analysis based on the answers given.
Speaker notes: This is a new Security Risk Assessment you can point your customers to at any time. It’s on the external web site, and customers such as Pep Boys, Twitter, and K-Mart have run assessments. Some major observations about customers in this context:
Most don’t perform any security analysis on DNS traffic.
No team or person is chartered with looking specifically at DNS security.
Those with on-premise external DNS servers have no knowledge of how to handle DNS-based DDoS attacks.
Most of them use conventional DNS services (Microsoft or BIND), possibly with other services running on them and lots of open ports (security risks).
Higher score = higher DNS security risk!!
Slide 24: About Infoblox
Total revenue chart ($MM, fiscal year ending July 31).
Founded in 1999. Headquartered in Santa Clara, CA with global operations in 25 countries.
Leader in technology for network control. Market leadership: DDI market leader (Gartner); 50% DDI market share (IDC); 28% CAGR.
7,500+ customers; 74,000+ systems shipped to 100 countries; 55 patents, 29 pending.
IPO April 2012: NYSE BLOX.
Slide 25: Thank you! For more information: www.infoblox.com