1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2014 Infoblox Inc. All Rights Reserved. Domain Name System (DNS) Network Security Asset or Achilles.

Presentation transcript:

1 | Domain Name System (DNS) Network Security Asset or Achilles Heel?
Arya Barirani, VP Product Marketing / Infoblox
November 2014

2 | Agenda
- What is DNS and How Does it Work?
- Threat Landscape Trends
- Common Attack Vectors
  - Anatomy of an attack: DNS Hijacking
  - Anatomy of an attack: Reflection Attack
  - Anatomy of an attack: DNS DDoS
- How To Protect Yourself?
- Q & A

3 | What is the Domain Name System (DNS)?
- Address book for all of the Internet
- Translates “google.com” to 173.194.115.96
- Invented in 1983 by Paul Mockapetris (UC Irvine)
Without DNS, The Internet & Network Communications Would Stop

4 | How Does DNS Work?
Diagram labels: ISP DNS SERVER, ROOT DNS SERVER, WWW.GOOGLE.COM (173.194.115.96)
Speech bubbles, in order:
- “I need directions to www.google.com”
- “That domain is not in my server, I will ask another DNS Server”
- “That’s in my cache, it maps to: 173.194.115.96”
- “Great, I’ll put that in my cache in case I get another request”
- “Great, now I know how to get to www.google.com”

5 | For Bad Guys, DNS Is a Great Target
- DNS is the cornerstone of the Internet used by every business/Government
- DNS is fairly easy to exploit
- DNS Outage = Business Downtime
- Traditional protection is ineffective against evolving threats

6 | The Rising Tide of DNS Threats: Are You Prepared?
- In the last year alone there has been an increase of: 200% DNS attacks [1], 58% DDoS attacks [1]
- With possible amplification up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge
- 28M: Pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks [2]
- 33M: Number of open recursive DNS servers [2]
- 2M: With enterprise level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant
[1] Quarterly Global DDoS Attack Report, Prolexic, 1st Quarter, 2013
[2] www.openresolverproject.org

7 | The Rising Tide of DNS Threats
DNS attacks are rising for 3 reasons:
1 Easy to spoof
2 Asymmetric amplification
3 High-value target
Countries of origin for the most DDoS attacks in the last year: China, US, Brazil, Russia, France, India, Germany, Korea, Egypt, Taiwan

8 | DNS Attack Vectors

9 | The DNS Security Challenges
1 Securing the DNS Platform
2 Defending Against DNS Attacks: DDoS / Cache Poisoning
3 Preventing Malware from using DNS

10 | Anatomy of an Attack: Syrian Electronic Army

11 | Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
How the attack works
Diagram labels: Attacker, Internet, Spoofed Queries, Open Recursive Servers, Amplified Reflected Packets, Target Victim
- Combines reflection and amplification
- Uses third-party open resolvers in the Internet (unwitting accomplice)
- Attacker sends spoofed queries to the open recursive servers
- Uses queries specially crafted to result in a very large response
- Causes DDoS on the victim’s server

12 | Anatomy of an Attack: DNS DDoS For Hire
- DDoS attacks against major U.S. financial institutions
- Launching (DDoS) taking advantage of Server bandwidth
- 4 types of DDoS attacks:
  - DNS amplification
  - Spoofed SYN
  - Spoofed UDP
  - HTTP+ proxy support
- Script offered for $800

13 | The Rising Tide of DNS Threats: 10 Top DNS attacks
- DNS amplification: Use amplification in DNS reply to flood victim
- Protocol anomalies: Malformed DNS packets causing server to crash
- DNS hijacking: Subverting resolution of DNS queries to point to rogue DNS server
- Reconnaissance: Probe to get information on network environment before launching attack
- Fragmentation: Traffic with lots of small out-of-order fragments
- TCP/UDP/ICMP floods: Flood victim’s network with large amounts of traffic
- DNS cache poisoning: Corruption of a DNS cache database with a rogue address
- DNS tunneling: Tunneling of another protocol through DNS for data exfiltration
- DNS based exploits: Exploit vulnerabilities in DNS software
- DNS reflection/DrDoS: Use third party DNS servers to propagate DDoS attack

14 | Protection Best Practices

15 | Help Is On the Way!
- Collaboration
- Dedicated Appliances
- Monitoring
- DNSSEC
- RPZ
- Advanced DNS Protection

16 | Get the Teams Talking – Questions to Ask:
- Who in your org is responsible for DNS Security?
- What methods, procedures, tools do you have in place to detect and mitigate DNS attacks?
- Would you know if an attack was happening, would you know how to stop it?
Teams: Network Team, Security Team, IT Apps Team, IT OPS Team

17 | Hardened DNS Appliances
Conventional Server Approach:
- Many open ports subject to attack
- Users have OS-level account privileges on server
- Requires time-consuming manual updates
Hardened Appliance Approach:
- Dedicated hardware with no unnecessary logical or physical ports
- No OS-level user accounts – only admin accts
- Immediate updates to new security threats
- Secure HTTPS-based access to device management
- No SSH or root-shell access
- Encrypted device to device communication
Diagram labels: Multiple Open Ports, Limited Port Access, Threat Update Service, Secure Access

18 | Monitoring & Alert on Aggregate Query Rate

19 | DNSSEC Fixes Kaminsky Vulnerability
DNS Security Extensions
- Uses public key cryptography to verify the authenticity of DNS zone data (records)
  - DNSSEC zone data is digitally signed using a private key for that zone
  - A DNS server receiving DNSSEC signed zone data can verify the origin and integrity of the data by checking the signature using the public key for that zone

20 | Advanced DNS Protection
Diagram labels: Reporting Server; Automatic updates; Updated Threat-Intelligence Server; Advanced DNS Protection (External DNS); Advanced DNS Protection (Internal DNS); Grid-wide rule distribution; Data for Reports; Reports on attack types, severity
Traffic types shown: Amplification, Cache Poisoning, Legitimate Traffic, Reconnaissance, DNS Exploits

21 | Response Policy Zones - RPZ: Blocking Queries to Malicious Domains
- An infected device brought into the office. Malware spreads to other devices on network.
- Malware makes a DNS query to find “home” (botnet / C&C). DNS Server detects & blocks DNS query to malicious domain.
- Query to malicious domain logged; security teams can now identify requesting end-point and attempt remediation.
- RPZ regularly updated with malicious domain data using available reputational feeds.
Diagram labels: Malicious domains; DNS Server with RPZ Capability; Blocked attempt sent to Syslog; Malware / APT; Malware / APT spreads within network; Calls home; Reputational Feed: IPs, Domains, etc. of Bad Servers; Internet; Intranet
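
Added example (not part of the presentation): the RPZ flow on slide 21 in Python, matching queried names against policy records and listing, per client, the names that were blocked so the requesting endpoint can be identified. The zone records, client addresses, query list and function names are constructed for illustration; wildcard handling follows the standard DNS wildcard rule and ignores empty non-terminals.

```python
# Added example; zone records, client IPs and queries are constructed.
from collections import defaultdict

RPZ_ZONE = """\
; owner names are relative to the policy zone
bad-c2.example      CNAME .              ; answer NXDOMAIN
*.bad-c2.example    CNAME .              ; NXDOMAIN for subdomains
tracker.example     CNAME *.             ; answer NODATA
ok.bad-c2.example   CNAME rpz-passthru.  ; explicit exemption
"""
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}

def load_policy(text):
    """Parse 'owner CNAME target' lines into {owner: action}."""
    policy = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 3 and fields[1].upper() == "CNAME":
            owner = fields[0].lower().rstrip(".")
            policy[owner] = ACTIONS.get(fields[2], "REWRITE")
    return policy

def lookup(policy, qname):
    """Exact match, else the wildcard at the closest enclosing name."""
    name = qname.lower().rstrip(".")
    if name in policy:
        return policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "*." + parent in policy:
            return policy["*." + parent]
        if parent in policy:  # closer name exists without a wildcard child
            return None
    return None

def triage(policy, queries):
    """Map each client to the names it asked for that policy blocked."""
    hits = defaultdict(set)
    for client, qname in queries:
        if lookup(policy, qname) not in (None, "PASSTHRU"):
            hits[client].add(qname)
    return {client: sorted(names) for client, names in hits.items()}

QUERIES = [  # constructed (client, qname) pairs from a resolver query log
    ("10.0.4.17", "www.example.org"), ("10.0.4.17", "beacon.bad-c2.example"),
    ("10.0.4.23", "bad-c2.example"), ("10.0.4.23", "ok.bad-c2.example"),
    ("10.0.4.17", "a.b.bad-c2.example")]
BLOCKED_BY_CLIENT = triage(load_policy(RPZ_ZONE), QUERIES)
```

The passthru record shows how a more specific policy entry exempts one name from a wildcard block, which keeps it out of the per-client hit list.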

22 | Call to Action
- DNS security vulnerabilities pose a significant threat
- Raise the awareness of DNS and DNS security vulnerabilities in your organization
- There are multitudes of resources available to help
- Seek help if needed to protect DNS

23 | Take the DNS Security Risk Assessment
1. Analyzes your organization’s DNS setup to assess level of risk of exposure to DNS threats
2. Provides DNS Security Risk Score and analysis based on answers given
3. www.infoblox.com/dnssecurityscore
Higher score = higher DNS security risk!!

24 | About Infoblox
- Founded in 1999
- Headquartered in Santa Clara, CA with global operations in 25 countries
- Market leadership
  - DDI Market Leader (Gartner)
  - 50% DDI Market Share (IDC)
- 7,500+ customers
- 74,000+ systems shipped to 100 countries
- 55 patents, 29 pending
- IPO April 2012: NYSE BLOX
- Leader in technology for network control
Chart: Total Revenue ($MM) (Fiscal Year Ending July 31), 28% CAGR

25 | Thank you!
For more information: www.infoblox.com

