1
Securing DNS Infrastructure
Matt Gowarty | Senior Product Marketing Manager, Infoblox August 2014
2
Agenda
- Infoblox Overview
- DNS Security Challenges
- Securing the DNS Platform
- Defending Against DNS Attacks
- Preventing Malware from using DNS
- Sample Case Study: Acme Corp.
3
Infoblox Overview & Business Update
Slide: Total Revenue (Fiscal Year Ending July 31, $MM). Founded in 1999. Headquartered in Santa Clara, CA, with global operations in 25 countries. Leader in technology for network control. Market leadership: Gartner “Strong Positive” rating; 50%+ market share (DDI); 30% CAGR; 7,100+ customers, 65,000+ systems shipped; 38 patents, 25 pending; IPO April 2012: NYSE BLOX.
Speaker notes: Infoblox is not a start-up. The company was started more than a dozen years ago; our technology is mature and field proven. The company HQ is in the heart of Silicon Valley with global operations in all major geographies. We do business in 3 regions (Americas, EMEA, APJ). We have sales, support and development operations in 25 countries and we do business in over 70 countries around the world. Infoblox makes essential technology to control networks; we’ll dig into that a bit later in the. We are a market leader in the space that we serve, with Strong Positive ratings from Gartner (3 years in a row) and 40% market share (Note: the Gartner MarketScope and market share stat are specific to DDI). Infoblox has a massive customer base: our latest count is 6,900 different companies, and we have shipped 64,000 systems. We are innovative, with a formal patent program for our employees. As of right now we own 32 patents with 25 more pending. Last but not least, the company did a successful IPO in April. We now share our financial results publicly, which can be seen on the right.
4
Infoblox : Technology for Network Control
Slide: APPS & END-POINTS (end points; VIRTUAL MACHINES; private cloud applications). Essential Network Control Functions: DNS, DHCP, IPAM (DDI). CONTROL PLANE: Infoblox Grid™ with Real-time Network Database; Infrastructure Security; Historical / Real-time Reporting & Control; Discovery, Real-time Configuration & Change, Compliance. NETWORK INFRASTRUCTURE: firewalls, switches, routers, web proxy, load balancers.
Speaker notes: Infoblox can help organizations deal with the risks and expenses associated with key trends in the world of networks. Let’s take a look at how.
Click: The modern network is made up of the infrastructure layer, which is all the devices you’re very familiar with (switches, routers, firewalls, load balancers, web proxies, etc.).
Click: These devices exist to support this layer: your apps and endpoints, ranging from Voice over IP phones to tablets and smartphones, to all the VMs and private clouds, all servicing the applications that drive the business.
Click: Infoblox plays in the middle, in the control plane. We put our technology on a high-performance, highly available and secure platform (we call this the Grid). The Grid has a very powerful, distributed network database that keeps all the information in one place. So what does Infoblox do?
Click: We deliver Discovery, Real-time Configuration & Change management, and Compliance for this layer.
Click: And we deliver Essential Network Control functions like DNS, DHCP and IPAM (known as DDI) for this layer.
Click: Since the new threat vectors are targeted at the network, especially the DNS architecture, we offer security solutions for risk mitigation.
Click: And since we touch all these devices and capture real-time data in a single place, we can do some amazing real-time and historical reporting as well as advanced control.
5
Why is DNS an Ideal Target?
Slide:
- DNS is the cornerstone of the Internet, used by every business/government
- DNS as a protocol is easy to exploit
- Traditional protection is ineffective against evolving threats
- DNS Outage = Business Downtime
Speaker notes: Networks are constantly being exploited using DNS for a variety of criminal purposes today. DNS is the cornerstone of the internet and attackers know that DNS is a high-value target. Without their DNS functioning properly, enterprises cannot conduct business online. The DNS protocol is stateless, which means attackers also cannot be traced easily. The DNS protocol can be exploited easily. It is easy to craft DNS queries that can cause the DNS server to crash or respond with a much amplified response that can congest the bandwidth. The queries can be spoofed, which means attackers can direct huge amounts of traffic to their victim with the help of unsuspecting accomplices (open resolvers on the internet). Traditional protection like firewalls leaves port 53 open and doesn’t do much in terms of preventing DNS attacks. All these reasons make DNS an ideal attack target.
6
The DNS Security Challenge
Slide:
1. Securing the DNS Platform
2. Defending Against DNS Attacks
3. Preventing Malware from using DNS
Speaker notes: We are a critical component of the customer infrastructure and a target for many of these attacks. The big issue is using DNS as an open global communication mechanism that is not well secured: it is not a well protected channel. Customers can use our purpose-built hardware and best practices to ensure the infrastructure is safe. The DNS also needs to be protected against attacks that try to bring down the DNS and IT infrastructure. Malware communicates using DNS to resolve the names of malicious domains and networks.
7
The Infoblox Solution: Secure DNS
Slide: Infoblox DNS Firewall: Prevents Malware/APT from Using DNS. Infoblox Advanced DNS Protection: Defend Against DNS Attacks. Hardened Appliance & OS: Secure the DNS Platform.
Speaker notes: The Infoblox Secure DNS solution addresses the DNS security challenge. It includes our hardened appliance and OS for securing the platform, Advanced DNS Protection to defend against attacks that target the DNS and try to bring it down, and finally DNS Firewall to block malware and APT from exploiting DNS to communicate with its command and control site.
8
The Infoblox Solution: Secure DNS
Slide: Infoblox DNS Firewall: Prevents Malware/APT from Using DNS. Infoblox Advanced DNS Protection: Defend Against DNS Attacks. Hardened Appliance & OS: Secure the DNS Platform.
Speaker notes: Let’s look at the first layer.
9
Hacks of DNS – 2013 & 2014
Speaker notes: Hacking of DNS servers is becoming more prevalent each day. For those bad actors with extensive hacking skills it’s a quick path to inflicting damage and getting hold of mass amounts of traffic/users quickly. Just in the last 15 months there have been hacks of the DNS servers of LinkedIn, Google Malaysia, and MIT. Traffic to these sites, in the thousands of visitors per hour, provides a great source of unwilling participants for hackers.
10
Security Risks with Conventional Approach
Conventional Server Approach:
- Multiple open ports: Port 53 – Domain Name System (DNS); Port 25 – Simple Mail Transfer Protocol (SMTP); Port 80 – HTTP (Web); Port 110 – Post Office Protocol (POP3); Port 1503 – Windows Live Messenger; Port 1801 – Microsoft Messaging
- Many open ports subject to attack
- Users have OS-level account privileges on the server
- Requires time-consuming manual updates
Infoblox Appliance Approach:
- Limited port access: dedicated hardware with no extraneous ports open for attack; no unnecessary logical or physical ports
- No OS-level user accounts, only admin accounts; no association with enterprise domain logins or passwords, only admin login rights, no user rights even available
- Infoblox Update Service: immediate updates to new security threats
- Secure access: encryption-based transactions to manage the appliance; secure HTTPS-based access to device management; no SSH or root-shell access
- Encrypted device-to-device communication
11
Infoblox Purpose Built Appliance and OS
Slide:
- Minimal attack surfaces
- Active/Active HA & DR recovery
- Common Criteria Certification
- FIPS Compliance
- Encrypted Inter-appliance Communication
- Centralized management with role-based control
- Secured Access, communication & API
- Detailed audit logging
- Fast/easy upgrades
Speaker notes: Security – Purpose Built Appliances. Infoblox has designed, built and delivered hardened appliances from which secured DNS, DHCP, and IP address management applications are delivered. For the appliances Infoblox has delivered:
- Minimal attack surface (task-specific hardware): no extra or unused ports that could be used to access the OS or power external devices, e.g. a USB port for a Wi-Fi access port.
- Active/Active HA & DR recovery: simple VRRP-based HA setup, with fail-over and fail-back to ensure availability; active/active DR recovery to ensure operations during a disaster.
- Tested & certified to the highest industry standards: Common Criteria EAL-2 certification (hardware/software and manufacturing processes verified); FIPS certification.
- Secure inter-appliance communication: 128-bit AES Grid VPN communication; all cross-appliance communication is protected and cannot be intercepted.
- Centralized management with role-based control: central view of all appliances/processes & management; role-based admin controls to segment access, control, and management of applications or networks.
- Secured access, communication & API: 6 authentication methods; two-factor auth (CAC/PKI); HTTPS web access (secured access); SSL-based REST/Perl API; GSS-TSIG & TSIG.
- Detailed audit logging: for tracking changes and enabling un-do of incorrect changes.
- Fast/easy upgrades: reduce downtime and risk of upgrades.
** NOT ON SLIDE ** Restrictive/hardened Linux OS: hardened OS, non-essential processes not enabled. Root access disabled: control over operations cannot be compromised.
12
DNSSEC in 1-Click
- No scripts / Auto-Resigning / 1-click
- Central configuration of all DNSSEC parameters
- Automatic maintenance of signed zones
13
The Infoblox Solution: Secure DNS
Infoblox DNS Firewall: Prevents Malware/APT from Using DNS. Infoblox Advanced DNS Protection: Defend Against DNS Attacks. Hardened Appliance & OS: Secure the DNS Platform.
14
DNS Attacks up 216%; ~10% of infrastructure attacks targeted DNS
Chart (Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013), infrastructure-layer attack vectors: ACK 2.81%; CHARGEN 6.39%; FIN PUSH 1.28%; DNS 9.58%; ICMP 9.71%; RESET 1.4%; RP 0.26%; SYN 14.56%; TCP FRAGMENT 0.13%; SYN PUSH 0.38%; UDP FLOODS 13.15%; UDP FRAGMENT 17.11%. ~10% of infrastructure attacks targeted DNS.
Chart (Source: Arbor Networks, survey respondents): ~80% of organizations surveyed experienced application layer attacks on DNS.
Speaker notes: DNS attacks were up 216% in 2013 alone. Approximately 10% of all layer 3 and layer 4 attacks (infrastructure layer) were targeted at DNS, and this number has been growing rapidly, according to Prolexic. Arbor conducted the Infrastructure Security Survey and got about 220 responses between Nov 2012 and October. Among those who responded, 80% said they experienced a DNS application layer attack. So DNS is the number 2 attack vector protocol when it comes to layer 7 attacks.
15
Anatomy of an Attack Distributed Reflection DoS Attack (DrDoS)
How the attack works:
- Combines reflection and amplification
- Uses third-party open resolvers in the Internet (unwitting accomplices)
- Attacker sends spoofed queries to the open recursive servers
- Queries specially crafted to result in a very large response
- Causes DDoS on the victim’s server
Diagram: Attacker sends spoofed queries to Open Recursive Servers (Internet), which send reflected, amplified packets to the Target Victim. Results in a large amount of data being sent to the victim’s IP address; uses multiple such open resolvers, often thousands of servers.
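The reflection path on this slide seen from the open resolver's side, as an added example that is not part of the deck or the product: it flags a forged source that draws many amplified answers, and applies a simplified response rate limit modelled on BIND's RRL (an assumption, not an Infoblox feature); the query records and addresses are constructed.

```python
"""Added example, not code from the Infoblox deck. It models the open recursive
server in the diagram above: spoofed queries arrive with the victim's address
as source, so the resolver's usable signals are (a) one "client" drawing many
queries whose answers dwarf the questions and (b) response rate limiting (RRL,
simplified from BIND's RRL), which truncates excess answers so a forged source
receives almost nothing. All traffic is constructed (RFC 5737 addresses).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class QueryRecord:
    src: str         # source IP on the wire; forged to the victim in a reflection attack
    qname: str
    qtype: str
    req_bytes: int   # size of the query packet
    resp_bytes: int  # size of the answer the resolver would return


def make_sample() -> List[QueryRecord]:
    """Constructed one-second window as seen by an open recursive server."""
    legit = [
        QueryRecord("192.0.2.10", "www.example.net", "A", 50, 110),
        QueryRecord("192.0.2.11", "mail.example.org", "MX", 52, 140),
        QueryRecord("192.0.2.12", "www.example.com", "AAAA", 54, 120),
    ]
    # 40 identical large-answer (ANY) queries whose source is forged to the victim
    reflected = [QueryRecord("198.51.100.7", "big-zone.example", "ANY", 60, 3000)] * 40
    return legit + reflected


def reflection_suspects(records: List[QueryRecord], min_queries: int = 20,
                        min_amp: float = 10.0) -> Dict[str, Tuple[int, float]]:
    """{src: (query count, amplification factor)} for sources that both send
    many queries and draw heavily amplified answers: the profile of a
    reflection victim, not of a normal client."""
    count: Counter = Counter()
    req = defaultdict(int)
    resp = defaultdict(int)
    for r in records:
        count[r.src] += 1
        req[r.src] += r.req_bytes
        resp[r.src] += r.resp_bytes
    suspects = {}
    for src, n in count.items():
        amp = resp[src] / req[src]
        if n >= min_queries and amp >= min_amp:
            suspects[src] = (n, round(amp, 1))
    return suspects


def rrl_actions(records: List[QueryRecord], per_src_limit: int = 10) -> List[str]:
    """After per_src_limit full answers to one source in the window, further
    answers go out truncated (TC=1, a tiny packet). A genuine client retries
    over TCP, which a spoofed source cannot complete."""
    sent: Counter = Counter()
    actions = []
    for r in records:
        if sent[r.src] < per_src_limit:
            sent[r.src] += 1
            actions.append("answer")
        else:
            actions.append("truncate")
    return actions


def bytes_emitted(records: List[QueryRecord], actions: List[str],
                  tc_bytes: int = 60) -> Dict[str, int]:
    """Bytes the resolver sends to each source under the RRL decisions;
    compare against the sum of resp_bytes to see the amplification removed."""
    out: Dict[str, int] = defaultdict(int)
    for r, action in zip(records, actions):
        out[r.src] += r.resp_bytes if action == "answer" else tc_bytes
    return dict(out)
```

Without the limit the victim would receive 120,000 bytes for 2,400 bytes of forged queries (factor 50); with it, 31,800.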
16
Infoblox Advanced DNS Protection Protection against attacks
Diagram: Infoblox Threat-rule Server (automatic updates) feeds Advanced DNS Protection (External DNS) and Advanced DNS Protection (Internal DNS) with Grid-wide rule distribution; data for reports goes to the Reporting Server (reports on attack types, severity). Inbound traffic types: Amplification, Cache Poisoning, Reconnaissance, DNS Exploits, Legitimate Traffic.
Speaker notes: The Advanced Appliance can sit on the Grid. Now let’s see Advanced DNS Protection in action. Regular Grid appliances like the Grid Master and the reporting server sit on the Grid. Let’s assume we have two Advanced Appliances, one external authoritative and the other functioning as an internal recursive server. DNS attacks come interspersed with legitimate DNS traffic at the external authoritative server. Advanced DNS Protection pre-processes the requests to filter out attacks. It responds to legitimate DNS requests. The attack types and patterns are sent to the Infoblox Reporting server. When Infoblox detects new threats, it creates rules and updates the Advanced Appliance. The rule updates are propagated to other Advanced Appliances on the Grid.
17
DNS Protection Is Not Just About DDoS
Slide (attack categories):
- DNS reflection/DrDoS attacks: using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
- DNS amplification: using a specially crafted query to create an amplified response to flood the victim with traffic
- DNS-based exploits: attacks that exploit vulnerabilities in the DNS software
- TCP/UDP/ICMP floods: denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
- DNS cache poisoning: corruption of the DNS cache data with a rogue address
- Protocol anomalies: causing the server to crash by sending malformed packets and queries
- Reconnaissance: attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
- DNS tunneling: tunneling of another protocol through DNS for data exfiltration
Speaker notes: Here’s a high-level categorization of the attacks that Advanced DNS Protection protects against. These are just a high-level categorization, and there are several rules created for each of these attack types. Some of the key attacks we have seen growing in number in the last year or so are the DrDoS attacks, which use a combination of reflection from multiple open recursive servers on the internet and amplification to really flood the target victim’s server. The reflection, amplification and floods all cause huge amounts of traffic to be sent to the target victim, overwhelming the target server and eventually leading to a Denial of Service (DoS).
Detailed explanation of attacks (if more info is needed):
DNS reflection/DrDoS attacks. Reflection attacks use a third-party DNS server, mostly an open resolver, on the internet to propagate a DDoS attack on the victim’s server. A recursive server will process queries from any IP address and return responses. An attacker spoofs the DNS queries he sends to the recursive server by including the victim’s IP address as the source IP in the queries, so when the recursive name server receives the requests, it sends all the responses to the victim’s IP address. DrDoS, or Distributed Reflection Denial of Service, uses multiple such “host” machines or open resolvers on the internet, often thousands of servers, to launch an attack on the target victim. Amplification (described next) can also be used while generating these queries to increase the impact on the victim. A high volume of such “reflected” traffic could overwhelm the victim server and bring down the victim’s site, thereby creating a Denial of Service (DoS).
DNS amplification. DNS amplification is an attack where a large number of specially crafted DNS queries are sent to the victim server. These specially crafted queries result in a very large response that can reach up to 70 times the size of the request. Since DNS relies on the User Datagram Protocol (UDP), the attacker can use a small volume of outbound traffic to cause the DNS server to generate a much larger volume. When the victim tries to respond to these specially crafted queries, the amplification congests the DNS server’s outbound bandwidth. This results in a Denial of Service (DoS).
DNS-based exploits. These are attacks that exploit vulnerabilities in the DNS software, causing the DNS software to terminate abnormally and the server to stop responding or crash.
TCP/UDP/ICMP floods. These are volumetric attacks with massive numbers of packets that consume a network’s bandwidth and resources. TCP SYN floods consist of large volumes of half-opened TCP connections. This attack takes advantage of the way TCP establishes connections: the attacking software generates spoofed packets that appear to the server to be valid new connections. These packets enter the queue, but the connection is never completed, leaving false connections in the queue until they time out. The system under attack quits responding to new connections until the attack stops. This means the server is not responding to legitimate requests from clients to open new connections, resulting in a Denial of Service (DoS). UDP floods send large numbers of UDP packets to random ports on a remote server, which checks for applications listening on the port but doesn’t find them. The remote server is then forced to return a large number of ICMP Destination Unreachable packets to the attacker saying that the destination is unreachable. The attacker can also spoof the return IP address so that the replies don’t go to the attacker’s servers. Sending the replies exhausts the victim server’s resources and causes it to become unreachable. ICMP attacks use network devices like routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death and smurf attacks. This overwhelms the victim server or causes it to crash due to overflow of memory buffers.
DNS cache poisoning. Corruption of DNS cache data. It involves inserting a false address record for an Internet domain into the DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and e-mails will go to the attacker’s address. New cache-poisoning attacks such as the “birthday paradox” attack use brute force, flooding DNS responses and queries at the same time, hoping to get a match on one of the responses and poison the cache. Cache poisoning prevents access or redirects the clients to a rogue address, preventing legitimate users from accessing the company’s site. Inducing a name server to cache bogus resource records can redirect web browsers to bogus replicas of web sites, where logins, passwords and credit card numbers are captured, or to hostile mail servers, where mail can be recorded or modified.
Protocol anomalies. Sending malformed DNS packets, including unexpected header and payload values, to the targeted server. They make use of software bugs in the protocol parsing and processing implementation. The victim server stops responding by going into an infinite loop, or crashes.
Reconnaissance. This attack consists of attempts to get information on the network environment before launching a large DDoS or other type of attack. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warning. No direct effect on the server, but it indicates an impending attack.
DNS tunneling. This attack involves tunneling another protocol through DNS port 53, which is allowed if the firewall is configured to carry non-DNS traffic, for the purposes of data exfiltration. A free ISC-licensed tunneling application for forwarding IPv4 traffic through DNS servers is widely used in this kind of attack.
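Two of the categories above, DNS tunneling and protocol anomalies, as stand-alone detection checks; this is an added example, not part of the deck or of the product, and the query names, thresholds and packet bytes are constructed.

```python
"""Added example, not code from the Infoblox deck. A tunnel encodes data in
the leftmost label, so one parent domain suddenly receives many unique, long,
high-entropy names; protocol anomalies are malformed headers and question
sections (bad counts, reserved opcodes, labels over 63 bytes) that a parser
must reject early rather than crash on. All names and packets are constructed.
"""
import hashlib
import math
import struct
from collections import defaultdict
from typing import Dict, List, Tuple


def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base32 payloads score well above real words."""
    freq: Dict[str, int] = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values()) if n else 0.0


def parent_domain(qname: str) -> str:
    """Last two labels; a real deployment would use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def tunneling_suspects(qnames: List[str], min_unique: int = 20, min_label_len: int = 30,
                       min_entropy: float = 3.5) -> Dict[str, Tuple[int, int, float]]:
    """{parent: (unique names, longest first label, mean first-label entropy)}
    for parents whose query mix looks like an encoded channel."""
    subs: Dict[str, set] = defaultdict(set)
    for q in qnames:
        subs[parent_domain(q)].add(q.rstrip("."))
    out = {}
    for parent, names in subs.items():
        firsts = [n.split(".")[0] for n in names]
        longest = max(len(f) for f in firsts)
        mean_ent = sum(shannon_entropy(f) for f in firsts) / len(firsts)
        if len(names) >= min_unique and (longest >= min_label_len or mean_ent >= min_entropy):
            out[parent] = (len(names), longest, round(mean_ent, 2))
    return out


def constructed_qnames() -> List[str]:
    """Ordinary lookups plus 25 tunnel-style names under t.example.org."""
    normal = ["www.example.com", "mail.example.com", "api.example.com",
              "cdn.example.com", "www.example.net"] * 5
    tunnel = [hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".t.example.org"
              for i in range(25)]
    return normal + tunnel


def dns_query_anomalies(pkt: bytes) -> List[str]:
    """Sanity-check bytes received on port 53 as a query; returns the anomalies
    found (an empty list for a well-formed query)."""
    if len(pkt) < 12:
        return ["header-shorter-than-12-bytes"]
    found = []
    _id, flags, qd, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000:
        found.append("qr-bit-set-on-query")
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):       # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        found.append(f"reserved-opcode-{opcode}")
    if qd != 1:
        found.append(f"qdcount-{qd}")
    off = 12                                # walk the question name's labels
    while True:
        if off >= len(pkt):
            found.append("truncated-question-name")
            break
        ln = pkt[off]
        if ln == 0 or ln & 0xC0 == 0xC0:    # end of name, or a compression pointer
            break
        if ln > 63:                         # 0x40/0x80 prefixes and lengths > 63 are invalid
            found.append(f"label-length-{ln}")
            break
        off += 1 + ln
    return found


# Constructed packets: a normal A query, and one with qdcount 255 plus a 127-byte label
GOOD_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
BAD_QUERY = (b"\x12\x34\x01\x00\x00\xff\x00\x00\x00\x00\x00\x00"
             + b"\x7f" + b"a" * 127 + b"\x00\x00\x01\x00\x01")
```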
18
Advanced DNS Protection
Slide: Deployment Options – EXTERNAL. Diagram: INTERNET traffic (DNS Tunneling, Exploits, Reconnaissance, Amplification, Legitimate Traffic) reaches Advanced DNS Protection in the DMZ before the INTRANET; Grid Master and Candidate (HA) in the DATACENTER; Advanced DNS Protection at CAMPUS/REGIONAL.
Speaker notes: Enterprises can deploy Advanced DNS Protection either as an external authoritative server or as a recursive/caching server inside their network. This diagram shows a typical deployment scenario in the external case and in the internal case. The first scenario helps to protect the network from external internet-borne attacks that target the authoritative DNS. The second scenario is more common in the education vertical, where the university traffic can be as bad as the internet traffic. So universities’ IT departments can use Advanced DNS Protection for their internal DNS server to ensure that the internal network is protected from attacks launched from within their network.
19
Advanced DNS Protection
Slide: Deployment Options – INTERNAL. Diagram: INTRANET with Grid Master and Candidate (HA) in the DATACENTER and Advanced DNS Protection at CAMPUS/REGIONAL; endpoints send Amplification, Cache Poisoning and Legitimate Traffic to the internal Advanced DNS Protection.
Speaker notes: as on the previous slide (Advanced DNS Protection deployed as an internal recursive/caching server protects the internal network from attacks launched from within it).
20
The Infoblox Solution: Secure DNS
Infoblox DNS Firewall: Prevents Malware/APT from Using DNS. Infoblox Advanced DNS Protection: Defend Against DNS Attacks. Hardened Appliance & OS: Secure the DNS Platform.
21
Security Breaches Using Malware / APT
Slide: timeline 2013 (Q2, Q3, Q4) to 2014 (Q1).
Speaker notes: Before we talk about disrupting malware, which may be random or targeted, we need to understand the problem first. The problem is that malware is used to drive security breaches around sensitive information or to steal money. Before you on the screen right now are just some of the breaches from CQ’ into CQ1’ 2014 that used malware extensively. Let me go through a couple of examples.
In the 1st quarter, the NY Times was hacked and information was exfiltrated over a period of 4 months. An outside company was brought in at great expense to clean up the NY Times infrastructure. The outside vendor found 45 different malware instances, only 1 of which was caught by anti-virus.
Another example in the 1st quarter is Facebook. Facebook was infected via Java-based malware that was accidentally downloaded by several Facebook employees outside of the Facebook network and brought back into the network. Facebook found the Java-based malware because a DNS administrator found a sudden burst of DNS requests for domains in Russia.
In the 2nd quarter it was announced that malware was used to steal credit card numbers and other information from the likes of VISA, JC Penneys, NASDAQ and Carrefour, which totaled $300 million.
In the 3rd quarter of this year Adobe was hacked using malware, and an outside security researcher discovered the breach when he found source code for 4 of Adobe’s products on a known hacker website.
Finally, retail was a big target in late CQ4’ 2013 and early CQ’2014. Neiman Marcus, Target and several others were breached and credit card information for tens of millions was stolen. Target, Neiman Marcus and URM Stores (Washington State) found that their credit card point-of-sale (Windows) computers were breached and customer credit card data stolen. Each vendor had to announce it publicly. The impact on their business was 3-fold: (1) customers shopped elsewhere because they lost faith in the retailers; (2) they also had to hire a 3rd-party vendor to do forensics on their environment to find out what happened; (3) IT lost productivity because all servers and POS systems had to be checked, updated and cleaned.
22
Anatomy of an Attack Cryptolocker “Ransomware”
Slide:
- Targets Windows-based computers
- Appears as an attachment to a legitimate-looking e-mail
- Upon infection, encrypts files: local hard drive & mapped network drives
- Ransom: 72 hours to pay $300 US
- Fail to pay and the encryption key is deleted and data is gone forever
- Only way to stop (after the executable has started) is to block the outbound connection to the encryption server
Speaker notes: Here is one more example of malware that DNS Firewall is effective against. CryptoLocker is a new name for a piece of malware (so-called ransomware) that has been updated and is now back in distribution. CryptoLocker is Windows-based malware that is spread via various “pay per infection” methods; that is, the crooks pay other crooks to infect you. Currently it is being spread in at least two different ways. One is where the attached malware is disguised as a PDF or voicemail audio file. A second is via trojans already present on the machine, which are commanded to download CryptoLocker. Once CryptoLocker is on a Windows machine it encrypts the files on the local hard drive or shared drives by getting an encryption key from an internet-based server. The encryption key is a 2048-bit RSA key. As you can see on the screen, a pop-up window informs you that your files are encrypted and you have 72 or 100 hours to pay $300 dollars or euros to get access to your data. The only way to stop the encryption process is to block access to the encryption servers on the Internet. Infoblox DNS Firewall disrupts CryptoLocker by blocking DNS queries to the encryption servers.
23
Infoblox DNS Firewall Blocking Malware
Diagram: (1) An infected device is brought into the office; malware spreads to other devices on the network (Malware / APT spreads within the network and calls home). (2) Malware makes a DNS query to find “home” (botnet / C&C); DNS Firewall detects & blocks the DNS query to the malicious domain, and the blocked attempt is sent to Syslog. (3) Infoblox DDI with DNS Firewall is updated every 2 hours with blocking information (IPs, domains, etc. of bad servers) from the Infoblox DNS Firewall Subscription Service (Infoblox Malware Data Feed Service). (4) Pinpoint: Infoblox Reporting lists blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease history.
Speaker notes: Infoblox DNS Firewall – how does it work?
1. An infected mobile device is brought into the office. Upon connection, the malware starts to spread to other devices on the network.
2. The malware makes a DNS query for a “bad” domain to find “home.” The DNS Firewall has the “bad” domain in its table and blocks the connection.
3. The DNS server is continually updated by a reputational data feed service to reflect the rapidly changing list of malicious domains.
4. Infoblox Reporting provides a list of blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease history (on/off network).
5. Reputation data comes from: the Infoblox DNS Firewall Subscription Service, which provides blocking data on domains and IP addresses from 35+ sources throughout the world (geo-blocking is also a part of the service); and the Infoblox DNS Firewall – FireEye Adapter, through which APT malware domains and IP addresses to be blocked are communicated to DNS Firewall from the FireEye NX Series.
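The five steps above as a minimal working model, added here and not Infoblox code: a reputation feed of blocked domains, an RPZ-style policy check on each query, a syslog-style record of the block, and a join against DHCP lease data to pinpoint the device. The domains, addresses, lease table and log format are constructed placeholders, not the product's own.

```python
"""Added example, not Infoblox code: the DNS Firewall flow in the slide as a
minimal model: a reputation feed of blocked domains, an RPZ-style policy check
on each query, a syslog-style record of the block, and a join against DHCP
leases to pinpoint the infected device. Domains, addresses, leases and the log
format are constructed placeholders, not the product's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed feed entries; a real subscription feed is refreshed (the slide
# says every 2 hours) rather than hard-coded.
BLOCKED_DOMAINS = {"bad-c2.example", "dropzone.example"}
WALLED_GARDEN_IP = "192.0.2.100"     # sinkhole/landing page address, constructed
UPSTREAM_STUB_IP = "203.0.113.10"    # stands in for a real upstream answer


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    fingerprint: str     # DHCP fingerprint, i.e. device type
    lease_start: str


LEASES = [   # constructed DHCP lease table
    Lease("10.0.5.23", "00:11:22:33:44:55", "bob-laptop", "Windows 7", "2014-08-01T08:02"),
    Lease("10.0.5.40", "66:77:88:99:aa:bb", "print-3f", "HP printer", "2014-07-30T12:00"),
]


def is_blocked(qname: str) -> Optional[str]:
    """RPZ-style match: the name itself or any parent domain on the feed.
    Returns the matching feed entry, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


def resolve(qname: str, client_ip: str, policy: str = "NXDOMAIN"
            ) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (rcode, answer, syslog line or None). Blocked names get NXDOMAIN
    or, with policy="WALLED_GARDEN", the sinkhole address; clean names pass."""
    hit = is_blocked(qname)
    if hit is None:
        return ("NOERROR", UPSTREAM_STUB_IP, None)
    answer = WALLED_GARDEN_IP if policy == "WALLED_GARDEN" else None
    rcode = "NOERROR" if answer else "NXDOMAIN"
    log = f"rpz: client {client_ip} qname {qname} matched {hit} policy {policy}"
    return (rcode, answer, log)


LOG_RE = re.compile(r"rpz: client (\S+) qname (\S+) matched (\S+) policy (\S+)")


def pinpoint(log_lines: List[str], leases: List[Lease]) -> List[Dict[str, str]]:
    """Join blocked-query log lines with DHCP lease data so the report names
    the device (MAC, hostname, device type, lease start), not just an IP."""
    by_ip = {lease.ip: lease for lease in leases}
    report = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, qname, hit, policy = m.groups()
        lease = by_ip.get(ip)
        report.append({
            "ip": ip, "qname": qname, "feed_entry": hit, "policy": policy,
            "mac": lease.mac if lease else "unknown",
            "hostname": lease.hostname if lease else "unknown",
            "device_type": lease.fingerprint if lease else "unknown",
            "lease_start": lease.lease_start if lease else "unknown",
        })
    return report
```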
24
Infoblox DNS Firewall - FireEye Adapter Blocking APT
Diagram: (1) Detect – an endpoint attempting to download an infected file; the FireEye NX Series detonates and detects the malware; FireEye detects the APT and alerts are sent to Infoblox. (2) Disrupt – Infoblox DNS Firewall (on Infoblox DDI) disrupts malware DNS communication to malicious domains on the Internet; the blocked attempt is sent to Syslog. (3) Pinpoint – Infoblox Reporting provides a list of blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), DHCP lease (on/off network) and host name.
Slide:
- Blocks internet malware and internal APT DNS communications to malicious domains and networks
- Automatic updates to stay protected against the constantly evolving threat landscape
- Easily pinpoint infected devices based on DHCP fingerprint and lease information
- Easily look up threat severity and reputation of malware that has been blocked
25
Infoblox Advanced DNS Protection
In Review
Infoblox Advanced DNS Protection: Defend Against DNS Attacks. Infoblox DNS Firewall: Prevents Malware/APT from Using DNS. Hardened Appliance & OS: Secure the DNS Platform.
- DNS is critical infrastructure
- Unprotected DNS infrastructure introduces serious security risks
- Infoblox Secure DNS Solution protects critical DNS services
26
Thank you! This concludes the Infoblox Webinar, Protect DNS from Being an Accomplice to Malware. We hope it has been informative for you. If you’d like to find out more you can contact Infoblox Sales at or go to the Infoblox website at