Attacks Against The DNS, DNS Monitoring & Countermeasures
Dave Piscitello
VP Security and ICT Coordination
27 June 2016
Introduction
• VP Security and ICT Coordination, ICANN
• 40 year network and security practitioner
• Roles at ICANN:
  – Technology Advisor
  – Threat responder
  – Investigator
  – Researcher
Agenda
• Overview of the DNS attack landscape
• Attack mitigations and countermeasures
• DNS Monitoring
Attacks Against Name Servers Or Recursors
• “Exploit to fail” Denial of Service (DOS) attack
• “Exploit to own” DOS attack
• Reflection attack
• Amplification attack
• Distributed DOS attack
• Cache Poisoning attack
• Resource Depletion (Exhaustion) attacks
Attacks Involving Stub Resolvers
• Query interception attack
• DNS Response modification
• Configuration poisoning attack
• DNS hostname overflow attack
• DNS as a Covert Exfiltration Channel
• DNS as a Covert Malware Channel
Summary
1 The DNS is an open system and open also to abuse
2 The DNS is a critical Internet database and thus a target for attack
3 Any element of the DNS may be exploited to facilitate other attacks
Begin With Resource And People Planning
• Inventory assets
• Assess and mitigate risks
  – Identify threats, vulnerabilities and bottlenecks
• Plan
  – Initial Response and Abatement
  – Escalation
• Conduct ongoing intelligence
  – Information to help you identify whether you or your industry are a potential target, and why
Resource And Relationship Management
• Know your allies: Maintain points of contact for
  – Mitigation providers
  – Upstream ISPs
  – Hosting providers
  – Vendors and security service technical support
  – CERTs
  – Friendlies, e.g., security community
  – Law enforcement
  – Regulatory authorities (if applicable)
Configuration Management
• Keep software or firmware up to date
  – Operating systems
  – Name server software
  – Security and network systems
• Validate and archive
  – “last known working” configurations
  – zone data
  – Infrastructure topology
Domain Name Registration Protection
• Maintain complete/accurate points of contact
• Monitor Whois record for unauthorized change
• In case of unauthorized transfer, keep records
  – Domain names, proofs of payments, registrar correspondence
  – Demonstrations of use: system/web logs, site archives
  – Legal documents: proofs of incorporation, tax filings, passport, other proofs of identity
  – Any documentation that demonstrates an association between the domain name and you
Be A Good Citizen
Don’t let criminals use your resources to attack others
• Eliminate IP-spoofing (BCP 38)
  – Only allow traffic to exit your networks that uses addresses from blocks you use
• Eliminate open resolvers (BCP 140)
  – Configure your resolvers to only process DNS queries from your networks and hosts
• Add Response Policy Zones to your resolver
  – RPZs are lists of domain names that your name servers should not resolve
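The three “good citizen” controls on this slide, modelled as one policy filter. This is an added example, not code from the slides or from ICANN: the prefixes, the RPZ entries and the sample queries are constructed, and the `DnsQuery`/`evaluate` names are hypothetical. In production BCP 38 lives on routers and firewalls and RPZ inside the resolver; the point here is the decision logic, which is the same wherever it is enforced.

```python
"""Added example (not from the slides): BCP 38 egress filtering, a closed
resolver (BCP 140) and a Response Policy Zone check as one decision function.
All addresses, names and thresholds below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed: the address blocks "we" announce (hypothetical network).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:10::/48")]

# Constructed RPZ entries: names the resolver must not resolve.
# A leading "*." entry covers every name below that domain (not the domain itself).
RPZ_BLOCKLIST = {"known-bad.example", "*.phish.example"}


@dataclass
class DnsQuery:
    src: str        # source IP of the DNS packet
    dst: str        # destination IP
    qname: str      # queried name
    direction: str  # "egress": leaving our network; "ingress": arriving at our resolver


def is_ours(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # 'in' returns False across address families, so mixed v4/v6 lists are safe.
    return any(ip in net for net in OUR_PREFIXES)


def rpz_blocked(qname: str) -> bool:
    """Exact match, or wildcard match on any parent domain."""
    name = qname.rstrip(".").lower()
    if name in RPZ_BLOCKLIST:
        return True
    labels = name.split(".")
    return any("*." + ".".join(labels[i:]) in RPZ_BLOCKLIST for i in range(1, len(labels)))


def evaluate(q: DnsQuery):
    """Return (action, reason) for one query."""
    if q.direction == "egress":
        # BCP 38: only traffic sourced from our own blocks may leave.
        if not is_ours(q.src):
            return ("drop", "BCP38: source address not in our prefixes")
        return ("allow", "")
    # Ingress to our resolver.
    if not is_ours(q.src):
        # BCP 140: do not recurse for outside clients (no open resolver).
        return ("refuse", "BCP140: recursion not allowed for outside source")
    if rpz_blocked(q.qname):
        # RPZ: answer as if the name does not exist, and log it.
        return ("nxdomain", "RPZ: name on policy blocklist")
    return ("allow", "")


# Constructed sample traffic.
SAMPLE = [
    DnsQuery("203.0.113.7", "198.51.100.53", "www.icann.org", "egress"),
    DnsQuery("192.0.2.99", "198.51.100.53", "www.icann.org", "egress"),      # forged source
    DnsQuery("198.51.100.9", "203.0.113.53", "www.icann.org", "ingress"),    # outsider asks our resolver
    DnsQuery("203.0.113.20", "203.0.113.53", "login.phish.example", "ingress"),
    DnsQuery("2001:db8:10::5", "2001:db8:10::53", "known-bad.example.", "ingress"),
    DnsQuery("2001:db8:10::5", "2001:db8:10::53", "www.icann.org", "ingress"),
]


def run_samples():
    return [evaluate(q) for q in SAMPLE]


if __name__ == "__main__":
    for q, (action, reason) in zip(SAMPLE, run_samples()):
        print(f"{q.direction:7} {q.src:16} {q.qname:24} -> {action:8} {reason}")
```

The egress check only looks at the source address, exactly as BCP 38 prescribes; the resolver checks run in order, so an outside client is refused before any name policy is consulted.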
Deploy DNS Defenses in Depth
Interpose layers of defense between attackers and your DNS infrastructure
Diagram, from the attackers inward: Attackers | Mitigation providers and upstream ISPs | Firewall | DNS proxy, DDoS, or DNS protection appliance(s) | Name servers, recursors
Add Redundancy To Your DNS: Fail Over
Diagram, normal operation: two DNS servers behind a firewall/switch. Primary processes 100% of traffic; Secondary processes 0% of traffic.
Diagram, after the primary fails (X): Secondary processes 100% of traffic.
Add Redundancy To Your DNS: Load Balancing
Diagram: two DNS servers behind a firewall/switch. Primary processes n % of traffic; when traffic exceeds n% the secondary is added.
Where else can redundancy or diversity be implemented?
Recommended DoS Mitigation Measures
• Anycast routing
• DNS service segregation
• DNS intrusion defenses
• Redundancy and diversity measures
• Over-provisioning?
Anycast Routing For Name Servers
• Unicast: one DNS host, one IP address
• Anycast: many DNS hosts, one IP address
  – Routing forwards to closest available
Diagram: an Internet user and three DNS servers that all answer on 192.168.11.1. If one DNS server is unreachable (X), names are resolved using another with the same IP.
Example: Root Name System
• Diversity:
  – Geography
  – Hardware
  – Software
  – Bandwidth
  – Administration
• Redundancy
  – Failover
  – Load balancing
  – Anycast IP
DNS Service Segregation
• Design network topology so that critical infrastructure is protected against side attacks
• Run DNS services on separate network segments from other services
• Run authoritatives on separate network segments from recursors
• Separate client networks from services
• Customized defenses for each segment
DNS Security (DNSSEC)
• Protects DNS data against forgery
• Uses public key cryptography to sign authoritative zone data
  – Assures that the data origin is authentic
  – Assures that the data are what the authenticated data originator published
• Trust model also uses public key cryptography
  – Parent zones sign public keys of child zone (root signs TLDs, TLDs sign registered domains…)
Public Key Cryptography in DNSSEC
• Authority signs DNS data with private key
  – Authorities must keep private keys secret!
• Authority publishes public key for everyone to use
Diagram: at the authoritative server, DNS data is signed with the private key; the result (DNS data + digital signatures) is published as signed DNS data.
Public Key Cryptography in DNSSEC
• Any recipient of the authority’s DNS data can use the public key to verify that “the data are correct and came from the right place”
Diagram: the authoritative server publishes signed zone data; a validating recursive server validates it with the public key.
How DNSSEC defeats data poisoning attacks
Diagram: authoritative server, validating recursive server, stub resolver.
• Validating recursor rejects attacker’s DNS data as not authentic
• Stub resolver rejects attacker’s DNS data as not validated
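A toy model of the three DNSSEC slides above (sign with the private key, parent signs the child’s key, validating recursor rejects poisoned data). This is an added example, not code from the slides or from any DNS implementation: the RSA keys are built from tiny fixed primes and are not secure, the record layouts (`DNSKEY`, `DS`, the signature) are simplified stand-ins for the real record formats, and the zone `example.` with its address data is constructed.

```python
"""Added example (not from the slides): DNSSEC-style signing, the parent-signs-
child chain of trust, and why a validating recursor discards poisoned answers.
Keys are toy RSA from fixed small primes (INSECURE); record formats are simplified."""
import hashlib
from math import gcd


def toy_keypair(p, q, e=65537):
    """Tiny RSA key pair (demonstration only; never use small primes for real keys)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def canonical(rrset):
    """Canonical text of an RRset (owner, type, [rdata...]): what gets signed."""
    name, rtype, rdata = rrset
    return f"{name.lower()} {rtype} " + " ".join(sorted(rdata))


def digest(data: str, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % n


def sign(rrset, priv):
    """The authority signs the hash of the canonical RRset with its private key."""
    return pow(digest(canonical(rrset), priv["n"]), priv["d"], priv["n"])


def verify(rrset, sig, pub) -> bool:
    """Anyone holding the public key can check that the data is unmodified and came from the key holder."""
    return pow(sig, pub["e"], pub["n"]) == digest(canonical(rrset), pub["n"])


def key_text(pub):
    return f"{pub['n']}:{pub['e']}"


def dnskey_rr(zone, pub):
    return (zone, "DNSKEY", [key_text(pub)])


def ds_rr(zone, pub):
    """The parent publishes a hash of the child's public key (simplified DS record)."""
    return (zone, "DS", [hashlib.sha256(key_text(pub).encode()).hexdigest()])


# Authority side. The root key is the recursor's trust anchor; the root signs
# the DS for the (constructed) child zone "example.", which signs its own data.
root_pub, root_priv = toy_keypair(1000003, 1000033)
ex_pub, ex_priv = toy_keypair(1000037, 1000039)
TRUST_ANCHOR = root_pub
EX_DS = ds_rr("example.", ex_pub)
EX_DS_SIG = sign(EX_DS, root_priv)
EX_DNSKEY = dnskey_rr("example.", ex_pub)
WWW = ("www.example.", "A", ["192.0.2.10"])          # constructed zone data
WWW_SIG = sign(WWW, ex_priv)


def validating_recursor(rrset, sig, dnskey, ds, ds_sig, anchor=TRUST_ANCHOR) -> bool:
    """Walk the chain: anchor verifies DS; DS must match DNSKEY; DNSKEY verifies the signature."""
    if not verify(ds, ds_sig, anchor):          # parent's signature over the delegation
        return False
    if dnskey[0] != ds[0]:                       # key must belong to the delegated zone
        return False
    n, e = dnskey[2][0].split(":")
    zone_pub = {"n": int(n), "e": int(e)}
    if ds_rr(ds[0], zone_pub)[2] != ds[2]:      # DS hash must match the offered key
        return False
    return verify(rrset, sig, zone_pub)          # finally, the data itself


def stub_resolver(answer, validated: bool):
    """A stub uses only answers its validating recursor marked as authentic."""
    return answer if validated else None


def scenarios():
    genuine = validating_recursor(WWW, WWW_SIG, EX_DNSKEY, EX_DS, EX_DS_SIG)
    # Poisoning attempt 1: forged address, genuine signature replayed -> hash mismatch.
    forged = ("www.example.", "A", ["198.51.100.66"])
    replayed = validating_recursor(forged, WWW_SIG, EX_DNSKEY, EX_DS, EX_DS_SIG)
    # Poisoning attempt 2: forgery signed with a key the parent never vouched for.
    atk_pub, atk_priv = toy_keypair(1000081, 1000099)
    own_key = validating_recursor(forged, sign(forged, atk_priv),
                                  dnskey_rr("example.", atk_pub), EX_DS, EX_DS_SIG)
    return {"genuine": genuine, "replayed_sig": replayed, "attacker_key": own_key,
            "stub_uses_forgery": stub_resolver(forged, own_key) is not None}


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:18} -> {outcome}")
```

Both poisoning attempts fail for different reasons: the replayed signature no longer matches the hash of the altered data, and the attacker’s own key fails at the DS step because only the parent can vouch for a child key. The stub never sees either forgery because it only accepts what the validating recursor has marked authentic.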
Real Time Traffic Analysis & Policy Enforcement
• Certain attacks change host configurations or resolver data
  – DNSchanger malware
  – Cache poisoners
• Track others by examining DNS traffic
• Enforce DNS behavior using access controls or intrusion detection
• Detect or drop – and log –
  – DNS malformed traffic
  – “Known malicious” or suspicious DNS traffic patterns
  – Name error responses
Image by dingcarrie
Where to Look
• Host (device) or resolver configuration
• DNS query and response traffic on networks
• Resolver and authority logs
• Event logs
  – Hosts, Security Systems, Network elements
  – Applications (clients or servers)
• Passive DNS replication (sensor networks)
6/28/16 Copyright ©2014 Dave Piscitello
What To Look For
DNS Access Controls:
• Spoofed source addresses
• Malformed or suspicious queries
• Malformed or suspicious responses
• Message length anomalies
• Known bad/suspicious traffic origins
• Known bad/suspicious domains
• Known malicious/covert traffic patterns
DNS Volumetric Attack Detection:
• Excessive Name errors
• Atypical DNS message sizes
• Atypical use of TCP
• Deviations from historical or planned traffic volume
• Network traffic anomaly protection
• Source or connection response rate limiting
How to Look
• Use traffic analyzers, Intrusion Detection Systems, or Internet firewalls to
  – Detect spoofing
  – Enforce egress traffic policy
  – Detect attempts to query unauthorized resolvers
  – Notify if excessive name resolution errors occur
• Examine critical data for “correctness” at DNS zone data and recursor caches
• Use Passive DNS replication to
  – Review what names your users are resolving
  – Populate Response Policy Zones, domain blocklists
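The volumetric checks from “What To Look For” (excessive name errors, atypical message sizes, atypical use of TCP, deviation from planned volume), run over resolver log lines as “How to Look” suggests. This is an added example, not code from the slides or from any resolver: the log format is a constructed one-line-per-response layout (real resolvers log differently, so the parser is the part to adapt), the sample lines and client addresses are constructed, and every threshold is an assumption to be replaced by your own baseline.

```python
"""Added example (not from the slides): volumetric DNS anomaly detection over
constructed resolver log lines. Log layout, addresses and thresholds are assumed."""
from collections import Counter, defaultdict

# Assumed thresholds; derive real ones from your historical traffic.
NXDOMAIN_RATIO = 0.5     # share of a client's queries answered NXDOMAIN
MIN_QUERIES = 4          # ignore clients with too little traffic to judge
MAX_MSG_BYTES = 1500     # responses larger than this are atypical (amplification-sized)
TCP_RATIO = 0.5          # share of a client's queries carried over TCP
BASELINE_QPM = 5         # planned/historical queries per minute for this resolver

# Constructed log lines: time client qname qtype proto rcode response_bytes
SAMPLE_LOG = """\
2016-06-27T10:00:01 203.0.113.5 www.icann.org A udp NOERROR 112
2016-06-27T10:00:02 203.0.113.5 mail.icann.org MX udp NOERROR 140
2016-06-27T10:00:02 203.0.113.9 a1b2c3d4.burst.example A udp NXDOMAIN 98
2016-06-27T10:00:03 203.0.113.9 e5f6a7b8.burst.example A udp NXDOMAIN 98
2016-06-27T10:00:03 203.0.113.9 c9d0e1f2.burst.example A udp NXDOMAIN 98
2016-06-27T10:00:04 203.0.113.9 a3b4c5d6.burst.example A udp NXDOMAIN 98
2016-06-27T10:00:04 203.0.113.9 www.icann.org A udp NOERROR 112
2016-06-27T10:00:05 203.0.113.22 isc.org ANY udp NOERROR 3200
2016-06-27T10:00:06 203.0.113.22 isc.org ANY udp NOERROR 3200
2016-06-27T10:00:07 203.0.113.31 big.example TXT tcp NOERROR 512
2016-06-27T10:00:07 203.0.113.31 big.example TXT tcp NOERROR 512
2016-06-27T10:00:08 203.0.113.31 www.icann.org A udp NOERROR 112
"""


def parse(line: str) -> dict:
    ts, client, qname, qtype, proto, rcode, size = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype,
            "proto": proto, "rcode": rcode, "size": int(size)}


def analyze(log_text: str, baseline_qpm: int = BASELINE_QPM):
    """Return a list of (client, indicator, detail) alerts."""
    recs = [parse(l) for l in log_text.splitlines() if l.strip()]
    per_client = defaultdict(list)
    for r in recs:
        per_client[r["client"]].append(r)

    alerts = []
    for client, rs in sorted(per_client.items()):
        n = len(rs)
        # Excessive name errors: typical of lookups for generated or guessed names.
        nx = sum(r["rcode"] == "NXDOMAIN" for r in rs)
        if n >= MIN_QUERIES and nx / n > NXDOMAIN_RATIO:
            alerts.append((client, "excessive name errors", f"{nx}/{n} NXDOMAIN"))
        # Atypical message size: large answers are what reflection abuse seeks.
        big = max(r["size"] for r in rs)
        if big > MAX_MSG_BYTES:
            alerts.append((client, "atypical DNS message size", f"{big} bytes"))
        # Atypical use of TCP for a client that normally resolves over UDP.
        tcp = sum(r["proto"] == "tcp" for r in rs)
        if n >= 2 and tcp / n > TCP_RATIO:
            alerts.append((client, "atypical use of TCP", f"{tcp}/{n} over TCP"))

    # Deviation from planned volume, per minute (timestamp prefix YYYY-MM-DDTHH:MM).
    per_minute = Counter(r["ts"][:16] for r in recs)
    for minute, count in sorted(per_minute.items()):
        if count > 2 * baseline_qpm:
            alerts.append(("*", "traffic volume deviation",
                           f"{count} queries in {minute}, baseline {baseline_qpm}/min"))
    return alerts


if __name__ == "__main__":
    for client, indicator, detail in analyze(SAMPLE_LOG):
        print(f"{client:14} {indicator:28} {detail}")
```

Each rule is deliberately per-client, because the action the slides pair with these signals (rate limiting a source or connection, blocking an origin) is also per-client; the volume rule is global because it is the one that tells you the resolver itself is under load rather than one host misbehaving.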
Summary
1 Implement an in-depth defense to mitigate DNS attacks
2 Some mitigations require allies or broad implementation
3 Some of the best mitigations are “soft” (planning or administrative)
Reading List (Partial)
Title – URL
Top 10 DNS attacks – http://www.networkworld.com/article/2886283/security0/top-10-dns-attacks-likely-to-infiltrate-your-network.html
Manage your domain portfolio – http://securityskeptic.typepad.com/the-security-skeptic/2014/01/avoid-risks-manage-your-domain-portfolio.html
Securing open DNS resolvers – http://www.gtri.com/securing-open-dns-resolvers-against-denial-of-service-attacks/
DNS Tunneling – https://www.cloudmark.com/releases/docs/whitepapers/dns-tunneling-v01.pdf
DNS cache busting – http://blog.cloudmark.com/2014/10/07/a-dns-cache-busting-technique-for-ddos-style-attacks-against-authoritative-name-servers/
DNS Cache Poisoning – http://www.securityskeptic.com/dns-cache-poisoning.html
Anatomy of a DDOS attack – http://www.securityskeptic.com/anatomy-of-dns-ddos-attack.html
DNS reflection defense – https://blogs.akamai.com/2013/06/dns-reflection-defense.html
Protect the world from your network – http://securityskeptic.typepad.com/the-security-skeptic/2013/04/protecting-the-world-from-your-network.html
DNS Traffic Monitoring Series – http://www.securityskeptic.com/2014/09/dns-traffic-monitoring-series-at-dark-reading.html
Protect your DNS servers against DDoS attacks – http://www.gtcomm.net/blog/protecting-your-dns-server-against-ddos-attacks/
Fast Flux Botnet Detection in Realtime – http://www.iis.sinica.edu.tw/~swc/pub/fast_flux_bot_detection.html
DNS resource exhaustion – https://www.cloudmark.com/releases/docs/whitepapers/dns-resource-exhaustion-v01.pdf
Thank You and Questions
Questions?
My Contact Info: [email protected] @securityskeptic www.securityskeptic.com about.me/davepiscitello
Contact ICANN: @icann icann.org safe.mn/icannsecurityteam