Attacks Against The DNS, DNS Monitoring & Countermeasures. Dave Piscitello, VP Security and ICT Coordination, 27 June 2016, dave.piscitello@icann.org

Page 1:

Attacks Against The DNS, DNS Monitoring & Countermeasures

Dave Piscitello
VP Security and ICT Coordination
27 June 2016
dave.piscitello@icann.org

Page 2:

Introduction

•  VP Security and ICT Coordination, ICANN
•  40 year network and security practitioner
•  Roles at ICANN:
  –  Technology Advisor
  –  Threat responder
  –  Investigator
  –  Researcher

Page 3:

Agenda

•  Overview of the DNS attack landscape
•  Attack mitigations and countermeasures
•  DNS Monitoring

Page 4:

Attacks Against Name Servers Or Recursors

•  "Exploit to fail" Denial of Service (DoS) attack
•  "Exploit to own" DoS attack
•  Reflection attack
•  Amplification attack
•  Distributed DoS attack
•  Cache Poisoning attack
•  Resource Depletion (Exhaustion) attacks

Page 5:

Attacks Involving Stub Resolvers

•  Query interception attack
•  DNS Response modification
•  Configuration poisoning attack
•  DNS hostname overflow attack
•  DNS as a Covert Exfiltration Channel
•  DNS as a Covert Malware Channel

Page 6:

Summary

1  The DNS is an open system and open also to abuse
2  The DNS is a critical Internet database and thus a target for attack
3  Any element of the DNS may be exploited to facilitate other attacks

Page 7:

Agenda

•  Overview of the DNS attack landscape
•  Attack mitigations and countermeasures
•  DNS Monitoring

Page 8:

Begin With Resource And People Planning

•  Inventory assets
•  Assess and mitigate risks
  –  Identify threats, vulnerabilities and bottlenecks
•  Plan
  –  Initial Response and Abatement
  –  Escalation
•  Conduct ongoing intelligence
  –  Information to help you identify whether you or your industry are a potential target, and why

Page 9:

Resource And Relationship Management

•  Know your allies: Maintain points of contact for
  –  Mitigation providers
  –  Upstream ISPs
  –  Hosting providers
  –  Vendors and security service technical support
  –  CERTs
  –  Friendlies, e.g., security community
  –  Law enforcement
  –  Regulatory authorities (if applicable)

Page 10:

Configuration Management

•  Keep software or firmware up to date
  –  Operating systems
  –  Name server software
  –  Security and network systems
•  Validate and archive
  –  "last known working" configurations
  –  zone data
  –  Infrastructure topology

Page 11:

Domain Name Registration Protection

•  Maintain complete/accurate points of contact
•  Monitor Whois record for unauthorized change
•  In case of unauthorized transfer, keep records
  –  Domain names, proofs of payments, registrar correspondence
  –  Demonstrations of use: system/web logs, site archives
  –  Legal documents: proofs of incorporation, tax filings, passport, other proofs of identity
  –  Any documentation that demonstrates an association between the domain name and you

Page 12:

Be A Good Citizen

Don't let criminals use your resources to attack others

•  Eliminate IP-spoofing (BCP 38)
  –  Only allow traffic to exit your networks that uses addresses from blocks you use
•  Eliminate open resolvers (BCP 140)
  –  Configure your resolvers to only process DNS queries from your networks and hosts
•  Add Response Policy Zones to your resolver
  –  RPZs are lists of domain names that your name servers should not resolve
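The three controls on this slide, written out as policy functions so their logic can be exercised offline. This is an added example, not code from the deck or from ICANN; the address blocks, client addresses and RPZ entries are constructed for the illustration, and in production the same rules live in router or firewall ACLs (BCP 38), the resolver's recursion ACL (BCP 140) and an RPZ zone file.

```python
"""Added example (not from the deck): the three "good citizen" controls as
policy functions that can be exercised offline. The address blocks,
client addresses and RPZ entries are constructed for the illustration;
in production the same rules live in router/firewall ACLs (BCP 38),
the resolver's recursion ACL (BCP 140) and an RPZ zone."""
import ipaddress

# Constructed: address blocks this network legitimately sources traffic from (BCP 38).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed: networks allowed to use the recursive resolver (BCP 140).
RECURSION_ALLOWED = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "192.0.2.0/25")]

# Constructed RPZ-style policy. "*.name" covers every subdomain of name,
# but not name itself, matching the wildcard semantics of an RPZ zone.
RPZ = {
    "malware-c2.example": "NXDOMAIN",
    "*.phish.example": "NXDOMAIN",
    "tracker.example": "CNAME walled-garden.example",
}


def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def egress_allowed(src):
    """BCP 38: let a packet leave only if its source is an address we use.
    A packet carrying a reflection victim's address as its source is dropped."""
    return _in_any(src, OUR_PREFIXES)


def recursion_allowed(client):
    """BCP 140: answer recursive queries only for our own networks and hosts."""
    return _in_any(client, RECURSION_ALLOWED)


def rpz_action(qname):
    """Return the policy action for qname, or None if no rule applies.
    Exact match first, then wildcards from the most specific parent up."""
    name = qname.rstrip(".").lower()
    if name in RPZ:
        return RPZ[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        rule = "*." + ".".join(labels[i:])
        if rule in RPZ:
            return RPZ[rule]
    return None


def resolver_decision(client, qname):
    """What the resolver does with one query under these controls."""
    if not recursion_allowed(client):
        return "REFUSED"                   # we are not an open resolver
    action = rpz_action(qname)
    if action:
        return action                      # policy hit: never resolved upstream
    return "RESOLVE"


if __name__ == "__main__":
    for src in ("203.0.113.7", "198.51.100.9"):      # the second source is spoofed
        print("egress", src, "ALLOW" if egress_allowed(src) else "DROP")
    for client, qname in (("198.51.100.9", "www.example.com"),
                          ("203.0.113.7", "login.phish.example."),
                          ("203.0.113.7", "www.example.com")):
        print("query", client, qname, "->", resolver_decision(client, qname))
```

Note the order in `resolver_decision`: the recursion ACL is checked before the RPZ lookup, so an outside host gets REFUSED rather than a policy answer, which is what keeps the resolver from being usable as a reflector even for names the RPZ covers.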

Page 13:

Deploy DNS Defenses in Depth

Interpose layers of defense between attackers and your DNS infrastructure

[Figure: layered defenses, outermost first]
Attackers -> Mitigation providers and upstream ISPs -> Firewall -> DNS proxy, DDoS, or DNS protection appliance(s) -> Name servers, recursors

Page 14:

Add Redundancy To Your DNS: Fail Over

[Figure: two DNS servers behind a firewall/switch. Normal operation: the primary processes 100% of traffic, the secondary processes 0% of traffic. When the primary fails (X): the secondary processes 100% of traffic.]

Page 15:

Add Redundancy To Your DNS: Load Balancing

[Figure: two DNS servers behind a firewall/switch. The primary processes n% of traffic; when traffic exceeds n%, the secondary is added.]

Where else can redundancy or diversity be implemented?

Page 16:

Recommended DoS Mitigation Measures

•  Anycast routing
•  DNS service segregation
•  DNS intrusion defenses
•  Redundancy and diversity measures
•  Over-provisioning?

Page 17:

Anycast Routing For Name Servers

•  Unicast: one DNS host, one IP address
•  Anycast: many DNS hosts, one IP address
  –  Routing forwards to closest available

[Figure: three DNS servers, each reachable at 192.168.11.1, and an Internet user; one server is marked X.] If this DNS server is unreachable, names are resolved using another with the same IP.

Page 18:

Example: Root Name System

•  Diversity:
  –  Geography
  –  Hardware
  –  Software
  –  Bandwidth
  –  Administration
•  Redundancy:
  –  Failover
  –  Load balancing
  –  Anycast IP

Page 19:

DNS Service Segregation

•  Design network topology so that critical infrastructure is protected against side attacks
•  Run DNS services on separate network segments from other services
•  Run authoritatives on separate network segments from recursors
•  Separate client networks from services
•  Customized defenses for each segment

Page 20:

DNS Security (DNSSEC)

•  Protects DNS data against forgery
•  Uses public key cryptography to sign authoritative zone data
  –  Assures that the data origin is authentic
  –  Assures that the data are what the authenticated data originator published
•  Trust model also uses public key cryptography
  –  Parent zones sign public keys of child zones (root signs TLDs, TLDs sign registered domains...)

Page 21:

Public Key Cryptography in DNSSEC

•  Authority signs DNS data with private key
  –  Authorities must keep private keys secret!
•  Authority publishes public key for everyone to use

[Figure: at the authoritative server, DNS data + digital signatures = signed DNS data; signed with the private key, then published.]

Page 22:

Public Key Cryptography in DNSSEC

•  Any recipient of the authority's DNS data can use the public key to verify that "the data are correct and came from the right place"

[Figure: the authoritative server publishes signed zone data; the validating recursive server validates it with the public key.]

Page 23:

How DNSSEC defeats data poisoning attacks

[Figure: authoritative server -> validating recursive server -> stub resolver, with an attacker injecting data.] The validating recursor rejects the attacker's DNS data as not authentic; the stub resolver rejects the attacker's DNS data as not validated.
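A miniature chain of trust that ties Pages 20 to 23 together: parent zones sign the key hashes of their children, the leaf zone signs its own records, and a validator that starts from the root key rejects a cache poisoner's data. This is an added example, not code from the deck or from any DNSSEC implementation. Textbook RSA over small primes stands in for the real DNSSEC signature algorithms so the example runs with only the standard library; it is an illustration, not a usable signature scheme, and the zone names, keys and records are all constructed.

```python
"""Added example (not from the deck): a miniature DNSSEC chain of trust,
showing why a validating recursor rejects a cache poisoner's data.
Textbook RSA over small primes stands in for the real DNSSEC algorithms
so the example runs with only the standard library; it is an
illustration, not a secure signature scheme. All zone names and records
are constructed."""
import hashlib
import random


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test, adequate for a demo."""
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top and low bits
        if _is_probable_prime(cand):
            return cand


def keygen(bits=128):
    """Return ((n, e), (n, d)): public and private halves of a toy RSA key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    """RRSIG: the authority signs with the private key it must keep secret."""
    n, d = private
    return pow(_h(data) % n, d, n)


def verify(public, data, sig):
    """Any recipient checks the signature with the published public key."""
    n, e = public
    return pow(sig, e, n) == _h(data) % n


def ds_record(public):
    """DS: the parent publishes a hash of the child's public key (its DNSKEY)."""
    return hashlib.sha256(repr(public).encode()).hexdigest()


class Zone:
    """A signed zone: its key pair and each RRset with the RRSIG over it."""
    def __init__(self, name):
        self.name = name
        self.public, self._private = keygen()
        self.rrsets = {}                     # rrset label -> (rdata, signature)

    def publish(self, label, rdata):
        self.rrsets[label] = (rdata, sign(self._private, label.encode() + rdata))

    def delegate(self, child):
        """Parent signs the child's key hash: root signs TLDs, TLDs sign domains."""
        self.publish("DS " + child.name, ds_record(child.public).encode())


def validate(trust_anchor, chain, label):
    """What a validating recursor does: start from the configured root key,
    check each DS/DNSKEY link down the chain, then the leaf RRSIG.
    Returns the rdata if everything verifies, None if any link fails."""
    key = trust_anchor
    for parent, child in zip(chain, chain[1:]):
        ds_label = "DS " + child.name
        rdata, sig = parent.rrsets.get(ds_label, (None, None))
        if rdata is None or not verify(key, ds_label.encode() + rdata, sig):
            return None                      # DS missing or not signed by parent
        if rdata.decode() != ds_record(child.public):
            return None                      # child's DNSKEY does not match the DS
        key = child.public
    rdata, sig = chain[-1].rrsets.get(label, (None, None))
    if rdata is None or not verify(key, label.encode() + rdata, sig):
        return None
    return rdata


def demo():
    """Genuine data validates; a poisoner's rdata and a rogue key both fail."""
    root, com, example = Zone("."), Zone("com"), Zone("example.com")
    root.delegate(com)
    com.delegate(example)
    example.publish("A www.example.com", b"192.0.2.80")
    chain = [root, com, example]
    genuine = validate(root.public, chain, "A www.example.com")
    # Cache poisoner: injects its own address, reusing the real signature.
    rdata, sig = example.rrsets["A www.example.com"]
    example.rrsets["A www.example.com"] = (b"198.51.100.66", sig)
    poisoned = validate(root.public, chain, "A www.example.com")
    example.rrsets["A www.example.com"] = (rdata, sig)
    # Attacker with its own key pair: the DS held by .com does not match it.
    rogue = Zone("example.com")
    rogue.publish("A www.example.com", b"198.51.100.66")
    rogue_result = validate(root.public, [root, com, rogue], "A www.example.com")
    return genuine, poisoned, rogue_result
```

The two failure cases in `demo()` are the two things an attacker can try: swap the rdata under a genuine signature (the RRSIG no longer verifies) or sign with a key of their own (the parent's DS does not match that key). Both are caught only because the validator starts from a trust anchor it obtained out of band rather than from the data being validated.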

Page 24:

Agenda

•  Overview of the DNS attack landscape
•  Attack mitigations and countermeasures
•  DNS Monitoring

Page 25:

Real Time Traffic Analysis & Policy Enforcement

•  Certain attacks change host configurations or resolver data
  –  DNSchanger malware
  –  Cache poisoners
•  Track others by examining DNS traffic
•  Enforce DNS behavior using access controls or intrusion detection
•  Detect or drop (and log):
  –  Malformed DNS traffic
  –  "Known malicious" or suspicious DNS traffic patterns
  –  Name error responses

(Image by dingcarrie)

Page 26:

Where to Look

•  Host (device) or resolver configuration
•  DNS query and response traffic on networks
•  Resolver and authority logs
•  Event logs
  –  Hosts, Security Systems, Network elements
  –  Applications (clients or servers)
•  Passive DNS replication (sensor networks)

6/28/16 Copyright ©2014 Dave Piscitello

Page 27:

What To Look For

DNS Access Controls
•  Spoofed source addresses
•  Malformed or suspicious queries
•  Malformed or suspicious responses
•  Known bad/suspicious traffic origins
•  Known bad/suspicious domains
•  Known malicious/covert traffic patterns

DNS Volumetric Attack Detection
•  Excessive Name errors
•  Atypical DNS message sizes
•  Message length anomalies
•  Atypical use of TCP
•  Deviations from historical or planned traffic volume
•  Network traffic anomaly protection
•  Source or connection response rate limiting

Page 28:

How to Look

•  Use traffic analyzers, Intrusion Detection Systems, or Internet firewalls to
  –  Detect spoofing
  –  Enforce egress traffic policy
  –  Detect attempts to query unauthorized resolvers
  –  Notify if excessive name resolution errors occur
•  Examine critical data for "correctness" in DNS zone data and recursor caches
•  Use Passive DNS replication to
  –  Review what names your users are resolving
  –  Populate Response Policy Zones, domain blocklists
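Several of the indicators from Pages 25, 27 and 28 (excessive name errors, atypical message sizes, covert-channel name patterns, sources that warrant response rate limiting) run as detectors over a small resolver log. This is an added example, not code from the deck or from any DNS product. The log format, thresholds, addresses and names are assumptions constructed for the illustration; in a real deployment the same checks would be fed from BIND or Unbound query logs, dnstap or a passive DNS sensor.

```python
"""Added example (not from the deck): the "what to look for" checks run
over a constructed resolver log. The log format, thresholds, addresses
and names are all assumptions made for this illustration; a real
deployment would feed the same detectors from resolver query logs,
dnstap or a passive DNS sensor."""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format:
# "<timestamp> <client> <qname> <qtype> <rcode> <req_bytes> <resp_bytes> <proto>"
LOG = [
    "2016-06-28T10:00:01Z 203.0.113.7 www.example.com A NOERROR 45 61 udp",
    "2016-06-28T10:00:02Z 203.0.113.7 mail.example.com MX NOERROR 46 95 udp",
    "2016-06-28T10:00:03Z 203.0.113.7 typo.example.com A NXDOMAIN 46 100 udp",
    # Small ANY request, very large response: the amplification/reflection pattern.
    "2016-06-28T10:00:04Z 198.51.100.5 example.net ANY NOERROR 40 3200 udp",
    # Long, high-entropy leftmost labels: DNS used as a covert exfiltration channel.
    "2016-06-28T10:00:05Z 203.0.113.8 q7w3e9r1t5y8u2i4o6p0asdfghjklzxcvbnm.t.example.net TXT NOERROR 90 120 udp",
    "2016-06-28T10:00:06Z 203.0.113.8 asdfghjklzxcvbnmq7w3e9r1t5y8u2i4o6p0.t.example.net TXT NOERROR 90 120 udp",
]
# A burst of name errors from one client within two seconds (DGA malware or a broken host).
LOG += [f"2016-06-28T10:00:{10 + i // 20:02d}Z 203.0.113.9 host{i}.example.org A NXDOMAIN 45 100 udp"
        for i in range(40)]

THRESHOLDS = {                 # constructed; tune to your own traffic baseline
    "nxdomain_per_client": 20,   # name errors from one client in the log window
    "amp_ratio": 10.0,           # response bytes / request bytes
    "resp_bytes": 1500,          # responses larger than this are atypical for UDP
    "label_len": 30,             # leftmost label longer than this is suspicious
    "label_entropy": 3.5,        # bits per character
    "qps_per_source": 10.0,      # candidates for source response rate limiting
}


def parse(line):
    ts, client, qname, qtype, rcode, req, resp, proto = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "qname": qname.lower(), "qtype": qtype, "rcode": rcode,
            "req": int(req), "resp": int(resp), "proto": proto}


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def analyze(lines, th=THRESHOLDS):
    """Return {finding_name: sorted list of offenders} for the four detectors."""
    recs = [parse(line) for line in lines]
    findings = defaultdict(set)

    # Excessive name errors per client.
    nx = Counter(r["client"] for r in recs if r["rcode"] == "NXDOMAIN")
    for client, n in nx.items():
        if n > th["nxdomain_per_client"]:
            findings["excessive_name_errors"].add(client)

    for r in recs:
        # Atypical message size: large response on a small request.
        if r["resp"] > th["resp_bytes"] and r["resp"] / r["req"] > th["amp_ratio"]:
            findings["atypical_message_size"].add((r["client"], r["qname"], r["qtype"]))
        # Covert channel pattern: long, random-looking leftmost label.
        label = r["qname"].split(".")[0]
        if len(label) > th["label_len"] and entropy(label) > th["label_entropy"]:
            findings["covert_channel_pattern"].add(r["qname"])

    # Per-source query rate over the window each source was active.
    by_src = defaultdict(list)
    for r in recs:
        by_src[r["client"]].append(r["ts"])
    for client, stamps in by_src.items():
        span = max(1.0, (max(stamps) - min(stamps)).total_seconds())
        if len(stamps) / span > th["qps_per_source"]:
            findings["rate_limit_candidate"].add(client)

    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for name, hits in analyze(LOG).items():
        print(name, hits)
```

Each detector keys on a different column of the log, which is why the slide's "where to look" list matters: the size check needs response lengths, the covert-channel check needs full query names, and the rate and name-error checks need client addresses, and not every log source records all of these.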

Page 29:

Summary

1  Implement an in-depth defense to mitigate DNS attacks
2  Some mitigations require allies or broad implementation
3  Some of the best mitigations are "soft" (planning or administrative)

Page 30:

Reading List (Partial)

•  Top 10 DNS attacks: http://www.networkworld.com/article/2886283/security0/top-10-dns-attacks-likely-to-infiltrate-your-network.html
•  Manage your domain portfolio: http://securityskeptic.typepad.com/the-security-skeptic/2014/01/avoid-risks-manage-your-domain-portfolio.html
•  Securing open DNS resolvers: http://www.gtri.com/securing-open-dns-resolvers-against-denial-of-service-attacks/
•  DNS Tunneling: https://www.cloudmark.com/releases/docs/whitepapers/dns-tunneling-v01.pdf
•  DNS cache busting: http://blog.cloudmark.com/2014/10/07/a-dns-cache-busting-technique-for-ddos-style-attacks-against-authoritative-name-servers/
•  DNS Cache Poisoning: http://www.securityskeptic.com/dns-cache-poisoning.html
•  Anatomy of a DDoS attack: http://www.securityskeptic.com/anatomy-of-dns-ddos-attack.html
•  DNS reflection defense: https://blogs.akamai.com/2013/06/dns-reflection-defense.html
•  Protect the world from your network: http://securityskeptic.typepad.com/the-security-skeptic/2013/04/protecting-the-world-from-your-network.html
•  DNS Traffic Monitoring Series: http://www.securityskeptic.com/2014/09/dns-traffic-monitoring-series-at-dark-reading.html
•  Protect your DNS servers against DDoS attacks: http://www.gtcomm.net/blog/protecting-your-dns-server-against-ddos-attacks/
•  Fast Flux Botnet Detection in Realtime: http://www.iis.sinica.edu.tw/~swc/pub/fast_flux_bot_detection.html
•  DNS resource exhaustion: https://www.cloudmark.com/releases/docs/whitepapers/dns-resource-exhaustion-v01.pdf

Page 31:

Thank You and Questions

My Contact Info: dave.piscitello@icann.org, @securityskeptic, www.securityskeptic.com, about.me/davepiscitello

Questions?

Contact ICANN:
[email protected]
@icann
icann.org
safe.mn/icannsecurityteam