Post on 17-Jan-2016
1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2015 Infoblox Inc. All Rights Reserved. CONFIDENTIAL
DNS Security with Anti-DDoS and Anti-Malware for YOUR subscribers: only with Infoblox hardware appliances
Adam Obszyński, aobszynski@infoblox.com
Why Securing DNS is Critical

Unprotected, DNS increases risk to critical infrastructure and data:
• #1 protocol for volumetric reflection/amplification attacks
• DNS is critical networking infrastructure
• The DNS protocol is easy to exploit and attacks are prevalent
• Traditional security is ineffective against evolving threats
DNS Security Gap

• One of the fastest growing attack vectors
• Easy-to-exploit protocol
• Firewalls and IDS/IPS devices are not focused on DNS threats
• Proliferation of BYOD devices and mobile users, meaning threats may be inside the firewall
• A DNS security layer is needed to complement existing security solutions
DNS Security Challenges

1. Defending against DNS DDoS attacks (Authoritative + Recursive)
2. Stopping APTs/malware from using DNS (Recursive)
3. Preventing data exfiltration via DNS (Recursive)
APTs: The New Threat Landscape

• Malicious traffic is visible on 100% of corporate networks¹
• Every minute a host accesses a malicious website¹
• The question isn't if, but when you will be attacked, and how effectively you can respond
• APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data

Source: ¹ Cisco 2014 Annual Security Report

Operational sophistication of APT actors:
• Organized and well funded
• Profile organizations using public data/social media
• Target key POIs via spear phishing
• "Watering hole" target groups on trusted sites
• Leverage tried and true techniques like SQLi, DDoS & XSS
• Coordinated attacks: distract big, strike precisely
Evolution of DNS DDoS Attacks

• DNS-based DDoS attacks are constantly evolving and affect both external and internal DNS servers
• Methods range from amplification/reflection, floods and simple NXDOMAIN to highly sophisticated attacks involving botnets, chain reactions and misbehaving domains

[Figure: attack types shown on the timeline: DNS Tunneling, DNS Hijacking, Floods, Cache Poisoning, DrDoS, Random Subdomain, CPE Botnet Based, Domain Lock-up, Basic NXDOMAIN, Phantom Domain]
DNS Caching: Protection against attacks on caching servers

Advanced DNS Protection can secure DNS caching servers from DNS floods and other threats:
• A large number of bots make more requests of the DNS server than it can handle
• This causes the DNS server to drop inbound DNS requests
How Infoblox Secures DNS
Infoblox and Service Providers

• Dedicated SP Business Unit: dedicated Sales, SEs, Marketing, Engineering, Product Mgmt
• Market leadership: #1 in DNS Caching; first DNS Firewall; competition in decline
• IPO April 2012, NYSE (BLOX); $225M revenue; $2B market cap
• Dedicated SP product line: leads the industry with >1M DNS qps and Advanced DDoS protection; carrier-grade solution adopted at major Tier 1 providers
• 230+ Service Providers; 55,000+ systems shipped; 6,800+ Enterprises

[Chart: Total Revenue in $M (Fiscal Year Ending July 31), FY2007 to FY2014: 35, 56, 62, 102, 133, 169, 225, 250; 28% CAGR]
Hardened DNS Appliances

Conventional Server Approach:
• Multiple open ports: many open ports are subject to attack
• Users have OS-level account privileges on the server
• Requires time-consuming manual updates

Hardened Appliance Approach:
• Limited port access: dedicated hardware with no unnecessary logical or physical ports
• Secure access: no OS-level user accounts, only admin accounts; no SSH or root-shell access; secure HTTPS-based access to device management; encrypted device-to-device communication
• Update service: immediate updates to new security threats
• Hardware-based security & DNS acceleration
DNS Protection is Not Only About DDoS

Volumetric/DDoS Attacks:
• DNS reflection
• DNS amplification
• TCP/UDP/ICMP floods
• NXDOMAIN attack
• Phantom domain attack
• Random subdomain attack
• Domain lockup attack

DNS-specific Exploits:
• DNS-based exploits
• DNS cache poisoning
• DNS tunneling
• Protocol anomalies
• Reconnaissance
• DNS hijacking
Protection Against DNS Attacks

Attacks detected & dropped by Infoblox Internal DNS Security: DNS reflection, DNS amplification, TCP/UDP/ICMP floods, NXDOMAIN attack, phantom domain attack, random subdomain attack, domain lockup attack, DNS-based exploits, DNS cache poisoning, DNS tunneling, malformed DHCP requests

[Diagram: traffic flows from the INTERNET through the firewall into the ENTERPRISE; the Infoblox Internal DNS Security appliance passes legitimate traffic and drops DNS DDoS and DNS tunneling traffic; the Infoblox Automated Threat Intelligence Service feeds the appliance]
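Three of the recursive-side attacks listed above (NXDOMAIN floods, random-subdomain attacks and DNS tunneling) can be spotted from a resolver's own query log. The following is an added example, not Infoblox code and not taken from the deck: detection heuristics in Python over a constructed, simplified log format (client, qname, qtype, rcode). The thresholds, the two-label base-domain approximation and the sample traffic are assumptions chosen for illustration; a production detector would use the Public Suffix List and tune thresholds against real baseline traffic.

```python
"""Heuristics for three recursive-side attacks on these slides: DNS tunneling,
random-subdomain floods and NXDOMAIN floods. Added example, not Infoblox code.
Log format is constructed: "<client-ip> <qname> <qtype> <rcode>", one per line.
Sample traffic (also constructed): a normal client; a client tunnelling data in
TXT lookups of high-entropy labels; a random-subdomain flood on victim.example.org
from several clients whose authoritative server is failing (SERVFAIL/NXDOMAIN)."""
import math
from collections import Counter, defaultdict

SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 cdn.example.com A NOERROR
10.0.0.7 3a7f9c2e1b8d4f6a.tun.example.net TXT NOERROR
10.0.0.7 9d2c4b7e6f1a3c8d.tun.example.net TXT NOERROR
10.0.0.7 0e5b8a1d7c3f2e9a.tun.example.net TXT NOERROR
10.0.0.7 6c1f4e8b2a9d7c3e.tun.example.net TXT NOERROR
10.0.0.7 b8e2d5a9c4f1e7d3.tun.example.net TXT NOERROR
10.0.0.9 kq7x.victim.example.org A NXDOMAIN
10.0.0.10 z2mq.victim.example.org A NXDOMAIN
10.0.0.11 p9vd.victim.example.org A NXDOMAIN
10.0.0.12 r4tn.victim.example.org A SERVFAIL
10.0.0.13 w8hc.victim.example.org A SERVFAIL
10.0.0.9 www.victim.example.org A SERVFAIL
"""
FAILURE_RCODES = {"NXDOMAIN", "SERVFAIL"}

def parse_log(text):
    """Parse the constructed log into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            client, qname, qtype, rcode = parts
            records.append({"client": client, "qname": qname.lower().rstrip("."),
                            "qtype": qtype.upper(), "rcode": rcode.upper()})
    return records

def base_domain(qname, labels=2):
    """Registered-domain approximation (last two labels). A real detector would
    use the Public Suffix List; two labels is an assumption for this example."""
    return ".".join(qname.split(".")[-labels:])

def shannon_entropy(s):
    """Bits per character; hex or base32 payload labels score roughly 3.5 to 4.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def group_by_base(records):
    groups = defaultdict(list)
    for r in records:
        groups[base_domain(r["qname"])].append(r)
    return groups

def detect_tunneling(records, min_queries=4, min_label_len=12, min_entropy=3.0):
    """Flag base domains whose leftmost labels look like encoded payload:
    nearly all unique, long, and high-entropy."""
    flagged = {}
    for base, recs in group_by_base(records).items():
        if len(recs) < min_queries:
            continue
        leftmost = [r["qname"].split(".")[0] for r in recs]
        mean_len = sum(map(len, leftmost)) / len(recs)
        mean_entropy = sum(map(shannon_entropy, leftmost)) / len(recs)
        if (len(set(leftmost)) / len(recs) >= 0.9 and mean_len >= min_label_len
                and mean_entropy >= min_entropy):
            flagged[base] = {"queries": len(recs), "mean_label_len": mean_len,
                             "mean_entropy": round(mean_entropy, 2),
                             "qtypes": sorted({r["qtype"] for r in recs})}
    return flagged

def detect_random_subdomain(records, min_queries=5, min_clients=3, fail_ratio=0.8):
    """Flag base domains hit by many clients with unique, mostly failing names:
    the 'water torture' pattern that exhausts a recursive server's slots."""
    flagged = {}
    for base, recs in group_by_base(records).items():
        if len(recs) < min_queries:
            continue
        unique = {r["qname"].split(".")[0] for r in recs}
        failures = sum(r["rcode"] in FAILURE_RCODES for r in recs)
        clients = {r["client"] for r in recs}
        if (failures / len(recs) >= fail_ratio and len(unique) / len(recs) >= 0.8
                and len(clients) >= min_clients):
            flagged[base] = {"queries": len(recs), "clients": len(clients),
                             "failure_ratio": failures / len(recs)}
    return flagged

def client_failure_ratio(records):
    """Per-client share of NXDOMAIN/SERVFAIL answers (plain NXDOMAIN floods)."""
    total, failed = Counter(), Counter()
    for r in records:
        total[r["client"]] += 1
        failed[r["client"]] += r["rcode"] in FAILURE_RCODES
    return {c: failed[c] / total[c] for c in total}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(detect_tunneling(recs), detect_random_subdomain(recs), client_failure_ratio(recs))
```

On the sample, the tunnelling heuristic flags example.net (five unique 16-character hex labels, entropy 3.75 bits per character, all TXT) and the random-subdomain heuristic flags example.org (six unique names from five clients, every answer a failure); the normal client scores zero failures. The two heuristics are deliberately separate because the attacks look different to the resolver: tunnelling is one client, many distinct high-entropy names, mostly NOERROR; a random-subdomain flood is many clients, many distinct short names, mostly failures.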
Security Built-in to the DNS Infrastructure

[Diagram: DNS servers behind Infoblox PT appliances facing the Internet; protection against DNS threats; serve DNS queries under attack]

Use Cases
• Enterprise customers
  - External authoritative DNS server
  - Internal DNS: enterprises / universities with open networks
• Service providers
  - Recursive caching
  - Authoritative DNS services

Traditional security appliances mitigate only part of the attacks against DNS.
Protection Against APTs/Malware: DNS Firewall

1. An infected device is brought into the office. Malware spreads to other devices on the network.
2. Malware makes a DNS query to find "home" (botnet / C&C). DNS Firewall looks at the DNS response and takes an admin-defined action (disallows communication to the malware site, or redirects traffic to a landing page or "walled garden" site). The blocked communication attempt is sent to syslog.
3. Pinpoint. Infoblox Reporting lists the DNS Firewall action as well as the:
   • Device IP address
   • Device MAC address
   • Device type/OS (DHCP fingerprint)
   • Device host name
   • Device lease history
   • AD login name
   • Switch/port/VLAN
4. An update from the Infoblox threat update service (IPs, domains, etc. of bad servers) will occur every 2 hours (or more often for a significant threat).

[Diagram: Malware/APT on the INTRANET spreads within the network and calls home to malicious domains on the INTERNET; the DNS Firewall blocks the attempt and logs it]
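The DNS Firewall flow in step 2 above is response-policy enforcement: the resolver matches the query name (and, for some feeds, the answer addresses) against a threat list and rewrites what the client receives. As an added example that is not Infoblox's code or configuration, the Python below re-implements RPZ-style matching rules independently: exact and wildcard name triggers with most-specific-wins precedence, a response-IP trigger, NXDOMAIN and walled-garden actions, and the syslog-style event the slide mentions. The policy entries, client addresses and walled-garden address are constructed.

```python
"""RPZ-style DNS Firewall policy evaluation: match the query name or the answer
IPs against a threat feed, then block, redirect to a walled garden, or pass the
answer through, and emit a syslog-style event for blocked attempts.

Added example, not Infoblox code. Triggers, actions and the walled-garden
address are constructed; this is an independent re-implementation of RPZ-style
matching, not the product's implementation."""
import ipaddress

WALLED_GARDEN_IP = "192.0.2.200"  # constructed landing-page address

# Constructed policy. QNAME triggers follow RPZ semantics: "name" matches that
# name only, "*.name" matches its subdomains; the most specific trigger wins,
# which lets a PASSTHRU whitelist one host under an otherwise blocked zone.
POLICY = {
    "qname": {
        "badcnc.example": "NXDOMAIN",
        "*.badcnc.example": "NXDOMAIN",
        "trusted.badcnc.example": "PASSTHRU",
        "*.dropper.example": "WALLED-GARDEN",
    },
    # Response-IP triggers (RPZ "rpz-ip"): block any name resolving into these.
    "ip": {"198.51.100.0/24": "NXDOMAIN"},
}

def normalize(name):
    return name.lower().rstrip(".")

def match_qname(qname, qname_policy):
    """Return (trigger, action) for the most specific QNAME match, or None."""
    labels = normalize(qname).split(".")
    candidates = [".".join(labels)]                                  # exact name
    candidates += ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for trigger in candidates:                          # longest suffix first
        if trigger in qname_policy:
            return trigger, qname_policy[trigger]
    return None

def match_response_ip(answer_ips, ip_policy):
    """Return (trigger, action) if any answer address falls in a policy prefix."""
    for ip in answer_ips:
        addr = ipaddress.ip_address(ip)
        for prefix, action in ip_policy.items():
            if addr in ipaddress.ip_network(prefix):
                return prefix, action
    return None

def apply_policy(client, qname, answer_ips, policy=POLICY):
    """Decide what the resolver returns to the client and what gets logged.
    QNAME triggers are evaluated before response-IP triggers, as in RPZ."""
    hit, kind = match_qname(qname, policy["qname"]), "qname"
    if hit is None:
        hit, kind = match_response_ip(answer_ips, policy["ip"]), "ip"
    if hit is None or hit[1] == "PASSTHRU":
        return {"action": "PASSTHRU", "answer": list(answer_ips), "log": None}
    trigger, action = hit
    if action == "NXDOMAIN":
        answer = []                    # name error: malware cannot connect
    elif action == "WALLED-GARDEN":
        answer = [WALLED_GARDEN_IP]    # redirect the client to the landing page
    else:
        raise ValueError(f"unknown action {action!r}")
    # Event forwarded to syslog; reporting joins the client IP to MAC, lease
    # history and AD user as the slide describes.
    log = (f"dns-firewall client={client} qname={normalize(qname)} "
           f"action={action} trigger={kind}:{trigger}")
    return {"action": action, "answer": answer, "log": log}

if __name__ == "__main__":
    for client, name, ips in [
        ("10.0.0.7", "c2.badcnc.example.", ["203.0.113.9"]),
        ("10.0.0.7", "trusted.badcnc.example", ["203.0.113.10"]),
        ("10.0.0.8", "update.dropper.example", ["203.0.113.11"]),
        ("10.0.0.9", "www.example.com", ["198.51.100.23"]),
        ("10.0.0.5", "www.example.com", ["203.0.113.12"]),
    ]:
        print(apply_policy(client, name, ips))
```

The precedence rule matters operationally: without most-specific-wins, the wildcard block on *.badcnc.example would also swallow the whitelisted trusted.badcnc.example entry, and a feed update could silently break a legitimate service. The response-IP trigger is what makes "looks at the DNS response" more than a name lookup: a malware domain that rotates names but keeps its hosting prefix is still caught.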
DNS can make a huge difference!
Web Delay – Sample: Fast Web Performance Starts with DNS…

Source: © http://blog.catchpoint.com/

• http://techcrunch.com/
  - 300+ objects
  - 60+ domains
Web Delay – Sample 2: Fast Web Performance Starts with DNS…

• Two components to DNS latency:
  - Latency client <-> server
  - Caches <-> name servers
    - Cache misses
    - Under-provisioning
    - Malicious traffic

Source: © https://developers.google.com/
Devices vs Solutions, Self-made vs Dedicated

• A dedicated DNS cache appliance does not stop answering queries from cache when capacity limits are reached for cache misses, NXDOMAIN queries etc.

[Chart: average latency (seconds), BIND vs Infoblox 4030 DNS Cache]
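The bullet above claims the dedicated cache keeps serving cached answers when its cache-miss capacity is exhausted. The reason is architectural: hit serving and outbound recursion must not share a single resource pool that an attacker can fill. The following toy discrete-time model, added here as an example (not Infoblox code, and not a measurement from the deck), compares a server with one shared worker pool against one that isolates cache hits from a bounded recursion pool, under a constructed random-subdomain flood. Pool size, tick costs and the traffic mix are assumptions.

```python
"""Toy model of a recursive cache under a cache-miss flood. Added example, not
Infoblox code; all numbers are constructed.

One query arrives per tick. A cache miss ties up a recursion slot for
MISS_TICKS ticks (the authoritative server is slow or unresponsive, as in a
random-subdomain attack); a cache hit costs one tick of work. A 'naive' server
uses one worker pool for everything; an 'isolated' server answers hits straight
from cache and spends the bounded pool only on misses."""

def build_stream(n=200, hit_every=5):
    """Constructed traffic: every hit_every-th query is a legitimate cache hit,
    everything else is a unique random subdomain that must be resolved."""
    stream = []
    for i in range(n):
        if i % hit_every == 0:
            stream.append(("hit", "www.example.com"))
        else:
            stream.append(("miss", f"r{i}.victim.example"))
    return stream

def simulate(stream, capacity=10, miss_ticks=50, isolate_hits=False):
    """Return counts of answered/accepted and dropped queries by kind."""
    workers = []  # remaining ticks for each busy slot
    stats = {"hit_answered": 0, "hit_dropped": 0,
             "miss_accepted": 0, "miss_dropped": 0}
    for kind, _name in stream:
        workers = [t - 1 for t in workers if t - 1 > 0]  # age and free slots
        if kind == "hit" and isolate_hits:
            stats["hit_answered"] += 1   # served from cache, no slot needed
            continue
        if len(workers) < capacity:
            workers.append(miss_ticks if kind == "miss" else 1)
            stats["hit_answered" if kind == "hit" else "miss_accepted"] += 1
        else:
            stats["hit_dropped" if kind == "hit" else "miss_dropped"] += 1
    return stats

def hit_service_ratio(stats):
    """Share of legitimate (cached) queries that were actually answered."""
    total = stats["hit_answered"] + stats["hit_dropped"]
    return stats["hit_answered"] / total if total else 0.0

if __name__ == "__main__":
    s = build_stream()
    for label, iso in (("naive", False), ("isolated", True)):
        st = simulate(s, isolate_hits=iso)
        print(f"{label:9s} {st}  hits served: {hit_service_ratio(st):.0%}")
```

Both servers drop most of the flood, which is unavoidable once the recursion slots are full; the difference is that the naive design also drops the legitimate cache hits queued behind the misses, while the isolated design answers every one of them. That is the property to ask for in the chart above: latency and availability of cached answers while a miss flood is in progress, not peak queries per second on clean traffic.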
Advanced Appliances Come in Four Physical Platforms

Advanced Appliances have next-generation programmable processors that provide dedicated compute for threat mitigation. The appliances offer both AC and DC power supply options.

Performance:
• 50 000 qps
• 143 000 qps
• 200 000 qps
• 300k / 600k / 5 000 000 qps

Target markets: SP & Enterprise; SP / ISP subscriber DNS caching (hardware based!)
Test Us! Find DNS Threats in your Network
Send Us Your PCAP Files
• Infoblox analyzes and provides insights on malicious activity in seconds
• Report on findings to take back to management
How to deploy + Case Study from Poland
Case Study: Cable SP

• Huge attacks
• Press info about the ISP being down for 8 days!
Design
System topology
First month stats: blocked 6M events across multiple risk levels
CHR vs CPU vs User Experience == NO CHURN

[Chart: cache hit ratio vs resources vs user experience]
Secure DNS Deployment

[Diagram: three zones, INTERNET, DMZ and INTRANET, separated by firewalls.
• In the DMZ, Infoblox External DNS Security protects the external authoritative/caching server: legitimate traffic is answered while external attacks (DNS DDoS, DNS exploits) are blocked.
• On the intranet, Infoblox Internal DNS Security protects the internal recursive Infoblox DNS caching server: legitimate DNS queries are answered while DNS DDoS, data exfiltration attempts and malware/APT communication are blocked.
• The Infoblox Automated Threat Update Service sends rule updates for DNS-based attacks to the external appliance, and updates for DNS-based attacks and malicious domains to the internal appliance.
• Both appliances send data for reports to the Infoblox Reporting Server.]
Q&A
Infoblox Differentiation and Value

[Comparison table: columns Infoblox Advanced DNS Protection, Load Balancers, Pure DDoS, Next-gen Firewalls, IPS, Cloud; per-cell ratings not recoverable from the transcript]

Rows:
• Dedicated compute for threat mitigation
• Volumetric/DDoS Attacks: General DDoS; DNS DDoS; DNS amplification; DNS reflection; NXDOMAIN
• DNS-specific Exploits: DNS server OS and application vulnerabilities; DNS semantic attacks; Cache poisoning; DNS tunneling; DNS hijacking