Monitoring for DNS Security
TRANSCRIPT
DNS Webinar Series
• Intro to DNS • November 15th 2016 • An overview of the Domain Name System, resources, records, name resolution and name servers.
• DNS Security • December 13th 2016 • Tips and examples covering DNS hijacking and DDoS attacks on DNS infrastructure.
• Monitoring DNS Records and Servers • January 17th 2017 • An in-depth view on how to monitor and alert on DNS availability, response time and record mappings.
About ThousandEyes
ThousandEyes delivers visibility into every network your organization relies on.
• Founded by network experts; strong investor backing
• Relied on for critical operations by leading enterprises
• Recognized as an innovative new approach
• 31 Fortune 500 companies; 5 of the top 5 SaaS companies; 4 of the top 6 US banks
Two DNS Security Threats
• DDoS: saturates network links, hardware or servers to deny service
• DNS Hijacking & Poisoning: spoofs DNS mappings to reroute traffic to a malicious endpoint
Network Topology of a DDoS Attack
[Diagram: traffic sources in Chicago, IL; London; Tokyo; Atlanta; Portland, OR; and Sydney crossing the Internet toward domain.com in the Enterprise network]
Attackers flood your web service from around the world
Cloud-Based DDoS Mitigation
[Diagram: the same sources (Chicago, IL; London; Tokyo; Atlanta; Portland, OR; Sydney), with the Internet, a Scrubbing Center and the Enterprise network hosting domain.com]
Traffic is rerouted, using DNS or BGP, to cloud-based scrubbing centers and ‘real’ traffic is routed back to your network
Monitoring for DDoS Attacks
• Global Availability
• Mitigation Deployment
• Mitigation Performance
• Vendor Collaboration
DNS Cache Poisoning
[Diagram: User; Local DNS Cache; Authoritative DNS Server dns.website.com serving www.website.com; Attacker; Attacker DNS Server dns.attack.com serving www.attack.com]
1. Attacker inserts a false record into the DNS cache (unsecured DNS server: no DNSSEC, no port randomization)
2. User requests DNS record for www.website.com
3. Looks up record on spoofed name server
4. User accesses spoofed URL
Monitoring for DNS Hijacking & Poisoning
• Global Availability
• Verify Mappings
• DNSSEC Validation
• Alerting
Monitoring for DNS Security
[Diagram: Managed DNS Provider, Internet and Access Networks; Cloud Agents & DNS+ Vantage Points; Enterprise Agents in the Branch and Data Center]
1. On-Premises DNS: local caching resolvers and self-hosted DNS
2. Hosted DNS: authoritative, TLD and root name servers
Alerting for DNS Security

Scenario                     | Test Type                              | Threshold
DDoS - Performance Impact    | DNS Server, DNS+ Domain, DNS+ Server   | Resolution Time ≥ _____ ms
DDoS - Performance Impact    | DNS Server, DNS Trace                  | Error is present
DDoS - Performance Impact    | DNS+ Domain                            | Availability ≤ _____%; Reference Availability ≤ _____%
DDoS - Mitigation Activation | BGP                                    | Origin ASN in _____; Next Hop ASN in _____; Prefix not in _____
DNS Hijacking & Poisoning    | DNS Server, DNS Trace                  | Mapping not in _____
DNS Hijacking & Poisoning    | DNS+ Domain                            | Mapping not in _____; % of Mappings > _____%
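As an added example (not ThousandEyes code), the performance-impact and hijacking/poisoning rules from the table evaluated in Python over constructed vantage-point observations; the vantage-point names, IP addresses and threshold values are made up.

```python
# Added example (not ThousandEyes code): evaluate the table's alert rules offline.
from dataclasses import dataclass, field

@dataclass
class Observation:
    vantage: str                 # constructed vantage-point name
    resolved: bool               # False = lookup error or timeout at this vantage point
    resolution_ms: float = 0.0
    mappings: frozenset = field(default_factory=frozenset)  # A records returned

@dataclass
class Thresholds:
    max_resolution_ms: float      # "Resolution Time >= ___ ms"
    min_availability_pct: float   # "Availability <= ___ %"
    expected_mappings: frozenset  # "Mapping not in ___"
    max_spoofed_pct: float        # "% of Mappings > ___ %"

def evaluate(observations, t):
    """Return (rule, detail) alerts for one domain across all vantage points."""
    alerts = []
    ok = [o for o in observations if o.resolved]
    availability = 100.0 * len(ok) / len(observations) if observations else 0.0
    if availability <= t.min_availability_pct:
        alerts.append(("availability", f"{availability:.1f}% of vantage points resolved"))
    for o in ok:                       # DDoS performance impact: slow answers
        if o.resolution_ms >= t.max_resolution_ms:
            alerts.append(("resolution_time", f"{o.vantage}: {o.resolution_ms:.0f} ms"))
    # Hijacking / poisoning: any answer outside the approved set is a spoofed mapping
    spoofed = [o for o in ok if not o.mappings <= t.expected_mappings]
    for o in spoofed:
        alerts.append(("mapping_not_expected",
                       f"{o.vantage}: {sorted(o.mappings - t.expected_mappings)}"))
    spoofed_pct = 100.0 * len(spoofed) / len(ok) if ok else 0.0
    if spoofed_pct > t.max_spoofed_pct:
        alerts.append(("spoofed_mapping_pct", f"{spoofed_pct:.1f}% of resolving vantage points"))
    return alerts

# Constructed sample: one spoofed answer (Sydney), one slow answer (Tokyo), one failure (Atlanta).
THRESHOLDS = Thresholds(200.0, 90.0, frozenset({"198.51.100.10"}), 10.0)
SAMPLE = [
    Observation("Chicago", True, 30.0, frozenset({"198.51.100.10"})),
    Observation("London", True, 25.0, frozenset({"198.51.100.10"})),
    Observation("Tokyo", True, 450.0, frozenset({"198.51.100.10"})),
    Observation("Atlanta", False),
    Observation("Sydney", True, 40.0, frozenset({"203.0.113.7"})),
]
if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE, THRESHOLDS):
        print(f"ALERT {rule}: {detail}")
```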
Tips for Secure DNS Management
Operational Protocol
• Stay informed about new vulnerabilities
• Automated patch management
• Global DNS integrity monitoring with alerts
• DNSSEC
Architecture
• Service resiliency
• Avoid single points of failure
• Diversify DNS providers
Read more: https://blog.thousandeyes.com/secure-dns-management-best-practices/
DDoS: Dyn Sees Availability and Loss Issues
[Screenshot callouts]
• Low of 0% availability
• Correlates with 100% packet loss
DDoS: Dyn Traffic Terminates in Telia
[Screenshot callouts]
• Anycast IP accessible from some locations
• Traffic terminating in Telia network
DNS Hijack: Craigslist Records Compromised
[Screenshot callouts]
• Spoofed mapping
• Vantage points with spoofed record
• Prevalence of spoofed mapping over time
Networks with Records to Flush
[Screenshot callouts]
• Breakdown available by country and network
• Number of vantage points with spoofed records