DNS Security Threats and Solutions

DNS Security: Threats and Solutions
Cricket Liu, Chief DNS Architect
Irving, Texas | April 16, 2015
© 2013 Infoblox Inc. All Rights Reserved.

Transcript of DNS Security Threats and Solutions




Outline

• Threat: Distributed Denial of Service and DNS

• Solutions: Monitoring DNS Traffic, Anycast and Response Rate Limiting, Advanced DNS Protection

• Threat: Cache Poisoning

• Solutions: Query Port Randomization and DNSSEC

• Threat: Malware Propagation, Command and Control, Tunneling

• Solution: Response Policy Zones

DDoS and DNS

• DDoS attacks are twice the threat to DNS
  – DDoS attacks target name servers
  – DDoS attacks use name servers

DDoS Attacks Target Name Servers

• Authoritative name servers are obviously a critical resource
  – Without them, your customers can’t get to your web site, send you email

• Authoritative name servers are easy to find: dig ns company.example.

– “…big increase in proportion of attacks targeting DNS in Q2” – Arbor Networks
– Up from 8% to 13.3%
– Recent DNS query flooding attack against a Prolexic customer: 119 Gbps

And DDoS Attacks Use Name Servers

• Why? Because name servers make surprisingly good amplifiers
  – This one goes to eleven…

DDoS Illustrated

(Diagram) The evil resolver sends spoofed queries, with the target’s address as the source, to open recursive name servers; their responses go to the spoofed address, that is, to the target.

$ dig @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec

; <<>> DiG 9.9.1-P1 <<>> @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34036
;; flags: qr aa; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 15

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.                       IN      ANY

;; ANSWER SECTION:
[answer records (SOA, NS, A, MX, TXT, AAAA, NAPTR, NSEC, DNSKEY, SPF and their RRSIGs) elided]

;; ADDITIONAL SECTION:
[additional records (name server and mail exchanger A/AAAA records and their RRSIGs) elided]

;; Query time: 35 msec
;; SERVER: 2001:4f8:0:2::19#53(2001:4f8:0:2::19)
;; WHEN: Wed Sep 4 11:14:01 2013
;; MSG SIZE  rcvd: 4077

Amplification: They Go Past Eleven…

Query for isc.org/ANY: 53 bytes sent, 4077 bytes received, ~77x amplification!

A Little Math

• Say each bot has a measly 1 Mbps connection to the Internet
  – It can send 1 Mbps / 53 B =~ 2415 qps
  – That generates 2415 pps * 4077 B =~ 78 Mbps

• So 13 bots > 1 Gbps

Solution: Monitoring DNS Traffic

• Monitor traffic to your name servers, including
  – Aggregate query rate
  – Top queriers


Monitoring Aggregate Query Rate



Setting an Alert on Aggregate Query Rate



Monitoring Top Clients
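The three monitoring views above (aggregate rate, an alert on that rate, top clients) can be approximated from a name server’s own query log. The script below is an added illustration, not code from the slides or from any Infoblox product: it parses a few constructed BIND-style query log lines, computes queries per second, flags seconds above an assumed alert threshold, and lists the busiest queriers together with their share of ANY queries (the amplification vector shown earlier). The log layout, client addresses and threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed BIND-style query log lines (not real traffic): two ordinary clients
# plus one host (198.51.100.7) hammering the server with isc.org/ANY queries.
SAMPLE_LOG = """\
16-Apr-2015 11:14:01.103 client 192.0.2.10#53211: query: www.example.com IN A + (10.0.0.1)
16-Apr-2015 11:14:01.250 client 198.51.100.7#1024: query: isc.org IN ANY + (10.0.0.1)
16-Apr-2015 11:14:01.251 client 198.51.100.7#1024: query: isc.org IN ANY + (10.0.0.1)
16-Apr-2015 11:14:01.252 client 198.51.100.7#1024: query: isc.org IN ANY + (10.0.0.1)
16-Apr-2015 11:14:01.253 client 198.51.100.7#1024: query: isc.org IN ANY + (10.0.0.1)
16-Apr-2015 11:14:01.900 client 192.0.2.11#40001: query: mail.example.com IN MX + (10.0.0.1)
16-Apr-2015 11:14:02.010 client 198.51.100.7#1024: query: isc.org IN ANY + (10.0.0.1)
16-Apr-2015 11:14:02.011 client 198.51.100.7#1024: query: isc.org IN ANY + (10.0.0.1)
16-Apr-2015 11:14:02.500 client 192.0.2.10#53212: query: www.example.com IN AAAA + (10.0.0.1)
"""

# Assumed log layout: "<timestamp> client <ip>#<port>: query: <qname> IN <qtype> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return (second, client, qname, qtype) tuples for every line that parses."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            second = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            records.append((second, m["client"], m["qname"], m["qtype"]))
    return records


def aggregate_qps(records):
    """Queries per wall-clock second: {datetime (whole seconds): count}."""
    return Counter(second for second, _, _, _ in records)


def rate_alerts(records, threshold_qps):
    """Seconds whose aggregate query rate exceeds the alert threshold, as strings."""
    return [str(sec) for sec, n in sorted(aggregate_qps(records).items()) if n > threshold_qps]


def top_queriers(records, n=3):
    """The n busiest client addresses with their query counts, busiest first."""
    return Counter(client for _, client, _, _ in records).most_common(n)


def any_query_share(records, client):
    """Fraction of one client's queries that were type ANY."""
    qtypes = [qtype for _, c, _, qtype in records if c == client]
    return sum(1 for q in qtypes if q == "ANY") / len(qtypes) if qtypes else 0.0


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    print("alert seconds (> 5 qps):", rate_alerts(recs, 5))
    for client, count in top_queriers(recs):
        print(f"{client:16} {count:3} queries, ANY share {any_query_share(recs, client):.0%}")
```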


Solution: Anycast

• Anycast allows multiple, distributed name servers to share a single virtual IP address

• Each name server advertises a route to that address to its neighbors

• Queries sent to that address are routed to the closest name server instance

Anycast in Action

(Diagram) A client sends a DNS query to 10.0.0.1. Two server instances, A and B, both answer to that address behind Router 1 (with Routers 2, 3 and 4 in between), reachable via next-hops 192.168.0.1 and 192.168.0.2.

Routing table from Router 1:

Destination   Mask  Next-Hop     Distance
192.168.0.0   /29   127.0.0.1    0
10.0.0.1      /32   192.168.0.1  1
10.0.0.1      /32   192.168.0.2  2


How Does Anycast Address DDoS?

• From any one location on the Internet, you can only see (and hence attack) a single member of an anycast group at once

• If you succeed in taking out that replica, routing will shift traffic to another
  – The first replica will probably recover
  – It’s like Whac-A-Mole


Anycast Made Easy

Solution: Response Rate Limiting

• Originally a patch to BIND 9 by Paul Vixie and Vernon Schryver
  – Now included in BIND 9, other name servers

• Applies to authoritative name servers used in DDoS attacks against others

• Prevents these name servers from sending the same response to the same client too frequently

How RRL Works

(Diagram) The evil resolver sends isc.org/ANY queries carrying the target’s spoofed address to the isc.org name servers; a token bucket on those servers limits how often the 4077-byte response is sent to the target.

How Well Does RRL Work?

• Pretty darn well
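A simplified model of the token bucket from the “How RRL Works” diagram, added here as an example and not BIND’s implementation: responses are keyed by client prefix and response identity, each key earns responses_per_second credits per second, and once the credits are gone the response is withheld, with every slip-th one sent truncated so a genuine client behind a spoofed address can retry over TCP. Whole-second timing, the parameter values and the event stream are assumptions of this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network


class ResponseRateLimiter:
    """One token bucket per (client prefix, response identity).

    Simplifications compared with real RRL (assumptions of this example, not BIND's
    exact accounting): time is in whole seconds, every response costs one credit,
    credits refill at responses_per_second and can bank up to window seconds' worth,
    and every slip-th response that would be dropped is sent truncated (TC=1) instead.
    """

    def __init__(self, responses_per_second=5, window=15, slip=2,
                 ipv4_prefixlen=24, ipv6_prefixlen=56):
        self.rate = responses_per_second
        self.window = window
        self.slip = slip
        self.v4len, self.v6len = ipv4_prefixlen, ipv6_prefixlen
        self.buckets = {}                # key -> (credits, last_update_second)
        self.dropped = defaultdict(int)  # key -> responses withheld so far

    def _key(self, client_ip, qname, qtype, rcode):
        # Clients are aggregated by prefix, so a whole /24 of forged sources shares one bucket.
        addr = ip_address(client_ip)
        plen = self.v4len if addr.version == 4 else self.v6len
        net = ip_network(f"{client_ip}/{plen}", strict=False)
        return (str(net), qname.lower(), qtype.upper(), rcode)

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'send', 'slip' (send truncated) or 'drop' for one response at second `now`."""
        key = self._key(client_ip, qname, qtype, rcode)
        credits, last = self.buckets.get(key, (self.rate, now))
        credits = min(credits + (now - last) * self.rate, self.rate * self.window)
        if credits >= 1:
            self.buckets[key] = (credits - 1, now)
            return "send"
        self.buckets[key] = (credits, now)
        self.dropped[key] += 1
        if self.slip and self.dropped[key] % self.slip == 0:
            # TC=1: a real client retries over TCP; a spoofed address only gets a small reply.
            return "slip"
        return "drop"


def simulate(limiter, events):
    """Feed (second, client_ip, qname, qtype) events through the limiter in order."""
    return [limiter.decide(t, ip, qname, qtype) for t, ip, qname, qtype in events]


if __name__ == "__main__":
    rrl = ResponseRateLimiter()
    # Constructed: 20 identical isc.org/ANY responses toward one forged source within
    # one second, then three unrelated queries from other clients.
    flood = [(0, "203.0.113.9", "isc.org", "ANY")] * 20
    others = [(0, "192.0.2.1", "www.example.com", "A"),
              (0, "192.0.2.2", "mail.example.com", "MX"),
              (0, "198.51.100.4", "isc.org", "ANY")]
    print("flood :", simulate(rrl, flood))
    print("others:", simulate(rrl, others))
```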

Threat: Cache Poisoning

• Inducing a name server to cache bogus resource records

• Can redirect…
  – web browsers to bogus replicas of web sites, where logins, passwords and credit card numbers are captured
  – email to hostile mail servers, where mail can be recorded or modified

The Kashpureff Attack

• Exploited a flaw in the BIND name server

(Diagram) The Evil™ resolver asks the recursive name server for xxx.alternic.net/A; the recursive name server sends the same query to the alternic.net name server, whose response carries xxx.alternic.net A plus an extra www.internic.net A record, and the extra record lands in the recursive name server’s cache.

Message IDs

• Name servers use 16-bit message IDs to match responses with queries

(Diagram) ns1 sends a query with message ID 38789 to ns2; ns2’s response carries the same message ID, 38789.

The Klein Vulnerability

• The pseudo-random number generator (PRNG) responsible for generating message IDs wasn’t random enough
  – If it generated an even message ID, the next message ID was one of 10 possibilities
  – If you could capture 13 to 15 consecutive message IDs, you could reproduce the state of the PRNG

• Brute-force guessing of 65536 possible message IDs seems hard

• Actually, it’s not that hard, if you get a lot of guesses

• In 2008, brute-force guessing was a Birthday Attack

The Birthday Paradox

• 365 (or 366) possible birthdays in the year

• Chances of two people chosen at random having different birthdays:

• Chances of n people chosen at random having different birthdays:
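The product behind the “So?” table that follows, written out as an added worked equation (it is not on the original slide):

$$
P_{\text{different}}(n) = \prod_{i=0}^{n-1} \frac{365 - i}{365} = \prod_{i=0}^{n-1}\left(1 - \frac{i}{365}\right) \approx \exp\!\left(-\frac{n(n-1)}{2 \cdot 365}\right)
$$

$$
P_{\text{collision}}(n) = 1 - P_{\text{different}}(n), \qquad P_{\text{collision}}(23) = 1 - \frac{365 \cdot 364 \cdots 343}{365^{23}} \approx 1 - 0.493 = 0.507
$$

Replacing 365 by the 65536 possible message IDs gives the chance that a set of n independently chosen IDs contains a repeat, which is why the guessing effort grows with the square root of the ID space rather than with the size of the space itself.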

So?

Number of people   Chances two or more have same birthday
10                 12%
20                 41%
23                 50.7%
30                 70%
50                 97%
100                99.99996%

Number of replies  Chances of correct guess
200                ~20%
300                ~40%
500                ~80%
600                ~90%

The Kaminsky Vulnerability

(Diagram) The hacker asks the recursive name server for q00001.paypal.com/A; the recursive name server sends the same query to the paypal.com name servers; before their real answer (R: NXDOMAIN) arrives, the hacker sends many, many spoofed responses.

Yeah, But...

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61718
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;q00001.paypal.com.             IN      A

;; AUTHORITY SECTION:
q00001.paypal.com.      86400   IN      NS      www.paypal.com.

;; ADDITIONAL SECTION:
www.paypal.com.         86400   IN      A       10.0.0.1

Query Port Randomization

• To make spoofing responses more difficult, we use random query ports
  – In addition to a random message ID
  – Now you have to guess both the message ID and the query port

• But this isn’t a complete solution
  – It takes longer to guess, but it’s not impossible

Solution: DNSSEC

• The DNS Security Extensions, or DNSSEC, use asymmetric cryptography to allow
  – Administrators to “sign” zone data
  – Recursive name servers to validate signed zone data

• This provides
  – Authentication of DNS zone data
  – Integrity checking of DNS zone data

DNSSEC: The Cost

• To do this, DNSSEC...
  – Introduces new resource record types
  – Adds these records to signed zones
  – Introduces new fields to the DNS message header
  – Adds new administrative processes
    - Key generation, signing, re-signing, DS set submission, key rollover...

An Unsigned Zone

$TTL 1h
foo.example.    IN SOA   bigmo.nxdomain.com. root.bigmo.nxdomain.com. (
                         20 21600 3600 2592000 900 )
                IN NS    bigmo.nxdomain.com.
                IN MX 0  bigmo.nxdomain.com.
                IN A     10.0.0.1
www             IN CNAME @

The Same Zone, Signed

; File written on Mon Jan 4 14:26:13 2010
; dnssec_signzone version 9.7.0rc1
foo.example.            900     IN SOA  bigmo.nxdomain.com. root.bigmo.nxdomain.com. (
                                        20         ; serial
                                        21600      ; refresh (6 hours)
                                        3600       ; retry (1 hour)
                                        2592000    ; expire (4 weeks 2 days)
                                        900        ; minimum (15 minutes)
                                        )
                        900     RRSIG   SOA 5 2 900 20100203212613 (
                                        20100104212613 24480 foo.example.
                                        vIWxKd/x4nd+B/7fwWBNVEJL2s4eQEQPrW31
                                        QdgqhBYFF92glVRKjB5te0n07AI9zPQ7JOJq
                                        8DxlfuOGWWdATA== )
                        900     NS      bigmo.nxdomain.com.
                        900     RRSIG   NS 5 2 900 20100203212613 (
                                        20100104212613 24480 foo.example.
                                        jj+8qj9oO5zOJVx/itXHiYwoDar+SMubMxqi
                                        CuEj1lQVOOLrpulHpertQlKO2lG7n+bEgT6W
                                        fzS5FTMCZrLS7Q== )
                        900     A       10.0.0.1
                        900     RRSIG   A 5 2 900 20100203212613 (
                                        20100104212613 24480 foo.example.
                                        x9HhmPc9ORCNvTaXTUVIrcQ2jG/wIPjSYE6D
                                        +0plW2JVC3jVRRRRX9xL050mZuCfX6/28Jtg
                                        DkCiv5Vq1CZEbg== )
                        900     MX      0 bigmo.nxdomain.com.
                        900     RRSIG   MX 5 2 900 20100203212613 (
                                        20100104212613 24480 foo.example.
                                        pmSNnHDWagatKcW2YFSu6ha1qp9IDq+Ta9th
                                        SIaXrZdZhV0+FFGU3bgg/Y2R8O4laX5AM3dw
                                        1PgTinwF8w5IVw== )
                        900     NSEC    www.foo.example. A NS SOA MX RRSIG NSEC DNSKEY

The Same Zone, Signed (continued)

                        900     RRSIG   NSEC 5 2 900 20100203212613 (
                                        20100104212613 24480 foo.example.
                                        UWJ12tRC53aagZ2xbyI7Q01ph8sjTqNhhRRv
                                        qCLe3cqq+nMkDTTHd4Thc/ofjsItVZQ9tphN
                                        HLjCGHytn6UZLg== )
                        900     DNSKEY  256 3 5 (
                                        AwEAAcfYFU1yZfzMVZI1mmr3IhvFQGN5qqqP
                                        GB/35m0Kq+KVad8nY2Gr+14KexBBEJIuFwAm
                                        KT7IpFVhSt2YMUjr4sc=
                                        ) ; key id = 24480
                        900     DNSKEY  257 3 5 (
                                        AwEAAa1Z3PzmmTQ8wBty0RHb3/FVpw+fRXNh
                                        /pxA6EQ8rcnNHbQDGkd50iTRXBphgZTrcAgd
                                        HvSn8IIYylQe9Euu750=
                                        ) ; key id = 29062
                        900     RRSIG   DNSKEY 5 2 900 20100203212613 (
                                        20100104212613 24480 foo.example.
                                        MK70q4hHghxQElcVuPx9dQwV7Y/MXd82z8A8
                                        B5ZWq5bMax0DLEDk4vYaWL0XjuiPuSTI9mNb
                                        UNj5EtB272azBA== )
                        900     RRSIG   DNSKEY 5 2 900 20100203212613 (
                                        20100104212613 29062 foo.example.
                                        GDH51truQbh3HIR/FvuoIlZ6N+WxtbhpR/zY
                                        OIM3LkRlCd6yVLaYVSVS8p6RMJFGSjh40xE/
                                        S0jvtCfH+4XYqw== )
www.foo.example.        900     IN CNAME foo.example.
                        900     RRSIG   CNAME 5 3 900 20100203212613 (
                                        20100104212613 24480 foo.example.
                                        PbHHMlRdxSwFnhn3Dgg32DTsWBLLcbMW84Mn
                                        ZFUHtordYu3Im6+NliLi9HWb6gQHRo/q2JyU
                                        btEF65jJDZBuqQ== )
                        900     NSEC    foo.example. CNAME RRSIG NSEC
                        900     RRSIG   NSEC 5 3 900 20100203212613 (
                                        20100104212613 24480 foo.example.
                                        PhWf9HC5MfAcSFtwJ8Qmb2JuxDzf5ECQ7hw1
                                        0V4jfdUmp3TOgh2a7lyJhh06aYg29ZPSZR7F
                                        0I/6Ptva2oKrug== )
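The signed zone above carries two NSEC records, one per name, and they are what lets a validating resolver prove that a name does not exist. The code below is an added example, not from the slides or from any signing tool: it copies those two NSEC records, implements the canonical name ordering of RFC 4034 section 6.1, and decides whether a query is proven nonexistent (NXDOMAIN), hits an existing name that lacks the type (NODATA), or exists. It assumes the RRSIGs over the NSEC records have already been validated; the query names are constructed, and wildcard, closest-encloser and NSEC3 proofs are out of scope.

```python
# Owner, next-owner and type bitmap of the two NSEC records in the signed foo.example
# zone shown above (copied from the slide; their RRSIGs are assumed already validated).
FOO_EXAMPLE_NSEC = [
    ("foo.example.", "www.foo.example.", {"A", "NS", "SOA", "MX", "RRSIG", "NSEC", "DNSKEY"}),
    ("www.foo.example.", "foo.example.", {"CNAME", "RRSIG", "NSEC"}),
]


def canonical_labels(name):
    """Labels in canonical order (RFC 4034 section 6.1): root-most first, lower-cased."""
    return [label.lower() for label in name.rstrip(".").split(".") if label][::-1]


def canonical_cmp(a, b):
    """-1, 0 or 1 for canonical DNS name ordering of a relative to b."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:  # labels compare as left-justified octet strings
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))  # a missing label sorts first


def in_zone(apex, name):
    """True if name is at or below apex."""
    la, ln = canonical_labels(apex), canonical_labels(name)
    return ln[:len(la)] == la


def nsec_covers(owner, nxt, qname):
    """True if qname falls strictly between owner and next, i.e. no such name exists."""
    if canonical_cmp(owner, nxt) < 0:
        return canonical_cmp(owner, qname) < 0 < canonical_cmp(nxt, qname)
    # The last NSEC in a zone points back to the apex and covers everything after its owner.
    return canonical_cmp(owner, qname) < 0 or canonical_cmp(nxt, qname) > 0


def prove(nsec_records, apex, qname, qtype):
    """Classify a query against the validated NSEC records of one zone.

    Returns 'NXDOMAIN' (name proven absent), 'NODATA' (name exists, type absent),
    'EXISTS', or 'NO PROOF' (out of zone, or no record matches or covers the name).
    """
    if not in_zone(apex, qname):
        return "NO PROOF"
    for owner, nxt, types in nsec_records:
        if canonical_cmp(owner, qname) == 0:
            return "EXISTS" if qtype.upper() in types else "NODATA"
        if nsec_covers(owner, nxt, qname):
            return "NXDOMAIN"
    return "NO PROOF"


if __name__ == "__main__":
    # Constructed query names against the zone's NSEC chain.
    for name, qtype in [("mail.foo.example.", "A"), ("www.foo.example.", "A"),
                        ("WWW.foo.example.", "CNAME"), ("zzz.foo.example.", "A"),
                        ("bar.example.", "A")]:
        print(f"{name:20} {qtype:6} -> {prove(FOO_EXAMPLE_NSEC, 'foo.example.', name, qtype)}")
```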


How to Conduct a Key Rollover



What Does This Mean to You?


Now We Pause for This Brief Commercial Interruption

One-step signing!

Automated...Re-signing!

(ZSK) Rollover!

Now with NIST 800-81!

Threat: Malware Uses DNS

• Malware infects clients when they visit malicious web sites, whose names are resolved using DNS

• Malware rendezvous with command-and-control channels using hardwired domain names and rapidly changing IP addresses

• Malware tunnels new malicious code through DNS

Solution: Response Policy Zones

• Many organizations on the Internet track malicious activity
  – They know which web sites are malicious
  – They know which domain names malware look up to rendezvous with command-and-control servers

• Response Policy Zones are funny-looking zones that embed rules instead of records
  – The rules say, “If someone looks up a record for this [malicious] domain name, or that points to this [malicious] IP address, do this.”
  – This is generally “return an error” or “return the address of this walled garden” instead
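The two kinds of rule just described (a trigger on the looked-up domain name, and a trigger on the IP address the answer points to) can be modelled directly. This is an added example, not Infoblox’s or BIND’s code: a hypothetical policy zone rpz.example holds QNAME triggers (exact, a wildcard for every subdomain, and a walled-garden address), a passthru whitelist and rpz-ip triggers, and apply_policy reports which rule fired, for the log, and what the resolver should answer. All domain names and addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed rules of a hypothetical policy zone rpz.example (owner names shown
# relative to the zone). The owner encodes the trigger, the rdata encodes the action.
RPZ_RECORDS = [
    ("malware-c2.example",    "CNAME", "."),              # QNAME trigger -> NXDOMAIN
    ("*.malware-c2.example",  "CNAME", "."),              # ...and every name below it
    ("phish.example",         "A",     "10.0.0.99"),      # QNAME trigger -> walled garden
    ("good.example",          "CNAME", "rpz-passthru."),  # whitelist; beats IP triggers
    ("24.0.113.0.203.rpz-ip", "CNAME", "."),              # answers in 203.0.113.0/24 -> NXDOMAIN
    ("32.9.2.0.192.rpz-ip",   "CNAME", "*."),             # answer 192.0.2.9 -> NODATA
]

# Encoded actions (RPZ convention): CNAME "." = NXDOMAIN, CNAME "*." = NODATA,
# CNAME rpz-passthru. = leave the answer alone, CNAME rpz-drop. = no response at all.
SPECIAL_ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def action_for(rdtype, rdata):
    """Translate a rule's rdata into the action it encodes."""
    if rdtype == "CNAME":
        return SPECIAL_ACTIONS.get(rdata, ("CNAME", rdata))
    return ("LOCAL", rdtype, rdata)  # local data, e.g. the walled-garden address


def ip_trigger_network(owner):
    """'24.0.113.0.203.rpz-ip' -> 203.0.113.0/24: prefix length first, then reversed octets."""
    labels = owner.split(".")
    if labels[-1] != "rpz-ip":
        return None
    octets = labels[1:-1][::-1]
    return ip_network(f"{'.'.join(octets)}/{labels[0]}", strict=False)


def match_qname(records, qname):
    """Exact owner first, then '*.' wildcards for each parent of qname, longest first."""
    labels = qname.rstrip(".").lower().split(".")
    candidates = [".".join(labels)] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        for owner, rdtype, rdata in records:
            if owner == cand:
                return owner, action_for(rdtype, rdata)
    return None


def match_ip(records, answer_ips):
    """IP trigger matching any address in the answer; the longest prefix wins."""
    best = None
    for owner, rdtype, rdata in records:
        net = ip_trigger_network(owner)
        if net is None or not any(ip_address(a) in net for a in answer_ips):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, owner, action_for(rdtype, rdata))
    return (best[1], best[2]) if best else None


def apply_policy(records, qname, answer_ips):
    """Return (rule owner to log, action) or None; QNAME rules take precedence over IP rules."""
    return match_qname(records, qname) or match_ip(records, answer_ips)


if __name__ == "__main__":
    for qname, ips in [("www.malware-c2.example", ["198.51.100.5"]),
                       ("phish.example", ["198.51.100.6"]),
                       ("innocent.example", ["203.0.113.77"]),
                       ("good.example", ["203.0.113.77"]),
                       ("clean.example", ["192.0.2.1"])]:
        print(f"{qname:24} {ips} -> {apply_policy(RPZ_RECORDS, qname, ips)}")
```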

How Response Policy Zones Work

(Diagram) The RPZ feed provider runs a master name server; the local recursive name server receives the RPZ data via zone transfer. When an infected client queries for a malicious domain name, the local recursive name server answers with an error or a redirect and logs the event.

Where Do I Get One of These Newfangled RPZs?

• From Infoblox!

• From a provider such as Spamhaus or SURBL

• From a commercial provider such as Internet Identity or Farsight Security


Managing Response Policy Zones


Managing Response Policy Zones (continued)

Infoblox-FireEye Integration

(Diagram of the three steps)

1. Detection: FireEye has the ability to detect APTs. Alerts are sent from the FireEye MPS appliance to Infoblox.

2. Disruption: DNS Firewall (Infoblox DDI with DNS Firewall) disrupts malware communication from the infected device to malicious domains; the blocked attempt is sent to Syslog.

3. Pinpointing: Infoblox Reporting provides a list of blocked attempts as well as the
   • IP address
   • MAC address
   • Device type (DHCP fingerprint)

Advanced DNS Protection from Infoblox

(Diagram)
• Rate limiting
• Network flood protection
• Automatic updates to protect against the newest threats (Infoblox Update Service)
• Secure access: limited port access (53)

• Protects the DNS infrastructure against incoming DNS-based attacks and floods

• Eliminates the need for costly over-provisioning of bandwidth to DNS servers

• Intelligently distinguishes legitimate traffic from attack traffic

• Regular, automated threat updates provide the latest protection

• Real-time centralized visibility via the Infoblox GUI and Reporting appliances

Self-Protecting Authoritative DNS

(Diagram) Advanced DNS Protection appliances shown in the DMZ facing the INTERNET and in the INTRANET (DATACENTER and CAMPUS/REGIONAL).

Which Attacks Does ADP Protect Against?

DoS/DDoS Attacks
– Amplification and reflection: using the name server to propagate a DoS/DDoS attack. We rate-limit large responses to queries.

Flooding Attacks
– Floods: UDP, TCP, ICMP
– Unexpected header values: Land attack
– IGMP flood, invalid input: Moyari13

OS and BIND Vulnerabilities
– Linux- and BIND-based exploits
– Example: CVE-2013-4854: a specially-crafted query can cause BIND to terminate abnormally.

Protocol Anomaly-based Attacks
– Impersonation attacks: Smack
– Large packets: Ping of Death
– Invalid fragments: Nestea, TearDrop, Jolt

DNS-specific Attacks
– Cache poisoning: birthday attacks (message ID guessing)
– DNS message type: block specific queries by record type
– DNS tunneling: Iodine

Multi-pronged Security
• Dedicated compute capacity from an additional network processor card so the name server can continue operation under attack
• Signature-based attack detection for known vulnerabilities and exploits
• Dynamic throttling to mitigate flood-based, DDoS reflection and amplification DNS attacks
• Fine-grained filters to allow/block specific DNS record types
• Reports provide greater visibility into DNS traffic
• Assists in early detection of reconnaissance activities

Here Comes the Cavalry!

• Anycast*
• Response Rate Limiting
• The DNS Security Extensions*
• Response Policy Zones*
• Advanced DNS Protection*


Questions?


Thank you!