DNS from the user to the Internet is today completely out of control. This fact pleases those who know how to use DNS queries to leak (exfiltrate) data.
I invite you to a story about the bad things that can befall your companies and your customers.
If there is no general in the room, there will be a live demo of a simple example of how data can be transferred out using DNS queries.
If there are no two generals in the room, it should be possible to show live how easily such a leak can be detected and blocked.
So let’s take a look at why securing DNS is so important.
Firstly, attackers know that DNS is the cornerstone of the internet. All businesses need DNS to function: for having your web site online, for email communication, VoIP, etc. It is critical networking infrastructure, connecting all users, applications and devices on the internet.
Second, DNS as a protocol is easy to exploit, and attacks are prevalent today. DNS is a UDP-based protocol that was developed some 30 years ago, and nobody thought DNS would be used as a way to attack a network. Because DNS wasn’t designed with security in mind, the protocol itself is easy to exploit. Today, DNS attacks are more prevalent than ever. DNS is the number-one protocol used in reflection/amplification attacks (81 percent).
DNS is tied with HTTP (75%) for the top targeted service of application-layer DDoS attacks.
Furthermore, advanced persistent threats (APTs) and malware use DNS as a command-and-control (C&C) channel to avoid detection (Source: http://www.pcworld.com/article/250971/malware_increasingly_uses_dns_as_command_and_control_channel_to_avoid_detection_experts_say.html).
The third key point is that traditional protection is ineffective. Traditional products don’t have a complete understanding of DNS and hence either lack DNS security or just bolt some on. So traditional protection is not effective enough against DNS-based attack vectors. It’s a gap that needs to be filled.
The bottom line: unprotected, DNS increases the risk to critical infrastructure and data.
CryptoLocker, an example of malware also called ransomware
Once it infects an endpoint, it runs an encryption algorithm and encrypts all the data and files on that endpoint. It asks for a ransom, and you have to pay up to get your data back.
So CryptoLocker actually uses DNS as a way to connect to its Command & Control site, download the encryption software, run it, and then encrypt the data.
If you can use the DNS RPZ feed to detect and block that communication and prevent the encryption from actually happening, you save your data from the ill effects of CryptoLocker.
And that’s exactly what DNS Firewall does, as I will explain further in the presentation.
Gameover Zeus (GOZ), another highly publicized botnet, mainly targets the financial industry
A botnet that uses peer-to-peer (P2P) communications to control infected devices; it was used as a way to drop CryptoLocker onto many of those devices.
Significant loss, with hundreds of millions of dollars stolen.
Again, the botnet’s communications happen through DNS. You can use DNS to disrupt these types of botnets and malicious software.
For protecting against malware and APTs, Infoblox offers a DNS RPZ feed based protection named DNS Firewall. This is software that runs on Infoblox appliances. It has intelligence on known malicious domains and networks.
Let me walk you through an example of how this works.
1. When an infected device is brought onto the network, it tries to communicate with its command-and-control site using DNS.
2. The infected endpoint sends a DNS query to DNS Firewall, which compares the destination with its list of known malicious destinations received from the threat intelligence service. The feed is highly scalable, highly available (it uses Anycast) and customizable. The product leverages intelligence on the top domains that host malicious activity. After checking the query and determining that it is to a bad site or IP address, it takes an administrator-defined action, such as blocking the communication from that endpoint to the known malicious destination or redirecting the traffic to a landing page or “walled garden” site defined by the network administrator.
3. It also reports on the malicious activity. With Infoblox Reporting, you can find out the user associated with the device that tried to make the malicious communication. You can also find out the endpoint IP address, the endpoint MAC address, and what type of device it is. With DHCP fingerprinting, you can find out whether it’s an iPad, a smartphone, a PC, or a Mac. So you get more intelligence on the infected endpoint and can easily go and clean it up.
4. DNS Firewall is updated every 2 hours with information on newly discovered malicious domain destinations, IPs, etc. It uses a regularly updated RPZ feed that is based on malware data from multiple public and private sources.
5. DNS Firewall can also receive and act on threat intelligence from outside Infoblox. For example, it works with the FireEye Adapter, a mechanism that lets intelligence from FireEye on zero-day malware be used for blocking by our product. As you may know, FireEye is a sandboxing technology for detecting zero-day malware, basically advanced persistent threats (APTs). If you don’t have FireEye deployed inline, the FireEye appliance just gives you alerts, and you have to go and take action on them. Our product takes those alerts and intelligence from FireEye and actually takes action: it blocks and disrupts the APT communications that FireEye detects. So it’s one step further, a complete solution for APT mitigation.
Key Benefits of DNS Firewall + FireEye Adapter solution:
Blocks internet malware and internal APT DNS communications to malicious domains and networks
Automatic updates to stay protected against a constantly evolving threat landscape
Easily pinpoint infected devices and associated users based on DHCP fingerprint and lease information combined with Infoblox Identity Mapping
Easily look up the threat severity and reputation of malware that has been blocked
With DNS Firewall, you can customize the threat intelligence feed according to your business needs. We provide seven pre-defined threat feeds, basically collections of domains that differ by category, such as malware dropping sites, botnets, and geographical blocks. You can tune the feed to be as specific or as broad as needed. You can also customize the RPZ policy definition based on threat type, geo, severity, source and reputation. Furthermore, you can specify custom RPZ actions (pass-through, drop, substitute policy) on a per-client basis. The benefits of this automated and customizable threat intelligence are flexibility and performance, so that you can continue business as usual.
These are some of the key attacks we’ve seen growing in number in the last year…
This list is always growing as malware architects find new ways and workarounds to exploit vulnerabilities in DNS protocols.
The blue font indicates Volumetric or DDoS DNS attacks, such as amplification or reflection where a victim’s device is flooded with an overwhelming amount of traffic.
Some in-line devices and cloud vendors can rate-limit to slow down these attacks, and they try to scale out their infrastructure to match the firepower of the DDoS attack itself.
But the attackers always seem to find a way to launch a bigger attack. If you remember from earlier in the course, most DDoS attacks today exceed 200 Gb in size!
The red font indicates DNS-specific exploits. These attacks are very difficult for IPS, DPI devices, and next-generation firewalls to mitigate because they are not designed for the DNS protocol.
See your PowerPoint notes to learn more about each of these attacks, and how Infoblox External DNS Security protects against ALL of them.
Additional information:
DNS reflection/DrDoS attacks
Reflection attacks use a third-party DNS server, mostly an open resolver on the internet, to propagate a DDoS attack onto the victim’s server. A recursive server processes queries from any IP address and returns responses. The attacker spoofs the DNS queries sent to the recursive server by placing the victim’s IP address as the source IP in the queries. So when the recursive name server receives the requests, it sends all the responses to the victim’s IP address.
DrDoS or Distributed Reflection Denial of Service uses multiple such open resolvers, thereby creating a Denial of Service (DoS).
DNS amplification
DNS amplification is an attack where a large number of specially crafted DNS queries are sent to the victim server. These result in very large responses that can reach up to 70 times the size of the request. Since DNS relies on the User Datagram Protocol (UDP), the attacker can use a small volume of outbound traffic to cause the DNS server to generate a much larger volume. The amplification of outbound responses congests the DNS server’s outbound bandwidth. This results in a Denial of Service (DoS).
DNS-based exploits
These are attacks that exploit vulnerabilities in the DNS software. This causes the DNS software to terminate abnormally, causing the server to stop responding or crash.
TCP/UDP/ICMP floods
These are volumetric attacks with massive numbers of packets that consume a network’s bandwidth and resources. Attackers can also use BGP, OSPF, NTP, or ICMP (Ping of Death, Smurf) protocols to bring down servers or network devices.
-------------------------------------
Additional attack types with more detailed descriptions:
TCP SYN floods consist of large volumes of half-opened TCP connections. This attack takes advantage of the way TCP establishes connections. The attacking software generates spoofed packets that appear to the server to be valid new connections. These packets enter the queue, but the connection is never completed—leaving false connections in the queue until they time out. The system under attack quits responding to new connections until the attack stops. This means the server is not responding to legitimate requests from clients to open new connections, resulting in a Denial of Service (DoS).
UDP floods send large numbers of UDP packets to random ports on a remote server, which checks for applications listening on those ports but does not find them. The server is then forced to return a large number of ICMP Destination Unreachable packets. The attacker can also spoof the source IP address so that the replies don’t go to the attacker’s own servers. Sending the replies exhausts the victim server’s resources and causes it to become unreachable.
ICMP attacks use network devices like routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping of death and smurf attacks. These overwhelm the victim server or cause it to crash through overflow of memory buffers.
DNS cache poisoning
Corruption of DNS cache data. It involves inserting a false address record for an Internet domain into the DNS cache. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails go to the attacker’s address. Newer cache-poisoning attacks such as the “birthday paradox” attack use brute force, flooding the server with DNS queries and responses at the same time in the hope that one of the responses matches and poisons the cache. Cache poisoning prevents access or redirects clients to a rogue address (hijacking), preventing legitimate users from accessing the company’s site.
Protocol anomalies
These attacks send malformed DNS packets, including unexpected header and payload values, to the targeted server. Even though the packet size may be the same as a legitimate packet’s, the payload contents are not. Attackers make use of software bugs in protocol parsing and processing implementations. The victim server stops responding by going into an infinite loop, or crashes.
Reconnaissance
This attack consists of attempts to gather information on the network environment before launching a large DDoS or other type of attack. Techniques include port scanning and querying servers for their version and author information. These activities exhibit abnormal behavior patterns that, if identified, can provide early warning. There is no direct effect on the server, but it indicates an impending attack.
DNS tunneling
This attack involves tunneling another protocol through DNS port 53—which is allowed if the firewall is configured to carry non-DNS traffic—for the purposes of malware insertion and/or data exfiltration. A free ISC-licensed tunneling application for forwarding IPv4 traffic through DNS servers is widely used in this kind of attack.
How Infoblox protects against these attacks:
Smart rate thresholds can put the brakes on DNS DDoS and flood attacks without denying service to legitimate users. They use External DNS Security’s ability to discriminate between different query types and the rates associated with them. For example, a downstream DNS caching server might generate 100 times the base traffic of a normal desktop source, and this traffic might be legitimate; an HTTP or mail proxy server likewise has a higher, legitimate DNS traffic demand. So basic rate limiting is ineffective (a single flat limit either causes too many false positives or leaves too large a gap). The key to flood control is smart rate thresholds.
Source-based throttling detects abnormal query-rate increases per source IP and applies rate limits. There is a counter per IP address, and if we see too many operations per second from that IP, rate limits are applied to that traffic.
Destination-based throttling detects abnormal increases in traffic grouped by target domains.
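Source-based throttling with class-aware thresholds, as an added Python example that is not taken from the original notes or from Infoblox: a counter per source IP over a one-second sliding window, with the limit depending on whether the source is a known downstream resolver, a proxy or a desktop. The class limits, block duration and traffic are constructed values.

```python
# Added example (not Infoblox code): source-based throttling with a counter per
# source IP and a threshold that depends on the source's class, so a downstream
# caching resolver or proxy can legitimately exceed a desktop's rate.
# Class limits and traffic below are constructed values for illustration.
from collections import defaultdict, deque

CLASS_LIMITS = {"desktop": 20, "proxy": 200, "resolver": 2000}  # queries per second

class SourceThrottle:
    def __init__(self, classify, limits=CLASS_LIMITS, block_s=30.0):
        self.classify = classify            # callable: source IP -> class name
        self.limits = limits
        self.block_s = block_s
        self.window = defaultdict(deque)    # ip -> timestamps seen in the last second
        self.blocked_until = {}             # ip -> time until which it is throttled

    def allow(self, ts: float, src_ip: str) -> bool:
        """Return True to pass the query, False if the source is being throttled."""
        if self.blocked_until.get(src_ip, 0.0) > ts:
            return False
        q = self.window[src_ip]
        q.append(ts)
        while q and ts - q[0] > 1.0:        # slide the one-second window
            q.popleft()
        if len(q) > self.limits[self.classify(src_ip)]:
            self.blocked_until[src_ip] = ts + self.block_s
            q.clear()
            return False
        return True

def classify_by_list(resolvers=frozenset(), proxies=frozenset()):
    """Build a classifier from known downstream resolvers and proxies; others are desktops."""
    def classify(ip):
        if ip in resolvers:
            return "resolver"
        return "proxy" if ip in proxies else "desktop"
    return classify

def simulate(events, throttle):
    """Feed time-ordered (ts, ip) events through the throttle; return {ip: (passed, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in events:
        stats[ip][0 if throttle.allow(ts, ip) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

# Constructed traffic: a desktop at 10 qps, a caching resolver at 1000 qps,
# and a desktop that floods at 500 qps (the pattern a flat limit would mishandle).
EVENTS = sorted(
    [(i / 10, "10.0.0.5") for i in range(20)]
    + [(i / 1000, "10.0.1.53") for i in range(2000)]
    + [(i / 500, "10.0.0.99") for i in range(1000)])
```

With a flat desktop limit the resolver would be throttled; with the class-aware limit only the flooding desktop is blocked after its first 20 queries in the window.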
For anomalies and exploits, External DNS Security ensures that packets are valid DNS packets and then analyzes them for patterns of exploits that target specific vulnerabilities, before they reach the DNS software. The definition of a good packet has been tightened based on extensive analysis. Input validation failures include DNS UDP packets where the question name or a label is too long, the question count is invalid, the number of entries in the question section is invalid, or the question class or resource record is invalid. It also drops DNS UDP packets when incremental zone transfer requests contain zero or more than one authority record, or an invalid authority record.
For cache poisoning, External DNS Security can reduce the window of DNS resolver response acceptance, and uses rate limiting and packet response matching to mitigate this attack. This rule passes DNS UDP response packets from upstream DNS servers or external DNS primaries if the packet rate is below the configured packets-per-second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for a certain period of time. It offers similar mitigation for DNS ACK packets from NIOS-initiated connections.
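The packet checks just listed, as an added example written for this page rather than Infoblox’s own code: a small Python validator over raw DNS-over-UDP query payloads. The label and name limits follow RFC 1035, the IXFR authority-record rule is checked at header level only, and every packet is constructed test data.

```python
# Added example (not Infoblox code): a minimal validator that applies the
# input-validation checks listed above to a raw DNS-over-UDP query payload.
# All packets are constructed test data; the wire format follows RFC 1035.
import struct

MAX_LABEL = 63                 # a single label is at most 63 octets
MAX_NAME = 255                 # a wire-format name is at most 255 octets
VALID_QCLASS = {1, 3, 4, 255}  # IN, CH, HS, ANY
QTYPE_IXFR = 251               # incremental zone transfer request

def validate_query(pkt: bytes) -> str:
    """Return 'ok', or a short reason why the packet would be dropped."""
    if len(pkt) < 12:
        return "short header"
    _id, flags, qd, _an, ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        return "response bit set on query"
    if qd != 1:                               # exactly one question expected
        return f"invalid question count {qd}"
    pos, name_len = 12, 0
    while True:                               # walk the question name label by label
        if pos >= len(pkt):
            return "truncated question name"
        ln = pkt[pos]
        if ln >= 0xC0:                        # compression pointers are not valid here
            return "compression pointer in question name"
        if ln > MAX_LABEL:
            return f"label too long ({ln})"
        name_len += ln + 1
        if name_len > MAX_NAME:
            return "question name too long"
        pos += 1 + ln
        if ln == 0:                           # root label terminates the name
            break
    if pos + 4 > len(pkt):
        return "truncated question type/class"
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    if qclass not in VALID_QCLASS:
        return f"invalid question class {qclass}"
    if qtype == QTYPE_IXFR and ns != 1:       # IXFR must carry exactly one SOA in authority (header-level check)
        return f"IXFR with {ns} authority records"
    return "ok"

def build_query(name: str, qtype: int = 1, qd: int = 1, ns: int = 0) -> bytes:
    """Construct a test query; oversized labels are deliberately not rejected here."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, qd, 0, ns, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return hdr + qname + struct.pack("!HH", qtype, 1)
```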
For reconnaissance, External DNS Security drops UDP packets requesting information on authors and/or version information.
For tunneling, the anti-tunneling rule passes a large amount of inbound UDP DNS queries if the packet rate is less than the packets per second value (default = 2). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time.
DNS Threat Analytics automatically blocks communications to destinations associated with data exfiltration attempts
Adds the destinations associated with data exfiltration automatically to the blacklist in DNS Firewall or Internal DNS Security
Scales enforcement to all parts of the network through a grid-wide update to all Infoblox members with DNS firewalling/RPZ capability
Unlike approaches that analyze log data in batches and after the compromise, DNS Threat Analytics is built directly into the DNS appliance, which is in the path of exfiltration, and provides real-time detection and blocking. There is no need for additional network infrastructure, agents or new inline appliances.
Infoblox DNS Threat Analytics is a patented technology that uses machine learning and performs real-time streaming analytics on live DNS queries to detect data exfiltration.
Examines host.subdomain and TXT records in DNS queries
Uses entropy, lexical analysis and time series to determine presence of data in queries
Pinpoints infected devices or potential rogue employees that try to steal data
Provides identifying information such as user name, device IP and MAC address, device type, etc.
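The three signals above (entropy, lexical analysis and a time series over host.subdomain and TXT queries), as an added example that is not part of the original notes or of Infoblox’s product: a heuristic Python detector run over a constructed query stream. The thresholds and the placeholder domain exfil-test.example are assumptions, and the base domain is approximated as the last two labels.

```python
# Added example (not Infoblox code): heuristic exfiltration detector applying the signals
# above (entropy, lexical length, TXT use, distinct-subdomain time series) to a query stream.
# Sample traffic is constructed; 'exfil-test.example' is a placeholder domain.
import hashlib
import math
from collections import Counter, defaultdict, deque

def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_name(qname: str):
    """Return (subdomain, base_domain); the base domain is approximated by the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

class ExfilDetector:
    def __init__(self, window_s=60, burst=20, min_entropy=3.0, min_len=30):
        self.window_s, self.burst, self.min_entropy, self.min_len = window_s, burst, min_entropy, min_len
        self.recent = defaultdict(deque)   # base_domain -> (timestamp, subdomain) within window
    def score(self, ts: float, qname: str, qtype: str) -> dict:
        """Score one query; two or more independent signals mark it as suspicious."""
        sub, base = split_name(qname)
        payload = sub.replace(".", "")
        q = self.recent[base]
        q.append((ts, sub))
        while q and ts - q[0][0] > self.window_s:   # time series: slide the window
            q.popleft()
        distinct = len({s for _, s in q})
        ent = shannon_entropy(payload)
        reasons = []
        if len(payload) >= self.min_len:             # lexical: long, encoded-looking labels
            reasons.append("long_subdomain")
        if ent >= self.min_entropy:                  # entropy: data rather than a hostname
            reasons.append("high_entropy")
        if qtype == "TXT" and payload:               # TXT lookups carrying data in the name
            reasons.append("txt_with_subdomain")
        if distinct >= self.burst:                   # many unique subdomains of one base domain
            reasons.append("subdomain_burst")
        return {"base": base, "entropy": round(ent, 2), "distinct": distinct,
                "suspicious": len(reasons) >= 2, "reasons": reasons}

def flagged_domains(queries):
    """Return the sorted base domains that any query in the stream flagged as suspicious."""
    det = ExfilDetector()
    return sorted({r["base"] for r in (det.score(*q) for q in queries) if r["suspicious"]})

# Constructed sample traffic: ordinary lookups, then 25 hex-encoded chunks sent as TXT queries.
SAMPLE = [(t, "www.example.com", "A") for t in range(30)] + [
    (t, hashlib.sha256(f"chunk{t}".encode()).hexdigest()[:32] + ".exfil-test.example", "TXT")
    for t in range(25)]
```

Ordinary hostnames score no signal, while the encoded chunks trip the length and TXT checks on the first query and the distinct-subdomain burst once enough chunks have been seen.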
Infoblox and ISE exchange valuable networking, user, device, and security-event information, enriching both Infoblox DDI and ISE data. The integration via the pxGrid creates a unified solution that enhances security response accuracy and timeliness; expands visibility of networks, users, and devices; and improves overall IT operations by sharing information between network and security teams.
Infoblox takes in user/identity, device, and authorization data, enriching the Infoblox authoritative IPAM database
Infoblox publishes valuable DHCP, DNS, and IPAM data for pxGrid members to leverage the network context and create a single source for refined network policy
And lastly, Infoblox DNS Security, particularly DNS Firewall, notifies ISE of indicators of compromise so ISE can take the actions defined in those refined policies
Let’s look at each of these in a bit more detail…
Use case: obviously, we are stopping/mitigating attacks of the NXDOMAIN family, have brought the configuration into the GUI, and have added the ability to protect the cache from NXDOMAIN pollution.