CloudShield DNS Security Tip Guide, Rev 121113 | Page 1
DNS Security Tip Guide
THREE AREAS FOR BETTER DNS PROTECTION
Enhance your DNS (Domain Name Services) security management by reading this guide, which covers three topics: security layering, DNS traffic management to mitigate DDoS (Distributed Denial of Service) attacks, and the role DNS plays in the growing problem of advanced malware attacks. This is a must-read for DNS security professionals who manage large networks.
OVERVIEW
DNS security tips to consider
In this guide, we’ll cover three main areas of DNS protection.
1. Security Layering
Having outer, middle, and inner layer defense mechanisms in place provides in-depth DNS protection.
2. DNS Traffic Management to Mitigate DDoS Attacks
Security administrators must have a way to manage DNS traffic under heavy load conditions to keep the DNS infrastructure working under its designed conditions.
3. The Interaction of DNS and Advanced Malware Attacks
DNS is becoming increasingly known as a vector for advanced malware attacks. It’s imperative for DNS and security administrators to understand the role of DNS in the growing problem of advanced malware attacks.
DNS protection is crucial
The DNS (Domain Name Services) protocol was created in
1982 as a method to implement a scalable system capable
of automatically mapping the growing number of host
numerical addresses to text-based names.
You might know that DNS was created to replace or
supplant the hosts.txt file. At the time DNS was created,
security was not a core design consideration. Protocols
and services dependent on the DNS architecture are still
evolving rapidly, as evidenced by the issuance of RFC
7075 in November 2013. Periodically, various security
solutions have been proposed, such as DNSSEC (DNS
Security Extensions), which provides authenticity.
DNS is core to the fabric of the Internet and is your
Achilles’ heel. Without DNS service, there is no Skype, no
Facebook, no Twitter, no Instagram, no CNN, and no
Google.
Without DNS, there is no Internet. As critical as DNS is to
the Internet, it remains insufficiently secure and in many
cases, insufficiently robust in the face of protocol-specific
and denial of service attacks. This needs to change.
No silver bullet
Security professionals are familiar with the three main
pillars of information or network security:
• Availability: The information must be available at all times
• Integrity: The information shall not be tampered with by non-authorized persons
• Authenticity: The information must come from authentic sources
DNS should be no different and should follow these
same pillars. DNS service must be available provided
with integrity and authenticity. How can this be
achieved?
One thing we must accept up front: there is no silver
bullet for DNS protection. Protection is a layered approach
including people, process, and technology. Security
professionals need to understand the type of
infrastructure they are trying to protect, their business
needs, and the threats targeted against their systems.
They must design the infrastructure accordingly and
have skilled people to monitor and manage it.
SECURITY LAYERING
DNS security strategy
Your general DNS security strategy should include in-depth protection and a variety of options at each line of defense.
Choose solutions that match your business needs, risk aversion level, and budget. Several companies that had major
customer-impacting DNS outages thought they could handle attack situations through a combination of DDoS filtering
solutions and over-provisioning. Sadly, this is not enough. Consider how you will protect your outer, middle, and inner
DNS infrastructure.
Layer 1
Outer layer DNS defense tactics
There are at least two outer layer defense tactics
that have proven successful.
1. If your IT infrastructure includes multiple data
centers, consider spreading out your DNS servers
and using Anycast as a network-wide load
balancer.
2. Use a commercial DDoS filtering or cleaning
vendor. This will reduce the volume of DDoS traffic,
but understand that such solutions seldom
completely stop attacks.
These approaches, both proven successful with ISPs,
can benefit larger enterprises.
Layer 2
Middle layer DNS defense tactics
A middle layer of defense may pertain to a wide range
of verticals depending on the size and scale of their
Internet-facing infrastructure, such as mail and web
servers.
This method involves configuring routers to allow traffic
only from approved IP ranges. This defense may be
impractical if legitimate traffic can come from many
public sources. It is also possible to configure routers to
block or limit certain kinds of traffic, or to allow only
slower-link traffic from countries that are likely attack
sources.
The administrative cost of keeping traffic policies
current is a potential downside of this tactic.
Layer 3
Inner layer DNS defense tactics
Your inner layer defense is your last stand. A typical large scale DDoS attack can generate 20 to 300 Gb of attack traffic
spread across multiple sources. Assuming that your edge routers can forward this amount of traffic, multiple gigabytes of
DDoS traffic will penetrate your outer and middle defenses. Your inner DNS layer of defense must handle the attack.
For example, assume a typical 100 byte DNS query. A 1Gb link has roughly 1,000,000 queries per second (QPS)
capacity. When under attack, DDoS query traffic will skyrocket from thousands to millions of QPS. Your recursive DNS
servers can typically handle 50,000 to 100,000 QPS. Your DNS servers will be overwhelmed and unable to respond
properly. Much of your business might stop when your DNS servers stop working. Multiple, redundant 1Gb links
compound the problem.
There are solutions to protect your inner layer. A truly effective DNS solution will examine traffic before any DNS
processing takes place. All the rejection and limiting of attack traffic should happen before hitting your DNS servers. To do
this, you need a specialized DNS firewall that can:
1. Handle higher volume traffic than your DNS servers
2. Improve DNS response times (some solutions are performance neutral or add latency)
3. Add stateful tracking to recursive UDP (User Datagram Protocol) DNS queries to prevent amplification attacks
and cache poisoning
4. Validate DNS traffic
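Requirement 3 above calls for stateful tracking of the recursive UDP queries a resolver sends upstream. The following is an added example, not CloudShield's or DNS Defender's code, showing the defensive core of that idea: a resolver-side tracker records each outbound query's transaction ID, randomized source port and question, and accepts a UDP response only when all three match an outstanding entry within a timeout; unsolicited, replayed, mismatched and late responses are rejected. `QueryTracker`, `build_query`, `parse_message` and `make_response` are hypothetical names, the upstream address 192.0.2.53 is a documentation address, and `make_response` exists only to build test traffic.

```python
import secrets
import struct
import time


def build_query(txid, qname, qtype=1):
    """Minimal DNS query: 12-byte header with RD set, plus one question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.strip(".").split(".")
    )
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


def make_response(query):
    """Turn a query into a response by setting the QR bit (test-traffic helper only)."""
    flags = struct.unpack("!H", query[2:4])[0] | 0x8000
    return query[:2] + struct.pack("!H", flags) + query[4:]


def parse_message(msg):
    """Return txid, QR flag and the first question, or None if the message is malformed."""
    if len(msg) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(msg):  # no compression pointers in a question
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": ".".join(labels).lower(), "qtype": qtype, "qclass": qclass}


class QueryTracker:
    """Remembers each outbound recursive query so that only a matching answer is accepted."""

    def __init__(self, timeout=2.0, clock=time.monotonic):
        self.timeout = timeout
        self.clock = clock
        self.pending = {}  # (upstream_ip, local_port, txid) -> (qname, qtype, deadline)

    def send(self, upstream_ip, qname, qtype=1):
        """Register a query under a random txid and source port; returns (wire bytes, port)."""
        txid = secrets.randbelow(65536)
        port = 1024 + secrets.randbelow(64512)  # random source port, as modern resolvers do
        deadline = self.clock() + self.timeout
        self.pending[(upstream_ip, port, txid)] = (qname.lower().strip("."), qtype, deadline)
        return build_query(txid, qname, qtype), port

    def accept(self, src_ip, dst_port, msg):
        """Decide whether a datagram from src_ip to our dst_port answers an outstanding query."""
        parsed = parse_message(msg)
        if parsed is None or not parsed["is_response"]:
            return False, "malformed-or-not-a-response"
        key = (src_ip, dst_port, parsed["txid"])
        entry = self.pending.get(key)
        if entry is None:
            return False, "unsolicited"  # source, port or txid matches nothing we sent
        qname, qtype, deadline = entry
        if self.clock() > deadline:
            del self.pending[key]
            return False, "expired"
        if (parsed["qname"], parsed["qtype"]) != (qname, qtype):
            return False, "question-mismatch"
        del self.pending[key]  # one answer per query: a replay now counts as unsolicited
        return True, "ok"


if __name__ == "__main__":
    tracker = QueryTracker()
    wire, port = tracker.send("192.0.2.53", "example.com")  # constructed upstream address
    print(tracker.accept("192.0.2.53", port, make_response(wire)))
    print(tracker.accept("192.0.2.53", port, make_response(wire)))  # replay is refused
```

The three checks (source address and port, transaction ID, question section) are what a firewall in front of the resolver would need to keep per outstanding query; the timeout bounds the table size under a query flood.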
Specialized DNS firewalls
Just as boundary and application firewalls have evolved to offload security functions from the applications they protect, it
is now time for specialized DNS firewalls to do the same. As attack methods get more sophisticated, your DNS protection
needs to be several steps ahead. The DNS security layering method will help better prepare and strengthen your
infrastructure.
DNS TRAFFIC MANAGEMENT
Three ways to use DNS traffic management with rate limiting for protection
Popular methods
Overprovisioning and traffic management with rate limiting are two of the most popular methods used by network administrators to protect against distributed denial-of-service (DDoS) attacks powered by techniques like DNS amplification and DNS reflection.
Overprovisioning can be as simple as deploying more machines to increase the capacity of the DNS server farm in order to support regular traffic load and absorb peak load generated by an attack. Although this approach is attractive from the DNS application or hardware vendor's point of view, in many cases it is not attractive for the DNS provider.
The reason is that overprovisioning doesn’t mean simply more DNS servers. It means more rack space, power consumption, cooling, and additional complexity and resources for operating and managing the DNS infrastructure – a big capital outlay. To really make it work right, additional capital might be required for load balancing. At the end of the day, you’re just putting more soldiers out to be harmed instead of arming them to improve their effectiveness.
The economic factor aside, overprovisioning can create negative technical impacts. A sample side effect of adding machines is a reduction of the overall cache hit rate and the consequent increase in DNS latency.
DNS rate limiting is commonly considered the most effective defense against DDoS attacks since it gives network operators some control over the traffic reaching and leaving the DNS server farm.
Method 1
Rate limit by source IP address
Rate limiting by source IP address allows setting the number of DNS queries per time slot that can be accepted from a particular IP or subnet, blocking any attack or misuse that sends DNS requests above the configured threshold.
This throttling mechanism will require the attacker to spoof a much larger IP address range in order to reach the query rate necessary for the attack to succeed. Before enforcing the rate limit rules on your network, you should test these rules in monitor or test modes where potentially offending requests are not actually dropped, only logged. Testing will help identify the traffic patterns of your network and provide confidence that the rate-limiting rules will not harm legitimate traffic. Simple rate limiting in this form might not work for authoritative DNS servers since the source IP addresses that can reach your DNS server are unknown. This form is best suited for recursive servers.
For authoritative DNS servers, we recommend DNS response rate limiting, available in BIND9. Aggregate rate limits can also be used to prevent surges in DNS traffic from flowing through the DNS network.
Method 2
Rate limit by destination IP address
The destination IP address rate limit is useful when the operational load limit of a DNS server is known and you don’t want to reach this limit, in order to avoid the unpredictable and undesirable behaviors caused by an overloaded DNS server.
By using this type of rate limiting, you can specify the maximum number of queries that can reach each DNS server in the server farm, dropping any additional traffic above this threshold (which would be discarded anyway), and thus protecting the DNS server from being overwhelmed by receiving more queries than it can handle.
Destination rate limiting is also key to being an upright member of the community. It prevents you from becoming an unlimited amplifier in reflection DDoS (RDDoS) attacks by limiting the amount of upstream traffic that is sent out.
Method 3
Rate limit by DNS query type
When more fine-tuned rate limiting is necessary, specify rules based on DNS query type. There are different types of DNS queries; some of them are much more common than others, for example, type A, AAAA, and pointer (PTR) queries. This type of rate limiting can be used to block critical deviations from the average DNS query type distribution, which can be considered an important indication of an attack.
It’s possible, for example, to specify rules to enforce that a particular IP address or subnet can only send five requests of type A, two requests of type AAAA, two requests of type PTR, and one request of the remaining types. In this last example, the query type rate limit is used in conjunction with source IP address rate limiting in order to have fine-grained control over the DNS traffic.
As mentioned with the source IP address rate limit, running the rules in monitor or test mode before enforcement mode is strongly recommended.
Implementing traffic management with rate limiting
CloudShield DNS Defender® offers several mechanisms for rate limiting, including those discussed above. Since rate limiting carries risk, DNS Defender supports monitor or log-only modes so that rules can be safely tested and the results on real traffic analyzed before being actually enforced on the network. The monitor mode and rule set modifications can be applied in seconds with minimal impact on traffic.
Flexibility is essential
No matter which type of rate limit you want to use or how you implement it, it’s important to have a DNS defense infrastructure with the ability to offer and combine all types of rate limiting. This will provide you the flexibility to use any combination to better protect your DNS service from the ever-changing DNS attack landscape.
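Methods 1 to 3 above, together with the monitor-mode advice that accompanies them, can be captured in a few dozen lines. The following is an added example, not DNS Defender's implementation or any CloudShield code: `DnsRateLimiter` keeps fixed one-second window counters per source subnet, per destination server and per source-and-query-type, and either logs or drops a query that exceeds a limit. The limits, the sample query stream (RFC 5737 documentation addresses) and the class name are all constructed for illustration. The query-type limits are the page's own example (five A, two AAAA, two PTR and one of any other type per source per window). The example also shows one subtlety worth knowing before switching from monitor to enforcement: in monitor mode nothing is dropped, so the per-destination counters see traffic that enforcement would already have removed, and a rule that fires in monitor mode may fall silent once the source-IP rule is enforced.

```python
import ipaddress
from collections import Counter, defaultdict


class DnsRateLimiter:
    """Fixed-window counters implementing source, destination and query-type rate limits."""

    def __init__(self, window=1.0, src_limit=None, src_prefix=24,
                 dst_limit=None, qtype_limits=None, monitor=True):
        self.window = window              # seconds per counting window
        self.src_limit = src_limit        # Method 1: queries per source subnet per window
        self.src_prefix = src_prefix      # subnet size used to aggregate sources
        self.dst_limit = dst_limit        # Method 2: queries reaching each server per window
        self.qtype_limits = qtype_limits or {}  # Method 3: {"A": 5, ..., "*": 1}
        self.monitor = monitor            # True: log violations only, never drop
        self.counts = defaultdict(int)    # (rule, key, window index) -> count
        self.events = []                  # (t, src, dst, qtype, rules hit)

    def _over(self, rule, key, t, limit):
        """Count one query against (rule, key) and report whether it now exceeds limit."""
        if limit is None:
            return False
        k = (rule, key, int(t // self.window))
        self.counts[k] += 1
        return self.counts[k] > limit

    def check(self, t, src, dst, qtype):
        """Return 'pass', 'log' (monitor mode) or 'drop' (enforcement) for one query."""
        net = str(ipaddress.ip_network(f"{src}/{self.src_prefix}", strict=False))
        hits = []
        # Method 1: queries per source subnet.
        if self._over("src", net, t, self.src_limit):
            hits.append(f"src {net}")
        # Method 3: queries per source subnet and type; types without their own
        # limit share the "*" bucket ("one request of the remaining types").
        bucket = qtype if qtype in self.qtype_limits else "*"
        if self._over("qtype", (net, bucket), t, self.qtype_limits.get(bucket)):
            hits.append(f"qtype {qtype} from {net}")
        # Method 2: queries reaching each server. Under enforcement a query already
        # dropped above never reaches the server, so it must not be counted here;
        # in monitor mode everything is forwarded, so everything counts.
        if (self.monitor or not hits) and self._over("dst", dst, t, self.dst_limit):
            hits.append(f"dst {dst}")
        if not hits:
            return "pass"
        self.events.append((t, src, dst, qtype, hits))
        return "log" if self.monitor else "drop"


# Constructed sample traffic: one subnet bursting ten A queries inside a single
# window, followed by a small, well-behaved client; all addresses are documentation ranges.
SAMPLE_QUERIES = (
    [(round(0.01 * i, 2), "198.51.100.7", "192.0.2.10", "A") for i in range(10)]
    + [(0.10, "203.0.113.5", "192.0.2.10", "A"),
       (0.11, "203.0.113.5", "192.0.2.10", "A"),
       (0.12, "203.0.113.5", "192.0.2.10", "AAAA"),
       (0.13, "203.0.113.5", "192.0.2.10", "MX")]
)


def run_sample(monitor):
    """Run the constructed stream through a fresh limiter; returns (verdict counts, events)."""
    limiter = DnsRateLimiter(window=1.0, src_limit=5, dst_limit=12,
                             qtype_limits={"A": 5, "AAAA": 2, "PTR": 2, "*": 1},
                             monitor=monitor)
    verdicts = Counter(limiter.check(*query) for query in SAMPLE_QUERIES)
    return dict(verdicts), limiter.events


if __name__ == "__main__":
    for mode in (True, False):
        verdicts, events = run_sample(monitor=mode)
        print("monitor" if mode else "enforce", verdicts)
        for event in events:
            print("   ", event)
```

Running it in monitor mode first is exactly the workflow the text recommends: the `events` list is what you would review before flipping `monitor=False`. For authoritative servers, BIND's response rate limiting (the `rate-limit` block, which has a `log-only yes;` setting) offers the same log-first approach.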
DNS & ADVANCED MALWARE ATTACKS
[Figure 1: 1- Initial recon → 2- Initial compromise → 3- Establish foothold → 4- Escalate privileges → 5- Internal recon → 6- Move laterally → 7- Data exfiltration]
Use of DNS for advanced malware attacks
Hype around advanced malware attacks, sometimes referred to as
APT, or Advanced Persistent Threats, got some boost in February
2013 following the release of the APT1 report by security company,
Mandiant.
Based on seven years of research, data collection, and analysis of
information from nearly 150 organizations all around the world, the
report concludes that the APT1 group behind the long-running and
extensive cyber-espionage campaign is likely sponsored by the
Chinese government.
Not surprisingly, this report has a whole section regarding Domain
Name System (DNS), revealing the domain names and zones
registered and used by the group during the attack.
An important piece of the puzzle
Almost every step on the advanced malware life cycle relies on some
sort of DNS manipulation.
Although DNS is mainly used to hide the IP addresses of the remote
servers used by the attacker, its use goes far beyond that.
From source of information to an available channel for external
communication, there are several malicious ways of using DNS in an
APT attack.
Figure 1 shows the steps of an advanced malware attack using the DNS protocol.
Step 1
Initial reconnaissance
The fact that DNS stores the addresses of important elements of the network infrastructure, like mail and web servers, makes it an important source of information for attackers to help map the victim network and identify possible targets.
In some cases, due to misconfigurations or vulnerabilities on the DNS server, attackers may also access internal information about the network and its devices.
Step 2
Initial compromise
For the initial compromise step, the most common tactic is email phishing. An email with a specially crafted message is sent to specific individuals in a targeted organization that contains a malicious attachment, downloadable file, or link to a website.
In all these cases, DNS is used to find the IP address associated with the link in the email or embedded in the malicious document, pointing to the remote server where the malware is located.
Step 3
Establish foothold
This step is accomplished by installing backdoors and making an outbound connection to establish a command and control (C&C) channel back to the attacker’s computer outside the network.
C&C channels can leverage several techniques to stay under the radar, like the use of well-known and commonly used UDP/TCP ports, encoding or encrypting the communication, and using “non-suspect” protocols like HTTP and DNS.
Step 4
Escalate privileges
After initial access to the victim machine, the attacker uses operating system commands and other tools to gather information on both the machine and the network.
The goal is to find credentials to bypass system controls and allow access to other resources on the network.
Step 5
Internal reconnaissance
After expanding control over the initially compromised machine, the attacker needs to perform internal reconnaissance to locate the targets.
Again, DNS can play a malicious role by providing useful information for the attacker to help identify and locate important resources on the network.
Step 6
Move laterally
With some credentials in hand, the attacker expands control over other machines on the network, moving closer to systems with access to target or valuable information.
Step 7
Data exfiltration
The final goal of the attacker is to get access to sensitive or confidential information, like intellectual property, personally identifiable information (PII), and credentials. When this information is finally found, the attacker needs to find a way to send it outside the network. Standard protocols like FTP and custom protocols can be used to accomplish this task. DNS is one available protocol that can also be used for this purpose.
How can you turn DNS into an ally against APTs?
Ironically, the fact that attackers rely heavily on DNS to accomplish several tasks during an advanced malware incursion is exactly what allows it to be used as an important defense against this type of attack.
DNS data analysis, domain name blacklisting powered by external threat intelligence feeds, and policy enforcement for DNS traffic are some of the techniques that can be used to detect and block malicious activities on the network.
Advanced malware attacks are complex and always evolving. A comprehensive set of resources is required on the defensive side to provide the capabilities to detect and defend. Specialized DNS firewalls like CloudShield DNS Defender®, coupled with advanced data analysis tools, are an important piece of this defense strategy.
Summary
The DNS Security Tip Guide has covered the importance of DNS and three ways to help mitigate the risk of business-disrupting attacks on your DNS infrastructure:
1. A layered DNS security strategy
2. DNS traffic management to handle Distributed Denial of Service (DDoS) attacks, and
3. The role of DNS in the growing problem of advanced malware attacks.
Understanding these will enable you to be a better DNS and/or security administrator and determine ways to ensure the strength and resilience of the DNS technology upon which your business depends.
With this information in hand, you can search for solutions to enhance your DNS infrastructure.
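The "DNS data analysis" and "domain name blacklisting powered by external threat intelligence feeds" named in the section on turning DNS into an ally, and the DNS-based exfiltration of Step 7, can be prototyped against ordinary resolver query logs. The following is an added example, not CloudShield's or DNS Defender's code. It runs three detections over a constructed log: a suffix-walk match against a constructed threat feed (so a subdomain of a listed domain still matches), long high-entropy first labels (typical of encoded data carried in tunnelling queries), and many distinct names under one parent domain from a single client. All names, addresses, thresholds and function names (`analyze`, `feed_match`, `parent_domain`) are constructed; `parent_domain` guesses the registrable domain from the last two labels, which a real deployment would replace with a Public Suffix List lookup.

```python
import math
from collections import defaultdict

# Constructed threat-intelligence feed (hypothetical names under reserved TLDs).
THREAT_FEED = {"bad-c2.example", "dropper.example.net"}

# Constructed resolver query log, one record per line: "<epoch> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
1700000000 10.1.2.3 A www.example.com
1700000001 10.1.2.3 A mail.example.com
1700000002 10.1.2.9 A cdn.example.org
1700000003 10.1.2.9 TXT abcdefghijklmnopqrstuvwxyz234567.data.tunnel.example
1700000004 10.1.2.9 TXT 234567abcdefghijklmnopqrstuvwxyz.data.tunnel.example
1700000005 10.1.2.9 TXT zyxwvutsrqponmlkjihgfedcba765432.data.tunnel.example
1700000006 10.1.2.9 TXT 765432zyxwvutsrqponmlkjihgfedcba.data.tunnel.example
1700000007 10.1.2.9 TXT nopqrstuvwxyz234567abcdefghijklm.data.tunnel.example
1700000008 10.1.2.7 A cdn.bad-c2.example
"""


def shannon_entropy(text):
    """Bits per character of a string; 0.0 for the empty string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def feed_match(qname, feed):
    """Return the feed entry equal to qname or to one of its parent domains, else None."""
    labels = qname.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def parent_domain(qname, depth=2):
    """Crude registrable-domain guess: the last `depth` labels (assumption, see lead-in)."""
    return ".".join(qname.lower().strip(".").split(".")[-depth:])


def analyze(log_text, feed, *, min_label_len=20, entropy_threshold=3.5,
            unique_name_threshold=5):
    """Return a list of alert dicts {rule, client, qname, detail} for the log."""
    alerts = []
    unique_names = defaultdict(set)  # (client, parent domain) -> distinct names queried
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _epoch, client, qtype, qname = line.split()
        qname = qname.lower().strip(".")
        # Rule 1: blacklisting via the external feed, matching parent domains too.
        hit = feed_match(qname, feed)
        if hit:
            alerts.append({"rule": "threat-feed", "client": client,
                           "qname": qname, "detail": hit})
        # Rule 2: a long, high-entropy leftmost label looks like encoded payload.
        first = qname.split(".")[0]
        entropy = shannon_entropy(first)
        if len(first) >= min_label_len and entropy >= entropy_threshold:
            alerts.append({"rule": "suspicious-label", "client": client, "qname": qname,
                           "detail": f"{qtype} len={len(first)} entropy={entropy:.2f}"})
        unique_names[(client, parent_domain(qname))].add(qname)
    # Rule 3: one client asking for many distinct names under one parent domain
    # (tunnels and exfiltration need a fresh name per chunk to defeat caching).
    for (client, parent), names in unique_names.items():
        if len(names) >= unique_name_threshold:
            alerts.append({"rule": "many-unique-subdomains", "client": client,
                           "qname": parent, "detail": f"{len(names)} distinct names"})
    return alerts


def summarize(alerts):
    """Map each rule to the sorted list of clients that triggered it."""
    by_rule = defaultdict(set)
    for alert in alerts:
        by_rule[alert["rule"]].add(alert["client"])
    return {rule: sorted(clients) for rule, clients in by_rule.items()}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, THREAT_FEED):
        print(alert)
    print(summarize(analyze(SAMPLE_LOG, THREAT_FEED)))
```

The thresholds are the tunable part: run the analysis over a day of real logs in the same log-only spirit as the rate-limit rules, and raise `min_label_len` or `unique_name_threshold` until content-delivery and anti-spam lookups (which also use long or numerous labels) stop appearing before using the output to drive blocking.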
DNS DEFENDER
CloudShield DNS Defender® is an enterprise and carrier-grade DNS security and performance enhancement solution. Unlike traditional firewalls or other network security appliances, DNS Defender is specifically designed to protect against DNS attacks, enhance overall DNS performance, and have the flexibility to add custom security countermeasures for carriers, ISPs, and large organizations.
SECURITY
The best defense policy that protects your Achilles’ heel, or DNS, must be intelligent and go beyond surface-level security. DNS Defender is engineered with 6 layers of DNS security. Each layer is uniquely specialized to protect against specific types of DNS attacks.
PERFORMANCE
DNS Defender accelerates DNS performance with responses to valid queries from a fast cache, answering DNS queries at line speed up to 250,000 requests per second. If volume exceeds cache capacity, queries are dropped with no impact on DNS servers.
FLEXIBILITY
Your DNS solution should help mitigate attack risk by allowing you to add security countermeasures as needed. DNS Defender enables you to build custom defenses against real and potential cyber assaults you may see coming through your threat operation centers.
BENEFITS
Performance = Competitive advantage
• Can reduce the size and complexity of DNS server farms
• Postpones or eliminates DNS infrastructure upgrades
• Provides DNS security without expensive equipment redundancy
BENEFITS
Flexibility = Rapid threat response
• Rapidly mitigate risk within hours by identifying, understanding, and defending against the threat with custom security countermeasures
• Configurable DNS-oriented access control lists (ACLs)
• Enables administrative management of the specific query types, DNS flags, and domain names subject to blocking, filtering, or redirection
BENEFITS
Security = Peace of mind
• The dollar value of preventing just one attack can provide immediate return on investment
• Can reduce costs and risks of liability, extortion, and other impacts from attacks and intrusion
• Can slash support costs from customers caused by DNS slowdowns and outages
NEXT STEPS…
Get more information
» Cybersecurity Blog: Experts share tips, advice, and opinions.
» DNS Use Cases: Four customers share their stories.
» Comparison Chart: See the differences between technologies.
» Infographic: Tells the story of the DNS vulnerability problem.
Talk to us
If you have questions about CloudShield DNS Defender and want to speak with our team, please fill out our Contact Us form online.

More Related Content

What's hot

IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
johnmcclure00
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoS
jgrahamc
 

What's hot (20)

Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Dns security threats and solutions
Dns security   threats and solutionsDns security   threats and solutions
Dns security threats and solutions
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS Security
 
Protect Websites against DDoS attacks with Reblaze
Protect Websites against DDoS attacks with ReblazeProtect Websites against DDoS attacks with Reblaze
Protect Websites against DDoS attacks with Reblaze
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and Mitigation
 
Ntp in Amplification Inferno
Ntp in Amplification InfernoNtp in Amplification Inferno
Ntp in Amplification Inferno
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defs
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache Poisoning
 
The Anatomy of DDoS Attacks
The Anatomy of DDoS AttacksThe Anatomy of DDoS Attacks
The Anatomy of DDoS Attacks
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptx
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoS
 
DMARC and mailing list
DMARC and mailing listDMARC and mailing list
DMARC and mailing list
 
Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation ApproachesPseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches
 
DDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationDDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and Mitigation
 
DNS Security WebTitan Web Filter - Stop Malware
DNS Security WebTitan Web Filter - Stop Malware DNS Security WebTitan Web Filter - Stop Malware
DNS Security WebTitan Web Filter - Stop Malware
 
Anatomy of DDoS - Builderscon Tokyo 2017
Anatomy of DDoS - Builderscon Tokyo 2017Anatomy of DDoS - Builderscon Tokyo 2017
Anatomy of DDoS - Builderscon Tokyo 2017
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoS
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
 

Viewers also liked

Cloudshield-DNS_Defender-Data-Sheet
Cloudshield-DNS_Defender-Data-SheetCloudshield-DNS_Defender-Data-Sheet
Cloudshield-DNS_Defender-Data-Sheet
Chad Krantz
 
CORREOS ELECTRÓNICOS
CORREOS ELECTRÓNICOSCORREOS ELECTRÓNICOS
CORREOS ELECTRÓNICOS
erika1698
 
Ellucian Student Success video script FINAL
Ellucian Student Success video script FINALEllucian Student Success video script FINAL
Ellucian Student Success video script FINAL
Laura L. Adams
 
FCPA Self-Reporting Pilot Program: Motivation to Self-Report?
FCPA Self-Reporting Pilot Program: Motivation to Self-Report?FCPA Self-Reporting Pilot Program: Motivation to Self-Report?
FCPA Self-Reporting Pilot Program: Motivation to Self-Report?
Brian Dickerson
 
Court Says NJ Took Too Long For Subpoenas In FCA Claim
Court Says NJ Took Too Long For Subpoenas In FCA ClaimCourt Says NJ Took Too Long For Subpoenas In FCA Claim
Court Says NJ Took Too Long For Subpoenas In FCA Claim
Brian Dickerson
 
Rick Hudson Resume August 2015
Rick Hudson Resume August 2015Rick Hudson Resume August 2015
Rick Hudson Resume August 2015
Rick Hudson
 

Viewers also liked (17)

Cloudshield-DNS_Defender-Data-Sheet
Cloudshield-DNS_Defender-Data-SheetCloudshield-DNS_Defender-Data-Sheet
Cloudshield-DNS_Defender-Data-Sheet
 
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
 
Pitch
PitchPitch
Pitch
 
Trolls
TrollsTrolls
Trolls
 
ACCOSCA's 7th Annual SACCO Operational Forum
ACCOSCA's 7th Annual SACCO Operational ForumACCOSCA's 7th Annual SACCO Operational Forum
ACCOSCA's 7th Annual SACCO Operational Forum
 
CORREOS ELECTRÓNICOS
CORREOS ELECTRÓNICOSCORREOS ELECTRÓNICOS
CORREOS ELECTRÓNICOS
 
Power Point for Lawyers
Power Point for LawyersPower Point for Lawyers
Power Point for Lawyers
 
Ellucian Student Success video script FINAL
Ellucian Student Success video script FINALEllucian Student Success video script FINAL
Ellucian Student Success video script FINAL
 
FINAL GROUP
FINAL GROUPFINAL GROUP
FINAL GROUP
 
Kate Young - What we do
Kate Young - What we doKate Young - What we do
Kate Young - What we do
 
FisherBroyles Alert - Miami Pharmacies Charged with Submitting $26 Million in...
FisherBroyles Alert - Miami Pharmacies Charged with Submitting $26 Million in...FisherBroyles Alert - Miami Pharmacies Charged with Submitting $26 Million in...
FisherBroyles Alert - Miami Pharmacies Charged with Submitting $26 Million in...
 
Business Coaching | pavlosvouzoulidis.gr
Business Coaching | pavlosvouzoulidis.grBusiness Coaching | pavlosvouzoulidis.gr
Business Coaching | pavlosvouzoulidis.gr
 
The World Presentation new
The World Presentation newThe World Presentation new
The World Presentation new
 
FCPA Self-Reporting Pilot Program: Motivation to Self-Report?
FCPA Self-Reporting Pilot Program: Motivation to Self-Report?FCPA Self-Reporting Pilot Program: Motivation to Self-Report?
FCPA Self-Reporting Pilot Program: Motivation to Self-Report?
 
Court Says NJ Took Too Long For Subpoenas In FCA Claim
Court Says NJ Took Too Long For Subpoenas In FCA ClaimCourt Says NJ Took Too Long For Subpoenas In FCA Claim
Court Says NJ Took Too Long For Subpoenas In FCA Claim
 
Measuring Research Impact
Measuring Research ImpactMeasuring Research Impact
Measuring Research Impact
 
Rick Hudson Resume August 2015
Rick Hudson Resume August 2015Rick Hudson Resume August 2015
Rick Hudson Resume August 2015
 

Similar to Cloudshield_DNS Tips_032014

The role of DDoS Providers
The role of DDoS ProvidersThe role of DDoS Providers
The role of DDoS Providers
Neil Hinton
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of Things
F5 Networks
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of Things
Peter Silva
 
Pmw2 k3ni 1-2b
Pmw2 k3ni 1-2bPmw2 k3ni 1-2b
Pmw2 k3ni 1-2b
hariclant1
 

Similar to Cloudshield_DNS Tips_032014 (20)

DNS Advanced Attacks and Analysis
DNS Advanced Attacks and AnalysisDNS Advanced Attacks and Analysis
DNS Advanced Attacks and Analysis
 
DNS Security (DNSSEC) With BIG-IP Global Traffic Manager
DNS Security (DNSSEC) With BIG-IP Global Traffic ManagerDNS Security (DNSSEC) With BIG-IP Global Traffic Manager
DNS Security (DNSSEC) With BIG-IP Global Traffic Manager
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 
The role of DDoS Providers
The role of DDoS ProvidersThe role of DDoS Providers
The role of DDoS Providers
 
Advanced DNS Protection
Advanced DNS ProtectionAdvanced DNS Protection
Advanced DNS Protection
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr WojciechowskiPLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
 
BKNIX Peering Forum 2017 : DDoS Attack Trend and Defense Strategy
BKNIX Peering Forum 2017 : DDoS Attack Trend and Defense StrategyBKNIX Peering Forum 2017 : DDoS Attack Trend and Defense Strategy
BKNIX Peering Forum 2017 : DDoS Attack Trend and Defense Strategy
 
Filling the Gaps in Your DDoS Mitigation Strategy
Filling the Gaps in Your DDoS Mitigation StrategyFilling the Gaps in Your DDoS Mitigation Strategy
Cloudshield_DNS Tips_032014

Achilles’ heel. Without DNS service, there is no Skype, no Facebook, no Twitter, no Instagram, no CNN, and no Google. Without DNS, there is no Internet.

As critical as DNS is to the Internet, it remains insufficiently secure and, in many cases, insufficiently robust in the face of protocol-specific and denial-of-service attacks. This needs to change.
No silver bullet

Security professionals are familiar with the three main pillars of information and network security:

- Availability: the information must be available at all times
- Integrity: the information must not be tampered with by unauthorized parties
- Authenticity: the information must come from authentic sources

(The classic triad names confidentiality rather than authenticity. DNS data is public by design, so for DNS the authenticity of the answers is the more relevant property.)

DNS should be no different and should follow these same pillars: DNS service must be available, and it must be provided with integrity and authenticity. How can this be achieved?

One thing we must accept up front: there is no silver bullet for DNS protection. It requires a layered approach that includes people, process, and technology. Security professionals need to understand the type of infrastructure they are trying to protect, their business needs, and the threats targeted against their systems. They must design the infrastructure accordingly and have skilled people to monitor and manage it.
SECURITY LAYERING

DNS security strategy

Your general DNS security strategy should provide defense in depth and a variety of options at each line of defense. Choose solutions that match your business needs, risk tolerance, and budget. Several companies that suffered major customer-impacting DNS outages thought they could handle attacks through a combination of DDoS filtering solutions and over-provisioning. Sadly, this is not enough. Consider how you will protect your outer, middle, and inner DNS infrastructure.

Layer 1: Outer layer DNS defense tactics

At least two outer layer defense tactics have proven successful:

1. If your IT infrastructure includes multiple data centers, spread out your DNS servers and use Anycast as a network-wide load balancer. Because each client is routed to the topologically nearest instance, Anycast also confines much of an attack to the sites closest to its sources instead of letting it reach every server.
2. Use a commercial DDoS filtering or scrubbing vendor. This reduces the volume of DDoS traffic, but understand that such solutions seldom stop attacks completely.

Both approaches have proven successful with ISPs and can benefit larger enterprises.

Layer 2: Middle layer DNS defense tactics

A middle layer of defense applies to a wide range of verticals, depending on the size and scale of their Internet-facing infrastructure, such as mail and web servers. This method involves configuring routers to allow DNS traffic only from approved IP ranges. It is impractical when legitimate traffic can come from many public sources, as it does for authoritative servers, and because UDP source addresses are trivially spoofed it filters on a claim rather than a fact; it is best suited to recursive servers that serve a known client population. Routers can also be configured to drop or rate-limit certain kinds of traffic, or to carry traffic from countries that are likely attack sources over slower links. The administrative cost of keeping traffic policies current is a potential downside of this tactic.
Layer 3: Inner layer DNS defense tactics

Your inner layer defense is your last stand. A typical large-scale DDoS attack can generate 20 to 300 Gb/s of attack traffic spread across multiple sources. Assuming your edge routers can forward this amount of traffic, multiple gigabits per second of DDoS traffic will penetrate your outer and middle defenses. Your inner DNS layer of defense must handle the attack.

For example, assume a typical 100-byte DNS query. A 1 Gb/s link can carry roughly 1,000,000 queries per second (QPS). Under attack, DDoS query traffic will skyrocket from thousands to millions of QPS, while a recursive DNS server can typically handle 50,000 to 100,000 QPS. Your DNS servers will be overwhelmed and unable to respond properly, and much of your business might stop when they do. Multiple, redundant 1 Gb/s links compound the problem, since each one can deliver another million queries per second.

There are solutions to protect your inner layer. A truly effective DNS solution examines traffic before any DNS processing takes place: all rejection and limiting of attack traffic should happen before it hits your DNS servers. To do this, you need a specialized DNS firewall that can:

1. Handle higher traffic volumes than your DNS servers
2. Improve DNS response times (some solutions are performance neutral or add latency)
3. Add stateful tracking to the recursive UDP (User Datagram Protocol) queries your resolvers send upstream, so that only responses matching an outstanding query are accepted; unsolicited or mismatched responses, whether reflected flood traffic or off-path cache poisoning attempts, are dropped before they reach the resolver
4. Validate DNS traffic, dropping packets that are malformed or do not conform to the protocol

Specialized DNS firewalls

Just as boundary and application firewalls have evolved to offload security functions from the applications they protect, it is now time for specialized DNS firewalls to do the same. As attack methods get more sophisticated, your DNS protection needs to be several steps ahead. The DNS security layering method will help prepare and strengthen your infrastructure.
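The stateful tracking in point 3 above, as an added worked example (not CloudShield's code): a table of the resolver's outstanding upstream queries, keyed on every field an off-path spoofer would have to guess, against which each arriving response is matched. The server addresses, ports, transaction IDs and names are constructed for the demonstration, and the 2-second timeout and 100,000-entry cap are assumptions.

```python
"""Stateful matching of DNS responses to outstanding recursive queries.

Added illustration for this guide, not CloudShield code. A DNS firewall in
front of a recursive resolver records every query the resolver sends
upstream and forwards only responses that match a recorded query on every
field a blind, off-path spoofer would have to guess: transaction ID,
resolver source port, upstream server address, question name and type.
Unsolicited, duplicate or mismatched responses are dropped before they
reach the resolver, and their count is a direct signal of a spoofing or
reflection attempt.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class QueryKey:
    server: str      # upstream server the query was sent to
    src_port: int    # resolver's ephemeral source port
    txid: int        # 16-bit DNS transaction ID
    qname: str       # question name, normalised (lower-case, no trailing dot)
    qtype: str       # question type, e.g. "A", "MX"


class QueryTracker:
    def __init__(self, timeout=2.0, max_pending=100_000):
        self.timeout = timeout            # seconds a query stays outstanding (assumed)
        self.max_pending = max_pending    # hard cap so a flood cannot exhaust memory
        self._pending = {}                # QueryKey -> time the query was sent
        self._last_sweep = None
        self.unsolicited = 0              # responses with no matching query
        self.stale = 0                    # matching responses that arrived too late

    @staticmethod
    def _key(server, src_port, txid, qname, qtype):
        return QueryKey(server, src_port, txid & 0xFFFF,
                        qname.rstrip(".").lower(), qtype.upper())

    def record_query(self, server, src_port, txid, qname, qtype, now=None):
        """Called for each query the resolver sends upstream. Returns False if
        the table is full; a real device then fails open or closed by policy."""
        now = time.monotonic() if now is None else now
        self._sweep(now)
        if len(self._pending) >= self.max_pending:
            return False
        self._pending[self._key(server, src_port, txid, qname, qtype)] = now
        return True

    def check_response(self, server, src_port, txid, qname, qtype, now=None):
        """Called for each response arriving from upstream. Returns ACCEPT,
        DROP_UNSOLICITED (no outstanding query matches, which also covers a
        replay of an already-answered query) or DROP_STALE (matched, but
        arrived after the timeout)."""
        now = time.monotonic() if now is None else now
        sent = self._pending.pop(self._key(server, src_port, txid, qname, qtype), None)
        if sent is None:
            self.unsolicited += 1
            return "DROP_UNSOLICITED"
        if now - sent > self.timeout:
            self.stale += 1
            return "DROP_STALE"
        return "ACCEPT"

    def _sweep(self, now):
        """Expire outstanding queries that will never be answered. Runs at most
        once per timeout interval so a query flood does not make it O(n^2)."""
        if self._last_sweep is not None and now - self._last_sweep < self.timeout:
            return
        self._last_sweep = now
        self._pending = {k: t for k, t in self._pending.items() if now - t <= self.timeout}


if __name__ == "__main__":
    # Constructed demonstration: one legitimate exchange, then a spoofed response.
    t = QueryTracker()
    t.record_query("192.0.2.53", 40001, 0x1A2B, "www.example.com.", "A", now=100.0)
    print(t.check_response("192.0.2.53", 40001, 0x1A2B, "WWW.EXAMPLE.COM", "a", now=100.1))
    print(t.check_response("192.0.2.53", 40001, 0x9999, "www.example.com", "A", now=100.1))
```

A modern resolver performs these same checks itself; doing them in front of it means a flood of bogus responses never consumes resolver CPU, and the `unsolicited` counter gives operators a clean attack indicator. Note that the table adds no entropy beyond the transaction ID and source port, so it is a complement to source-port randomisation and DNSSEC validation, not a replacement.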
DNS TRAFFIC MANAGEMENT

Popular methods

Overprovisioning and traffic management with rate limiting are two of the most popular methods network administrators use to protect against distributed denial-of-service (DDoS) attacks powered by techniques like DNS amplification and DNS reflection.

Overprovisioning can be as simple as deploying more machines to increase the capacity of the DNS server farm, so that it supports the regular traffic load and absorbs the peak load generated by an attack. Although this approach is attractive from the point of view of DNS software and hardware vendors, in many cases it is not for the DNS operator. Overprovisioning does not simply mean more DNS servers: it means more rack space, power consumption, cooling, and additional complexity and resources for operating and managing the DNS infrastructure, a large capital outlay. To make it work, additional capital might be required for load balancing. At the end of the day, you are putting more soldiers out to be harmed instead of arming them to improve their effectiveness.

The economic factor aside, overprovisioning can have negative technical impacts. One side effect of adding machines to a recursive farm is that queries are spread across more independent caches, which reduces the overall cache hit rate and consequently increases DNS latency.

DNS rate limiting is commonly considered the most effective defense against DDoS attacks, since it gives network operators some control over the traffic reaching and leaving the DNS server farm.

3 ways to use DNS traffic management with rate limiting for protection

Method 1: Rate limit by source IP address

Rate limiting by source IP address sets the number of DNS queries per time slot that will be accepted from a particular IP address or subnet, blocking any attack or misuse that sends DNS requests above the configured threshold. This throttling forces an attacker to spoof a much larger range of IP addresses to reach the query rate necessary for the attack to succeed.

Before enforcing rate-limit rules on your network, test them in monitor or test mode, where potentially offending requests are only logged, not dropped. Testing will reveal the traffic patterns of your network and give you confidence that the rules will not harm legitimate traffic.

Simple rate limiting in this form might not work for authoritative DNS servers, since any resolver on the Internet is a legitimate client and the set of source addresses that will reach your server is unknown; worse, in a reflection attack the spoofed source is the victim, so a plain source limit punishes the victim rather than the attacker. This form is best suited to recursive servers with a known client population. For authoritative DNS servers, we recommend DNS response rate limiting (RRL), available in BIND 9, which limits how many identical responses are sent to the same client prefix per second and answers some of the excess with a truncated reply so that genuine clients fall back to TCP. Aggregate rate limits can also be used to prevent surges in DNS traffic from flowing through the DNS network.
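The BIND 9 response rate limiting recommended above for authoritative servers, as an added configuration example (not from the original guide). The option names are BIND's own; the numeric values are illustrative starting points, not tuned recommendations, and RRL requires BIND 9.9.4 or later built with RRL enabled (it is on by default from 9.10).

```conf
options {
    // Response Rate Limiting for an authoritative server. Identical answers
    // to the same client prefix are counted per second; excess responses are
    // dropped, except that every "slip"-th one is sent truncated (TC=1) so a
    // genuine resolver behind a spoofed address simply retries over TCP.
    rate-limit {
        responses-per-second 5;   // identical positive answers per prefix per second
        nxdomains-per-second 5;   // NXDOMAIN floods (random-subdomain attacks)
        errors-per-second 5;      // SERVFAIL/FORMERR and similar
        window 5;                 // seconds of credit a quiet client may bank
        slip 2;                   // 1 in 2 suppressed responses sent truncated
        ipv4-prefix-length 24;    // clients are grouped per /24 ...
        ipv6-prefix-length 56;    // ... and per /56
        log-only yes;             // MONITOR MODE: log what would be dropped, drop nothing
    };
};
```

Run with `log-only yes;` first and watch the `rate-limit` logging category for the prefixes that would be affected; once no legitimate resolvers appear there, switch to `log-only no;` to enforce. RRL does not protect against attacks that vary the query name on every packet (each response is then unique), which is why the `nxdomains-per-second` limit and the aggregate limits discussed in this section matter as well.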
Method 2: Rate limit by destination IP address

The destination IP address rate limit is useful when the operational load limit of a DNS server is known and you do not want to reach it, in order to avoid the unpredictable and undesirable behavior of an overloaded DNS server. With this type of rate limiting, you specify the maximum number of queries that may reach each DNS server in the farm and drop any traffic above that threshold (which the server would have discarded anyway), protecting the server from receiving more queries than it can handle.

Destination rate limiting is also key to being an upright member of the Internet community. It keeps you from becoming an unlimited amplifier in reflection DDoS (RDDoS) attacks by capping the amount of traffic your servers can be made to send out.

Method 3: Rate limit by DNS query type

When finer-grained rate limiting is necessary, specify rules based on DNS query type. Some query types are far more common than others; A, AAAA, and pointer (PTR) queries make up most normal traffic. This type of rate limiting can be used to block sharp deviations from the average query-type distribution, which are a strong indication of an attack. It is possible, for example, to specify that a particular IP address or subnet may send only five requests of type A, two requests of type AAAA, two requests of type PTR, and one request of the remaining types per time slot. In this example the query-type limit is combined with the source IP address limit to give fine-grained control over DNS traffic. As with the source IP address rate limit, running the rules in monitor or test mode before enforcement is strongly recommended.

Implementing traffic management with rate limiting

CloudShield DNS Defender® offers several rate-limiting mechanisms, including those discussed above. Since rate limiting carries risk, DNS Defender supports monitor (log-only) modes so that rules can be tested and their effect on real traffic analyzed before they are enforced. Monitor mode and rule-set modifications can be applied in seconds with minimal impact on traffic.

Flexibility is essential

Whichever type of rate limit you use and however you implement it, it is important to have a DNS defense infrastructure that can offer and combine all types of rate limiting. This gives you the flexibility to use any combination to better protect your DNS service from the ever-changing DNS attack landscape.
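Methods 1, 2 and 3 together, with the monitor mode recommended for each, as one added worked example (not DNS Defender's implementation): a pre-DNS filter that counts queries per source /24, per destination server and per source host and query type within one-second slots, and that either drops or merely logs the excess. The limits, addresses and the burst of traffic it is run over are constructed for the demonstration.

```python
"""Source, destination and query-type rate limits in one pre-DNS filter, with
the monitor (log-only) mode this guide recommends before enforcing.

Added example for this guide; not CloudShield DNS Defender code. Counters
are per one-second slot (the guide's "time slot"). Rule order matters: the
two client-side rules run first, so a query they drop never counts against
the destination server's budget.
"""
from collections import Counter
import ipaddress


class DnsRateLimiter:
    def __init__(self, per_source=None, per_dest=None, per_host_qtype=None,
                 v4_prefix=24, v6_prefix=56, enforce=False):
        self.per_source = per_source                  # queries/slot per client prefix (Method 1)
        self.per_dest = per_dest                      # queries/slot reaching each server (Method 2)
        self.per_host_qtype = per_host_qtype or {}    # e.g. {"A": 5, "AAAA": 2, "PTR": 2, "*": 1} (Method 3)
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.enforce = enforce                        # False = monitor mode: log, never drop
        self.slot = None
        self.counts = {"source": Counter(), "qtype": Counter(), "destination": Counter()}
        self.log = []                                 # (slot, rule, key) for every limit hit

    def _bucket(self, src):
        """Aggregate a client address into its /24 or /56 so one attacker
        rotating through a subnet shares a single budget."""
        addr = ipaddress.ip_address(src)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def admit(self, ts, src, dst, qtype):
        """Return ACCEPT, DROP (enforcing) or MONITOR (would have dropped)."""
        slot = int(ts)
        if slot != self.slot:                         # new time slot: fresh counters
            self.slot = slot
            for c in self.counts.values():
                c.clear()
        qtype = qtype.upper()
        qt_limit = self.per_host_qtype.get(qtype, self.per_host_qtype.get("*"))
        checks = (
            ("source", self._bucket(src), self.per_source),
            ("qtype", (src, qtype), qt_limit),
            ("destination", dst, self.per_dest),
        )
        hit = False
        for rule, key, limit in checks:
            if limit is None:
                continue
            self.counts[rule][key] += 1
            if self.counts[rule][key] > limit:
                self.log.append((slot, rule, key))
                hit = True
                if self.enforce:
                    return "DROP"                     # dropped here; later stages never see it
        return "MONITOR" if hit else "ACCEPT"


def sample_traffic():
    """Constructed one-second burst (not captured data): 6 A queries from one
    host, 2 TXT from the same host, then one A query from each of 12 hosts
    in a single /24, all aimed at the same server."""
    t = [(0.01 * i, "198.51.100.7", "10.0.0.53", "A") for i in range(1, 7)]
    t += [(0.10, "198.51.100.7", "10.0.0.53", "TXT"), (0.11, "198.51.100.7", "10.0.0.53", "TXT")]
    t += [(0.20 + 0.01 * i, f"203.0.113.{i}", "10.0.0.53", "A") for i in range(1, 13)]
    return t


def run_sample(enforce):
    rl = DnsRateLimiter(per_source=10, per_dest=15,
                        per_host_qtype={"A": 5, "AAAA": 2, "PTR": 2, "*": 1},
                        enforce=enforce)
    verdicts = Counter(rl.admit(*q) for q in sample_traffic())
    rules = Counter(rule for _, rule, _ in rl.log)
    return {"verdicts": dict(verdicts), "rules": dict(rules)}


if __name__ == "__main__":
    print("monitor:", run_sample(enforce=False))
    print("enforce:", run_sample(enforce=True))
```

Running the same burst in both modes shows why monitor mode comes first: with logging only, every rule sees every query, so the destination limit fires five times, whereas once enforcing, the source and query-type limits shed load before it reaches the server and the destination limit fires only once. Reading the monitor log against known-good clients is what tells you whether a limit is sized for attackers or for your own resolvers.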
DNS & ADVANCED MALWARE ATTACKS

Use of DNS for advanced malware attacks

Hype around advanced malware attacks, sometimes referred to as APTs (Advanced Persistent Threats), got a boost in February 2013 with the release of the APT1 report by the security company Mandiant. Based on seven years of research, data collection, and analysis of information from nearly 150 organizations around the world, the report concludes that the APT1 group behind the long-running and extensive cyber-espionage campaign is likely sponsored by the Chinese government. Not surprisingly, the report has a whole section on the Domain Name System (DNS), revealing the domain names and zones registered and used by the group during the attacks.

An important piece of the puzzle

Almost every step of the advanced malware life cycle relies on some sort of DNS manipulation. Although DNS is mainly used to hide the IP addresses of the remote servers used by the attacker, its use goes far beyond that. From a source of information to an available channel for external communication, there are several malicious ways of using DNS in an APT attack.

Figure 1: The steps of an advanced malware attack, each of which can make use of the DNS protocol:
1. Initial recon
2. Initial compromise
3. Establish foothold
4. Escalate privileges
5. Internal recon
6. Move laterally
7. Data exfiltration
1 Initial reconnaissance

The fact that DNS stores the addresses of important elements of the network infrastructure, like mail and web servers, makes it an important source of information for attackers mapping the victim network and identifying possible targets. In some cases, due to misconfigurations or vulnerabilities on the DNS server (an authoritative server that permits zone transfers to anyone, for example), attackers may also obtain internal information about the network and its devices.

2 Initial compromise

For the initial compromise, the most common tactic is email phishing. A specially crafted email is sent to specific individuals in the targeted organization, containing a malicious attachment, a downloadable file, or a link to a website. In all these cases, DNS is used to find the IP address associated with the link in the email or embedded in the malicious document, pointing to the remote server where the malware is hosted.

3 Establish foothold

This step is accomplished by installing backdoors and making an outbound connection to establish a command and control (C&C) channel back to the attacker's systems outside the network. C&C channels can use several techniques to stay under the radar, such as well-known and commonly used UDP/TCP ports, encoding or encrypting the communication, and "non-suspect" protocols like HTTP and DNS.

4 Escalate privileges

After initial access to the victim machine, the attacker uses operating system commands and other tools to gather information about both the machine and the network. The goal is to find credentials that bypass system controls and allow access to other resources on the network.

5 Internal reconnaissance

After expanding control over the initially compromised machine, the attacker performs internal reconnaissance to locate the targets. Again, DNS can play a malicious role by giving the attacker useful information for identifying and locating important resources on the network.

6 Move laterally

With credentials in hand, the attacker expands control over other machines on the network, moving closer to systems with access to the target or valuable information.
7 Data exfiltration

The attacker's final goal is access to sensitive or confidential information, like intellectual property, personally identifiable information (PII), and credentials. Once this information is found, the attacker needs a way to send it outside the network. Standard protocols like FTP and custom protocols can be used for this, and DNS is another available channel: the data is encoded into the labels of queries for a domain the attacker controls, and the attacker's authoritative server receives it one query at a time.

How can you turn DNS into an ally against APTs?

Ironically, the fact that attackers rely heavily on DNS throughout an advanced malware incursion is exactly what allows DNS to be used as an important defense against this type of attack. DNS data analysis, domain name blacklisting powered by external threat intelligence feeds, and policy enforcement for DNS traffic are some of the techniques that can detect and block malicious activity on the network.

Advanced malware attacks are complex and constantly evolving. A comprehensive set of resources is required on the defensive side to detect and defend against them. Specialized DNS firewalls like CloudShield DNS Defender®, coupled with advanced data analysis tools, are an important piece of this defense strategy.

Summary

This DNS Security Tip Guide has covered the importance of DNS and three ways to help mitigate the risk of business-disrupting attacks on your DNS infrastructure:

1. A layered DNS security strategy
2. DNS traffic management to handle Distributed Denial of Service (DDoS) attacks
3. The role of DNS in the growing problem of advanced malware attacks

Understanding these will make you a better DNS and/or security administrator and help you determine ways to ensure the strength and resilience of the DNS technology on which your business depends. With this information in hand, you can search for solutions to enhance your DNS infrastructure.
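The two DNS-as-ally techniques named above, blacklisting against a threat-intelligence feed and data analysis that spots the tunnelled C&C and exfiltration traffic of steps 3 and 7, as one added worked example (not CloudShield's analysis tooling). The query-log format, the feed and every domain name are constructed here using reserved `.test`, `.invalid` and `.example` names; the detection thresholds are assumptions to be tuned against your own traffic.

```python
"""DNS query-log analysis for the techniques this guide names: blacklisting
against a threat-intelligence feed, and detecting tunnelling-style C&C or
exfiltration traffic from the shape of the names being queried.

Added example for this guide, not CloudShield code. Log lines, the threat
feed and the domain names are all constructed (reserved .test / .invalid /
.example names), not captured data. The log format is a simplified version
of a resolver query log; adapt LINE to your own server's format.
"""
import hashlib
import math
import re
from collections import Counter, defaultdict

# "<client>#<port> query: <qname> IN <qtype>"  (constructed format)
LINE = re.compile(r"^(?P<client>[^#\s]+)#\d+ query: (?P<qname>\S+) IN (?P<qtype>\S+)$")

# Constructed feed of known-bad zones; a real feed is loaded from a vendor.
THREAT_FEED = {"c2.evil.invalid", "dropper.example"}


def parse(lines):
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m["client"], m["qname"].rstrip(".").lower(), m["qtype"].upper()


def registered_domain(qname):
    """Approximation: the last two labels. Production code should use the
    Public Suffix List so that e.g. co.uk is handled correctly."""
    return ".".join(qname.split(".")[-2:])


def entropy(label):
    """Shannon entropy in bits per character; encoded payloads score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def in_feed(qname, feed=THREAT_FEED):
    """True if qname or any parent zone of it is listed in the feed."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in feed for i in range(len(labels)))


def analyze(lines, min_names=5, min_label_len=20, min_entropy=3.0):
    """Return blacklisted (client, qname) pairs and registered domains whose
    query pattern looks like tunnelling: many distinct names, long leftmost
    labels, high entropy. Thresholds are assumptions."""
    blacklisted = set()
    stats = defaultdict(lambda: {"names": set(), "lens": [], "ents": []})
    for client, qname, qtype in parse(lines):
        if in_feed(qname):
            blacklisted.add((client, qname))
        first = qname.split(".")[0]
        d = stats[registered_domain(qname)]
        d["names"].add(qname)
        d["lens"].append(len(first))
        d["ents"].append(entropy(first))
    suspects = sorted(
        dom for dom, d in stats.items()
        if len(d["names"]) >= min_names
        and sum(d["lens"]) / len(d["lens"]) >= min_label_len
        and sum(d["ents"]) / len(d["ents"]) >= min_entropy
    )
    return {"blacklisted": sorted(blacklisted), "tunnel_suspects": suspects}


def sample_log():
    """Constructed log: normal lookups, one beacon to a listed C&C zone, and
    eight exfiltration queries carrying hex-encoded chunks in the first label."""
    lines = [
        "10.1.2.3#51234 query: www.example.com IN A",
        "10.1.2.3#51235 query: mail.example.com IN MX",
        "10.1.2.4#40001 query: cdn.example.net IN AAAA",
        "10.1.2.4#40002 query: www.example.net IN A",
        "10.1.2.9#33000 query: beacon.c2.evil.invalid IN A",
    ]
    for i in range(8):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
        lines.append(f"10.1.2.9#{34000 + i} query: {chunk}.tunnel.test IN TXT")
    return lines


if __name__ == "__main__":
    print(analyze(sample_log()))
```

The feed match is a suffix match, so listing a zone catches every host beneath it, which is how blacklisting and policy enforcement are normally applied in a DNS firewall (block, or redirect to a sinkhole, any query under a listed zone). The tunnelling heuristic works on aggregate shape rather than content, so it also catches encrypted payloads, but it should be run against your own baseline first: CDNs and some anti-virus products legitimately generate long, high-entropy labels.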
DNS DEFENDER

CloudShield DNS Defender® is an enterprise- and carrier-grade DNS security and performance enhancement solution. Unlike traditional firewalls or other network security appliances, DNS Defender is specifically designed to protect against DNS attacks, enhance overall DNS performance, and offer the flexibility to add custom security countermeasures for carriers, ISPs, and large organizations.

The best defense policy for protecting your Achilles’ heel, DNS, must be intelligent and go beyond surface-level security. DNS Defender is engineered with 6 layers of DNS security, each uniquely specialized to protect against specific types of DNS attacks.

PERFORMANCE

DNS Defender accelerates DNS performance by answering valid queries from a fast cache, at line speed up to 250,000 requests per second. If volume exceeds cache capacity, the excess queries are dropped with no impact on the DNS servers.

Benefits: Performance = Competitive advantage
- Can reduce the size and complexity of DNS server farms
- Postpones or eliminates DNS infrastructure upgrades
- Provides DNS security without expensive equipment redundancy

FLEXIBILITY

Your DNS solution should help mitigate attack risk by letting you add security countermeasures as needed. DNS Defender enables you to build custom defenses against real and potential cyber assaults you may see coming through your threat operation centers.

Benefits: Flexibility = Rapid threat response
- Rapidly mitigate risk within hours by identifying, understanding, and defending against the threat with custom security countermeasures
- Configurable DNS-oriented access control lists (ACLs)
- Lets administrators specify the query types, DNS flags, and domain names subject to blocking, filtering, or redirection

SECURITY

Benefits: Security = Peace of mind
- The dollar value of preventing just one attack can provide an immediate return on investment
- Can reduce the costs and risks of liability, extortion, and other impacts from attacks and intrusions
- Can slash customer support costs caused by DNS slowdowns and outages
NEXT STEPS

Get more information
» Cybersecurity Blog: Experts share tips, advice, and opinions.
» DNS Use Cases: Four customers share their stories.
» Comparison Chart: See the differences between technologies.
» Infographic: Tells the story of the DNS vulnerability problem.

Talk to us
If you have questions about CloudShield DNS Defender and want to speak with our team, please fill out our Contact Us form online.