DNS is critical network infrastructure and securing it against attacks like DDoS, NXDOMAIN, hijacking and Malware/APT is very important to protecting any business.
Networks are constantly being exploited using DNS for a variety of criminal purposes today. DNS is the cornerstone of the internet and attackers know that DNS is a high-value target. Without their DNS functioning properly, enterprises cannot conduct business online.
DNS protocol is stateless which means attackers also cannot be traced easily.
The DNS protocol can be exploited easily. It is easy to craft DNS queries that can cause the DNS server to crash or respond with a much amplified response that can congest the bandwidth.
The queries can be spoofed which means attackers can direct huge amounts of traffic to its victim with the help of unsuspecting accomplices. (open resolvers on the internet)
Traditional protection like firewalls leave port 53 open and don’t do much in terms of preventing DNS attacks.
All these reasons make the DNS an ideal attack target.
DNS Firewall – Case Study Example – SEA (Syrian Electronic Army)
August 27th, 2013 SEA hacked the DNS registries for NY Times & Twitter at a Service Provider in Australia.
The hack redirected users to SEA-controlled websites which contained malware.
Infoblox DNS Firewall and its Subscription service helped protect our customers during this attack.
--Results in a large amount of data to be sent to the victim’s IP address
--Uses multiple such open resolvers, often thousands of servers
The idea of controlling multiple, high-bandwidth empowered servers for launching DDoS attacks, compared to, for instance, controlling hundreds of thousands of malware-infected hosts, has always tempted cybercriminals to ‘innovate’ and seek pragmatic ‘solutions’ in order to achieve this particular objective.
Among the most recent high profile example utilizing this server-based DDoS attack tactic is Operation Ababil, or Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters attacks against major U.S financial institutions, where the use of high-bandwidth servers was utilized by the attackers. This indicates that wishful thinking often tends to materialize.
In this slide we’ll take a peek inside what appears to be a command and control PHP script in its early stages of development, which is capable of integrating multiple (compromised) servers for the purpose of launching distributed denial of service attacks (DDoS) taking advantage of their bandwidth.
Currently, the PHP script supports four types of DDoS attack tactics, namely DNS amplification, spoofed SYN, spoofed UDP, and HTTP+proxy support. The script also acts as a centralized command and control management interface for all the servers where it has been (secretly) installed on. It’s currently offered for $800.
Just like we’ve seen in numerous other cybercrime-friendly underground market releases, in this case, the author of the PHP script is once again forwarding the responsibility for its use to potential customers, and surprisingly, in times when fake scanned IDs continue getting systematically abused by cybercriminals, is expressing his trust in the user legitimization methods applied by his payment processor of choice – WebMoney.
IN recent surveys, it turns out that there is no clear ownership of DNS security – mostly due to lack of awareness. The security teams see DNS as the Networking team’s responsibility, but networking teams are often looking to security teams for risk mitigation. Unclear roles and responsibilities cause the first layer of vulnerabilities…
Port 53 – Domain Name System (DNS)
Port 25 – Simple Mail Transfer Protocol (SMTP) -- Email
Port 80 – HTTP -- Web
Port 110 – Post Office Protocol (POP3)
Port 1503 – Windows Live Messenger
Port 1801 – Microsoft Messaging
Dedicated hardware with no extraneous ports open for attack.
No association with enterprise domain logins or passwords, only admin login rights, no user rights even available
Immediate updates to new security threats.
Encryption based transactions to manage appliance.
The Adv Appliance can sit on the Grid. Now let’s see the Advanced DNS Protection in action.
Regular GRID appliances like the GRID master and the reporting server sit on the GRID
Let’s assume we have two Advanced Appliances, one external authoritative and the other functioning as an internal recursive server.
DNS attacks come interspersed with legitimate DNS traffic at the external authoritative server.
Advanced DNS Protection pre-processes the requests to filter out attacks
It responds to legitimate DNS requests
The attack types and patterns are sent to Infoblox Reporting server
When Infoblox detects new threats, it creates rules and updates the Advanced Appliance. The rule updates are propagated to other Advanced Appliances on the Grid.
Infoblox DNS Firewall – How does it work?
1. An infected mobile device is brought into the office. Upon connection, the malware starts to spread to other devices on the network.
2. The malware makes a DNS query for “bad” domain to find “home.” The DNS Firewall has the “bad” domain in its table and blocks the connection.
3. The DNS Server is continually updated by a reputational data feed service to reflect the rapidly changing list of malicious domains.
4. Infoblox Reporting provides list of blocked attempts as well as the
IP address
MAC address
Device type (DHCP fingerprint)
Host Name
DHCP Lease history (on/off network)
5. Reputation data comes from:
Infoblox DNS Firewall Subscription Service – blocking data on domains and IP addresses from 35+ sources throughout the world. Geo-blocking also apart of the service as well
Infoblox DNS Firewall – FireEye Adapter – APT malware domains and IP addresses to be blocked communicated to DNS Firewall from from FireEye NX Series.
This is a new Security Risk Assessment you can point your customers to any time. It’s on the external web site and customers such as Pep Boys, Twitter, and K-Mart have run assessments.
Some major observations about customers in this context:
Most don’t perform any security analysis on DNS traffic
No team or person chartered with looking specifically at DNS security
For those with on-premise external DNS servers no knowledge of how to handle DNS-based DDoS attacks
Most of them use conventional DNS services (Microsoft or BIND)
Possibly other services running on them
Lots of open ports (security risks)
DNS is critical infrastructure & not well understood
DNS attacks are on the rise
Traditional approaches are not sufficient
There are a lot of good resources and technologies to help you protect DNS
Infoblox is not a start-up. The company was started more than a dozen years ago – our technology is mature and field proven
The company HQ is in the heart of Silicon Valley with global operations in all major geographies –
We do business in 3 regions (Americas, EMEA, APJ)
We have sales, support and development operations in 25 countries and we do business in over 70 countries around the world
Infoblox makes essential technology to control networks – we’ll dig into that a bit later in the
We are a market leader in the space that we serve – with Strong Positive ratings from Gartner (3 years in a row) and 40% market share
(Note: Gartner Market Scope and market share stat is specific to DDI)
Infoblox has a massive customer base – our latest count is 6,900 different companies- we have shipped 64,000 systems
We are innovative, with a formal patent program for our employees. As of right now we own 32 patents and 25 more pending
Last but not least – the company did a successful IPO in April 2012. We now share our financial results publicly – which can be seen on the right.