DNS Caching Krytyczna infrastruktura operatora i ostatni element układanki

Size: px
Start display at page:

Download "DNS Caching Krytyczna infrastruktura operatora i ostatni element układanki"

Transcription

1 DNS Caching Krytyczna infrastruktura operatora i ostatni element układanki Adam Obszyński, CISSP, CCIE #8557 Regional Sales Engineer Eastern Europe 1

2 Dawno temu AD

3 Two kind of External DNS Servers? Authoritative Name Servers hosting company.com (corporate web site : Internet users > BIND DNS Internet Webserver Mailserver ETHERNET BIND DNS ETHERNET Forwarders (aka resolvers, dns cache) Enable web surfing, sending s, etc. Internal applications Internal users >

4 O Czym my tu dzisiaj? Który element puzzle nas interesuje? Dlaczego myślimy o DNS Cache? Jak można to zrobić lepiej a może najlepiej? S Jak zrobili to inni?

5 O Czym my tu dzisiaj? Który element puzzle nas interesuje? Dlaczego myślimy o DNS Cache? Jak można to zrobić lepiej a może najlepiej? S Jak zrobili to inni?

6 Bandwidth -> Core Cisco.com

7 Bandwidth -> Access

8 Serialization -> Access It was true in 1999 and 2000 Not today :-) Cisco.com

9 DNS: Scale Number of Queries YES Cause of Increase DNS prefetching function 28-times increase in one year FireFox -> enabled * Auto Update Web History NTT Information Sharing Platform Laboratories

10 O Czym my tu dzisiaj? Który element puzzle nas interesuje? Dlaczego myślimy o DNS Cache? Jak można to zrobić lepiej a może najlepiej? S Jak zrobili to inni?

11 DNS Not Just Glue...

12 Web Prefetching Srinivas Krishnan and Fabian Monrose Department of Computer Science University of North Carolina at Chapel Hill

13 Web Delay Sample Fast Web Performance Starts with DNS 300 objects domains

14 Web Delay Sample 2 Fast Web Performance Starts with DNS Two components to DNS latency: Latency Client <-> Server Caches <-> name servers Cache misses Under provisioning Malicious traffic https://developers.google.com/

15 DNS Challenges Data traffic explosion drives increasing DNS load Rise of applications such as Facebook and Mobile devices are causing huge growth in DNS traffic Customer satisfaction is critical Unsatisfied mobile customers readily switch providers Distributed DNS approach places caching servers closer to the customer - Because response time is critical to the customer experience - But centralized management now becomes a critical requirement 4

16 Costs of Maintaining DNS Infrastructure are on the Rise More DNS servers = Higher management costs Security vulnerability patching costs are high Securing DNS infrastructure requires additional equipment and skills High availability implementations require significant expenses and skills TASK: Update the DNS software on 15 name servers % Faster BIND: Min. Infoblox: 5-20 Min. TIME

17 How ISPs Deal with DNS Today* Increase the number of DNS servers Use faster underlying server hardware Use load balancers to handle load and IPS s to handle vulnerabilities Code expensive customized changes into DNS software

18 O Czym my tu dzisiaj? Który element puzzle nas interesuje? Dlaczego myślimy o DNS Cache? Jak można to zrobić lepiej a może najlepiej? S Jak zrobili to inni?

19 Mitigations of DNS Cache problems Over-provisioning Caching DNS resolvers demand a lot of network input/output highly vulnerable to cache poisoning (cache miss rate) Prepare for DoS/DDoS (over-provision with many machines) Load-balancing for shared caching Possible backfire -> reduce the cache hit rate (independent caches) Load-balance without fragmentation Think about 2 levels close to the user -> small cache with most popular names 2 nd level -> distributed per names Distributed clusters for geographical coverage Closer to your users -> less latency DNS Anycast (details later) BUT, Centralized HUGE servers can help with fragmentation! Low latency from user do DataCenter needed 19

20 DNS Anycast Anycast address: Routing advertisement DNS Cache Routing advertisements Query to Query to Routing advertisements Routing advertisement DNS Cache Anycast address: Infoblox Inc. All Rights Reserved.

21 DNS Anycast Anycast address: Routing advertisement DNS Cache Routing advertisements Query to Query to Routing advertisements Routing advertisement DNS Cache Anycast address: Infoblox Inc. All Rights Reserved.

22 DNS Anycast Anycast address: Routing advertisement DNS Cache Queries automatically re-routed to next nearest Routing advertisements Query to Query to Route removed Routing advertisement DNS Cache Anycast address: Infoblox Inc. All Rights Reserved.

23 Don t use risky (or old) DNS software (TCP Case) 41.53: Flags [S], seq , win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val ecr 0,sackOK,eol], length : Flags [S.], seq , ack , win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val ecr ], 41.53: Flags [.], ack 1, win 8235, options [nop,nop,ts val ecr ], length : Flags [P.], seq 1:20, ack 1, win 8235, options [nop,nop,ts val ecr ], length SOA?. (17) 49744: Flags [P.], seq 1:748, ack 20, win 8326, options [nop,nop,ts val ecr ], length *- 1/13/22 SOA ( : Flags [.], ack 748, win 8188, options [nop,nop,ts val ecr ], length : Flags [F.], seq 20, ack 748, win 8192, options [nop,nop,ts val ecr ], length : Flags [.], ack 21, win 8326, options [nop,nop,ts val ecr ], length : Flags [.], ack 748, win 8192, options [nop,nop,ts val ecr ], length : Flags [F.], seq 748, ack 21, win 8326, options [nop,nop,ts val ecr ], length : Flags [.], ack 749, win 8192, options [nop,nop,ts val ecr ], length : Flags [S], seq , win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val ecr 0,sackOK,eol], length : Flags [S.], seq , ack , win 5792, options [mss 1460,sackOK,TS val ecr ,nop,wscale 2], 29.53: Flags [.], ack 1, win 8235, options [nop,nop,ts val ecr ], length : Flags [P.], seq 1:20, ack 1, win 8235, options [nop,nop,ts val ecr ], length SOA?. (17) 49743: Flags [.], ack 20, win 1448, options [nop,nop,ts val ecr ], length : Flags [P.], seq 1:3, ack 20, win 1448, options [nop,nop,ts val ecr ], length : Flags [.], ack 3, win 8235, options [nop,nop,ts val ecr ], length : Flags [P.], seq 3:748, ack 20, win 1448, options [nop,nop,ts val ecr ], length [b2&3=0x1] [13a] [ 29.53: Flags [.], ack 748, win 8188, options [nop,nop,ts val ecr ], length : Flags [F.], seq 20, ack 748, win 8192, options [nop,nop,ts val ecr ], length : Flags [F.], seq 748, ack 21, win 1448, options [nop,nop,ts val ecr ], length : Flags [.], ack 749, win 8192, options [nop,nop,ts val ecr ], length 0 https://labs.ripe.net/

24 Cache Poisoning Checklist by Cricket Liu Use dedicated Forwarders Run the most robust server code Split external/internal and forwarders Filter traffic to/from your forwarders 24

25 Other cases For DNSSEC size is important :-) TCP Check your ACLs EDNS/DNSSEC Check your Firewalls Spoofing - check RFC 5452 for Security DNS Cache Pollution RFC1918 ranges (AS112).local &.localhost domains Flood Educate your users! Newest concepts: DNS Cache server per user? Hardened OS 25

26 Devices v Solutions Dedicated vs Self made. Dedicated DNS Cache appliance does not stop answering queries from cache when capacity limits are reached for cache misses Avg. Latency (Seconds) a Bind 9.8 HW DNS Cache 26

27 Focus. Dedicated vs Self made. Note how the response rate drops off at 35k queries per second. This is a result of the total number of outstanding recursive requests hitting the processing limit. a 27

28 O Czym my tu dzisiaj? Który element puzzle nas interesuje? Dlaczego myślimy o DNS Cache? Jak można to zrobić lepiej a może najlepiej? S Jak zrobili to inni?

29 / Servers 29

30 Google, OpenDNS and more 30

31 Removed 31

32 Removed 32

33 Removed 33

34 Removed 34

35 Removed 35

36 Removed 36

37 Number of Servers/Appliances Needed to Reach 500K and 1M DNS QPS # of servers/appliances needed to reach 500K DNS QPS # of servers/appliances needed to reach 1M DNS QPS BIND HW DNS Appliance 1 1 An Hardware DNS appliance can achieve over 1 M DNS QPS BIND require 13 servers to reach 500K DNS QPS and 25 servers to achieve 1M DNS QPS 37

38 DNS Challenges They had ISPs need reliable, high performance DNS servers Limited options for carrier-grade server hardware Needs field replaceable, hot swap-able PSU/Fan/HDD DNS Queries/sec performance needs to be high Avoid buying and managing large number of servers Reduce support cost Protection against network threats is a growing concern Traditional ISP DNS uses BIND software on generic servers Extensive maintenance burden Customers want to move away from software-only solutions Need high performance appliance, plus ease of management No field software installs to customer units SLA 38

39 Pytania? 39

40 Anti DoS/DDoS Techniques TCP-SYN Flood Tracks the number of SYN requests per second, if the number of SYN requests goes above a threshold the code examines the requests to see if the clients are responding with ACK's if not the clients are added to a temp gray list and any pending connections are torn down. UDP Flood If it detects that a high number of packets with a very small payload are being received from a client or pool of clients, the client I.P address will be placed on a gray list All traffic from addresses on the gray list will be dropped for 60 seconds then removed from the gray list Spoofed Source Addresses The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address to an open port as both source and destination. 40

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: p.bogaerts@f5.com Mob.: +32 473 654 689

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: p.bogaerts@f5.com Mob.: +32 473 654 689 F5 Intelligent Scale Philippe Bogaerts Senior Field Systems Engineer mailto: p.bogaerts@f5.com Mob.: +32 473 654 689 Intelligent and scalable PROTECTS web properties and brand reputation IMPROVES web application

More information

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE Your external DNS is a mission critical business resource. Without

More information

Availability Digest. www.availabilitydigest.com. @availabilitydig. Surviving DNS DDoS Attacks November 2013

Availability Digest. www.availabilitydigest.com. @availabilitydig. Surviving DNS DDoS Attacks November 2013 the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point

More information

DNS Architecture Case Study: Resiliency and Disaster Recovery

DNS Architecture Case Study: Resiliency and Disaster Recovery DNS Architecture Case Study: Resiliency and Disaster Recovery Cricket Liu VP, Architecture Infoblox Company Background Large U.S.-based company, Company Co. (company.com) Three categories of sites Headquarters

More information

DOMAIN NAME SECURITY EXTENSIONS

DOMAIN NAME SECURITY EXTENSIONS DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions

More information

DNS Best Practices. Mike Jager Network Startup Resource Center mike@nsrc.org

DNS Best Practices. Mike Jager Network Startup Resource Center mike@nsrc.org DNS Best Practices Mike Jager Network Startup Resource Center mike@nsrc.org This document is a result of work by the Network Startup Resource Center (NSRC at http://www.nsrc.org). This document may be

More information

Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application

More information

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security

More information

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE ANATOMY OF A DDOS ATTACK AGAINST THE DNS INFRASTRUCTURE The Domain Name System (DNS) is part of the functional infrastructure of the Internet and

More information

The story of dnsdist - or - Do we need a DNS Delivery Controller? http://dnsdist.org/

The story of dnsdist - or - Do we need a DNS Delivery Controller? http://dnsdist.org/ The story of dnsdist - or - Do we need a DNS Delivery Controller? http://dnsdist.org/ PowerDNS Very briefly so you know where we come from Open source nameserver, around since 2000, open source since 2002,

More information

The story of dnsdist - or - Do we need a DNS Delivery Controller? http://dnsdist.org/

The story of dnsdist - or - Do we need a DNS Delivery Controller? http://dnsdist.org/ The story of dnsdist - or - Do we need a DNS Delivery Controller? http://dnsdist.org/ PowerDNS Very briefly so you know where we come from Open source nameserver, around since 2000, open source since 2002,

More information

CloudFlare advanced DDoS protection

CloudFlare advanced DDoS protection CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008 DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008 Kim Davies Internet Assigned Numbers Authority Internet Corporation for Assigned Names & Numbers Agenda How do you

More information

DDoS Threat Report. Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter

DDoS Threat Report. Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter DDoS Threat Report Insights on Finding, Fighting, and Living with DDoS Attacks v1.1 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter DDoS in the News - 2014 DDoS Trends

More information

Top Five DNS Security Attack Risks and How to Avoid Them

Top Five DNS Security Attack Risks and How to Avoid Them WHITEPAPER Top Five DNS Security Attack Risks and How to Avoid Them How to Effectively Scale, Secure, Manage, and Protect Your DNS Table of Contents Executive Overview 2 DNS Attacks Are on the Rise 2 External

More information

Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application

More information

PowerDNS dnsdist. OX Summit 2015 All presentations will be on: https://www.powerdns.com/oxsummit

PowerDNS dnsdist. OX Summit 2015 All presentations will be on: https://www.powerdns.com/oxsummit PowerDNS dnsdist OX Summit 2015 All presentations will be on: https://www.powerdns.com/oxsummit Dnsdist "dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its goal in life is to route traffic

More information

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS : DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s

More information

1 2013 Infoblox Inc. All Rights Reserved. Securing the critical service - DNS

1 2013 Infoblox Inc. All Rights Reserved. Securing the critical service - DNS 1 2013 Infoblox Inc. All Rights Reserved. Securing the critical service - DNS Dominic Stahl Systems Engineer Central Europe 11.3.2014 Agenda Preface Advanced DNS Protection DDOS DNS Firewall dynamic Blacklisting

More information

Acquia Cloud Edge Protect Powered by CloudFlare

Acquia Cloud Edge Protect Powered by CloudFlare Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....

More information

Dateless and DNS Desperate! Stateless. Geoff Huston APNIC

Dateless and DNS Desperate! Stateless. Geoff Huston APNIC Dateless and DNS Desperate! Stateless Geoff Huston APNIC Can I do both at once? This is definitely a Bad Idea with that intriguing possibility that it just might be made to work making it a Useless Tool

More information

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and

More information

Technical Series. A Prolexic White Paper. Firewalls: Limitations When Applied to DDoS Protection

Technical Series. A Prolexic White Paper. Firewalls: Limitations When Applied to DDoS Protection A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial

More information

Content Distribution Networks (CDNs)

Content Distribution Networks (CDNs) 229 Content Distribution Networks (CDNs) A content distribution network can be viewed as a global web replication. main idea: each replica is located in a different geographic area, rather then in the

More information

Blocking DNS Messages is Dangerous

Blocking DNS Messages is Dangerous Blocking DNS Messages is Dangerous Florian Maury, Mathieu Feuillet October 5-6, 2013 F Maury, M Feuillet Blocking DNS Messages is Dangerous October 5-6, 2013 1/25 ANSSI Created in 2009, the ANSSI is the

More information

TDC s perspective on DDoS threats

TDC s perspective on DDoS threats TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)

More information

DNS Security: New Threats, Immediate Responses, Long Term Outlook. 2007 2008 Infoblox Inc. All Rights Reserved.

DNS Security: New Threats, Immediate Responses, Long Term Outlook. 2007 2008 Infoblox Inc. All Rights Reserved. DNS Security: New Threats, Immediate Responses, Long Term Outlook 2007 2008 Infoblox Inc. All Rights Reserved. A Brief History of the Recent DNS Vulnerability Kaminsky briefs key stakeholders (CERT, ISC,

More information

WHITEPAPER. Defeating DoS/DDoS Attacks in Real Time

WHITEPAPER. Defeating DoS/DDoS Attacks in Real Time WHITEPAPER Defeating DoS/DDoS Attacks in Real Time Abstract The vulnerability of DNS servers to DoS/DDoS attacks at communications service providers is real and growing at an astounding rate, placing their

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

DNS Amplification Are YOU Part of the Problem?

DNS Amplification Are YOU Part of the Problem? DNS Amplification Are YOU Part of the Problem? (RIPE66 Dublin, Ireland - May 13, 2013) Merike Kaeo Security Evangelist, Internet Identity merike@internetidentity.com INTRO Statistics on DNS Amplification

More information

Securing an Internet Name Server

Securing an Internet Name Server Securing an Internet Name Server Cricket Liu cricket@verisign.com Securing an Internet Name Server Name servers exposed to the Internet are subject to a wide variety of attacks: Attacks against the name

More information

Use Domain Name System and IP Version 6

Use Domain Name System and IP Version 6 Use Domain Name System and IP Version 6 What You Will Learn The introduction of IP Version 6 (IPv6) into an enterprise environment requires some changes both in the provisioned Domain Name System (DNS)

More information

Application Firewalls

Application Firewalls Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Application Distributed

More information

Global Service Loadbalancing & DNSSEC. Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC

Global Service Loadbalancing & DNSSEC. Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC Global Service Loadbalancing & DNSSEC Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC F5 s Integrated Solution Users The F5 Solution Applications Mobile Phone PDA Laptop Desktop Application

More information

dnsperf DNS Performance Tool Manual

dnsperf DNS Performance Tool Manual dnsperf DNS Performance Tool Manual Version 2.0.0 Date February 14, 2012 Copyright 2002-2012, Inc. - All Rights Reserved This software and documentation is subject to and made available pursuant to the

More information

TECHNICAL WHITE PAPER. Infoblox and the Relationship between DNS and Active Directory

TECHNICAL WHITE PAPER. Infoblox and the Relationship between DNS and Active Directory TECHNICAL WHITE PAPER Infoblox and the Relationship between DNS and Active Directory Infoblox DNS in a Microsoft Environment Infoblox is the first, and currently only, DNS/DHCP/IP address management (DDI)

More information

FortiBalancer: Global Server Load Balancing WHITE PAPER

FortiBalancer: Global Server Load Balancing WHITE PAPER FortiBalancer: Global Server Load Balancing WHITE PAPER FORTINET FortiBalancer: Global Server Load Balancing PAGE 2 Introduction Scalability, high availability and performance are critical to the success

More information

CSE 473 Introduction to Computer Networks. Exam 2 Solutions. Your name: 10/31/2013

CSE 473 Introduction to Computer Networks. Exam 2 Solutions. Your name: 10/31/2013 CSE 473 Introduction to Computer Networks Jon Turner Exam Solutions Your name: 0/3/03. (0 points). Consider a circular DHT with 7 nodes numbered 0,,...,6, where the nodes cache key-values pairs for 60

More information

PowerDNS dnsdist. NLUUG Najaarsconferentie 2015. Presentation is on: https://www.powerdns.com/nluug. http://dnsdist.org/

PowerDNS dnsdist. NLUUG Najaarsconferentie 2015. Presentation is on: https://www.powerdns.com/nluug. http://dnsdist.org/ PowerDNS dnsdist NLUUG Najaarsconferentie 2015 Presentation is on: https://www.powerdns.com/nluug http://dnsdist.org/ bert.hubert@powerdns.com / @powerdns_bert Outline PowerDNS/Open-Xchange/Dovecot/Bert

More information

Carrier/WAN SDN Brocade Flow Optimizer Making SDN Consumable

Carrier/WAN SDN Brocade Flow Optimizer Making SDN Consumable Brocade Flow Optimizer Making SDN Consumable Business And IT Are Changing Like Never Before Changes in Application Type, Delivery and Consumption Public/Hybrid Cloud SaaS/PaaS Storage Users/ Machines Device

More information

Scale your DNS Infrastructure Ensure App and Service Availability. Nigel Ashworth Solution Architect EMEA n.ashworth@f5.com +44 77 88 436 325

Scale your DNS Infrastructure Ensure App and Service Availability. Nigel Ashworth Solution Architect EMEA n.ashworth@f5.com +44 77 88 436 325 Scale your DNS Infrastructure Ensure App and Service Availability Nigel Ashworth Solution Architect EMEA n.ashworth@f5.com +44 77 88 436 325 Agenda DNS and F5 Use Cases - The top four Firewall for DNS

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008 2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names & Numbers How does the DNS work? A typical DNS query The

More information

F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution

F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution As market leaders in the application delivery market and DNS, DHCP, and IP Address Management (DDI) market

More information

Introduction to Network. Topics

Introduction to Network. Topics Introduction to Security Chapter 3 The Internet 1 Topics The Internet Addressing Client Routing 2 The Internet User s View Internet 3 National, International, and large regionalisps ISP ISP ISP The Internet

More information

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding? Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

More information

Building Nameserver Clusters with Free Software

Building Nameserver Clusters with Free Software Building Nameserver Clusters with Free Software Joe Abley, ISC NANOG 34 Seattle, WA, USA Starting Point Discrete, single-host authoritative nameservers several (two or more) several (two or more) geographically

More information

The secret life of a DNS query. Igor Sviridov 20120522

The secret life of a DNS query. Igor Sviridov <sia@nest.org> 20120522 The secret life of a DNS query Igor Sviridov 20120522 Preface Nowadays, when we type URL (or is it a search string? ;-) into a browser (or mobile device) many things happen. While most of

More information

Security of IPv6 and DNSSEC for penetration testers

Security of IPv6 and DNSSEC for penetration testers Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions

More information

Securing External Name Servers

Securing External Name Servers WHITEPAPER Securing External s Cricket Liu, Vice President of Architecture This white paper discusses the critical nature of external name servers and examines the practice of using common makes of name

More information

1 2014 2013 Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security

1 2014 2013 Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security 1 2014 2013 Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security Agenda Increasing DNS availability using DNS Anycast Opening the internal DNS Enhancing DNS security DNS traffic

More information

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015) s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware

More information

Enterprise Buyer Guide

Enterprise Buyer Guide Enterprise Buyer Guide Umbrella s Secure Cloud Gateway vs. Web Proxies or Firewall Filters Evaluating usability, performance and efficacy to ensure that IT teams and end users will be happy. Lightweight

More information

IPV6 SERVICES DEPLOYMENT

IPV6 SERVICES DEPLOYMENT IPV6 SERVICES DEPLOYMENT LINX IPv6 Technical Workshop - March 2009 Jaco Engelbrecht Group Platforms Manager, clara.net DNS root zone goes AAAA! On 4 th February 2008 IANA added AAAA records for the A,

More information

Are You Fully Prepared to Withstand DNS Attacks?

Are You Fully Prepared to Withstand DNS Attacks? WHITEPAPER Are You Fully Prepared to Withstand DNS Attacks? Fortifying Mission-Critical DNS Infrastructure Are You Fully Prepared to Withstand DNS Attacks? Fortifying Mission-Critical DNS Infrastructure

More information

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager DEPLOYMENT GUIDE Version 1.1 DNS Traffic Management using the BIG-IP Local Traffic Manager Table of Contents Table of Contents Introducing DNS server traffic management with the BIG-IP LTM Prerequisites

More information

DDoS attacks on electronic payment systems. Sean Rijs and Joris Claassen Supervisor: Stefan Dusée

DDoS attacks on electronic payment systems. Sean Rijs and Joris Claassen Supervisor: Stefan Dusée DDoS attacks on electronic payment systems Sean Rijs and Joris Claassen Supervisor: Stefan Dusée Scope High volume DDoS attacks Electronic payment systems Low bandwidth requirements: 5 from account X to

More information

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013 Akamai CDN, IPv6 and DNS security Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013 Agenda Akamai Introduction Who s Akamai? Intelligent Platform & Traffic Snapshot Basic Technology Akamai

More information

Huawei Traffic Cleaning Solution

Huawei Traffic Cleaning Solution Huawei Traffic Cleaning Solution Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written

More information

Proxy Server, Network Address Translator, Firewall. Proxy Server

Proxy Server, Network Address Translator, Firewall. Proxy Server Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as

More information

CS 356 Lecture 16 Denial of Service. Spring 2013

CS 356 Lecture 16 Denial of Service. Spring 2013 CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

More information

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Protect your network: planning for (DDoS), Distributed Denial of Service attacks Protect your network: planning for (DDoS), Distributed Denial of Service attacks Nov 19, 2015 2015 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product

More information

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep) 5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep) survey says: There are things that go bump in the night, and things that go bump against your DNS security. You probably know

More information

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall. Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and

More information

CSE 127: Computer Security. Network Security. Kirill Levchenko

CSE 127: Computer Security. Network Security. Kirill Levchenko CSE 127: Computer Security Network Security Kirill Levchenko December 4, 2014 Network Security Original TCP/IP design: Trusted network and hosts Hosts and networks administered by mutually trusted parties

More information

Seminar Computer Security

Seminar Computer Security Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example

More information

Combating DoS/DDoS Attacks Using Cyberoam

Combating DoS/DDoS Attacks Using Cyberoam White paper Combating DoS/DDoS Attacks Using Cyberoam Eliminating the DDoS Threat by Discouraging the Spread of Botnets www.cyberoam.com Introduction Denial of Service (DoS) and Distributed Denial of Service

More information

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a "traditional" NAT? Un article de Le wiki des TPs RSM.

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a traditional NAT? Un article de Le wiki des TPs RSM. Load Balancing Un article de Le wiki des TPs RSM. PC Final Network Exam Sommaire 1 LSNAT 1.1 Deployement of LSNAT in a globally unique address space (LS-NAT) 1.2 Operation of LSNAT in conjunction with

More information

WAN Traffic Management with PowerLink Pro100

WAN Traffic Management with PowerLink Pro100 Whitepaper WAN Traffic Management with PowerLink Pro100 Overview In today s Internet marketplace, optimizing online presence is crucial for business success. Wan/ISP link failover and traffic management

More information

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS Eric Vyncke (@evyncke) Cisco Session ID: ARCH W01 Session Classification: Advanced Agenda Status of WorldWide IPv6 Deployment IPv6 refresher:

More information

This Lecture. The Internet and Sockets. The Start 1969. If everyone just sends a small packet of data, they can all use the line at the same.

This Lecture. The Internet and Sockets. The Start 1969. If everyone just sends a small packet of data, they can all use the line at the same. This Lecture The Internet and Sockets Computer Security Tom Chothia How the Internet works. Some History TCP/IP Some useful network tools: Nmap, WireShark Some common attacks: The attacker controls the

More information

DNS and IPv6 (and some IPv4 depletion statistics) Stephan Lagerholm, Senior DNS Architect Secure64 Software Corp.

DNS and IPv6 (and some IPv4 depletion statistics) Stephan Lagerholm, Senior DNS Architect Secure64 Software Corp. DNS and IPv6 (and some IPv4 depletion statistics) Stephan Lagerholm, Senior DNS Architect Secure64 Software Corp. Secure64 Software Corporation Privately funded, Colorado-based corporation, founded in

More information

Final Network Exam 01-02

Final Network Exam 01-02 1 ENSTB ITAM Final Network Exam 01-02 This exam is focused on Load balancing mechanisms. First part is related to "RFC 2391 : Load Sharing using IP Network Address Translation (LSNAT)" that was previously

More information

2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative

2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative 2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321 N. Clark Street, Suite 2800, Chicago,

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl http://www.nlnetlabs.nl/ 28 Feb 2013 Stichting NLnet Labs

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl http://www.nlnetlabs.nl/ 28 Feb 2013 Stichting NLnet Labs page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl page 2 One slide DNS Root www.nlnetlabs.nl A Referral: nl NS www.nlnetlabs.nl A 213.154.224.1 www.nlnetlabs.nl A www.nlnetlabs.nl A 213.154.224.1

More information

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Ahmad Almulhem March 10, 2012 Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2

More information

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer 2012 Infrastructure Security Report 8th Annual Edition Kleber Carriello Consulting Engineer Key Findings in the Survey* Advanced Persistent Threats (APT) a top concern for service providers and enterprises

More information

How do I get to www.randomsite.com?

How do I get to www.randomsite.com? Networking Primer* *caveat: this is just a brief and incomplete introduction to networking to help students without a networking background learn Network Security. How do I get to www.randomsite.com? Local

More information

Avaya P333R-LB. Load Balancing Stackable Switch. Load Balancing Application Guide

Avaya P333R-LB. Load Balancing Stackable Switch. Load Balancing Application Guide Load Balancing Stackable Switch Load Balancing Application Guide May 2001 Table of Contents: Section 1: Introduction Section 2: Application 1 Server Load Balancing Section 3: Application 2 Firewall Load

More information

Global Server Load Balancing

Global Server Load Balancing White Paper Overview Many enterprises attempt to scale Web and network capacity by deploying additional servers and increased infrastructure at a single location, but centralized architectures are subject

More information

EECS 489 Winter 2010 Midterm Exam

EECS 489 Winter 2010 Midterm Exam EECS 489 Winter 2010 Midterm Exam Name: This is an open-book, open-resources exam. Explain or show your work for each question. Your grade will be severely deducted if you don t show your work, even if

More information

Application centric Datacenter Management. Ralf Brünig, F5 Networks GmbH Field Systems Engineer March 2014

Application centric Datacenter Management. Ralf Brünig, F5 Networks GmbH Field Systems Engineer March 2014 Application centric Datacenter Management Ralf Brünig, F5 Networks GmbH Field Systems Engineer March 2014 Index Application Deliver Controller (ADC) Proxy ADC Advanced Feature Application Management Optional:

More information

Web Drive Limited TERMS AND CONDITIONS FOR THE SUPPLY OF SERVER HOSTING

Web Drive Limited TERMS AND CONDITIONS FOR THE SUPPLY OF SERVER HOSTING Web Drive Limited TERMS AND CONDITIONS FOR THE SUPPLY OF SERVER HOSTING Application of Terms Agreement to these terms requires agreement to Web Drive s Standard Terms & Conditions located online at the

More information

Predictability of Windows DNS resolver. ing. Roberto Larcher - http://webteca.altervista.org - robertolarcher@hotmail.com

Predictability of Windows DNS resolver. ing. Roberto Larcher - http://webteca.altervista.org - robertolarcher@hotmail.com Predictability of Windows DNS resolver ing. Roberto Larcher - http://webteca.altervista.org - robertolarcher@hotmail.com rev. 1 - March 11, 2004 Abstract The main DNS security issues have very often focused

More information

DDoS attacks in CESNET2

DDoS attacks in CESNET2 DDoS attacks in CESNET2 Ondřej Caletka 15th March 2016 Ondřej Caletka (CESNET) DDoS attacks in CESNET2 15th March 2016 1 / 22 About CESNET association of legal entities, est. 1996 public and state universities

More information

CLE202 Introduction to ServerIron ADX Application Switching and Load Balancing

CLE202 Introduction to ServerIron ADX Application Switching and Load Balancing Introduction to ServerIron ADX Application Switching and Load Balancing Student Guide Revision : Introduction to ServerIron ADX Application Switching and Load Balancing Corporate Headquarters - San

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Vulnerability Analysis 1 Roadmap Why vulnerability analysis? Example: TCP/IP related vulnerabilities

More information

Project 4: (E)DoS Attacks

Project 4: (E)DoS Attacks Project4 EDoS Instructions 1 Project 4: (E)DoS Attacks Secure Systems and Applications 2009 Ben Smeets (C) Dept. of Electrical and Information Technology, Lund University, Sweden Introduction A particular

More information

DNS ROUND ROBIN HIGH-AVAILABILITY LOAD SHARING

DNS ROUND ROBIN HIGH-AVAILABILITY LOAD SHARING PolyServe High-Availability Server Clustering for E-Business 918 Parker Street Berkeley, California 94710 (510) 665-2929 wwwpolyservecom Number 990903 WHITE PAPER DNS ROUND ROBIN HIGH-AVAILABILITY LOAD

More information

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad

More information

TCP Session Load-balancing in Active-Active HA Cluster

TCP Session Load-balancing in Active-Active HA Cluster TCP Session Load-balancing in Active-Active HA Cluster Nishit Shah Jimit Mahadevia Agenda Defining Active-Active HA Cluster Packet Flow Load-Balancing ARP Problem To Do Questions/Discussion Credits Thank

More information

How Cisco IT Protects Against Distributed Denial of Service Attacks

How Cisco IT Protects Against Distributed Denial of Service Attacks How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN

More information

Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

VLAN und MPLS, Firewall und NAT,

VLAN und MPLS, Firewall und NAT, Internet-Technologien (CS262) VLAN und MPLS, Firewall und NAT, 15.4.2015 Christian Tschudin Departement Mathematik und Informatik, Universität Basel 6-1 Wiederholung Unterschied CSMA/CD und CSMA/CA? Was

More information

Proxy Server, Network Address Translator, Firewall

Proxy Server, Network Address Translator, Firewall For Summer Training on Computer Networking visit Proxy Server, Network Address Translator, Firewall Prepared by : Swapan Purkait Director Nettech Private Limited swapan@nettech.in + 91 93315 90003 Proxy

More information

Defending your DNS in a post-kaminsky world. Paul Wouters

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com> Defending your DNS in a post-kaminsky world Paul Wouters Overview History of DNS and the Kaminsky attack Various DNS problems explained Where to address the DNS problem Nameservers,

More information