Protecting DNS Infrastructure

Transcription

1 INFONETICS RESEARCH WHITE PAPER Protecting DNS Infrastructure An Internet Utility that Demands New Security Solutions November Campbell Technology Parkway Suite 200 Campbell California t f Silicon Valley, CA Boston, MA London, UK

2 Table of Contents DNS IS A MASSIVE PUBLIC UTILITY 1 EXPLORATION OF ATTACK TYPES 2 WHAT SECURITY SOLUTIONS ARE AVAILABLE TODAY? 3 VISIBILITY AND CORRELATION ARE A GOOD STARTING POINT 4 THE NEED FOR DEDICATED DNS SECURITY SOLUTIONS 6 WHITE PAPER AUTHOR 7 ABOUT INFONETICS RESEARCH 7 REPORT REPRINTS AND CUSTOM RESEARCH 7 List of Exhibits Exhibit 1 DNS Infrastructure Supports the Entire Internet 1 Exhibit 2 DNS Threat Landscape 2 Exhibit 3 Discovery Timeline for Cyber-Espionage 5 Protecting DNS Infrastructure: An Internet Utility that Demands new Security Solutions

3 DNS IS A MASSIVE PUBLIC UTILITY The DNS (Domain Name System) is the largest distributed database in the world, and every single device and application connected to the Internet is a DNS client. The original DNS was developed in the early 1970s to support communication on the ARPANET; internet pioneers figured out very quickly that alphabetic host names were much more useful (and much easier to remember) than long numeric addresses. In March 1974, it was declared that the Stanford Research Institute Network Information Center would be the official source of the master host file, and this worked well (more or less) for about a decade. By the early 80s, it became clear that the centralized system couldn t meet the dynamic scale requirements of the emerging Internet, and the true father of our modern distributed DNS was hatched in DNS infrastructure has grown and evolved significantly in the last 20 years, and as the chart below shows, today there are nearly 1 billion hostnames managed by the DNS, and nearly a quarter of a billion active websites. On the client side, the emergence of smartphones, tablets, and the ecosystem of the Internet of Things adds hundreds of millions (eventually billions) of new DNS clients hungrily looking 24/7 to connect to hosts. The scale of DNS infrastructure is almost unimaginable, but as users of the Internet, we have one basic expectation: DNS simply must work. The Internet is the application, data store, and service, and DNS is our only navigation system, so DNS problems have massive ramifications. Exhibit 1 DNS Infrastructure Supports the Entire Internet Source: Netcraft 1

4 In parallel to the development of the Internet and DNS infrastructure, we ve seen the development of a wide range of threats aimed at every device with an Internet connection. Buried in news about viruses and worms, massive data breaches, and a never-ending flood of DDoS attacks, there has been a quiet but consistent flow of attacks aimed at DNS infrastructure. It s not at all surprising that DNS would be a target; it s pervasive, it a key to the basic function of the Internet, and it was developed over 20 years ago with very little thought about security and then constantly retrofitted it s highly vulnerable to attack. EXPLORATION OF ATTACK TYPES There are different ways to look at the variety of attacks we see aimed at DNS, but for our purposes we ll group them based on where they fit in the collective consciousness of IT. Exhibit 2 DNS Threat Landscape Traditional Threats Cache poisoning TCP/UDP/ICMP floods Protocol Anomalies Top-of-Mind DDoS: reflection and amplification Hijacking What's Next? Tunneling Exfiltration Traditional threats are well-known; they ve been used in the past, and will be used in the future, either as standalone attacks or as vectors in blended threats, but on the whole the industry has a good handle on what to do about these attacks. Cache-poisoning, for example, is the primary focus of the DNSSEC effort, launched after the 2008 discovery of the Kaminsky bug that opened the industry s eyes to the possibilities of DNS cache poisoning. Also in 2008, the b-variant of the Conficker worm exploited DNS vulnerabilities as a self-defense mechanism. 2

5 The second attack group is top-of-mind; these attacks have received major coverage in the last year or so. The most obvious examples of top-of-mind attacks are the record-breaking 300G DNS amplification DDoS attack that hit Spamhaus in 2013, the Syrian Electronic Army s hijacking of twitter and the New York Times, and the ongoing hijacking attacks in Brazil, rewriting DNS settings on home routers and stealing banking credentials. The final group of attacks are the what s next? category. They re not pervasive today, but are happening, and they represent a shift in focus from exploiting vulnerabilities in protocols and infrastructure to actually tampering with the content of DNS traffic. In all areas of internet security, hackers eventually move up the stack into content, and content-based attacks are typically the most difficult to identify and stop. Tunneling involves converting TCIP/IP payloads into DNS traffic by a client/app, and then that traffic is sent over mobile networks. DNS traffic is rarely blocked or billed, so attackers can use tunneling to gain internet access without paying in WiFi and mobile environments. Exfiltration is the next logical step after tunneling; if TCP/IP content can be converted to DNS and then freely tunneled (never blocked, never inspected), DNS becomes a path for sneaking data out of a compromised environment. Looking at these attacks together, we see incredibly variety; some attacks take advantage of weaknesses in infrastructure, others attack features of the protocol itself, and the newest threats focus on the actual content of DNS traffic. Hackers can pick and choose what they want to exploit, and use DNS to launch large-scale, infrastructure-crippling attacks and to commit targeted data theft. WHAT SECURITY SOLUTIONS ARE AVAILABLE TODAY? There are security solutions for DNS available today, and the protection they provide is very much linked to the pedigree of the solution provider: Traditional network security platforms like firewalls, IPS, DDoS mitigation DNS resolver/authentication server infrastructure SIEM platforms and offline analysis tools Traditional network security platforms handle much of the heavy security lifting for a wide range of protocols, services, and applications, including DNS. In many cases though, they don t have the depth of protection required to cover all types of DNS threats, and they often lack the performance required to stop the largest DNS attacks (like the 300G Spamhaus DDoS attack). On the good side, they operate in-line, so they re in a position to block DNS attacks when correctly identified. However, dealing with a massive DNS event could affect their performance providing security for other attacks. These devices also lack context for domain behavior, usually with no access to historical information on domains and limited ability to do sophisticated layer-7 analysis for DNS. Most enterprises have firewalls, and may have IPS and DDoS mitigation solutions in place, and should investigate exactly what capability their existing devices have when it comes to DNS security. 3

6 Many vendors building and selling DNS resolver/authentication server infrastructure have built security tools into their resolver/authentication platforms, or are building specialized security tools to go alongside their resolver/authentication solutions. These vendors have deep experience in DNS but often no experience dealing with threats. Their platforms are defined to handle DNS requests very quickly, and will need to be re-architected to meet the additional performance demands of processing security data from Layer 3 up. To provide real-time protection from threats at all layers, DNS vendors will need to build in-house security expertise (or acquire it), which is costly and potentially expensive. In the meantime they typically consume third-party threat feeds to inform their security functionality, because they re not doing their own threat research. These vendors can add DNS security functionality into existing DNS platforms that customers have already invested in, and they can achieve very tight integration between the DNS resolver/authoritative infrastructure and the security solution. That very integration can lead to trouble though, as it may require a forklift upgrade to a new DNS infrastructure solution just to add security controls, and adding security could degrade overall DNS performance (particularly during attacks). SIEM and other offline analysis and correlation tools can provide many of the visibility and analysis capabilities required to provide a layer of DNS security, but they were never designed to be in-line, so they can t prevent or mitigate threats as they occur; rather they require trained analysts and lots of manual labor (or custom development) to build any kind of automated (or even just faster) response to DNS threat events. Like the network security platform vendors, DNS is just one of many protocols that SIEM and offline analysis solutions are dealing with, so the depth of information they can deliver for DNS security is really directly related to the amount of effort the customer puts into tuning the SIEM for DNS security. Many large customers have SIEM in place though, and as with their network security solutions and they should investigate their SIEM to see what specific protection for DNS it can provide. In all three cases, the solutions only cover a portion of the problem, and to be most effective would need to be tied together by some sort of management or orchestration solution to ensure the fastest response to attacks as they happen. VISIBILITY AND CORRELATION ARE A GOOD STARTING POINT Clearly, a utility protocol that provides basic functionality on the internet requires a different level of protection than many other protocols. For most enterprises and service providers having protection spread across disparate solutions handing different aspects of problem yields mediocre results. A great starting point for improving DNS security posture is to first have visibility into DNS infrastructure, and to continuously monitor DNS. If sophisticated content-based attacks like tunneling and exfiltration are the future, it s likely that they ll be used for a wide range of data theft attacks. Cyber-espionage is always an exciting topic; often the most sophisticated attacks are used to spy on entities and steal critical private information. In the 2014 Verizon Data Breach Investigations report, when looking to counter cyber-espionage attacks, Verizon found that in a typical cyberespionage event it was months before the threat was discovered. 4

7 Exhibit 3 Discovery Timeline for Cyber-Espionage Seconds 0% Minutes 0% Hours 9% Days 8% Weeks 16% Months 62% Years 5% Source: 2014 Verizon Data Breach Incident Report Regarding protecting yourself from these attacks, Verizon had this to say: Monitor and filter outbound traffic for suspicious connections and potential exfiltration of data to remote hosts. In order to recognize abnormal, you ll need to establish a good baseline of what normal looks like Monitor your DNS connection, among the single best sources of data within your organization. Compare these to your threat intelligence, and mine this data often. So visibility and monitoring is first, but the second statement is almost as important; compare DNS data to threat intelligence, and mine this new data. For many organizations, this is a manual process because there s no automated link between the tools that provide visibility into DNS traffic and events, and the security monitoring, enforcement, and threat research infrastructure. It s not just espionage attacks that have a long time to discovery and recovery; it s all types of attacks. The value of data leaked over months using DNS tunneling and exfiltration would be different for every event. DDoS attacks can take hours to mitigate even with a solutions in place, and can cost hundreds-of-thousands of dollars per hour, and services outages due to failures in the DNS infrastructure can affect huge groups of users causing massive frustration and lost productivity. 5

8 THE NEED FOR DEDICATED DNS SECURITY SOLUTIONS Given the critical nature of DNS infrastructure, its ubiquity and scale, and the laundry list of DNS vulnerabilities, it seems clear that visibility and protection for DNS should be consolidated into a dedicated platform. Managing multiple systems, some of which were never designed for security, others never designed to be in-line, and the rest handling DNS and a variety of other protocols, leaves too much room for procedural error--thus increasing the time it takes to identify an attack and restore service. If we ve learned anything from watching attacks on most protocols and services running on the internet, we know that DNS attacks will become more complex, will be used in conjunction with other attacks, and hackers will be ever-more persistent. If visibility and protection and protection aren t unified, connected to real-time threat intelligence, and put in-line so that some attacks can be blocked, it will be very difficult to stay ahead of the hackers. We believe companies looking at the next generation of DNS security platforms should look for platforms that: Focus specifically on DNS security, and do not mix DNS security with other security functions, or other DNS performance/management functions, because of the potential for performance impact during threat events Have access to dedicated threat research; the company that builds your DNS security platform should have-in house threat research capability as well as the ability to integrate external feeds Are massively scalable so they can handle huge increases the number of hosts, clients, and threat events Can provide protection from the full range of DNS threats: from localized hijacking and tunneling/exfiltration events to massive DDoS attacks 6

9 WHITE PAPER AUTHOR Jeff Wilson Principal Analyst, Security Infonetics Research Commissioned by Cloudmark to educate the industry about new DNS threats and the need for DNS security solutions, this paper was written autonomously by analyst Jeff Wilson based on Infonetics independent research. ABOUT INFONETICS RESEARCH Infonetics Research is an international market research and consulting analyst firm serving the communications industry since A leader in defining and tracking emerging and established technologies in all world regions, Infonetics helps clients plan, strategize, and compete more effectively. REPORT REPRINTS AND CUSTOM RESEARCH To learn about distributing excerpts from Infonetics reports or custom research, please contact: North America (West) and Asia Pacific Larry Howard, Vice President, larry@infonetics.com, North America (East, Midwest, Texas), Latin America, and EMEA Scott Coyne, Senior Account Director, scott@infonetics.com, Greater China, Southeast Asia, and India 大 中 华 区 及 东 南 亚 地 区 Jeffrey Song, Market Analyst 市 场 分 析 师 及 客 户 经 理 jeffrey@infonetics.com,