DDoS Defenders: Don't Take DNS for Granted A Seven-step Plan for Ensuring DNS Defenses in Service Provider Networks

Transcription

1 WHITE PAPER DDoS Defenders: Don't Take DNS for Granted A Seven-step Plan for Ensuring DNS Defenses in Service Provider Networks Rev. A, February 2014

2 2

3 Table of Contents Introduction... 4 Part I: Why is DDoS Targeting DNS?... 5 How DNS Works... 7 Attacks Growing More Complex and Diversified... 8 Part II: What Can be Done to Defend the DNS?... 8 Components of Essential DNS Testing... 9 Part III: Putting DNS Defenses to the Test: A Proven Test Topology...10 When to Run Tests...10 DNS Defense Testing Topologies...10 The 7-Step Test Methodology Part IV: About Two Leading Solutions...13 Conclusion

4 Introduction In most network infrastructures, the squeaky wheel gets the grease while reliable elements that appear to be working fine may not always get much attention, until they stop working. DNS (Domain Name System) servers, for example, have been deployed in service provider networks for some twenty-five years, doing what they re expected to do. In recent years, however, DNS has started to make some noise as the complexities of network performance, security, and scalability have all skyrocketed. The explosive growth of mobile devices and applications has given rise to unprecedented volumes of DNS traffic, causing exponentially more servers to be deployed. Surges in traffic can cause these servers to become overwhelmed more easily, resulting in error messages and actual failures both of which can prompt demanding subscribers to switch providers. The openness and global reach of DNS makes it the perfect target for DDoS and other sophisticated attacks. Of equal concern is the growing link between DNS and network security. The openness and global reach of DNS makes it the perfect target for Distributed Denial of Service (DDoS) and other sophisticated attacks. Front-page campaigns such as the Spamhaus attack (one of the largest publicly announced DDoS attacks in history) exploit potential vulnerabilities by bombarding servers with queries that ultimately overwhelm DNS services. DNS is the #2 Attack Vector Protocol HTTP 87% DNS SMTP HTTPS SIP/VOIP IRC Other 7% 11% 19% 25% 24% 67% 0% 20% 40% 60% 80% 100% Source: Arbor Networks Reacting after the fact can have costly consequences such as revenue loss, dissatisfied customers, and a negative impact on brand reputation. Nor does the traditional solution throwing more server capacity at the problem suffice as this approach fails to scale, contributes to poor performance, and can even introduce new points of vulnerability. Going forward, service providers and enterprises alike must adopt comprehensive, proactive strategies for evaluating the performance, scalability, and robustness of a DNS server s security capabilities. Within certification labs, more attention must be placed on modeling real-world scenarios, recreating field issues, and simulating security threats to assess and optimize performance over time. 4

5 Part I: Why is DDoS Targeting DNS? Many research studies have explored the impact of unforeseen downtime on businesses, and it isn t pretty. One study by Ponemon Institute estimates the average revenue impact for a single hour of downtime as nearly $80,000 per hour. 1 For DDoS attacks, we can multiply this by 38, the average attack duration. 2 The number then becomes a staggering $2,990,000+. At this rate, recovering even 1 minute earlier from an outage would save a company more than $1,300. For more than a decade, DDoS and other cyber-attacks have been growing rapidly, causing disruption wherever they strike. In service provider networks, exploits have gradually migrated toward a soft target the Domain Name System. Why is DNS an Ideal Attack Target? DNS is the cornerstone of the Internet, used by every business, government, and service provider ://DNS DNS protocol is stateless and hence vulnerable DNS as a protocol is easy to exploit ISPs, mobile operators, and cloud providers all rely heavily on DNS, partly as an essential connectivity component, and partly as a service they offer customers, implicitly or explicitly. Along with preserving their own reputations, it s crucial that service providers protect this vital asset for the sake of subscribers who rely on stable, always-on Internet connectivity. Along with preserving their own reputations, it's crucial that service providers protect vital DNS assets for the sake of subscribers relying on stable, always-on Internet connectivity. 1 Emerson Network Power, "Understanding the Cost of Data Center Downtime," Prolexic Q Global DDoS Attack Report 5

6 6

7 How DNS Works DNS is the means by which computers find vital addressing information for all kinds of IP-based communications over the public Internet. In its simplest form, DNS is the Internet phone book translating a name (such as ) into an IP address. The definitive source of this addressing information is the authoritative DNS server for a given URL. When a user attempts to reach that URL, his or her computer sends a DNS request to a local DNS server. The server may have the IP addresses of common domains already stored in its cache, or it may need to locate the IP address through a process known as recursion, using a DNS query across the Internet to locate the authoritative server for that domain. The DNS response from that server contains the IP address for the domain or URL in question. DNS represents a critical element of all data center services if DNS fails, IP connectivity across the Internet fails. With the rapid growth in Internet traffic, DNS traffic volumes have risen exponentially in recent years, placing significant strain on ISP resources. DNS, originally a low-volume source of traffic, has now become a high-profile element within the Internet infrastructure. Why It's Vulnerable DNS traffic is always allowed to pass through firewalls via port 53. This has not escaped the attention of criminal elements who increasingly are exploiting the lack of defenses for DNS infrastructure. Beyond simple and sophisticated denial of service attacks that use techniques such as reflection and amplification, various additional exploits also target DNS, including cache poisoning attacks and DNS tunneling, which can lead to data theft and revenue loss for carriers. DNS traffic is always allowed to pass through firewalls via port 53. This has not escaped the attention of criminal elements. Two critical areas that require protection inside a service provider network are: DNS caching servers Authoritative DNS servers The DNS caching layer holds cached query responses for commonly accessed websites and other URLs, all of which are critical to ensuring a smooth Internet connectivity experience among customers. This layer proves vital to establishing a rapid response to DNS queries, and in turn acceptable response times. Authoritative DNS servers reside in various locations within the provider s network. These servers provide authoritative responses to DNS queries and connectivity requests from the operator s subscriber base. Authoritative DNS servers enable the web presence, e-commerce functions, and location of multiple network components for IP connectivity, including roaming and gateway location in operator networks. 7

8 Attacks Growing More Complex and Diversified Today s DDoS attackers are extremely creative, with powerful tools at their disposal and time on their side. Volumetric threats continue to grow more complex and coordinated in nature, targeting multiple points in the DNS process. DDoS Attacks Diversifying DNS reflection/ddos attacks DNS amplification DNS-based exploits TCP/UDP/ICMP floods DNS cache poisoning Protocol anomalies DNS tunneling Use third-party DNS servers (open resolvers) to propagate DDoS attacks Use specially-crafted queries to create an amplified response to flood the victim with traffic Exploit vulnerabilities in the DNS software Bring networks or services down by flooding them with large amounts of traffic; leads to denial of service on layer 3/4 Corrupt the DNS cache data with a rogue IP address Send malformed packets and queries that cause services to crash Achieve data exfiltration by tunneling another protocol through DNS To stay a step ahead and avoid costly incidents, providers can follow evolving best practices for assessing and bolstering DNS defenses. To stay a step ahead and avoid costly incidents, providers can follow evolving best practices for assessing and bolstering their defenses. Part II: What Can be Done to Defend the DNS? Obviously, networks vary greatly and operators worldwide have addressed DNS in very different ways. Some do so through architecture, placing load balancers in front of the DNS, or adding IPS as a screen. Others may use Anycast, while still others simply overprovision networks to take up the slack. New techniques introduce advanced, hardwarebased deep packet inspection (DPI) inside the DNS server to identify malicious traffic and filter it out while responding only to legitimate DNS requests. Whatever their approach, operators must thoroughly assess and address the vulnerabilities of their own unique DNS defenses. With the threat landscape changing rapidly, lab testing designed to ensure performance and stability must also evolve. Service providers must assume greater control and be increasingly proactive as they deploy equipment into their networks. Equipment vendors perform testing before releasing new platforms, but these efforts may be based on default configurations that produce best case performance data. Rather than rely on data sheets, IT departments need to broaden and tailor testing to reflect the requirements and challenges of their own individual networks. Pre-deployment testing needs to model individual network configurations, simulating real-world traffic conditions and user behavior at scale. In addition, foreseeable threat conditions and environments also must be recreated in the lab with a variety of attacks and exploits generated to assess defenses. Finally, testing should encompass established DNS solutions as well as prospective new devices and strategies. 8

9 Components of Essential DNS Testing While actual DNS testing strategies may vary among providers, some critical components of validating security remain constant: Realism: the ability to model subscriber behavior, recreate realistic network configurations, and simulate extreme traffic conditions. For example, unlike normal network traffic, DDoS has some unique and significant properties. The test and evaluation environment should emulate the deployment environment as closely as possible, including directly-connected devices such as routers, switches, and firewalls that may impact packet loss, latency, and data integrity. Scalability is needed to simulate thousands of subscribers at high-load conditions. While a system might be able to detect and mitigate DDoS traffic when barely stressed, it may only detect half the malicious traffic under high load. Definitive measurement of infrastructure resiliency is needed to understand the impact different scenarios may have on the DNS server. Comprehensive, up-to-date Attack Portfolio: Testers must be able to generate a wide variety of attacks aimed at exploiting DNS, and stay on top of emerging threats. To this end, services like Ixia s Application and Threat Intelligence (ATI) deliver relevant and current threats. The ATI service provides updates to protocols, applications, and exploits every two weeks, and includes many prebuilt tests that can be used to test DNS-specific exploits. Combined Real and Attack Traffic: The general traffic profile of a DDoS attack consists of a large number of network sources directing traffic at a single point or small group of targets. In assessing security defenses, it s essential to create blended scenarios that include both legitimate DNS traffic and attack traffic DDoS, DNS exploits, tunneling. A successful defensive posture distinguishes between the two and mitigates attacks by dropping malicious traffic while continuing to respond to legitimate DNS requests. The objective, after all, is not so much thwarting attacks as maintaining high-performing services. In assessing security defenses, it's essential to create blended scenarios that include both attack traffic and legitimate traffic. Flexibility: As we ve said, one size does not fit all. While many elements of testing (and also measures of success) may be considered constants, all networks are unique. Test topologies and methodologies must be flexible enough to accommodate important variances like patterns of valid user queries, vulnerabilities inherent in DNS services and defenses, and ultimately, the level of DDoS exposure an organization views as acceptable. Because these combined capabilities are both essential and hard to build from scratch, purpose-built systems like the Ixia BreakingPoint test solution and Infoblox Advanced DNS Protection for production DNS server deployment introduce massive cost-efficiencies while improving the quality and reliability of results. This, in turn, works to ensure the highest possible customer experience. For example, performing a series of measurements using the Ixia BreakingPoint solution helps to isolate DNS vulnerabilities and validate that DNS DDoS defenses are secure and stable under a global, custom, and current mix of application and attack traffic. Similarly, the Infoblox Advanced DNS Protection solution enables operators to deploy a hardened, carrier-class DNS infrastructure that is highly resilient against all forms of attacks on DNS whether volumetric or exploit-based one that can be updated quickly and easily, without resorting to maintenance windows as threats evolve. 9

10 Part III: Putting DNS Defenses to the Test: A Proven Test Methodology To assess security, operator IT teams need to stress DNS servers and measure the impact on response times and total capacity under attack scenarios. This section provides a brief overview of when and how to test. When to Run Tests To improve DNS defenses over the long term, testing should occur at various junctures during the deployment life-cycle: Baseline assessments of existing DNS service and defenses aid in understanding how existing infrastructures will respond to the next inevitable attack. This helps in determining what actions to take to reach and maintain acceptable levels of DNS DDoS exposure. Testing begins with measuring queries only, and progresses to assessing the overall infrastructure. During Proof of Concepts (POCs) to ensure the best possible technology investments. Results are used to compare potential new vendor technologies using quantifiable data. As part of change control, testing assures patches and configuration changes do not increase the attack surface. Periodically to validate existing technologies will withstand attacks. DNS Defense Testing Topologies Best practices dictate starting testing in a closed environment where only the DNS elements are being evaluated. This eliminates network dependencies that may complicate and slow initial testing. Systems such as Ixia BreakingPoint can generate internal and external queries to the DNS server only, or to DNS and firewall elements as shown in the topology on the left in the diagram to the right. Alternatively, BreakingPoint can also add full stateful behavior of internal application servers to test all elements of the firewall or next-gen firewall DNS defenses as shown in the middle topology. To test the full DNS infrastucture that includes the interaction between DNS servers, firewalls, and application servers, a more complex testing topology must be built. Ixia BreakingPoint provides all the important elements, including internal and external DNS client simulation, as shown in the topology on the right. 10

11 DNS Server DNS Server BreakingPoint AppServer DNS Server App Server BreakingPoint Client DNS Queries BreakingPoint Client DNS and Defenses DNS Defense Test Topology To conduct comprehensive testing, some sophisticated operator IT departments have built pre-deployment labs featuring scaled-down replicas of their actual live networks As an alternative to maintaining a full lab, elements of the live network may be tested during maintenance windows. The 7-Step Test Methodology BreakingPoint Client DNS Infrastructure The recommended seven-step approach to assessing DNS performance and security progresses from measuring best case performance the capacity of the device with no threats to modeling target mixes of DNS features, DNS queries, user behavior, traffic volumes, DOS, and exploits. The more advanced stages of the methodology hinge on users ability to select the attack profiles of vulnerabilities most applicable to their unique network environments. No standard method of acceptance criteria exists. Each company must determine the capacity and level of responsiveness to valid user queries that is acceptable while under attack. No standard method of acceptance criteria exists. Each company must determine the capacity and level of responsiveness to valid user queries that is acceptable under attack. Step 1. Baseline Application Performance: Maximum Queries Here, we determine the maximum rate at which the DNS solution is able to respond to queries with only good traffic. This establishes a baseline to work from in order to better understand the impact of DDoS on the DNS solutions. The workload of legitimate queries should model the behavior of the network. For example, creating a single repetitive test query at high speed is easy to set up, but will cause unrealistically favorable results in terms of DNS queries. Other considerations in establishing a baseline to be used as a comparative metric while under attack include: What is the highest DNS query rate the server can handle without dropping queries? What is the DNS latency/response time? How does response time vary under load? 11

12 Step 2. Application Traffic with Botnet: DNS Query Single Domain Name Step 2 determines DNS performance and mitigation capabilities while under real application traffic loads, and when subjected to a flood of DNS queries for a single domain name. Step 3. Application Traffic with Botnet: DNS Query Multiple Domain Names Here, DNS performance and mitigation capabilities are determined while under real application traffic loads and subjected to a flood of DNS queries for multiple domain names. Step 4. Application Traffic with Botnet: DNS Query Random Domain Names This step determines DNS performance and mitigation capabilities while under real application traffic loads and subjected to a flood of DNS queries for random domain names. Step 5. Application Traffic with Botnet: DNS Susceptibility to Amplification Attacks DNS performance and mitigation capabilities are determined while under real application traffic loads and when subjected to a flood of spoofed queries to the caching nameserver. Step 6. Application Traffic with IP, UDP, and TCP Fuzzing This test determines the ability of the DNS defenses to handle malformed packets. The test system sends malformed IP, UDP, TCP and Ethernet packets produced by a fuzzing techniques to the DNS elements. The fuzzing technique will modify a part of the packet (checksum, protocol options, etc.) to generate corrupt data. Step 7. Application Traffic with DNS Server Infrastructure Vulnerabilities Finally, the security effectiveness of DNS infrastructures defending against known platform vulnerabilities is determined. At this stage, adequate patching and configuration settings for the DNS platform will be determined. 12

13 Part IV: About Two Leading Solutions Throughout this paper, we ve mentioned two leading solutions that combine to help mobile operators evaluate and improve their DNS defenses. This section provides insight into the capabilities and advantages provided by each. Infoblox Advanced DNS Protection Infoblox offers a completely integrated solution to provide the most comprehensive DNS protection for ISP, telco, cable, and mobile network infrastructures. Its new carrier-grade Advanced DNS Protection solution protects DNS against DDoS and other attacks. An all-new family of Advanced DNS appliance servers delivers carrier-grade protection to ensure DNS services are always available, even in the midst of an attack. The Infoblox Advanced DNS Protection Solution is able to: Separate legitimate DNS traffic from DDoS attacks Mitigate attacks by dropping DDoS queries and responding to legitimate DNS requests Maintain DNS service even during an attack Deliver network-wide reporting visibility of all attacks Support real-time automatic threat rule updates For more information please visit Ixia BreakingPoint Leading service providers, enterprises, and equipment manufacturers worldwide trust Ixia s BreakingPoint security test solution to harden and optimize new designs and ongoing defenses. BreakingPoint tests networks and infrastructure devices against the behavior of millions of simulated users downloading rich media content, placing calls, purchasing music, browsing the Web or unknowingly sharing the latest malware. A BreakingPoint solution replaces racks of equipment and complicated setup procedures with a single-chassis solution and single user interface. The system also delivers realistic city- or even nationwide scale. BreakingPoint has the unique ability to create large volumes of legitimate DNS queries mixed with malicious DNS activity. To aid in validation, BreakingPoint s ATI includes more than 80 DNS-specific attacks including DNS reflection and supports DNSSEC and DNS protocol fuzzing. Real-world applications Include: 200+ application protocols Social, peer-to-peer, voice, video, storage Web, enterprise applications, gaming Custom applications 13

14 Real attacks generated include: 6,000+ live security attacks 35,000+ pieces of live malware 180+ evasions DDoS and botnet simulation Custom attacks Updates every 2 weeks to keep databases current Ixia offers BreakingPoint on multiple hardware platforms to match the scale of your network. For DNS to keep doing its job, evaluation procedures and defense strategies must continue to evolve in response to the increased deployment and growing vulnerability of servers. Conclusion For DNS to keep doing its job, evaluation and defense strategies must continue to evolve in response to the increased deployment and growing vulnerability of servers. The approach described here will go a long way in helping operators assess new devices and techniques as well as their overall readiness, resilience, and ability to recover from attacks. As we've seen, new deployments must be tested against, then optimized for real-live network environments. From there, ongoing assessment allows adjustments to be made quickly to accommodate rising traffic volumes and meet the demands of the ever-changing threat landscape, and ever-more-demanding users. 14

15 15

16 WHITE PAPER Ixia Worldwide Headquarters Agoura Rd. Calabasas, CA (Toll Free North America) (Outside North America) (Fax) Ixia European Headquarters Ixia Technologies Europe Ltd Clarion House, Norreys Drive Maidenhead SL6 4FL United Kingdom Sales (Fax) Ixia Asia Pacific Headquarters 21 Serangoon North Avenue 5 #04-01 Singapore Sales Fax Rev. A, February 2014