Protecting DNS Infrastructure Inside and Out
- Ellen Lane
- 10 years ago
How to combat a pervasive threat that is doing serious harm to businesses every day
With the rise of the Internet as a primary channel of commerce, government, and personal communication, Domain Name System (DNS) has become a critical protocol, used constantly by all sorts of organizations for essential functions. Unfortunately, it has been largely overlooked in efforts to protect IT infrastructures, and it is increasingly targeted for exploitation by hackers.

Two basic kinds of attacks are prevalent. Outside-in attacks are aimed at disrupting network services or bringing them to a halt entirely. Inside-out threats use malware planted on an organization's own servers to steal sensitive information and send it to criminals.

Many organizations today have elaborate traditional security measures in place, but most of them have very minimal DNS protection. These organizations are at increasing risk of damage to their reputations, declining customer loyalty, costly legal actions, and direct loss of revenue if their DNS goes down.

This white paper explains in detail the type of hazards your networks face, summarizes industry research on trending threats, explains the techniques necessary to defend against DNS-based attacks, and describes the Infoblox solution for protecting your DNS infrastructure from both outside-in and inside-out threats.

DNS Makes Everything Work and Puts Everything at Risk

Today nearly everything depends on the Internet, and the Internet depends on a protocol called the Domain Name System (DNS). DNS is used for external connections, such as consumers accessing ecommerce websites, and for internal connections, such as employees using email, conferencing, and ERP applications. DNS is as ubiquitous and as essential as electricity today. But because it is an established industry-standard protocol that operates in the background, developers of security software have largely overlooked it. As a result, it is increasingly targeted for exploitation by hackers.
Two basic kinds of attacks are prevalent: denial-of-service (DoS) attacks from outside the network, and malware that has infected clients inside a company's network. Many organizations have elaborate defense-in-depth or layered security systems in place that combine antivirus software, traditional firewalls, security information and event management (SIEM) systems, and other techniques to protect their IT infrastructures. But most of them have little DNS protection, or none at all.

To be safe from the rising number of DNS-based attacks, these organizations need to protect DNS servers from both outside-in and inside-out threats by:

- Mitigating attacks on external authoritative servers by intelligently recognizing various attack types and dropping the attack traffic without disrupting legitimate queries
- Avoiding the theft of customer data and business assets by blocking malware queries that exploit DNS
Outside-in Attacks

Assaults on the infrastructure launched from outside the victim's network use command-and-control servers or botnets to disrupt the functions of an organization or bring them to a stop entirely. If they succeed in taking down external DNS servers of the organization, the entire network is disconnected from the Internet. This kind of attack is usually launched by someone with an ax to grind, such as hacktivists, unscrupulous competitors, or hostile governments. Whether an outside-in attack shuts the network down completely or merely succeeds in reducing performance, it can result in revenue loss and damage to the brand.

Inside-out Attacks

Malware exploits are inside-out threats, using bugs planted on an organization's own servers to send information out via DNS query responses. Malware exploits are usually crimes for profit committed by criminal groups that combine the hierarchical organization of legal businesses with the distributed cell structure of terrorist networks. [1] These criminals use data-exfiltrating malware to steal information such as customer credit-card numbers and market it to lesser criminals who use it directly to commit theft. Or they hold data such as access codes hostage, demanding ransom from their victims.

Number Two and Climbing

When Arbor Networks conducted its ninth annual Worldwide Infrastructure Security Survey on application-layer (layer 7) attacks, 77 percent of the respondents said they had been hit with a DNS attack. Within the many attack vectors being exploited today, DNS is second. [2]

DNS is #2 attack vector protocol:
- HTTP: 82%
- DNS: 77%
- SMTP: 25%
- HTTPS: 54%
- SIP/VOIP: 20%
- IRC: 6%
- Other: 9%

Figure 1: Attack vectors experienced by surveyed respondents (source: 2014 Arbor Worldwide Infrastructure Security Report)
The Q Prolexic Quarterly Global DDoS Attack Report says that the total number of distributed-denial-of-service (DDoS) attacks increased by percent between 2012 and More to the point, according to Prolexic, the use of DNS-based attacks is increasing, constituting 9.58 percent of infrastructure-layer attacks between Q3 and Q4 of Overall in 2013, there has been an increase of 216 percent in DNS-specific attacks.

Infrastructure Layer: 76.76%
- ACK: 2.81%
- CHARGEN: 6.39%
- FIN PUSH: 1.28%
- DNS: 9.58%
- ICMP: 9.71%
- RESET: 1.4%
- RP: 0.26%
- SYN: 14.56%
- SYN PUSH: 0.38%
- TCP Fragment: 0.13%
- UDP Floods: 13.15%
- UDP Fragment: 17.11%

Application Layer: 23.24%
- HTTP GET: 19.91%
- HEAD: 0.64%
- NTP: 0.26%
- SSL POST: 0.13%
- PUSH: 0.77%
- HTTP POST: 1.53%

Figure 2: Attack vectors by percentage of overall threat landscape (Source: Q Prolexic Quarterly Global DDoS Attack Report)

To put these statistics into the context of the impact on businesses, Infoblox commissioned IDG Research to conduct a Network World Custom Solutions Group study that resulted in a report titled Market Pulse Research: DNS Protection. Our goal was to find out how organizations are protecting themselves from DNS-based attacks, how many of them have actually been victim to one, what the financial impacts were, and how confident organizations are that they can mitigate future attacks. One hundred and twenty-eight participants were recruited from among Network World's audience, all of them involved in the purchase, implementation, or management of network security solutions and services. [5]

The findings painted a picture of a network management community that is aware of the danger of DNS-based attacks and concerned over the consequences, but largely unsure of how to recognize them (or even know whether they have occurred) and how to defend against them.
Nearly half of the participants said they are extremely concerned about downtime resulting from cyberattacks, but a widespread lack of visibility into DNS security events prevents them from having hard information to act on. Among participants who are sure they've been attacked:

- A large majority, 76 percent, were victims of DNS DDoS attacks, with DNS cache poisoning coming in second at 33 percent.
- Half of these said the attack caused a DNS service interruption and/or diminished network service.
- The average length of service interruption was seven hours.
- The chief concern among respondents is downtime and inability to conduct business, followed by loss of sensitive data and brand damage.

Type of DNS-based Attack Experienced:
- DNS DDoS attack: 76%
- DNS cache poisoning: 33%
- DNS exploits: 29%
- UDP flood: 29%
- DNS tunneling: 24%
- Amplification: 24%
- Man-in-the-middle: 14%
- Other: 0%
- Don't know: 5%

Figure 3: Among those who have experienced a DNS-based attack, the large majority report that they were the victims of a DNS DDoS attack. About one third were victims of DNS cache poisoning.
Level of Concern about Impact of DNS-Based Attack (extremely concerned / very concerned / somewhat concerned / not very concerned / not at all concerned):
- Downtime/inability to conduct business: 38% / 34% / 20% / 5% / 3% (extremely or very concerned: 72%)
- Loss of sensitive data: 37% / 27% / 18% / 14% / 5% (extremely or very concerned: 64%)
- Negative impact on perception of your organization or brand: 30% / 31% / 22% / 12% / 5% (extremely or very concerned: 61%)
- Poor customer experience: 24% / 33% / 27% / 9% / 6% (extremely or very concerned: 57%)
- Loss of revenue: 27% / 28% / 26% / 11% / 9% (extremely or very concerned: 55%)
- Increased operational costs associated with remediation: 21% / 34% / 31% / 10% / 4% (extremely or very concerned: 55%)
- Risk of noncompliance: 21% / 24% / 26% / 20% / 9% (extremely or very concerned: 45%)

Figure 4: Most respondents are highly concerned about downtime and the inability to conduct business, loss of sensitive data, and a negative impact or perception of their organization or brand.

A Few High-profile Examples

These statistics are good for analyzing trends, but the impact of DNS-based attacks is apparent to anyone who follows IT-related news online. There is nothing theoretical about the threat DNS vulnerability poses. Attacks are happening with increasing frequency and they're getting bigger. [6]

Go Daddy

In September of 2012, domain registrar and web-hosting firm Go Daddy experienced a six-hour outage during which many of the company's client sites went down as well. Rumors circulated that Go Daddy's DNS servers were not resolving, forcing many websites offline. Word spread that a hacker claiming ties to the hacktivist group Anonymous was taking credit for the attack. [7] Go Daddy CEO Scott Wagner countered by denying the reports of hacking and saying that the service outage was due to a series of internal network events that corrupted router data tables. [8] Whether the outage was the result of an attack or of IT configuration problems, it is a dramatic illustration of what happens when DNS goes down.
Spamhaus

In March of 2013, the spam-filtering organization Spamhaus was hit by a record 300-Gbs DDoS attack that spread to multiple Internet exchanges and slowed traffic, primarily in Europe. The attack, apparently, was a revenge hacking carried out by a recently blacklisted concern called CyberBunker, whose anonymous host services are suspected to be a conduit for spam. According to Kelly Jackson Higgins, writing in Dark Reading, the attackers abused improperly configured or default-state DNS servers, also known as open DNS resolvers, in the attacks, and this was not a standard botnet-borne attack. This allowed for a bigger bandwidth attack with fewer machines since DNS servers are large and run on high-speed Internet connections, a recipe that led to the record-breaking DDoS level. Security experts estimate that there are around 21 million of these servers running on the Net. CloudFlare, the service Spamhaus hired to deflect the attack, determined that it was a DNS reflection attack launched by a handful of open DNS resolvers. When CloudFlare began to distribute the load across its own data centers, the attackers targeted bandwidth providers that use CloudFlare's services, affecting even more Internet exchanges. [9]

Twitter and the New York Times

In August of 2013 a gang of cyberterrorists calling themselves the Syrian Electronic Army (SEA) hacked into the systems of Melbourne IT, a web registrar in Australia. The hackers were able to change details of the New York Times and Twitter's registrations so that they pointed to servers controlled by SEA. Twitter's inline image service was still down hours after the hack. SEA broadcast its actions to the world on Twitter, of course. [10]

Microsoft SkyDrive

As is almost always the case when consumer services are disrupted by an attack, users of Microsoft SkyDrive cloud services freely shared their displeasure via Twitter.
The SkyDrive service, Microsoft's online Office suite, its Xbox site, and other sites went dark when a DNS patch failed. The outage hit the United States at night, but in Australia, it happened just as office staff were getting to work and trying to access documents stored in Microsoft's cloud. And soon after, the bad publicity began to get tweeted around the world in multiple languages. Although faulty DNS management rather than weak DNS security is indicated in this instance, it is yet another example of the severe consequences of DNS downtime. [11]

China

In January of 2014, a large portion of Internet traffic in China was redirected to servers run by a U.S. company. Internet users began to complain about being unable to access social media sites and search engines. Ultimately, two-thirds of the traffic in China was interrupted.
According to one security company, the problem was probably related to DNS servers, because people who tried to access sites were all sent to a single IP address, identified as that of the U.S. company. Since the company provides services to help people view content blocked by China's Great Firewall, it was immediately suspected to be the perpetrator, but the company's founder denied any involvement. [12]

What Can You Do to Keep Your Organization Off the Front Pages?

If anything disproves the axiom, "there's no such thing as bad publicity," it's a successful DNS attack. No one wants to be the next internationally acclaimed hacking victim. And unfortunately, the DNS protocol and the commonly used utilities for managing DNS have inherent security vulnerabilities. Firewalls have to leave port 53 open to let DNS traffic through. And it is difficult to identify exploits and attacks, because DNS-management applications don't provide specific visibility into traffic types.

In addition, traditional security measures such as next-generation firewalls, secure web gateways, incident-detection systems, and incident-prevention systems don't directly protect DNS infrastructure. Measures more specifically applicable to DNS, such as overprovisioning to withstand attacks and blacklists maintained manually by network administrators, can't keep up with evolving threats.

So how do you protect against the loss of trust, possible lawsuits, remediation and compliance costs, and diminished revenue a successful attack can cause? How do you prevent DoS and DDoS attacks in the first place, and if they do occur, how do you keep your business processes running while you fight them? And if malware finds its way past your firewall, how do you keep it from exploiting DNS as a channel to send customer data and company assets off the network to criminals who hope to profit at your expense?
At Infoblox we are well aware that to protect against DNS-based attacks, you must fight a war on two fronts, with outward-facing defenses against denial-of-service attacks and internal defenses to protect against malware exploits. Based on this knowledge, and on our extensive experience helping our customers around the world manage and secure DNS services, we offer a complete solution that protects you on both fronts.

The Infoblox Secure DNS Solution

The Secure DNS Solution comprises Infoblox Advanced DNS Protection, which protects networks from outside-in attacks, and Infoblox DNS Firewall, which blocks malware communication from within the network. Running on purpose-built DNS appliances, these solutions secure both fronts by protecting your external and internal DNS infrastructure. Unlike the products of all other DNS vendors, our solution has intelligent detection and mitigation built in to automatically address DNS attacks and malware-based DNS queries. In addition, it leverages continual, automatic updates to protect against new and evolving attacks and emerging malicious domains and networks. Infoblox is the first and only vendor to offer this level of security for DNS appliances.
Protection against Outside-in Attacks

Protection starts with the hardware: Infoblox purpose-built appliances hardened for security during the manufacturing process and certified for Common Criteria Level EAL-2. One-click enablement and automatic key refresh eliminate the usual complexity of implementing DNS Security Extensions (DNSSEC), an effective protocol in preventing DNS hijackings and cache poisoning.

Running on this robust platform, Infoblox Advanced DNS Protection continuously monitors, detects, and drops packets of DNS-based attacks (including amplification, reflection, floods, exploits, tunneling, cache poisoning, and protocol anomalies) and mitigates them, at the same time continuing to respond to legitimate traffic. This provides critical DNS services even when a network is under attack. The system also receives automatic updates based on threat analysis and research to provide protection against new and evolving DNS attacks as they emerge.

Through comprehensive reports, the solution gives you a centralized view of attacks that have happened on your network and provides the intelligence you need to take action. These reports include details like number of events by category, rule, severity, member-trend analysis, and time-based analysis.

And since every enterprise has different DNS traffic-flow patterns that can vary based on seasonality, time of day, or geography, the Infoblox Secure DNS Solution provides tunable traffic thresholds that you set, enabling you to fine-tune protection parameters based on your unique traffic patterns. This enhances the solution's ability to respond to good traffic without issues while blocking or dropping malicious traffic.
[Figure 5: Protecting against outside-in threats. Diagram: the Infoblox Threat Rule Server sends automatic threat updates to Infoblox Advanced DNS Protection appliances in the DMZ and intranet, which block DNS attacks (DNS tunneling, exploits, reconnaissance, amplification) while passing legitimate traffic, receive grid-wide rule distribution from the Grid Master, and send reports to the Reporting Server.]
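How tunable query thresholds separate flood traffic from legitimate traffic can be shown with a small sliding-window limiter. This is an added example, not Infoblox code or part of the original paper; the class and function names, the thresholds and the sample traffic are all assumptions made for illustration.

```python
"""Added illustration: sliding-window DNS query thresholds per source and per target domain.

Generic sketch only. Names, thresholds and traffic are constructed assumptions
and do not describe how any vendor product is implemented.
"""
from collections import Counter, defaultdict, deque


def registered_domain(qname):
    """Naive grouping key: the last two labels (production code would use the Public Suffix List)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


class QueryThrottle:
    """Admit a query only while its source and its target domain are under their limits."""

    def __init__(self, window_s, per_source_limit, per_domain_limit):
        self.window_s = window_s                  # length of the sliding window, seconds
        self.per_source_limit = per_source_limit  # tunable: queries per source per window
        self.per_domain_limit = per_domain_limit  # tunable: queries per target domain per window
        self._by_source = defaultdict(deque)      # source IP -> timestamps of admitted queries
        self._by_domain = defaultdict(deque)      # domain    -> timestamps of admitted queries

    def _under_limit(self, bucket, now, limit):
        # Forget admissions that have slid out of the window, then compare.
        while bucket and now - bucket[0] >= self.window_s:
            bucket.popleft()
        return len(bucket) < limit

    def check(self, ts, src_ip, qname):
        """Return 'allow', 'drop-source' or 'drop-domain' for one query."""
        src = self._by_source[src_ip]
        dom = self._by_domain[registered_domain(qname)]
        if not self._under_limit(src, ts, self.per_source_limit):
            return "drop-source"    # one client asking far more than its share
        if not self._under_limit(dom, ts, self.per_domain_limit):
            return "drop-domain"    # many clients converging on one zone
        src.append(ts)
        dom.append(ts)
        return "allow"


def build_sample():
    """Constructed traffic: (timestamp_seconds, source_ip, qname). Not real capture data."""
    events = []
    # A single noisy source: 50 queries in one second, each for a different domain.
    for i in range(50):
        events.append((i * 0.02, "198.51.100.7", f"host{i}.site{i}.test"))
    # A distributed burst: 30 sources, 2 queries each, all for names under one zone.
    for i in range(60):
        events.append((1.0 + i * 0.01, f"203.0.113.{i % 30 + 1}", f"r{i}.victim.example"))
    # A normal client: one query per second.
    for i in range(5):
        events.append((0.5 + i, "192.0.2.10", "www.example.org"))
    events.sort()
    return events


def replay(events, throttle):
    """Feed events through the throttle; return decision counts and dropped sources."""
    decisions, dropped_sources = Counter(), Counter()
    for ts, src, qname in events:
        verdict = throttle.check(ts, src, qname)
        decisions[verdict] += 1
        if verdict == "drop-source":
            dropped_sources[src] += 1
    return decisions, dropped_sources


if __name__ == "__main__":
    throttle = QueryThrottle(window_s=10, per_source_limit=20, per_domain_limit=40)
    decisions, dropped = replay(build_sample(), throttle)
    print(dict(decisions))
    print(dict(dropped))
```

The per-source limit catches the single noisy client, while the per-domain limit catches the distributed burst in which every individual source stays under its own limit; the normal client is answered throughout.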
Key Features

- Smart rate thresholds put the brakes on DNS DDoS and flood attacks without denying services to legitimate users.
- Source-based throttling detects abnormal queries by source and causes brute-force methods to fail.
- Destination-based throttling detects abnormal increases in traffic grouped by target domains.
- Next-generation programmable processors provide high-performance filtering of malicious and legitimate traffic.
- Detecting reconnaissance activity and reporting it helps your network team identify attacks and prepare for them before they are even launched.
- Analyzing packets for patterns of exploits that target specific vulnerabilities makes it possible to stop some attacks before they reach the DNS software.
- Centralized visibility and reporting enables your network team to recognize attacks happening in different parts of the network.
- Ongoing protection through automatic updates from Infoblox makes sure that your Secure DNS Solution evolves to handle the changing threat landscape.

Blocking Inside-out Malware Threats

While DNS has its inherent weaknesses, it also has a significant strong point: It is a natural ambush point for disrupting malware and advanced-persistent-threat (APT) communications to malicious command-and-control and botnet servers.

The Infoblox DNS Firewall protects against malware-driven DNS queries to malicious domains by proactively preventing clients from becoming infected and by disrupting the ability of infected clients to communicate with botnets or command-and-control servers. It prevents clients from going to a malware website, and hijacked DNS command-and-control requests are not executed, preventing botnets from operating. All inappropriate connection attempts are logged and correlated to help pinpoint infected clients. And as it does with intelligence on external attacks, the solution leverages comprehensive, accurate, and current data on rapidly evolving domains and networks to detect and block connections weeks to months sooner than you could if you had to use manually compiled blacklists.
[Figure 6: Protecting against inside-out threats. Diagram: the DNS Firewall Subscription Service sends automatic threat updates to the DNS Firewall, which blocks bad DNS queries from DNS clients and reports to the Reporting Server.]

Key Features

- Automated review and blocking of resolved DNS queries to bad domains from infected clients
- Logging of DNS transactions that can be used by third-party applications such as SIEMs
- Integration with Infoblox core DHCP and IP address management to give the industry's best visibility into infected devices by IP and MAC address and device type
- Automatic updates every two hours to reflect fast-flux changes of domains and IP addresses
- Geography-based blocking for rogue nations and known regions of hacking activity
Protection from Advanced Persistent Threats

Infoblox Secure DNS Solution also benefits from the integration of DNS Firewall with the FireEye NX series of APT-detection software. The integration combines the power of FireEye APT detection and Infoblox DNS-level blocking and device fingerprinting to help network teams detect and disrupt APT malware communication and to pinpoint infected devices attempting to access malicious domains.

[Figure 7: Protecting against APTs. Diagram, "Internal & External: FireEye + DNS Firewall Subscription": the FireEye NX series detects and detonates advanced malware and passes the domain names and host IP addresses to be blocked through the DNS Firewall - FireEye Adapter; the DNS server with DNS Firewall blocks or redirects the malware DNS query from the infected endpoint; the Infoblox Reporting Server identifies the infected device by IP/MAC address and device type.]

Key Features

- Automatic DNS-level blocking of detected APTs to block DNS queries at the domain and IP level
- Flexible policy enforcement to pass through, block, or redirect queries so that administrators can act on them within specific security frameworks
- Identification of infected devices to expedite remediation and slow the expansion of attacks
- Reporting of malicious domains and IP addresses to give IT security personnel greater understanding of APT attacks
It's Time to Stop Losing Ground to Hackers and Thieves

What we hope we've done with this white paper is raise your awareness of a serious threat to your company, your customers, and your success, and convince you that the health and well-being of your network could very well depend on how soon you reinforce your overall security infrastructure with the Infoblox Secure DNS Solution. DNS is the cornerstone of the Internet, but it has long been ignored when it comes to protection, and this has created a vulnerability that the criminal community is taking more advantage of every day. The only solution built with these facts in mind is the Infoblox Secure DNS Solution. Contact us today to find out more about this critical shield against the most dangerous threats your network faces.

About Infoblox

Infoblox (NYSE:BLOX) helps customers control their networks. Infoblox solutions help businesses automate complex network control functions to reduce costs and increase security and uptime. Our technology enables automatic discovery, real-time configuration and change management and compliance for network infrastructure, as well as critical network control functions such as DNS, DHCP, and IP address management (IPAM) for applications and endpoint devices. Infoblox solutions help over 6,900 enterprises and service providers in 25 countries control their networks.

[1] Cybercrime and Organized Crime, The United Nations Crime and Justice Research Institute,
[2] Arbor Worldwide Infrastructure Security Report, Arbor Networks,
[3] Q Prolexic Quarterly Global DDoS Attack Report, p. 3, Prolexic Technologies, Inc.,
[4] Prolexic, p
[5] Market Pulse Research: DNS Protection, a Network World Custom Solutions Group study conducted on behalf of Infoblox by IDG Research Services, December
[6] Prolexic, p
[7] Anonymous hacker claims Go Daddy attack: outage hits millions, ZDNet, 10 September,
[8] Go Daddy Site Outage Investigation Completed, Go Daddy News Releases, 11 September,
[9] Misconfigured, Open DNS Servers Used In Record-Breaking DDoS Attack, Kelly Jackson Higgins, Dark Reading, 27 March,
[10] Twitter and New York Times still patchy as registrar admits SEA hack, The Guardian, 28 August,
[11] Microsoft SkyDrive suffers outages, Chris Griffith, The Australian, 22 November,
[12] China Websites Hit with Disruptions, Paul Mosur, Wall Street Journal, 21 January,
A Dictionary from the Dark Side of IT

A simple way to gauge the extent of the danger posed by DNS vulnerability is to look at the sheer number of attack types currently being launched. This is not all of them. And new ones are emerging.

- Direct DNS amplification attacks congest DNS server outbound bandwidth by sending a large number of DNS queries that provoke a response up to 70 times the size of the request.
- Reflection attacks use a third-party DNS server to send queries that include the victim's IP address as the source IP in the query, so responses flood the victim's address, bringing down the site.
- Distributed reflection DoS (DrDoS) attacks combine reflection and amplification to significantly increase the size of the response to the initial queries and the likelihood that the victim's server will be overwhelmed.
- TCP/UDP/ICMP flood attacks are volumetric attacks with massive numbers of packets that consume a network's bandwidth and resources.
- DNS-based exploits make use of software bugs in protocol parsing and processing implementation to exploit vulnerabilities in DNS server software.
- DNS cache poisoning consists of inserting a false address record into the DNS query, so that subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker.
- Protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server, making it stop responding or crash by causing an infinite loop in server threads.
- Reconnaissance consists of attempts to get information on the network environment before launching a large DDoS or other type of attack.
- DNS tunneling involves tunneling another protocol through DNS port 53 (which is allowed if the firewall is configured to carry non-DNS traffic) for the purposes of data exfiltration.
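From the defender's side, the DNS tunneling entry above translates into a query-log check: tunneled data shows up as many distinct, long, high-entropy subdomains under one zone from one client. The following is an added example, not part of the original paper or any Infoblox product; the function names, thresholds and log records are constructed assumptions.

```python
"""Added illustration: flag DNS-tunneling candidates in a resolver query log.

Heuristic sketch only. Thresholds and the sample log are constructed
assumptions; real deployments tune them against their own baseline traffic.
"""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Empirical entropy of a string in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname):
    """Return (subdomain, zone); zone is naively the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnel_candidates(log, min_unique=20, min_mean_len=24, min_mean_entropy=3.2):
    """Group queries by (client, zone) and flag groups that meet all three thresholds."""
    seen = defaultdict(set)
    for client, qname in log:
        sub, zone = split_qname(qname)
        if sub:
            seen[(client, zone)].add(sub)

    findings = []
    for (client, zone), subs in sorted(seen.items()):
        compact = [s.replace(".", "") for s in subs]   # ignore label separators
        mean_len = sum(len(s) for s in compact) / len(compact)
        mean_ent = sum(shannon_entropy(s) for s in compact) / len(compact)
        # Many distinct names alone is normal for a CDN, and a short label can
        # look random, so volume, length and entropy must all be unusual.
        if (len(subs) >= min_unique and mean_len >= min_mean_len
                and mean_ent >= min_mean_entropy):
            findings.append({
                "client": client,
                "zone": zone,
                "unique_subdomains": len(subs),
                "mean_length": mean_len,
                "mean_entropy": round(mean_ent, 2),
            })
    return findings


def build_sample_log():
    """Constructed (client_ip, qname) records. Not real capture data."""
    log = []
    # Ordinary browsing and mail lookups.
    for name in ("www.example.org", "mail.example.org", "www.example.org"):
        log.append(("10.0.0.11", name))
    # Busy but benign: many short, structured names under a CDN zone.
    for i in range(40):
        log.append(("10.0.0.12", f"img{i}.cdn.example.net"))
    # Tunneling-like: 30 distinct 40-character hex labels under one zone.
    # The hex strings are hash output standing in for encoded payload chunks.
    for i in range(30):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]
        log.append(("10.0.0.23", f"{chunk}.t.exfil.test"))
    return log


if __name__ == "__main__":
    for finding in find_tunnel_candidates(build_sample_log()):
        print(finding)
```

Only the client sending long hex-like labels is reported; the CDN client has more unique names but fails the length threshold, which is why the three conditions are combined.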
How To Block A Ddos Attack On A Network With A Firewall
A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial
SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper
SHARE THIS WHITEPAPER On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper Table of Contents Overview... 3 Current Attacks Landscape: DDoS is Becoming Mainstream... 3 Attackers Launch
JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE
WE ARE NOT FOR EVERYONE JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME Don t let a DDoS attack bring your online business to a halt we can protect any server in any location DON T GET STUCK ON THE ROAD OF
DDoS Attack Mitigation Report. Media & Entertainment Finance, Banking & Insurance. Retail
DDoS Attack Mitigation Report Media & Entertainment Finance, Banking & Insurance Retail DDoS Attack Mitigation Report Media & Entertainment Attack on Spanish-Language News Site is Abandoned When Traffic
The Hillstone and Trend Micro Joint Solution
The Hillstone and Trend Micro Joint Solution Advanced Threat Defense Platform Overview Hillstone and Trend Micro offer a joint solution the Advanced Threat Defense Platform by integrating the industry
WEB APPLICATION FIREWALLS: DO WE NEED THEM?
DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer [email protected] www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?
DDoS Overview and Incident Response Guide. July 2014
DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target
TLP WHITE. Denial of service attacks: what you need to know
Denial of service attacks: what you need to know Contents Introduction... 2 What is DOS and how does it work?... 2 DDOS... 4 Why are they used?... 5 Take action... 6 Firewalls, antivirus and updates...
Stop DDoS Attacks in Minutes
PREVENTIA Forward Thinking Security Solutions Stop DDoS Attacks in Minutes 1 On average there are more than 7,000 DDoS attacks observed daily. You ve seen the headlines. Distributed Denial of Service (DDoS)
Abstract. Introduction. Section I. What is Denial of Service Attack?
Abstract In this report, I am describing the main types of DoS attacks and their effect on computer and network environment. This report will form the basis of my forthcoming report which will discuss
Top Five DNS Security Attack Risks and How to Avoid Them
WHITEPAPER Top Five DNS Security Attack Risks and How to Avoid Them How to Effectively Scale, Secure, Manage, and Protect Your DNS Table of Contents Executive Overview 2 DNS Attacks Are on the Rise 2 External
Networking for Caribbean Development
Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n
CS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
Concierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer
2012 Infrastructure Security Report 8th Annual Edition Kleber Carriello Consulting Engineer Key Findings in the Survey* Advanced Persistent Threats (APT) a top concern for service providers and enterprises
Distributed Denial of Service (DDoS) attacks. Imminent danger for financial systems. Tata Communications Arbor Networks.
Distributed Denial of Service (DDoS) attacks Imminent danger for financial systems Presented by Tata Communications Arbor Networks 1 Agenda Importance of DDoS for BFSI DDoS Industry Trends DDoS Technology
How To Mitigate A Ddos Attack
VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 3 3RD QUARTER 2014 CONTENTS EXECUTIVE SUMMARY 3 VERISIGN-OBSERVED DDoS ATTACK TRENDS 4 Mitigations by Attack Size 4 Mitigations by Industry 5
Arbor s Solution for ISP
Arbor s Solution for ISP Recent Attack Cases DDoS is an Exploding & Evolving Trend More Attack Motivations Geopolitical Burma taken offline by DDOS attack Protests Extortion Visa, PayPal, and MasterCard
Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall
Defeat Malware and Botnet Infections with a DNS Firewall By 2020, 30% of Global 2000 companies will have been directly compromised by an independent group of cyberactivists or cybercriminals. How to Select
Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015
Network Security Dr. Ihsan Ullah Department of Computer Science & IT University of Balochistan, Quetta Pakistan April 23, 2015 1 / 24 Secure networks Before the advent of modern telecommunication network,
Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall
Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall A FORTINET WHITE PAPER www.fortinet.com Introduction Denial of Service attacks are rapidly becoming a popular attack vector used
Why Is DDoS Prevention a Challenge?
ANALYST BRIEF Why Is DDoS Prevention a Challenge? PROTECTING AGAINST DISTRIBUTED DENIAL-OF-SERVICE ATTACKS Authors Andrew Braunberg, Mike Spanbauer Overview Over the past decade, the threat landscape has
Enhancing Your Network Security
Enhancing Your Network Security Rainer Singer SE Manager Central Europe October 2013 Infoblox Overview & Business Update Founded in 1999 Headquartered in Santa Clara, CA with global operations in 25 countries
20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7
20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic
This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons
This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons Attribution-ShareAlike 4.0 International license. As a provider
FortiDDoS. DDoS Attack Mitigation Appliances. Copyright Fortinet Inc. All rights reserved.
FortiDDoS DDoS Attack Mitigation Appliances Copyright Fortinet Inc. All rights reserved. What is a DDoS Attack? Flooding attack from compromised PCs run by a Botmaster The Botmaster s motivations may be
Cloud Security In Your Contingency Plans
Cloud Security In Your Contingency Plans Jerry Lock Security Sales Lead, Greater China Contingency Plans Avoid data theft and downtime by extending the security perimeter outside the data-center and protect
First Line of Defense
First Line of Defense SecureWatch ANALYTICS FIRST LINE OF DEFENSE OVERVIEW KEY BENEFITS Comprehensive Visibility Powerful web-based security analytics portal with easy-to-read security dashboards Proactive
How to Evaluate DDoS Mitigation Providers:
Akamai White Paper How to Evaluate DDoS Mitigation Providers: Four Critical Criteria How to Evaluate DDoS Mitigation Providers 2 TABLE OF CONTENTS INTRODUCTION 3 CRITERIA #1: THREAT INTELLIGENCE 3 CRITERIA
Load Balancing Security Gateways WHITE PAPER
Load Balancing Security Gateways WHITE PAPER Table of Contents Acceleration and Optimization... 4 High Performance DDoS Protection... 4 Web Application Firewall... 5 DNS Application Firewall... 5 SSL Insight...
CMPT 471 Networking II
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
VALIDATING DDoS THREAT PROTECTION
VALIDATING DDoS THREAT PROTECTION Ensure your DDoS Solution Works in Real-World Conditions WHITE PAPER Executive Summary This white paper is for security and networking professionals who are looking to
First Line of Defense to Protect Critical Infrastructure
RFI SUBMISSION First Line of Defense to Protect Critical Infrastructure Developing a Framework to Improve Critical Infrastructure Cybersecurity Response to NIST Docket # 130208119-3119-01 Document # 2013-044B
Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall
Defeat Malware and Botnet Infections with a DNS Firewall By 2020, 30% of Global 2000 companies will have been directly compromised by an independent group of cyberactivists or cybercriminals. How to Select
QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY
QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY EXPLOIT KITS UP 75 PERCENT The Infoblox DNS Threat Index, powered by IID, stood at 122 in the third quarter of 2015, with exploit kits up 75 percent
Yahoo Attack. Is DDoS a Real Problem?
Is DDoS a Real Problem? Yes, attacks happen every day One study reported ~4,000 per week 1 On a wide variety of targets Tend to be highly successful There are few good existing mechanisms to stop them
Complete Protection against Evolving DDoS Threats
Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion
Automated Mitigation of the Largest and Smartest DDoS Attacks
Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application
Technology Blueprint. Defend Against Denial of Service Attacks. Protect each IT service layer against exploitation and abuse
Technology Blueprint Defend Against Denial of Service (DOS and DDOS) Attacks Protect each IT service layer against exploitation and abuse LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL
Firewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
ADC Survey GLOBAL FINDINGS
ADC Survey GLOBAL FINDINGS CONTENTS Executive Summary...4 Methodology....8 Finding 1: Attacks Getting More Difficult to Defend... 10 Finding 2: Attacks Driving High Costs to Organizations.... 14 Finding
SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal
WHITE PAPER SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM Why Automated Analysis Tools are not Created Equal SECURITY REIMAGINED CONTENTS Executive Summary...3 Introduction: The Rise
How To Stop A Ddos Attack On A Website From Being Successful
White paper Combating DoS/DDoS Attacks Using Cyberoam Eliminating the DDoS Threat by Discouraging the Spread of Botnets www.cyberoam.com Introduction Denial of Service (DoS) and Distributed Denial of Service
SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper
SHARE THIS WHITEPAPER Top Selection Criteria for an Anti-DDoS Solution Whitepaper Table of Contents Top Selection Criteria for an Anti-DDoS Solution...3 DDoS Attack Coverage...3 Mitigation Technology...4
Firewall Firewall August, 2003
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
How Cisco IT Protects Against Distributed Denial of Service Attacks
How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN
Why should I care about PDF application security?
Why should I care about PDF application security? What you need to know to minimize your risk Table of contents 1: Program crashes present an opportunity for attack 2: Look for software that fully uses
DDoS Protection on the Security Gateway
DDoS Protection on the Security Gateway Best Practices 24 August 2014 Protected 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by
Application DDoS Mitigation
Application DDoS Mitigation Revision A 2014, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Volumetric vs. Application Denial of Service Attacks... 3 Volumetric DoS Mitigation...
DDoS Protection Technology White Paper
DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of
DDoS DETECTING. DDoS ATTACKS WITH INFRASTRUCTURE MONITORING. [ Executive Brief ] Your data isn t safe. And neither is your website or your business.
[ Executive Brief ] DDoS DETECTING DDoS ATTACKS WITH INFRASTRUCTURE MONITORING. Your data isn t safe. And neither is your website or your business. Hacking has become more prevalent and more sophisticated
TDC s perspective on DDoS threats
TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)
Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
AntiDDoS1000 DDoS Protection Systems
AntiDDoS1000 DDoS Protection Systems Background and Challenges With the IT and network evolution, the Distributed Denial of Service (DDoS) attack has already broken away from original hacker behaviors.
www.prolexic.com Stop DDoS Attacks in Minutes
www.prolexic.com Stop DDoS Attacks in Minutes Prolexic gives us the strong insurance policy against DDoS attacks that we were looking for. Mark Johnson, Chief Financial Officer, RealVision You ve seen
