Scale your DNS Infrastructure Ensure App and Service Availability. Nigel Ashworth Solution Architect EMEA

Transcription

1 Scale your DNS Infrastructure Ensure App and Service Availability Nigel Ashworth Solution Architect EMEA

2 Agenda DNS and F5 Use Cases - The top four Firewall for DNS or a DNS Firewall? DNS Reputational Intelligence Competitive Comparisons DNS Mitigation Test framework Context and DNS F5 Agility

3 DNS and F5

4 F5 DNS GSLB to DNS Delivery 11.1 / VISIBILITY AND REPORTING 10.X COMPREHENSIVE GSLB HIGH PERFORMANCE DNS DELIVERY. HIGH PERFORMANCE CACHING & RESOLVING. F5 Agility

5 F5 DNS Secure High Performance DNS SECURITY AND ELASTIC SCALABILITY. EASE OF USE. EASE OF DEPLOYMENT. SERVICE PROVIDER ENHANCEMENTS. CURRENT RELEASE F5 Agility

6 F5 DNS Secure High Performance DNS 11.4 SECURITY AND ELASTIC SCALABILITY EASE OF USE. EASE OF DEPLOYMENT. SERVICE PROVIDER ENHANCEMENTS. CURRENT RELEASE 11.6 SECURI TY DOS F5 Agility

7 F5 DNS Key Drivers Performance and Consolidation Service Providers need scale to support millions of subscribers. Internet CONVENTIONAL DNS THINKING External Firewall DNS Load Balancing Array of DNS Servers Internal Firewall Hidden Master DNS F5 DNS products have unprecedented scale in virtual, appliances and chassis versions. F5 DNS integrates an ICSA certified firewall into the same footprint. Integrate with other F5 modules running on the same hardware. DMZ Datacenter Security F5 PARADIGM SHIFT DNS Protocol Validation scrubs the incoming DNS queries to only answer valid clients. Massive scale allows BIG-IP to absorb large attacks. Query type filtering and rate limiting features can further protect DNS resources. Flexible GSLB Integrated with LTM Internet BIG-IP Global Traffic Manager Master DNS Infrastructure 30M RPS GTM provides the best answer for DC availability through Intelligent DNS. Base answers on topology, geo-location, health and more. Addresses Key Customer Pain Points, reducing OpEx and CapEx F5 DNS Solutions can scale existing DNS installations. Scale without impacting operations. Optimized Service Provider DNS solutions maximize uptime and match core resources with customer demand. F5 Agility

8 Use Cases The top four

9 1 Local DNS Where is F5 Agility

10 1 Local DNS Where is 2 Authoritative DNS Where is F5 Agility

11 1 Local DNS 3 GSLB DNS Where is Data Center Data Center Where is the closest service 2 Authoritative DNS Where is F5 Agility

12 1 Local DNS 3 GSLB DNS Where is Data Center Data Center Where is the closest service 2 Authoritative DNS 4 GGSN / PGW Mobile Core DNS and GSLB GGSN/ PGW MME Where is (e)node B SGW/ SGSN BIG-IP Platform F5 Agility

13 1 Local DNS! DNS Firewall 3 GSLB DNS Where is Data Center Data Center Where is the closest service 2 Authoritative DNS 4 GGSN / PGW Mobile Core DNS and GSLB GGSN/ PGW MME Where is (e)node B SGW/ SGSN BIG-IP Platform F5 Agility

14 Firewall for DNS or a DNS Firewall?

15 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification F5 Agility

16 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification Clients IPv4 / IPv6 TCP / UDP Protocol Validatio n + ACL DNSSEC irules irules DNSSEC GSLB 6 4 GSLB irules 6 4 DNS Express RPZ /Cache / Resolver DNS Server Pool DNS 6-4 Zone XFR DNS LB Pool Request Response AXFR Request AXFR Response Local BIND Zone XFR F5 Agility

17 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification Performa nce 2x 4x 8x Single Process or SMP TMOS F5 Agility Time

18 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification F5 Agility

19 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification Advanced DNS Analytics Applications Virtual Servers Query Name Query Type Client IP F5 Agility

20 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification RESPONSE POLICY ZONES* MITIGATES THREATS BY FQDN IP INTELLIGENCE MITIGATES THREATS BY FQDN URL FILTERING MITIGATES THREATS BY FQDN POLICY CONTROL BY FQDN Ingress DNS path Screens a DNS request against domain names with a bad reputation. Any IP Protocol with irules Categorize the IP address from the response & make a decision. HTTP, HTTPS and DNS with irules Categorize the FQDN from the request & make a decision. F5 Agility

21 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification Legitimate Users DDoS Attacker Multiple ISP strategy ISPa/b Cloud Scrubbing Service Threat Feed Intelligence Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplificatio n, query flood, dictionary attack, DNS poisoning Tier 1 Network and DNS Next-Generation Firewall IPS SSL attacks: SSL renegotiatio n, SSL flood Access Control, Policy Enforcemen t HTTP attacks: Slowloris, slow POST, recursive POST/GET Tier 2 Applicatio n Corporate Users Financial Services E- Commerce Subscriber Scann er Anonym ous Proxies Anonym ous Request s Botnet Attack ers Strategic Point of Control F5 Agility

22 Anatomy of a DNS Firewall Platforms IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification VIPRION 4800 VIPRION 44xx Chassis VIPRION 2400 Chassis BIG IP 10x00 BIG IP 7x00 BIG IP 5x00 BIG IP 4x00 F5 Agility

23 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification Internet Internet CONVENTIONAL DNS THINKING External Firewall DNS Load Balancing BIG-IP Global Traffic Manager DMZ Array of DNS Servers F5 PARADIGM SHIFT Master DNS Infrastructure Internal Firewall Hidden Master DNS Datacenter 30M RPS F5 Agility

24 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification F5 Agility

25 DNS Reputational Intelligence

26 Protecting the Client The internet isn t an altogether safe place MALICIOUS THREATS BotNets Inadvertently downloaded and used to mount distributed attacks. Viruses Once installed, causes malicious activity on end-user device, sometimes for ransom. OS Vulnerabilities Unprotected, unpatched devices are extremely vulnerable. UNDESIRABLE CONTENT Offensive Content may violate HR or local rules. Violation of decency standards. Be age inappropriate. Irrelevant Distractive content incompatible with job function or policy. Illegal content File sharing or sites identified as hosting banned material. DUPING THE USER Phishing scams and Man in the Middle Websites which impersonate real websites, often linked from or a website. Scammers aim to capture credentials. Site redirection DNS traffic is captured and sent to a malicious DNS server serving bad DNS results (such as a compromised CPE). F5 Agility

27 DNS IP and Name Reputation Choices RESPONSE POLICY ZONES* MITIGATES THREATS BY FQDN IP INTELLIGENCE MITIGATES THREATS BY FQDN Ingress DNS path Screens a DNS request against domain names with a bad reputation. Any IP Protocol with irules Categorize the IP address from the response & make a decision. URL FILTERING MITIGATES THREATS BY POLICY FQDN CONTROL BY FQDN HTTP, HTTPS and DNS with irules Categorize the FQDN from the request & make a decision. *Response Policy Zones (RPZ) are a form of DNS firewall in which the rule sets are expressed as specially constructed DNS zones. In this case, using RPZ means subscribing to commercial threat feeds that provide the up-to-date RPZ lists of bad domains. F5 Agility

28 Technical Use Cases Nature of Threat RPZ IP INTELLIGENCE URL FILTERING Protect users from accessing malicious websites. DNS lookup required. Limited to IP address reputation. Protect users from accessing a malicious website by IP address.* No DNS lookup issued No DNS lookup to filter. No URL or FQDN to examine. Social networking Against corp policy. Cover malicious content only. Limited to IP address reputation. *IPI blocks both the bad IP address ( AND the domain name ( mapped to the bad IP address. F5 Agility

29 Use Case Client Protection Prevent subscribers from reaching known bad domains Prevent malware and sites hosting malicious content from ever communicating with a client. Internet activity starts with a DNS request. Inhibit the threat at the earliest opportunity. RPZ feed Updates BIG-IP GTM IPV4/V6 LISTENER PROTOCOL VALIDATION IRULES CACHE REPUTATI ON DATABASE SPECIAL HANDLING RESOLVE R F5 Agility

30 Use Case Parental or Enterprise Behavior Controls Customized DNS decisions based on domain categories Determine subscriber policies and use the icontrol API to furnish these into irules. Classify client traffic by source and retrieve their specific policy for categories and permissions. Block or provide walled garden responses according to subscriber preferences. Provided through the URL Filtering license and DNS irules. URL Feed Subscriber Policy icontrol iquery QUERY: DNS irules SOCIAL PARKED DOMAIN GAMES BUSINESS CACHE RESOLVER SUBSCRIBER DATAGROUPS ALL OTHERS LOG F5 Agility

31 Use Case Layered Client Protection Response Policy Zones (RPZ) filters out and provides NXDOMAIN / Redirect for know bad doma URL Filtering further provides granular policy controls using categories. IP Intelligence blocks based on the resolved IP. It can also be used in the data path for other protocols. Subscriber RPZ Feed IPI Feed URL Feed Policy icontrol iquery QUERY: DNS irules (Request / Response) INGRESS DNS PATH RPZ DNS Request Path URL Filtering irule CACHE RESOLVER DNS Response Path IP Intelligence EGRESS DNS PATH F5 Agility

32 Competitive Comparisons

33 A word on terminology DNS EXPRESS DNS CACHING DNS RESOLVER A high performance Authoritative DNS Slave. Zone transfer from an existing DNS server and get scale and security. Place the F5 BIG-IP in front of a DNS Resolver and massively increase DNS performance by caching responses. Use the high performance DNS resolver in BIG-IP to consolidate all DNS and firewall functions into one platform. F5 Agility

34 DNS Authoritative on F5 BIG-IP Appliances DNS Express is Utilized for BIG-IP Numbers Responses per Second S 2200S 4000S 5000S 4200V 7000S 10000S 5200V 10200V 7200V F5 Agility

35 DNS Authoritative on F5 VIPRION DNS Express is Utilized for BIG-IP Numbers Responses per Second B2150 Blade B2100 Blade B2250 Blade B4200 Blade B4300 Blade 2400 w/b w/b w/b w/b F5 Agility

36 DNS Caching on F5 BIG-IP Appliances Responses per Second M RPS S 2200S 4000S 4200V 10000S 5000S 7000S 10200V 5200V 7200V F5 Agility

37 DNS Caching on F5 VIPRION Responses per Second M RPS B2150 Blade B2100 Blade B4300 Blade B2250 Blade 2400 w/b Chassis 2400 w/b Chassis F5 Agility

38 DNS Caching Cost per 1K RPS F5 versus Infoblox Included Functions Cost in USD based on list Enterprise & SP Caching/Resolving Inc. Authoritative Inc. GSLB Inc. Enterprise Caching/Resolving Inc. Authoritative Inc. SP Caching/Resolving Inc. Authoritative Inc. SP Caching/Resolving Inc. 0 F5 Agility

39 DNS Authoritative Cost per 1K RPS F5 versus Infoblox Included Functions Cost in USD based on list Enterprise & SP Caching/Resolving Inc. Authoritative Inc. GSLB Inc. Enterprise Caching/Resolving Inc. Authoritative Inc. SP Caching/Resolving Inc. Authoritative Inc. SP Caching/Resolving Inc. 0 F5 Agility

40 DNS Cache Performance Infoblox Platform by Platform Comparison with F RPS S Infoblox Trinzic S Infoblox Trinzic S Infoblox Trinzic S Infoblox Trinzic V Infoblox Trinzic 4030 Platforms are grouped by like pricing F5 Agility

41 DNS Authoritative Performance Infoblox Platform by Platform Comparison with F RPS S Infoblox Trinzic S Infoblox Trinzic S Infoblox Trinzic S Infoblox Trinzic V Infoblox Trinzic 4030 Platforms are grouped by like pricing F5 Agility

42 DNS Mitigation Test framework

43 Test Rig Mid platform 2400 Platforms Three major Components Traffic Generation (Internal and External) DNS server Caching Resolver (Mid Platform BIG-IP 2400 loaded with 4 blades) Traffic Responses (External) Traffic Generator 10M DNS requests Traffic generator and Responder 10M DNS requests / responses VIPRION 4800 VIPRION 44xx Chassis VIPRION 2400 Chassis BIG IP 10x00 VIPRION 2400 Chassis 10 / 40 Gb interfaces and network BIG IP 7x00 BIG IP 5x00 BIG IP 4x00 F5 Agility

44 Tests to be performed and Why First what to de Risk? Two areas (they are very different and open to different types of attacks) Cache in a DNS server Resolver in a DNS server Types of attacks Many types Volumetric Bad protocol / Floods / Amplification / Reflective Zero ttl consuming resources DNSsec - Poisoning Functional Malware internal and external RPZ lists Banned lists ACL s against a domain list DNS tunnelling remove free loaders Platforms VIPRION 4800 VIPRION 44xx Chassis VIPRION 2400 Chassis BIG IP 10x00 BIG IP 7x00 BIG IP 5x00 BIG IP 4x00 F5 Agility

45 Traffic Generation for Caching mitigation 10M requests per second as internal user requests, broken down as: 50% Malware (50/50 customer list and feed lists) 20% bad protocol requests 10% Valid users 10% DNS tunnelling 10% Zero TTL on domains (queue protection for the resolver) 10 or 40Gb interfaces for scalability Can be split across multiple sources / servers F5 Agility

46 Traffic Generation for Resolver mitigation Internal Traffic generation and responder on the external side: 200K (Turn cache off so all requests go to the resolver) requests per second as internal user requests as All Valid users going to the internet External Traffic generation: 10M requests per second as attacker requests, broken down as: 10% Bad IP addresses Webroot addresses 40% Reflective attackers 40% Amplification attackers 10% bad protocol requests DNS flood 10 or 40Gb interfaces for scalability Can be split across multiple sources / servers F5 Agility

47 DNS Test Framework? Scanners Response Policy Zone (RPZ) IP Intelligence Service Feed BIG-IP GTM and AFM IPV4/V6 LISTENER PROTOCOL VALIDATION IRULES CACHE RESOLVE R REPUTATION DATABASE IP INTELLIGENC E ACL ON IP FROM AFM SUBSCRIBE R RATE MANAGEME NT IRULES SUBSCRIBE R RATE MANAGEME NT ACL ON IP FROM AFM RESPONSE PAGE SPECIAL HANDLING SPECIAL HANDLING Splunk Logging F5 Agility

48 Outcomes Agree Measurement for: Baseline the users performance and that the DNS is available, confidential and has integrity for Cache and Resolver Measure that the attacks do not affect the users and that the DNS is available, confidential and has integrity, compare to baseline It is about Risk Management to the business while under DNS attack. F5 Agility

49 Context and DNS

50 DNS over UDP doesn t prove Identity UDP is the primary transport mechanism for DNS because it s low latency and fast for client resolution UDP is stateless and trivial to spoof A hacker client often doesn t care about the response A hacker client can choose to use the most expensive response A hacker client can be a random nobody A hacker client can IMPERSONATE legitimate clients Techniques to identify clients utilize too much CPU Big DNS DDoS problem: No easy way to identify good vs bad clients F5 Agility

51 Preventing DNS Abuse DNS Tunneling Prevent it with irules Suspend Threshold Classify the traffic Mobile or fixed. Determine the SLA for RPS and allowed response size. Drop Threshold When a client sends in a query Is the query for a blocked domain? (A tunnel host) Is the query rate above allowed rate? Increment score. Client previously above allowed rate? Increment score. Resolve request and analyze response. - Factor in the response size to the score. QUERY RATE SCORING RESPONSE SIZE SCORING Take an action Is the client above the score threshold? - Drop the request Client A Client B Client C Client D Client E Client F - Suspend DNS service for a period. F5 Agility

52 DNS Service Protection Policing Requests for Fairness and Availability SERVICE PROVIDER Primary Customers CSP Service Providers need to ensure availability of DNS services to customers according to their service level. Intelligent per-client IP Rate Limiting gives SPs the tools to inhibit bad actors including DNS tunneling, without adversely affecting performance. MALICIOUS ACTOR Rate limits Per-client DNS rates ACTION S SUSPEND DNS SERVICE COMPROMISE DCLIENT DNS RATE LIMITER RATE LIMIT CLIENT LOG MALICIOUS IDENTITY CACHE RESOLVE R REGULAR CLIENT F5 Agility

53 PATENTS: Issued Patents US Patent No 8,261,351 Inventors: Lisa Golden; Peter Thornewell Title: DNS Flood Protection Platform for a Network Filed January 22, 2008 Issued September 4, 2012 F5 Agility

54 DNS Reference Architectures

55 DNS and GSLB in CURRENT 1. Cloud Bursting 2. Cloud Migration 3. DDoS Protection 4. Intelligent DNS Scale 5. Network Functions Virt. 6. Security for Service Providers 7. S/GI Network Simplification FUTURE 8. Intelligent DNS for SPs 9. Multi-Hybrid Data Centers F5 Agility

56