How To Configure Your DNS Infrastructure To Defend Itself

Transcription

Hardening DNS: How to Configure Your DNS Infrastructure to Defend Itself

Panel Moderator: Srikrupa Srivatsan, Senior Product Marketing Manager, Infoblox
Panel: Victor Mejia, Bestel; Wayne Dake, Fidelity National Information Services; Philip Parker, Senior Technical Marketing Engineer, Infoblox

The Volumetric Challenge to DNS Infrastructure

How a DNS attack works: a distributed reflection attack uses third-party open resolvers on the Internet to unwittingly participate in attacks against a target. These attacks use reflection and amplification techniques to hide the attacker's identity (the queries carry the victim's address as their spoofed source) and to increase the magnitude and effectiveness of the attack. Authoritative name servers can also be used for this attack. Attackers send their spoofed queries to multiple open recursive servers, sometimes thousands of servers at a time. Each query is designed to elicit a large response and send an overwhelming amount of data to the victim's IP address. When a victim is hit by the attack, it can cause slow performance or site outages that can shut down important business processes.

DNS attacks by the numbers (figures as shown on the slide):
- 78%: the most common service targeted by application-layer attacks is now, for the first time, DNS [1]
- 84%: share of reflection/amplification attacks that use DNS [1]
- XX 500 (figure partly unreadable in the extraction): per-minute cost of Internet downtime due to a DDoS attack [1]
- 1.5M: average total cost per year to deal with denial-of-service attacks [2]

Sources: 1. Arbor WISR 2016 report; 2. Ponemon Institute study, The Cost of Denial-of-Service Attacks, March 2015

Advanced DNS Protection (ADP) - DDoS and Attack Mitigation

(Diagram: attack traffic from the Attacker enters the Infoblox protocol server, where ADP, Behavioral Analytics and DNS Firewall process it; DNS DDoS attacks are detected and dropped.)

- Purpose-built deep packet inspection hardware examines each protocol query
- All protocols are covered, including OSPF and BGP for anycast
- ADP detects malformed "packets of death" and other exploits
- Sophisticated rate-limiting algorithms detect and discard DDoS attack traffic
- No impact on the appliance, regardless of attack volume, up to line rate
- Successfully stops volumetric DNS tunnels designed to bypass paywalls and ISP-enforced data caps

Infoblox ADP Appliances

The following hardware appliances have the ADP feature set: PT-1400, PT-2200, PT-4000 and IB-4030. These appliances are particularly suited to surviving volumetric attacks.

ADP Deployments

Multiple Infoblox appliance deployment methods:
- Enterprise internal recursive
- Enterprise external authoritative environments
- Service provider recursive
- Service provider authoritative (MSSP)

Mixed use case, looking at a hospital system:
- Internal authoritative/recursive for staff
- Internal authoritative/recursive for equipment
- Authoritative/recursive for patients and guests

ADP Rule Categories

- BGP
- BLACKLIST DROP TCP IP prior to rate limiting
- BLACKLIST DROP UDP IP prior to rate limiting
- BLACKLIST TCP FQDN lookup
- BLACKLIST UDP FQDN lookup
- Default Pass/Drop
- DHCP
- DNS Amplification and Reflection
- DNS Cache Poisoning
- DNS DDoS
- DNS Malware
- DNS Message Types
- DNS Protocol Anomalies
- DNS Tunneling
- General DDoS
- HA Support
- ICMP
- NTP
- OSPF
- Potential DDoS related Domains
- RATE LIMITED TCP FQDN lookup
- RATE LIMITED TCP IP
- RATE LIMITED UDP IP
- Reconnaissance
- TCP/UDP Floods
- WHITELIST PASS TCP IP prior to rate limiting
- WHITELIST PASS UDP IP prior to rate limiting
- WHITELIST TCP domain
- WHITELIST UDP domain

Example rules shown on the slide:

WARN & DROP: DoS DNS possible reflection/amplification attack attempts

RATELIMIT: UDP high rate inbound large DNS queries (anti tunneling)

WARN & BLOCK: high rate inbound UDP DNS queries
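The attack description earlier in the deck and the three rule types just listed (reflection/amplification, large-query rate limiting, UDP flood blocking) are easier to reason about when the rate-limiting logic is visible over traffic. The Python below is an added example, not Infoblox ADP code and not its rule engine: it models the three rules, plus the blacklist/whitelist checks that run before rate limiting, as sliding-window counters over a constructed query log. The log format, field names, addresses and thresholds are all assumptions chosen for the demo.

```python
import re
from collections import defaultdict, deque

# Constructed log format for this example (not an Infoblox log format):
#   <epoch seconds> <source IP> <UDP|TCP> <qtype> <qname> qlen=<bytes> rlen=<bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<proto>UDP|TCP) "
    r"(?P<qtype>[A-Z0-9]+) (?P<qname>\S+) qlen=(?P<qlen>\d+) rlen=(?P<rlen>\d+)$"
)

# Thresholds are assumptions chosen for the demo, not vendor defaults.
WINDOW_SECONDS = 1.0
UDP_FLOOD_LIMIT = 3          # UDP queries per window per source before WARN & BLOCK
LARGE_QUERY_BYTES = 200      # a UDP query at least this long is tunnel-sized
LARGE_QUERY_LIMIT = 1        # large queries per window per source before RATELIMIT
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}
AMPLIFICATION_RATIO = 10.0   # response/query size ratio that counts as amplification
AMPLIFICATION_LIMIT = 2      # amplifying queries per window per source before WARN & DROP
BLACKLIST_IPS = {"198.51.100.66"}   # constructed: dropped before any rate limiting
WHITELIST_IPS = {"192.0.2.10"}      # constructed: passed before any rate limiting


class WindowCounter:
    """Sliding-window event counter keyed by source address."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.events = defaultdict(deque)

    def hit(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events older than the window
            q.popleft()
        return len(q)


class AdpLikeFilter:
    """Evaluates one query-log line at a time and returns (verdict, source)."""

    def __init__(self):
        self.udp_flood = WindowCounter()
        self.large_udp = WindowCounter()
        self.amplifying = WindowCounter()
        self.blocked = set()

    def classify(self, line):
        m = LOG_RE.match(line)
        if not m:   # anything the parser rejects is a protocol anomaly: drop it
            return ("PROTOCOL_ANOMALY_DROP", None)
        f = m.groupdict()
        src, ts = f["src"], float(f["ts"])
        qlen, rlen = int(f["qlen"]), int(f["rlen"])
        # List checks run before rate limiting, as the rule names on the slide say.
        if src in BLACKLIST_IPS:
            return ("BLACKLIST_DROP", src)
        if src in WHITELIST_IPS:
            return ("WHITELIST_PASS", src)
        if src in self.blocked:
            return ("BLOCKED", src)
        verdict = "PASS"
        if f["proto"] == "UDP":
            # WARN & BLOCK high rate inbound UDP DNS queries
            if self.udp_flood.hit(src, ts) > UDP_FLOOD_LIMIT:
                self.blocked.add(src)
                return ("WARN_BLOCK_UDP_FLOOD", src)
            # RATELIMIT high rate inbound large UDP DNS queries (anti tunneling)
            if qlen >= LARGE_QUERY_BYTES and self.large_udp.hit(src, ts) > LARGE_QUERY_LIMIT:
                verdict = "RATELIMIT_LARGE_UDP_QUERY"
        # WARN & DROP possible reflection/amplification: small queries for record
        # types that return large answers, repeated from one source.
        if f["qtype"] in AMPLIFYING_QTYPES and rlen >= AMPLIFICATION_RATIO * qlen:
            if self.amplifying.hit(src, ts) > AMPLIFICATION_LIMIT:
                verdict = "WARN_DROP_REFLECTION"
        return (verdict, src)


def run(log_text):
    """Classify every non-empty line of a log; returns a list of (verdict, src)."""
    flt = AdpLikeFilter()
    return [flt.classify(line) for line in log_text.splitlines() if line.strip()]


# Constructed sample log: a normal client, a blacklisted and a whitelisted host, an
# ANY-query reflection source, a tunnel-sized query stream, a UDP flood, the
# reflection source again after its window expired, and one garbled line.
SAMPLE_LOG = """\
1700000000.00 203.0.113.5 UDP A www.example.com. qlen=45 rlen=61
1700000000.10 203.0.113.5 UDP A mail.example.com. qlen=46 rlen=62
1700000000.20 198.51.100.66 UDP A www.example.com. qlen=45 rlen=61
1700000000.30 192.0.2.10 UDP ANY example.com. qlen=40 rlen=3100
1700000000.40 203.0.113.9 UDP ANY isc.org. qlen=36 rlen=3500
1700000000.41 203.0.113.9 UDP ANY isc.org. qlen=36 rlen=3500
1700000000.42 203.0.113.9 UDP ANY isc.org. qlen=36 rlen=3500
1700000000.50 203.0.113.7 UDP A aGVsbG8gd29ybGQgdGhpcyBpcyBhIHR1bm5lbA.t.example.net. qlen=240 rlen=260
1700000000.51 203.0.113.7 UDP A aGVsbG8gd29ybGQgdGhpcyBpcyBhIHR1bm5lbB.t.example.net. qlen=240 rlen=260
1700000001.00 203.0.113.8 UDP A a1.example.org. qlen=40 rlen=56
1700000001.01 203.0.113.8 UDP A a2.example.org. qlen=40 rlen=56
1700000001.02 203.0.113.8 UDP A a3.example.org. qlen=40 rlen=56
1700000001.03 203.0.113.8 UDP A a4.example.org. qlen=40 rlen=56
1700000001.04 203.0.113.8 UDP A a5.example.org. qlen=40 rlen=56
1700000003.00 203.0.113.9 UDP ANY isc.org. qlen=36 rlen=3500
this is not a dns log line
"""

if __name__ == "__main__":
    for verdict, src in run(SAMPLE_LOG):
        print(f"{src!s:16} {verdict}")
```

Two design points carry over to real deployments: the list checks run before any counter is touched, so a whitelisted monitoring host is never throttled and a blacklisted source never consumes counter state, and the amplification rule keys on the response/query size ratio rather than on the query type alone, because an ANY query for a tiny zone is not an amplifier while a TXT or DNSKEY query for a large signed zone is.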

DNSSEC

The DNS Security Extensions, or DNSSEC, use asymmetric cryptography to "digitally sign" DNS zone data. This provides:
- Authentication of DNS data ("Was this data signed by the administrator of the zone?")
- Integrity checking of DNS data ("Is this the same data that was signed by the administrator of the zone?")

This protects against cache poisoning, but not against anything else. DNSSEC does not encrypt queries or answers, and it does nothing to stop the volumetric attacks discussed earlier; the larger signed responses (DNSKEY, RRSIG) actually make a signed zone a more attractive amplifier, which is one reason rate limiting is still needed on a signed authoritative server.

DNSSEC Validation

In DNSSEC validation, a recursive name server verifies all of the signatures from the answer back to the closest trust anchor (a public key it knows and trusts). When DNSSEC is fully deployed, the only trust anchor necessary will be the root's public key.

Validation can take a lot of steps, assuming a cold cache. For www.isc.org the chain in the diagram is:
1. The A record for www.isc.org is signed by the RRSIG record covering www.isc.org/A, which is verified by the (ZSK) DNSKEY record for isc.org.
2. The isc.org ZSK is signed by the RRSIG record covering isc.org/DNSKEY, which is verified by the (KSK) DNSKEY record for isc.org.
3. The isc.org KSK is verified by the DS record for isc.org (published in org), which is signed by the RRSIG record covering isc.org/DS, verified by the (ZSK) DNSKEY record for org.
4. The org ZSK is signed by the RRSIG record covering org/DNSKEY, which is verified by the (KSK) DNSKEY record for org.
5. The org KSK is verified by the DS record for org (published in the root), which is signed by the RRSIG record covering org/DS, verified by the (ZSK) DNSKEY record for the root (.).
6. The root ZSK is signed by the RRSIG record covering ./DNSKEY, which is verified by the (KSK) DNSKEY record for the root, the trust anchor.
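The delegation links in that chain (a parent's DS record vouching for the child's KSK, and the root KSK matching the resolver's configured trust anchor) can be checked with nothing but a hash function, and getting them wrong is the usual cause of a zone going bogus after a key rollover. The Python below is an added example, not code from the webinar, ISC or Infoblox: it computes key tags (RFC 4034 Appendix B) and DS digests (RFC 4034 section 5.1.4 and RFC 4509), then walks a constructed isc.org -> org -> root chain the way the diagram does. It does not verify RRSIGs, which needs the zone's public-key algorithm from a crypto library; the zone names are taken from the slide, but the flags, algorithm and key bytes are placeholders.

```python
import hashlib
import hmac
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased labels plus the root label."""
    name = name.lower().rstrip(".")
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            wire += struct.pack("B", len(raw)) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not the RSA/MD5 special case)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # RFC 4034, 4509, 6605


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), upper-case hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, dnskey, digest_type=2):
    """The DS tuple (key tag, algorithm, digest type, digest) a parent publishes for a child KSK."""
    rdata = dnskey_rdata(*dnskey)
    return (key_tag(rdata), dnskey[2], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(owner, ds, dnskey):
    """RFC 4035 section 5.2 delegation check: Zone Key flag, algorithm, key tag and digest."""
    tag, alg, dtype, digest = ds
    flags, _, algorithm, _ = dnskey
    if not flags & 0x0100 or alg != algorithm or dtype not in DIGESTS:
        return False
    rdata = dnskey_rdata(*dnskey)
    if tag != key_tag(rdata):
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, dtype), digest.upper())


def validate_chain(zone, zones, published_ds, trust_anchor):
    """Walk from `zone` up to the root; each DS must vouch for the child KSK, and the
    root KSK must match the configured trust anchor. Stops at the first broken link."""
    results = []
    while True:
        ksk, parent = zones[zone]["ksk"], zones[zone]["parent"]
        if parent is None:
            ok = ds_matches(zone, trust_anchor, ksk)
            results.append((zone, "trust-anchor-ok" if ok else "BOGUS"))
            return results
        ok = any(ds_matches(zone, ds, ksk) for ds in published_ds.get(zone, []))
        results.append((zone, "DS-ok" if ok else "BOGUS"))
        if not ok:
            return results
        zone = parent


def with_ksk(zones, zone, pubkey):
    """Copy of `zones` with one zone's KSK key bytes swapped (simulates an unpublished rollover)."""
    flags, proto, alg, _ = zones[zone]["ksk"]
    return {**zones, zone: {"ksk": (flags, proto, alg, pubkey), "parent": zones[zone]["parent"]}}


# Constructed zones: flags 257 = Zone Key + SEP (a KSK), protocol 3, algorithm 13
# (ECDSAP256SHA256). The key bytes are placeholders, not real public keys.
ZONES = {
    ".":       {"ksk": (257, 3, 13, b"\x01" * 64), "parent": None},
    "org":     {"ksk": (257, 3, 13, b"\x02" * 64), "parent": "."},
    "isc.org": {"ksk": (257, 3, 13, b"\x03" * 64), "parent": "org"},
}
# DS records as each parent would publish them, and the resolver's root trust anchor.
PUBLISHED_DS = {z: [ds_record(z, r["ksk"])] for z, r in ZONES.items() if r["parent"]}
TRUST_ANCHOR = ds_record(".", ZONES["."]["ksk"])

if __name__ == "__main__":
    for zone, status in validate_chain("isc.org", ZONES, PUBLISHED_DS, TRUST_ANCHOR):
        print(f"{zone:10} {status}")
    print("after an org KSK change the parent has not published:")
    for zone, status in validate_chain("isc.org", with_ksk(ZONES, "org", b"\x99" * 64), PUBLISHED_DS, TRUST_ANCHOR):
        print(f"{zone:10} {status}")
```

The second run shows what a validating resolver sees when a zone rolls its KSK before the parent publishes the new DS: the link at org fails, every name under it goes bogus, and clients get SERVFAIL. A real resolver also has to verify the RRSIG over each DNSKEY and DS RRset at every step, which is the cryptographic half of the chain this example leaves to the library.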
