August 14th, 2018 PRESENTED BY:

APPLICATION LAYER ATTACKS (bar chart of attacks by protocol; axis ticks omitted). DNS is the second most targeted protocol after HTTP. DNS DoS techniques range from:
- flooding requests to a given host;
- reflection attacks against DNS infrastructure;
- reflection/amplification attacks;
- DNS cache poisoning attempts.
Cybercrime is a persistent threat in today's world and, despite best efforts, no business is immune. (Network Solutions)

TRADITIONAL DDoS MITIGATION (bar chart; axis ticks omitted). Of the customers that mitigate DDoS attacks, many choose a technique that inhibits the ability of DNS to do its job:
- DNS is based on UDP;
- DNS DDoS often uses spoofed sources;
- using an ACL blocks legitimate clients;
- DNS attacks use massive volumes of source addresses, breaking many firewalls.

Three classes of DNS attack:
- Volumetric: brute force / flood attacks.
- Protocol: crafted to sit inside the RFCs as valid requests, but with a different motive.
- Malformed: designed to consume CPU and misuse resources.

Top 10 DNS Attacks
1. Phantom Domain Attacks
2. NX Domain Attacks
3. Random Subdomain Attacks
4. Lock Up Domain Attacks
5. Reflection Attacks
6. Amplification Attacks
7. DNS Tunneling Attacks
8. Malformed Packet Attacks
9. Cache Poisoning Attacks
10. UDP Flood Attacks

1. Phantom Domain Attacks
Attack: In a phantom domain attack, the DNS resolver is forced to resolve multiple phantom domains that have been set up as part of the attack. Phantom domains simply do not send responses, causing the server to consume resources while waiting for responses.
Mitigation: BIG-IP will time out the connection and release the requests in the queue. Also, common requests to a domain name can be controlled by QPS (queries per second) per domain. This can be done with simple iRules.

2. NX Domain Attacks
Attack: In this attack, a flood of invalid requests causes a resolver's cache to fill up with NXDOMAIN results, slowing DNS for other users. The DNS server also spends valuable resources as it keeps trying to repeat the recursive query to get a resolution result.
Mitigation: These are valid requests, so identify IP addresses whose requests result in NXDOMAIN and rate limit the number of requests per IP and globally. This is commonly done with an iRule.

3. Random Subdomain Attacks
(Diagram: attackers and web bots send queries such as <randomstring>.www.example.com and <anotherstring>.www.example.com, names that do not exist under the existing www.example.com, through open resolvers to the target site; the target's DNS then emits an increased volume of outbound NXDOMAIN and SERVFAIL responses.)
Attack: In random subdomain attacks, the attacker commonly uses legitimate domains and tries to exhaust the number of outstanding concurrent DNS queries by flooding the DNS server with requests for multiple nonexistent domains using randomly generated subdomain strings.
Mitigation: Can be mitigated via the iRule found here: https://devcentral.f5.com/wiki/irules.codeshare.ashx
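The per-IP and global NXDOMAIN rate limiting described for NX domain attacks, together with a random-subdomain heuristic for the attack on this slide, as an added Python example run over constructed resolver log lines. This is not F5 or iRule code; the log format, the thresholds and the parent_zone() approximation are assumptions made for the demo.

```python
"""Detect NXDOMAIN floods and random-subdomain attacks in resolver logs.

Added example, not F5 or iRule code. Log lines use a constructed format
"<epoch> <client_ip> <qname> <rcode>"; a real BIG-IP or BIND log would
need its own parse_line(). Thresholds are demo assumptions.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10          # sliding window for all counters
PER_CLIENT_NX_LIMIT = 5      # NXDOMAIN answers one client may cause per window
GLOBAL_NX_LIMIT = 6          # NXDOMAIN answers across all clients per window
RANDOM_LABEL_LIMIT = 4       # distinct non-existent subdomains under one parent


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return int(ts), client, qname.lower().rstrip("."), rcode


def parent_zone(qname):
    """Last two labels, e.g. 'x.www.example.com' -> 'example.com'.
    A real deployment would consult the public suffix list instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


class NxdomainMonitor:
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.per_client = defaultdict(deque)        # client -> NXDOMAIN timestamps
        self.global_hits = deque()                  # all NXDOMAIN timestamps
        self.labels_per_parent = defaultdict(dict)  # parent -> {subdomain: last_ts}

    def _expire(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, line):
        """Return verdicts for one log line; an empty list means no action."""
        now, client, qname, rcode = parse_line(line)
        if rcode != "NXDOMAIN":
            return []                               # successful answers are never limited
        verdicts = []
        client_hits = self.per_client[client]
        client_hits.append(now)
        self._expire(client_hits, now)
        self.global_hits.append(now)
        self._expire(self.global_hits, now)
        if len(client_hits) > PER_CLIENT_NX_LIMIT:
            verdicts.append(f"rate-limit client {client}")
        if len(self.global_hits) > GLOBAL_NX_LIMIT:
            verdicts.append("rate-limit globally")
        # Random-subdomain heuristic: many distinct missing names under one parent.
        parent = parent_zone(qname)
        sub = qname[: -len(parent)].rstrip(".")
        if sub:
            seen = self.labels_per_parent[parent]
            seen[sub] = now
            for stale in [s for s, t in seen.items() if now - t > self.window]:
                del seen[stale]
            if len(seen) > RANDOM_LABEL_LIMIT:
                verdicts.append(f"random-subdomain attack on {parent}")
        return verdicts


def run(lines):
    """Feed lines through one monitor; return {line_index: verdicts} for flagged lines."""
    monitor = NxdomainMonitor()
    flagged = {}
    for index, line in enumerate(lines):
        verdicts = monitor.observe(line)
        if verdicts:
            flagged[index] = verdicts
    return flagged


# Constructed sample: one busy client hammering random names under example.com
# and one innocent client making a single typo.
SAMPLE_LOG = [
    "1000 10.0.0.5 www.example.com NOERROR",
    "1001 10.0.0.5 mail.example.com NOERROR",
    "1002 198.51.100.7 a1b2c3.www.example.com NXDOMAIN",
    "1002 198.51.100.7 d4e5f6.www.example.com NXDOMAIN",
    "1003 198.51.100.7 g7h8i9.www.example.com NXDOMAIN",
    "1003 198.51.100.7 j0k1l2.www.example.com NXDOMAIN",
    "1004 198.51.100.7 m3n4o5.www.example.com NXDOMAIN",
    "1004 198.51.100.7 p6q7r8.www.example.com NXDOMAIN",
    "1005 10.0.0.9 typo.example.org NXDOMAIN",
]

if __name__ == "__main__":
    for index, verdicts in run(SAMPLE_LOG).items():
        print(index, SAMPLE_LOG[index], "->", verdicts)
```

Note how the global limit also catches the innocent typo from 10.0.0.9 on the last line: the slide's point that these are valid requests is exactly why the per-client limit and the per-parent heuristic should act first, with the global limit as a last resort when the resolver is saturated.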

4. Lock Up Domain Attacks
Attack: Deliberately slow resolvers and domains are set up by attackers to establish TCP-based connections with DNS resolvers that request a response. These malicious resolvers instead keep the victim server engaged with random packets.
Mitigation: Connection management can be set on the resolver queue to expect responses within a defined time period (part of the DNS profile). Plus, protocol validation will remove all malformed packets at the interface so they are never processed.

5. Reflection Attacks
(Diagram: attacker, web bots and open resolvers reflecting traffic toward Spamhaus.)
Attack: A reflection attack was used against an anti-spam company called Spamhaus. The attacker was found to be a company called Cyberbunker. By spoofing Spamhaus's IP address, they were able to point nearly 300 Gbps of traffic at them. Cyberbunker only used around a thousand bots to take Spamhaus down.
Mitigation: Spamhaus hired Cloudflare to set up IP Anycast servers around Europe to spread the load.

6. Amplification Attacks
By spoofing a UDP source address, attackers can target a common source. By requesting large record types (ANY, DNSSEC, etc.), a 36-byte request can result in a response over 100 times larger. (Diagram: spoofed queries whose amplified responses are directed at the target site.) BIG-IP supports DNS type ACLs: only allow the DNS types you need to support; drop all unsolicited responses (default behavior); identify unusually high traffic patterns to specific clients via DNS DoS profiles.
Attack: A sophisticated attack is the amplification attack. The attacker researches what request will get the largest response. Some requests, like the ANY record type or a DNSSEC request, can yield responses 100 times larger. Once the query is chosen, the attacker spoofs the address of the target site and floods it with these responses.
Mitigation: BIG-IP by default drops all unsolicited replies and allows custom DNS-type ACLs to permit only the types you need to support.
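A DNS-type ACL and an unsolicited-response drop of the kind this slide describes, as an added Python example working on raw DNS messages. It is not BIG-IP's implementation; the allowlist, the build_query() and as_response() helpers and the sample names are assumptions for the demo.

```python
"""DNS query-type ACL and unsolicited-response drop on raw DNS messages.

Added example; not BIG-IP's implementation. It builds and parses the
question section of a DNS message (RFC 1035 header and name encoding) and
decides, like a type ACL, whether to admit a query. The allowlist below is
a demo assumption for a site that serves only ordinary web records.
"""
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16,
         "AAAA": 28, "RRSIG": 46, "DNSKEY": 48, "ANY": 255}
QTYPE_NAME = {code: name for name, code in QTYPE.items()}

# Assumed policy: everything else (ANY, DNSKEY, RRSIG, ...) is dropped.
ALLOWED_QTYPES = {QTYPE[t] for t in ("A", "AAAA", "MX", "NS", "SOA")}


def encode_name(qname):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    """One-question standard query with RD set, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def as_response(packet):
    """Flip the QR bit so the message claims to be a response (demo helper)."""
    return packet[:2] + bytes([packet[2] | 0x80]) + packet[3:]


def parse_question(packet):
    """Return (qname, qtype) of the first question, or raise ValueError."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:                     # compression pointers or illegal lengths
            raise ValueError("bad label length")
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype


def acl_decision(packet, allowed=ALLOWED_QTYPES):
    """'allow', 'drop:unsolicited-response', 'drop:malformed' or 'drop:type:<T>'."""
    if len(packet) < 12:
        return "drop:malformed"
    flags = struct.unpack("!H", packet[2:4])[0]
    if flags & 0x8000:                      # QR=1 arriving on the query path
        return "drop:unsolicited-response"
    try:
        _, qtype = parse_question(packet)
    except (ValueError, UnicodeDecodeError):
        return "drop:malformed"
    if qtype in allowed:
        return "allow"
    return f"drop:type:{QTYPE_NAME.get(qtype, qtype)}"


def amplification_factor(request_len, response_len):
    """Bytes delivered to the victim per byte the attacker sends."""
    return response_len / request_len


if __name__ == "__main__":
    for name, qtype in (("example.com", QTYPE["A"]), ("example.com", QTYPE["ANY"])):
        q = build_query(name, qtype)
        print(name, QTYPE_NAME[qtype], len(q), "bytes ->", acl_decision(q))
    print("36-byte query, 3600-byte answer:", amplification_factor(36, 3600), "x")
```

The order of checks matters: a message is rejected as an unsolicited response before any parsing, malformed questions are rejected before the type lookup, and only then is the allowlist consulted, so a crafted packet never reaches the more expensive stages.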

7. DNS Tunneling Attacks
Attack: With DNS tunneling, another protocol is encapsulated in a DNS request/answer. This can be used with nearly any protocol the hacker wishes to use, but is most commonly used for HTTP traffic. DNS tunneling software can easily be found on the Internet.
Mitigation: RPZ can be utilized to block traffic to known endpoints, as well as an iRule to look for oversized return traffic.
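Detection of oversized DNS return traffic, generalized with two companion tunneling traits (long, high-entropy subdomain labels and a TXT/NULL-heavy query mix) that go beyond what the slide states, as an added Python example that is not BIG-IP or iRule code. The records, the thresholds and the function names are constructed for the demo.

```python
"""Heuristics for spotting DNS tunneling in resolver telemetry.

Added example, not BIG-IP or iRule code. Beyond the oversized return
traffic the text mentions, it also scores two companion traits common to
tunnels: long, high-entropy subdomain labels and a high share of TXT/NULL
queries to one zone. Records and thresholds are constructed for the demo.
"""
import math
from collections import Counter

MAX_NORMAL_RESPONSE = 512   # bytes; answers above the classic UDP payload size are rare for web names
MAX_NORMAL_LABEL = 30       # characters; hostnames seldom exceed this
ENTROPY_THRESHOLD = 3.5     # bits/char; encoded payloads score far higher than hostnames
TUNNEL_QTYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or uniform text)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def subdomain_part(qname, zone):
    """Labels of qname below zone: ('abc.t.example.net', 't.example.net') -> 'abc'."""
    qname, zone = qname.lower().rstrip("."), zone.lower().rstrip(".")
    if qname == zone:
        return ""
    if not qname.endswith("." + zone):
        raise ValueError(f"{qname} is not under {zone}")
    return qname[: -len(zone) - 1]


def score_record(rec, zone):
    """Reasons one query/response record under `zone` looks tunnel-like."""
    reasons = []
    if rec["response_bytes"] > MAX_NORMAL_RESPONSE:
        reasons.append("oversized-response")
    sub = subdomain_part(rec["qname"], zone)
    longest = max((len(label) for label in sub.split(".")), default=0)
    if longest > MAX_NORMAL_LABEL:
        reasons.append("long-label")
    if shannon_entropy(sub.replace(".", "")) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons


def assess_zone(records, zone):
    """Aggregate all records under `zone` into a small verdict summary."""
    zone = zone.lower().rstrip(".")
    suspicious, queries, tunnel_qtype = {}, 0, 0
    for rec in records:
        name = rec["qname"].lower().rstrip(".")
        if name != zone and not name.endswith("." + zone):
            continue
        queries += 1
        if rec["qtype"].upper() in TUNNEL_QTYPES:
            tunnel_qtype += 1
        reasons = score_record(rec, zone)
        if reasons:
            suspicious[name] = reasons
    share = tunnel_qtype / queries if queries else 0.0
    return {"zone": zone, "queries": queries, "suspicious": suspicious,
            "tunnel_qtype_share": share}


def is_likely_tunnel(summary):
    """Two suspicious names, or one plus a TXT/NULL-heavy query mix, trips the alert."""
    hits = len(summary["suspicious"])
    return hits >= 2 or (hits >= 1 and summary["tunnel_qtype_share"] >= 0.5)


# Constructed records: ordinary web lookups for example.com and a client
# pushing encoded data through t.example.net.
SAMPLE_RECORDS = [
    {"client": "10.0.0.5", "qname": "www.example.com", "qtype": "A", "response_bytes": 60},
    {"client": "10.0.0.5", "qname": "mail.example.com", "qtype": "MX", "response_bytes": 90},
    {"client": "10.0.0.8", "qname": "abcdefghijklmnopqrstuvwxyz234567.t.example.net",
     "qtype": "TXT", "response_bytes": 1400},
    {"client": "10.0.0.8", "qname": "q8zk2m7v3pw5n1xr4jt6.t.example.net",
     "qtype": "TXT", "response_bytes": 48},
    {"client": "10.0.0.8", "qname": "t.example.net", "qtype": "NS", "response_bytes": 70},
]

if __name__ == "__main__":
    for zone in ("example.com", "t.example.net"):
        summary = assess_zone(SAMPLE_RECORDS, zone)
        print(zone, "likely tunnel:", is_likely_tunnel(summary), summary["suspicious"])
```

Response size alone is a weak signal because legitimate DNSSEC or large TXT answers also exceed 512 bytes, which is why the verdict combines it with the name and query-type traits per zone rather than alerting on single records.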

8. Malformed Packet Attacks
(Diagram: the BIG-IP DNS processing path from clients, over IPv4/IPv6 and TCP/UDP, through protocol validation and ACLs, then DNSSEC, iRules, GSLB, DNS Express, the caching resolver, DNS 6-4 and a DNS load-balancing pool of BIND servers.) The BIG-IP system drops malformed DNS packets, and allows you to configure how you track such attacks.
Attack: Malformed packets can be used as an attack. The attacker sends these malformed packets hoping to consume CPU cycles on the DNS server, limiting or completely interrupting its ability to answer legitimate queries.
Mitigation: BIG-IP thwarts these attempts by using a protocol validation engine at the very beginning of the HUD filter. There is also configurable logging to allow the customer to track such attempts.

Implement F5 DNS Express
(Diagram: authoritative DNS servers, managed by administrators with auth roles and fed by dynamic DNS/DHCP updates, transfer their zones to DNS Express on BIG-IP, which answers DNS queries from devices on the Internet.)

Scale DNS 200% for App Growth and Denial of Service Protection
Traditional DNS delivery: Internet, firewall, local load balancing, DNS servers at 75,000 RPS per DNS server. The traditional way to increase DNS capacity is to add more DNS servers and load balance between them: only 75K RPS per server and a lot of OpEx when using BIND.
High performance DNS delivery: Internet, then BIG-IP (20M RPS / 50M RPS) receiving zone transfers from the master DNS for authoritative DNS. F5 paradigm shift, DNS delivery reimagined: hyper-scale up to 200% with Rapid Response, up to 200x a premium DNS server, 500x the performance of BIND.

Problem: Users disrupt DNS infrastructure, either through malicious behavior sending DNS DDoS or unintentionally/unknowingly via bots and malware, causing slow response times and high latency.
Solution: (Diagram: the primary DNS in the data center performs an authoritative zone transfer to BIG-IP in the DMZ, which answers the Internet and fronts the apps.)

(Diagram: devices query example.com; the LDNS resolves it through BIG-IP in the DMZ, in front of the data center DNS servers and apps, and receives 123.123.123.123 plus the public key.)
Simple DNSSEC: protection from cache poisoning and reduced management costs. Ensure trusted DNS queries with real-time or static signed responses. Implement BIG-IP DNS in front of existing DNS servers. Replicate DNS Express and DNSSEC to any BIG-IP with DNS or any other DNS service.

15 steps!!

Regional control improves user experience. (Diagram: BIG-IP DNS with an IP geolocation database in the DMZ directs clients either to the data center BIG-IP Local Traffic Manager or to cloud-hosted apps.)

Response Policy Zone (RPZ): select your service or create your own list. Live feed, domain reputation and live updates to BIG-IP. Mitigate DNS threats by blocking access to malicious IPs. Reduce malware and virus infections. Prevent malware and sites hosting malicious content from ever communicating with a client. Inhibit the threat at the earliest opportunity: Internet activity starts with a DNS request.
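An RPZ QNAME-policy evaluator in the style this slide describes, as an added Python example that is not BIG-IP's RPZ engine or a vendor feed. The policy zone, its entries and the most-specific-match rule are assumptions made for the demo; the CNAME-target conventions (".", "*.", "rpz-drop.", "rpz-passthru.") are the ones used by BIND-style response policy zones.

```python
"""Minimal Response Policy Zone (RPZ) QNAME-trigger evaluator.

Added example; not BIG-IP's RPZ engine or a real feed. The zone below is
constructed in the RPZ convention where the CNAME target encodes the
action: 'CNAME .' = NXDOMAIN, 'CNAME *.' = NODATA, 'CNAME rpz-drop.' = drop,
'CNAME rpz-passthru.' = allow; any other record is local data returned in
place of the real answer. A '*.' owner matches every name below it, and
the most specific match wins (assumption mirroring DNS wildcard rules).
"""

# Constructed policy data; a live feed would replace this text.
RPZ_ZONE = """\
; owner                 type  target
evil.example            CNAME .
*.evil.example          CNAME .
safe.evil.example       CNAME rpz-passthru.
tracker.example         CNAME *.
malware-c2.example      CNAME rpz-drop.
*.malware-c2.example    CNAME rpz-drop.
phish.example           A     192.0.2.1
"""


def parse_rpz(text):
    """Return {owner: (rtype, target)} from zone-file-like lines."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"unsupported RPZ line: {raw!r}")
        owner, rtype, target = fields
        rules[owner.lower().rstrip(".")] = (rtype.upper(), target)
    return rules


def action_for(rtype, target):
    """Map a policy record to (action, local_data)."""
    if rtype == "CNAME":
        special = {".": "NXDOMAIN", "*.": "NODATA",
                   "rpz-drop.": "DROP", "rpz-passthru.": "PASSTHRU"}
        if target.lower() in special:
            return special[target.lower()], None
    return "LOCAL-DATA", f"{rtype} {target}"


def evaluate(qname, rules):
    """Return (matched_owner, action, local_data) for a query name."""
    name = qname.lower().rstrip(".")
    if name in rules:                       # exact owner beats any wildcard
        return (name,) + action_for(*rules[name])
    labels = name.split(".")
    for i in range(1, len(labels)):         # nearest wildcard ancestor first
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return (wildcard,) + action_for(*rules[wildcard])
    return None, "PASSTHRU", None           # no policy: resolve normally


RULES = parse_rpz(RPZ_ZONE)

if __name__ == "__main__":
    for q in ("evil.example", "cdn.evil.example", "safe.evil.example",
              "a.b.malware-c2.example", "tracker.example", "phish.example",
              "www.example.com"):
        print(q, "->", evaluate(q, RULES))
```

The passthru entry for safe.evil.example shows why exact matches must be consulted before wildcards: it is how an operator exempts one legitimate host from a blanket block on its parent without editing the feed.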

BIG-IP DNS and IP Anycast Integration

devcentral.f5.com/codeshare

updated every 5 minutes. Prevents bot command centers.

High-level usage data and inflight DNS query volume information. Customizable fields for log output.

Drill-down capability to identify per-profile query volumes. Covers IPv4, IPv6, and DNS64. Statistics for each engine: DNS Express, cache, DNS64 and unhandled queries. Statistics for each type of DNS query. Statistics can be monitored through the GUI, SNMP, iControl, TMSH and BIG-IQ.

Advanced DNS Analytics: by application, virtual server, query name, query type and client IP.

PROBLEM: Greater threats and volume loads on DNS infrastructure: 26% increase in DDoS attacks, 40% increase in UDP/DNS attacks.* App and site outages affect business viability and revenue: $27 mil. average loss for a 24-hour outage from DDoS.** Enterprises desire to block user access to IPs with malware and viruses. Organizations should invest in protecting their DNS infrastructure. (Gartner***)
CURRENT SOLUTION: Buy more DNS servers to handle the volumes. Buy better DNS load balancing. Route DNS DDoS volumes to an external cloud scrubbing service, but remain unaware of what's dropped. Some vendors offer a DNS firewall, but with only one list and no access to the database.

BIG-IP DNS (formerly Global Traffic Manager)