
The Dyn DDoS Attack

Cricket Liu | Chief DNS Architect


2nd November 2016
2013-2016 Infoblox Inc. All Rights Reserved.
Agenda

The Dyn DDoS attack: What Happened and What Can We Do?

Infoblox Authoritative DNS and DDoS Protection Solutions

Questions and Answers

Friday, October 21st: Mirai Botnet Used to Attack Dyn's Name Servers
Mirai botnet:
- Consists of compromised Internet of Things (IoT) devices: IP CCTV cameras, digital video recorders
- Previously used in a DDoS attack against krebsonsecurity.com, which peaked at 620 Gbps and used GRE traffic

Friday, October 21st: Mirai Botnet Used to Attack Dyn's Name Servers (continued)
Impact:
- Hurled traffic at Dyn's name servers, said to peak at 1.2 Tbps
- Unclear whether it was junk traffic (e.g., SYN, GRE) or legitimate DNS queries
- Name servers rendered unresponsive
- High-profile Dyn customers impacted (a.k.a. the Web)

How Did It Happen?
Mirai botnet estimated to include ~1.5 million IoT devices
Many IoT devices in the botnet ship with a default password
In some cases, the default password cannot be changed easily, or at all
Mirai source code was released publicly in early October

IoT Devices: Easy to Build a Big, Powerful Botnet
- IoT devices are cheap and plentiful, such as IP CCTV cameras
- Because they're cheap, manufacturers skimp on security
- Some require high bandwidth, such as IP CCTV cameras
- Some must be accessible over the Internet, and are therefore easily targeted

What Can We Do?
Use a mixed set of authoritative name servers:
- On-premises name servers
- Hosted name servers
If your DNS hosting provider (or one of its customers) is attacked, recursive name servers on the Internet will notice that the provider's name servers aren't responding and will favor your on-premises name servers.
But beware proprietary features! For example, load balancing: answers the hosting provider synthesizes can't be reproduced by a standard on-premises name server, so only zone data that both sets can serve identically is protected by this arrangement.

Homogeneous Authoritative Name Servers

[Diagram: malware floods the DNS hosting provider, which runs both ns1 and ns2; the legitimate querier has no other servers to fall back on]

             ns1      ns2
Normal RTT   17 ms    12 ms
Duress RTT   999 ms   911 ms

Heterogeneous Authoritative Name Servers

[Diagram: malware floods the DNS hosting provider's ns1.provider and ns2.provider; the on-premises ns1.corp and ns2.corp are unaffected]

             ns1.provider   ns2.provider   ns1.corp   ns2.corp
Normal RTT   17 ms          12 ms          53 ms      61 ms
Duress RTT   999 ms         911 ms         53 ms      61 ms
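The two tables assume that recursive name servers keep a per-server round-trip estimate and steer queries toward whichever authoritative server is answering fastest. The toy model below, added for this page (it is not code from the talk, and not the exact server-selection code of BIND or Unbound), feeds the RTTs from the heterogeneous table through such a loop and counts which servers end up answering. The 800 ms timeout, the 0.99 per-query ageing factor and the smoothing weights are assumptions chosen to keep the model small.

```python
"""
Toy model of a recursive resolver choosing among a zone's authoritative
name servers by smoothed round-trip time (SRTT). Added illustration; not
BIND's or Unbound's algorithm. It keeps the three behaviours the argument
needs: prefer the lowest SRTT, treat a very slow answer as a timeout and
penalize that server, and slowly age unused servers so they are re-probed.
"""

TIMEOUT_MS = 800.0   # assumed resolver query timeout
AGE_FACTOR = 0.99    # assumed per-query decay applied to servers not used

# RTTs taken from the "Heterogeneous Authoritative Name Servers" table
NORMAL_RTT_MS = {"ns1.provider": 17, "ns2.provider": 12,
                 "ns1.corp": 53, "ns2.corp": 61}
DURESS_RTT_MS = {"ns1.provider": 999, "ns2.provider": 911,
                 "ns1.corp": 53, "ns2.corp": 61}


class ResolverSrtt:
    def __init__(self):
        self.srtt = {}   # server name -> smoothed RTT in ms

    def pick(self, servers):
        # a server never tried has no SRTT yet; treat it as 0 so it gets probed once
        return min(servers, key=lambda s: self.srtt.get(s, 0.0))

    def record(self, server, rtt_ms):
        if rtt_ms >= TIMEOUT_MS:
            # timed out: double the estimate so this server drops to the back
            prev = self.srtt.get(server, TIMEOUT_MS)
            self.srtt[server] = max(prev, TIMEOUT_MS) * 2
        else:
            # exponential smoothing, weighted toward the fresh measurement
            prev = self.srtt.get(server, rtt_ms)
            self.srtt[server] = 0.3 * prev + 0.7 * rtt_ms

    def age(self, servers, used):
        # servers that were not used look a little better each query,
        # so a recovered server is eventually re-probed
        for s in servers:
            if s != used and s in self.srtt:
                self.srtt[s] *= AGE_FACTOR


def simulate(rtt_by_server, n_queries):
    """Return how many of n_queries each authoritative server answered."""
    resolver = ResolverSrtt()
    servers = list(rtt_by_server)
    counts = dict.fromkeys(servers, 0)
    for _ in range(n_queries):
        chosen = resolver.pick(servers)
        counts[chosen] += 1
        resolver.record(chosen, rtt_by_server[chosen])
        resolver.age(servers, chosen)
    return counts


def share(counts, suffix):
    """Fraction of all queries answered by servers whose name ends in suffix."""
    total = sum(counts.values())
    return sum(c for s, c in counts.items() if s.endswith(suffix)) / total


if __name__ == "__main__":
    for label, rtts in (("normal", NORMAL_RTT_MS), ("duress", DURESS_RTT_MS)):
        counts = simulate(rtts, 1000)
        print(label, counts, f"provider share {share(counts, '.provider'):.2f}")
```

Under normal conditions almost every query lands on the faster hosted servers; under duress the first timeout on each provider server pushes it to the back of the list and the on-premises servers carry the load, with the provider servers re-probed only occasionally. This is the whole benefit of a heterogeneous NS set, and it only materializes if both sets actually answer for the zone.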

What Else Can We Do?
- Use authoritative name servers that resist DDoS attacks: these can resist non-volumetric attacks (more on these later)
- Use Response Policy Zones to cut off infected devices from command-and-control servers. Do your part!
- Use Response Policy Zones to hardwire critical name-to-address mappings in the event of another DDoS attack
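Both Response Policy Zone uses above fit in one small policy zone on an internal recursive server. The following zone file is an added example for this page, not material from the talk: the zone name rpz.local, the C2 name under the reserved .test TLD, the partner hostname and the 192.0.2.0/24 and 2001:db8::/32 addresses are all constructed placeholders.

```zone
; rpz.local: a Response Policy Zone for an internal BIND 9 recursive server.
; Added example with constructed names; not from the original slides.
; The zone is loaded like any other primary zone and then declared as a
; policy zone in named.conf:
;   options { response-policy { zone "rpz.local"; }; };
;   zone "rpz.local" { type master; file "rpz.local.db"; };
$TTL 300
$ORIGIN rpz.local.
@                          SOA   localhost. hostmaster.example.net. 2016110201 3600 900 604800 300
                           NS    localhost.

; 1. Cut infected devices off from their command-and-control names.
;    "CNAME ." is the RPZ action that returns NXDOMAIN for the name; the
;    wildcard applies the same action to everything beneath it.
c2.botnet-example.test     CNAME .
*.c2.botnet-example.test   CNAME .

; 2. Hardwire a critical name-to-address mapping. Ordinary A/AAAA records
;    in the policy zone are "local data": the resolver answers with them
;    instead of the (possibly unreachable) authoritative servers' data.
www.partner.example.net    A     192.0.2.10
www.partner.example.net    AAAA  2001:db8::10
```

Three caveats a practitioner will run into. BIND normally recurses before applying a QNAME rule; add `qname-wait-recurse no` to the response-policy statement so the hardwired answer is returned without first waiting on the dead authoritative servers. Rewrites are withheld from DNSSEC-signed answers requested with the DO bit unless `break-dnssec yes` is set. And the pinned records must be removed once the provider recovers, or your users keep getting the pinned address. RPZ hits are logged under BIND's `rpz` logging category, which is also how you find the infected devices; it does nothing for devices that reach their C2 by literal IP address or bypass your resolvers.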

Infoblox Authoritative DNS and DDOS
Protection Solutions

DNS Attacks Are Making Your Infrastructure Work Against You

78%     The most common service targeted by application-layer attacks is now, for the first time, DNS (1)
84%     of reflection/amplification attacks use DNS (1)
>$500   per-minute cost of Internet downtime due to DDoS attacks (2)
$1.5M   average total cost per year to deal with denial-of-service attacks (2)

DDoS attacks can significantly affect service and application availability
Recovery is often complex and labor-intensive

1. Source: Arbor WISR 2016 Report. 2. Ponemon Institute study, The Cost of Denial-of-Service Attacks, March 2015.

Advanced DNS Protection
Maintaining Availability Even Under Attack
- Detect and drop DNS-based attacks such as amplification, reflection, NXDOMAIN
- Share events and alert data with SIEMs via APIs, syslog and SNMP

[Diagram: Cybersecurity Ecosystem Solution Components. Infoblox products: Advanced DNS Protection, Threat Intelligence Services, Reporting & Analytics. Ecosystem products: SIEM.]

Benefits:
- Maximize service uptime and application availability
- Use advanced threat intelligence for automated and up-to-date protection
- Enrich security ecosystem
- Global visibility

Infoblox - Advanced DNS Protection (ADP)
Platform
Protection Against the Widest Range of DNS Attacks
Intelligently defends against the widest range of attacks to ensure resilient and trustworthy DNS services; blocks attacks while continuing to respond to legitimate DNS requests

Adaptation to Threats
Continuously adapts to evolving threats; automatically updates protection without
patching or downtime

Tunable Thresholds
Allows user to fine-tune limits and thresholds based on their unique traffic flow patterns

Global Visibility
Shows Grid members under attack and provides details on attack patterns and times
with reports

Advanced DNS Protection - Fully Integrated into the Infoblox Grid

[Diagram: legitimate traffic and attacks arrive from the Internet at Infoblox External DNS Security appliances; the Infoblox Threat-rule Server delivers automatic updates (Threat Adapt) to the Grid Master, which distributes rules grid-wide; appliances send data for reports to the Reporting Server]

1. Advanced DNS Protection receives attacks interspersed with legitimate queries from the Internet
2. It pre-processes the requests to filter out attacks
3. It responds to legitimate DNS requests
4. Attack information is sent to an Infoblox reporting server, which reports on attack types and severity
5. Automatic updates from Infoblox on new threats are propagated to all Advanced Appliances on the Grid

BIND Vulnerability Mitigation with Infoblox
- Infoblox's partnership with ISC enables Infoblox to stay ahead of vulnerabilities
- Tight focus on DNS-related threats means fast turnaround on fixes
Advanced DNS Protection (ADP):
- CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure
- ADP customers were protected by default by existing signatures
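The deck does not publish ADP's signatures, so as an added illustration (not Infoblox's or ISC's code) here is the shape of a "DNS Message Type" rule in front of an authoritative server: parse the query's header and question, and drop TKEY (type 249) queries on a server that has no business receiving them. The packets are constructed inline, and the allow_tkey switch is an assumption standing in for whatever policy the real product exposes. TKEY is also used legitimately by GSS-TSIG (RFC 3645) dynamic updates, typically in Active Directory environments, so such a rule belongs only on servers that do not use it, and it is a stopgap for an unpatched named, not a substitute for the ISC fix.

```python
import struct

# RFC 2930 TKEY: the query type whose handling in named was the subject of
# CVE-2015-5477. Also used legitimately by GSS-TSIG (RFC 3645) dynamic updates.
QTYPE_TKEY = 249
QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 28: "AAAA", 249: "TKEY", 255: "ANY"}
QR_BIT = 0x8000


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(name, qtype, txid=0x1234):
    """Constructed sample packet: a standard recursion-desired query with one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Parse the header and single question of a DNS query; raise ValueError on anything odd."""
    if len(packet) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & QR_BIT:
        raise ValueError("QR set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError(f"QDCOUNT {qdcount} != 1")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # a compression pointer inside a query's question name is abnormal
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"id": txid, "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass}


def message_type_rule(packet, allow_tkey=False):
    """Return ("drop" | "pass", reason) for one inbound UDP payload.

    allow_tkey is an assumed policy knob: leave it False on authoritative
    servers that never do GSS-TSIG dynamic updates.
    """
    try:
        q = parse_question(packet)
    except ValueError as err:
        return "drop", f"malformed: {err}"
    type_name = QTYPE_NAMES.get(q["qtype"], str(q["qtype"]))
    if q["qtype"] == QTYPE_TKEY and not allow_tkey:
        return "drop", f"TKEY query for {q['qname']} (not expected on this server)"
    return "pass", f"{type_name} query for {q['qname']}"


if __name__ == "__main__":
    for pkt in (build_query("www.example.com", 1), build_query("example.com", QTYPE_TKEY)):
        print(message_type_rule(pkt))
```

Malformed packets are dropped rather than passed through, which is the right default for a filter whose job is to keep odd input away from named; the reason string is what you would forward to the SIEM.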

Threat Protection Rule Categories
- DNS Cache Poisoning
- DNS Message Type
- General DDoS
- DNS Protocol Anomalies
- DNS Amplification and Reflection
- Potential DDoS-Related Domains
- Reconnaissance
- DNS Malware
- NTP
- DNS DDoS
- TCP/UDP Flood
- DNS Tunneling
- ICMP
- BGP, OSPF
- DHCP
- Custom Rules: Blacklist, Ratelimit, Whitelist

Global Visibility with Reporting
Intelligence Needed to Take Action

Attack details by category, member, rule, severity, and time


Visibility into source of attacks for blocking, to understand scope and severity
Early identification and isolation of issues for corrective action

Case Study - Large Insurance Company
Problem
Experienced a malware-borne attack on DNS
with 1+ million queries per second
Redundancy problems, DNS outages
Wanted to get rid of Patch Tuesday
Needed to enforce security intelligence

Solution Provided
Maximize uptime and security on DNS
Enforce security policies on firewalls
Integrate threat intelligence feeds

Summary: Key Takeaways
- The attack on Dyn highlights the danger of DNS homogeneity
- The attack also demonstrates the danger Internet of Things devices pose to the Internet, and sets a new standard for large DDoS attacks
- Infoblox offers a purpose-built platform designed to protect against a wide range of DDoS attacks: Advanced DNS Protection

Submit the survey questions,
and you will be entered to win
an autographed DNS and
BIND book by Cricket Liu.

Q&A

