Infoblox - Dyn Attack Webinar
The Dyn DDoS Attack: What Happened and What Can We Do?
2013, 2016 Infoblox Inc. All Rights Reserved.
Friday, October 21st: Mirai Botnet Used to Attack Dyn's Name Servers
Mirai Botnet
Consists of compromised Internet of Things (IoT) devices
IP CCTV cameras
Digital video recorders
Previously used in a DDoS attack against krebsonsecurity.com
Peaked at 620 Gbps
Used GRE traffic
Friday, October 21st: Mirai Botnet Used to Attack Dyn's Name Servers
Impact
How Did It Happen?
Mirai botnet estimated to include ~1.5 million IoT devices
Many IoT devices in the botnet ship with a default password
In some cases, the default password cannot be changed easily, or at all
Mirai source code was released publicly in early October
IoT Devices: Easy to Build a Big, Powerful Botnet
IoT devices are cheap & plentiful
Because they're cheap, manufacturers skimp on security
Some require high bandwidth
Such as IP CCTV cameras
Some must be accessible over the Internet
Such as IP CCTV cameras
And are therefore easily targeted
What Can We Do?
Use a mixed set of authoritative name servers
On-premises name servers
Hosted name servers
If your DNS hosting provider or one of its customers is attacked, recursive name servers on the Internet will notice that they're not responding and will favor your on-premises name servers
But beware proprietary features!
For example, load balancing
Homogeneous Authoritative Name Servers
Diagram labels: Malware, Legitimate querier
              ns1       ns2
Normal RTT    17 ms     12 ms
Duress RTT    999 ms    911 ms
Heterogeneous Authoritative Name Servers
Malware
Normal RTT 17 ms 12 ms 53 ms 61 ms
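The effect described under "What Can We Do?" and in the two RTT slides can be reproduced with a toy model of smoothed-RTT server selection. This is an added example, not code from the webinar or from any resolver; the names onprem1/onprem2, the assignment of the 53 ms and 61 ms figures to on-premises servers, and the smoothing parameters are assumptions.

```python
# RTTs in ms from the slides. Which servers the 53 ms and 61 ms figures belong
# to is not stated; treating them as the on-premises pair is an assumption, as
# are the names "onprem1"/"onprem2".
NORMAL = {"ns1": 17, "ns2": 12, "onprem1": 53, "onprem2": 61}
DURESS = {"ns1": 999, "ns2": 911}  # hosted servers while their provider is attacked

def simulate(servers, queries=2000, attack_at=1000, alpha=0.3, decay=0.98):
    """Toy smoothed-RTT (SRTT) server selection, as a recursive resolver might do.

    Each query goes to the server with the lowest SRTT; its SRTT is then
    blended with the measured RTT, and every other server's SRTT decays so it
    is eventually retried. A simplified model, not any resolver's actual code.
    """
    srtt = {s: 1.0 for s in servers}  # low start so every server is probed once
    sent = {"before": dict.fromkeys(servers, 0), "during": dict.fromkeys(servers, 0)}
    rtts = {"before": [], "during": []}
    for q in range(queries):
        phase = "before" if q < attack_at else "during"
        best = min(srtt, key=srtt.get)
        rtt = NORMAL[best]
        if phase == "during":
            rtt = DURESS.get(best, rtt)  # only the hosted servers slow down
        srtt[best] = (1 - alpha) * srtt[best] + alpha * rtt
        for s in servers:
            if s != best:
                srtt[s] *= decay
        sent[phase][best] += 1
        rtts[phase].append(rtt)
    mean = {p: sum(v) / len(v) for p, v in rtts.items()}
    return sent, mean

def onprem_share(sent):
    """Fraction of during-attack queries answered by the on-premises servers."""
    during = sent["during"]
    return (during.get("onprem1", 0) + during.get("onprem2", 0)) / sum(during.values())

if __name__ == "__main__":
    for label, servers in (("homogeneous", ["ns1", "ns2"]),
                           ("heterogeneous", ["ns1", "ns2", "onprem1", "onprem2"])):
        sent, mean = simulate(servers)
        print(f"{label}: mean RTT before={mean['before']:.0f} ms, "
              f"during={mean['during']:.0f} ms, on-prem share={onprem_share(sent):.0%}")
```

With only hosted servers every query during the attack sees a duress RTT; with the mixed set the model shifts almost all traffic to the slower but responsive on-premises pair, retrying the hosted servers only occasionally.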
What Else Can We Do?
Use authoritative name servers that
resist DDoS attacks
These can resist non-volumetric attacks
More on these later
Infoblox Authoritative DNS and DDOS
Protection Solutions
DNS Attacks Are Making Your Infrastructure
Work Against You
Advanced DNS Protection
Maintaining Availability Even Under Attack
Detect and drop DNS-based attacks such as amplification, reflection, NXDOMAIN
Infoblox - Advanced DNS Protection (ADP)
Platform
Protection Against the Widest Range of DNS Attacks
Intelligently defends against widest range of attacks to ensure resilient and trustworthy
DNS services; blocks attacks while continuing to respond to legitimate DNS requests
Adaptation to Threats
Continuously adapts to evolving threats; automatically updates protection without
patching or downtime
Tunable Thresholds
Allows user to fine-tune limits and thresholds based on their unique traffic flow patterns
Global Visibility
Shows Grid members under attack and provides details on attack patterns and times
with reports
Advanced DNS Protection - Fully Integrated into the Infoblox Grid
1. Advanced DNS Protection receives attacks interspersed with legitimate queries from the Internet
2. It pre-processes the requests to filter out attacks
3. It responds to legitimate DNS requests
4. Attack information is sent to an Infoblox reporting server
Diagram labels: Legitimate Traffic; Infoblox Threat-rule Server; Automatic Updates (Threat Adapt); Infoblox External DNS Security; Grid-wide rule distribution; Grid Master; Data for Reports
BIND vulnerability mitigation with Infoblox
Infoblox's partnership with ISC enables Infoblox to stay ahead of vulnerabilities
Tight focus on DNS-related threats means fast turnaround on fixes
Advanced DNS Protection (ADP)
CVE-2015-5477: An error in handling TKEY
queries can cause named to exit with a
REQUIRE assertion failure
ADP customers were protected by default by
existing signatures
Threat Protection Rule Categories
Global Visibility with Reporting
Intelligence Needed to Take Action
Case Study - Large Insurance Company
Problem
Experienced a malware-borne attack on DNS
with 1+ million queries per second
Redundancy problems, DNS outages
Wanted to get rid of Patch Tuesday
Needed to enforce security intelligence
Solution Provided
Maximize uptime and security on DNS
Enforce security policies on firewalls
Integrate threat intelligence feeds
The attack on Dyn highlights the danger of
DNS homogeneity
Submit the survey questions,
and you will be entered to win
an autographed DNS and
BIND book by Cricket Liu.
Q&A