The Dyn DDoS Attack

Cricket Liu | Chief DNS Architect
2nd November 2016
© 2016 Infoblox Inc. All Rights Reserved.
Agenda

• The Dyn DDoS attack – What Happened and What Can We Do?

• Infoblox Authoritative DNS and DDoS Protection Solutions

• Questions and Answers

Friday, October 21st: Mirai Botnet Used to Attack Dyn’s Name Servers

Mirai Botnet
• Consists of compromised “Internet of Things” (IoT) devices
  – IP CCTV cameras
  – Digital video recorders
• Previously used in a DDoS attack against krebsonsecurity.com
  – Peaked at 620 Gbps
  – Used GRE traffic

Friday, October 21st: Mirai Botnet Used to Attack Dyn’s Name Servers

Impact
• Hurled traffic at Dyn’s name servers
  – Said to peak at 1.2 Tbps
  – Unclear whether it was junk traffic (e.g., SYN, GRE) or legitimate DNS queries
  – Name servers rendered unresponsive
• High-profile Dyn customers impacted
  – A.K.A., the Web

How Did It Happen?
• Mirai botnet estimated to include ~1.5 million IoT devices
• Many IoT devices in the botnet ship with a default password
  – In some cases, the default password cannot be changed easily, or at all
• Mirai source code was released publicly in early October

IoT Devices: Easy to Build a Big, Powerful Botnet
• IoT devices are cheap & plentiful
  – Such as IP CCTV cameras
  – Because they’re cheap, manufacturers skimp on security
• Some require high bandwidth
• Some must be accessible over the Internet
  – Such as IP CCTV cameras
  – And are therefore easily targeted

What Can We Do?
• Use a mixed set of authoritative name servers
  – On-premises name servers
  – Hosted name servers
  – If your DNS hosting provider or one of its customers is attacked, recursive name servers on the Internet will notice that they’re not responding and will favor your on-premises name servers
• But beware proprietary features!
  – For example, load balancing

Homogeneous Authoritative Name Servers

[Diagram: malware-infected hosts flood the DNS hosting provider’s name servers; a legitimate querier depends on those same servers]

              ns1      ns2
Normal RTT   17 ms    12 ms
Duress RTT  999 ms   911 ms

Heterogeneous Authoritative Name Servers

[Diagram: malware-infected hosts flood the DNS hosting provider’s name servers; the zone is also served by on-premises name servers that are not under attack]

              ns1.provider   ns2.provider   ns1.corp   ns2.corp
Normal RTT         17 ms          12 ms        53 ms      61 ms
Duress RTT        999 ms         911 ms        53 ms      61 ms
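The mechanism behind the "What Can We Do?" slide and the two RTT tables is that a recursive name server keeps a smoothed round-trip time (SRTT) per authoritative server and prefers the fastest one, charging a penalty to servers that time out. The following is an added example, not code from the deck or from Infoblox: a toy resolver that applies that rule to the slide’s RTT figures. The SRTT blend, the timeout and the penalty values are assumptions chosen for illustration, not any real resolver’s exact algorithm (real resolvers also decay the penalty over time so the provider’s servers are retried once the attack ends).

```python
"""Toy model of resolver server selection by smoothed RTT (added example)."""

TIMEOUT_MS = 800           # assumption: give up on one server after this long
TIMEOUT_PENALTY_MS = 2000  # assumption: sample charged to a server that timed out
ALPHA = 0.5                # assumption: weight of the newest sample in the SRTT

# RTT figures from the slides (ms). "normal" = no attack,
# "duress" = the hosting provider is under DDoS.
HOMOGENEOUS = {
    "normal": {"ns1": 17, "ns2": 12},
    "duress": {"ns1": 999, "ns2": 911},
}
HETEROGENEOUS = {
    "normal": {"ns1.provider": 17, "ns2.provider": 12, "ns1.corp": 53, "ns2.corp": 61},
    "duress": {"ns1.provider": 999, "ns2.provider": 911, "ns1.corp": 53, "ns2.corp": 61},
}


def resolve_once(srtt, actual_rtt):
    """Try servers in ascending SRTT order until one answers within TIMEOUT_MS.

    Returns (answering_server or None, total_ms_spent). The SRTT table is
    updated in place: a timeout blends in TIMEOUT_PENALTY_MS, an answer
    blends in the measured RTT.
    """
    spent = 0
    for server in sorted(srtt, key=srtt.get):
        rtt = actual_rtt[server]
        if rtt > TIMEOUT_MS:
            spent += TIMEOUT_MS
            srtt[server] = (1 - ALPHA) * srtt[server] + ALPHA * TIMEOUT_PENALTY_MS
            continue
        spent += rtt
        srtt[server] = (1 - ALPHA) * srtt[server] + ALPHA * rtt
        return server, spent
    return None, spent


def simulate(ns_set, queries=5):
    """Start from SRTTs learned under normal conditions, then run `queries`
    lookups while the provider is under duress. Returns [(server, ms), ...]."""
    srtt = dict(ns_set["normal"])
    return [resolve_once(srtt, ns_set["duress"]) for _ in range(queries)]


if __name__ == "__main__":
    for label, ns_set in (("homogeneous", HOMOGENEOUS), ("heterogeneous", HETEROGENEOUS)):
        print(label)
        for server, ms in simulate(ns_set):
            print(f"  answered by {server!s:14} after {ms} ms")
```

With only the provider’s servers, every lookup exhausts the NS set and fails after two timeouts. With the mixed set, the first lookup under duress still pays for two timeouts before reaching ns1.corp, but from then on the resolver goes straight to the on-premises servers and the zone keeps resolving at its normal 53 ms.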

What Else Can We Do?
• Use authoritative name servers that resist DDoS attacks
  – These can resist non-volumetric attacks
  – More on these later

• Use Response Policy Zones to cut off infected devices from command-and-control servers
  – Do your part!

• Use Response Policy Zones to hardwire critical name-to-address mappings in the event of another DDoS attack
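Both Response Policy Zone uses on this slide come down to the same zone-file mechanics: a CNAME to the root (.) makes the resolver return NXDOMAIN for a name (and, with a wildcard, its subdomains), and ordinary A/AAAA records under the policy zone make the resolver answer with those addresses regardless of what the real authoritative servers say. The following is an added example, not from the deck or from Infoblox: a small generator for such a zone. The command-and-control names and addresses are constructed placeholders under reserved example domains, not real indicators, and the zone name rpz.corp.example is an assumption.

```python
"""Generate a BIND-style Response Policy Zone (added example)."""

from ipaddress import ip_address

# Constructed placeholders, not real indicators or addresses.
C2_DOMAINS = ["bot-c2.example", "update-check.invalid"]
CRITICAL_MAPPINGS = {
    "www.corp.example": ["192.0.2.10", "2001:db8::10"],
    "api.corp.example": ["192.0.2.20"],
}


def rpz_block_records(domains):
    """RPZ NXDOMAIN action: CNAME to the root for the name and its subdomains,
    so infected devices on the network get no answer for the C2 names."""
    recs = []
    for d in domains:
        name = d.rstrip(".")
        recs.append(f"{name} CNAME .")
        recs.append(f"*.{name} CNAME .")
    return recs


def rpz_local_data_records(mappings):
    """RPZ Local Data action: answer with the given A/AAAA records, so critical
    names keep resolving even if their authoritative servers are unreachable."""
    recs = []
    for name, addrs in mappings.items():
        for a in addrs:
            ip = ip_address(a)  # raises ValueError on a typo rather than shipping it
            rtype = "A" if ip.version == 4 else "AAAA"
            recs.append(f"{name.rstrip('.')} {rtype} {ip}")
    return recs


def build_rpz_zone(zone_name, serial, domains, mappings):
    """Return the complete zone file text. A 60 s TTL keeps policy changes and,
    more importantly, the removal of pinned addresses from lingering in caches."""
    lines = [
        f"$ORIGIN {zone_name}.",
        "$TTL 60",
        f"@ SOA localhost. hostmaster.{zone_name}. {serial} 3600 600 604800 60",
        "@ NS localhost.",
    ]
    lines += rpz_block_records(domains)
    lines += rpz_local_data_records(mappings)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone("rpz.corp.example", 2016110201, C2_DOMAINS, CRITICAL_MAPPINGS), end="")
```

The generated file is loaded like any other zone and then named in the BIND options block with `response-policy { zone "rpz.corp.example"; };`. The pinned mappings are a deliberate trade-off: they keep working while the provider is down, but they also keep answering with the old addresses after the real records change, so they belong in change control and should be removed once the emergency is over.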

Infoblox Authoritative DNS and DDOS
Protection Solutions

DNS Attacks Are Making Your Infrastructure Work Against You

78%    The most common service targeted by application-layer attacks is now, for the first time, DNS (1)
84%    Of reflection/amplification attacks use DNS (1)
>$500  Per-minute cost of Internet downtime due to DDoS attacks (2)
$1.5M  Average total cost per year to deal with denial-of-service attacks (2)

• DDoS attacks can significantly affect service and application availability
• Recovery is often complex and labor-intensive

1. Source: Arbor WISR 2016 Report
2. Ponemon Institute Study – The Cost of Denial-of-Service Attacks, March 2015

Advanced DNS Protection
Maintaining Availability Even Under Attack

• Detect and drop DNS-based attacks such as amplification, reflection, NXDOMAIN
• Share events and alert data with SIEMs via APIs, syslog and SNMP

[Diagram: Advanced DNS Protection at the centre of the cybersecurity ecosystem components – Infoblox Products, Ecosystem Products, Threat Intelligence Services, Reporting & Analytics, SIEM]

Benefits
• Maximize service uptime and application availability
• Use advanced threat intelligence for automated and up-to-date protection
• Enrich security ecosystem
• Global visibility

Infoblox - Advanced DNS Protection (ADP)
Platform
Protection Against the Widest Range of DNS Attacks
Intelligently defends against the widest range of attacks to ensure resilient and trustworthy DNS services; blocks attacks while continuing to respond to legitimate DNS requests

Adaptation to Threats
Continuously adapts to evolving threats; automatically updates protection without
patching or downtime

Tunable Thresholds
Allows user to fine-tune limits and thresholds based on their unique traffic flow patterns

Global Visibility
Shows Grid members under attack and provides details on attack patterns and times
with reports

Advanced DNS Protection - Fully Integrated into the Infoblox Grid

1. Advanced DNS Protection receives attacks interspersed with legitimate queries from the Internet
2. It pre-processes the requests to filter out attacks
3. It responds to legitimate DNS requests
4. Attack information is sent to an Infoblox reporting server
5. Automatic updates from Infoblox on new threats are propagated to all Advanced Appliances on the Grid

[Diagram: Legitimate Traffic → Infoblox External DNS Security (Advanced DNS Protection); Infoblox Threat-rule Server → Automatic Updates (Threat Adapt) → Grid Master → Grid-wide rule distribution; Data for Reports → Reporting Server → Reports on attack types, severity]

BIND Vulnerability Mitigation with Infoblox
• Infoblox’s partnership with ISC enables Infoblox to stay ahead of vulnerabilities
• Tight focus on DNS-related threats means fast turnaround on fixes
• Advanced DNS Protection (ADP)
  – CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure
  – ADP customers were protected by default by existing signatures

Threat Protection Rule Categories

• DNS Cache Poisoning
• DNS Message Type
• General DDoS
• DNS Protocol Anomalies
• DNS Amplification and Reflection
• Potential DDoS-Related Domains
• Reconnaissance
• DNS Malware
• NTP
• DNS DDoS
• TCP/UDP Flood
• DNS Tunneling
• ICMP
• BGP, OSPF
• DHCP
• Custom Rules: Blacklist
• Custom Rules: Ratelimit
• Custom Rules: Whitelist

Global Visibility with Reporting
Intelligence Needed to Take Action

• Attack details by category, member, rule, severity, and time
• Visibility into source of attacks for blocking, to understand scope and severity
• Early identification and isolation of issues for corrective action

Case Study - Large Insurance Company
Problem
• Experienced a malware-borne attack on DNS
with 1+ million queries per second
• Redundancy problems, DNS outages
• Wanted to get rid of Patch Tuesday
• Needed to enforce security intelligence

Solution Provided
• Maximize uptime and security on DNS
• Enforce security policies on firewalls
• Integrate threat intelligence feeds

Summary: Key Takeaways

• The attack on Dyn highlights the danger of DNS homogeneity
• The attack also demonstrates the danger Internet of Things devices pose to the Internet, and a new standard for large DDoS attacks
• Infoblox offers a purpose-built platform designed to protect against a wide range of DDoS attacks: Advanced DNS Protection

Submit the survey questions, and you will be entered to win an autographed “DNS and BIND” book by Cricket Liu.

Q&A
