SlideShare a Scribd company logo

Make the internet safe with DNS Firewall

Bangladesh Network Operators Group
Bangladesh Network Operators Group

Over 91% percent malware uses DNS(As Cisco 2016 Annual Cyber security report).Nearly all the cryptominer stuffs uses DNS based C&C(As Cisco 2016 Annual Cyber security report) RPZ allows a recursive server to control the behavior of responses to queries.Administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. RPZ data is supplied as a DNS zone, and can be loaded from a file or retrieved over the network by AXFR/IXFR.It works like firewall on cloud.DNS RPZ will block DNS resolution, machines connecting to the C&C via IP add

Internet
1 of 48
Download to read offline
All Rights Reserved © 2019 Make the internet safe with DNS Firewall Implementation Case Study at a Major ISP Suman Kumar Saha AmberIT Limited suman@amberit.com.bd
Safe Internet for ‘ALL’ Started brainstorming to find a suitable way to provide a secure internet to all of our users: Considerations: Easy implementation without deploying any hardware or without any change in CPE devices. Possible ways: • Router ACLs • Web proxy filter • Content-aware firewall • DNS Response Policy Zone (RPZ)
DNS Response Policy Zone ● Over 91% percent malware uses DNS(As Cisco 2016 Annual Cyber security report) ● Nearly all the cryptominer stuffs uses DNS based C&C(As Cisco 2016 Annual Cyber security report) ● RPZ allows a recursive server to control the behavior of responses to queries. ● Administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. ● RPZ data is supplied as a DNS zone, and can be loaded from a file or retrieved over the network by AXFR/IXFR. ● It works like firewall on cloud. ● DNS RPZ will block DNS resolution, machines connecting to the C&C via IP address will not be blocked.
DNS Response Policy Zone(RPZ) ● “DNS Firewall gives you the most bang for your buck” -Paul Vixie ● Reputation data is packaged into Response Policy Zones (RPZs) ● RPZ include both the filter criteria, and a response policy action ● BIND evaluates whether its response matches a filter in the RPZ and applies the policy specified ● RFC: https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00
Core DNS Principles Master/ Primary DNS Slave/ Secondary DNS Caching Resolver DNS .org bdnog.org www.bdnog.org AXFR TSIG IXFR TSIG AXFR - Full Zone Transfers IXFR - Incremental Zone Transfers TSIG - Transaction SIGnature used to secure the AXFR/IXFR What is the IP for www.bdnog.org? Who is in charge of www.bdnog.org? www.bdnog.org is 202.4.96.213 .root
.org bdnog.o rg .root DNS RPZ Master DNS RPZ Feed AXF R IXFR What is the IP for www.bdnog.org? Who is in charge of bdnog.org? www.bdnog.org www.bdnog.org is 202.4.96.213 RPZ Caching Resolver DNS * RPZ capability on the DNS Cashing Resolver allows zone transfers to be pushed out in seconds. Security Company
DNS RPZ in Action Master DNS RPZ Feed RPZ Caching Resolver DNS AXF R IXFR What is the IP for badguys.com? badguys.co m To find the bad guysSecurity Company What is the IP for badguys.com? SPAM Computer looks up Xyzbadness. com
How is DNS RPZ Different? Master DNS RPZ Feed RPZ Caching Resolver DNS AXFR IXFR Security Company DNS RBL Some RBL User Update zone files Query Every time
How is DNS RPZ Different? • DNS RPZ allows for multiple feeds. • Allows for industry incident feeds. • Allows for local incident management feeds. Resolver DNS RPZ Zone Files RPZ Feed Malware AXFR IXFR RPZ Feed C&C Hosts AXFR IXFR OPSEC AXFR IXFR InfoSec AXFR IXFR IXFR www.baddomain.com
Components of the Criminal Cloud ● Spam Botnet ● Command & Control ● Drive-by Domains ● Malware ● Secondary Malware ● Proxy ● Payment Processors ● Mule Operations ● Packer ● TLD Domain ● Name Servers Mirai Avalanche Blackhole Zeus Cryptojackers Passwords Ransomware Malware Rootkit Call home
Malicious Redirects E-commerce / Payments Security Updates Legitimate Abused antvirus.updates.com DNS
Scanning, Worming, & Spreading Bot Herder Email SMS SNS Vulnerable Malicious Infected Devices DNS C&C Botnet Step 1 Step 2 Step 3
We can see the bot herders traffic. Domains are known to be malicious! Spam/Phish Maliciou s Domains Infected Devices Cryptojacke rs Command & Control DNS
DNS RPZ would have stopped this attack! With RPZ you can detect, alert, block, and protect users. Spam/Phish Maliciou s Domains Infected Devices Cryptojacke rs Command & Control DNS rpz NSDNAME NXDOMAIN rewrite ns1.apple.com rpz QNAME NXDOMAIN rewrite botnet.com rpz QNAME NXDOMAIN rewrite malciousdomain.com
Real Sample today
Possible Uses Examples • Enterprise : Detect and stop malicious activities. • ISP : Investigate infected customer hosts. • SOC : Alert SOC team about malicious access • OEM : Protect IoT devices • ALL : Detect and sanitize your networks
RPZ supported DNS Applications RPZ is native in several of the industry’s leading DNS platforms, including: ● BIND V9.8 (or greater) ● Power DNS recursor Numerous appliance vendors have enabled RPZ as well, including: ● Infoblox ● Efficient IP ● Bluecoat and many more
RPZ Rule Let’s we want to rewrite any DNS queries for a specific hostname, but allow lookups to the domain and other hosts in that domain: host.filter.com IN CNAME . This result in an NXDOMAIN (Non existence) response for a query for “host.filter.com”
Response Policy Triggers The rules in a Response Policy Zone consist of triggers or filters that identify what responses to modify, and policy actions to apply to these responses. Each rule can use one of five policy triggers and specify one of eight policy actions. QNAME RPZ-IP RPZ-NSDNAME RPZ-CLIENT-IPRPZ-NSIP
Response Policy Actions GIVEN CNAME TCP-ONLY DROP PASSTHROUGH NXDOMAIN DISABLED NODATA Is the default action and define no overrides Name exists but there are no records of the requested type To redirect the user with a CNAME to a walled garden. Forces the resolver to use TCP for the query. Drop the query without any response to the client. Exempt the response from further policy processing. Domain does not exist.Most common policy used. All Policy Actions for this zone are disabled but all items are logged
RPZ Logging Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the “logging” header. channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info; }; category rpz { rpzlog; };
Before Implementation ● At first implement on logging mode for at least for a week ● Restricted RPZ recursive server to use within the ACL ● Restricted users from using other recursive resolver servers ● Redirected DNS traffic to DNA RPZ recursive resolver (That’s important to bring users in safety net)
RPZ Feed Providers ● Spamhaus ● Deteque ● PIPELINE Security ● Farsight security ● SURBL ● Threat Stop
DNS Firewall: Implementation Case Study in an ISP ● Implemented RPZ in Amber IT that is one of the Major ISP in Bangladesh. ● Using RPZ feed from Spamhaus Deteque through Pipeline Security ,Japan. ● Used with BIND 9.11.3 Extended Support Version(ESV). ● Also tested with Powerdns recursor. ● Redirected all DNS recursive request from PoP routers to DNS RPZ enabled recursive name server to avoid adding new DNS server on every CPE. ● Added forwarder in current recursive DNS and forwarded all the recursive request to RPZ enabled name server. ● Used as RPZ passthrough
Resources used for the implementation And one System Admin to cook those things One server for Bind LXD Container with Ubuntu 18.04 vCPU:8 cores,Memory : 8GB,Storage:100GB Second server ELK stack for data visualization. LXD Container with Ubuntu 18.04 vCPU:4 cores,Memory : 4GB,Storage:100GB RPZ zones Data feed from RPZ feed provider Any feed provider you can test free for one month .We have used from Spamhaus/deteque.
Simple Installation:Bind Required time : Not more than 60 minutes From Bind 9.8 Bind is compatible and comes with RPZ support. For this case we have used ubuntu 18.04LTS. Installed bind with apt and no special patches needed for RPZ.
Simple Installation:Adding RPZ zones Following RPZ zones were added at the end of the /etc/bind/named.conf.options using the response-policy.Bind currently has a 32 zone limit response-policy { zone "rpz.local"; ### 11 Standard Feeds zone "adware.host.dtq" policy passthru; zone "badrep.host.dtq" policy passthru; zone "bad-nameservers.ip.dtq" policy passthru ; zone "bad-nameservers.host.dtq" policy passthru; zone "bogons.ip.dtq"; zone "botnetcc.host.dtq"; zone "botnet.host.dtq" policy passthru; zone "botnetcc.ip.dtq" policy passthru; zone "dga.host.dtq" policy passthru; zone "malware.host.dtq"; zone "phish.host.dtq" policy passthru; ### Edited Feeds zone "adware.edit.host.dtq"; zone "badrep.edit.host.dtq"; zone "botnetcc.edit.host.dtq"; zone "botnet.edit.host.dtq"; zone "malware.edit.host.dtq"; zone "phish.edit.host.dtq"; ### Premium Feeds zone "zrd.host.dtq"; ### Free Feeds zone "drop.ips.dtq" policy passthru; ### Service Feeds zone "coinblock.srv"; zone "torblock.srv" policy passthru; };
Simple Installation:Get RPZ data from provider RPZ zones will be downloaded from feed provided as a slave zone. zone "malware.edit.host.dtq" { type slave; file "dbx.malware.edit.host.dtq"; masters {199.168.xx.xx;199.168.xx.xx;199.168.xx.xx; }; allow-transfer { none; }; };
Simple Installation:RPZ Incident Log Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the “logging” header. Add the RPZ log in /etc/bind/named.conf logging { channel null { null; }; channel bindlog { file "bind.log"; print-time yes; print-category yes; print-severity yes; severity info; };
Bind Installation:Generating Log channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info;}; category config { bindlog; };category xfer-in { bindlog; };category xfer-out { bindlog; }; category network { bindlog; };category update { bindlog; };category update-security { bindlog; }; category delegation-only { bindlog; }; category rpz { rpzlog; }; };
RPZ Logs RPZ log take logs the queries to RPZ zones. ● The threat source IP ● destination of the for threat ● Categorization of the threat 27-Feb-2019 03:21:15.920 rpz: info: client @0x7f87f4094f60 118.179.89.xxx#60543 (qpxrg.com): rpz QNAME NXDOMAIN rewrite qpxrg.com via qpxrg.com.malware.host.dtq
Whitelisting ● rpz.local placed in top among the RPZ zones for custom configuration in bind. ● On any false positive or on any issue we can whitelist a domain or IP or client IP if require. Some source/domains/IP whitelisted on user requirement : 32.xx.19x.179.118.rpz-ip IN CNAME rpz-passthru. 32.xx.19x.179.118.rpz-client-ip IN CNAME rpz-passthru. 32.xx.19x.179.118.rpz-nsip IN CNAME rpz-passthru. binance.com CNAME rpz-passthru. *.binance.com CNAME rpz-passthru. cryptonator.com CNAME rpz-passthru. *.cryptonator.com CNAME rpz-passthru.
Monitoring Incidents with The ELK stack The ELK stack is a collection of three open source tools - Elasticsearch + Logstash + Kibana
Monitoring Incidents with ELK stack ● Logs: Server logs that need to be analyzed are identified ● Logstash: Collect logs and events data. It even parses and transforms data ● ElasticSearch: The transformed data from Logstash is Store, Search, and indexed. ● Kibana: Kibana uses Elasticsearch DB to Explore, Visualize, and Share ● Beats: Use to transport logs to the ELK stack
Day 1 - Over 1.3M Queries to RPZ Zones
Day 1 - Top 5 Results
RPZ logs from Various Nodes
Top Categories of threats
Top Catagories of threats
Top threats by Hostname
hosted by DNS of a malicious domain (coppersurfer.tk) 0--0.ml 0-00.ml 0-21.tk 000-daviotek.tk 000-default.tk 000000.ga 0002.tk 000web.tk 0010.ga 00gg.tk 00up.cf 0101.tk 0111.gq 022gay.com 028video.gq 02reg.tk 03essay.cf 0443622812.ga 05291123.tk 0599.tk 0815netz.tk 0900alternatieven.co m 091617.cf 0ang3el.ml 0jav.cf 0jav.ga 0network.tk 0nlyyou.tk And many thousands
Vulnerable Nodes with potential treats
Deep Dive in a incident:pubyun.com pubyun.com was one of the top destination from monitoring and DNS RPZ filtered the traffic. A news from 2012 .But still it is active in the live network. https://www.techinasia.com/microsoft-lawsuit-chinese-malware It is also in the Sophos malaware analysis https://www.sophos.com/en-us/threat-center/t hreat-analyses/viruses-and-spyware/Troj~MSIL- DXC/detailed-analysis.aspx
Deep dive in a incident:pubyun.com https://www.joesandbox.com/analysis/37219/0/executive Pubyun.com actually a hosting provider before that they operated as 3322.org that hosted many malwares ,cryptomiers and used for malicious activities.Here is a sample of malware that used pubyun.com.
Top malware destinations from infected nodes
RPZ Incident monitoring dashboard with Kibana
Resources https://www.slideshare.net/BarryRGreene/binds-new-secur ity-feature-dnsrpz-the-quotdns-firewallquot https://www.deteque.com/app/uploads/2018/04/Spamhau s-DNS-RPZ-DROP-Setup-v.2.pdf https://www.netcon-consulting.com
All Rights Reserved © 2019 Safe Internet Access with DNS Firewall Implementation Case Study at a Major ISP Suman Kumar Saha AmberIT Limited suman@amberit.com.bd Allan Watanabe PIPELINE Security www.pipelinesecurity.jp THANK YOU!

Recommended

Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricBangladesh Network Operators Group
 
Preventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressPreventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressBangladesh Network Operators Group
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachBangladesh Network Operators Group
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisBangladesh Network Operators Group
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesBabak Farrokhi
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBangladesh Network Operators Group
 

Recommended

Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricBangladesh Network Operators Group
 
Preventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressPreventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressBangladesh Network Operators Group
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachBangladesh Network Operators Group
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisBangladesh Network Operators Group
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesBabak Farrokhi
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBangladesh Network Operators Group
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRBangladesh Network Operators Group
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecCisco Russia
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12Bangladesh Network Operators Group
 
Tech f42
Tech f42Tech f42
Tech f42SelectedPresentations
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSPavel Odintsov
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?APNIC
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 
DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresPavel Odintsov
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayIKT-Norge
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksMyNOG
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseCisco Canada
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
 
9534715
95347159534715
9534715Pavel Odintsov
 
FastNetMonを試してみた
FastNetMonを試してみたFastNetMonを試してみた
FastNetMonを試してみたYutaka Ishizaki
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolPavel Odintsov
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPAPNIC
 
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)PROIDEA
 

More Related Content

What's hot

Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecCisco Russia
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSPavel Odintsov
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?APNIC
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 
DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresPavel Odintsov
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayIKT-Norge
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksMyNOG
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseCisco Canada
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
 
FastNetMonを試してみた
FastNetMonを試してみたFastNetMonを試してみた
FastNetMonを試してみたYutaka Ishizaki
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolPavel Odintsov
 

What's hot (20)

Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRR
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit network
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow Spec
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12
 
Tech f42
Tech f42Tech f42
Tech f42
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
 
DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP Infrastructures
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norway
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigation
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat Defense
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
 
9534715
95347159534715
9534715
 
FastNetMonを試してみた
FastNetMonを試してみたFastNetMonを試してみた
FastNetMonを試してみた
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection tool
 

Similar to Make the internet safe with DNS Firewall

Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPAPNIC
 
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)PROIDEA
 
Getting Started with a DNS Firewall
Getting Started with a DNS FirewallGetting Started with a DNS Firewall
Getting Started with a DNS FirewallAPNIC
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.Qrator Labs
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival GuideAPNIC
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolJisc
 
Dns security threats and solutions
Dns security threats and solutionsDns security threats and solutions
Dns security threats and solutionsFrank Victory
 
Denial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewDenial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewMarketingArrowECS_CZ
 
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...DataWorks Summit/Hadoop Summit
 
PLNOG15 :Scale and Secure the Internet of Things with Intelligent DNS Services
PLNOG15 :Scale and Secure the Internet of Things with Intelligent DNS ServicesPLNOG15 :Scale and Secure the Internet of Things with Intelligent DNS Services
PLNOG15 :Scale and Secure the Internet of Things with Intelligent DNS ServicesPROIDEA
 
COSCUP 2019 - CDN in an Edge Box
COSCUP 2019 - CDN in an Edge BoxCOSCUP 2019 - CDN in an Edge Box
COSCUP 2019 - CDN in an Edge BoxShihta Kuan
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorPositive Hack Days
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Knowlaurenrprice
 
THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesJohn Bambenek
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesAPNIC
 
DNS Related Technical Terms
DNS Related Technical TermsDNS Related Technical Terms
DNS Related Technical TermsHTS Hosting
 

Similar to Make the internet safe with DNS Firewall (20)

Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
 
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
 
Getting Started with a DNS Firewall
Getting Started with a DNS FirewallGetting Started with a DNS Firewall
Getting Started with a DNS Firewall
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
 
Dns security threats and solutions
Dns security threats and solutionsDns security threats and solutions
Dns security threats and solutions
 
Denial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewDenial of Service - Service Provider Overview
Denial of Service - Service Provider Overview
 
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
 
DNS - MCSE 2019
DNS - MCSE 2019DNS - MCSE 2019
DNS - MCSE 2019
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
 
PLNOG15 :Scale and Secure the Internet of Things with Intelligent DNS Services
PLNOG15 :Scale and Secure the Internet of Things with Intelligent DNS ServicesPLNOG15 :Scale and Secure the Internet of Things with Intelligent DNS Services
PLNOG15 :Scale and Secure the Internet of Things with Intelligent DNS Services
 
Quad9 and DNS Privacy
Quad9 and DNS PrivacyQuad9 and DNS Privacy
Quad9 and DNS Privacy
 
COSCUP 2019 - CDN in an Edge Box
COSCUP 2019 - CDN in an Edge BoxCOSCUP 2019 - CDN in an Edge Box
COSCUP 2019 - CDN in an Edge Box
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Know
 
THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS Queries
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
 
DNS Related Technical Terms
DNS Related Technical TermsDNS Related Technical Terms
DNS Related Technical Terms
 

More from Bangladesh Network Operators Group

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephBangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceBangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaBangladesh Network Operators Group
 

More from Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 

Recently uploaded

TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 

Recently uploaded (11)

TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 

Make the internet safe with DNS Firewall

  • 1. All Rights Reserved © 2019 Make the internet safe with DNS Firewall Implementation Case Study at a Major ISP Suman Kumar Saha AmberIT Limited suman@amberit.com.bd
  • 2. Safe Internet for ‘ALL’ Started brainstorming to find a suitable way to provide a secure internet to all of our users: Considerations: Easy implementation without deploying any hardware or without any change in CPE devices. Possible ways: • Router ACLs • Web proxy filter • Content-aware firewall • DNS Response Policy Zone (RPZ)
  • 3. DNS Response Policy Zone ● Over 91% percent malware uses DNS(As Cisco 2016 Annual Cyber security report) ● Nearly all the cryptominer stuffs uses DNS based C&C(As Cisco 2016 Annual Cyber security report) ● RPZ allows a recursive server to control the behavior of responses to queries. ● Administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. ● RPZ data is supplied as a DNS zone, and can be loaded from a file or retrieved over the network by AXFR/IXFR. ● It works like firewall on cloud. ● DNS RPZ will block DNS resolution, machines connecting to the C&C via IP address will not be blocked.
  • 4. DNS Response Policy Zone(RPZ) ● “DNS Firewall gives you the most bang for your buck” -Paul Vixie ● Reputation data is packaged into Response Policy Zones (RPZs) ● RPZ include both the filter criteria, and a response policy action ● BIND evaluates whether its response matches a filter in the RPZ and applies the policy specified ● RFC: https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00
  • 5. Core DNS Principles Master/ Primary DNS Slave/ Secondary DNS Caching Resolver DNS .org bdnog.org www.bdnog.org AXFR TSIG IXFR TSIG AXFR - Full Zone Transfers IXFR - Incremental Zone Transfers TSIG - Transaction SIGnature used to secure the AXFR/IXFR What is the IP for www.bdnog.org? Who is in charge of www.bdnog.org? www.bdnog.org is 202.4.96.213 .root
  • 6. .org bdnog.o rg .root DNS RPZ Master DNS RPZ Feed AXF R IXFR What is the IP for www.bdnog.org? Who is in charge of bdnog.org? www.bdnog.org www.bdnog.org is 202.4.96.213 RPZ Caching Resolver DNS * RPZ capability on the DNS Cashing Resolver allows zone transfers to be pushed out in seconds. Security Company
  • 7. DNS RPZ in Action Master DNS RPZ Feed RPZ Caching Resolver DNS AXF R IXFR What is the IP for badguys.com? badguys.co m To find the bad guysSecurity Company What is the IP for badguys.com? SPAM Computer looks up Xyzbadness. com
  • 8. How is DNS RPZ Different? Master DNS RPZ Feed RPZ Caching Resolver DNS AXFR IXFR Security Company DNS RBL Some RBL User Update zone files Query Every time
  • 9. How is DNS RPZ Different? • DNS RPZ allows for multiple feeds. • Allows for industry incident feeds. • Allows for local incident management feeds. Resolver DNS RPZ Zone Files RPZ Feed Malware AXFR IXFR RPZ Feed C&C Hosts AXFR IXFR OPSEC AXFR IXFR InfoSec AXFR IXFR IXFR www.baddomain.com
  • 10. Components of the Criminal Cloud ● Spam Botnet ● Command & Control ● Drive-by Domains ● Malware ● Secondary Malware ● Proxy ● Payment Processors ● Mule Operations ● Packer ● TLD Domain ● Name Servers Mirai Avalanche Blackhole Zeus Cryptojackers Passwords Ransomware Malware Rootkit Call home
  • 11. Malicious Redirects E-commerce / Payments Security Updates Legitimate Abused antvirus.updates.com DNS
  • 12. Scanning, Worming, & Spreading Bot Herder Email SMS SNS Vulnerable Malicious Infected Devices DNS C&C Botnet Step 1 Step 2 Step 3
  • 13. We can see the bot herders traffic. Domains are known to be malicious! Spam/Phish Maliciou s Domains Infected Devices Cryptojacke rs Command & Control DNS
  • 14. DNS RPZ would have stopped this attack! With RPZ you can detect, alert, block, and protect users. Spam/Phish Maliciou s Domains Infected Devices Cryptojacke rs Command & Control DNS rpz NSDNAME NXDOMAIN rewrite ns1.apple.com rpz QNAME NXDOMAIN rewrite botnet.com rpz QNAME NXDOMAIN rewrite malciousdomain.com
  • 16. Possible Uses Examples • Enterprise : Detect and stop malicious activities. • ISP : Investigate infected customer hosts. • SOC : Alert SOC team about malicious access • OEM : Protect IoT devices • ALL : Detect and sanitize your networks
  • 17. RPZ supported DNS Applications RPZ is native in several of the industry’s leading DNS platforms, including: ● BIND V9.8 (or greater) ● Power DNS recursor Numerous appliance vendors have enabled RPZ as well, including: ● Infoblox ● Efficient IP ● Bluecoat and many more
  • 18. RPZ Rule Let’s we want to rewrite any DNS queries for a specific hostname, but allow lookups to the domain and other hosts in that domain: host.filter.com IN CNAME . This result in an NXDOMAIN (Non existence) response for a query for “host.filter.com”
  • 19. Response Policy Triggers The rules in a Response Policy Zone consist of triggers or filters that identify what responses to modify, and policy actions to apply to these responses. Each rule can use one of five policy triggers and specify one of eight policy actions. QNAME RPZ-IP RPZ-NSDNAME RPZ-CLIENT-IPRPZ-NSIP
  • 20. Response Policy Actions GIVEN CNAME TCP-ONLY DROP PASSTHROUGH NXDOMAIN DISABLED NODATA Is the default action and define no overrides Name exists but there are no records of the requested type To redirect the user with a CNAME to a walled garden. Forces the resolver to use TCP for the query. Drop the query without any response to the client. Exempt the response from further policy processing. Domain does not exist.Most common policy used. All Policy Actions for this zone are disabled but all items are logged
  • 21. RPZ Logging Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the “logging” header. channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info; }; category rpz { rpzlog; };
  • 22. Before Implementation ● At first implement on logging mode for at least for a week ● Restricted RPZ recursive server to use within the ACL ● Restricted users from using other recursive resolver servers ● Redirected DNS traffic to DNA RPZ recursive resolver (That’s important to bring users in safety net)
  • 23. RPZ Feed Providers ● Spamhaus ● Deteque ● PIPELINE Security ● Farsight security ● SURBL ● Threat Stop
  • 24. DNS Firewall: Implementation Case Study in an ISP ● Implemented RPZ in Amber IT that is one of the Major ISP in Bangladesh. ● Using RPZ feed from Spamhaus Deteque through Pipeline Security ,Japan. ● Used with BIND 9.11.3 Extended Support Version(ESV). ● Also tested with Powerdns recursor. ● Redirected all DNS recursive request from PoP routers to DNS RPZ enabled recursive name server to avoid adding new DNS server on every CPE. ● Added forwarder in current recursive DNS and forwarded all the recursive request to RPZ enabled name server. ● Used as RPZ passthrough
  • 25. Resources used for the implementation And one System Admin to cook those things One server for Bind LXD Container with Ubuntu 18.04 vCPU:8 cores,Memory : 8GB,Storage:100GB Second server ELK stack for data visualization. LXD Container with Ubuntu 18.04 vCPU:4 cores,Memory : 4GB,Storage:100GB RPZ zones Data feed from RPZ feed provider Any feed provider you can test free for one month .We have used from Spamhaus/deteque.
  • 26. Simple Installation:Bind Required time : Not more than 60 minutes From Bind 9.8 Bind is compatible and comes with RPZ support. For this case we have used ubuntu 18.04LTS. Installed bind with apt and no special patches needed for RPZ.
  • 27. Simple Installation:Adding RPZ zones Following RPZ zones were added at the end of the /etc/bind/named.conf.options using the response-policy.Bind currently has a 32 zone limit response-policy { zone "rpz.local"; ### 11 Standard Feeds zone "adware.host.dtq" policy passthru; zone "badrep.host.dtq" policy passthru; zone "bad-nameservers.ip.dtq" policy passthru ; zone "bad-nameservers.host.dtq" policy passthru; zone "bogons.ip.dtq"; zone "botnetcc.host.dtq"; zone "botnet.host.dtq" policy passthru; zone "botnetcc.ip.dtq" policy passthru; zone "dga.host.dtq" policy passthru; zone "malware.host.dtq"; zone "phish.host.dtq" policy passthru; ### Edited Feeds zone "adware.edit.host.dtq"; zone "badrep.edit.host.dtq"; zone "botnetcc.edit.host.dtq"; zone "botnet.edit.host.dtq"; zone "malware.edit.host.dtq"; zone "phish.edit.host.dtq"; ### Premium Feeds zone "zrd.host.dtq"; ### Free Feeds zone "drop.ips.dtq" policy passthru; ### Service Feeds zone "coinblock.srv"; zone "torblock.srv" policy passthru; };
  • 28. Simple Installation:Get RPZ data from provider RPZ zones will be downloaded from feed provided as a slave zone. zone "malware.edit.host.dtq" { type slave; file "dbx.malware.edit.host.dtq"; masters {199.168.xx.xx;199.168.xx.xx;199.168.xx.xx; }; allow-transfer { none; }; };
  • 29. Simple Installation:RPZ Incident Log Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the “logging” header. Add the RPZ log in /etc/bind/named.conf logging { channel null { null; }; channel bindlog { file "bind.log"; print-time yes; print-category yes; print-severity yes; severity info; };
  • 30. Bind Installation:Generating Log channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info;}; category config { bindlog; };category xfer-in { bindlog; };category xfer-out { bindlog; }; category network { bindlog; };category update { bindlog; };category update-security { bindlog; }; category delegation-only { bindlog; }; category rpz { rpzlog; }; };
  • 31. RPZ Logs RPZ log take logs the queries to RPZ zones. ● The threat source IP ● destination of the for threat ● Categorization of the threat 27-Feb-2019 03:21:15.920 rpz: info: client @0x7f87f4094f60 118.179.89.xxx#60543 (qpxrg.com): rpz QNAME NXDOMAIN rewrite qpxrg.com via qpxrg.com.malware.host.dtq
  • 32. Whitelisting ● rpz.local placed in top among the RPZ zones for custom configuration in bind. ● On any false positive or on any issue we can whitelist a domain or IP or client IP if require. Some source/domains/IP whitelisted on user requirement : 32.xx.19x.179.118.rpz-ip IN CNAME rpz-passthru. 32.xx.19x.179.118.rpz-client-ip IN CNAME rpz-passthru. 32.xx.19x.179.118.rpz-nsip IN CNAME rpz-passthru. binance.com CNAME rpz-passthru. *.binance.com CNAME rpz-passthru. cryptonator.com CNAME rpz-passthru. *.cryptonator.com CNAME rpz-passthru.
  • 33. Monitoring Incidents with The ELK stack The ELK stack is a collection of three open source tools - Elasticsearch + Logstash + Kibana
  • 34. Monitoring Incidents with ELK stack ● Logs: Server logs that need to be analyzed are identified ● Logstash: Collect logs and events data. It even parses and transforms data ● ElasticSearch: The transformed data from Logstash is Store, Search, and indexed. ● Kibana: Kibana uses Elasticsearch DB to Explore, Visualize, and Share ● Beats: Use to transport logs to the ELK stack
  • 35. Day 1 - Over 1.3M Queries to RPZ Zones
  • 36. Day 1 - Top 5 Results
  • 37. RPZ logs from Various Nodes
  • 38. Top Categories of threats
  • 39. Top Catagories of threats
  • 40. Top threats by Hostname
  • 41. hosted by DNS of a malicious domain (coppersurfer.tk) 0--0.ml 0-00.ml 0-21.tk 000-daviotek.tk 000-default.tk 000000.ga 0002.tk 000web.tk 0010.ga 00gg.tk 00up.cf 0101.tk 0111.gq 022gay.com 028video.gq 02reg.tk 03essay.cf 0443622812.ga 05291123.tk 0599.tk 0815netz.tk 0900alternatieven.co m 091617.cf 0ang3el.ml 0jav.cf 0jav.ga 0network.tk 0nlyyou.tk And many thousands
  • 42. Vulnerable Nodes with potential treats
  • 43. Deep Dive in a incident:pubyun.com pubyun.com was one of the top destination from monitoring and DNS RPZ filtered the traffic. A news from 2012 .But still it is active in the live network. https://www.techinasia.com/microsoft-lawsuit-chinese-malware It is also in the Sophos malaware analysis https://www.sophos.com/en-us/threat-center/t hreat-analyses/viruses-and-spyware/Troj~MSIL- DXC/detailed-analysis.aspx
  • 44. Deep dive in a incident:pubyun.com https://www.joesandbox.com/analysis/37219/0/executive Pubyun.com actually a hosting provider before that they operated as 3322.org that hosted many malwares ,cryptomiers and used for malicious activities.Here is a sample of malware that used pubyun.com.
  • 45. Top malware destinations from infected nodes
  • 46. RPZ Incident monitoring dashboard with Kibana
  • 48. All Rights Reserved © 2019 Safe Internet Access with DNS Firewall Implementation Case Study at a Major ISP Suman Kumar Saha AmberIT Limited suman@amberit.com.bd Allan Watanabe PIPELINE Security www.pipelinesecurity.jp THANK YOU!