14 April 2016

Internet Identifiers
Your most undervalued and at risk assets?

Andrea Beccalli
Senior Manager Stakeholder Engagement
Agenda

What are Internet Identifiers?
Why do you call identifiers assets?
Why are my identifiers at risk?
How can I mitigate these risks?
How can I monitor for changes in risk?
Evolution of Global Identifiers

What are Internet Identifiers?
Part of the plumbing, and plumbing still matters!

The Internet is a mesh of networks whose operators agree to communicate using predefined protocols (TCP/IP)
Networks use identifiers to name or number individual computers (hosts) so that these can communicate
o IP addresses identify the Internet's streets and house numbers
o Autonomous System Numbers identify the Internet's neighborhoods
o Domain Names provide user-friendly ways to remember addresses
Identifiers are evolving

[Figure: evolution of identifiers, from LAN and MAC addresses, to IP addresses, to domain names, to apps, Siri and search arguments]
Evolution of Global Identifiers

Why do you call Internet Identifiers assets?
Identifiers are your presence on the Internet

IP Addresses and AS numbers allow other networks to find your network
Domain names are used by your customers to find you on the Internet
You can't operate your physical-world business without reliable street addresses or phone numbers. The same is true for Internet Identifiers. They are of similar asset value.
Why are my Internet Identifiers at risk?
Identifiers are targets for loss, misuse or abuse

Internet Identifier          Attack Consequence
Domain Name                  Loss of web service
                             Public defacement
Name Service (DNS)           Disruption of email
                             Exfiltration of email
                             Disruption of commerce
IP addresses                 Network disruption
                             Data exfiltration
Autonomous System Numbers    Disruption of global communications
                             Large scale loss of commercial hosting
Can you give me examples?

Domain Hijacking
Denial of Service
Data Exfiltration
Domain Name Hijacking

Attacker compromises domain name registration account
Compromise gives attacker administrative control over domains registered under this account
Attacker modifies/adds name server record for compromised domain
Attacker points the DNS away from legitimate hosts to his phishing, fraud or defacement servers
Denial of Service Attacks (DoS, DDoS)

[Figure: DNS reflection and amplification. The attacker sends DNS queries to an open recursor with the source IP spoofed to that of the target (10.0.0.1). The recursor sends LARGE responses to the targeted host. The amplified responses delivered to the targeted host consume its resources faster.]
Covert channels for data exfiltration

[Figure: an infected PC sends sensitive data to the botnet command and control (C&C) over DNS. DNS messages are manipulated to forward sensitive data from the infected PC (bot) through a firewall that allows outbound DNS to the botnet C&C. Proof of concept: exfiltrate the results of SQL injection attacks.]
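A detection check for the pattern this slide describes, added here as an example and not part of the original deck: it groups the query names in an outbound DNS log by client and base domain, scores the subdomain labels by entropy, length and record type, and flags the groups that look like encoded data rather than hostnames. The log tuple format, the constructed sample and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of outbound DNS queries logged at the firewall: (client_ip, qname, qtype).
# Host 10.1.1.9 sends long, high-entropy labels under one domain, the pattern a DNS tunnel leaves.
SAMPLE_QUERIES = [
    ("10.1.1.5", "www.example.com", "A"),
    ("10.1.1.5", "mail.example.com", "MX"),
    ("10.1.1.7", "static.example.net", "A"),
    ("10.1.1.7", "updates.example.org", "AAAA"),
    ("10.1.1.9", "0123456789abcdef0123456789abcdef.cdn-sync.example", "TXT"),
    ("10.1.1.9", "fedcba9876543210fedcba9876543210.cdn-sync.example", "TXT"),
    ("10.1.1.9", "00112233445566778899aabbccddeeff.cdn-sync.example", "TXT"),
    ("10.1.1.9", "ffeeddccbbaa99887766554433221100.cdn-sync.example", "TXT"),
]

def shannon_entropy(text):
    """Bits per character: encoded hex data scores near 4.0, ordinary host labels well under 3."""
    if not text:
        return 0.0
    counts = {c: text.count(c) for c in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def split_name(qname):
    """Return (subdomain, base_domain); the base is the last two labels (no public suffix list here)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_candidates(queries, min_distinct=3, entropy_threshold=3.5, length_threshold=30):
    """Flag (client, base_domain) groups whose subdomains look like encoded data: {key: [reasons]}."""
    groups = defaultdict(list)
    for client, qname, qtype in queries:
        sub, base = split_name(qname)
        groups[(client, base)].append((sub, qtype))
    flagged = {}
    for key, items in groups.items():
        subs = [s.replace(".", "") for s in {sub for sub, _ in items}]
        if len(subs) < min_distinct:
            continue  # a handful of ordinary hostnames under one domain is normal
        reasons = []
        if sum(shannon_entropy(s) for s in subs) / len(subs) > entropy_threshold:
            reasons.append("high-entropy labels")
        if sum(len(s) for s in subs) / len(subs) > length_threshold:
            reasons.append("long labels")
        if all(qtype in ("TXT", "NULL") for _, qtype in items):
            reasons.append("bulk TXT/NULL queries")
        if reasons:
            flagged[key] = reasons
    return flagged
```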
How can I mitigate these risks?
Mitigate Risk!

Your Identifiers are assets
Apply standard risk management practices:
Assess the value of your identifier assets
Assess the threat landscape: how are you vulnerable?
Assess and prioritize your risks
Weigh mitigation techniques against costs
Mitigate risks based on your decisions
Repeat the risk exercise regularly
How can I monitor for changes in risk?
DNS and Address Data are powerful allies

Nearly all applications on the Internet use the DNS
There is a wealth of intelligence in your DNS traffic
o Anomalies in DNS message traffic
o Changes in DNS traffic volume
o Changes in DNS query destinations
Similar intelligence can be obtained by monitoring your address assignments and usage
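The three kinds of DNS intelligence listed above, run over a constructed recursor log, as an added example that is not from the deck: a per-source volume check against each source's own history, a response-to-query byte ratio that surfaces the reflection pattern from the denial-of-service slide as the recursor operator sees it (one "source" receiving far more bytes than it sent), and a check for base domains never seen before. The log tuple format, the baseline and the thresholds are assumptions.

```python
import statistics
from collections import Counter, defaultdict

# Constructed recursor log for one interval: (source_ip, qname, qtype, query_bytes, response_bytes).
# 203.0.113.7 "sends" many ANY queries that get large answers: on a recursor, that is what reflection
# traffic looks like when the source address is spoofed and the answers are really hitting a victim.
CURRENT_INTERVAL = [
    ("10.1.1.5", "www.example.com", "A", 45, 110),
    ("10.1.1.5", "mail.example.com", "MX", 46, 140),
    ("10.1.1.5", "www.example.net", "A", 45, 110),
    ("10.1.1.5", "api.example.net", "AAAA", 48, 120),
    ("10.1.1.7", "www.example.com", "A", 45, 110),
    ("10.1.1.7", "cdn.example.net", "A", 45, 110),
    ("10.1.1.11", "sso.partner.example", "A", 50, 120),
] + [("203.0.113.7", "example.com", "ANY", 60, 3100)] * 6
# Constructed baseline: queries per source in each of the previous five intervals, and base domains seen.
BASELINE_COUNTS = {"10.1.1.5": [3, 4, 3, 4, 3], "10.1.1.7": [2, 2, 3, 2, 3], "203.0.113.7": [0, 0, 1, 0, 0]}
KNOWN_DOMAINS = {"example.com", "example.net"}

def base_domain(qname):
    """Last two labels of the name (a public suffix list would be used in production)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def volume_anomalies(interval, baseline, k=3.0):
    """Sources whose query count exceeds mean + k*stdev of their own history (stdev floored at 1).
    Returns {source: (count, threshold)}; sources with no history are compared against zero."""
    counts = Counter(src for src, *_ in interval)
    result = {}
    for src, count in counts.items():
        history = baseline.get(src, [0])
        threshold = statistics.mean(history) + k * max(statistics.pstdev(history), 1.0)
        if count > threshold:
            result[src] = (count, threshold)
    return result

def amplification_suspects(interval, min_ratio=10.0, min_queries=3):
    """Sources receiving far more response bytes than they sent: {source: bytes_out / bytes_in}."""
    sent, received, seen = defaultdict(int), defaultdict(int), Counter()
    for src, _qname, _qtype, qbytes, rbytes in interval:
        sent[src] += qbytes
        received[src] += rbytes
        seen[src] += 1
    return {src: received[src] / sent[src] for src in sent
            if seen[src] >= min_queries and received[src] / sent[src] > min_ratio}

def new_destinations(interval, known):
    """Base domains queried in this interval that never appeared in the baseline."""
    return {base_domain(qname) for _src, qname, *_ in interval} - set(known)
```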
Periodic analysis is a strong defense

Examine critical data for correctness
o DNS zone data
o Recursor caches
o Passive DNS replication
Review what names your users are resolving
Review name errors
Resource and Relationship Management Play Critical Roles in Risk Mitigation

Know your allies. Keep points of contact for Mitigation providers, Upstream ISPs, Hosting providers, Registries, Registrars, Vendors, Security service technical support, CERTs, Law enforcement, Regulatory authorities (if applicable)
Domain name registration protection

Maintain complete/accurate points of contact
Monitor Whois record for unauthorized change
In case of unauthorized transfer, keep records:
o Domain names, proofs of payment, registrar correspondence
o Demonstrations of use or association
o Legal documents: proofs of incorporation, tax filings, passport, other proofs of identity
Monitor your address assignments, too!
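Monitoring the Whois record, and catching the registration-account takeover from the hijacking slide, both come down to comparing a stored baseline of the record against a fresh lookup. Added example, not from the deck: it normalizes two constructed WHOIS snapshots, fingerprints them, and reports changes to the fields a hijacked account would alter (name servers, registrant contact, status, registrar) as critical, with an expiry warning; the same diff applies to an RIR address-assignment record or an exported zone file. The field names and sample values are assumptions.

```python
import hashlib
import json
from datetime import date

# Constructed WHOIS snapshots for a fictitious domain: a stored baseline and a fresh lookup in which
# the name servers, registrant contact and status have changed, the trace a hijacked account leaves.
BASELINE_WHOIS = {
    "domain": "example-shop.example", "registrar": "Example Registrar Inc.",
    "registrant_email": "hostmaster@example-shop.example", "expires": "2017-03-01",
    "name_servers": ["NS2.EXAMPLE-SHOP.EXAMPLE", "ns1.example-shop.example"],
    "status": ["clientTransferProhibited", "clientUpdateProhibited"],
}
CURRENT_WHOIS = {
    "domain": "example-shop.example", "registrar": "Example Registrar Inc.",
    "registrant_email": "qwerty123@mailbox.example", "expires": "2017-03-01",
    "name_servers": ["ns1.fast-dns.example", "ns2.fast-dns.example"],
    "status": ["ok"],
}
# Fields a registrant-account compromise would typically alter; any other change is informational.
CRITICAL_FIELDS = {"registrar", "registrant_email", "name_servers", "status"}

def normalize(record):
    """Canonical form so case and ordering differences do not register as changes."""
    return {k: sorted(x.strip().lower() for x in v) if isinstance(v, list) else v.strip().lower()
            for k, v in record.items()}

def fingerprint(record):
    """Stable hash of the normalized record; store it with the baseline to spot any change cheaply."""
    canonical = json.dumps(normalize(record), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def diff_records(baseline, current):
    """Return {field: (old, new)} for every field whose normalized value differs."""
    old, new = normalize(baseline), normalize(current)
    return {k: (old.get(k), new.get(k)) for k in old.keys() | new.keys() if old.get(k) != new.get(k)}

def assess(baseline, current, today, expiry_warning_days=60):
    """Classify changes: 'critical' for hijack-relevant fields, 'info' otherwise, plus an expiry warning."""
    findings = []
    for field in sorted(diff_records(baseline, current)):
        findings.append(("critical" if field in CRITICAL_FIELDS else "info", field))
    expires = date.fromisoformat(normalize(current)["expires"])
    if (expires - today).days <= expiry_warning_days:
        findings.append(("warning", "expires"))
    return findings
```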
Use DNSSEC

Protects DNS data against forgery
Uses public key cryptography to sign authoritative zone data
Assures that the data origin is authentic
Assures that the data are what the authenticated data originator published
Trust model also uses public key cryptography
Parent zones sign public keys of child zone (root signs TLDs, TLDs sign registered domains)
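The delegation step of the trust model in code, added here as an example and not from the deck: the parent zone does not copy the child's key but publishes a DS record carrying the key tag and a SHA-256 digest of the child's DNSKEY (RFC 4034, RFC 4509), and covers that DS record with its own signature. The block builds the DNSKEY RDATA, key tag and DS digest and checks a child key set against the parent's DS set; the four-byte key is a constructed placeholder, not a real key.

```python
import hashlib

def name_to_wire(name):
    """Owner name in canonical DNS wire form: length-prefixed lowercase labels ending in a zero byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2): flags | protocol | algorithm | key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; the non-RSA/MD5 form)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2 = SHA-256(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def child_key_matches_ds(owner, rdata, ds_record):
    """True when this DNSKEY is the one the parent's DS (key_tag, algorithm, digest_type, digest) names."""
    return ds_record == (key_tag(rdata), rdata[3], 2, ds_digest(owner, rdata))

def delegation_is_trusted(owner, child_keys, parent_ds_set):
    """Chain-of-trust step: the delegation holds if any child DNSKEY is referenced by any parent DS.
    (The parent's DS RRset is itself covered by the parent's signatures, which this block omits.)"""
    return any(child_key_matches_ds(owner, key, ds) for key in child_keys for ds in parent_ds_set)

# Constructed example: a placeholder key (real keys are far longer); flags 257 marks a key-signing key.
CHILD_OWNER = "example.test."
CHILD_KEY = dnskey_rdata(257, 3, 13, bytes.fromhex("01020304"))
PARENT_DS = (key_tag(CHILD_KEY), 13, 2, ds_digest(CHILD_OWNER, CHILD_KEY))
```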
Questions?
Reading:

Top 10 DNS attacks: http://www.networkworld.com/article/2886283/security0/top-10-dns-attacks-likely-to-infiltrate-your-network.html
Manage your domain portfolio: http://securityskeptic.typepad.com/the-security-skeptic/2014/01/avoid-risks-manage-your-domain-portfolio.html
Securing open DNS resolvers: http://www.gtri.com/securing-open-dns-resolvers-against-denial-of-service-attacks/
DNS Tunneling: https://www.cloudmark.com/releases/docs/whitepapers/dns-tunneling-v01.pdf
DNS cache busting: http://blog.cloudmark.com/2014/10/07/a-dns-cache-busting-technique-for-ddos-style-attacks-against-authoritative-name-servers/
DNS Cache Poisoning: http://www.securityskeptic.com/dns-cache-poisoning.html
Anatomy of a DDoS attack: http://www.securityskeptic.com/anatomy-of-dns-ddos-attack.html
DNS reflection defense: https://blogs.akamai.com/2013/06/dns-reflection-defense.html
Protect the world from your network: http://securityskeptic.typepad.com/the-security-skeptic/2013/04/protecting-the-world-from-your-network.html
DNS Traffic Monitoring Series: http://www.securityskeptic.com/2014/09/dns-traffic-monitoring-series-at-dark-reading.html
Protect your DNS servers against DDoS attacks: http://www.gtcomm.net/blog/protecting-your-dns-server-against-ddos-attacks/
Fast Flux Botnet Detection in Realtime: http://www.iis.sinica.edu.tw/~swc/pub/fast_flux_bot_detection.html
DNS resource exhaustion: https://www.cloudmark.com/releases/docs/whitepapers/dns-resource-exhaustion-v01.pdf