make the internet safe with dns firewall response policy
play

Make the Internet safe with DNS firewall Response Policy Zones (RPZ) - PowerPoint PPT Presentation

Jan 13, 2024 •370 likes •766 views

1 Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019 2 Great Asean Fastest Growing Area of Threats Over 200 Billion devices connected worldwide by 2020. Over 13 million active bots recorded for January 2019.

  1. 1 Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019

  2. 2 Great Asean Fastest Growing Area of Threats Over 200 Billion devices connected worldwide by 2020. Over 13 million active bots recorded for January 2019. Most activity coming from countries within the ASEAN region. SGNOG 7 2019

  3. 3 Phishing & BEC A report by the Cyber Security Agency of Singapore (CSA) In 2018: 6,179 cybercrime cases were reported 378 business email impersonation scams This led to businesses in Singapore suffering close to S$58 million (US$42 million) in losses. Council of Anti-Phishing Japan https://www.antiphishing.jp/news/alert/ SGNOG 7 2019

  4. 4 Malicious Downloads Ransomware Malware Root Kits www.Singaporeair.com.promotion.winner.Werzfwervjiaeirsvisatlserkvalesrebiajrsre.ga SGNOG 7 2019

  5. 5 Cryptojacking Servers Websites Mobile Applications SGNOG 7 2019

  6. DGA Domain Generating Algorithm 6 93b375dd6cd9f2704d613d1016dbe0f2.info 93b375dd6cd9f2704d613d1016dbe0f2.tk BOT 1 afcc0c1f4b9fd590a61ba1c24b49b525.ga afcc0c1f4b9fd590a61ba1c24b49b525.info afcc0c1f4b9fd590a61ba1c24b49b525.ml afcc0c1f4b9fd590a61ba1c24b49b525.online bbc16e2659b9b9b5128c2f7e5877d29b.cf bbc16e2659b9b9b5128c2f7e5877d29b.ga bbc16e2659b9b9b5128c2f7e5877d29b.gq f62b550a0e5e4f234fdd30c927665c91.xyz SGNOG 7 2019

  7. C2 Command & Control 7 Infected Nodes & Devices (Bots) C2 Command & Control Servers C&C SERVER BOT SGNOG 7 2019

  8. 8 BOTS BOT SGNOG 7 2019

  9. 9 Global Bots 14000000 12,927,176 12000000 10000000 8,051,914 8000000 2019 6000000 2017 4000000 2000000 BOT 0 2017 World 2019 World SGNOG 7 2019

  10. 10 Singapore Bots 200000 181,066 180000 160000 140000 120000 96780 100000 1 2019 80000 2017 60000 40000 BOT 20000 BOT BOT 0 SGNOG 7 2019

  11. 11 2017 Singapore Bot Data SGNOG 7 2019

  12. 12 2019 Singapore Bot Data SGNOG 7 2019

  13. 13 14 Years Old A.K.A Light Leafon SGNOG 7 2019

  14. 14 What do these threats have in common? SGNOG 7 2019

  15. 15 How can you detect this type of activity across your entire network? SGNOG 7 2019

  16. 16 What is DNS Response Policy Zones (RPZ)? Mechanism to introduce a customized policy in Domain Name System servers SGNOG 7 2019

  17. 17 A Treasure Trove of data in your DNS SGNOG 7 2019

  18. 18 How DNS works The Internet Address Book ISP . COM Query: www.google.co.jp Query: www.google.co.jp . CO.JP Cname: www.google.co.jp . NET Where is www.google.co.jp DNS Resolver Other DNS Servers Where is www.google.co.jp? Do you know www.google.co.jp? SGNOG 7 2019

  19. 19 Malicious activities also need DNS Malicious Activity also uses same DNS MALICIOUS ACTIVITY ISP . COM Query: www.goog1e.co.jp 1 Query: www.goog1e.co.jp . CO.JP BOT Cname: www.goog1e.co.jp . NET www.nttdocono.com www.badguys.com Dgaefcaseiwoweijvkajl.com Where is www.goog1e.co.jp? DNS Resolver Other DNS Servers Where is www.goog1e.co.jp? Do you know www.goog1e.co.jp? SGNOG 7 2019

  20. 20 Malicious activities also need DNS Many things connect to the internet MALICIOUS ACTIVITY ISP . COM Query: www.goog1e.co.jp 1 Query: www.goog1e.co.jp . CO.JP BOT Cname: www.goog1e.co.jp . NET DNS LOGS? www.nttdocono.com www.badguys.com Dgaefcaseiwoweijvkajl.com Where is www.goog1e.co.jp? DNS Resolver Other DNS Servers Where is www.goog1e.co.jp? Do you know www.goog1e.co.jp? SGNOG 7 2019

  21. 21 DNS Logs + ELK Stack Malicious Activity ISP 1 Query: www.goog1e.co.jp Level Source Threat T ype BOT Critical 10.24.31.13 C2 Comm Cname: www.goog1e.co.jp Critical 131.31.23.13 Malware Domain NXDomain Cname High 34.123.22.41 Ransomware Sinkhole High 51.1.31.44 DGA Domain RPZ Data Where is www.goog1e.co.jp? Log Report DNS Resolver Where is www.goog1e.co.jp? Who accessed goog1e.co.jp? SGNOG 7 2019

  22. 22 IoT and Infected Devices Infected Devices ISP 1 Query: CCdomains.co.jp Level Source Threat T ype Critical 10.24.31.13 C2 Comm Cname: CCdomains.co.jp Critical 131.31.23.13 Malware Domain High 34.123.22.41 Ransomware High 51.1.31.44 DGA Domain RPZ Data Where is Ccdomains.co.jp? Log Report DNS Resolver Where is Ccdomains.co.jp ? Who accessed CCdomains.co.jp? SGNOG 7 2019

  23. 23 Internal Malicious Activity Malicious User DNS Query: Corporate AD Level Source Threat T ype Critical 10.13.22.31 Active Directory Critical 10.13.22.31 Active Directory Active High 10.13.22.31 MS Exchange Directory Low 51.1.31.44 Other AD Mail Server Where is company AD server? Log Report DNS Resolver Who accessed AD Server? Scan for AD or other Internal Servers SGNOG 7 2019

  24. 24 We already have a firewall. We have a proxy/web filter. We use endpoint security. We have a SIEM. SGNOG 7 2019

  25. 25 DNS RPZ - Detect, protect, and, analyze ● Due to HTTPs filtering on proxy is almost no point of use. ● DNS Firewall works on recursive DNS servers ● Its easy to classify threats based on threat intelligence ● Over 91% percent malware uses DNS(As Cisco 2016 Annual Cyber security report) ● Use Of DNS Firewalls Could Reduce 33% Of All Cybersecurity Breaches, New Global Cyber Alliance Research Finds. According to the study, DNS firewalls might have prevented $10 billion in data breach losses from the 11,000 incidents in the past five years. https://finance.yahoo.com/news/dns-firewalls-could- reduce-33-140000777.html ● No new instrustruce needed to implement ● All open source tools used ● Easy to handle false positive ● RFC: https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00 SGNOG 7 2019

  26. 26 Use Case: Implementation at a major ISP One Recursive DNS server for Bind : LXD Container with Ubuntu 18.04 , vCPU:8 cores,Memory : 8GB,Storage:100GB. We used Bind.Unbound ,PowerDNS recursor also support RPZ for DNS firewall. Second server ELK stack for data visualization. LXD Container with Ubuntu 18.04 vCPU:4 cores,Memory : 4GB,Storage:100GB RPZ zones Data feed from RPZ feed provider Any feed provider. You can also test for 1 month with trial. . SGNOG 7 2019

  27. 27 Using Open Source Tools to Monitor Your DNS Activity The ELK stack is a collection of three open source tools - E lasticsearch + L ogstash + K ibana along with log shipper SGNOG 7 2019

  28. 28 Classified Threats and Policy Zones Following RPZ zones were added at the end of the /etc/bind/named.conf.options using the response-policy.Bind currently has a 32 zone limit response-policy { Extemely easy to setup. zone "rpz.local"; Sample Configuration ### 11 Standard Feeds 5 Min Install Classified threats include. zone "adware.host.dtq"; zone "badrep.host.dtq"; Phishing zone "bad-nameservers.ip.dtq" ; Malware zone "bad-nameservers.host.dtq"; Criminal Networks zone "bogons.ip.dtq"; Bad Nameservers zone "botnetcc.host.dtq"; Malicious Adware zone "botnet.host.dtq"; Cryptominer zone "botnetcc.ip.dtq"; CryptJacker zone "dga.host.dtq"; And more. zone "malware.host.dtq"; zone "phish.host.dtq"; SGNOG 7 2019

  29. 29 Simple Configuration : Get RPZ data from Masters and Genrating RPZ logs RPZ zones will be downloaded from feed provided as a slave zone. zone "malware.edit.host.dtq" { type slave; file "dbx.malware.edit.host.dtq"; masters {199.168.xx.xx;199.168.xx.xx;199.168.xx.xx; }; allow-transfer { none; }; }; Bind RPZ Logging: channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info;}; category rpz { rpzlog; }; SGNOG 7 2019

  30. 30 How to parse/filter logs with Logstash..1 filter { if [source] == "/var/cache/bind/rpz.log" { grok { match => [ "message", "%{DATA:NC_timestamp} %{DATA} %{GREEDYDATA}info: %{DATA:X_client} %{GREEDYDATA:X_step2}" ] } date { match => [ "timestamp", "MMM dd HH:mm:ss", "MMM dd HH:mm:ss" ] } #### drop unneeded events by X_client if [X_client] != "client"{ drop { } } mutate { remove_field => [ "X_client" ] } #### Filter X_step2 grok { match => [ "X_step2", "%{DATA} %{DATA:NC_srcip}#%{GREEDYDATA} \(%{DATA:NC_hostname}\): %{DATA:X_rpz} %{GREEDYDATA:X_step3}" ] } SGNOG 7 2019

  31. 31 How to parse/filter logs with Logstash..2 #### drop unneeded events by X_rpz if [X_rpz] != "rpz"{ drop { } } mutate { remove_field => [ "X_rpz", "X_step2" ] } #### Filter X_step3 grok { match => [ "X_step3", "%{GREEDYDATA} via %{GREEDYDATA:X_type}" ] } mutate { remove_field => [ "X_step3" ] } SGNOG 7 2019

  32. 32 How to parse/filter logs with Logstash..3 #### RPZ-Type if [X_type] =~ "rpz.local" { mutate { add_field => [ "NC_rpz_type", "rpz.local" ] } } else if [X_type] =~ "adware.host.dtq" { mutate { add_field => [ "NC_rpz_type", "adware.host.dtq" ] } } else if [X_type] =~ "badrep.host.dtq" { mutate { add_field => [ "NC_rpz_type", "badrep.host.dtq" ] } } else if [X_type] =~ "bad-nameservers.ip.dtq" { mutate { add_field => [ "NC_rpz_type", "bad-nameservers.ip.dtq" ] } } SGNOG 7 2019

  33. 33 DNS Firewall Use Case SGNOG 7 2019

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

(11-14) How much do you know about the internet? Make sure you stay SAFE AND SECURE ONLINE YOU

(11-14) How much do you know about the internet? Make sure you stay SAFE AND SECURE ONLINE YOU

(11-14) How much do you know about the internet? Make sure you stay SAFE AND SECURE ONLINE YOU KNOW EMAIL YOU KNOW SOCIAL NETWORKING YOU KNOW INSTANT MESSAGING YOU KNOW DOWNLOADS YOU KNOW GAMING MAKE SURE YOU Know Your World Make the

781 views • 28 slides
Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
Ultra Clean Technology Stifel Technology, Internet & Media Conference June 7, 2016 Safe

Ultra Clean Technology Stifel Technology, Internet & Media Conference June 7, 2016 Safe

Ultra Clean Technology Stifel Technology, Internet & Media Conference June 7, 2016 Safe Harbor This presentation may contain forward-looking statements and management may make additional forward- looking statements in response to your

553 views • 18 slides
Safe Browsing at SIIT Here is the web page containing your news feeds Response Response

Safe Browsing at SIIT Here is the web page containing your news feeds Response Response

Safe Browsing at SIIT Here is the web page containing your news feeds Response Response http://www.facebook.com/ Send me the web page of my news feeds the Internet Request Request wsiit Login as 5722123456 with mysEcretpassw0rd the

568 views • 14 slides
Internet Safety Click Clever. Click Safe. Internet safety guidelines for children to follow and

Internet Safety Click Clever. Click Safe. Internet safety guidelines for children to follow and

Internet Safety Click Clever. Click Safe. Internet safety guidelines for children to follow and learn. The internet is amazing when used safely and correctly. Here are some simple rules that will help you make sure it stays amazing so that it

328 views • 11 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security

1.07k views • 67 slides
Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of

Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of

Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of firewall configuration complexity leads to errors coordinated changes on many devices are hard multi-vendor environments make the job even

314 views • 28 slides
Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005 1 Project Objectives Methods that improve network firewall performance 1. Develop policy optim ization techniques Formal

221 views • 9 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
Class Session 4 Firewalls Exercise 1 You are asked to design the firewall policy for the

Class Session 4 Firewalls Exercise 1 You are asked to design the firewall policy for the

Class Session 4 Firewalls Exercise 1 You are asked to design the firewall policy for the following network. Note that these are stateful , bidirectional firewalls . The only flags you need to worry about are SYN and SYN-ACK. The following

415 views • 3 slides
Policy and Technology Drivers in Policy and Technology Drivers in the Internet of Things the

Policy and Technology Drivers in Policy and Technology Drivers in the Internet of Things the

Policy and Technology Drivers in Policy and Technology Drivers in the Internet of Things the Internet of Things Grald Santucci Head of Unit Networked enterprise & Radio Frequency Identification (RFID) Internet of Things 2008, Zurich

732 views • 28 slides
Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly Creswell Crow-Applegate-Lorane Fern Ridge Junction City Lowell Mapleton Screened, but exempt from policies Marcola

539 views • 15 slides
The Internet: How To Be Safe and Smart 1 Whos On The Internet? 2 Youre not alone! There

The Internet: How To Be Safe and Smart 1 Whos On The Internet? 2 Youre not alone! There

The Internet: How To Be Safe and Smart 1 Whos On The Internet? 2 Youre not alone! There are 3.5 BILLION people who are on the Internet in some form or fashion. Thats a LOT of people! 3 Why Should I Worry? 4 Did you know? 86%

980 views • 35 slides
Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3 State-independent interior operators Interior operator from HP recovery 6 5 Resolution of the puzzle Effect of infalling observer 7 Discussions Beni

1.61k views • 106 slides
Verified Firewall Policy Transformations for Test Case Generation Achim D. Brucker 1 ugger 2

Verified Firewall Policy Transformations for Test Case Generation Achim D. Brucker 1 ugger 2

Verified Firewall Policy Transformations for Test Case Generation Achim D. Brucker 1 ugger 2 Lukas Br Paul Kearney 3 Burkhart Wolff 4 1 SAP Research, Germany 2 Information Security, ETH Z urich, Switzerland 3 Security Futures Practice, BT

629 views • 29 slides
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A firewall is only as good as its configuration Big deal, it should be easy to configure a firewall, right? Basically... no. A Quantitative

507 views • 14 slides
ACA Webinar Maximizing Display ROI An Update On Auditing Best Practices Hello! I a am m

ACA Webinar Maximizing Display ROI An Update On Auditing Best Practices Hello! I a am m

ACA Webinar Maximizing Display ROI An Update On Auditing Best Practices Hello! I a am m Fearga gal C Conno nnor. I I am the C CEO a and F Found nder o of M Mediaopt ptimise. Founded i in 2011 i in Montr treal al, C Canad

728 views • 55 slides
DIGITAL ADVERTISING TRANSPARENCY, CONTROL, CONSENT March 2018 Technical standard in development

DIGITAL ADVERTISING TRANSPARENCY, CONTROL, CONSENT March 2018 Technical standard in development

DIGITAL ADVERTISING TRANSPARENCY, CONTROL, CONSENT March 2018 Technical standard in development and subject to change. Agenda Issue: EU Regulatory Challenges Solutions Closed Ecosystem Open Framework within an independent and

1.66k views • 25 slides
Capital Market Presentation Segments of operations, results for 2018 and Q4 2018. April 2019

Capital Market Presentation Segments of operations, results for 2018 and Q4 2018. April 2019

Capital Market Presentation Segments of operations, results for 2018 and Q4 2018. April 2019 website e-mail www.somoto.com investors@somoto.net The presentation contains data, including results, estimates, forecasts, including forecasts

216 views • 21 slides
POWERING DIGITAL ADVERTISING German Equity Forum Fyber N.V. 28 November 2017 THE FYBER GROUP

POWERING DIGITAL ADVERTISING German Equity Forum Fyber N.V. 28 November 2017 THE FYBER GROUP

POWERING DIGITAL ADVERTISING German Equity Forum Fyber N.V. 28 November 2017 THE FYBER GROUP 15 140 15 LONDON Publicly Traded BERLIN BEIJING 25 45 FBEN Frankfurt 80 SAN NEW YORK FRANCISCO TEL AVIV 6 Offices Tel Aviv | New York

325 views • 29 slides
1 Agenda 1 2 3 4 2016 Half-year Group Business Outlook 2016 2016 highlights financials

1 Agenda 1 2 3 4 2016 Half-year Group Business Outlook 2016 2016 highlights financials

1 Agenda 1 2 3 4 2016 Half-year Group Business Outlook 2016 2016 highlights financials update 2 Highlights Record interim operating results +3.2 % 2,878 million 1.00 87 % Revenue Cash conversion rate Interim dividend 20.2

827 views • 24 slides
Effective Automated Windows Lab Deployment Fons Mijnen Vincent van Dongen February 6, 2017 Fons

Effective Automated Windows Lab Deployment Fons Mijnen Vincent van Dongen February 6, 2017 Fons

Effective Automated Windows Lab Deployment Fons Mijnen Vincent van Dongen February 6, 2017 Fons Mijnen, Vincent van Dongen Effective Automated Windows Lab Deployment February 6, 2017 1 / 33 Problem part 1 IT professionals, students, and

351 views • 34 slides
Tracing Cross Border Web Tracking Costas Iordanou Georgios Smaragdakis Ingmar Poese

Tracing Cross Border Web Tracking Costas Iordanou Georgios Smaragdakis Ingmar Poese

Tracing Cross Border Web Tracking Costas Iordanou Georgios Smaragdakis Ingmar Poese Nikolaos Laoutaris We Web adver)sing fuels the w fuels the web eb 1 The r Th e rise of e of t targeted ed a ads Why Targeted ads? How it

584 views • 42 slides
Windows Server 2003 Windows Server 2008 Windows Server 2012 Hardwar are Innovat ation ion

Windows Server 2003 Windows Server 2008 Windows Server 2012 Hardwar are Innovat ation ion

Windows Server 2003 Windows Server 2008 Windows Server 2012 Hardwar are Innovat ation ion Hardwar are Innovat ation ion X86 Symmetric X64 Servers Multi-Processor Multi-Core Servers (2- (SMP) Servers 4 cores per socket)

504 views • 34 slides

More recommend