scale-your-dns-infrastructure-to-ensure-app-and-service-availability.pdf
TRANSCRIPT
Scale your DNS Infrastructure: Ensure App and Service Availability
Nigel Ashworth
Solution Architect EMEA
+44 77 88 436 325
F5 Agility 2014 2
Agenda
• DNS and F5
• Use Cases - the top four
• Firewall for DNS or a DNS Firewall?
• DNS Reputational Intelligence
• Competitive Comparisons
• DNS Mitigation Test Framework
• Context and DNS
F5 DNS: GSLB to DNS Delivery
• 10.X: Comprehensive GSLB.
• 11.0: High performance DNS delivery.
• 11.1 / 11.2: High performance caching and resolving.
• 11.3: Visibility and reporting.
• 11.4: Security and elastic scalability.
• 11.5: Ease of use. Ease of deployment. Service provider enhancements.
• 11.6: Security (DoS).
F5 DNS: Secure High Performance DNS (current release)
F5 DNS Key Drivers
Performance and Consolidation: Service Providers need scale to support millions of subscribers. F5 DNS products have unprecedented scale in virtual, appliance and chassis versions. F5 DNS integrates an ICSA certified firewall into the same footprint. Integrate with other F5 modules running on the same hardware.
Security: DNS Protocol Validation scrubs the incoming DNS queries to only answer valid clients. Massive scale allows BIG-IP to absorb large attacks. Query type filtering and rate limiting features can further protect DNS resources.
Flexible GSLB Integrated with LTM: GTM provides the best answer for DC availability through Intelligent DNS. Base answers on topology, geo-location, health and more.
Addresses Key Customer Pain Points, reducing OpEx and CapEx: F5 DNS Solutions can scale existing DNS installations. Scale without impacting operations. Optimized Service Provider DNS solutions maximize uptime and match core resources with customer demand.
CONVENTIONAL DNS THINKING (diagram): Internet, external firewall, DNS load balancing, array of DNS servers in the DMZ, internal firewall, hidden master DNS in the datacenter.
F5 PARADIGM SHIFT (diagram): Internet, BIG-IP Global Traffic Manager (30M RPS), master DNS infrastructure.
DNS roles (diagram, built up over three slides):
1 Local DNS - Where is www.f5.com?
2 Authoritative DNS - Where is www.bell.co.za?
3 GSLB DNS - Where is the closest service? (Data Center / Data Center)
4 Mobile core - GGSN / PGW, SGW/SGSN, MME, (e)NodeB; BIG-IP Platform providing DNS and GSLB
DNS Firewall placed in front of the mobile core (marked "!" on the slide).
Anatomy of a DNS Firewall
• IP Anycast
• Pre filter
• Packet inspection
• Performance
• Scaling resolution
• DNSsec and Validation
• Reporting and Automation
• DNS Reputational Intelligence
• DNS scrubbing
• Hardware sizing
• Certification
Packet path (diagram): Clients (IPv4 / IPv6, TCP / UDP) -> Protocol Validation + ACL -> iRules -> DNSSEC -> GSLB (6-4) with GSLB iRules -> DNS Express (6-4) with DNSSEC -> RPZ / Cache / Resolver -> DNS 6-4 -> DNS LB Pool -> DNS Server Pool (iRules, Local BIND). Request / Response on the client side; AXFR Request / AXFR Response (Zone XFR) between DNS Express and the DNS server pool.
Performance (diagram): performance over time as TMOS moves from a single processor to SMP, with 2x, 4x and 8x scaling.
Reporting and Automation - Advanced DNS Analytics:
– Applications
– Virtual Servers
– Query Name
– Query Type
– Client IP
DNS Reputational Intelligence: three choices, Response Policy Zones, URL Filtering and IP Intelligence (detailed under "DNS IP and Name Reputation Choices" below).
DNS scrubbing - tiered DDoS architecture (diagram):
Tier 1 - Network and DNS: strategic point of control, multiple ISP strategy, access control and policy enforcement. Network attacks: ICMP flood, UDP flood, SYN flood. DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning.
Tier 2 - Application (IPS, next-generation firewall): SSL attacks: SSL renegotiation, SSL flood. HTTP attacks: Slowloris, slow POST, recursive POST/GET.
Actors and inputs: legitimate users (corporate users, financial services, e-commerce, subscribers), DDoS attacker, scanner, anonymous proxies, anonymous requests, botnet attackers; threat feed intelligence; ISP a/b with a cloud scrubbing service.
Hardware sizing - platforms: VIPRION 4800, VIPRION 44xx Chassis, VIPRION 2400 Chassis, BIG-IP 10x00, BIG-IP 7x00, BIG-IP 5x00, BIG-IP 4x00.
Protecting the Client - the internet isn't an altogether safe place
MALICIOUS THREATS
• BotNets: inadvertently downloaded and used to mount distributed attacks.
• Viruses: once installed, cause malicious activity on the end-user device, sometimes for ransom.
• OS vulnerabilities: unprotected, unpatched devices are extremely vulnerable.
UNDESIRABLE CONTENT
• Offensive: content may violate HR or local rules, violate decency standards, or be age inappropriate.
• Irrelevant: distractive content incompatible with job function or policy.
• Illegal content: file sharing or sites identified as hosting banned material.
DUPING THE USER
• Phishing scams and man in the middle: websites which impersonate real websites, often linked from email or a website. Scammers aim to capture credentials.
• Site redirection: DNS traffic is captured and sent to a malicious DNS server serving bad DNS results (such as a compromised CPE).
DNS IP and Name Reputation Choices
• Response Policy Zones (RPZ)*: screens a DNS request against domain names with a bad reputation. Mitigates threats by FQDN. Applied on the ingress DNS path.
• URL Filtering: categorize the FQDN from the request and make a decision. Policy control by FQDN. Applied to HTTP, HTTPS and DNS with iRules.
• IP Intelligence: categorize the IP address from the response and make a decision. Mitigates threats by the IP address in the response. Applied to any IP protocol with iRules.
*Response Policy Zones (RPZ) are a form of DNS firewall in which the rule sets are expressed as specially constructed DNS zones. In this case, using RPZ means subscribing to commercial threat feeds that provide the up-to-date RPZ lists of bad domains.
Technical Use Cases
Nature of threat, and which of IP Intelligence, URL Filtering and RPZ addresses it:
• http://www.badsite.com - protect users from accessing malicious websites. DNS lookup required. Covered by URL Filtering and RPZ; IP Intelligence* is limited to IP address reputation.
• http://194.71.107.15 - protect users from accessing a malicious website by IP address. No DNS lookup issued. Covered by IP Intelligence*; URL Filtering and RPZ have no DNS lookup to filter and no URL or FQDN to examine.
• http://www.facebook.com - social networking, against corp policy. Covered by URL Filtering; IP Intelligence is limited to IP address reputation and RPZ covers malicious content only.
*IPI blocks both the bad IP address (http://194.71.107.15) AND the domain name (www.badsite.com) mapped to the bad IP address.
Use Case – Client Protection: prevent subscribers from reaching known bad domains
Prevent malware and sites hosting malicious content from ever communicating with a client. Internet activity starts with a DNS request. Inhibit the threat at the earliest opportunity.
Diagram: BIG-IP GTM with an IPv4/v6 listener, iRules, protocol validation, cache and resolver; a reputation database fed by an RPZ feed (with updates) drives special handling of matching queries.
Use Case – Parental or Enterprise Behavior Controls: customized DNS decisions based on domain categories
• Determine subscriber policies and use the iControl API to furnish these into iRules.
• Classify client traffic by source and retrieve their specific policy for categories and permissions.
• Block or provide walled garden responses according to subscriber preferences.
• Provided through the URL Filtering license and DNS iRules.
Diagram: a query for WWW.DOMAIN.COM enters DNS iRules, which classify it (SOCIAL, PARKED DOMAIN, GAMES, BUSINESS, ALL OTHERS, LOG) against the subscriber policy held in subscriber datagroups (populated via iControl / iQuery); the URL feed supplies the categories; cache / resolver sit behind the iRules.
Use Case – Layered Client Protection
• Response Policy Zones (RPZ) filters out and provides NXDOMAIN / Redirect for known bad domains.
• URL Filtering further provides granular policy controls using categories.
• IP Intelligence blocks based on the resolved IP.
• It can also be used in the data path for other protocols.
Diagram: a query for WWW.DOMAIN.COM passes through DNS iRules (request / response) on the ingress DNS path (RPZ, then URL Filtering) and the cache / resolver; IP Intelligence is applied on the egress DNS path to the response. Feeds: RPZ feed, IPI feed, URL feed; subscriber policy via iControl / iQuery.
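The three layers above, in the order the slide applies them (RPZ on the request, category policy per subscriber on the request, IP Intelligence on the response), as an added Python example. This is not F5 iRule code: the RPZ rules, URL categories, subscriber policy table, IPI reputation list and the stub resolver are all constructed sample data standing in for the RPZ feed, URL feed, IPI feed and a real resolver.

```python
"""Layered DNS client protection: RPZ -> URL-category policy -> IP Intelligence.

Added example, not F5 code. All feeds and the resolver below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Layer 1 (request path): RPZ-style rules (constructed feed). Keys follow RPZ
# QNAME-trigger semantics: an exact name, or "*." + name for everything under it.
# Values are the action: "NXDOMAIN" (RPZ "CNAME .") or "REDIRECT:<walled garden name>".
RPZ_RULES = {
    "badsite.example": "NXDOMAIN",
    "*.badsite.example": "NXDOMAIN",
    "tunnel-host.example": "REDIRECT:blocked.walledgarden.example",
    "*.tunnel-host.example": "REDIRECT:blocked.walledgarden.example",
}

# Layer 2 (request path): URL-feed categories and per-subscriber policy (constructed).
URL_CATEGORIES = {"social.example": "SOCIAL", "games.example": "GAMES", "intranet.example": "BUSINESS"}
SUBSCRIBER_POLICY = {
    ip_network("10.1.0.0/16"): {"blocked": {"SOCIAL", "GAMES"}, "walled_garden": "blocked.walledgarden.example"},
    ip_network("10.2.0.0/16"): {"blocked": set(), "walled_garden": None},
}

# Stub resolver and layer 3 (response path) IPI reputation list (constructed, documentation ranges).
STUB_RESOLVER = {
    "social.example": ["203.0.113.10"], "games.example": ["203.0.113.20"],
    "intranet.example": ["192.0.2.5"], "mirror.example": ["198.51.100.7"], "news.example": ["198.51.100.8"],
}
IPI_BAD = {ip_network("198.51.100.0/29"): "malware_host"}  # covers 198.51.100.0-7


@dataclass
class Verdict:
    action: str          # ANSWER, NXDOMAIN, REDIRECT or BLOCK
    layer: str           # which layer decided: rpz, url_filter, ipi, resolver or none
    detail: str = ""
    answers: tuple = ()


def rpz_lookup(qname):
    """Exact match first, then the wildcard rule of each ancestor (RPZ QNAME semantics)."""
    name = qname.rstrip(".").lower()
    if name in RPZ_RULES:
        return RPZ_RULES[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in RPZ_RULES:
            return RPZ_RULES[wild]
    return None


def subscriber_policy(client_ip):
    """Classify the client by source address and return its category policy."""
    addr = ip_address(client_ip)
    for net, policy in SUBSCRIBER_POLICY.items():
        if addr in net:
            return policy
    return {"blocked": set(), "walled_garden": None}   # unknown subscriber: no category blocks


def ip_reputation(addr):
    a = ip_address(addr)
    return next((tag for net, tag in IPI_BAD.items() if a in net), None)


def handle_query(client_ip, qname):
    name = qname.rstrip(".").lower()
    rule = rpz_lookup(name)                               # layer 1: RPZ on the ingress path
    if rule == "NXDOMAIN":
        return Verdict("NXDOMAIN", "rpz", name)
    if rule and rule.startswith("REDIRECT:"):
        return Verdict("REDIRECT", "rpz", rule.split(":", 1)[1])
    category = URL_CATEGORIES.get(name, "ALL OTHERS")     # layer 2: category policy per subscriber
    policy = subscriber_policy(client_ip)
    if category in policy["blocked"]:
        if policy["walled_garden"]:
            return Verdict("REDIRECT", "url_filter", policy["walled_garden"])
        return Verdict("NXDOMAIN", "url_filter", category)
    answers = STUB_RESOLVER.get(name)                     # resolve (stub)
    if answers is None:
        return Verdict("NXDOMAIN", "resolver", name)
    for addr in answers:                                  # layer 3: IPI on the egress path
        tag = ip_reputation(addr)
        if tag:
            return Verdict("BLOCK", "ipi", f"{addr} ({tag})")
    return Verdict("ANSWER", "none", category, tuple(answers))


if __name__ == "__main__":
    for client, q in [("10.1.5.5", "www.badsite.example"), ("10.1.5.5", "social.example"),
                      ("10.2.5.5", "social.example"), ("10.2.5.5", "mirror.example")]:
        print(client, q, handle_query(client, q))
```

The order matters: RPZ and category policy run before any resolution, so a blocked name never generates upstream traffic, while IP Intelligence can only run once the answer exists, which is why the slide places it on the egress path.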
A word on terminology
DNS Express: a high performance authoritative DNS slave. Zone transfer from an existing DNS server and get scale and security.
DNS Caching: place the F5 BIG-IP in front of a DNS resolver and massively increase DNS performance by caching responses.
DNS Resolver: use the high performance DNS resolver in BIG-IP to consolidate all DNS and firewall functions into one platform.
DNS Authoritative on F5 BIG-IP Appliances (chart; DNS Express is utilized for BIG-IP numbers). Y axis: responses per second, 0 to 1,800,000. Platforms: 2000S, 2200S, 4000S, 5000S, 4200V, 7000S, 10000S, 5200V, 10200V, 7200V. Series: 11.4 and 11.5.
DNS Authoritative on F5 VIPRION (chart; DNS Express is utilized for BIG-IP numbers). Y axis: responses per second, 0 to 25,000,000. Platforms: B2150 blade, B2100 blade, B2250 blade, B4200 blade, B4300 blade, 2400 w/B2100, 2400 w/B2250, 4480 w/B4300, 4800 w/B4300. Series: 11.4 and 11.5.
DNS Caching on F5 BIG-IP Appliances (chart). Y axis: responses per second, 0 to 1,400,000. Platforms: 2000S, 2200S, 4000S, 4200V, 10000S, 5000S, 7000S, 10200V, 5200V, 7200V. Series: 11.4 and 11.5. Highlighted: 1.3M RPS.
DNS Caching on F5 VIPRION (chart). Y axis: responses per second, 0 to 18,000,000. Platforms: B2150 blade, B2100 blade, B4300 blade, B2250 blade, 2400 w/B2100, 4480 chassis, 2400 w/B2250, 4800 chassis. Series: 11.4 and 11.5. Highlighted: 15.5M RPS.
DNS Caching - cost per 1K RPS, F5 versus Infoblox (chart). Y axis: cost in USD based on list, 0 to 1600. X axis, included functions: Enterprise & SP (caching/resolving inc., authoritative inc., GSLB inc.); Enterprise (caching/resolving inc., authoritative inc.); SP (caching/resolving inc., authoritative inc.); SP (caching/resolving inc.).
DNS Authoritative - cost per 1K RPS, F5 versus Infoblox (chart). Same axes and included-function groupings.
DNS Cache Performance - Infoblox platform by platform comparison with F5 (chart). Y axis: RPS, 0 to 1,400,000. Pairs (platforms are grouped by like pricing): 2000S vs Infoblox Trinzic 1420; 2200S vs Trinzic 2210; 4000S vs Trinzic 2220; 7000S vs Trinzic 4010; 7200V vs Trinzic 4030.
DNS Authoritative Performance - Infoblox platform by platform comparison with F5 (chart). Y axis: RPS, 0 to 1,800,000. Same platform pairs, grouped by like pricing.
Test Rig – Mid platform 2400
• Three major components
• Traffic generation (internal and external)
• DNS server caching resolver (mid platform BIG-IP 2400 loaded with 4 blades)
• Traffic responses (external)
Diagram: VIPRION 2400 chassis (highlighted in the platform range VIPRION 4800, 44xx, 2400; BIG-IP 10x00, 7x00, 5x00, 4x00); 10 / 40 Gb interfaces and network; traffic generator: 10M DNS requests; traffic generator and responder: 10M DNS requests / responses.
Tests to be performed and why
• First, what to de-risk? Two areas (they are very different and open to different types of attacks):
• Cache in a DNS server
• Resolver in a DNS server
• Types of attacks – many types:
• Volumetric: bad protocol / floods / amplification / reflective; zero TTL – consuming resources; DNSsec – poisoning
• Functional: malware – internal and external RPZ lists; banned lists – ACLs against a domain list; DNS tunnelling – remove free loaders
Traffic Generation for Caching mitigation
• 10M requests per second as internal user requests, broken down as:
• 50% malware (50/50 customer list and feed lists)
• 20% bad protocol requests
• 10% valid users
• 10% DNS tunnelling
• 10% zero TTL on domains (queue protection for the resolver)
• 10 or 40Gb interfaces for scalability
• Can be split across multiple sources / servers
Traffic Generation for Resolver mitigation
• Internal traffic generation and responder on the external side:
• 200K requests per second as internal user requests, all valid users going to the internet (turn cache off so all requests go to the resolver)
• External traffic generation:
• 10M requests per second as attacker requests, broken down as:
• 10% bad IP addresses – Webroot addresses
• 40% reflective attackers
• 40% amplification attackers
• 10% bad protocol requests – DNS flood
• 10 or 40Gb interfaces for scalability
• Can be split across multiple sources / servers
DNS Test Framework (diagram): BIG-IP GTM and AFM with an IPv4/v6 listener, protocol validation, iRules, cache and resolver; Response Policy Zone (RPZ) and a reputation database drive special handling; ACL on IP from AFM; IP Intelligence (with an IP Intelligence service feed) and a response page; subscriber rate management; scanners as a traffic source; Splunk logging.
Outcomes
• Agree measurement for:
• Baseline the users' performance and that the DNS is available, confidential and has integrity, for cache and resolver
• Measure that the attacks do not affect the users and that the DNS is available, confidential and has integrity; compare to baseline
• It is about risk management to the business while under DNS attack.
DNS over UDP doesn't prove identity
• UDP is the primary transport mechanism for DNS because it's low latency and fast for client resolution
• UDP is stateless and trivial to spoof
• A hacker client often doesn't care about the response
• A hacker client can choose to use the most expensive response
• A hacker client can be a random nobody
• A hacker client can IMPERSONATE legitimate clients
• Techniques to identify clients utilize too much CPU
• Big DNS DDoS problem: no easy way to identify good vs bad clients
Preventing DNS Abuse – DNS Tunneling: prevent it with iRules
Classify the traffic: mobile or fixed. Determine the SLA for RPS and allowed response size.
When a client sends in a query: Is the query for a blocked domain (a tunnel host)? Is the query rate above the allowed rate? Increment score. Client previously above the allowed rate? Increment score. Resolve the request and analyze the response; factor the response size into the score.
Take an action: Is the client above the score threshold?
- Drop the request
- Suspend DNS service for a period.
Diagram: clients A to F plotted by query rate scoring and response size scoring against a drop threshold and a suspend threshold.
DNS Service Protection – policing requests for fairness and availability
Service Providers need to ensure availability of DNS services to customers according to their service level.
Intelligent per-client IP rate limiting gives SPs the tools to inhibit bad actors including DNS tunneling, without adversely affecting performance.
Diagram: service provider (CSP) with primary customers; regular client, compromised client and malicious actor pass through a DNS rate limiter (per-client DNS rates, rate limits) in front of the cache / resolver. Actions: rate limit client, suspend DNS service, log malicious identity.
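The scoring from the DNS tunneling slide (blocked tunnel host, query rate above the SLA, prior over-rate history, response size) together with the actions from the service protection slide (drop, suspend, log), as an added Python example that is not F5 iRule code. The SLA figures, the thresholds, the tunnel-host list and the replayed traffic are constructed; a real deployment would take them from the subscriber policy and the RPZ / feed lists.

```python
"""Per-client DNS abuse scoring and rate policing (added example, not F5 code).

Scores are built from the signals on the slide; thresholds, SLAs and traffic are constructed.
"""
from collections import deque
from dataclasses import dataclass, field

DROP_THRESHOLD = 3        # score at which individual requests are dropped (constructed)
SUSPEND_THRESHOLD = 6     # score at which DNS service is suspended (constructed)
SUSPEND_SECONDS = 60.0    # length of a suspension (constructed)
WINDOW_SECONDS = 1.0      # sliding window over which queries per second are measured
# SLA per traffic class: allowed queries per second and allowed response size in bytes (constructed)
SLA = {"mobile": {"rps": 5, "max_response": 512}, "fixed": {"rps": 20, "max_response": 1232}}
TUNNEL_HOSTS = {"tunnel.example"}   # constructed list of known tunnel endpoints


@dataclass
class ClientState:
    traffic_class: str
    window: deque = field(default_factory=deque)   # timestamps of recent queries
    score: int = 0
    over_rate_before: bool = False
    suspended_until: float = 0.0
    log: list = field(default_factory=list)        # (time, event, detail) for the malicious-identity log


class DnsRatePolicer:
    def __init__(self):
        self.clients = {}

    def classify(self, client_ip, traffic_class):
        """Classify the client (mobile or fixed) so the matching SLA applies."""
        self.clients.setdefault(client_ip, ClientState(traffic_class))

    def _current_rate(self, st, now):
        st.window.append(now)
        while st.window and now - st.window[0] > WINDOW_SECONDS:
            st.window.popleft()
        return len(st.window)

    def on_query(self, client_ip, qname, now):
        """Decision before resolving: SUSPENDED, DROP, SUSPEND or RESOLVE."""
        st = self.clients[client_ip]
        if now < st.suspended_until:
            return "SUSPENDED"
        name = qname.rstrip(".").lower()
        if any(name == h or name.endswith("." + h) for h in TUNNEL_HOSTS):
            st.score += 1                              # blocked tunnel host: drop and remember it
            st.log.append((now, "blocked-domain", name))
            return "DROP"
        over = self._current_rate(st, now) > SLA[st.traffic_class]["rps"]
        if over:
            st.score += 1                              # rate above allowed rate
        if st.over_rate_before:
            st.score += 1                              # client previously above allowed rate
        st.over_rate_before = over
        return self._enforce(st, now, "RESOLVE")

    def on_response(self, client_ip, response_size, now):
        """After resolving: factor the response size into the score; FORWARD or act."""
        st = self.clients[client_ip]
        if response_size > SLA[st.traffic_class]["max_response"]:
            st.score += 1
        return self._enforce(st, now, "FORWARD")

    def _enforce(self, st, now, default):
        if st.score >= SUSPEND_THRESHOLD:
            st.suspended_until = now + SUSPEND_SECONDS
            st.log.append((now, "suspend", st.score))
            return "SUSPEND"
        if st.score >= DROP_THRESHOLD:
            st.log.append((now, "drop", st.score))
            return "DROP"
        return default


def replay(events):
    """Replay (time, client, class, qname, response_size) events; return the policer and per-client actions."""
    policer, actions = DnsRatePolicer(), {}
    for t, client, cls, qname, size in events:
        policer.classify(client, cls)
        action = policer.on_query(client, qname, t)
        if action == "RESOLVE":
            action = policer.on_response(client, size, t)
        actions.setdefault(client, []).append(action)
    return policer, actions


# Constructed traffic: a normal fixed-line client, a mobile client sending a burst of
# long unique subdomains with oversized answers, and a client asking for a listed tunnel host.
SAMPLE_TRAFFIC = (
    [(0.2 * i, "10.0.0.1", "fixed", "www.example", 100) for i in range(5)]
    + [(0.05 * i, "10.0.0.2", "mobile", f"c{i}.data.exfil.example", 900) for i in range(12)]
    + [(0.0, "10.0.0.3", "mobile", "x.tunnel.example", 0)]
)

if __name__ == "__main__":
    policer, actions = replay(SAMPLE_TRAFFIC)
    for client, acts in actions.items():
        print(client, acts, policer.clients[client].log)
```

The score is deliberately monotonic here so the replay is easy to follow; in production the score should decay over time, and the suspension should be keyed on the rate-limiter's view of the client (the per-client DNS rates on the slide) rather than only on the source address, which UDP does not authenticate.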
PATENTS: Issued Patents
• US Patent No 8,261,351. Inventors: Lisa Golden; Peter Thornewell. Title: DNS Flood Protection Platform for a Network. Filed January 22, 2008. Issued September 4, 2012.
DNS and GSLB in
CURRENT
1. Cloud Bursting
2. Cloud Migration
3. DDoS Protection
4. Intelligent DNS Scale
5. Network Functions Virt.
6. Security for Service Providers
7. S/GI Network Simplification
FUTURE
8. Intelligent DNS for SPs
9. Multi-Hybrid Data Centers