Paul M Kane, Director, www.CDNS.net

20th anniversary of .LV
HOSTS: Institute of Mathematics and Computer Science
VENUE: Radisson Blu Daugava Hotel, Riga, Latvia.
19th April 2013.

Cyber attacks increasing – keep your domain safe

International Conference on DNS and Internet - 19th April 2013, Riga

Thank you to nic.LV

• Inviting me and for working with us.

• Congratulations on 20 reliable years, here’s to the next 20 years.

• For being an active member of the Domain Name System Infrastructure Resilience (DIR) Task Force – www.DIR.ORG
> With financial support from the European Commission - Directorate-General Justice, Freedom and Security; Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks Programme.

• Cyber-Security is NOT sexy – we’re telling users they are frequently the cause of problems – but being protected is better for them, their employer and wider Internet.

Agenda

• What we do
> A word from our sponsors!

• Growth of Internet access
> Broadband access and speeds

• Vulnerabilities and attack traffic
> Compromised devices, attack vectors and Video – watch carefully, see if you can see some of the tricks.

• Why and how do the bad guys use YOU
> Using compromised devices is an efficient way to gain information, generate revenue or cause disruption.

• How resilient is the Internet
> It is as safe as you make it!

• References
> Any questions.

Real Time Data – 29th Nov 2010

• 12 billion users per day

• 1,869 ISPs host CDNS servers.

• 160,731,688 names on platform

• 636,707 updates on 8th March 2013

• Peaked at 193,000 transactions per second

• Capacity is 855 billion per second!

www.CDNS.net/live_stats.html

CDNS - Server Locations

55 locations, 48 Countries, 24x7x365 NOCs in UK, USA and Japan, monitoring, serving and blocking malicious traffic for DNS, WEB and other applications

DNS – Reflection attacks

• DDoS Increasing

• DNSSEC has much larger payload

• DNS Amplification attacks increasing

• 23rd March 2012: 7.6m queries per sec peak, >2m queries per sec for approx 24 hours

• Genuine traffic <300,000 queries per second

Network monitoring for DNS and more

• Improving cyber-security for customers.
> Managing Anycast cloud represents approximately 30% of the job and is technically relatively easy.
> 70% is network monitoring, looking for “bad” guys who seek to change DNS data or introduce anomalies for personal gain.

European Broadband – July 2012

European Commission Communications Committee - Digital Agenda, July 2012

Broadband lines by speed and country

European Commission Communications Committee - Digital Agenda, July 2012

Mobile Broadband - Jan 2009 to July 2012

European Commission Communications Committee - Digital Agenda, July 2012

Year on Year growth - 2011 v 2012

• Attack traffic is increasing dramatically.

European Commission DG INFSO, Unit C4: Economical and Statistical Analysis

Total attack types 2012

European Commission DG INFSO, Unit C4: Economical and Statistical Analysis

Home DSL Router vulnerability test results

• It works!! - leave it alone
> Majority of home users buy their router and do not install security patches.
> UK – 19m DSL Routers, 35% compromised, average upstream say 0.5Mbps = DDoS of 3.3Tbps or 3325Gbps

Cyber-espionage - You’ve got mail!

How mail system works….

Message: Broken into packets, numbered and dispatched

Receiver: Acknowledge receipt, lost packets are resent, reassembled in order

Emailing your Bank – DNSSEC helps a bit

2011 Denial of Service Attack Vectors

• UDP popular “hook” for initiating attacks as is SYN – the TCP three way handshake

2012 Attack vectors

• DNS Attacks almost tripled Q1 2011 to Q1 2013 from 2.35% to 4.67%

Top 10 countries - sources of DDoS attacks

• UK – has almost 19 million home/office Broadband connections.

2011 – Top 10 DDoS source countries.

2012 – Top 10 DDoS source countries.

Compromised Devices by Country

Source: Panda Security

ASN – Most used ASN for DDoS

• Counterfeit software is NOT patched by supplier therefore vulnerable to compromise.

Work - Bad guys “fish, where fish are!”

37%

• In US – 77% of employees use social media during worktime.

• 33% of companies have been infected by malware through social media channel

Panda Labs Q3 2012 Quarterly Report

> 57% of companies have Policies regulating use

> 81% have staff dedicated to monitoring and implementing Policies

> 62% do not allow these sites to be accessed

> Android smart phones are the new target

Why do they do it - Reason for cyber-crime

Panda Labs Q3 2012 Quarterly Report

How the “bad guys” corrupt systems

Botnets as a Service.

How much to know your competitors?

How Resilient is the Internet?

• Very – BUT …. Progress means things are changing fast……..

> To keep ahead of the bad-guys, needs careful monitoring

> Need to check your DNS settings and services regularly

> Do not rely on the Public Internet, make good use of private VPNs that use IP address (IPv4 and IPv6) rather than just standard “name” resolution.

> Encrypt private communications – PKI, like PGP etc

> Periodically check for inconsistencies such as the way staff terminals use the Internet.

> Smart Phones are now the target, so they need scanning where users interact with social media sites and may download viruses to act as Trojans on home and work networks.

References

• PHP Vulnerability - Injection Attack
> http://security.radware.com/itsoknoproblembro/

• SOAP Vulnerable Products:
> https://docs.google.com/spreadsheet/ccc?key=0ApUaRDtAei07dGxkSHN1cEN3V2pmYW4yNkpZMlQ0Rmc#gid=0

• Around 40-50 million network-enabled devices are at risk due to vulnerabilities found in the Universal Plug and Play (UPnP) protocol.
> UPnP enables devices such as routers, printers, network-attached storage (NAS), media players and smart TVs to communicate with each other.
> http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf

• Java (again) - turn off Java Runtime Environment
> https://blogs.oracle.com/security/entry/february_2013_critical_patch_update

Happy Birthday nic.LV!!!

Thank you

