Cisco Blogs


Cisco Blog > Architect & DE Discussions

Network wide Bonjour® – How would you support Bonjour across multiple VLANs?

As the saying goes, “every stick has two ends”. While laptops, smartphones and tablets have enabled us to be more mobile without compromising on being “connected,” with it comes challenges such as WIFI accessibility, power consumption and your ability to find network based services, like a printer wherever you happen to be.

To facilitate the ability for an end user to discover Services on a network, various Service Discovery protocols have been introduced. One of the most popular is DNS-SD (DNS-Service Discovery), which in conjunction with mDNS (multicast DNS) make up Apple’s offering called Bonjour. Bonjour enables end users to discover Services on their local network. While Bonjour is focused on smaller networks (e.g. Home Networks) with the advent of mobile customers wanting to discover services in close proximity, Bonjour becomes an ideal option to facilitate that. However, as Bonjour utilizes mDNS which is constrained to a single VLAN, customers are not able to discover services across multiple VLANs.

There are a few approaches being proposed to support Bonjour across multiple VLANs:

Read More »

Tags: , , , , ,

Real World DNS Abuse: Finding Common Ground

Prologue

The Domain Name System (DNS) is the protocol leveraged within the Internet´s distributed name and address database architecture. Originally implemented to make access to Internet-based resources human-friendly, DNS quickly became critical infrastructure in the intricate behind-the-scenes mechanics of the Internet, second only to routing in its importance. When DNS becomes inaccessible, the functionality of many common Internet-based applications such as e-mail, Web browsing, and e-commerce can be adversely affected—sometimes on a wide scale. This short blog post will explore some real-world examples of DNS abuse. I would like to welcome and thank Andrae Middleton for joining me as a co-author and presenting his expertise on this article.

There are a few different types of DNS attacks: cache poisoning, hijacking attacks, and denial of service (DoS) attacks (which primarily include reflection and amplification). In the news as of late are widespread and focused DoS attacks. Cisco Security Intelligence Operations (SIO), with its distributed sensors, is able observe and measure various aspects of the global DNS infrastructure. What follows are two vignettes detailing recent Internet DNS DoS attacks against the Internet’s DNS infrastructure. We will see that, though the attacks are different, the results are similar and the countermeasures and mitigations are the same.

Read More »

Tags: , , ,

Tracking Malicious Activity with Passive DNS Query Monitoring

Ask anyone in the information security field they will tell you:

Security is not fair. There is essentially an unlimited supply of attackers that can test your defenses with impunity until they eventually succeed.

As a member of the Cisco Computer Security Incident Response Team (CSIRT) I’ve seen this asymmetry up close, so I can tell you that good security is really hard. Besides the normal security practices like deploying firewalls, IDS sensors, antivirus (AV), and Web Security Appliances, CSIRT is increasingly looking to the network as a data source. We have been collecting NetFlow for years but we have always wanted additional context for the flow data. While it is true that the Internet is built on TCP/IP, Internet services—both good and bad—are found by name using the Domain Name System (DNS). For years infosec has been network-address-centric and the attackers have adapted. Today it is very common to see malware command and control (C&C) use domain generation algorithms (DGAs), Peer-to-Peer (P2P), or even fast-flux DNS to evade IP address-based detection and blocking. It has become absolutely clear that to keep up with the latest attacks and attackers you must have a view into the DNS activity on your network.

CSIRT has been struggling with limited DNS information for a while now, so I am pleased to say we finally have comprehensive visibility into the DNS activity on our network. Before I dive into how we tackled this problem I should back up and explain a bit more about DNS…

Read More »

Tags: , , , , ,

Distributed Denial of Service Attacks on Financial Institutions: A Cisco Security Intelligence Operations Perspective

The past few weeks have had many on heightened alert from the initial threats to the ongoing attacks surrounding U.S.-based financial institutions; to say folks have been busy would be quite the understatement.

These events spawned a collaborative effort throughout the Cisco Security Intelligence Operations (Cisco SIO) organization, as depicted in the diagram below.

 

* Note: As Cisco products have not been found to be vulnerable to these attacks the Cisco PSIRT (Product Security Incident Response Team) provides feedback and peer-review, hence the reason that no Cisco Security Advisory (SA) is present for this activity.

Read More »

Tags: , , , , , , , , ,

DHCPv6 in the Cloud – DHCP Performance Testing and Results

As service providers move to cloud-based services, their IP addressing management system must operate efficiently in the virtualized environment of the cloud.  And within the cloud environment, these systems for DHCP, DNS and IP address management must also be fast. For example, many organizations have expressed a concern that poor DHCP performance could be the weak link when thousands of customers come back online after a failure event.  If DHCP address requests are handled in a slow or scattered manner, servers will not be able to service all requests in a timely fashion.

Another requirement for IP address management systems is support for IPv6, as the depletion of IPv4 addresses has led to many organizations finding themselves facing a rather accelerated and mandatory migration to IPv6 (read: yesterday’s World IPv6 Launch). While one of IPv6’s promises was the elimination of the need for DHCP, the reality is that centralized network management has made DHCPv6 a necessity.  DHCP allows network devices to Read More »

Tags: , , , , , , , , , , , , , , , , , ,