Cisco Blogs


Cisco Blog > Security

Tracking Malicious Activity with Passive DNS Query Monitoring

Ask anyone in the information security field they will tell you:

Security is not fair. There is essentially an unlimited supply of attackers that can test your defenses with impunity until they eventually succeed.

As a member of the Cisco Computer Security Incident Response Team (CSIRT) I've seen this asymmetry up close, so I can tell you that good security is really hard. Besides the normal security practices like deploying firewalls, IDS sensors, antivirus (AV), and Web Security Appliances, CSIRT is increasingly looking to the network as a data source. We have been collecting NetFlow for years but we have always wanted additional context for the flow data. While it is true that the Internet is built on TCP/IP, Internet services—both good and bad—are found by name using the Domain Name System (DNS). For years infosec has been network-address-centric and the attackers have adapted. Today it is very common to see malware command and control (C&C) use domain generation algorithms (DGAs), Peer-to-Peer (P2P), or even fast-flux DNS to evade IP address-based detection and blocking. It has become absolutely clear that to keep up with the latest attacks and attackers you must have a view into the DNS activity on your network.

CSIRT has been struggling with limited DNS information for a while now, so I am pleased to say we finally have comprehensive visibility into the DNS activity on our network. Before I dive into how we tackled this problem I should back up and explain a bit more about DNS...

Read More »

Tags: , , , , ,

Distributed Denial of Service Attacks on Financial Institutions: A Cisco Security Intelligence Operations Perspective

The past few weeks have had many on heightened alert from the initial threats to the ongoing attacks surrounding U.S.-based financial institutions; to say folks have been busy would be quite the understatement.

These events spawned a collaborative effort throughout the Cisco Security Intelligence Operations (Cisco SIO) organization, as depicted in the diagram below.

 

* Note: As Cisco products have not been found to be vulnerable to these attacks the Cisco PSIRT (Product Security Incident Response Team) provides feedback and peer-review, hence the reason that no Cisco Security Advisory (SA) is present for this activity.

Read More »

Tags: , , , , , , , , ,

DHCPv6 in the Cloud – DHCP Performance Testing and Results

As service providers move to cloud-based services, their IP addressing management system must operate efficiently in the virtualized environment of the cloud.  And within the cloud environment, these systems for DHCP, DNS and IP address management must also be fast. For example, many organizations have expressed a concern that poor DHCP performance could be the weak link when thousands of customers come back online after a failure event.  If DHCP address requests are handled in a slow or scattered manner, servers will not be able to service all requests in a timely fashion.

Another requirement for IP address management systems is support for IPv6, as the depletion of IPv4 addresses has led to many organizations finding themselves facing a rather accelerated and mandatory migration to IPv6 (read: yesterday's World IPv6 Launch). While one of IPv6’s promises was the elimination of the need for DHCP, the reality is that centralized network management has made DHCPv6 a necessity.  DHCP allows network devices to Read More »

Tags: , , , , , , , , , , , , , , , , , ,

Networking 101: DNS Revealed

June 1, 2012 at 5:49 am PST

Two great new ‘Networking 101’ videos now available.  This series is great for anyone needing a quick refresh or touch up on the basics and these two both focus on DNS.

DNS is key to making the Internet accessible to us humans. It’s how we can connect to techwisetv.com without needing to know anything complex from anywhere in the world. How does it know how to do this? DNS can be a complicated topic but understanding the basics does not have to be.

Taking it a step further, DNSSEC is a suite of IETF specifications designed to guarantee the authenticity of data obtained from the domain name system (DNS). Although not designed for confidentiality of the data, this protocol is a great answer for many of the ills that threaten the simplicity of the Internet. Chief Geek Jimmy Ray Purser arms you with how it works and why deployment is not growing as fast as it should be.

Read More »

Tags: , , , ,

Launching a New Internet Protocol

In January 2011, Internet companies around the globe announced they would come together to perform the largest test of IPv6 deployment the world had ever seen. Cisco was among the first to proudly announce its official participation in World IPv6 Day, and after several months of preparation and an intense 24 hours in June, it was clear that we had witnessed a watershed moment in the move towards global deployment of IPv6.

So what next after this? As reports came in and logs were analyzed over the days and weeks after, it became increasingly clear that we didn't need just another global test. Instead, we needed to enable IPv6 once and for all. So, on June 6, 2012, the industry will again unite but not just for single day. This time, we turn it on and leave it on. We're calling this World IPv6 Launch, and it is now the largest commitment to full-scale production IPv6 deployment the world has ever seen.

For websites, the commitment is similar to last year in that reachability via IPv6 will be advertised within the global Domain Name System (DNS). This time, however, the DNS entry will remain indefinitely rather than disappear after a single day. In addition to websites, the Internet Society has setup requirements for participation by residential Internet Service Providers (ISPs) and makers of home networking equipment. The rationale for expanding to these two specific areas is that while IPv6 has been available in some models of consumer-grade networking equipment and from some ISPs for a number of years, it was very rarely enabled by default and as such very rarely in use despite the majority of internet devices being capable of IPv6.

In order to tackle these remaining barriers to deployment, new Internet subscriptions and consumer-grade home routers will begin to appear with IPv6 enabled by default as the normal course of doing business. Specifically, participating home networking equipment makers are committing to include IPv6 enabled by default through a wide range of their products (both "low end" and "high end" home routers) by June 6. For ISPs, websites will be measuring what percentage of users have IPv6 enabled, with a target of no less than 1% before the World IPv6 Launch deadline. The 1% is a "running start", such that after June 6 we'll be on a path of sustained growth in IPv6 deployment going forward.

Cisco is again pleased to announce its full participation and support, both by enabling IPv6 on www.cisco.com indefinitely and by enabling IPv6 by default in our new line of E-series home routers. In addition, we will be working with our customers, Cisco Services and development teams to ensure that as many companies as possible can participate and those that do are successful.

June 6, 2012. This is the year we Launch a new Internet Protocol.

Tags: , , , , , , ,