Monday, June 30, 2014

Fortigate IPS rule for blocking unauthorized client sources for recursive lookups

Here's a howto for blocking persistent DNS clients that keep trying to use your DNS server for recursive lookups, using the Fortigate IPS UTM feature.

Sometimes you have misconfigured DNS clients. Other times, you have someone trying to do your DNS server harm.

Here's a quick means for dropping a client that's trying to use your DNS server in a bad way. Typically these clients will receive a DNS response such as the following:

Domain Name System (response)
    [Request In: 9]
    [Time: 0.000181000 seconds]
    Transaction ID: 0xec12
    Flags: 0x8115 (Standard query response, Refused)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...1 .... = Non-authenticated data: Acceptable
        .... .... .... 0101 = Reply code: Refused (5)

So we will write a rule triggering off this DNS response with the "refused" flags 0x8115.

1st, here's the rule (the custom signature lives under config ips custom);

 config ips custom
     edit "DNS-refused"
         set signature "F-SBID( --attack_id 1616;  --revision 2; --name \"DNSQueryArefused\";  --protocol udp; --pattern |8115|; --flow from_server,reversed; --rate 30,60; --track dst_ip; --log dns_query;)"
     next
 end

2nd, here's my IPS sensor;

3rd, here's the firewall policy and protection profile applied to my DNS server policy;

 The IPS sensor is enabled in my protection profile named "DNS-refusal-policy":

     set ips-sensor-status enable
     set ips-sensor "DNS-refusal"

NOTE: In the referenced "DNS-refusal-policy"_fwpolicy, the dst address names DNS1 and DNS2 are my firewall address objects for the name servers. I could also have used an address group.

Lastly, we can monitor via the GUI or command line for log messages;
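To show exactly what the signature keys on, here is an added Python example (mine, not from the original post or from Fortinet): it decodes the DNS header flags, classifies a reply as REFUSED from the QR bit and RCODE at their fixed offsets rather than by matching the two raw bytes |8115| anywhere in the payload, and applies a sliding-window counter equivalent to --rate 30,60 tracked per destination (client) IP. The client addresses, timestamps and packet headers are constructed sample data.

```python
import struct
from collections import defaultdict, deque

RCODE_REFUSED = 5  # RFC 1035 RCODE 5 = Refused; flags 0x8115 carry this in the low nibble

def parse_dns_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header at the start of a UDP payload."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])  # ID, then the 16-bit flags word
    return {"id": txid, "flags": flags, "qr": flags >> 15, "rcode": flags & 0xF}

def is_refused_response(payload: bytes) -> bool:
    """True only for a server response (QR=1) whose RCODE is REFUSED."""
    hdr = parse_dns_header(payload)
    return hdr["qr"] == 1 and hdr["rcode"] == RCODE_REFUSED

class RefusalRateTracker:
    """Sliding-window counter mirroring --rate 30,60 with --track dst_ip.
    With --flow from_server,reversed the dst of the reply is the client."""

    def __init__(self, threshold: int = 30, window_s: int = 60):
        self.threshold, self.window_s = threshold, window_s
        self._hits = defaultdict(deque)  # client ip -> timestamps of refusals

    def observe(self, dst_ip: str, ts: float, payload: bytes) -> bool:
        """Record one reply; True when dst_ip reaches the threshold inside the window."""
        if not is_refused_response(payload):
            return False
        q = self._hits[dst_ip]
        q.append(ts)
        while q and ts - q[0] > self.window_s:  # drop refusals older than the window
            q.popleft()
        return len(q) >= self.threshold

def build_response(txid: int, flags: int) -> bytes:
    """Constructed sample: a bare 12-byte DNS header with empty count fields."""
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

def simulate() -> dict:
    """Constructed traffic; returns {client_ip: first timestamp it tripped the rule}."""
    tracker, tripped = RefusalRateTracker(30, 60), {}
    for i in range(40):  # 192.0.2.10: one REFUSED reply per second -> trips on the 30th
        if tracker.observe("192.0.2.10", float(i), build_response(0xEC12, 0x8115)):
            tripped.setdefault("192.0.2.10", float(i))
    for i in range(40):  # 192.0.2.20: NOERROR answers (flags 0x8180) are never counted
        tracker.observe("192.0.2.20", float(i), build_response(0x1234, 0x8180))
    for i in range(40):  # 192.0.2.30: one refusal every 3 s stays under 30 per 60 s
        tracker.observe("192.0.2.30", i * 3.0, build_response(0xEC12, 0x8115))
    return tripped
```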

Key points to take away;
  • the Fortigate has the ability to write custom signatures.
  • this ad-hoc method is simple to deploy
  • in a true DNS flood, this will not do anything to save your bandwidth
  • adjust the quarantine time to best suit your needs
  • always monitor the logs, graphs and performance impact
  • use tshark and a display filter to see the DNS query/response
  • you can log the query with the --log query option for later analysis

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- Socpuppets ---dot---com

   ^    ^
=( ~ ~ )=
     /  \
