Sometimes you have a misconfigured DNS client. Other times, you have someone trying to do your DNS server harm.
Here's a quick means of dropping a client that's trying to use your DNS server in a bad way. Typically these clients will receive a DNS response such as the following:
Domain Name System (response)
[Request In: 9]
[Time: 0.000181000 seconds]
Transaction ID: 0xec12
Flags: 0x8115 (Standard query response, Refused)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...1 .... = Non-authenticated data: Acceptable
.... .... .... 0101 = Reply code: Refused (5)
So we will write a rule that triggers on this "Refused" DNS response, keyed on the flags value 0x8115. Keep in mind that the pattern matches those two flag bytes literally: a server that has recursion available (RA=1) would answer Refused with flags 0x8185, and the CD bit simply mirrors the client's query, so confirm with tshark what your own server actually sends before copying the pattern.
1st, here's the rule:
edit "DNS-refused"
set signature "F-SBID( --attack_id 1616; --revision 2; --name \"DNSQueryArefused\"; --protocol udp; --pattern |8115|; --flow from_server,reversed; --rate 30,60; --track dst_ip; --log dns_query;)"
next
2nd, here's my IPS sensor:
3rd, here's the firewall policy and protection profile applied to my DNS server policy.
The IPS sensor is enabled in my protection profile named "DNS-refusal-policy":
set ips-sensor-status enable
set ips-sensor "DNS-refusal"
NOTE: The referenced "DNS-refusal-policy" firewall policy has the destination address names DNS1 and DNS2, which are my firewall address objects for the name servers. I could have also used an address group.
Lastly, we can monitor for log messages via the GUI or the command line:
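As an added example (not part of the original post, and not FortiGate code), here is a small Python script that shows what the signature above is really keying on: it parses the DNS header, checks the RCODE field properly, compares that against a literal |8115| byte match, and applies the same per-client "30 hits in 60 seconds" counter that --rate 30,60 with --track dst_ip expresses. The packets, the 192.0.2.x client addresses, and the assumption that the threshold fires on the 30th hit inside the window are constructed for the example.

```python
"""Added example: what the FortiGate custom signature above is keying on.

Parses the DNS header, checks RCODE=5 (Refused) properly, compares that to
the literal |8115| byte match, and applies a per-client rate counter in the
spirit of '--rate 30,60 --track dst_ip'.  All packets and addresses below
are constructed sample data, not captures from the original post.
"""
import struct
from collections import defaultdict, deque

DNS_RCODE_REFUSED = 5


def parse_dns_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    return {
        "id": txid, "flags": flags,
        "qr": (flags >> 15) & 1,       # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "ad": (flags >> 5) & 1,
        "cd": (flags >> 4) & 1,
        "rcode": flags & 0xF,          # 5 = Refused
        "qdcount": qdcount, "ancount": ancount,
        "nscount": nscount, "arcount": arcount,
    }


def is_refused_response(payload: bytes) -> bool:
    """True for any DNS response carrying RCODE Refused, whatever the other flag bits are."""
    h = parse_dns_header(payload)
    return h["qr"] == 1 and h["rcode"] == DNS_RCODE_REFUSED


def matches_fixed_pattern(payload: bytes, pattern: bytes = b"\x81\x15") -> bool:
    """Literal byte search, the same idea as '--pattern |8115|' in the signature."""
    return pattern in payload


class RateTracker:
    """Sliding-window counter: fires when a key reaches `count` hits within `seconds`.
    Assumption (not taken from FortiGate docs): it fires on the count-th hit in the window."""

    def __init__(self, count: int = 30, seconds: int = 60):
        self.count = count
        self.seconds = seconds
        self._hits = defaultdict(deque)

    def record(self, key: str, ts: float) -> bool:
        window = self._hits[key]
        window.append(ts)
        while window and ts - window[0] > self.seconds:
            window.popleft()
        return len(window) >= self.count


def build_response(txid: int, flags: int) -> bytes:
    """Constructed DNS response: header plus one question (example.com A IN), no answers."""
    question = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + question


def sample_stream():
    """Constructed (ts, client_ip, payload) tuples standing in for server->client UDP packets."""
    stream = []
    # 31 Refused responses (flags 0x8115, as in the capture) to one client within 31 seconds
    for i in range(31):
        stream.append((float(i), "192.0.2.10", build_response(0x2000 + i, 0x8115)))
    # 5 Refused responses from a server that has RA set: flags 0x8185, same RCODE
    for i in range(5):
        stream.append((float(i), "192.0.2.20", build_response(0x1000 + i, 0x8185)))
    # 3 ordinary NOERROR responses (flags 0x8180) that must not count
    for i in range(3):
        stream.append((float(i), "192.0.2.30", build_response(0x3000 + i, 0x8180)))
    return sorted(stream, key=lambda t: t[0])


def analyse(stream, count: int = 30, seconds: int = 60):
    """Return (clients that crossed the rate, Refused responses the literal |8115| match missed)."""
    tracker = RateTracker(count, seconds)
    flagged = set()
    missed_by_pattern = 0
    for ts, client, payload in stream:
        if not is_refused_response(payload):
            continue
        if not matches_fixed_pattern(payload):
            missed_by_pattern += 1
        if tracker.record(client, ts):
            flagged.add(client)
    return flagged, missed_by_pattern


if __name__ == "__main__":
    hdr = parse_dns_header(build_response(0xEC12, 0x8115))
    print(f"flags 0x{hdr['flags']:04x}: rd={hdr['rd']} ra={hdr['ra']} cd={hdr['cd']} rcode={hdr['rcode']}")
    flagged, missed = analyse(sample_stream())
    print("clients over 30 Refused in 60s:", sorted(flagged))
    print("Refused responses a literal |8115| match would miss:", missed)
```

The RCODE check is what the tshark display filter dns.flags.rcode == 5 does on a capture; the literal two-byte pattern only covers the one flag combination seen in this capture, which is why the 0x8185 responses in the sample are counted by the parser but not by the pattern.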
Key points to take away:
- the FortiGate has the ability to write custom signatures.
- this ad-hoc method is simple to deploy.
- in a true DNS flood, this will not do anything to save your bandwidth; the flood still arrives on your link before the firewall drops it.
- adjust the quarantine time to best suit your needs.
- always monitor the logs, graphs and performance impact.
- use tshark and a display filter (e.g. dns.flags.rcode == 5) to see the DNS query/response.
- you can log the query with the --log query option for later analysis.
Ken Felix
Freelance Network/Security Engineer
kfelix -----a----t---- Socpuppets ---dot---com
^ ^
=( ~ ~ )=
@
/ \