Next Generation Firewall (NGFW)

udp_dst_session DoS rule triggering on our own DNS servers

  • 1.  udp_dst_session DoS rule triggering on our own DNS servers

    Posted Sep 20, 2018 12:52 PM
    This is an interesting anomaly, since the "DoS" is originating from inside the network. The traffic looks technically legit, as it's UDP DNS traffic towards internet name servers, but the rates are immense. We have thousands of devices concurrently operating, but they are spread across a handful of DNS servers. It'll arrive like a storm, where suddenly a number of the DNS servers begin triggering the DoS rule. If left unblocked, it nearly DoSes my FortiGate 600D with the session rate.

    I've discussed this with the DNS admins, pointing out that this is a bit anomalous, but they brush it off as "there's a lot of clients" and claim I'm blocking their servers' DNS resolutions when I do knock this suspect traffic down. Has anybody seen something similar in their environments?

    Thanks!

    ------------------------------
    Gustave
    ------------------------------


  • 2.  RE: udp_dst_session DoS rule triggering on our own DNS servers

    Posted Sep 23, 2018 11:16 AM
    Dear,

    Since it's a UDP destination session threshold, it's normal if you have a large number of clients. This criterion checks the destination sessions of the UDP packets, and since all clients are connecting to the DNS server, this results in a high number of DNS queries with the same destination address.
    I would suggest that you enable the UDP source session threshold and set a low value; this way you can detect if any of the clients is launching a DoS attack.
    I have already experienced similar behavior in a telco environment where clients are connecting to the DNS server.

    Regards
    Rony

    ------------------------------
    Rony Moussa
    Fortinet NSE Certified: Level 8
    ------------------------------
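The difference Rony describes between a per-destination and a per-source UDP session threshold can be seen with a small simulation. This is an added illustration, not code from the thread or from Fortinet: it treats each DNS query as one UDP session within a single detection window (FortiGate counts concurrent sessions, so the numbers are only a model), and the thresholds, client addresses and resolver address are constructed sample values, not FortiGate defaults.

```python
"""
Added example (not from the forum thread, not FortiGate code): why a
per-destination UDP session threshold fires on a busy internal DNS resolver
even when every client behaves, while a per-source threshold only fires on
the one client that is actually misbehaving.

Assumptions: a flow record is a (src_ip, dst_ip, dst_port) tuple; all records
fall inside one detection window; thresholds are hypothetical.
"""
from collections import Counter

DNS_PORT = 53


def count_sessions(flows, key):
    """Count UDP/53 sessions per source ("src") or per destination ("dst")."""
    idx = 0 if key == "src" else 1
    return Counter(f[idx] for f in flows if f[2] == DNS_PORT)


def exceeding(counter, threshold):
    """Return {address: count} for every address at or above the threshold."""
    return {addr: n for addr, n in counter.items() if n >= threshold}


def build_sample_flows(n_clients=1000, queries_each=10, resolver="10.0.0.53",
                       bad_client=None, bad_queries=0):
    """Constructed sample traffic: many clients each sending a few queries to
    one resolver, optionally plus a single noisy client (all addresses made up)."""
    flows = []
    for i in range(n_clients):
        src = f"10.1.{i // 256}.{i % 256}"
        flows.extend([(src, resolver, DNS_PORT)] * queries_each)
    if bad_client:
        flows.extend([(bad_client, resolver, DNS_PORT)] * bad_queries)
    return flows


def evaluate(flows, dst_threshold=5000, src_threshold=500):
    """Apply both checks to the same window.

    Returns (destinations over the dst threshold, sources over the src threshold),
    mirroring what a udp_dst_session and a udp_src_session anomaly would each flag.
    """
    dst_hits = exceeding(count_sessions(flows, "dst"), dst_threshold)
    src_hits = exceeding(count_sessions(flows, "src"), src_threshold)
    return dst_hits, src_hits


if __name__ == "__main__":
    # 1000 well-behaved clients: the resolver trips the dst check, no client trips the src check.
    print("normal load:     ", evaluate(build_sample_flows()))
    # Same load plus one client sending 2000 queries: only the src check names the culprit.
    print("one noisy client:", evaluate(build_sample_flows(bad_client="10.9.9.9", bad_queries=2000)))
```

Running it shows the destination-side count for the resolver sitting far above the threshold in both cases, which is exactly the aggregate-of-legitimate-clients effect Rony points out; only the source-side check separates "many clients" from "one client flooding", which is why running udp_src_session in pass/log mode first gives a usable list of candidate sources before anything is blocked.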



  • 3.  RE: udp_dst_session DoS rule triggering on our own DNS servers

    Posted Oct 02, 2018 07:13 AM
    Thanks for the response, Rony. I've enabled source UDP session detection in pass mode; let's see how things look. I'm hoping to get some more insight that way.

    Gus