udp_dst_session DoS rule triggering on our own DNS servers

  • 1.  udp_dst_session DoS rule triggering on our own DNS servers

     
    Posted 09-20-2018 12:52
    Edited by Gustave Nylander 09-20-2018 12:52
    This is an interesting anomaly, since the "DoS" is originating from inside the network. The traffic looks technically legit, as it's UDP DNS traffic towards internet name servers, but the rates are immense. We have thousands of devices concurrently operating, but they are spread across a handful of DNS servers. It'll arrive like a storm, where suddenly a number of the DNS servers begin triggering the DoS rule. If left unblocked, it nearly DoSes my FortiGate 600D with the session rate.

    I've discussed this with the DNS admins, pointing out that this is a bit anomalous, but they brush it off as "there's a lot of clients" and claim I'm blocking their servers' DNS resolutions when I do knock this suspect traffic down. Has anybody seen something similar in their environments?

    Thanks!

    ------------------------------
    Gustave
    ------------------------------


  • 2.  RE: udp_dst_session DoS rule triggering on our own DNS servers

     
    Posted 09-23-2018 11:16
    Dear,

    Since it's a UDP destination session threshold, it's normal if you have a large number of clients. This criterion checks the destination session count of the UDP packets, and since all clients are connecting to the DNS server, this results in a high number of DNS queries with the same destination address.
    I would suggest that you enable udp_src_session and set a low threshold; this way you can detect if any of the clients is launching a DoS attack.
    I have already experienced similar behavior in a Telco environment where clients connect to a DNS server.

    Regards
    Rony

    ------------------------------
    Rony Moussa
    Fortinet NSE Certified: Level 8
    ------------------------------
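The following script is an added example, not code from this thread or from Fortinet. It models the two counters Rony's reply contrasts: udp_dst_session tallies concurrent UDP sessions per destination address, udp_src_session per source address. The session records, the client and resolver addresses, the two thresholds and the helper names are constructed for illustration; real thresholds are set in the FortiGate DoS policy, not here.

```python
"""Compare udp_dst_session-style and udp_src_session-style counting over a
constructed set of concurrent UDP/53 sessions.

Added example, not from the forum thread or Fortinet. Addresses, thresholds
and helper names are assumptions chosen to illustrate the thread's point.
"""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple


class UdpSession(NamedTuple):
    src: str
    dst: str
    dport: int


# Assumed thresholds for this example (real values live in the DoS policy).
UDP_DST_THRESHOLD = 100   # udp_dst_session: concurrent sessions to one destination
UDP_SRC_THRESHOLD = 50    # udp_src_session: concurrent sessions from one source


def build_resolver_storm(n_clients: int, resolvers: List[str]) -> List[UdpSession]:
    """Constructed traffic: n_clients each holding one open query, spread
    round-robin over a handful of resolvers (the 'storm' described in post 1)."""
    return [
        UdpSession(f"10.0.{i // 250}.{i % 250 + 1}", resolvers[i % len(resolvers)], 53)
        for i in range(n_clients)
    ]


def build_single_client_flood(attacker: str, resolver: str, n: int) -> List[UdpSession]:
    """Constructed traffic: one host opening n concurrent queries to one resolver."""
    return [UdpSession(attacker, resolver, 53) for _ in range(n)]


def count_sessions(sessions: Iterable[UdpSession], key: str) -> Dict[str, int]:
    """Count concurrent UDP sessions per destination ('dst') or per source ('src').
    These two aggregations are what the two anomalies measure."""
    if key not in ("src", "dst"):
        raise ValueError("key must be 'src' or 'dst'")
    return Counter(getattr(s, key) for s in sessions)


def evaluate(sessions: Iterable[UdpSession]) -> Dict[str, List[str]]:
    """Return the addresses that exceed each anomaly's threshold."""
    sessions = list(sessions)
    by_dst = count_sessions(sessions, "dst")
    by_src = count_sessions(sessions, "src")
    return {
        "udp_dst_session": sorted(a for a, n in by_dst.items() if n > UDP_DST_THRESHOLD),
        "udp_src_session": sorted(a for a, n in by_src.items() if n > UDP_SRC_THRESHOLD),
    }


if __name__ == "__main__":
    resolvers = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    storm = build_resolver_storm(3000, resolvers)
    # Many clients, few resolvers: every resolver trips udp_dst_session,
    # no single client trips udp_src_session.
    print("legit storm:", evaluate(storm))
    flood = build_single_client_flood("10.9.9.9", "192.0.2.10", 500)
    # Add one misbehaving host: now udp_src_session singles it out.
    print("storm plus single-client flood:", evaluate(storm + flood))
```

In the first scenario the per-destination counter fires on every resolver even though each client holds a single session, which is the behaviour Gustave reports; only the second scenario, where one source holds hundreds of sessions, trips the per-source counter. Running the source anomaly in pass mode with logging first, as post 3 does, shows which case you have before any block action is applied.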



  • 3.  RE: udp_dst_session DoS rule triggering on our own DNS servers

     
    Posted 10-02-2018 07:13
    Thanks for the response, Rony. I've enabled source UDP session detection in pass mode; let's see how things look. I'm hoping to get some more insight that way.

    Gus