Topic Thread


udp_dst_session DoS rule triggering on our own DNS servers

  • 1.  udp_dst_session DoS rule triggering on our own DNS servers

     
    Posted 28 days ago
    Edited by Gustave Nylander 28 days ago
    This is an interesting anomaly, since the "DoS" is originating from inside the network. The traffic looks technically legit, as it's UDP DNS traffic towards internet name servers, but the rates are immense. We have thousands of devices operating concurrently, but they are spread across a handful of DNS servers. It arrives like a storm: suddenly a number of the DNS servers begin triggering the DoS rule. If left unblocked, it nearly DoSes my FortiGate 600D with the session rate.

    I've discussed this with the DNS admins, pointing out that this is a bit anomalous, but they brush it off as "there's a lot of clients" and claim I'm blocking their servers' DNS resolutions when I do knock this suspect traffic down. Has anybody seen something similar in their environments?

    Thanks!

    ------------------------------
    Gustave
    ------------------------------


  • 2.  RE: udp_dst_session DoS rule triggering on our own DNS servers

     
    Posted 25 days ago
    Dear,

    Since it's a UDP destination session threshold, it's normal if you have a large number of clients, because this criterion checks the destination sessions of the UDP packets, and since all clients are connecting to the DNS server, this will result in a high number of DNS queries with the same destination address.
    I would suggest that you enable udp source session and set a low threshold; this way you can detect if any of the clients is launching a DoS attack.
    I have already experienced similar behavior in a Telco environment where clients were connecting to a DNS server.

    Regards
    Rony

    ------------------------------
    Rony Moussa
    Fortinet NSE Certified: Level 8
    ------------------------------



  • 3.  RE: udp_dst_session DoS rule triggering on our own DNS servers

     
    Posted 17 days ago
    Thanks for the response, Rony. I've enabled source UDP session detection in pass mode; let's see how things look. I'm hoping to get some more insight that way.

    Gus
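
The configuration Rony suggests and Gus says he applied (a low udp_src_session threshold in pass mode, alongside the existing udp_dst_session anomaly), written out as a FortiOS DoS policy. This is an added example, not configuration posted by either participant. The interface name "internal", the policy ID 10, the policy name and both threshold values are assumptions chosen for illustration; the thresholds in particular are placeholders to be tuned from what the pass-mode anomaly logs show.

```fortios
# Added example, not from the thread. Assumes a LAN-side interface named
# "internal"; policy ID, name and thresholds are illustrative placeholders.
config firewall DoS-policy
    edit 10
        set name "dns-udp-anomaly"
        set interface "internal"
        set srcaddr "all"
        set dstaddr "all"
        set service "DNS"
        config anomaly
            # Per-destination count: thousands of clients share a few resolvers,
            # so this legitimately runs high. Pass mode logs instead of dropping.
            edit "udp_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 20000
            next
            # Per-source count with a low threshold: a single client or resolver
            # that opens far more UDP sessions than its peers shows up in the logs.
            edit "udp_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 500
            next
        end
    next
end
```

With `set action pass` and `set log enable`, FortiOS records the anomaly but does not drop the traffic, which matches the "pass mode" Gus describes and avoids knocking down the resolvers' legitimate queries while the source-side data is gathered. Once the logs show which source addresses exceed the per-source threshold, that entry can be switched to `set action block` (or the udp_dst_session threshold raised above the observed legitimate peak) as a separate, deliberate change.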