Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

Trending KB Articles

april-1.jpg

Support Central: KB #3448: CLI commands to Mitigate Phantom Domain Attacks.

Customers that are being hit with Phantom domain attacks can now automatically mitigate these attacks by using several newly-available CLI commands in NIOS 6.12.x. We can execute one of the following commands on the recursive DNS servers during event and based on attack patterns. The following commands require no special licenses and can be used to mitigate phantom domain attacks.

 

set holddown command

 

 

Infoblox > set holddown

Incorrect number of arguments.

Synopsis

 

set holddown <time> <threshold> <min_timeout>

set holddown 0

set holddown off

set holddown on

 

 

Description

 

 

Turn on holddown timers for upstream servers with the following settings:

 

<time>: How long server will be held down (0-3600 seconds)

 

Once the specified trigger values are met, how long the non-responsive server should be held down.

 

<threshold>: number of consecutive timeouts before holding down a

server (1-1000)

 

<min_timeout>: minimum length of timeout that will count against a

server (0-10000 milliseconds)

Enabling this will cause non-responsive servers to be treated as lame and

ignored for <time> seconds.

 

set holddown 0 turns the feature off.

set holddown off turns the feature off.

set holddown on turns the feature on with last used values, or defaults.

 

 

Example

set holddown 60 5 1000

 

 

set holddown 5 1 10

 

5 - Held down the server for 5 seconds once triggered

 

1 - When query to a DNS server timeout for one time the server is held

 

10 - 10 milliseconds timeout value, if the server don't provide response within 10 millisecond the server is marked as a non-responsive server.

 

 

 

Test done for test33.com with 1 query every second:

 

 

dig @10.64.41.18 -f query.txt +retry=0 +timeout=1 +short

 

 

Logging

 

 

..daemon infoblox named[7444]: info adb: timeout: setting 5 second holddown for 192.203.230.10 after 2 timeouts

..daemon infoblox named[7444]: info adb: timeout: setting 5 second holddown for 192.112.36.4 after 2 timeouts

..daemon infoblox named[7444]: info adb: timeout: setting 5 second holddown for 199.7.83.42 after 2 timeouts

..daemon infoblox named[7444]: info adb: timeout: setting 5 second holddown for 192.5.5.241 after 2 timeouts

..daemon infoblox named[7444]: info adb: timeout: setting 5 second holddown for 192.36.148.17 after 2 timeouts

..daemon infoblox named[7444]: info adb: timeout: setting 5 second holddown for 192.58.128.30 after 2 timeouts

..daemon infoblox named[7444]: info adb: clearing holddown for 192.203.230.10

..daemon infoblox named[7444]: info adb: clearing holddown for 192.112.36.4

..daemon infoblox named[7444]: info adb: timeout: setting 5 second holddown for 199.7.91.13 after 2 timeouts

..daemon infoblox named[7444]: info adb: timeout: setting 5 second holddown for 128.63.2.53 after 2 timeouts

..daemon infoblox named[7444]: info adb: clearing holddown for 199.7.83.42

 

 

 

Notice the 5 second hold down for the server 192.203.230.10, 192.112.36.4. After 5 seconds logging the holddown is cleared.

 

NOTE:  The "set hold down" setting is now deprecated in favor of "fetches-per-server" and "fetches-per-zone".

 

 

 

 

set fetches_per_zone command

 

 

Infoblox > set fetches_per_zone on

DNS service is disabled. Changes will apply when it is started.

 

 

Infoblox > set fetches_per_zone 3

 

 

Ran query for test33.com with random host name as below:

 

 

dig @10.64.41.18 -f query.txt +retry=0 +timeout=1 +short

 

 

File - query.txt:

 

1.test33.com a

2.test33.com a

3.test33.com a

4.test33.com a

5.test33.com a

6.test33.com a

7.test33.com a

 

 

Logging

 

 

..daemon infoblox named[7444]: info too many simultaneous fetches for . (allowed 3, forced 0)

 

 

 


Fetches per Server definition

 

fetches-per-server is the maximum number of simultaneous iterative queries that the server will allow to be sent to a single upstream name server before blocking additional queries. This value should reflect how many fetches would normally be sent to any one server in the time it would take to resolve them. It should be smaller than "recursive-clients" zero (the default) disables the limitation.

The fetches-per-server quota is dynamically adjusted in response to detected congestion. As queries are sent to a server and are either answered or time out, an exponentially-weighted, moving average is calculated of the ratio of timeouts to responses.

  • If the current average timeout ratio rises above a "high" threshold, then fetches-per-server is reduced for that server.
  • If the timeout ratio drops below a "low" threshold, then fetches-per-server is increased.

 


The first argument is an integer value indicating how frequently to recalculate the moving average of the ratio of timeouts to responses for each server. The default is 100, meaning we recalculate the average ratio after every 100 queries have either been answered or timed out.

 


The remaining three arguments represent the "low" threshold (defaulting to a timeout ratio of 0.1), the "high" threshold (defaulting to a timeout ratio of 0.3), and the discount rate for the moving average (defaulting to 0.7). A higher discount rate causes recent events to weigh more heavily when calculating the moving average; a lower discount rate causes past events to weigh more heavily, smoothing out short-term blips in the timeout ratio. These arguments are all fixed-point numbers with precision of 1/100: at most two places after the decimal point are significant.

 

 

Command

 

 

Infoblox > set fetches_per_server

Incorrect number of arguments.

Synopsis

 

set fetches_per_server <fetches> <frequency>

set fetches_per_server 0

set fetches_per_server off

set fetches_per_server on

 

 

Description

 

 

Turn on fetches_per_server with the following settings:

 

 

<fetches>: maximum number of in-flight recursive queries that the server will

allow to be sent to a single upstream name server before blocking additional

queries to that server. (0-40000)

<frequency>: How often (in number of recursive responses) we recalculate the

timeout ratio (1-200000)

set fetches_per_server 0 turns the feature off.

set fetches_per_server off turns the feature off.

set fetches_per_server on turns the feature on with last used values, or defaults.

Example: set fetches_per_server 500 200

 

 

 

set recursion_query_timeout command

 

 

This command enables the user to change the overall query timeout from the default of 30s, down to a minimum of 10s (max is still 30)

 

 

Infoblox > set recursion_query_timeout

Usage: set recursion_query_timeout N [10 <= N <= 30, or 0 for default behavior]

 

Please refer CLI guide for the NIOS 6.12.x/ 7.x for more information and availablitiy of this command.

Showing results for 
Search instead for 
Did you mean: