12-05-2022 07:48 AM
From my experience, it looks like the Blackhole feature in the grid does not block DNS traffic, but just stops responding to networks/hosts that are defined in the ACLs. At least that is what my packet captures are seeing.
We have identified a few suspicious networks that look to be attempting to DDOS our DNS servers. We have a couple instances per day of a couple minutes of DNS service interruption and CPU spiking, and looking for ways to easily block these networks from the Grid. Is this possible? The alternative would be to define these ACLs on the VPN side in AWS. Thanks.
12-07-2022 07:15 AM
It seems just simply firewalling this traffic is also futile, as its distributed and the attacks just then use other networks.
What I have found in my logs are the following messages, which indicate that the attacks generally last for a little over 5minutes:
Possible DNS attack ongoing. Abnormal conditions: UDPv4 errors at 85% Possible DNS attack ongoing. Abnormal conditions: UDPv4 errors at 81% Possible DNS attack ongoing. Abnormal conditions: UDPv4 errors at 78% DNS attack conditions have ended.
I see the Grid has mitigation specifically for NX Domain attacks, and it can also track UDP dropped packets, which is what is generating the above logging, but I don't see any explicit functionality in the standard Grid package to mitigate these sort of attacks, is this true? The closest I see is RRL, right?