THE GAME HAS CHANGED

Introducing Infoblox Universal DDI ManagementTM

Watch the launch to discover the new era of management for critical network services. Watch Now

General Security & Cybersecurity Ecosystem

Reply

Block DNS traffic
jauling
Techie
Posts: 8

‎12-05-2022 07:48 AM

3188     0

From my experience, it looks like the Blackhole feature in the grid does not block DNS traffic, but just stops responding to networks/hosts that are defined in the ACLs. At least that is what my packet captures are seeing.

We have identified a few suspicious networks that look to be attempting to DDOS our DNS servers. We have a couple instances per day of a couple minutes of DNS service interruption and CPU spiking, and looking for ways to easily block these networks from the Grid. Is this possible? The alternative would be to define these ACLs on the VPN side in AWS. Thanks.

Reply
0 Kudos

Re: Block DNS traffic
jauling
Techie
Posts: 8

‎12-07-2022 07:15 AM

3189     0

It seems just simply firewalling this traffic is also futile, as its distributed and the attacks just then use other networks.

 

What I have found in my logs are the following messages, which indicate that the attacks generally last for a little over 5minutes:

Possible DNS attack ongoing. Abnormal conditions: UDPv4 errors at 85%
Possible DNS attack ongoing. Abnormal conditions: UDPv4 errors at 81%
Possible DNS attack ongoing. Abnormal conditions: UDPv4 errors at 78%
DNS attack conditions have ended.

I see the Grid has mitigation specifically for NX Domain attacks, and it can also track UDP dropped packets, which is what is generating the above logging, but I don't see any explicit functionality in the standard Grid package to mitigate these sort of attacks, is this true? The closest I see is RRL, right?

Reply
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements