FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmetzger
Staff
Article Id 195722

Description


This article provides information about creating a custom IPS signature to detect or block a high rate of DNS requests for non-existent domains.

Scope


FortiGate

Solution

 

Network setup:


[ client (192.168.3.20) ] --- [ FortiGate ] -- [ DNS server(s) ]

Requirement:
To block or detect any DNS request for a non-existent domain originated by the client.
This can be detected by inspecting the DNS server's response, specifically the value of its "Flags:" field.

The image below is an excerpt of the Flags field of a DNS response.
The last hexadecimal digit, '3', is the response code meaning 'no such name' (NXDOMAIN). For the purpose of this example, the IPS signature matches on the full low byte of the flags value shown below: '83'.

[Image rmetzger_FD32796_DNS_response.jpg: excerpt of a DNS response showing the Flags field]
Important note: if the quarantine option is used in the IPS sensor, the traffic from the client to the DNS server will be blocked for the configured period. This also affects the legitimate traffic from this client to the DNS servers. If this is not desired, an alternative is to only detect and log this attack.

Configuration:
CLI configuration example (only the relevant part is provided):

# config ips custom
    edit "DNS rate limit dst"
        set signature "F-SBID( --attack_id 4455; --name dns.rate.limit.dst; --protocol udp; --service DNS; --pattern "|83|"; --distance 3,packet; --within 1,packet; --flow from_server,reversed; --rate 10,60; --track dst_ip; )"
    next
end

 

Note: '--rate 10,60' in the signature means '10 pattern matches detected within 60 seconds'; with '--track dst_ip' this count is kept per tracked IP address.
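As an added illustration (not part of this article or of FortiGate itself), the following Python script mirrors what the signature above expresses: it checks the byte at offset 3 of the DNS payload (the low byte of the Flags field) against 0x83 exactly as '--pattern "|83|" --distance 3,packet --within 1,packet' does, parses the response code properly for comparison, and keeps a per-client sliding-window counter playing the role of '--rate 10,60' with '--track'. The DNS responses are constructed inline; keying the counter on the client address is the example's own choice, consistent with the client being the address that appears on the ban list later in this article. It also shows a caveat of the literal byte match: a DNSSEC-validating resolver sets the AD bit, so its NXDOMAIN response carries flags 0x81A3, which is still 'no such name' but does not match '|83|'.

```python
import struct
from collections import defaultdict, deque

RCODE_NXDOMAIN = 3          # RFC 1035 response code 3: "Name Error" / no such name
FLAGS_LOW_BYTE_OFFSET = 3   # byte 3 of the DNS payload: the --distance 3,packet target


def build_dns_response(txid, rcode, ad=False):
    """Constructed sample (not captured traffic): a minimal DNS response with a
    single question for www.aabbccddeeffgg.com and no answer records."""
    flags = 0x8180 | (rcode & 0x0F)      # QR=1, RD=1, RA=1, RCODE in the low nibble
    if ad:
        flags |= 0x0020                  # AD bit, as set by a DNSSEC-validating resolver
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"\x03www\x0eaabbccddeeffgg\x03com\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def matches_signature_byte(payload):
    """Literal equivalent of --pattern "|83|" --distance 3,packet --within 1,packet:
    the byte at offset 3 must be exactly 0x83."""
    return len(payload) > FLAGS_LOW_BYTE_OFFSET and payload[FLAGS_LOW_BYTE_OFFSET] == 0x83


def is_nxdomain_response(payload):
    """Parse the Flags field instead of matching one byte: QR=1 and RCODE=3,
    regardless of the other flag bits (AD, CD, RA)."""
    if len(payload) < 12:                # shorter than a DNS header: not a valid response
        return False
    (flags,) = struct.unpack("!H", payload[2:4])
    return (flags >> 15) == 1 and (flags & 0x0F) == RCODE_NXDOMAIN


class RateTracker:
    """Sliding-window counter: fires once `threshold` hits fall inside `window`
    seconds for the same key (the role of --rate 10,60 combined with --track)."""

    def __init__(self, threshold=10, window=60.0):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)

    def record(self, key, ts):
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits older than the window
            q.popleft()
        return len(q) >= self.threshold


def detect_nxdomain_flood(responses, threshold=10, window=60.0):
    """responses: iterable of (timestamp, client_ip, dns_payload) for server->client
    packets. Returns the (timestamp, client_ip) pairs at which the rate was exceeded."""
    tracker = RateTracker(threshold, window)
    alerts = []
    for ts, client_ip, payload in sorted(responses, key=lambda e: e[0]):
        if is_nxdomain_response(payload) and tracker.record(client_ip, ts):
            alerts.append((ts, client_ip))
    return alerts


def sample_traffic():
    """Constructed event stream: 12 NXDOMAIN answers to 192.168.3.20 over 22 s,
    4 NOERROR answers interleaved, and 3 NXDOMAIN answers to another client."""
    client, other = "192.168.3.20", "192.168.3.21"
    events = [(float(2 * i), client, build_dns_response(0x1000 + i, RCODE_NXDOMAIN)) for i in range(12)]
    events += [(float(5 * i + 1), client, build_dns_response(0x2000 + i, 0)) for i in range(4)]
    events += [(float(3 * i), other, build_dns_response(0x3000 + i, RCODE_NXDOMAIN)) for i in range(3)]
    return events


if __name__ == "__main__":
    for ts, ip in detect_nxdomain_flood(sample_traffic()):
        print(f"t={ts:5.1f}s  {ip} exceeded 10 NXDOMAIN responses in 60 s")
    nx_ad = build_dns_response(1, RCODE_NXDOMAIN, ad=True)
    print("AD-bit NXDOMAIN matched by |83|:", matches_signature_byte(nx_ad),
          "| parsed as NXDOMAIN:", is_nxdomain_response(nx_ad))
```

With the constructed stream, the tenth NXDOMAIN answer to 192.168.3.20 (at t=18 s) crosses the threshold and each further one keeps the client above it, while the NOERROR answers and the second client never count; this matches what the signature is meant to do, and the AD-bit case shows why a parsed RCODE check is more robust than the single-byte pattern where the platform allows it.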


# config ips sensor
    edit "DNS"
        config override
            edit 4455
                set action block
                set log enable
                set quarantine both
                set quarantine-expiry 10
            next
        end
    next
end

# config firewall policy
    edit 1
        set srcintf "to_client"
        set dstintf "to_server"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set profile-status enable
        set profile "DNS"
        set nat enable
    next
end


Verification
To verify the behaviour, send continuous DNS requests from the client to www.aabbccddeeffgg.com.
Once the threshold in the IPS signature is reached, the traffic from the client to the DNS server is blocked.

  • 1st: check the user ban list:

FGT # get user ban list

id         cause              src-ip-addr    dst-ip-addr      expires      created
1424905065 dns.rate.limit.dst 192.168.3.20   <dns_server_ip>  <exp_date1>  <crea_date2>

 

  • 2nd: verification with "diagnose debug flow":

FGT # diagnose debug flow filter daddr <dns_server_ip>
FGT # diagnose debug flow show console enable
FGT # diagnose debug enable
FGT # diagnose debug flow trace start 1000

id=36870 trace_id=400 msg="vd-root received a packet(proto=17, 192.168.3.20:1470-><dns_server_ip>:53) from to_client."
id=36870 trace_id=400 msg="allocate a new session-00002a55"
id=36870 trace_id=400 msg="find a route: gw-172.16.0.254 via to_server"
id=36870 trace_id=400 msg="find SNAT: IP-172.16.0.100, port-36150"
id=36870 trace_id=400 msg="Denied by end point ip filter check"

 

  • 3rd: check the log events:

FGT # execute log filter category 4
FGT # execute log filter device memory
FGT # execute log display

1 logs found.
1 logs returned.

1: 2010-08-24 05:21:37 log_id=0419016384 type=ips subtype=signature pri=alert fwver=040006 severity=critical carrier_ep="N/A" profile="DNS" src=192.168.3.20 dst=<dns_server_ip> src_int="to_client" dst_int="to_server" policyid=1 serial=11429 status=detected proto=17 service=dns vd="root" count=1 src_port=1489 dst_port=53 attack_id=4455 sensor="DNS" ref="http://www.fortinet.com/ids/VID4455" user="N/A" group="N/A" incident_serialno=1424905067 msg="custom: dns.rate.limit.dst"
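The log record above is what a SIEM or an analyst actually consumes. As an added example (not from the article), this Python snippet parses FortiGate's key=value log format, including quoted values that contain spaces such as msg="custom: dns.rate.limit.dst", and reduces a record to the fields worth alerting on: which client tripped the custom signature, against which resolver, and what the sensor's status for the match was. The sample line is the record shown above, copied verbatim with its <dns_server_ip> placeholder.

```python
import shlex

# The record shown in this article, copied as-is (placeholder <dns_server_ip> kept).
SAMPLE_IPS_LOG = (
    '1: 2010-08-24 05:21:37 log_id=0419016384 type=ips subtype=signature pri=alert '
    'fwver=040006 severity=critical carrier_ep="N/A" profile="DNS" src=192.168.3.20 '
    'dst=<dns_server_ip> src_int="to_client" dst_int="to_server" policyid=1 serial=11429 '
    'status=detected proto=17 service=dns vd="root" count=1 src_port=1489 dst_port=53 '
    'attack_id=4455 sensor="DNS" ref="http://www.fortinet.com/ids/VID4455" user="N/A" '
    'group="N/A" incident_serialno=1424905067 msg="custom: dns.rate.limit.dst"'
)


def parse_fortigate_log(line):
    """Split a key=value FortiGate record into a dict. shlex honours the double quotes,
    so a value such as "custom: dns.rate.limit.dst" stays one token; tokens without
    '=' (the leading index, date and time) are skipped."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def nxdomain_rate_alert(record, attack_id="4455"):
    """Return an alert summary for a hit on the custom signature (matched on type=ips
    and the attack_id configured in 'config ips custom'), or None for any other record."""
    fields = parse_fortigate_log(record)
    if fields.get("type") != "ips" or fields.get("attack_id") != attack_id:
        return None
    msg = fields.get("msg", "")
    prefix = "custom: "
    return {
        "client": fields["src"],
        "resolver": fields["dst"],
        "signature": msg[len(prefix):] if msg.startswith(prefix) else msg,
        "status": fields["status"],          # 'detected' in the record above
        "policy": int(fields["policyid"]),
        "sensor": fields["sensor"],
    }


if __name__ == "__main__":
    print(nxdomain_rate_alert(SAMPLE_IPS_LOG))
```

Matching on attack_id rather than on the free-text msg keeps the rule stable if the signature is later renamed, and keeping 'status' in the summary lets the consumer distinguish a sensor that only logged the match from one configured to act on it.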

 

Related KB articles

Troubleshooting Tip : communication issue through a FortiGate diagnosed by debug flow message "Denie...

Technical Note : creating custom IPS signature to detect a pattern rate - example to detect a Brute-...
