Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

gnylander
New Contributor

udp_dst_session DoS rule triggering on our own DNS servers

This is an interesting anomaly, since the "DoS" is originating from inside the network. The traffic looks technically legit, as it's UDP DNS traffic towards internet name servers, but the rates are immense. We have 1,000's of devices concurrently operating, but they are spread across a handful of DNS servers. It'll arrive like a storm, where suddenly a number of the DNS servers begin triggering the DoS rule. If left unblocked, it nearly DoS's my FortiGate 600D with the session rate.

I've discussed this with the DNS admins, pointing out that this is a bit anomalous, but they brush it off as "there's a lot of clients" and claim I'm blocking their servers' DNS resolutions when I do knock this suspect traffic down. Has anybody seen something similar in their environments?

Thanks!

------------------------------
Gustave
------------------------------
[FirstName] [LastName] [Designation] [JobTitle] [CompanyName] [City] [State] [Phone]
[FirstName] [LastName] [Designation] [JobTitle] [CompanyName] [City] [State] [Phone]
3 REPLIES 3
rmoussa
Contributor

Dear,

Since its a UDP destination session threshold, its normal of you have a large number of client. Because this criteria check the destination session of the UDP packet and since all clients are connection to the DNS server this will result a high number of DNS queries with same destination address.
I would suggest that you enable udp source session and put a low threshold, this way you can detect if any of the client is launching a DoS attack.
I already experienced similar behavior in a Telco Environment where clients are connection to DNS server.

Regards
Rony

------------------------------
Rony Moussa
Fortinet NSE Certified: Level 8
------------------------------
Rony Moussa
Fortinet NSE Certified: Level 8
Rony MoussaFortinet NSE Certified: Level 8
gnylander

Thanks for the response, Rony. I've enabled source UDP session detection in pass mode, let's see how things look. I'm hoping to get some more insight that way.

Gus
[FirstName] [LastName] [Designation] [JobTitle] [CompanyName] [City] [State] [Phone]
[FirstName] [LastName] [Designation] [JobTitle] [CompanyName] [City] [State] [Phone]
samir3211

I am also facing the same problem .I am using fortios 6.4.14 firmware version. I my case when I set udp-scr-session anomaly in monitor state and come to know that some of the clients machine are generating the DoS attack to DNS server

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.