Cybersecurity Forum


gnylander
New Contributor

udp_dst_session DoS rule triggering on our own DNS servers

This is an interesting anomaly, since the "DoS" is originating from inside the network. The traffic looks technically legit, as it's UDP DNS traffic towards internet name servers, but the rates are immense. We have thousands of devices concurrently operating, but they are spread across a handful of DNS servers. It'll arrive like a storm, where suddenly a number of the DNS servers begin triggering the DoS rule. If left unblocked, it nearly DoSes my FortiGate 600D with the session rate.

I've discussed this with the DNS admins, pointing out that this is a bit anomalous, but they brush it off as "there's a lot of clients" and claim I'm blocking their servers' DNS resolutions when I do knock this suspect traffic down. Has anybody seen something similar in their environments?

Thanks!

------------------------------
Gustave
------------------------------
rmoussa
Contributor

Dear,

Since it's a UDP destination session threshold, it's normal if you have a large number of clients. This criterion checks the destination sessions of the UDP packets, and since all clients are connecting to the DNS server, this will result in a high number of DNS queries with the same destination address.
I would suggest that you enable udp source session and put a low threshold; this way you can detect if any of the clients is launching a DoS attack.
I have already experienced similar behavior in a Telco environment where clients are connecting to a DNS server.

Regards,
Rony

------------------------------
Rony Moussa
Fortinet NSE Certified: Level 8
------------------------------
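The reasoning in Rony's reply (a destination-session threshold aggregates every client behind one resolver, while a per-source threshold isolates a single misbehaving client) can be checked offline against traffic logs. The script below is an added example, not part of the thread and not Fortinet code: it parses constructed FortiGate-style key=value traffic log lines (addresses, timestamps and the two thresholds are made up), counts DNS sessions per destination and per source within each one-second window, and then lists the top sources behind any destination that fired. In the constructed data the resolver 10.0.0.53 crosses the destination threshold purely because twelve different clients each sent one query, whereas 10.0.0.54 stays under it and the source-side count exposes one client (10.1.1.99) sending all the traffic.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log lines, modelled loosely on FortiGate traffic logs
# (key=value pairs, proto=17 is UDP). These are not real log data.
def _mk(src: str, dst: str, sport: int) -> str:
    return (f'date=2024-01-15 time=10:00:00 srcip={src} dstip={dst} '
            f'srcport={sport} dstport=53 proto=17 service="DNS" action=accept')

SAMPLE_LOG: List[str] = (
    # Twelve distinct clients, one query each, all to resolver 10.0.0.53.
    [_mk(f"10.1.1.{i}", "10.0.0.53", 50000 + i) for i in range(1, 13)]
    # One client, 10.1.1.99, sending eight queries to resolver 10.0.0.54.
    + [_mk("10.1.1.99", "10.0.0.54", 60000 + i) for i in range(8)]
    # A non-DNS TCP session that must be ignored by the DNS filter.
    + ['date=2024-01-15 time=10:00:00 srcip=10.1.1.5 dstip=10.0.0.53 '
       'srcport=40001 dstport=443 proto=6 service="HTTPS" action=accept']
)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def dns_records(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only UDP sessions to port 53, the traffic the DoS anomaly counts."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r.get("proto") == "17" and r.get("dstport") == "53"]


def evaluate(lines: List[str], dst_threshold: int, src_threshold: int) -> Dict[str, Dict[str, int]]:
    """Emulate udp_dst_session and udp_src_session counting per one-second window.

    A destination (or source) is reported when its session count in a window
    exceeds the given threshold, mirroring how the anomaly thresholds behave.
    """
    recs = dns_records(lines)
    per_dst = Counter((r["time"], r["dstip"]) for r in recs)
    per_src = Counter((r["time"], r["srcip"]) for r in recs)
    dst_alerts = {dst: n for (_, dst), n in per_dst.items() if n > dst_threshold}
    src_alerts = {src: n for (_, src), n in per_src.items() if n > src_threshold}
    return {"udp_dst_session": dst_alerts, "udp_src_session": src_alerts}


def top_sources_for(lines: List[str], dstip: str, n: int) -> List[Tuple[str, int]]:
    """Who is behind a destination alert? Many sources at ~1 each means a
    legitimately busy resolver; one source dominating means a single offender."""
    counts = Counter(r["srcip"] for r in dns_records(lines) if r["dstip"] == dstip)
    return counts.most_common(n)


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG, dst_threshold=10, src_threshold=5)
    print("udp_dst_session alerts:", result["udp_dst_session"])
    print("udp_src_session alerts:", result["udp_src_session"])
    for dst in result["udp_dst_session"]:
        print(f"top sources behind {dst}:", top_sources_for(SAMPLE_LOG, dst, 3))
```

Running it with a destination threshold of 10 and a source threshold of 5 reports 10.0.0.53 under udp_dst_session with no single source above one session, and 10.1.1.99 under udp_src_session; that is the distinction a source-session rule in pass/monitor mode gives you before deciding whether anything should be blocked.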
gnylander

Thanks for the response, Rony. I've enabled source UDP session detection in pass mode; let's see how things look. I'm hoping to get some more insight that way.

Gus
samir3211

I am also facing the same problem. I am using FortiOS 6.4.14 firmware. In my case, when I set the udp_src_session anomaly to monitor state, I came to know that some of the client machines are generating the DoS attack to the DNS server.