FortiGate
rmetzger
Staff
Article Id 195722

Description


This article describes how to create a custom IPS signature that detects or blocks a high rate of DNS requests for non-existent domains (queries answered with NXDOMAIN).

Scope


FortiGate.

Solution

 

Disclaimer: The Fortinet Technical Assistance Center (TAC) does not offer technical assistance customizing IPS signatures.

For more information, see Technical Tip: Technical support on customization on various Fortinet products.

 

Network setup:


[ client (192.168.3.20) ] --- [ FortiGate ] --- [ DNS server(s) ]

Requirement:
Detect or block DNS requests for non-existent domains originated by the client.
The FortiGate cannot tell from the query alone whether a name exists, so the signature inspects the DNS server's response instead and checks the 'Flags:' field of the DNS header.

The image below is an excerpt of the Flags field of such a response.
The last hex digit, '3', is the RCODE and means 'no such name' (NXDOMAIN). For the purpose of this example the IPS signature matches the whole low byte of the Flags field, '83' (RA=1, AD=0, CD=0, RCODE=3), which is the fourth byte of the DNS payload. Note that a response carrying RCODE 3 with the AD bit set (low byte 'a3', typical of DNSSEC-validating resolvers) or without the RA bit (low byte '03') is also NXDOMAIN but will not match this exact byte value.

[Image: packet capture excerpt of the DNS response Flags field, low byte 0x83, RCODE 3 'No such name']
Important note: if the quarantine option is used in the IPS sensor, all traffic from the client to the DNS server is blocked for the configured period, which also blocks the client's legitimate DNS queries. If this is not desired, the alternative is to only detect and log the attack without quarantine.

Configuration:


CLI configuration example (only the relevant part is shown; the inner quotes of the pattern are escaped because the whole signature is itself a quoted string):

config ips custom
    edit "DNS rate limit dst"
        set signature "F-SBID( --attack_id 4455; --name dns.rate.limit.dst; --protocol udp; --service DNS; --pattern \"|83|\"; --distance 3,packet; --within 1,packet; --flow from_server,reversed; --rate 10,60; --track dst_ip; )"
    next
end

 

Note: '--rate 10,60' means the signature fires once 10 matching packets have been seen within 60 seconds. '--track dst_ip' keeps that counter per destination IP of the matching packet; since the match is on server-to-client packets ('--flow from_server'), the counter is per client address. '--distance 3,packet; --within 1,packet' anchors the one-byte pattern at offset 3 of the UDP payload, the low byte of the DNS Flags field.
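To make the byte match and the rate logic of the signature concrete, the following Python script is an added example written for this article (it is not Fortinet code and not part of the original page). It emulates the signature offline: it parses the 12-byte DNS header of constructed server responses, applies the same test as '--pattern "|83|"; --distance 3,packet; --within 1,packet' (the fourth byte of the payload equals 0x83), and keeps a sliding 10-in-60-seconds counter per client address, the equivalent of '--rate 10,60; --track dst_ip' on server-to-client packets. The responses, client addresses and timestamps are constructed for the demo; one set of responses has the AD bit set (flags low byte 0xA3) to show an NXDOMAIN answer that escapes the exact byte match.

```python
"""Offline emulation of the custom IPS signature (added example, not Fortinet
code). All packets, addresses and timestamps are constructed for the demo."""
import struct
from collections import defaultdict, deque

RATE_COUNT, RATE_WINDOW = 10, 60.0   # --rate 10,60
NXDOMAIN = 3                         # RCODE 3, "no such name"


def parse_dns_header(payload: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("DNS payload shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,      # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,       # bit 7 of the low flags byte
        "ad": (flags >> 5) & 1,       # DNSSEC "authenticated data"
        "cd": (flags >> 4) & 1,
        "rcode": flags & 0xF,         # low nibble of the low flags byte
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def signature_matches(payload: bytes) -> bool:
    """What --pattern "|83|"; --distance 3,packet; --within 1,packet tests:
    the single byte at offset 3 of the UDP payload is exactly 0x83."""
    return len(payload) > 3 and payload[3] == 0x83


def is_nxdomain(payload: bytes) -> bool:
    """Semantic test: a response whose RCODE is 3, whatever RA/AD/CD say."""
    h = parse_dns_header(payload)
    return h["qr"] == 1 and h["rcode"] == NXDOMAIN


class RateTracker:
    """Sliding-window counter keyed on an IP, like --rate N,S; --track dst_ip."""

    def __init__(self, count: int = RATE_COUNT, window: float = RATE_WINDOW):
        self.count, self.window = count, window
        self.hits = defaultdict(deque)

    def hit(self, key: str, ts: float) -> bool:
        """Record a match at time ts; True once `count` hits fall within `window`."""
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.count


def build_response(txid: int, flags: int, qname: str = "www.aabbccddeeffgg.com") -> bytes:
    """Construct a minimal DNS response: header plus the echoed question section."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def run_signature(responses):
    """responses: iterable of (ts, client_ip, payload) for server->client packets.
    Returns (time the rate threshold was first reached or None,
             number of byte-pattern matches, number of real NXDOMAIN responses)."""
    tracker, fired_at, sig_hits, nx_hits = RateTracker(), None, 0, 0
    for ts, client_ip, payload in responses:
        if is_nxdomain(payload):
            nx_hits += 1
        if signature_matches(payload):
            sig_hits += 1
            if tracker.hit(client_ip, ts) and fired_at is None:
                fired_at = ts                # the quarantine would start here
    return fired_at, sig_hits, nx_hits


# Constructed sample traffic (server -> client), one response per second.
FLAGS_NX = 0x8183        # QR RD RA, RCODE 3  -> low byte 0x83, matches the pattern
FLAGS_NX_AD = 0x81A3     # same with AD bit set -> low byte 0xA3, NOT matched
FLAGS_NOERROR = 0x8180   # QR RD RA, RCODE 0
SAMPLE = (
    [(float(i), "192.168.3.20", build_response(0x1000 + i, FLAGS_NX)) for i in range(12)]
    + [(float(i), "192.168.3.21", build_response(0x2000 + i, FLAGS_NX_AD)) for i in range(12)]
    + [(100.0, "192.168.3.20", build_response(0x3000, FLAGS_NOERROR))]
)

if __name__ == "__main__":
    fired, sig, nx = run_signature(SAMPLE)
    print(f"threshold reached at t={fired}s; pattern matches={sig}; NXDOMAIN responses={nx}")
```

Running it reaches the threshold on the tenth 0x83 response to 192.168.3.20 (t=9 s), while the twelve 0xA3 responses to the second client are real NXDOMAIN answers that are never counted: that is exactly what the one-byte '|83|' match implies, and why a production signature may need a second custom signature for the 'a3' value or a different match strategy.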


config ips sensor
    edit "DNS"
        config override
            edit 4455
                set action block
                set log enable
                set quarantine both
                set quarantine-expiry 10
            next
        end
    next
end

config firewall policy
    edit 1
        set srcintf "to_client"
        set dstintf "to_server"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set profile-status enable
        set profile "DNS"
        set nat enable
    next
end

Note: the policy and sensor syntax above is that of the FortiOS 4.x release on which the example was built (the log sample further down shows fwver=040006). On current FortiOS the sensor is attached to the policy with 'set utm-status enable' and 'set ips-sensor "DNS"', and the per-signature settings live under 'config entries' with 'set rule 4455' instead of 'config override'.


Verification:


To verify the behavior, send continuous DNS requests from the client for a name that does not exist, for example www.aabbccddeeffgg.com.
Once the threshold in the IPS signature is reached, traffic from the client to the DNS server is blocked.

  • 1st: check the user BAN list:

 

FGT # get user ban list

id          cause               src-ip-addr    dst-ip-addr      expires      created
1424905065  dns.rate.limit.dst  192.168.3.20   <dns_server_ip>  <exp_date1>  <crea_date2>

 

Depending on the FortiOS version, the same list is shown by one of the following commands:

FortiOS 7.2 and earlier:

FGT # diagnose user quarantine list

FortiOS 7.2 and later:

FGT # diagnose user banned-ip list

 

  • 2nd: verification with a 'diagnose debug flow':

 

FGT # diagnose debug flow filter daddr <dns_server_ip>
FGT # diagnose debug flow show console enable
FGT # diagnose debug enable
FGT # diagnose debug flow trace start 1000

id=36870 trace_id=400 msg="vd-root received a packet(proto=17, 192.168.3.20:1470-><dns_server_ip>:53) from to_client."
id=36870 trace_id=400 msg="allocate a new session-00002a55"
id=36870 trace_id=400 msg="find a route: gw-172.16.0.254 via to_server"
id=36870 trace_id=400 msg="find SNAT: IP-172.16.0.100, port-36150"
id=36870 trace_id=400 msg="Denied by end point ip filter check"

The last line is the quarantine taking effect: the client IP is in the ban list, so the packet is dropped before the session is created.

 

  • 3rd: check the log events:

 

FGT # execute log filter category 4
FGT # execute log filter device memory
FGT # execute log display
1 logs found.
1 logs returned.

1: 2010-08-24 05:21:37 log_id=0419016384 type=ips subtype=signature pri=alert fwver=040006 severity=critical carrier_ep="N/A" profile="DNS" src=192.168.3.20 dst=<dns_server_ip> src_int="to_client" dst_int="to_server" policyid=1 serial=11429 status=detected proto=17 service=dns vd="root" count=1 src_port=1489 dst_port=53 attack_id=4455 sensor="DNS" ref="http://www.fortinet.com/ids/VID4455" user="N/A" group="N/A" incident_serialno=1424905067 msg="custom: dns.rate.limit.dst"

 
