WebGregGit
New Contributor

Block traffic with IP from the black list (not only spam)

Hi

 

I have FortiGate 200F. 

 

I detect various disturbing connections from different addresses. At the moment, I manually add the intense ones to the blocked list. Unfortunately, it is not effective and very time-consuming.

These addresses are usually on some blacklists, such as zen.spamhaus.org. I am sure that a device of this class can automate the blocking of traffic coming from addresses on blacklists. But I don't know how to set it up. Any advice?

 

Security Profiles > DNS Filter > profile > External IP Block Lists options. 

Is this the right direction?

 

Do you have any addresses attached to them that you can share?

Yurisk
Valued Contributor

Hi, DNS Filter is for LAN/internal users potentially browsing to malicious sites on the Internet. As I understand it, you observe incoming potentially bad IPs from the Internet; for this you'd rather use an External Fabric Connector to have the FortiGate dynamically download 3rd-party threat feeds and then use them in WAN -> LAN rules with action Block.

 

You may read more here: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/9463/threat-feeds

 

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
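The setup Yurisk describes, written out as FortiOS CLI, is added here as an illustration; it is not from the thread or from Fortinet's documentation. The interface names wan1 and dmz, the connector name and the feed URL are placeholders. The feed has to be a plain-text file served over HTTP(S) with one address, CIDR or range per line: a DNSBL zone such as zen.spamhaus.org is queried over DNS and cannot be pulled by the connector, and compressed archives are not accepted either.

```fortios
# Added example (not from the thread): block inbound traffic from an IP threat feed.
# Placeholders: interface names wan1/dmz, connector name, feed URL.

# 1. Fabric connector: the FortiGate downloads the list itself and refreshes it
#    every refresh-rate minutes. The file must be plain text, one entry per line:
#      198.51.100.7            (single address, constructed sample)
#      203.0.113.0/24          (CIDR, constructed sample)
#      192.0.2.10-192.0.2.20   (range, constructed sample)
config system external-resource
    edit "blocklist-feed"
        set type address
        set resource "https://feeds.example.invalid/bad-ips.txt"
        set refresh-rate 60
        set status enable
    next
end

# 2. Deny policy using the feed as source. It has to sit ABOVE the rule that
#    allows DNS in, otherwise the allow rule matches first; after creation,
#    reorder with:  config firewall policy / move <new-id> before <allow-id>
config firewall policy
    edit 0
        set name "deny-threat-feed-inbound"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "blocklist-feed"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Once the connector has completed its first download, the entry count it shows is the quickest sanity check that the file was parsed; a count of zero usually means the format, not the URL, is the problem.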
gfleming
Staff

Excellent response from Yurisk already. Just want to add you can also set up IPS filters (if you have that feature via FortiGuard subscription) to automatically detect attacks and block them and optionally quarantine the attacking IP addresses.

 

https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/565562/intrusion-prevention

 

This can work in conjunction with the Fabric Connector threat feeds as already advised.

Cheers,
Graham
dairu
New Contributor III

Great tips from the other contributors. I found this helpful YouTube video as a guide on how to set up an External Fabric Connector, as Yurisk already mentioned:

https://www.youtube.com/watch?v=CarI6_URN90

WebGregGit

Thank you all for the tips. The easiest for me was from @dairu. I added a few lists, but for example I was not able to add: http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz (bad format).
I also created my own file where I manually add addresses, but it doesn't make sense - what I block in a moment, the "enemy" tries from a different address anyway. The never-ending story.

 

@gfleming - I set a high security IPS profile for the policy but I don't see any effect - still huge traffic on port 53.

gfleming

OK, let's explore the exact nature of the traffic you are seeing a bit more. Lots of traffic on port 53 could be evidence of a DDoS attack. Can you share what the traffic looks like? Is it many different sources hitting your IP on port 53?

 

Do you have port 53 open and exposed on the internet? If so, you might want to reconsider, as most people do not need it. If not, then check the DoS policy:

 

You might do well to look at a DoS policy: https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/771644/dos-policy

 

 

Cheers,
Graham
WebGregGit

It looks like this:

 

 

[Screenshots attached: dns_problem02.jpg, dns_problem01.jpg]

I have a lot of policies because I split them out of curiosity as to which is the most effective.

Many of the logged addresses appear on blacklists. When I add the most bothersome addresses to my block list, new ones appear quickly.

 

Yes I have port 53 open and exposed on the internet. It is my DNS server. And only this port is unblocked (not now, of course, as you can see in the screenshot above).

 

@dairu yes I know - only plain text. I just expressed my regret :)

 

@scan888 Thank you very much for these addresses! There are no IP types that cause me a problem, but they will definitely be useful. Thank you :)

 

gfleming

OK, very few people require a DNS server to be exposed to the internet. Do you have an actual need for this?

 

If so, you need to lock down your allow policy as much as possible. Can you whitelist certain IPs only?

 

If not, you should look at enabling all of the DNS IPS rules and tuning them to your needs.

 

I also highly recommend a DoS policy for UDP / DNS traffic.

Cheers,
Graham
WebGregGit

Unfortunately, the white list is not an option.

 

OK, I'll try what you advise. You mention IPS rules. I set up WAN to DMZ traffic with the IPS "high security" profile, which means "Blocks all Critical/High/Medium and some Low severity vulnerabilities". But that doesn't work in this case (do you personally have WAN to DMZ traffic set to this profile? I mean, is this the recommended setting, or rather just for extreme situations, and is it better to work with the default profile?).

 

So now I know that I should supplement it with a DoS policy. At the moment, I have one: from WAN to all, and action - monitor. And that's my problem with attacks.

Would it be possible to show a screenshot of what this section looks like for you? 

gfleming

Can you explain further why you need DNS open to the internet? There's likely a better way to do what you are doing.

 

Either way, you need to also understand that by default some IPS signatures are enabled in IPS high security but they aren't set to block by default, such as DNS.Pointer.Loop. Please review your signatures and ensure they are acting as you need.

 

https://docs.fortinet.com/document/fortigate/7.0.8/administration-guide/565562/intrusion-prevention

 

For DoS you can change from Monitor to Block: https://docs.fortinet.com/document/fortigate/7.0.8/administration-guide/771644/dos-protection

Cheers,
Graham
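gfleming's last two replies come down to three settings: make the DNS IPS signatures actually block rather than inherit a monitor action, switch the DoS policy from Monitor to Block, and keep the inbound allow rule as narrow as possible. The FortiOS CLI below is an added illustration of those three pieces together; it is not from the thread or from Fortinet's documentation. wan1, dmz, the address object dns-server-public (the public address or VIP of the DNS server, assumed to already exist), the sensor and policy names, and the anomaly thresholds are all placeholders. The thresholds in particular must be sized from your own baseline, which the Monitor mode the poster currently runs is the right way to collect before flipping the action to block.

```fortios
# Added example (not from the thread): DNS-scoped IPS sensor, blocking DoS policy,
# and the WAN->DMZ allow rule they attach to.
# Placeholders: wan1/dmz, address object dns-server-public, names, thresholds.

# 1. IPS sensor. An explicit filter entry with action block overrides the
#    per-signature default action, so DNS signatures that a built-in profile
#    only monitors are blocked here.
config ips sensor
    edit "dns-server-inbound"
        set comment "Block DNS protocol signatures regardless of default action"
        config entries
            edit 1
                set protocol DNS
                set severity medium high critical
                set status enable
                set log enable
                set action block
            next
        end
    next
end

# 2. DoS policy on the WAN interface, scoped to the DNS service and the DNS
#    server only, with action block instead of monitor. Thresholds are
#    placeholders; derive them from what Monitor mode logged on your link.
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "dns-server-public"
        set service "DNS"
        config anomaly
            edit "udp_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "udp_src_session"
                set status enable
                set log enable
                set action block
                set threshold 500
            next
        end
    next
end

# 3. The allow rule for the DNS server: DNS service only, single destination,
#    IPS sensor applied, full logging so the remaining hits stay visible.
config firewall policy
    edit 0
        set name "allow-dns-inbound"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "dns-server-public"
        set action accept
        set schedule "always"
        set service "DNS"
        set utm-status enable
        set ips-sensor "dns-server-inbound"
        set logtraffic all
    next
end
```

The DoS policy is evaluated before the firewall policy, so floods are dropped without ever consuming a session on the allow rule; the IPS sensor then handles the per-query protocol abuse that survives the rate limits.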