topic Re: DoS applictation attack to DNS server - how to prevent, and how to create report showing IP addressess with the highest number of session (not bytes) opened to it in General Topics

DoS applictation attack to DNS server - how to prevent, and how to create report showing IP addressess with the highest number of session (not bytes) opened to it

mariusz_sawczuk — Wed, 05 Feb 2014 15:58:56 GMT

From time to time I observe a lots of DNS queries (not UDP floods) from Internet to my DNS servers. Unfortunately those queries have negative inpact to my old firewall (it can't establish so many sessions, which makes the network stops).

Probably my DNS servers are targets of:

- DoS application layer attacks: target specific applications, eg DNS dictionary attacks becuase I can see many DNS requests to unknown domains, which even doesn't exists on Internet.

rahter than

- DoS volumetric attacks: designed to saturate and overwhelm network recources, eg DNS Reflection, DNSSec Amplification, because I don't see DNS responses

My questions are:

1. PAN device is offering Zone/DoS Protection featers How to configure those featers to prevent my whole network from such DoS application attacks?

2. How to create report showing IP addresses with the highest number of session (not bytes) opened to my DNS servers behind PAN device? I would like to know (just in case) if in the future my DNS servers would be a target of DoS volumetric attack.

Re: DoS applictation attack to DNS server - how to prevent, and how to create report showing IP addressess with the highest number of session (not bytes) opened to it

HULK — Wed, 05 Feb 2014 16:51:46 GMT

Hello Sir,

1. Please follow the below mentioned documents, it will help you to understand and configure DOS/ZONE protection profiles on PAN firewall.

Understanding DoS Protection

Few related docs to troubleshoot:

a. CLI commands to verify the DOS functionality on Palo Alto Networks Devices

b. What are the Differences between DoS Protection and Zone Protection?

c. Global Counters Triggered by a Zone Protection Profile

2. You can create a custom report under ACC tab ( Application Command center). Please see the example below:

Next, click into the application, where you want see the source and destination IP details:

Hope this helps.

Thanks

Re: DoS applictation attack to DNS server - how to prevent, and how to create report showing IP addressess with the highest number of session (not bytes) opened to it

msullivan — Wed, 05 Feb 2014 20:22:55 GMT

Hi Mariusz,

In addition to the DOS protection, you may wish to consider using one of the DNS hosting services out there. Then you won't see traffic like that targeted at your DNS servers. I use DNS Made Easy, and I can tell you, they can take a bigger hit than I can. Anyway for public DNS, it's a good way to go, and it isn't expensive.

Cheers,

Mike

Re: DoS applictation attack to DNS server - how to prevent, and how to create report showing IP addressess with the highest number of session (not bytes) opened to it

mariusz_sawczuk — Wed, 05 Feb 2014 23:20:03 GMT

Ad1. I was thinking about your recomendation how to configure DoS protection regarding described attacks, not sending documents from Knowledge base.

Is it possible anyway to prtoect from DoS application layer attacks with Palo Atlo?

Ad2. I know about ACC tab, but I was thinking about Manageed Custom Reports, and your advice how to configure such report grouped by seession.

Re: DoS applictation attack to DNS server - how to prevent, and how to create report showing IP addressess with the highest number of session (not bytes) opened to it

mariusz_sawczuk — Wed, 05 Feb 2014 23:25:22 GMT

Mike, you'are definitely right, maybe this is workaround but I agree it works, always

Anyway I would like to tackle the problem without external dns hosting services..

Re: DoS applictation attack to DNS server - how to prevent, and how to create report showing IP addressess with the highest number of session (not bytes) opened to it

HITSSEC — Thu, 06 Feb 2014 00:13:39 GMT

Mariusz,

You may also wish to reduce the session timeout for the dns application from the default 30 seconds to something a bit lower. This would tear down the udp sessions sooner thus reducing the size of the connection table that relates to DNS traffic. The other approach with DOS protection is to utilize resource protection and limit the number of concurrent sessions you allow to your DNS servers. Hope this provides some additional options for you to think about.

Phil