DoS application attack to DNS server - how to prevent, and how to create a report showing IP addresses with the highest number of sessions (not bytes) opened to it

L1 Bithead


From time to time I observe a lot of DNS queries (not UDP floods) from the Internet to my DNS servers. Unfortunately those queries have a negative impact on my old firewall (it can't establish so many sessions, which makes the network stop).

Probably my DNS servers are targets of:

- DoS application layer attacks: target specific applications, e.g. DNS dictionary attacks, because I can see many DNS requests to unknown domains, which don't even exist on the Internet.

rather than

- DoS volumetric attacks: designed to saturate and overwhelm network resources, e.g. DNS reflection, DNSSEC amplification, because I don't see DNS responses

My questions are:

1. PAN devices offer Zone/DoS Protection features. How to configure those features to protect my whole network from such DoS application attacks?

2. How to create a report showing IP addresses with the highest number of sessions (not bytes) opened to my DNS servers behind the PAN device? I would like to know (just in case) if in the future my DNS servers become a target of a DoS volumetric attack.

L7 Applicator

Re: DoS application attack to DNS server - how to prevent, and how to create a report showing IP addresses with the highest number of sessions (not bytes) opened to it

Hello Sir,

1. Please follow the documents mentioned below; they will help you understand and configure DoS/Zone protection profiles on the PAN firewall.

Understanding DoS Protection

Few related docs to troubleshoot:

a. CLI commands to verify the DOS functionality on Palo Alto Networks Devices

b. What are the Differences between DoS Protection and Zone Protection?

c. Global Counters Triggered by a Zone Protection Profile

2. You can create a custom report under the ACC tab (Application Command Center). Please see the example below:

[screenshot: ACC-session-1.JPG.jpg]

Next, click into the application where you want to see the source and destination IP details:

[screenshot: ACC-session-2.JPG.jpg]

Hope this helps.

Thanks

L3 Networker

Re: DoS application attack to DNS server - how to prevent, and how to create a report showing IP addresses with the highest number of sessions (not bytes) opened to it

Hi Mariusz,

In addition to the DoS protection, you may wish to consider using one of the DNS hosting services out there. Then you won't see traffic like that targeted at your DNS servers. I use DNS Made Easy, and I can tell you, they can take a bigger hit than I can. Anyway, for public DNS it's a good way to go, and it isn't expensive.

Cheers,

Mike

L1 Bithead

Re: DoS application attack to DNS server - how to prevent, and how to create a report showing IP addresses with the highest number of sessions (not bytes) opened to it

Ad 1. I was thinking about your recommendation on how to configure DoS protection regarding the described attacks, not sending documents from the Knowledge Base.

Is it possible anyway to protect from DoS application layer attacks with Palo Alto?

Ad 2. I know about the ACC tab, but I was thinking about Managed Custom Reports, and your advice on how to configure such a report grouped by session.

L1 Bithead

Re: DoS application attack to DNS server - how to prevent, and how to create a report showing IP addresses with the highest number of sessions (not bytes) opened to it

Mike, you're definitely right; maybe this is a workaround, but I agree it works, always :smileywink:

Anyway, I would like to tackle the problem without external DNS hosting services.

L4 Transporter

Re: DoS application attack to DNS server - how to prevent, and how to create a report showing IP addresses with the highest number of sessions (not bytes) opened to it

Mariusz,

You may also wish to reduce the session timeout for the dns application from the default 30 seconds to something a bit lower. This would tear down the UDP sessions sooner, thus reducing the size of the connection table that relates to DNS traffic. The other approach with DoS protection is to utilize resource protection and limit the number of concurrent sessions you allow to your DNS servers. Hope this provides some additional options for you to think about.

Phil
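An added example, not from the thread or from Palo Alto Networks, of the report asked for in question 2 computed offline from an exported traffic log rather than in the ACC: it ranks sources by session count toward the DNS servers and, on constructed sample rows, shows why the top source by sessions differs from the top source by bytes; it also flags sources over a per-source session limit, in the spirit of Phil's resource-protection suggestion. The CSV column names, the server addresses and the limit are assumptions.

```python
"""Rank source IPs by number of sessions (not bytes) opened to DNS servers.

Constructed example. Assumes a CSV export of firewall traffic logs with
one row per session and the columns src, dst, app, bytes (column names
are an assumption; adjust them to match your export).
"""
import csv
import io
from collections import Counter

# Documentation-range placeholder addresses for the DNS servers being protected.
DNS_SERVERS = {"198.51.100.10", "198.51.100.11"}

# Constructed sample log rows: many small sessions from .5, few large ones from .9.
SAMPLE_CSV = """src,dst,app,bytes
203.0.113.5,198.51.100.10,dns,120
203.0.113.5,198.51.100.10,dns,118
203.0.113.5,198.51.100.11,dns,121
203.0.113.5,198.51.100.10,dns,119
203.0.113.9,198.51.100.10,dns,4200
203.0.113.9,198.51.100.10,dns,3900
203.0.113.7,198.51.100.10,web-browsing,8000
203.0.113.7,198.51.100.11,dns,130
"""


def session_counts(csv_text, dns_servers=DNS_SERVERS, app="dns"):
    """Count sessions and bytes per source IP, keeping only the DNS app to the DNS servers."""
    sessions, bytes_total = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["app"] != app or row["dst"] not in dns_servers:
            continue
        sessions[row["src"]] += 1
        bytes_total[row["src"]] += int(row["bytes"])
    return sessions, bytes_total


def top_talkers(csv_text, n=5):
    """Return (src, sessions, bytes) tuples ordered by session count, highest first."""
    sessions, bytes_total = session_counts(csv_text)
    return [(ip, cnt, bytes_total[ip]) for ip, cnt in sessions.most_common(n)]


def over_limit(csv_text, limit):
    """Sources whose session count exceeds an assumed per-source limit."""
    return sorted(ip for ip, cnt, _ in top_talkers(csv_text, n=None) if cnt > limit)


if __name__ == "__main__":
    for ip, n_sess, n_bytes in top_talkers(SAMPLE_CSV):
        print(f"{ip:16} sessions={n_sess:4d} bytes={n_bytes}")
    print("over limit (3):", over_limit(SAMPLE_CSV, limit=3))
```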
