Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

MSR3012 attack-defense policy DNS trouble

 
Visitor

MSR3012 attack-defense policy DNS trouble

Hello! MSR3012

i have problems with attack-defense policy.

Blocked DNS (GOOGLE. YANDEX)

version 7.1.064, Release 0415

#
dns proxy enable
dns server 8.8.8.8
dns server 77.88.8.8

interface GigabitEthernet0/1
port link-mode route
description Link_to_Internet
ip address dhcp-alloc
mac-address ########
qos rtpq start-port 5060 end-port 5060 bandwidth 10000 cbs 250000
qos gts any cir 90000 cbs 1875000 ebs 0 queue-length 50
nat outbound name GL_NAT
nat server protocol tcp global current-interface 443 inside #####  443 acl 3030
nat server protocol udp global current-interface 443 inside ##### 443 acl 3030 

attack-defense apply policy INet-Interface

 

 

attack-defense policy INet-Interface
scan detect level high action logging block-source
syn-flood detect non-specific
syn-flood action drop
udp-flood detect non-specific
udp-flood action drop
icmp-flood detect non-specific
icmp-flood action drop
signature detect smurf action drop
signature detect large-icmp action drop
signature detect large-icmpv6 action drop
signature detect tcp-invalid-flags action drop
signature detect tcp-null-flag action drop
signature detect tcp-all-flags action drop
signature detect tcp-syn-fin action drop
signature detect tcp-fin-only action drop
signature detect land action drop
signature detect winnuke action drop
signature detect fraggle action drop
signature detect icmp-type destination-unreachable action drop
signature detect icmp-type source-quench action drop
signature detect ip-option 0 action drop
signature detect ip-option 5 action drop

 

 

 

 

5 REPLIES 5
Highlighted
HPE Pro

Re: MSR3012 attack-defense policy DNS trouble

Hi @grinnZli !

I am wondering if that's not the 'udp-flood detect non-specific' responsible for that... Try to set 'udp-flood action logging' instead of 'udp-flood action drop' to verify if that is the rule that blocks the connection. I suppose the amount of DNS traffic to the router is pretty high and may be considered as attack.

Otherwise the ultimate solution would be to whitelist both DNS servers - create an object-group for both DNS server's IP addresses and whitelist the object-group. Packets from the whitelisted address object group are directly
forwarded whether they are attack packets or not. 
You can see an example in the Security Configuration Guide, ' Address object group whitelist configuration example' section.

Hope this helps!

 

I am an HPE employee

Accept or Kudo

Highlighted
Visitor

Re: MSR3012 attack-defense policy DNS trouble

[rt1-GigabitEthernet0/1]display attack-defense statistics interface g0/1
Attack policy name: INet-Interface
Slot 0:
Scan attack defense statistics:
AttackType AttackTimes Dropped
Port scan     5                    10
Distribute port scan 1       0
Flood attack defense statistics:
AttackType AttackTimes Dropped
No flood attacks detected.
Signature attack defense statistics:
AttackType AttackTimes Dropped
No signature attacks detected.
[rt1-GigabitEthernet0/1]dis

[rt1-GigabitEthernet0/1]display blacklist ip
Slot 0:
IP address VPN instance DS-Lite tunnel peer Type TTL(sec) Dropped
8.8.8.8 -- -- Dynamic 497 375
77.88.8.8 -- -- Dynamic 497 359
85.234.0.20 -- -- Dynamic 497 283
85.234.0.38 -- -- Dynamic 497 279
[rt1-GigabitEthernet0/1]

Highlighted
HPE Pro

Re: MSR3012 attack-defense policy DNS trouble

If you believe it's a bug, I suggest you to open a case with Support. As a workaround you can temporarily whitelist all DNS servers as I stated in my previous email.

 

I am an HPE employee

Accept or Kudo

Highlighted
Visitor

Re: MSR3012 attack-defense policy DNS trouble

temporary solution

acl advanced name Global-DNS
rule 0 permit ip source 8.8.8.8 0
rule 5 permit ip source 77.88.8.8 0
rule 15 permit ip source 85.234.0.20 0
rule 20 permit ip source 85.234.0.38 0

attack-defense policy INet-Interface
exempt acl name Global-DNS
scan detect level high action logging block-source
syn-flood detect non-specific
syn-flood action drop
udp-flood detect non-specific
udp-flood action drop
icmp-flood detect non-specific
icmp-flood action drop
signature detect smurf action drop
signature detect large-icmp action drop
signature detect large-icmpv6 action drop
signature detect tcp-invalid-flags action drop
signature detect tcp-null-flag action drop
signature detect tcp-all-flags action drop
signature detect tcp-syn-fin action drop
signature detect tcp-fin-only action drop
signature detect land action drop
signature detect winnuke action drop
signature detect fraggle action drop
signature detect icmp-type destination-unreachable action drop
signature detect icmp-type source-quench action drop
signature detect ip-option 0 action drop
signature detect ip-option 5 action drop

 

 

Highlighted
Visitor

Re: MSR3012 attack-defense policy DNS trouble

i have other problems

%Jun 29 15:31:41:678 2020 rt1 ATK/3/ATK_IP4_IPSWEEP: RcvIfName(1023)=GigabitEthernet0/1; Protocol(1001)=TCP; ; SrcIPAddr(1003)=173.218.80.160; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; Action(1053)=logging,block-source; BeginTime_c(1011)=20200629153141.
%Jun 29 15:31:41:678 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=173.218.80.160; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.

%Jun 29 15:31:41:680 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=185.165.123.176; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.

%Jun 29 15:31:41:685 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=217.69.139.215; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.

%Jun 29 15:31:41:688 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=64.233.165.128; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.

%Jun 29 15:31:41:690 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=62.128.101.17; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.

attack-defense policy INet-Interface
exempt acl name Global-DNS
scan detect level high action logging block-source timeout 30
syn-flood detect non-specific
syn-flood action drop
syn-flood threshold 10000
udp-flood detect non-specific
udp-flood action drop
udp-flood threshold 10000
icmp-flood detect non-specific
icmp-flood action drop
icmp-flood threshold 10000
signature detect smurf action drop
signature detect large-icmp action drop
signature detect large-icmpv6 action drop
signature detect tcp-invalid-flags action drop
signature detect tcp-null-flag action drop
signature detect tcp-all-flags action drop
signature detect tcp-syn-fin action drop
signature detect tcp-fin-only action drop
signature detect land action drop
signature detect winnuke action drop
signature detect fraggle action drop
signature detect icmp-type destination-unreachable action drop
signature detect icmp-type source-quench action drop
signature detect ip-option 0 action drop
signature detect ip-option 5 action drop