Re: MSR3012 attack-defense policy DNS trouble

grinnZli
Occasional Advisor

MSR3012 attack-defense policy DNS trouble

Hello! MSR3012

I have problems with the attack-defense policy.

Blocked DNS (Google, Yandex)

version 7.1.064, Release 0415

#
dns proxy enable
dns server 8.8.8.8
dns server 77.88.8.8

interface GigabitEthernet0/1
port link-mode route
description Link_to_Internet
ip address dhcp-alloc
mac-address ########
qos rtpq start-port 5060 end-port 5060 bandwidth 10000 cbs 250000
qos gts any cir 90000 cbs 1875000 ebs 0 queue-length 50
nat outbound name GL_NAT
nat server protocol tcp global current-interface 443 inside #####  443 acl 3030
nat server protocol udp global current-interface 443 inside ##### 443 acl 3030 

attack-defense apply policy INet-Interface

attack-defense policy INet-Interface
scan detect level high action logging block-source
syn-flood detect non-specific
syn-flood action drop
udp-flood detect non-specific
udp-flood action drop
icmp-flood detect non-specific
icmp-flood action drop
signature detect smurf action drop
signature detect large-icmp action drop
signature detect large-icmpv6 action drop
signature detect tcp-invalid-flags action drop
signature detect tcp-null-flag action drop
signature detect tcp-all-flags action drop
signature detect tcp-syn-fin action drop
signature detect tcp-fin-only action drop
signature detect land action drop
signature detect winnuke action drop
signature detect fraggle action drop
signature detect icmp-type destination-unreachable action drop
signature detect icmp-type source-quench action drop
signature detect ip-option 0 action drop
signature detect ip-option 5 action drop

5 REPLIES
Ivan_B
HPE Pro

Re: MSR3012 attack-defense policy DNS trouble

Hi @grinnZli !

I am wondering if that's not the 'udp-flood detect non-specific' responsible for that... Try to set 'udp-flood action logging' instead of 'udp-flood action drop' to verify if that is the rule that blocks the connection. I suppose the amount of DNS traffic to the router is pretty high and may be considered an attack.

Otherwise the ultimate solution would be to safelist both DNS servers - create an object-group for both DNS servers' IP addresses and safelist the object-group. Packets from the allowed address object group are directly forwarded whether they are attack packets or not.
You can see an example in the Security Configuration Guide, 'Address object group safelist configuration example' section.

Hope this helps!

I am an HPE employee

grinnZli
Occasional Advisor

Re: MSR3012 attack-defense policy DNS trouble

[rt1-GigabitEthernet0/1]display attack-defense statistics interface g0/1
Attack policy name: INet-Interface
Slot 0:
Scan attack defense statistics:
AttackType            AttackTimes  Dropped
Port scan             5            10
Distribute port scan  1            0
Flood attack defense statistics:
AttackType            AttackTimes  Dropped
No flood attacks detected.
Signature attack defense statistics:
AttackType            AttackTimes  Dropped
No signature attacks detected.
[rt1-GigabitEthernet0/1]dis

[rt1-GigabitEthernet0/1]display blacklist ip
Slot 0:
IP address   VPN instance  DS-Lite tunnel peer  Type     TTL(sec)  Dropped
8.8.8.8      --            --                   Dynamic  497       375
77.88.8.8    --            --                   Dynamic  497       359
85.234.0.20  --            --                   Dynamic  497       283
85.234.0.38  --            --                   Dynamic  497       279
[rt1-GigabitEthernet0/1]

Ivan_B
HPE Pro

Re: MSR3012 attack-defense policy DNS trouble

If you believe it's a bug, I suggest you open a case with Support. As a workaround you can temporarily safelist all DNS servers as I stated in my previous email.

I am an HPE employee

grinnZli
Occasional Advisor

Re: MSR3012 attack-defense policy DNS trouble

Temporary solution:

acl advanced name Global-DNS
rule 0 permit ip source 8.8.8.8 0
rule 5 permit ip source 77.88.8.8 0
rule 15 permit ip source 85.234.0.20 0
rule 20 permit ip source 85.234.0.38 0

attack-defense policy INet-Interface
exempt acl name Global-DNS
scan detect level high action logging block-source
syn-flood detect non-specific
syn-flood action drop
udp-flood detect non-specific
udp-flood action drop
icmp-flood detect non-specific
icmp-flood action drop
signature detect smurf action drop
signature detect large-icmp action drop
signature detect large-icmpv6 action drop
signature detect tcp-invalid-flags action drop
signature detect tcp-null-flag action drop
signature detect tcp-all-flags action drop
signature detect tcp-syn-fin action drop
signature detect tcp-fin-only action drop
signature detect land action drop
signature detect winnuke action drop
signature detect fraggle action drop
signature detect icmp-type destination-unreachable action drop
signature detect icmp-type source-quench action drop
signature detect ip-option 0 action drop
signature detect ip-option 5 action drop

grinnZli
Occasional Advisor

Re: MSR3012 attack-defense policy DNS trouble

I have other problems:

%Jun 29 15:31:41:678 2020 rt1 ATK/3/ATK_IP4_IPSWEEP: RcvIfName(1023)=GigabitEthernet0/1; Protocol(1001)=TCP; ; SrcIPAddr(1003)=173.218.80.160; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; Action(1053)=logging,block-source; BeginTime_c(1011)=20200629153141.
%Jun 29 15:31:41:678 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=173.218.80.160; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.

%Jun 29 15:31:41:680 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=185.165.123.176; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.

%Jun 29 15:31:41:685 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=217.69.139.215; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.

%Jun 29 15:31:41:688 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=64.233.165.128; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.

%Jun 29 15:31:41:690 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=62.128.101.17; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.

attack-defense policy INet-Interface
exempt acl name Global-DNS
scan detect level high action logging block-source timeout 30
syn-flood detect non-specific
syn-flood action drop
syn-flood threshold 10000
udp-flood detect non-specific
udp-flood action drop
udp-flood threshold 10000
icmp-flood detect non-specific
icmp-flood action drop
icmp-flood threshold 10000
signature detect smurf action drop
signature detect large-icmp action drop
signature detect large-icmpv6 action drop
signature detect tcp-invalid-flags action drop
signature detect tcp-null-flag action drop
signature detect tcp-all-flags action drop
signature detect tcp-syn-fin action drop
signature detect tcp-fin-only action drop
signature detect land action drop
signature detect winnuke action drop
signature detect fraggle action drop
signature detect icmp-type destination-unreachable action drop
signature detect icmp-type source-quench action drop
signature detect ip-option 0 action drop
signature detect ip-option 5 action drop
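An added example, not from this thread and not HPE code: a small Python checker for the situation described in the two posts above that show `display blacklist ip` output and the ATK/BLS syslog lines. It parses both, collects every source address the scan detector has blacklisted, and cross-checks it against the resolvers configured with `dns server` and the hosts exempted through the ACL named by `exempt acl name`, so an operator can see a resolver being blacklisted before name resolution fails. Sample input is constructed from the thread. Assumptions: a config stanza (ACL or policy) ends at a blank line or a `#` line, as in the pasted configs, and only single-host rules of the form `rule N permit ip source A.B.C.D 0` count as exemptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set

# Comware syslog header, e.g. "%Jun 29 15:31:41:678 2020 rt1 BLS/5/BLS_ENTRY_ADD: ..."
HEADER_RE = re.compile(
    r"^%(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) (?P<host>\S+) "
    r"(?P<module>\w+)/(?P<severity>\d)/(?P<mnemonic>\w+): (?P<body>.*)$"
)
# The body is a run of "Name(id)=value;" pairs; a value runs up to the next ';'.
FIELD_RE = re.compile(r"(\w+)\(\d+\)=([^;]*)")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One data row of "display blacklist ip" (header, prompt and "Slot" lines do not match).
ROW_RE = re.compile(rf"^(?P<ip>{IPV4})\s+(?P<vpn>\S+)\s+(?P<peer>\S+)\s+"
                    r"(?P<type>Dynamic|Static)\s+(?P<ttl>\d+)\s+(?P<dropped>\d+)\s*$")
DNS_SERVER_RE = re.compile(rf"^\s*dns server ({IPV4})\s*$", re.M)
EXEMPT_ACL_RE = re.compile(r"^\s*exempt acl name (\S+)\s*$", re.M)
# Assumption: only single-host permit rules (wildcard 0) are treated as exemptions.
HOST_RULE_RE = re.compile(rf"^rule \d+ permit ip source ({IPV4}) 0$")


@dataclass
class SyslogEvent:
    host: str
    module: str
    mnemonic: str
    fields: Dict[str, str]

    @property
    def src_ip(self) -> Optional[str]:
        return self.fields.get("SrcIPAddr")


def parse_syslog_line(line: str) -> Optional[SyslogEvent]:
    """Parse one Comware syslog line into its header and Name=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip().rstrip(".") for k, v in FIELD_RE.findall(m.group("body"))}
    return SyslogEvent(m.group("host"), m.group("module"), m.group("mnemonic"), fields)


def blacklist_adds(lines: Sequence[str]) -> List[SyslogEvent]:
    """Events announcing that a source address was added to the blacklist."""
    return [e for e in map(parse_syslog_line, lines) if e and e.mnemonic == "BLS_ENTRY_ADD"]


def parse_blacklist_table(text: str) -> List[dict]:
    """Data rows of 'display blacklist ip' with TTL and Dropped as integers."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["ttl"], row["dropped"] = int(row["ttl"]), int(row["dropped"])
            rows.append(row)
    return rows


def configured_resolvers(config: str) -> Set[str]:
    return set(DNS_SERVER_RE.findall(config))


def exempted_hosts(config: str) -> Set[str]:
    """Hosts covered by a host permit rule in an ACL named by 'exempt acl name'."""
    exempt_acls = set(EXEMPT_ACL_RE.findall(config))
    hosts: Set[str] = set()
    current = None  # name of the ACL stanza currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("acl advanced name "):
            current = line.split()[-1]
        elif line in ("", "#"):  # assumed stanza terminator
            current = None
        elif current in exempt_acls:
            m = HOST_RULE_RE.match(line)
            if m:
                hosts.add(m.group(1))
    return hosts


def resolvers_at_risk(config: str, blacklist_text: str = "",
                      syslog_lines: Sequence[str] = ()) -> Set[str]:
    """Configured DNS servers that were blacklisted and are not exempted by ACL."""
    blocked = {r["ip"] for r in parse_blacklist_table(blacklist_text)}
    blocked |= {e.src_ip for e in blacklist_adds(syslog_lines) if e.src_ip}
    return (configured_resolvers(config) & blocked) - exempted_hosts(config)


# Sample input constructed from the thread above.
DNS = "dns proxy enable\ndns server 8.8.8.8\ndns server 77.88.8.8\n\n"
POLICY = "attack-defense policy INet-Interface\n{exempt}scan detect level high action logging block-source\n"
ACL = "acl advanced name Global-DNS\n" + "".join(
    f"rule {n} permit ip source {ip} 0\n"
    for n, ip in [(0, "8.8.8.8"), (5, "77.88.8.8"), (15, "85.234.0.20"), (20, "85.234.0.38")]) + "\n"
CONFIG_BEFORE = DNS + POLICY.format(exempt="")
CONFIG_AFTER = DNS + ACL + POLICY.format(exempt="exempt acl name Global-DNS\n")
BLACKLIST_OUTPUT = """[rt1-GigabitEthernet0/1]display blacklist ip
Slot 0:
IP address VPN instance DS-Lite tunnel peer Type TTL(sec) Dropped
8.8.8.8 -- -- Dynamic 497 375
77.88.8.8 -- -- Dynamic 497 359
85.234.0.20 -- -- Dynamic 497 283
85.234.0.38 -- -- Dynamic 497 279
"""
SYSLOG = [
    "%Jun 29 15:31:41:678 2020 rt1 ATK/3/ATK_IP4_IPSWEEP: RcvIfName(1023)=GigabitEthernet0/1; Protocol(1001)=TCP; ; SrcIPAddr(1003)=173.218.80.160; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; Action(1053)=logging,block-source; BeginTime_c(1011)=20200629153141.",
    "%Jun 29 15:31:41:678 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=173.218.80.160; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.",
    "%Jun 29 15:31:41:688 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=64.233.165.128; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.",
]

if __name__ == "__main__":
    print("resolvers at risk before exempt ACL:", sorted(resolvers_at_risk(CONFIG_BEFORE, BLACKLIST_OUTPUT)))
    print("resolvers at risk after exempt ACL: ", sorted(resolvers_at_risk(CONFIG_AFTER, BLACKLIST_OUTPUT)))
    for ev in blacklist_adds(SYSLOG):
        print(f"{ev.host}: {ev.src_ip} blacklisted for {ev.fields['TTL']}s ({ev.fields['Reason']})")
```

Run against the thread's own data, the checker reports both configured resolvers as blacklisted and unexempted with the original policy, and nothing once the Global-DNS ACL is referenced by `exempt acl name`; feeding it the router's syslog instead of the blacklist table gives the same answer continuously, which is the check worth running after every change to `scan detect level`.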