06-25-2020 01:01 AM
MSR3012 attack-defense policy DNS trouble
Hello! MSR3012
I have problems with the attack-defense policy.
Blocked DNS (Google, Yandex)
version 7.1.064, Release 0415
#
dns proxy enable
dns server 8.8.8.8
dns server 77.88.8.8
interface GigabitEthernet0/1
port link-mode route
description Link_to_Internet
ip address dhcp-alloc
mac-address ########
qos rtpq start-port 5060 end-port 5060 bandwidth 10000 cbs 250000
qos gts any cir 90000 cbs 1875000 ebs 0 queue-length 50
nat outbound name GL_NAT
nat server protocol tcp global current-interface 443 inside ##### 443 acl 3030
nat server protocol udp global current-interface 443 inside ##### 443 acl 3030
attack-defense apply policy INet-Interface
attack-defense policy INet-Interface
scan detect level high action logging block-source
syn-flood detect non-specific
syn-flood action drop
udp-flood detect non-specific
udp-flood action drop
icmp-flood detect non-specific
icmp-flood action drop
signature detect smurf action drop
signature detect large-icmp action drop
signature detect large-icmpv6 action drop
signature detect tcp-invalid-flags action drop
signature detect tcp-null-flag action drop
signature detect tcp-all-flags action drop
signature detect tcp-syn-fin action drop
signature detect tcp-fin-only action drop
signature detect land action drop
signature detect winnuke action drop
signature detect fraggle action drop
signature detect icmp-type destination-unreachable action drop
signature detect icmp-type source-quench action drop
signature detect ip-option 0 action drop
signature detect ip-option 5 action drop
06-25-2020 11:19 AM - last edited on 04-13-2021 08:25 AM by Parvez_Admin
Re: MSR3012 attack-defense policy DNS trouble
Hi @grinnZli !
I am wondering if that's not the 'udp-flood detect non-specific' responsible for that... Try to set 'udp-flood action logging' instead of 'udp-flood action drop' to verify if that is the rule that blocks the connection. I suppose the amount of DNS traffic to the router is pretty high and may be considered as attack.
Otherwise the ultimate solution would be to safelist both DNS servers: create an object-group for both DNS servers' IP addresses and safelist the object-group. Packets from the allowed address object group are directly forwarded whether they are attack packets or not. You can see an example in the Security Configuration Guide, 'Address object group safelist configuration example' section.
Hope this helps!
06-26-2020 02:21 AM - edited 06-26-2020 04:19 AM
Re: MSR3012 attack-defense policy DNS trouble
[rt1-GigabitEthernet0/1]display attack-defense statistics interface g0/1
Attack policy name: INet-Interface
Slot 0:
Scan attack defense statistics:
AttackType AttackTimes Dropped
Port scan 5 10
Distribute port scan 1 0
Flood attack defense statistics:
AttackType AttackTimes Dropped
No flood attacks detected.
Signature attack defense statistics:
AttackType AttackTimes Dropped
No signature attacks detected.
[rt1-GigabitEthernet0/1]dis
[rt1-GigabitEthernet0/1]display blacklist ip
Slot 0:
IP address VPN instance DS-Lite tunnel peer Type TTL(sec) Dropped
8.8.8.8 -- -- Dynamic 497 375
77.88.8.8 -- -- Dynamic 497 359
85.234.0.20 -- -- Dynamic 497 283
85.234.0.38 -- -- Dynamic 497 279
[rt1-GigabitEthernet0/1]
06-26-2020 04:50 AM - last edited on 04-13-2021 08:26 AM by Parvez_Admin
Re: MSR3012 attack-defense policy DNS trouble
If you believe it's a bug, I suggest you open a case with Support. As a workaround you can temporarily safelist all DNS servers as I stated in my previous email.
06-26-2020 04:50 AM
Re: MSR3012 attack-defense policy DNS trouble
Temporary solution:
acl advanced name Global-DNS
rule 0 permit ip source 8.8.8.8 0
rule 5 permit ip source 77.88.8.8 0
rule 15 permit ip source 85.234.0.20 0
rule 20 permit ip source 85.234.0.38 0
attack-defense policy INet-Interface
exempt acl name Global-DNS
scan detect level high action logging block-source
syn-flood detect non-specific
syn-flood action drop
udp-flood detect non-specific
udp-flood action drop
icmp-flood detect non-specific
icmp-flood action drop
signature detect smurf action drop
signature detect large-icmp action drop
signature detect large-icmpv6 action drop
signature detect tcp-invalid-flags action drop
signature detect tcp-null-flag action drop
signature detect tcp-all-flags action drop
signature detect tcp-syn-fin action drop
signature detect tcp-fin-only action drop
signature detect land action drop
signature detect winnuke action drop
signature detect fraggle action drop
signature detect icmp-type destination-unreachable action drop
signature detect icmp-type source-quench action drop
signature detect ip-option 0 action drop
signature detect ip-option 5 action drop
06-29-2020 05:53 AM - edited 06-29-2020 06:18 AM
Re: MSR3012 attack-defense policy DNS trouble
I have other problems:
%Jun 29 15:31:41:678 2020 rt1 ATK/3/ATK_IP4_IPSWEEP: RcvIfName(1023)=GigabitEthernet0/1; Protocol(1001)=TCP; ; SrcIPAddr(1003)=173.218.80.160; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; Action(1053)=logging,block-source; BeginTime_c(1011)=20200629153141.
%Jun 29 15:31:41:678 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=173.218.80.160; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.
%Jun 29 15:31:41:680 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=185.165.123.176; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.
%Jun 29 15:31:41:685 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=217.69.139.215; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.
%Jun 29 15:31:41:688 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=64.233.165.128; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.
%Jun 29 15:31:41:690 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=62.128.101.17; SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.
attack-defense policy INet-Interface
exempt acl name Global-DNS
scan detect level high action logging block-source timeout 30
syn-flood detect non-specific
syn-flood action drop
syn-flood threshold 10000
udp-flood detect non-specific
udp-flood action drop
udp-flood threshold 10000
icmp-flood detect non-specific
icmp-flood action drop
icmp-flood threshold 10000
signature detect smurf action drop
signature detect large-icmp action drop
signature detect large-icmpv6 action drop
signature detect tcp-invalid-flags action drop
signature detect tcp-null-flag action drop
signature detect tcp-all-flags action drop
signature detect tcp-syn-fin action drop
signature detect tcp-fin-only action drop
signature detect land action drop
signature detect winnuke action drop
signature detect fraggle action drop
signature detect icmp-type destination-unreachable action drop
signature detect icmp-type source-quench action drop
signature detect ip-option 0 action drop
signature detect ip-option 5 action drop
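As an added example (not code from this thread, from HPE, or from Comware itself), the following Python script shows how a defender can correlate the two artefacts posted above: the `display blacklist ip` table from the earlier reply and the `BLS_ENTRY_ADD` syslog events from the last post. It extracts the router's own `dns server` addresses from the configuration, reports every blacklist entry or syslog event that names one of them (the failure mode this thread is about), and renders the exempt ACL in the form of the temporary solution. All sample input is constructed to mirror the formats shown in the thread; the function names and the `RUNNING_CONFIG`, `BLACKLIST_OUTPUT` and `SYSLOG_LINES` samples are my own.

```python
"""Flag configured DNS servers caught by the Comware attack-defense blacklist.

Added example. Input formats follow the `display blacklist ip` table and the
ATK/BLS syslog lines posted in the thread; the sample data below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed: the DNS-related lines of the router's running configuration.
RUNNING_CONFIG = """\
dns proxy enable
dns server 8.8.8.8
dns server 77.88.8.8
"""

# Constructed: `display blacklist ip` output modelled on the thread's table.
BLACKLIST_OUTPUT = """\
Slot 0:
IP address VPN instance DS-Lite tunnel peer Type TTL(sec) Dropped
8.8.8.8 -- -- Dynamic 497 375
77.88.8.8 -- -- Dynamic 497 359
85.234.0.20 -- -- Dynamic 497 283
"""

# Constructed: syslog lines in the ATK/BLS format the thread shows.
SYSLOG_LINES = [
    "%Jun 29 15:31:41:678 2020 rt1 ATK/3/ATK_IP4_IPSWEEP: RcvIfName(1023)=GigabitEthernet0/1; "
    "Protocol(1001)=TCP; ; SrcIPAddr(1003)=173.218.80.160; SndDSLiteTunnelPeer(1041)=--; "
    "RcvVPNInstance(1042)=--; Action(1053)=logging,block-source; BeginTime_c(1011)=20200629153141.",
    "%Jun 29 15:31:41:678 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=173.218.80.160; "
    "SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.",
    "%Jun 26 02:10:00:100 2020 rt1 BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=8.8.8.8; "
    "SndDSLiteTunnelPeer(1041)=--; RcvVPNInstance(1042)=--; TTL(1055)=30; Reason(1056)=Scan behavior detected.",
]


@dataclass
class BlacklistEntry:
    ip: str
    entry_type: str  # Dynamic or Static
    ttl: int         # seconds left before the entry ages out
    dropped: int     # packets dropped so far


# key(code)=value pairs as they appear in Comware syslog messages
_KV_RE = re.compile(r"(\w+)\(\d+\)=([^;]*)")
_DNS_RE = re.compile(r"^\s*dns server (\S+)", re.MULTILINE)
# one data row of `display blacklist ip`: ip, vpn, ds-lite peer, type, ttl, dropped
_ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def configured_dns_servers(config):
    """Addresses the router itself resolves through (`dns server` lines)."""
    return set(_DNS_RE.findall(config))


def parse_blacklist_output(text):
    """Parse the data rows of `display blacklist ip`; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            ip, _vpn, _dslite, typ, ttl, dropped = m.groups()
            entries.append(BlacklistEntry(ip, typ, int(ttl), int(dropped)))
    return entries


def parse_bls_events(lines):
    """Extract the key=value fields of BLS_ENTRY_ADD messages only."""
    return [dict(_KV_RE.findall(line)) for line in lines if "BLS_ENTRY_ADD" in line]


def find_blacklisted_dns(config, blacklist_text, syslog_lines):
    """Map each configured DNS server to the evidence that it was blacklisted."""
    dns = configured_dns_servers(config)
    evidence = {}
    for e in parse_blacklist_output(blacklist_text):
        if e.ip in dns:
            evidence.setdefault(e.ip, []).append(
                f"blacklist table: {e.entry_type}, TTL {e.ttl}s, {e.dropped} dropped")
    for ev in parse_bls_events(syslog_lines):
        if ev.get("SrcIPAddr") in dns:
            evidence.setdefault(ev["SrcIPAddr"], []).append(f"syslog: {ev.get('Reason', '?')}")
    return evidence


def build_exempt_acl(name, ips):
    """Render the exempt ACL in the form the thread's temporary solution uses."""
    lines = [f"acl advanced name {name}"]
    for n, ip in enumerate(sorted(ips, key=ipaddress.ip_address)):
        lines.append(f" rule {n * 5} permit ip source {ip} 0")
    return lines


if __name__ == "__main__":
    hits = find_blacklisted_dns(RUNNING_CONFIG, BLACKLIST_OUTPUT, SYSLOG_LINES)
    for ip, why in hits.items():
        print(ip, "->", "; ".join(why))
    print("\n".join(build_exempt_acl("Global-DNS", hits)))
```

The exempt ACL is only the workaround the thread settles on; the report is the useful part, because a resolver address landing in the dynamic blacklist with hundreds of drops is exactly the signature of the outage described in the first post, and watching for it lets you catch the problem before clients notice.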