Fortinet black logo

Handbook

Home FortiADC 7.4.2 Handbook
7.4.2
7.4.3
7.4.2
7.4.1
7.4.0
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.1.4
7.1.3
7.1.2
7.1.1
7.1.0
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.1.6
6.1.5
6.1.4
6.1.3
6.1.2
6.1.1
6.1.0
6.0.1
6.0.0
5.4.3
5.4.2
5.4.1
5.4.0
5.3.6
5.3.5
5.3.4
5.3.3
5.3.2
5.3.1
5.3.0
5.2.7

Configuring a DNS Reverse Flood Protection policy

Configuring a DNS Reverse Flood Protection policy

The DNS Reverse Flood Protection policy can limit the number of ANY type DNS requests per second to mitigate against DNS reverse flood attacks.

A DNS reverse flood is a type of DDoS attack that uses high volumes of DNS responses to overwhelm network resources. When a small request has a disproportionately larger response, the outbound network pipe can easily become congested and disrupt traffic responses for legitimate requests and/or other applications. And since the transport protocol is UDP, these types of requests can be easily spoofed.
One popular form of DNS reverse flood attack is DNS amplification attack. The Attacker sends out a DNS query with a forged IP address (the Victim's) to an open DNS resolver, prompting it to reply back to that address with a DNS response. With numerous fake queries being sent out, and with several DNS resolvers replying back simultaneously, the Victim's network can easily be overwhelmed by the high volume of DNS responses.

Using the DNS Reverse Flood Protection policy, you can set a ANY Query Rate Limit to restrict the number of all types (ANY) of DNS queries that can be made per second. Once the query rate exceeds the limit, it will trigger a corresponding action (Pass or Deny).

After you have configured a DNS Reverse Flood Protection policy, you can apply it in a DoS Protection Profile.

To configure a DNS Reverse Flood Protection policy:
  1. Go to DoS Protection > Application.
  2. Click the DNS Reverse Flood Protection tab.
  3. Click Create New to display the configuration editor.

  4. Configure the following DNS Reverse Flood Protection settings:

    Setting

    Description

    NameSpecify a name for the DNS Reverse Flood Protection policy.
    Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The configuration name cannot be edited once it has been saved.
    Status

    Enable/disable the status of this DNS Reverse Flood Protection policy.

    ANY Query Rate Limit

    Specify the allowable number of DNS requests per second, with query type ANY. The range is 0 to 1048567. The default is 0, which means that no limit is placed on the number of DNS queries that can be made per second.

    Note:
    Multiple "rate limit" type of operations may be executed through various configurations, however, they cannot be executed all at once. Priority is given to certain rate limit operations. The following lists the execution sequence.

    1. Transaction Rate Limit (from the virtual server configuration).

    2. DNS Query Rate Limit (from DNS Query Flood Protection policy).

    3. ANY Query Rate Limit (from DNS Reverse Flood Protection policy).

    Action

    Select the corresponding action to take when the ANY Query Rate Limit is exceeded:

    • Pass — Allow the traffic.

    • Deny — Drop the traffic, send a 400 Bad request to the client.

    Deny is the default option.

    LogEnable/disable logging for the Action. This is disabled by default.
    Severity

    Select the event severity to log when the DNS Reverse Flood Protection policy is triggered:

    • High — Log as high severity events.
    • Medium — Log as a medium severity events.
    • Low — Log as low severity events.

    The default is High.

  5. Click Save.
    After the new DNS Reverse Flood Protection policy has been saved, it will appear in the DNS Reverse Flood Protection page. You can now apply this DNS Reverse Flood Protection policy to a DoS Protection Profile configuration.

Statistical data of DNS Reverse Flood attacks are recorded in Security logs in detail (from FortiView and Log & Report), and in the Dashboard Security widget as event counts.

Typically, Security logs provide the attack count as well, however, due to the speed at which DNS Reverse Flood attacks can occur (within milliseconds), the Security logs cannot accurately count each attack as the logs are counted every 1 second. This means that when a DNS Reverse Flood attack occurs, Security logs can only capture the attack details but not the accurate count of the number of packets that has exceeded the ANY Query Rate Limit.

To view the correct count of each ANY Query Rate Limit excess event, you can reference the Security widget from the Dashboard that is a dedicated security event counter.
Previous
Next

Configuring a DNS Reverse Flood Protection policy

The DNS Reverse Flood Protection policy can limit the number of ANY type DNS requests per second to mitigate against DNS reverse flood attacks.

A DNS reverse flood is a type of DDoS attack that uses high volumes of DNS responses to overwhelm network resources. When a small request has a disproportionately larger response, the outbound network pipe can easily become congested and disrupt traffic responses for legitimate requests and/or other applications. And since the transport protocol is UDP, these types of requests can be easily spoofed.
One popular form of DNS reverse flood attack is DNS amplification attack. The Attacker sends out a DNS query with a forged IP address (the Victim's) to an open DNS resolver, prompting it to reply back to that address with a DNS response. With numerous fake queries being sent out, and with several DNS resolvers replying back simultaneously, the Victim's network can easily be overwhelmed by the high volume of DNS responses.

Using the DNS Reverse Flood Protection policy, you can set a ANY Query Rate Limit to restrict the number of all types (ANY) of DNS queries that can be made per second. Once the query rate exceeds the limit, it will trigger a corresponding action (Pass or Deny).

After you have configured a DNS Reverse Flood Protection policy, you can apply it in a DoS Protection Profile.

To configure a DNS Reverse Flood Protection policy:
  1. Go to DoS Protection > Application.
  2. Click the DNS Reverse Flood Protection tab.
  3. Click Create New to display the configuration editor.

  4. Configure the following DNS Reverse Flood Protection settings:

    Setting

    Description

    NameSpecify a name for the DNS Reverse Flood Protection policy.
    Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The configuration name cannot be edited once it has been saved.
    Status

    Enable/disable the status of this DNS Reverse Flood Protection policy.

    ANY Query Rate Limit

    Specify the allowable number of DNS requests per second, with query type ANY. The range is 0 to 1048567. The default is 0, which means that no limit is placed on the number of DNS queries that can be made per second.

    Note:
    Multiple "rate limit" type of operations may be executed through various configurations, however, they cannot be executed all at once. Priority is given to certain rate limit operations. The following lists the execution sequence.

    1. Transaction Rate Limit (from the virtual server configuration).

    2. DNS Query Rate Limit (from DNS Query Flood Protection policy).

    3. ANY Query Rate Limit (from DNS Reverse Flood Protection policy).

    Action

    Select the corresponding action to take when the ANY Query Rate Limit is exceeded:

    • Pass — Allow the traffic.

    • Deny — Drop the traffic, send a 400 Bad request to the client.

    Deny is the default option.

    LogEnable/disable logging for the Action. This is disabled by default.
    Severity

    Select the event severity to log when the DNS Reverse Flood Protection policy is triggered:

    • High — Log as high severity events.
    • Medium — Log as a medium severity events.
    • Low — Log as low severity events.

    The default is High.

  5. Click Save.
    After the new DNS Reverse Flood Protection policy has been saved, it will appear in the DNS Reverse Flood Protection page. You can now apply this DNS Reverse Flood Protection policy to a DoS Protection Profile configuration.

Statistical data of DNS Reverse Flood attacks are recorded in Security logs in detail (from FortiView and Log & Report), and in the Dashboard Security widget as event counts.

Typically, Security logs provide the attack count as well, however, due to the speed at which DNS Reverse Flood attacks can occur (within milliseconds), the Security logs cannot accurately count each attack as the logs are counted every 1 second. This means that when a DNS Reverse Flood attack occurs, Security logs can only capture the attack details but not the accurate count of the number of packets that has exceeded the ANY Query Rate Limit.

To view the correct count of each ANY Query Rate Limit excess event, you can reference the Security widget from the Dashboard that is a dedicated security event counter.
Previous
Next