
Dns-dpi attack protection – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual


53-1003250-01

DNS-DPI Attack Protection

The Brocade Virtual ADX can be configured to provide DNS attack protection for VIP traffic. This
protection is provided by performing a deep packet scan and then classifying each DNS request based
on the following: query type, query name, RD (recursion desired) flag, or the DNSSEC OK (DO) bit in
the EDNS0 OPT record. Based on this classification, one or more of the following actions can be
taken, individually or in combination: forward the traffic to a specific server group, drop the
packet, log the event, or rate limit DNS traffic from the identified client.

Figure 1 displays a potential configuration of this feature. For this configuration, DNS deep
packet inspection with DNS filtering could be configured to perform the following actions.

Block specified types of DNS queries. For example:

Block queries with the RD flag set

Block queries with the DNSSEC OK bit set

Log specified types of DNS queries. For example:

Log the number of queries to www.example3.com

Redirect specified DNS queries to a different set of DNS servers. For example:

Forward all requests with the DNSSEC OK bit to a separate set of servers

Forward all queries for www.example3.com to a different group of servers

Impose rate limiting for certain types of DNS queries per client. For example:

Rate limit queries to www.example3.com for each client

Rate limit the number of MX queries that a client can send

FIGURE 1

DNS attack protection

Notes:

Only DNS requests carried over UDP (port 53) are supported; TCP transport is not supported, so
queries sent over TCP are not subject to this filtering.

If an incoming request matches an existing Layer 4 session (including sticky sessions), DNS
filtering is not applied to that request.

A query is expected to arrive in a single packet; queries spanning multiple packets are not
supported.
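To make the classification concrete, the following is an added example in Python; it is not Brocade code and does not appear in the manual. It parses one complete UDP DNS query datagram, extracts the four classification keys named above (query type, query name, RD flag, and the DNSSEC OK bit carried in the EDNS0 OPT record), and runs the request through a rule list whose actions are the four the text lists: forward to a server group, drop, log, and per-client rate limit. The rule set mirrors the examples in the list above. The server group names (dnssec-servers, example3-servers), the rate-limit thresholds and one-second window, the client addresses, and the test datagrams are all assumptions constructed for the example. Consistent with the notes above, the parser takes a single UDP datagram with no TCP length prefix and performs no reassembly.

```python
"""Toy DNS deep packet inspection with filtering (added example, not Brocade code)."""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

QTYPE_A, QTYPE_MX, QTYPE_OPT = 1, 15, 41
FLAG_QR, FLAG_RD = 0x8000, 0x0100
EDNS_DO = 0x8000  # DO bit: high bit of the OPT RR's 32-bit TTL field (RFC 6891 6.1.4)


@dataclass
class Query:
    qname: str   # lower-cased, with trailing dot
    qtype: int
    rd: bool
    do: bool


def _parse_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Read an uncompressed wire-format name; returns (name, offset after it)."""
    labels = []
    while True:
        ln = buf[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0:   # compression pointer or extended label: not valid in a question name
            raise ValueError("unsupported label type in query name")
        off += 1
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln


def parse_query(datagram: bytes) -> Query:
    """Parse one complete UDP DNS query datagram (no TCP length prefix, no reassembly)."""
    if len(datagram) < 12:
        raise ValueError("short header")
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", datagram[:12])
    if flags & FLAG_QR or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = _parse_name(datagram, 12)
    qtype, _qclass = struct.unpack("!HH", datagram[off:off + 4])
    off += 4
    do = False
    for _ in range(ancount + nscount + arcount):   # walk the remaining RRs looking for OPT
        _name, off = _parse_name(datagram, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", datagram[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT:
            do = bool(ttl & EDNS_DO)
    return Query(qname.lower(), qtype, bool(flags & FLAG_RD), do)


@dataclass
class Rule:
    name: str
    match: Callable[[Query], bool]
    actions: List[Tuple]   # ("log",), ("drop",), ("forward", group), ("ratelimit", max_per_window)


class DnsDpiFilter:
    """Applies each matching rule's actions in order; rate limits count per (client, rule)."""

    def __init__(self, rules: List[Rule], window_s: float = 1.0, default_group: str = "default"):
        self.rules, self.window_s, self.default_group = rules, window_s, default_group
        self.counters: Dict[Tuple[str, str], List[float]] = defaultdict(lambda: [0.0, 0])
        self.events: List[Tuple[str, str, str, int]] = []   # (client, rule, qname, qtype)

    def _over_limit(self, client: str, rule: Rule, limit: int, now: float) -> bool:
        c = self.counters[(client, rule.name)]   # [window_start, count], fixed window
        if now - c[0] >= self.window_s:
            c[0], c[1] = now, 0
        c[1] += 1
        return c[1] > limit

    def process(self, client: str, datagram: bytes, now: float) -> dict:
        try:
            q = parse_query(datagram)
        except (ValueError, IndexError, struct.error):
            return {"action": "drop", "reason": "unparseable"}
        verdict = {"action": "forward", "group": self.default_group}
        for rule in self.rules:
            if not rule.match(q):
                continue
            for act in rule.actions:
                if act[0] == "log":
                    self.events.append((client, rule.name, q.qname, q.qtype))
                elif act[0] == "forward":
                    verdict["group"] = act[1]
                elif act[0] == "drop":
                    return {"action": "drop", "reason": rule.name}
                elif act[0] == "ratelimit" and self._over_limit(client, rule, act[1], now):
                    return {"action": "drop", "reason": f"rate:{rule.name}"}
        return verdict


def build_query(qname: str, qtype: int, rd: bool, edns_do=None, txid: int = 0x1234) -> bytes:
    """Constructed test datagram: one question, optional EDNS0 OPT RR in the additional section."""
    arcount = 0 if edns_do is None else 1
    pkt = struct.pack("!6H", txid, FLAG_RD if rd else 0, 1, 0, 0, arcount)
    for label in qname.rstrip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    pkt += b"\x00" + struct.pack("!HH", qtype, 1)
    if edns_do is not None:   # OPT: root name, type 41, class = UDP payload size, TTL carries DO
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, EDNS_DO if edns_do else 0, 0)
    return pkt


def example_policy() -> DnsDpiFilter:
    """The actions listed in the text as rules; group names and limits are assumptions."""
    return DnsDpiFilter([
        Rule("rd-set", lambda q: q.rd, [("drop",)]),   # sensible only in front of authoritative-only servers
        Rule("dnssec-ok", lambda q: q.do, [("forward", "dnssec-servers")]),
        Rule("example3", lambda q: q.qname == "www.example3.com.",
             [("log",), ("forward", "example3-servers"), ("ratelimit", 2)]),
        Rule("mx-per-client", lambda q: q.qtype == QTYPE_MX, [("ratelimit", 1)]),
    ])


if __name__ == "__main__":
    f = example_policy()
    a = build_query("www.example3.com", QTYPE_A, rd=False)
    for t in (0.0, 0.1, 0.2):   # third query in the window trips the per-client limit
        print(t, f.process("192.0.2.10", a, t))
    print(f.process("192.0.2.10", build_query("x.example.net", QTYPE_A, rd=False, edns_do=True), 1.0))
```

Two points the model makes visible. First, the per-client counters are keyed on the UDP source address, so spoofed source addresses dilute a per-client limit; this is inherent to rate limiting unauthenticated UDP and is why the drop and forward actions are useful alongside it. Second, this toy classifies every datagram; per the notes above, the real feature skips requests that match an existing Layer 4 session, so a deployment should not assume every query from an established client is re-evaluated.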