The defense policies for DNS services transmitted over UDP cover rate limiting and defense.
The AntiDDoS identifies well-known protocols by port number. Non-DNS services that use port 53 may be identified as DNS services and be discarded when they match DNS-specific policies. Therefore, do not use well-known ports for other services.
Rate Limiting
Rate Limiting on Request Packets
With DNS request flood defense enabled, the device performs traffic limiting on each source IP address so that the rate of DNS request packets stays below the Rate Limiting Threshold. When the rate of DNS request packets exceeds the threshold, the detecting device reports anomaly events to the ATIC Management center, and the cleaning device discards the excess DNS request packets.
Rate Limiting on Reply Packets
With DNS reply flood defense enabled, the device performs traffic limiting on each source IP address so that the rate of DNS reply packets stays below the Rate Limiting Threshold. When the rate of DNS reply packets exceeds the threshold, the detecting device reports anomaly events to the ATIC Management center, and the cleaning device discards the excess DNS reply packets.
Defense
Unique Configuration Items of the Cache Server
For parameters, see Table 1.
| Parameter | | Description | Value |
|---|---|---|---|
| DNS Request Flood Attack Defense | Defense Mode | Indicates that the cleaning device defends against DNS request flood attacks. | |
| | Threshold | If the rate of DNS request packets exceeds Threshold, the device reports anomaly events to the ATIC Management center and starts defense. | You are advised to perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| | First Packet Check Interval | Supports the configuration of the upper and lower limits of the interval for discarding the first packets. If the actual interval is lower than the lower limit or higher than the upper limit, the packet is considered as the first packet and is discarded. If the actual interval is between the configured lower and upper limits, the packet is a follow-up packet and is permitted. | You are advised to perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
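The following Python model is an added example, not Huawei's code, and shows how the Threshold and First Packet Check Interval items in Table 1 combine with the per-source rate limiting on request packets described above. It applies both rules literally as the table states them: a packet whose interval from the previous packet of the same source lies outside the configured limits is treated as a first packet and discarded; among the remaining follow-up packets, a source may send at most the threshold number of request packets in any one-second window, and the excess is discarded with one anomaly event per source. The packet stream, the threshold and the interval limits are constructed demo values, and timestamps are integer milliseconds to keep the interval arithmetic exact.

```python
"""Added example (not Huawei's code): per-source DNS request flood defense
modelled from Table 1 (Threshold, First Packet Check Interval) and the
rate limiting on request packets described above.

Rule 1 (first packet check): the interval between a packet and the previous
packet from the same source must fall inside [lower_ms, upper_ms]; otherwise
the packet is treated as a first packet and discarded. A source's very first
packet has no previous packet and is therefore always a first packet.
Rule 2 (rate limiting): among follow-up packets, a source may send at most
`threshold` request packets in any sliding one-second window; the excess is
discarded and one anomaly event is recorded per source.

All packets and limits below are constructed demo values (timestamps in ms).
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Verdict:
    permitted: int = 0
    discarded_first: int = 0   # discarded by the first packet check
    discarded_rate: int = 0    # discarded by rate limiting
    events: list = field(default_factory=list)


def defend_requests(packets, threshold, lower_ms, upper_ms):
    """packets: iterable of (timestamp_ms, source_ip) sorted by time."""
    verdict = Verdict()
    last_seen = {}                # source -> timestamp of its previous packet
    window = defaultdict(deque)   # source -> permitted timestamps in the last 1000 ms
    reported = set()              # sources already reported to the management center
    for ts, src in packets:
        prev = last_seen.get(src)
        last_seen[src] = ts
        # Rule 1: outside the expected retransmission interval -> first packet, discard
        if prev is None or not (lower_ms <= ts - prev <= upper_ms):
            verdict.discarded_first += 1
            continue
        # Rule 2: drop timestamps that have fallen out of the 1000 ms window
        recent = window[src]
        while recent and ts - recent[0] >= 1000:
            recent.popleft()
        if len(recent) >= threshold:
            if src not in reported:
                reported.add(src)
                verdict.events.append(
                    f"anomaly: {src} exceeded {threshold} DNS requests/s at t={ts} ms")
            verdict.discarded_rate += 1
            continue
        recent.append(ts)
        verdict.permitted += 1
    return verdict


# Constructed traffic: a resolver that retries once per second, and a source
# sending one request every 100 ms (203.0.113.9 is a documentation address).
SAMPLE_PACKETS = sorted(
    [(1000 * k, "10.0.0.5") for k in range(4)]
    + [(5000 + 100 * k, "203.0.113.9") for k in range(20)]
)

if __name__ == "__main__":
    # With threshold=4, lower_ms=100, upper_ms=5000 the constructed stream yields
    # permitted=11, discarded_first=2, discarded_rate=11 and one anomaly event.
    print(defend_requests(SAMPLE_PACKETS, threshold=4, lower_ms=100, upper_ms=5000))
```

Each source loses its very first packet to the interval check and must retransmit within the configured window; the retrying resolver then passes the rate check, while the 10 packets/s source is reported once and has everything above four packets per window discarded. The model does not cache sources that have already passed the check, because the table does not describe such behaviour.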
Unique Configuration Items of the Authorization Server
For parameters, see Table 2.
| Parameter | | Description | Value |
|---|---|---|---|
| DNS Request Flood Attack Defense | Defense Mode | Indicates that the cleaning device defends against DNS request flood attacks. | |
| | Threshold | If the rate of DNS request packets exceeds Threshold, the device reports anomaly events to the ATIC Management center and starts defense. | You are advised to perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| | First Packet Check Interval | Supports the configuration of the upper and lower limits of the interval for discarding the first packets. If the actual interval is lower than the lower limit or higher than the upper limit, the packet is considered as the first packet and is discarded. If the actual interval is between the configured lower and upper limits, the packet is a follow-up packet and is permitted. | You are advised to perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| DNS Reply Flood Attack Defense | | If the rate of DNS reply packets exceeds Threshold, the cleaning device defends against forged source attacks. | |
| Detection of the requests for NXDomain | | If the proportion of unknown domain name requests within one second exceeds the threshold, the detecting device reports an anomaly event to the ATIC Management center. At this time, you are advised to configure an anomaly packet capture task and extract fingerprints from the packet capture file. The specific unknown domain name can then be added to the Rate Limiting on Request Packets of Specified Domain Name list so that rate limiting is applied to request packets for that domain name. If this function is enabled, you must run the anti-ddos server-flow-statistic enable command on the inbound interface to enable the upstream traffic analysis function. | |
| Packet malformed | | After the validity check on packets is enabled, the cleaning device checks DNS packet formats and discards non-standard packets. | |
| DNS request packet length limiting | | Enables limiting of the DNS request packet length so that DNS request packets stay below Threshold. When the length of a DNS request packet exceeds the threshold, the detecting device reports anomaly events to the ATIC Management center, and the cleaning device discards the overlong DNS request packets. | |
| DNS reply packet length limiting | | Enables limiting of the DNS reply packet length so that DNS reply packets stay below Threshold. When the length of a DNS reply packet exceeds the threshold, the detecting device reports anomaly events to the ATIC Management center, and the cleaning device discards the overlong DNS reply packets. | |
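The Python inspector below is an added example, not Huawei's code, and models three of the Table 2 items in one pass over captured DNS-over-UDP packets: the packet malformed check (header and question section must fit the wire format), request and reply packet length limiting against separate thresholds, and NXDomain detection as the share of NXDOMAIN replies in each one-second window. Taking NXDOMAIN replies (RCODE 3) as the observable measure of "unknown domain name requests" is this example's assumption, not a statement of how the product measures it; build_dns(), the sample packets and the thresholds (512 and 1232 bytes, ratio 0.5) are constructed for the demo.

```python
"""Added example (not Huawei's code): a small DNS-over-UDP inspector that
models three items from Table 2:

  * Packet malformed: the header and first question are parsed and any
    packet that does not fit the wire format is discarded;
  * DNS request / reply packet length limiting: packets longer than the
    configured threshold for their direction are discarded;
  * Detection of the requests for NXDomain: within each one-second window
    the share of NXDOMAIN (RCODE 3) replies is compared with a ratio
    threshold. Using NXDOMAIN replies as the measure of "unknown domain
    name requests" is an assumption of this example, not of the product.

All packets are constructed with build_dns(); thresholds are demo values.
"""
import struct
from collections import defaultdict

RCODE_NXDOMAIN = 3


def build_dns(txid, qname, response=False, rcode=0, padding=0):
    """Construct a minimal DNS message with one A/IN question plus optional padding."""
    flags = (0x8000 if response else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.strip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1) + b"\x00" * padding


def parse_dns(data):
    """Parse the header and first question; raise ValueError for malformed input."""
    if len(data) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(data):
            raise ValueError("question name runs past the end of the packet")
        n = data[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in the question name")
        if n > 63 or pos + n > len(data):
            raise ValueError("bad label length")
        labels.append(data[pos:pos + n].decode("ascii"))  # UnicodeDecodeError is a ValueError
        pos += n
    if pos + 4 > len(data):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def inspect(packets, max_request_len, max_reply_len, nx_ratio):
    """packets: iterable of (timestamp_ms, bytes). Returns counters plus anomaly events."""
    result = {"permitted": 0, "malformed": 0, "overlong_request": 0,
              "overlong_reply": 0, "events": []}
    per_second = defaultdict(lambda: [0, 0])  # second -> [NXDOMAIN replies, all replies]
    for ts, data in packets:
        try:
            msg = parse_dns(data)
        except ValueError:
            result["malformed"] += 1          # Packet malformed: discard
            continue
        if msg["response"] and len(data) > max_reply_len:
            result["overlong_reply"] += 1     # reply length limiting: discard
            continue
        if not msg["response"] and len(data) > max_request_len:
            result["overlong_request"] += 1   # request length limiting: discard
            continue
        result["permitted"] += 1
        if msg["response"]:
            bucket = per_second[ts // 1000]
            bucket[1] += 1
            if msg["rcode"] == RCODE_NXDOMAIN:
                bucket[0] += 1
    for second, (nx, total) in sorted(per_second.items()):
        if total and nx / total > nx_ratio:
            result["events"].append(
                f"anomaly: {nx}/{total} replies in second {second} were NXDOMAIN (ratio > {nx_ratio})")
    return result


# Constructed traffic: one normal exchange, two malformed packets, two overlong
# packets, then a burst of NXDOMAIN replies for names that do not exist.
SAMPLE_PACKETS = [
    (0, build_dns(1, "www.example.com")),
    (10, build_dns(1, "www.example.com", response=True)),
    (20, build_dns(2, "www.example.com")[:7]),                  # truncated header
    (25, struct.pack("!HHHHHH", 3, 0, 0, 0, 0, 0)),             # QDCOUNT 0, no question
    (30, build_dns(4, "www.example.com", padding=600)),         # request padded past 512 B
    (40, build_dns(5, "www.example.com", response=True, padding=1500)),  # overlong reply
    (1100, build_dns(6, "ok.example.com", response=True)),
] + [(1000 + 50 * i, build_dns(10 + i, f"rnd{i}.example.com", response=True,
                                rcode=RCODE_NXDOMAIN)) for i in range(8)]

if __name__ == "__main__":
    print(inspect(SAMPLE_PACKETS, max_request_len=512, max_reply_len=1232, nx_ratio=0.5))
```

On the constructed stream the inspector discards the two malformed and two overlong packets, permits the remaining 11, and raises one NXDomain event for the second in which 8 of 9 replies carry RCODE 3; the event is the point at which, per Table 2, an operator would capture packets and add the offending names to the specified-domain-name rate limiting list.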