Brocade Communications Systems 12.4.00a DNS attack protection

42 ServerIron ADX Security Guide

53-1002440-03

DNS attack protection

1

DNS attack protection

The ServerIron ADX can be configured to provide DNS attack protection to VIP traffic. This

protection is provided by performing a deep packet scan and then classifying DNS requests based

on the following: query type, query name, RD flag or the DNSSEC “OK” bit in the EDNS0 header.

Based on this classification, the following actions can be taken either individually or in

combination: forward traffic to a specific server group, drop packets, log events or rate limit DNS

traffic from the identified client.

Figure 4 displays a potential configuration of this feature. For this configuration, a DNS deep packet

inspection with DNS filtering could be configured to perform the following actions.

Block specified types of DNS queries – for example:

•Block queries with the RD flag

•Block queries with the DNSSEC “OK” bit set.

Log specified types of DNS queries – for example:

•Log the number of queries to “www.mydomain.com”

Redirect specified DNS queries to a different set of DNS servers – for example:

•Forward all requests with the DNSSEC “OK” bit to a separate set of servers.

•Forward all queries for the “ www.mydomain.com” to a different group of servers

Impose rate limiting for certain types of DNS queries per client.– for example:

•Rate limit queries to “ www.mydomain.com” for each client

•Rate limit the number of MX queries that a client can send.

FIGURE 4 DNS attack protection

Notes:

1. Only DNS requests using UDP transport (port 53) is supported.

2. If an in coming request matche s an exi sting L4 session (including sticky sessions), DNS filtering

will not apply on the request

3. Query not expected across multiple packet

4. When multiple queries are in a single DNS packet, only first RR will be processed

5. There is no csw dns rule to identify DNS Root requests.

DNS Server

ServerIron ADX

DNS client A

VIP

200.200.200.1

Internet

DNS client B

DNS Server

Contents

Main Brocade Communications Systems, Incorporated Document History June, 2012 Title Publication number Summary of changes Date April, 2012 ServerIron ADX Security Guide 53-1002440-03 Updates made to documentation. Contents About This Document Chapter 1 Network Security Page Chapter 2 Access Control List Chapter 3 IPv6 Access Control Lists Chapter 4 Network Address Translation Chapter 5 Syn-Proxy and DoS Protection Chapter 6 Secure Socket Layer (SSL) Acceleration Page Page About This Document Audience Supported hardware and software Document conventions Notice to the reader Related publications Getting technical help Page Network Security TCP SYN attacks IP TCP syn-proxy Granular application of syn-proxy feature Syn-def Introduction show server traffic SYN-def-dont-send-ack show server debug 4ServerIron ADX Security Guide 53-1002440-03 No response to non-SYN first packet of a TCP flow No response to non-SYN first packet of a TCP flow Prioritizing management traffic Protection against attack in hardware Peak BP utilization with TRAP Show CPU-utilization command enhancement BP utilization threshold MP utilization threshold Transaction Rate Limit (TRL) Understanding transaction rate limit Configuring transaction rate limit Prerequisites Configure transaction rate limit rule set Configure transaction rate limit to exclude a client Configure a transaction rate limit default Configure transaction rate limit for pass through traffic Apply transaction rate limit to a VIP Deleting all TRL rules in a policy Download transaction rate limit configuration from a TFTP server. (optional) Configuring the maximum number of rules Changing the maximum number of rules globally. Changing the maximum number of rules locally per-policy. Saving a TRL configuration Disabling the storage of TRL rules on the internal USB drive Transaction rate limit command reference Global TRL TRL plus security ACL-ID security acl-id Transaction rate limit hold-down value Displaying TRL rules statistics Displaying TRL rules in a policy Displaying IP address with held down traffic Refusing new connections from a specified IP address TABLE 1 HTTP TRL Overview of HTTP TRL HTTP TRL features Configuring HTTP TRL Configuring HTTP TRL client Configuring HTTP TRL client rate limit Configuring HTTP TRL client maximum connection Configuring HTTP TRL defaults Configuring HTTP TRL default rate limit Configuring HTTP TRL default maximum connection Sample HTTP TRL configuration Creating an HTTP TRL policy with client rate limit Configuring Layer 4 SLB Creating a CSW rule and policy with HTTP TRL Displaying HTTP TRL Displaying HTTP TRL Display all HTTP TRL policies To show all running configurations for HTTP TRL policies, use the following command. Syntax: show run http-trl-policy all Display HTTP TRL policy from index Syntax: show run http-trl-policy <policy-name> <index> Display HTTP TRL policy client To show a running configuration for an HTTP TRL policy client, enter the following command. Syntax: show run http-trl-policy <policy-name> <client-name> Display HTTP TRL policy starting from index Syntax: show run http-trl-policy <policy-name> <start-index> <number-of-entries> Display HTTP TRL policy matching a regular expression Syntax: show http-trl policy <policy-name> <start entry number> <end entry number> The syntax for regex is the same as for piping. Syntax: show run http-trl-policy <policy-name> regex < regular expression> Display HTTP TRL policy client index (MP) Display HTTP TRL policy client index (BP) Downloading an HTTP TRL policy through TFTP Display HTTP TRL policy for all client entries (BP) Downloading an HTTP TRL policy through TFTP To download an HTTP TRL policy using TFTP, enter a command similar to the following. HTTP TRL policy commands Client-name <client-name> monitor-interval Client-name <client-name> max-conn Client-name <client-name> exceed-action Default monitor-interval Default max-conn Default exceed-action Logging for DoS Attacks Configuration commands show server conn-rate Maximum connections clear statistics dos-attack Maximum concurrent connection limit per client Limiting the number of concurrent connections per client Configure the maximum number of connections Binding the policy to a VIP Firewall load balancing enhancements Enabling firewall strict forwarding Enabling firewall VRRPE priority Enabling track firewall group Syn-cookie threshhold trap Service port attack protection in hardware Traffic segmentation VLAN bridging FIGURE 1 FIGURE 2 Considerations when configuring VLAN bridging Configuring VLAN bridging Displaying VLAN bridge information TABLE 2 TABLE 3 Traffic segmentation using the use-session-for-vip-mac command FIGURE 3 DNS attack protection FIGURE 4 Notes: Configuring DNS attack protection Defining DNS rules to filter packets Order of Rule matching Creating a DNS DPI policy and bind the rules to it Binding a DNS DPI policy to a Virtual port Configuring global commands for DNS attack protection Configuring the ADX to drop requests if servers in redirect actions are down Displaying DNS attack protection information DIsplaying DNS DPI policy counters DIsplaying IP addresses held down by a rate limit action Page Access Control List How ServerIron processes ACLs Prior to release 12.3.01 Beginning with release 12.3.01 and later Rule-based ACLs Configuration guidelines for rule-based ACLs: general guidelines How fragmented packets are processed Default ACL action Types of IP ACLs ACL IDs and entries Support for up to 4096 ACL entries ACL entries and the Layer 4 CAM Aging out of entries in the Layer 4 CAM Displaying the number of Layer 4 CAM entries Specifying the maximum number of CAM entries for rule-based ACLs Configuring numbered and named ACLs Configuring standard numbered ACLs Standard ACL syntax Configuring extended numbered ACLs Extended ACL syntax Page Page Configuring standard or extended named ACLs Displaying ACL definitions Displaying ACLs using keywords Numbered ACL Page Page Modifying ACLs Displaying a list of ACL entries Numbered ACLs Applying an ACLs to interfaces Reapplying modified ACLs ACL logging Syslog message for changed ACL mode Copying denied traffic to a mirror port for monitoring Displaying ACL log entries Displaying ACL statistics for flow-based ACLs Clearing flow-based ACL statistics Dropping all fragments that exactly match a flow-based ACL Clearing the ACL statistics Enabling ACL filtering of fragmented packets Filtering fragmented packets for rule-based ACLs Throttling the fragment rate Syslog messages for exceeded fragment thresholds Enabling hardware filtering for packets denied by flow-based ACLs TABLE 4 Enabling strict TCP or UDP mode for flow-based ACLs Enabling strict TCP mode Enabling strict UDP mode Configuring ACL packet and flow counters ACLs and ICMP Using flow-based ACLs to filter ICMP packets based on the IP packet length ICMP filtering with flow-based ACLs Numbered ACLs TABLE 5 Using ACLs and NAT on the same interface (flow-based ACLs) TABLE 5 Displaying ACL bindings Troubleshooting rule-based ACLs Page IPv6 Access Control Lists IACL overview Configuration Notes Processing of IPv6 ACLs Prior to release 12.3.01 Beginning with release 12.3.01 and later Configuring an IPv6 ACL Example Configurations Default and Implicit IPv6 ACL Action ACL Syntax NOTES: IACL overview DECIMAL <0-255> ICMP message type Page IACL overview Arguments... Description... Applying an IPv6 ACL to an interface Using an ACL to Restrict SSH Access Displaying ACLs Syntax: show ipv6 access-list [<access-list-name>] Displaying ACLs bound to an interface Using an ACL to Restrict SSH Access Using an ACL to Restrict Telnet Access Logging IPv6 ACLs Page Network Address Translation Introduction FIGURE 5 Configuring NAT Configuring static NAT Configuring dynamic NAT Configuring an address pool Associating a range of private addresses with a pool and enabling PAT NAT configuration examples Dynamic NAT configuration example 1 FIGURE 6 Dynamic NAT configuration example 2 FIGURE 7 Static NAT configuration example FIGURE 8 PAT Forwarding packets without NAT translation Translation timeouts Configuring the NAT translation aging timer Stateless static IP NAT Redundancy Enabling IP NAT Enabling IP NAT globally Enabling IP NAT per-interface Enabling static NAT redundancy Enabling dynamic NAT redundancy Displaying NAT information Displaying NAT information Displaying NAT statistics To display NAT statistics, enter commands such as the following. Displaying NAT information 4 Syntax: show ip nat statistics TABLE 7 This field... Displays... Displaying NAT information Displaying NAT translation TABLE 7 This field... Displays... Displaying NAT redundancy information TABLE 8 Displaying VRRPE information Clearing NAT entries from the table Syn-Proxy and DoS Protection Understanding Syn-Proxy Syn-Proxy auto control Difference between ServerIron ADX and JetCore Syn-Proxy Behavior Configuring Syn-Proxy Enabling SYN-Proxy Setting Attack-Rate-Threshold Setting SYN-Ack-Window-Size Setting Reset-Using-Client-MAC Retransmitting TCP SYNs Setting the time range for a valid ACK packet Limiting syn-proxy feature to defined VIPs Setting the source MAC address Limiting the syn-proxy feature to VIP traffic only Setting a minimum MSS value for SYN-ACK packets Hierarchy of operation Setting the MSS value at the global level Setting the MSS value at the virtual server level Setting the MSS value at the virtual port level Setting the MSS value for pass-through traffic to a specified destination IP address Negotiated MSS value set TABLE 9 Configuring Syn-Proxy auto control Considerations for configuring Syn-proxy auto control Setting the SYN-Proxy auto control thresholds TABLE 9 Setting the interval time for counting TCP SYN packets Displaying Syn-Proxy Commands Configuring Syn-Proxy Displaying TCP Attack Information The show server tcp-attack command displays attack information for connection rates counters. Syntax: show server tcp-attack [debug | fast-path] Displaying Server Traffic information Displaying SYN Cookie Information TABLE 10 TABLE 11 DDoS protection Configuring a security filter Configuring a Generic Rule TABLE 12 Configuring a rule for common attack types TABLE 13 DDoS protection Configuring a rule for ip-option attack types TABLE 14 Configuring a rule for icmp-type options TABLE 15 Configuring a rule for IPv6 ICMP types TABLE 15 TABLE 16 Configuring a rule for IPv6 ext header types TABLE 16 TABLE 17 Binding the filter to an interface Clearing DOS attack statistics Clearing all DDOS Filter & Attack Counters Logging for DoS attacks Displaying security filter statistics Address-sweep and port-scan logging Secure Socket Layer (SSL) Acceleration SSL overview Public Key Infrastructure (PKI) Page Public key SSL acceleration on the ServerIron ADX FIGURE 9 SSL Termination Mode SSL Proxy Mode FIGURE 10 ServerIron ServerIron ADX SSL Real Server Client SSL Traffic ServerIron ADX keypair file Digital certificate Configuring SSL on a ServerIron ADX Obtaining a ServerIron ADX keypair file Certificate management Generating a Self-Signed Certificate Using CA-signed certificates Exporting Web Server Certificates Page Page Page Converting certificate formats Importing keys and certificates Page Page Creating a Master Password for export of SSL keys Deleting certificate and key files Certificate Verification FIGURE 11 Chained Certificate Verification FIGURE 12 Page Page FIGURE 13 The certificate hierarchy is shown as under: Page Page a9:fe:19:9d:0e:c1:b0:f9:73:ec:66:db:38:30:39:91:92:71: FIGURE 14 Common Mistakes Step 1: Import Server Certificate and Intermediate CA Certificates Step 2: Enable Certificate Chain Support for SSL renegotiation Basic SSL profile configuration Specifying a keypair file Specifying a cipher suite Configuring Multiple Cipher Suites Specifying a certificate file Advanced SSL profile configuration Configuring client authentication Enabling certificate verification Client certificate verification in SSL Proxy Mode Configuring a CA certificate file Creating a certificate revocation list Allowing Self Signed Certificates Enabling a certificate chain Configuring certificate chain depth Enabling session caching Configuring session cache size Configuring a session cache timeout Enabling SSL Version 2 Enabling close notify Disabling certificate verification Enabling a ServerIron ADX SSL to respond with renegotiation headers Configuring Real and Virtual Servers for SSL Termination and Proxy Mode Configuring Real and Virtual Servers for SSL Termination Mode Configuring Real and Virtual Servers for SSL Proxy Mode Page Configuration Examples for SSL Termination and Proxy Modes Configuring SSL Termination Mode Configuring SSL Proxy Mode TCP configuration issues with SSL Terminate and SSL Proxy Page FIGURE 16 The TCP Nagle Algorithm Delayed TCP ACK Creating a TCP Profile Applying the TCP profile to VIP for SSL terminate Applying the TCP profile to VIP for SSL Proxy Inserting a certificate in an HTTP header Other protocols supported for SSL TABLE 18 Configuring the system max values Configuring SSLv2 connection rate Configuring memory limit for SSL hardware buffers Configuring number of ssl profiles Configuring the maximum number of SSL concurrent connections SSL debug and troubleshooting commands Diagnostics Displaying SSL information Using Rconsole Displaying proxy debug counters Displaying proxy statistics Displaying authentication statistics Displaying locally stored SSL certificates Displaying SSL connection information Displaying the status of a CRL record Page Displaying SSL debug counters Displaying SSL key information The following example provides information about a specified key: "rsakey". Displaying an SSL Profile Displaying the session cache statistics for and SSL profile Displaying the certificate bound to an SSL profile Displaying the key that is bound to an SSL profile SSL debug and troubleshooting commands 6 Displaying record size information Use the show ssl record-size command in rconsole mode to display information regarding record size. Displaying socket information Displaying socket details in open status Displaying all sockets in open status Displaying socket state information Syntax: show socket state Displaying SSL Statistics information Displaying SSL Statistics alert information Displaying SSL decoded client site status counters Syntax: show ssl statistics client Displaying SSL Statistics counters Syntax: show statistics counters Displaying SSL crypto engine status counters Syntax: show ssl statistics crypto Displaying TCP IP information Displaying SSL, TCP, and IP buffer information Displaying TCP, and IP chain length statistics Syntax: show tcp-ip chain-statistics Displaying TCP and IP statistics Syntax: show tcp-ip statistics Show SSL memory ASM SSL dump commands Syntax: asm dm ssldump asm dm ssldump Use the asm dm ssldump command on the BP to display all transmit and receive SSL packets. asm dm ssldump both asm dm ssldump client asm dm ssldump filter asm dm ssldump mode brief asm dm ssldump mode detail asm dm ssldump mode decrypt asm dm ssldump receive asm dm ssldump send asm dm ssldump server asm dm ssldump max