Infoblox Threat Protection Rules - Oracle

Threat Protection Rules

This document contains information about threat protection rules for the Infoblox Advanced DNS Protection solution. It lists rule IDs, rule names, descriptions, enable/disable conditions, parameters and corresponding default values for all auto and system rules. It also provides tuning information for specific rules so you can configure and better utilize these rules to protect your environment without sacrificing performance. For information about Advanced DNS Protection, see Infoblox Advanced DNS Protection on page 1333.

All rules are grouped by rule categories. System and auto rules are automatically updated during rule updates.

Note: Auto rules are always enabled, and you cannot disable them.

You can create custom rules using rule templates. For information about custom rule templates, refer to Custom Rule Templates on page 1524.

This document includes the following sections:

• Overview of Packet Flow on page 1498

  — Tuning Rule Parameters on page 1500

• DNS Cache Poisoning on page 1501

• DNS Message Type on page 1501

• General DDoS on page 1508

• Reconnaissance on page 1508

• DNS Malware on page 1509

• DNS Protocol Anomalies on page 1509

• Potential DDoS Related Domains on page 1510

• TCP/UDP Flood on page 1511

• DNS DDoS on page 1512

• DNS Tunneling on page 1513

• DNS Amplification and Reflection on page 1513

• NTP on page 1514

• BGP on page 1517

• OSPF on page 1518

• ICMP on page 1519

• Default Pass/Drop on page 1523

• HA Support on page 1524

• Custom Rule Templates on page 1524

NIOS 6.12 NIOS Administrator Guide (Rev. A) 1497


Overview of Packet Flow

Threat protection rules are designed to work together to provide maximum protection for your environment. This section describes how these rules are applied and how you can tune some of them to suit your system setup and network environment.

Threat protection rules are grouped by rule categories, and most of them have one or more associated rule parameters. Depending on the rule, you may or may not be able to override default values for the following rule parameters (if applicable):

• Packets per second: The rate limit, that is, the number of packets per second that the appliance processes before it performs a triggered action, such as sending warnings or blocking traffic.

• Drop interval: The time period (in seconds) for which the appliance blocks all traffic from the client, or traffic that matches a certain pattern, beyond the rate limit.

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables event logging for the rule. Most rules have this parameter, and the default value is 1.

• Packet size: DNS packet size. If the DNS packet size exceeds a certain value, the corresponding rule is triggered.

All incoming packets are filtered through enabled rules in the order listed in Table H.1. Rules are displayed in the same order in Grid Manager. For more information, see Viewing Threat Protection Rules on page 1352. You cannot change the filtering order of these rules. Incoming packets are screened by the first rule and proceed through subsequent rules until they reach the last rule on the list, provided that they are not dropped or passed by any rule in between, based on the matching conditions and rule criteria.

Depending on the rule, the following actions can be taken:

• Ratelimiting and pass (magenta): Based on the configured rate limit, these rules drop incoming packets if the packet rate hits the rate limit. Otherwise, the packets are passed.

• Ratelimiting (blue): Based on the configured rate limit, these rules drop incoming packets if they hit the rate limit. Otherwise, the packets are screened by subsequent rules for further actions.

• Drop (salmon): These rules drop any incoming packets that match specific conditions and rule criteria.

• Pass (green): These rules pass any incoming packets that match specific conditions and rule criteria.

Note: All rate limiting rules, including custom rules, operate on a per source IP basis.
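As an added illustration (not Infoblox code, and not the appliance's actual algorithm), the following Python model simulates the chain semantics described above: fixed rule order, the four action kinds, per-source-IP rate limiting with a Drop interval, Events per second throttling of rule events, and a final default drop. The one-second sliding window, the packet fields and the traffic are constructed assumptions, and the tiny Packets per second values are for illustration only.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Packet:
    src: str    # source IP; all rate limits are tracked per source IP
    proto: str  # "udp", "tcp" or "icmp"
    kind: str   # constructed classification, e.g. "dns_response", "dns_query"
    t: float    # arrival time in seconds


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str                   # "ratelimit_pass", "ratelimit", "drop" or "pass"
    pps: int = 0                  # Packets per second (rate-limiting rules only)
    drop_interval: float = 10.0   # seconds a source stays blocked after exceeding pps
    events_per_second: int = 1    # 0 disables event logging for this rule
    _window: dict = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: dict = field(default_factory=dict)
    _log_window: deque = field(default_factory=deque)
    events: list = field(default_factory=list)

    def _log(self, pkt: Packet, verdict: str) -> None:
        """Record at most events_per_second events in any one-second window."""
        if self.events_per_second == 0:
            return
        while self._log_window and pkt.t - self._log_window[0] >= 1.0:
            self._log_window.popleft()
        if len(self._log_window) < self.events_per_second:
            self._log_window.append(pkt.t)
            self.events.append((pkt.t, pkt.src, self.name, verdict))

    def over_limit(self, pkt: Packet) -> bool:
        """Per-source sliding one-second window (an assumption; the page does not
        give the counting algorithm). Exceeding pps blocks the source for
        drop_interval seconds; a blocked source is over the limit outright."""
        if self._blocked_until.get(pkt.src, -1.0) > pkt.t:
            return True
        window = self._window[pkt.src]
        while window and pkt.t - window[0] >= 1.0:
            window.popleft()
        window.append(pkt.t)
        if len(window) > self.pps:
            self._blocked_until[pkt.src] = pkt.t + self.drop_interval
            return True
        return False

    def evaluate(self, pkt: Packet) -> Optional[str]:
        """Return "pass" or "drop" to end the chain, or None to hand the packet on."""
        if not self.match(pkt):
            return None
        if self.action == "drop":
            self._log(pkt, "drop")
            return "drop"
        if self.action == "pass":
            return "pass"
        if self.over_limit(pkt):
            self._log(pkt, "drop")
            return "drop"
        # "ratelimit_pass" passes under the limit; "ratelimit" lets later rules decide
        return "pass" if self.action == "ratelimit_pass" else None


def run_chain(rules, packets):
    """Fixed-order evaluation; whatever no rule passes reaches the final
    Default Pass/Drop rule of Table H.1 and is dropped."""
    verdicts = []
    for pkt in packets:
        verdict = "drop"
        for rule in rules:
            result = rule.evaluate(pkt)
            if result is not None:
                verdict = result
                break
        verdicts.append(verdict)
    return verdicts


def build_rules():
    # Constructed miniature of the chain with deliberately tiny limits.
    return [
        Rule("EARLY PASS UDP response traffic",
             lambda p: p.proto == "udp" and p.kind == "dns_response",
             "ratelimit_pass", pps=3),
        Rule("High Rate inbound DNS Queries",
             lambda p: p.kind == "dns_query", "ratelimit", pps=2),
        Rule("DNS Query Types", lambda p: p.kind == "dns_query", "pass"),
    ]


def demo():
    rules = build_rules()
    traffic = [Packet("10.0.0.1", "udp", "dns_response", t) for t in (0.0, 0.1, 0.2, 0.3)]
    traffic += [Packet("10.0.0.1", "udp", "dns_response", 5.0),   # still inside Drop interval
                Packet("10.0.0.1", "udp", "dns_response", 11.0)]  # block expired, window empty
    traffic += [Packet("10.0.0.2", "udp", "dns_query", t) for t in (0.0, 0.5, 0.9)]
    traffic += [Packet("10.0.0.3", "icmp", "echo", 0.0)]          # matches no rule: default drop
    return run_chain(rules, traffic), [len(r.events) for r in rules]
```

The fourth response from 10.0.0.1 trips the limit and blocks the source for the Drop interval, so the packet at 5.0 s is dropped without ever reaching the window, while the one at 11.0 s passes again.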

Table H.1 Flow Order for Threat Protection Rules

Conditions (if any) | Rule Category | Rule Name | Action | Reference
--------------------|---------------|-----------|--------|----------
- | DNS Cache Poisoning | DNS responses | Ratelimiting and Pass | DNS Cache Poisoning
Configured with external DNS primaries | DNS Message Type | TXFR/AXFR responses | Ratelimiting and Pass | DNS Message Type
Allow DDNS updates | DNS Message Type | DNS Updates | Ratelimiting and Pass | DNS Message Type
- | General DDoS | General DDoS | Drop | General DDoS
- | Reconnaissance | Reconnaissance | Drop | Reconnaissance
- | DNS Malware | DNS Malware | Drop | DNS Malware
- | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies
- | User-defined Whitelist UDP Packets | User-defined Whitelist UDP Packets | Pass | Custom Rule Templates
- | User-defined Whitelist TCP Packets | User-defined Whitelist TCP Packets | Pass | Custom Rule Templates
- | User-defined Blacklist UDP Packets | User-defined Blacklist UDP Packets | Drop | Custom Rule Templates
- | User-defined Blacklist TCP Packets | User-defined Blacklist TCP Packets | Drop | Custom Rule Templates
- | User-defined ratelimiting IP and Network UDP Packets | User-defined ratelimiting IP and Network UDP Packets | Ratelimiting | Custom Rule Templates
- | User-defined ratelimiting IP and Network TCP Packets | User-defined ratelimiting IP and Network TCP Packets | Ratelimiting | Custom Rule Templates
- | User-defined ratelimiting FQDN | User-defined ratelimiting FQDN | Ratelimiting | Custom Rule Templates
- | User-defined Blacklist FQDN | User-defined Blacklist FQDN | Drop | Custom Rule Templates
- | Potential DDoS related domains | Potential DDoS related domains | Drop | Potential DDoS Related Domains
- | TCP/UDP Floods | High Rate inbound DNS Queries | Ratelimiting | TCP/UDP Flood
- | DNS DDoS | NXDomain/NXRRset/ServFail DNS Response | Ratelimiting | DNS DDoS
- | DNS Tunneling | DNS Tunneling | Ratelimiting | DNS Tunneling
- | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies
Incoming zone transfer is allowed | DNS Message Type | DNS IXFR/AXFR Requests | Ratelimiting and Pass | DNS Message Type
Incoming zone transfer is allowed | DNS Message Type | Invalid DNS IXFR Queries | Drop | DNS Message Type
Incoming zone transfer is not allowed | DNS Message Type | DNS AXFR/IXFR Requests | Drop | DNS Message Type
- | DNS Malware | DNS Malware | Drop | DNS Malware
- | DNS Amplification and Reflection | DNS Amplification and Reflection | Ratelimiting | DNS Amplification and Reflection
- | DNS Message Type | DNS Query Types | Drop/Pass depending on the configured action | DNS Message Type
NTP client is enabled | NTP | NTP Server Responses | Ratelimiting and Pass | NTP
NTP client is disabled | NTP | NTP Client Requests | Drop | NTP
NTP server is enabled | NTP | NTP Vulnerability Rules | Ratelimiting | NTP
NTP server is enabled | NTP | NTP Ratelimiting Rules based on NTP ACL Data | Ratelimiting and Pass | NTP
NTP server is disabled | NTP | Invalid NTP Packets | Drop | NTP
BGP is enabled | BGP | Invalid BGP Packets | Drop | BGP
BGP is enabled | BGP | BGP Packets | Ratelimiting and Pass | BGP
BGP is disabled | BGP | BGP Packets | Drop | BGP
- | ICMP | ICMP Pings | Ratelimiting and Pass | ICMP
OSPF is enabled | OSPF | OSPF Packets | Ratelimiting and Pass | OSPF
OSPF is disabled | OSPF | OSPF Packets | Drop | OSPF
- | ICMP | ICMPv6 Pings | Ratelimiting and Pass | ICMP
- | Default Pass/Drop | Unexpected DNS Packets | Drop | Default Pass/Drop
- | Default Pass/Drop | TCP/UDP/ICMP Packets | Drop | Default Pass/Drop
- | HA Support | HA Communication Packets | Pass | HA Support
- | Default Pass/Drop | Unexpected Packets | Drop | Default Pass/Drop


Tuning Rule Parameters

All threat protection rules contain rule parameters that you may or may not be able to configure. Rule parameters are predefined with default values that generally suit most network environments. However, there are times when special setups or configurations in your environment require special attention. In these cases, you may need to change some of the rule parameters to obtain optimal protection without sacrificing system performance.

Table H.2 lists specific conditions and the corresponding rules that may require tuning when they are enabled. You can view tuning suggestions in the Comments column for each of the following conditions:

Table H.2 Tunable Rules

Conditions | Rule(s) that Require Tuning | Reference
-----------|-----------------------------|----------
Your appliance is configured as an authoritative DNS server. | Rule 100000100 in the DNS Cache Poisoning category | DNS Cache Poisoning Rules
Your DNS server is configured as the secondary server with external primaries, and it serves a large number of zones. | Rules 100100100 to 100100201 in the DNS Message Type category | DNS Message Type Rules
You have enabled TCP/UDP Flood system rules, and your network environment consists of the following: NATd environments, static forwarders, or VPN concentrators. | All rules in the TCP/UDP Flood category | TCP/UDP Flood Rules
You have enabled DNS DDoS system rules, and your network environment consists of the following: NATd environments, static forwarders, or VPN concentrators. | Rules 200000001 to 200000003 in the DNS DDoS category | DNS DDoS Rules
You have enabled DNS Tunneling system rules, and your network environment consists of the following: NATd environments, static forwarders, and VPN concentrators. | All rules in the DNS Tunneling category | Anti DNS Tunneling Rules
Your DNS server is configured to allow incoming IPv4 and IPv6 zone transfer requests, and it serves a large number of zones. | Rules 130100100 to 130100401 in the DNS Message Type category | DNS Message Type Rules
You have enabled DNS Amplification and Reflection system rules. | All rules in the DNS Amplification and Reflection category | DNS Amplification and Reflection Rules


DNS Cache Poisoning


DNS cache poisoning involves inserting a false address record for an Internet domain into a DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails will go to the attacker’s address. Cache poisoning attacks, such as the “birthday paradox,” use brute force, flooding DNS responses and queries at the same time, hoping to get a match on one of the responses and poison the cache.

The following table lists auto rules that Advanced DNS Protection uses to mitigate DNS cache poisoning on your advanced appliance.

Table H.3 DNS Cache Poisoning Rules

Columns: Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

Rule ID: 100000100
Rule Type: Auto
Rule Name: EARLY PASS UDP response traffic
Description: This rule passes UDP DNS response packets (from upstream DNS servers or external DNS primaries) if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Always enabled.
Parameters: Packets per second (default = 30000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a smaller number if your system is serving authoritative DNS. NOTE: If you set the parameter incorrectly, the rule could block legitimate DNS responses from upstream DNS servers, which could cause the DNS server to exceed its quota.

Rule ID: 100000200
Rule Type: Auto
Rule Name: EARLY PASS TCP response traffic
Description: This rule passes TCP DNS responses initiated by the appliance.
Enable/Disable Condition: Always enabled.
Parameters: Packets per second (default = 100)
Comments: Consider raising the Packets per second value if DNSSEC is enabled.

Rule ID: 100000300
Rule Type: Auto
Rule Name: PASS ACK packets from NIOS initiated connections
Description: This rule passes TCP ACK packets for DNS or BGP from NIOS initiated connections if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Always enabled.
Parameters: Packets per second (default = 600); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider raising the Packets per second value if DNSSEC is enabled.

DNS Message Type

The following table lists the system and auto rules that are used to mitigate DNS message type attacks on your advanced appliance.

All rules for DNS record types are system rules. By default, they are configured as Pass rules. You can override this and change the rule action to Drop. Note that when you do that, the appliance drops all DNS packets that contain the requested record type.

Table H.4 DNS Message Type Rules

Columns: Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments


Rule ID: 100100100
Rule Type: Auto
Rule Name: EARLY PASS IPv4 UDP Notify messages
Description: This rule passes IPv4 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.


Rule ID: 100100101
Rule Type: Auto
Rule Name: EARLY PASS IPv6 UDP Notify messages
Description: This rule passes IPv6 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

Rule ID: 100100200
Rule Type: Auto
Rule Name: EARLY PASS IPv4 TCP Notify messages
Description: This rule passes IPv4 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

Rule ID: 100100201
Rule Type: Auto
Rule Name: EARLY PASS IPv6 TCP Notify messages
Description: This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

Rule ID: 100100300
Rule Type: Auto
Rule Name: EARLY PASS IPv4 UDP Notify messages for DDNS update
Description: This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if DDNS update is enabled for IPv4 clients.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

Rule ID: 100100350
Rule Type: Auto
Rule Name: EARLY PASS IPv6 UDP Notify messages for DDNS update
Description: This rule passes IPv6 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if DDNS update is enabled for IPv6 clients.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

Rule ID: 130100100
Rule Type: Auto
Rule Name: RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests
Description: This rule passes IPv4 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule ID: 130100101
Rule Type: Auto
Rule Name: RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests
Description: This rule passes IPv6 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule ID: 130100200
Rule Type: Auto
Rule Name: RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests
Description: This rule passes IPv4 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.


Rule ID: 130100201
Rule Type: Auto
Rule Name: RATELIMIT PASS IPv6 TCP DNS AXFR zone transfer requests
Description: This rule passes IPv6 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule ID: 130100300
Rule Type: Auto
Rule Name: RATELIMIT PASS IPv4 UDP DNS IXFR zone Transfer requests
Description: This rule passes IPv4 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule ID: 130100301
Rule Type: Auto
Rule Name: RATELIMIT PASS IPv6 UDP DNS IXFR zone Transfer requests
Description: This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule ID: 130100400
Rule Type: Auto
Rule Name: RATELIMIT PASS IPv4 TCP DNS IXFR zone Transfer requests
Description: This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule ID: 130100401
Rule Type: Auto
Rule Name: RATELIMIT PASS IPv6 TCP DNS IXFR zone Transfer requests
Description: This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule ID: 130200100
Rule Type: Auto
Rule Name: DROP UDP DNS AXFR zone transfer requests
Description: This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
Enable/Disable Condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests.
Parameters: Events per second (default = 1)

Rule ID: 130200200
Rule Type: Auto
Rule Name: DROP TCP DNS AXFR zone transfer requests
Description: This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
Enable/Disable Condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests.
Parameters: Events per second (default = 1)

Rule ID: 130200300
Rule Type: Auto
Rule Name: DROP UDP DNS IXFR zone Transfer requests
Description: This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
Enable/Disable Condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests.
Parameters: Events per second (default = 1)

Rule ID: 130200400
Rule Type: Auto
Rule Name: DROP TCP DNS IXFR zone Transfer requests
Description: This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
Enable/Disable Condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests.
Parameters: Events per second (default = 1)


Rule ID: 130500100
Rule Type: System
Rule Name: DNS A record
Description: You can configure this rule to pass or drop UDP packets that contain A record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130500200
Rule Type: System
Rule Name: DNS AAAA record
Description: You can configure this rule to pass or drop UDP packets that contain AAAA record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130500300
Rule Type: System
Rule Name: DNS CNAME record
Description: You can configure this rule to pass or drop UDP packets that contain CNAME record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130500400
Rule Type: System
Rule Name: DNS DS record
Description: You can configure this rule to pass or drop UDP packets that contain DS record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130500500
Rule Type: System
Rule Name: DNS PTR record
Description: You can configure this rule to pass or drop UDP packets that contain PTR record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130500600
Rule Type: System
Rule Name: DNS NS record
Description: You can configure this rule to pass or drop UDP packets that contain NS record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130500700
Rule Type: System
Rule Name: DNS NSEC record
Description: You can configure this rule to pass or drop UDP packets that contain NSEC record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130500800
Rule Type: System
Rule Name: DNS NSEC3 record
Description: You can configure this rule to pass or drop UDP packets that contain NSEC3 record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130500900
Rule Type: System
Rule Name: DNS NSEC3PARAM record
Description: You can configure this rule to pass or drop UDP packets that contain NSEC3PARAM record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130501000
Rule Type: System
Rule Name: DNS MX record
Description: You can configure this rule to pass or drop UDP packets that contain MX record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130501100
Rule Type: System
Rule Name: DNS SRV record
Description: You can configure this rule to pass or drop UDP packets that contain SRV record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130501200
Rule Type: System
Rule Name: DNS TXT record
Description: You can configure this rule to pass or drop UDP packets that contain TXT record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130501300
Rule Type: System
Rule Name: DNS DNAME record
Description: You can configure this rule to pass or drop UDP packets that contain DNAME record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130501400
Rule Type: System
Rule Name: DNS RRSIG record
Description: You can configure this rule to pass or drop UDP packets that contain RRSIG record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID: 130501500
Rule Type: System
Rule Name: DNS NAPTR record
Description: You can configure this rule to pass or drop UDP packets that contain NAPTR record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)


130501600 System DNS DNSKEY record

You can configure this rule to pass or drop UDP packets that contain DNSKEY record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130501700 System DNS SPF record

You can configure this rule to pass or drop UDP packets that contain SPF record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130501800 System DNS DHCID record

You can configure this rule to pass or drop UDP packets that contain DHCID record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130501900 System DNS SOA record

You can configure this rule to pass or drop UDP packets that contain SOA record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130502000 System DNS SIG record

You can configure this rule to pass or drop UDP packets that contain SIG record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130502100 System DNS LOC record

You can configure this rule to pass or drop UDP packets that contain LOC record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130502200 System DNS SSHFP record

You can configure this rule to pass or drop UDP packets that contain SSHFP record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130502300 System DNS IPSECKEY record

You can configure this rule to pass or drop UDP packets that contain IPSECKEY record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130502400 System DNS TKEY record

You can configure this rule to pass or drop UDP packets that contain TKEY record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130502500 System DNS TSIG record

You can configure this rule to pass or drop UDP packets that contain TSIG record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130502600 System DNS TA record

You can configure this rule to pass or drop UDP packets that contain TA record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130502700 System DNS DLV record

You can configure this rule to pass or drop UDP packets that contain DLV record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130502800 System DNS ANY record

You can configure this rule to pass or drop UDP packets that contain ANY record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130502900 System DNS A record TCP

You can configure this rule to pass or drop TCP packets that contain A record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130503000 System DNS AAAA record TCP

You can configure this rule to pass or drop TCP packets that contain AAAA record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments


130503100 System DNS CNAME record TCP

You can configure this rule to pass or drop TCP packets that contain CNAME record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130503200 System DNS DS record TCP

You can configure this rule to pass or drop TCP packets that contain DS record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130503300 System DNS PTR record TCP

You can configure this rule to pass or drop TCP packets that contain PTR record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130503400 System DNS NS record TCP

You can configure this rule to pass or drop TCP packets that contain NS record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130503500 System DNS NSEC record TCP

You can configure this rule to pass or drop TCP packets that contain NSEC record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130503600 System DNS NSEC3 record TCP

You can configure this rule to pass or drop TCP packets that contain NSEC3 record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130503700 System DNS NSEC3PARAM record TCP

You can configure this rule to pass or drop TCP packets that contain NSEC3PARAM record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130503800 System DNS MX record TCP

You can configure this rule to pass or drop TCP packets that contain MX record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130503900 System DNS SRV record TCP

You can configure this rule to pass or drop TCP packets that contain SRV record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130504000 System DNS TXT record TCP

You can configure this rule to pass or drop TCP packets that contain TXT record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130504100 System DNS DNAME record TCP

You can configure this rule to pass or drop TCP packets that contain DNAME record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130504200 System DNS RRSIG record TCP

You can configure this rule to pass or drop TCP packets that contain RRSIG record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130504300 System DNS NAPTR record TCP

You can configure this rule to pass or drop TCP packets that contain NAPTR record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130504400 System DNS DNSKEY record TCP

You can configure this rule to pass or drop TCP packets that contain DNSKEY record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130504500 System DNS SPF record TCP

You can configure this rule to pass or drop TCP packets that contain SPF record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments


130504600 System DNS DHCID record TCP

You can configure this rule to pass or drop TCP packets that contain DHCID record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130504700 System DNS SOA record TCP

You can configure this rule to pass or drop TCP packets that contain SOA record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130504800 System DNS SIG record TCP

You can configure this rule to pass or drop TCP packets that contain SIG record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130504900 System DNS LOC record TCP

You can configure this rule to pass or drop TCP packets that contain LOC record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130505000 System DNS SSHFP record TCP

You can configure this rule to pass or drop TCP packets that contain SSHFP record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130505100 System DNS IPSECKEY record TCP

You can configure this rule to pass or drop TCP packets that contain IPSECKEY record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130505200 System DNS TKEY record TCP

You can configure this rule to pass or drop TCP packets that contain TKEY record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130505300 System DNS TSIG record TCP

You can configure this rule to pass or drop TCP packets that contain TSIG record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130505400 System DNS TA record TCP

You can configure this rule to pass or drop TCP packets that contain TA record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130505500 System DNS DLV record TCP

You can configure this rule to pass or drop TCP packets that contain DLV record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

130505600 System DNS ANY record TCP

You can configure this rule to pass or drop TCP packets that contain ANY record requests. The default Action = Pass.

Enabled by default.

Action (default = Pass)

Events per second (default = 1)

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments


General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H.5 General DDoS Rules

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting a value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.

Table H.6 Reconnaissance Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

110000100 Auto EARLY DROP DoS packets with same source and destination IP

This rule drops any IP packets that contain the same source and destination IP address.

Always enabled. Events per second (default = 1)

110000200 Auto EARLY DROP DoS UDP packets with same source and destination IP

This rule drops UDP packets that contain the same source and destination IP address.

Always enabled. Events per second (default = 1)

110000300 Auto EARLY DROP DoS TCP packets with same source and destination IP

This rule drops TCP packets that contain the same source and destination IP address.

Always enabled. Events per second (default = 1)

130400300 Auto DROP IPv6 loopback address spoofing

This rule blocks any IP packets that attempt to forge the IPv6 loopback address.

Always enabled. Events per second (default = 1)

130400400 Auto DROP IPv6 loopback address spoofing

This rule blocks any IP packets that attempt to forge the IPv6 loopback address.

Always enabled. Events per second (default = 1)

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments

110100100 Auto EARLY DROP DNS named author attempts

This rule drops UDP DNS packets that contain attempts to find AUTHOR information.

Always enabled.

Events per second (default = 1)

110100200 Auto EARLY DROP DNS named version attempts

This rule drops UDP DNS packets that contain attempts to find VERSION information.

Always enabled.

Events per second (default = 1)


DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H.7 DNS Malware Rules

DNS Protocol Anomalies

DNS protocol anomaly attacks send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, or leaves server threads in an infinite loop. These anomalies sometimes take the form of impersonation attacks.

The following table lists the rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H.8 DNS Protocol Anomalies Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments

110100300 Auto EARLY DROP UDP MALWARE backdoor

This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOB.EVL, which poses as an installer of Facebook Messenger. This malware may be spread as a malicious attachment in email messages.

Always enabled. Events per second (default = 1)

130300300 Auto DROP MALWARE trojan downloader

This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare.

Always enabled. Events per second (default = 1)

130300400 Auto DROP MALWARE possible Hiloti

This rule drops UDP packets that contain the Hiloti trojan, a malicious program that may download potentially malicious files from a remote server and report system information back to the server.

Always enabled. Events per second (default = 1)

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments

110100400 Auto EARLY DROP UDP DNS question name too long

This rule drops UDP DNS packets when the DNS Question Name is too long.

Always enabled. Events per second (default = 1)

110100500 Auto EARLY DROP UDP DNS label too long

This rule drops UDP DNS packets when the DNS Label in the name being queried is too long.

Always enabled. Events per second (default = 1)


Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names that can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.

110100600 Auto EARLY DROP UDP query invalid question count

This rule drops UDP DNS packets when the number of entries in the question section is invalid.

Always enabled. Events per second (default = 1)

110100700 Auto EARLY DROP UDP query invalid question class

This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid.

Always enabled. Events per second (default = 1)

110100800 Auto EARLY DROP UDP query invalid question string

This rule drops UDP DNS packets that contain an invalid question string.

Always enabled. Events per second (default = 1)

110100850 Auto EARLY UDP drop invalid DNS query with Authority

This rule drops UDP DNS queries that contain an invalid AUTHORITY entry.

Always enabled. Events per second (default = 1)

110100900 Auto EARLY DROP query multiple questions or non query operation code

This rule drops UDP DNS packets that contain multiple questions at one time or whose operation code is not Query.

Always enabled. Events per second (default = 1)

130000700 Auto EARLY DROP TCP non-DNS query

This rule drops TCP packets whose operation code is not Query.

Always enabled. Events per second (default = 1)

130000800 Auto EARLY DROP TCP query multiple questions

This rule drops TCP DNS packets when there are multiple questions being queried at one time.

Always enabled. Events per second (default = 1)

130100500 Auto DROP UDP DNS invalid IXFR query with zero or more than one Authority

This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries.

Always enabled. Events per second (default = 1)

130100600 Auto DROP TCP DNS invalid IXFR query with zero or more than one Authority

This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries.

Always enabled. Events per second (default = 1)

130300200 Auto DROP TCP invalid DNS query with Authority

This rule drops TCP DNS queries that contain invalid Authority entries.

Always enabled. Events per second (default = 1)

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments


TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H.9 TCP/UDP Flood Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments

130000100 System WARN about high rate inbound UDP DNS queries

This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.

Disabled by default

Packets per second (default = 40)

Events per second (default = 1)

Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered.

NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.

130000200 System WARN & BLOCK high rate inbound UDP DNS queries

This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval.

Disabled by default

Packets per second (default = 1000)

Drop interval

(default = 5 seconds)

Events per second (default = 1)

Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.

This rule may be triggered if its Packets per second value is lower than that of the custom rules created using the rate limiting templates.

NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.

130000300 System WARN about high rate inbound TCP DNS queries

This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.

Disabled by default

Packets per second (default = 5)

Events per second (default = 1)

Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered.

NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.

130000400 System WARN & BLOCK high rate inbound TCP DNS queries

This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval.

Disabled by default

Packets per second (default = 1000)

Drop interval (default = 10 seconds)

Events per second (default = 1)

Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.

This rule may be triggered if its Packets per second value is lower than that of the custom rules created using the rate limiting templates.

NOTE: DO NOT enable this rule along with rule 130000300.


DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H.10 DNS DDoS Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

200000001 System NXDOMAIN rate limiting rule

This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.

Enabled by default

Packets per second (default = 1000)

Drop interval

(default = 5 seconds)

Events per second (default = 1)

Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.

200000002 System NXRRSET rate limiting rule

This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.

Enabled by default

Packets per second (default = 1000)

Drop interval

(default = 5 seconds)

Events per second (default = 1)

Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.

NOTE: NXRRSET responses include NO records, NO answers, and NO errors.

200000003 System SERVFAIL rate limiting rule

This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.

Enabled by default

Packets per second (default = 1000)

Drop interval (default = 5 seconds)

Events per second (default = 1)

Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.


DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance.

Table H.11 Anti DNS Tunneling Rules

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification relies on UDP being an asymmetrical protocol (small requests, large responses) and on the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Crafted a specific way, a small query sent to any open DNS resolver can result in a single response containing several kilobytes or more, which is sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient’s interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130000500 System RATELIMIT UDP high rate inbound large DNS queries (anti tunneling)

This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the time in Drop interval.

This rule is triggered when the DNS Packet size exceeds the configured value.

Disabled by default

Packets per second (default = 100)

Drop interval (default = 5 seconds)

Events per second (default = 1)

Packet size

(default = 200)

Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.

130000600 Auto RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)

This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval.

This rule is triggered when the DNS Packet size exceeds the configured value.

Disabled by default

Packets per second (default = 100)

Drop interval

(default = 5 seconds)

Events per second (default = 1)

Packet size

(default = 200)

Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.

200000004 System DNS tunneling rate limiting rule

This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval.

This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size.

Enabled by default

Packets per second (default = 1000)

Drop interval

(default = 5 seconds)

Events per second (default = 1)

Packet size

(default = 40)

Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
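The warn-then-block behaviour shared by the TCP/UDP flood rules (130000100/130000200), the DNS DDoS response-code rules (200000001 to 200000003) and the anti-tunneling rules above can be modelled in a few dozen lines. The following is a constructed Python illustration, not Infoblox code; it assumes a per-source sliding one-second window for counting (the appliance's actual counting method is not documented here), warns when the rate reaches the Packets per second value, blocks the source for Drop interval once the rate exceeds it, and uses a match filter to restrict which packets a rule counts (Packet size for the anti-tunneling rules, response code for the DNS DDoS rules).

```python
"""Constructed model of the per-source warn/block rate limits in this section.

Added illustration, not Infoblox code.  Assumptions: matching packets are
counted per source IP over a sliding one-second window, a rate that reaches
Packets per second WARNs, and a rate that exceeds it DROPs every packet from
that source for Drop interval seconds.  Timestamps must be non-decreasing.
"""
from collections import defaultdict, deque
from typing import Callable, Dict, List


class Packet:
    """A DNS query as seen by the rule engine (constructed fields)."""

    def __init__(self, ts: float, src: str, size: int = 60, rcode: str = "NOERROR"):
        self.ts = ts          # arrival time in seconds
        self.src = src        # source IP address
        self.size = size      # DNS payload size in bytes
        self.rcode = rcode    # response code the query triggered


class RateRule:
    """One rate-limit rule: Packets per second, Drop interval, match filter."""

    def __init__(self, rule_id: int, pps: int, drop_interval: float = 0.0,
                 matches: Callable[[Packet], bool] = lambda p: True):
        self.rule_id = rule_id
        self.pps = pps                      # Packets per second threshold
        self.drop_interval = drop_interval  # 0.0 models a warn-only rule
        self.matches = matches              # which packets this rule counts
        self._window: Dict[str, deque] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def observe(self, p: Packet) -> str:
        """Return PASS, WARN or DROP for packet p under this rule."""
        until = self._blocked_until.get(p.src)
        if until is not None and p.ts < until:
            return "DROP"          # source is still inside its Drop interval
        if not self.matches(p):
            return "PASS"          # e.g. a small query for an anti-tunneling rule
        win = self._window[p.src]
        win.append(p.ts)
        while win[0] <= p.ts - 1.0:
            win.popleft()          # keep only the last second of arrivals
        rate = len(win)
        if rate > self.pps and self.drop_interval > 0:
            self._blocked_until[p.src] = p.ts + self.drop_interval
            win.clear()
            return "DROP"
        if rate >= self.pps:
            return "WARN"
        return "PASS"


def evaluate(rules: List[RateRule], p: Packet) -> str:
    """Run p through every rule; DROP beats WARN beats PASS."""
    verdicts = {r.observe(p) for r in rules}
    for v in ("DROP", "WARN", "PASS"):
        if v in verdicts:
            return v
    return "PASS"


def udp_flood_scenario() -> Dict[str, int]:
    """Rules 130000100 (warn at 40 pps) and 130000200 (block above 1000 pps,
    Drop interval 5 s) against one source sending 1200 queries in one second."""
    rules = [RateRule(130000100, pps=40),
             RateRule(130000200, pps=1000, drop_interval=5.0)]
    counts = {"PASS": 0, "WARN": 0, "DROP": 0}
    for i in range(1200):
        counts[evaluate(rules, Packet(ts=i / 1200, src="192.0.2.10"))] += 1
    return counts   # {'PASS': 39, 'WARN': 961, 'DROP': 200}


def anti_tunneling_scenario() -> List[str]:
    """Rule 130000500 (100 pps, Drop interval 5 s, counts only packets larger
    than Packet size 200): 120 large queries in 0.6 s, then 5 small queries
    while the source is blocked, then one small query after the block expires."""
    rule = RateRule(130000500, pps=100, drop_interval=5.0,
                    matches=lambda p: p.size > 200)
    src = "198.51.100.7"
    packets = [Packet(ts=i * 0.005, src=src, size=300) for i in range(120)]
    packets += [Packet(ts=1.0 + i * 0.01, src=src) for i in range(5)]
    packets.append(Packet(ts=7.0, src=src))
    return [evaluate([rule], p) for p in packets]
```

The NXDOMAIN rule (200000001) is the same model with `pps=1000`, `drop_interval=5.0` and `matches=lambda p: p.rcode == "NXDOMAIN"`; note that once a source is blocked, every packet from it is dropped, not only those that matched.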


use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse, even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H.12 DNS Amplification and Reflection Rules

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following: NTP requests and responses, NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and “ANY” ACLs.

Table H.13 NTP Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130400100 Auto WARN & DROP DoS DNS possible reflection/amplification attack attempts

This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is “ANY.”

Enabled by default

Packets per second (default = 5)

Drop interval (default = 5 seconds)

Events per second (default = 1)

Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders, and VPN concentrators.

130400500 System RATELIMIT PASS UDP DNS root requests with additional RRs

This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.

Disabled by default

Packets per second (default = 500)

Drop interval (default = 5 seconds)

Events per second (default = 1)

130400600 System RATELIMIT PASS UDP DNS root requests

This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.

Disabled by default

Packets per second (default = 500)

Drop interval (default = 5 seconds)

Events per second (default = 1)

Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130600100 Auto RATELIMIT PASS NTP TIME responses

When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.

Enabled when the NTP client is enabled.

Packets per second (default = 10)

Drop interval (default = 15 seconds)

Events per second (default = 1)

130600120 Auto DROP NTP TIME responses

This rule drops all UDP NTP TIME responses when the NTP client is disabled.

Enabled when the NTP client is disabled.

Events per second (default = 1)


200001001 Auto DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02

When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.

Enabled when NTP service is enabled on this member.

Events per second (default = 1)

200001005 Auto DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03

When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.

Enabled when NTP service is enabled on this member.

Events per second (default = 1)

200001010 Auto DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02

When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.

Enabled when NTP service is enabled on this member.

Events per second (default = 1)

200001015 Auto DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03

When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.

Enabled when NTP service is enabled on this member.

Events per second (default = 1)

200001020 Auto DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02

When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.

Enabled when NTP service is enabled on this member.

Events per second (default = 1)

200001025 Auto DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03

When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.

Enabled when NTP service is enabled on this member.

Events per second (default = 1)

200001050 Auto RATELIMIT PASS NTPQ IPv4 requests

This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.

Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is disabled.

Packets per second (default = 10)

Drop interval (default = 60 seconds)

Events per second (default = 1)


200001055 Auto RATELIMIT PASS NTP TIME IPv4 requests

This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.

Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is enabled.

Packets per second (default = 10)

Drop interval (default = 60 seconds)

Events per second (default = 1)

200001060 Auto RATELIMIT PASS NTP private mode IPv4 requests

This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.

Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is disabled.

Packets per second (default = 10)

Drop interval (default = 60 seconds)

Events per second (default = 1)

200001065 Auto RATELIMIT PASS NTPQ IPv6 requests

This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.

Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is disabled.

Packets per second (default = 10)

Drop interval (default = 60 seconds)

Events per second (default = 1)

200001070 Auto RATELIMIT PASS NTP TIME IPv6 requests

This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.

Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is enabled.

Packets per second (default = 10)

Drop interval (default = 60 seconds)

Events per second (default = 1)

200001075 Auto RATELIMIT PASS NTP private mode IPv6 requests

This rule passes UDP NTP private mode 7 requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.

Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is disabled.

Packets per second (default = 10)

Drop interval (default = 60 seconds)

Events per second (default = 1)

200001100 Auto DROP NTPQ requests unexpected

When NTP service is disabled, this rule drops all UDP NTPQ requests.

Enabled when NTP service is disabled on this member.

Events per second (default=1)

200001105 Auto DROP NTP TIME requests unexpected

When NTP service is disabled, this rule drops all UDP NTP TIME requests.

Enabled when NTP service is disabled on this member.

Events per second (default=1)

200001110 Auto DROP NTP private mode requests unexpected

When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.

Enabled when NTP service is disabled on this member.

Events per second (default=1)

200001115 Auto DROP invalid NTP requests

When NTP service is disabled, this rule drops all invalid UDP NTP requests.

Enabled when NTP service is disabled on this member.

Events per second (default=1)
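The NTP rules above distinguish TIME packets (client/server modes), NTPQ control packets (mode 6), private mode 7 requests (the ntpdc protocol), and invalid NTP, and rules 200001001 to 200001025 name specific unauthenticated mode 7 requests (PEER_LIST, PEER_LIST_SUM, GET_RESTRICT) for implementation numbers 0x02 and 0x03. The following added Python example classifies raw datagrams along those lines. It is not Infoblox code: the header layouts come from RFC 5905, RFC 1305 and ntp_request.h of the reference implementation, the sample datagrams are constructed, and how the appliance itself decodes packets is not published here.

```python
"""Classify raw NTP datagrams into the categories the NTP rules above name:
TIME (modes 3/4), NTPQ (mode 6 control), private mode 7 (ntpdc), or invalid,
and for unauthenticated mode 7 requests name the 200001001-200001025 pattern.

Added example; not Infoblox code. The mode 7 layout and the implementation and
request-code numbers are from ntp_request.h of the reference implementation.
Sample datagrams below are constructed, not captured.
"""
from typing import Dict, Optional

# Mode 7 implementation numbers (ntp_request.h)
IMPL_NAMES = {0x00: "UNIV", 0x02: "XNTPD_OLD", 0x03: "XNTPD"}
# Mode 7 request codes (ntp_request.h); only the ones this example needs
REQ_NAMES = {0: "PEER_LIST", 1: "PEER_LIST_SUM", 2: "PEER_INFO", 4: "SYS_INFO",
             16: "GET_RESTRICT", 20: "MON_GETLIST", 42: "MON_GETLIST_1"}
# (implementation, request) pairs named by rules 200001001 to 200001025
DDOS_RULE_PATTERNS = {(impl, req) for impl in (0x02, 0x03)
                      for req in ("GET_RESTRICT", "PEER_LIST_SUM", "PEER_LIST")}


def classify_ntp(pkt: bytes) -> Dict[str, object]:
    """Decode enough of an NTP datagram to say what kind of packet it is."""
    if len(pkt) < 4:
        return {"kind": "invalid", "reason": "shorter than any NTP header"}
    mode = pkt[0] & 0x07                # low 3 bits are the mode in every NTP format
    version = (pkt[0] >> 3) & 0x07
    if 1 <= mode <= 5:                  # RFC 5905 time packets: 48-byte fixed header
        if len(pkt) < 48:
            return {"kind": "invalid", "reason": "time packet shorter than 48 bytes"}
        kind = {3: "TIME request", 4: "TIME response"}.get(mode, f"TIME mode {mode}")
        return {"kind": kind, "version": version}
    if mode == 6:                       # RFC 1305 control messages (ntpq): 12-byte header
        if len(pkt) < 12:
            return {"kind": "invalid", "reason": "control packet shorter than 12 bytes"}
        response = bool(pkt[1] & 0x80)  # R bit
        opcode = pkt[1] & 0x1F
        return {"kind": "NTPQ response" if response else "NTPQ request",
                "version": version, "opcode": opcode}
    if mode == 7:                       # private mode (ntpdc): 8-byte header
        if len(pkt) < 8:
            return {"kind": "invalid", "reason": "mode 7 packet shorter than 8 bytes"}
        response = bool(pkt[0] & 0x80)  # R bit sits where LI's top bit would be
        authenticated = bool(pkt[1] & 0x80)
        impl, req = pkt[2], pkt[3]
        return {"kind": "private mode 7 response" if response else "private mode 7 request",
                "version": version, "impl": impl,
                "impl_name": IMPL_NAMES.get(impl, f"0x{impl:02x}"),
                "request": REQ_NAMES.get(req, f"code {req}"),
                "authenticated": authenticated}
    return {"kind": "invalid", "reason": f"mode {mode} is reserved"}


def ntp_ddos_rule_match(info: Dict[str, object]) -> Optional[str]:
    """Return the 'Un-Authed ... IMPL 0x0N' pattern this packet falls under, or None."""
    if info.get("kind") != "private mode 7 request" or info.get("authenticated"):
        return None
    if (info["impl"], info["request"]) in DDOS_RULE_PATTERNS:
        return f"Un-Authed {info['request']} Requests IMPL 0x{info['impl']:02x}"
    return None


# Constructed datagrams. Byte 0 packs LI(or R/M):2 VN:3 mode:3, so 0x23 = v4 client,
# 0x24 = v4 server, 0x16 = v2 control, 0x17 = v2 private.
SAMPLES = {
    "time_request_v4":    bytes([0x23]) + bytes(47),
    "time_response_v4":   bytes([0x24]) + bytes(47),
    "ntpq_readstat":      bytes([0x16, 0x01]) + bytes(10),              # opcode 1 = READSTAT
    "ntpdc_get_restrict": bytes([0x17, 0x00, 0x03, 0x10, 0, 0, 0, 0]),  # IMPL 0x03, REQ 16
    "ntpdc_peer_list_old": bytes([0x17, 0x00, 0x02, 0x00, 0, 0, 0, 0]), # IMPL 0x02, REQ 0
    "ntpdc_monlist":      bytes([0x17, 0x00, 0x03, 0x2A, 0, 0, 0, 0]),  # IMPL 0x03, REQ 42
    "ntpdc_authed":       bytes([0x17, 0x80, 0x03, 0x10, 0, 0, 0, 0]),  # auth bit set
    "runt":               bytes([0x23, 0x00]),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        info = classify_ntp(pkt)
        print(f"{name:20s} {info['kind']:28s} rule={ntp_ddos_rule_match(info)}")
```

The mode 7 requests these rules single out are attractive for reflection because an 8-byte unauthenticated request can produce a multi-packet reply listing peers or restriction entries. The classifier also labels MON_GETLIST_1 (the request behind the well-known monlist amplification) so you can see it is a different request code from the three the rule names above cover; whether the appliance handles it under another rule is not stated on this page.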


BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H.14 BGP Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130700100 AUTO DROP BGP header length shorter than spec

When BGP is enabled, this rule drops TCP BGP packets that contain message header length that is shorter than the RFC specification.

Enabled when BGP service on this member is configured.

Events per second (default=1)

130700200 AUTO DROP BGP header length longer than spec

When BGP is enabled, this rule drops TCP BGP packets that contain message header length that is longer than the RFC specification.

Enabled when BGP service on this member is configured.

Events per second (default=1)

130700300 AUTO DROP BGP spoofed connection reset attempts

When BGP is enabled, this rule drops TCP BGP packets that contain spoofed connection reset.

This rule is enabled when BGP service on this member is configured.

Events per second (default=1)

130700400 AUTO DROP BGP invalid type 0

When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0.

This rule is enabled when BGP service on this member is configured.

Events per second (default=1)

130700500 AUTO DROP BGP invalid type bigger than 5

When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type greater than 5.

This rule is enabled when BGP service on this member is configured.

Events per second (default=1)

130700550 AUTO RATELIMIT PASS BGP IPv4 peer TCP connection attempts

This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).

This rule is enabled when BGP service on this member is configured with IPv4 peers.

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=10)

130700600 Auto RATELIMIT PASS BGP allowed with IPv4 peer

This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).

This rule is enabled when BGP service on this member is configured with IPv4 peers.

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=10)

130700650 AUTO RATELIMIT PASS BGP IPv6 peer TCP connection attempts

This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).

This rule is enabled when BGP service on this member is configured with IPv6 peers.

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=10)


130700700 Auto RATELIMIT PASS BGP allowed with IPv6 peer

This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).

This rule is enabled when BGP service on this member is configured with IPv6 peers.

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=10)

130800100 Auto DROP BGP unexpected

This rule drops TCP BGP packets that arrive when BGP is not configured on this member, since none are expected.

This rule takes effect when BGP service on this member is NOT configured.

Events per second (default=1)

This rule and the other BGP rules are mutually exclusive: it applies only when BGP is not configured on the member, and they apply only when it is.

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance. One rule applies when OSPF is not configured on the member; the others apply when it is.

Table H.15 OSPF Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments

130900300 Auto DROP OSPF unexpected

This rule drops unexpected OSPF packets.

This rule takes effect when OSPF service on this member is NOT configured.

Events per second (default=1)

Default drop rule for all packets on the OSPF service port.

130900400 Auto RATELIMIT PASS OSPF multicast

This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

This rule takes effect when OSPF service on this member is configured for IPv4.

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=100)

130900500 Auto RATELIMIT PASS OSPF IPv6 multicast

This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

This rule takes effect when OSPF service on this member is configured for IPv6.

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=100)

130900600 Auto RATELIMIT PASS OSPF

This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

This rule takes effect when OSPF service on this member is configured.

Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

This rule works for both IPv4 and IPv6.
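The BGP header checks in Table H.14 above (rules 130700100 and 130700200 on message length, 130700400 and 130700500 on message type) correspond to fixed fields of the 19-byte BGP message header. The following added Python example validates a header the same way; it is not Infoblox code, the bounds are taken from RFC 4271 and RFC 2918, the sample headers are constructed, and the order in which the appliance applies its checks is not published here.

```python
"""Validate a BGP message header the way rules 130700100, 130700200, 130700400
and 130700500 describe: length shorter or longer than the RFC 4271 bounds,
and message type 0 or greater than 5.

Added example; not Infoblox code. Sample headers are constructed.
"""
import struct
from typing import Dict

BGP_MARKER = b"\xff" * 16      # RFC 4271 4.1: 16 octets, all ones
BGP_HEADER_LEN = 19            # marker(16) + length(2) + type(1)
BGP_MAX_LEN = 4096             # RFC 4271 4.1 maximum; RFC 8654 raises it only when negotiated
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}
# minimum total message length per type (RFC 4271 4.2-4.4, RFC 2918 3)
MIN_LEN_BY_TYPE = {1: 29, 2: 23, 3: 21, 4: 19, 5: 23}


def check_bgp_header(data: bytes) -> str:
    """Return 'PASS <type>' or 'DROP <reason>' for the BGP message header in `data`."""
    if len(data) < BGP_HEADER_LEN:
        return "DROP truncated header"
    marker, length, msg_type = struct.unpack("!16sHB", data[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        return "DROP bad marker"
    if length < BGP_HEADER_LEN:                       # 130700100
        return "DROP header length shorter than spec"
    if length > BGP_MAX_LEN:                          # 130700200
        return "DROP header length longer than spec"
    if msg_type == 0:                                 # 130700400
        return "DROP invalid type 0"
    if msg_type > 5:                                  # 130700500
        return "DROP invalid type bigger than 5"
    if length < MIN_LEN_BY_TYPE[msg_type]:            # per-type minimum, a stricter check
        return f"DROP {BGP_TYPES[msg_type]} shorter than its minimum of {MIN_LEN_BY_TYPE[msg_type]}"
    return f"PASS {BGP_TYPES[msg_type]}"


def header(length: int, msg_type: int, marker: bytes = BGP_MARKER) -> bytes:
    """Build a constructed 19-byte BGP header (no body) for testing."""
    return marker + struct.pack("!HB", length, msg_type)


SAMPLES: Dict[str, bytes] = {
    "keepalive":      header(19, 4),
    "too_short":      header(18, 4),
    "too_long":       header(4097, 2),
    "type_zero":      header(19, 0),
    "type_nine":      header(19, 9),
    "open_too_short": header(19, 1),
    "bad_marker":     header(19, 4, marker=bytes(16)),
    "route_refresh":  header(23, 5),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15s} {check_bgp_header(data)}")
```

The type check stops at 5 because ROUTE-REFRESH (RFC 2918) is type 5 and must pass. Two practitioner caveats: rule 130700300 (spoofed connection reset) is a TCP-layer check on RST segments and is not modelled here; and if your peers negotiate RFC 8654 extended messages, which allow UPDATEs up to 65535 octets, confirm how the appliance's "longer than spec" rule treats them before enabling that capability, since a fixed 4096-octet cap would drop legitimate traffic.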


ICMP

ICMP is the protocol that network devices such as routers use to send error messages when a requested service is not available or the remote host cannot be reached, and attackers abuse it for flooding and malformed-packet attacks. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H.16 ICMP Rules

Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130400200 Auto DROP ICMP large packets

This rule drops large ICMP packets (larger than 800 bytes).

Always enabled. Events per second (default=1)

130900100 Auto RATELIMIT PASS ICMP Ping

This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130900200 Auto RATELIMIT PASS ICMPv6 Ping

This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130900700 Auto RATELIMIT PASS ICMPv6 destination unreachable

This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=100)

130900800 Auto RATELIMIT PASS ICMPv6 packet too big

This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=100)

130900900 Auto RATELIMIT PASS ICMPv6 ping responses

This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)


130901000 Auto RATELIMIT PASS ICMPv6 parameter problem erroneous header

This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)


130901100 Auto RATELIMIT PASS ICMPv6 parameter problem unrecognized next header

This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901200 Auto RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option

This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901300 Auto RATELIMIT PASS ICMPv6 router solicitation

This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901400 Auto RATELIMIT PASS ICMPv6 router advertisement

This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901500 Auto RATELIMIT PASS ICMPv6 neighbor solicitation

This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901600 Auto RATELIMIT PASS ICMPv6 neighbor advertisement

This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901700 Auto RATELIMIT PASS ICMPv6 inverse neighbor solicitation

This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901800 Auto RATELIMIT PASS ICMPv6 inverse neighbor advertisement

This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)


130901900 Auto RATELIMIT PASS ICMPv6 listener query

This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902000 Auto RATELIMIT PASS ICMPv6 listener report

This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902100 Auto RATELIMIT PASS ICMPv6 listener done

This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902200 Auto RATELIMIT PASS ICMPv6 listener report v2

This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902300 Auto RATELIMIT PASS ICMPv6 multicast router advertisement

This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902400 Auto RATELIMIT PASS ICMPv6 multicast router solicitation

This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902500 Auto RATELIMIT PASS ICMPv6 multicast router advertisement

This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902600 Auto RATELIMIT PASS ICMP ping responses

This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)


130902700 Auto RATELIMIT PASS ICMP router advertisement

This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130902800 Auto RATELIMIT PASS ICMP router solicitation

This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130902900 Auto RATELIMIT PASS ICMP time exceeded

This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903000 Auto RATELIMIT PASS ICMP parameter problem

This rule passes ICMP parameter problems if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903100 Auto RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable

This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. Both are type 3, code 0 in their respective protocols, which is why one rule covers them. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130903200 Auto RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable

This rule passes ICMPv6 Fragment Reassembly Time Exceeded messages or ICMPv4 Host Unreachable messages if the packet rate is less than the Packets per second value. Both are type 3, code 1 in their respective protocols, which is why one rule covers them. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903300 Auto RATELIMIT PASS ICMP protocol unreachable

This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.

Always enabled. Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903400 Auto RATELIMIT PASS ICMP port unreachable

This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).

Always enabled. Events per second (default=10)

Drop Interval (default=10 sec)

Packets per second (default=50)


130903500 Auto RATELIMIT PASS ICMP fragmentation needed

This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).

Always enabled. Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All of these rules are enabled by default; they are the fallbacks that handle traffic no more specific rule has claimed.

Table H.17 Default Pass/Drop Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments

100000050 System EARLY PASS TCP with flowbits set

This rule passes TCP traffic that has the flowbits options set and marked OK.

Enabled by default.

N/A

140000100 System DROP UDP DNS unexpected

This rule drops any unexpected UDP DNS packets.

Enabled by default.

Events per second (default=1)

Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200 System DROP TCP DNS unexpected

This rule drops any unexpected TCP DNS packets.

Enabled by default.

Events per second (default=1)

Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400 System PASS TCP established packets

This rule passes all packets that belong to established TCP connections.

Enabled by default.

Events per second (default=0)

140000500 System DROP TCP unexpected

This rule drops any unexpected TCP packets.

Enabled by default.

Events per second (default=0)

This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600 System DROP UDP unexpected

This rule drops any unexpected UDP packets.

Enabled by default.

Events per second (default=0)

This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700 System DROP ICMP unexpected

This rule drops any unexpected ICMP packets.

Enabled by default.

Events per second (default=0)

This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800 System DROP unexpected protocol

This rule drops any unexpected protocol packets.

Enabled by default.

Events per second (default=0)

This is a catch-all rule that drops anything that does not match any other rule in the system.


HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H.18 HA Support Rules

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must

first convert the IDNs into puny codes. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN

lookups on TCP. In the Rule Parameters table, complete the following:

— Blacklisted FQDN: Enter the FDQN that you want the appliance to block over TCP traffic. You can also enter a

list of FQDNs using semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by

FQDN lookups on UDP. In the Rule Parameters table, complete the following:

— Blacklisted FQDN: Enter the FDQN that you want the appliance to block over UDP traffic. You can also enter a

list of FQDNs using semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6

addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using

the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

— Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before

any relevant rate limiting rules take effect. Note that all TCP traffic from the specified Ipv4 and IPv6

addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6

addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using

the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

— Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before

any relevant rate limiting rules take effect. Note that all UDP traffic from the specified Ipv4 and IPv6

addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contains rate limiting

restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete

the following:

Rule IDRule Type

Rule Name Description Enable Condition Parameters Comments

140000750 Auto PASS VRRP This rule passes packets that go through VRRP for HA support.

Enabled if HA is configured.

N/A

140000760 Auto PASS IGMP This rule passes packets that go through IGMP for HA support.

Enabled if HA is configured.

N/A

1524 NIOS Administrator Guide (Rev. A) NIOS 6.12

Page 29: Infoblox Threat Protection Rules - Oracle · Threat Protection Rules This document contains information about threat protection rules for the Infoblox Advanced DNS Protection solution.

Custom Rule Templates

— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.

— Drop interval: Enter the number of seconds for which the appliance drops packets.

— Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets that look up this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups from the IP address or network defined in this rule. The default is 5.

— Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the TCP traffic of DNS lookups from this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups from the IP address or network defined in this rule. The default is 5.

— Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the UDP traffic of DNS lookups from this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

— Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

— Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are allowed before any relevant rate limiting rules take effect.
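The custom rule templates above describe a small policy language: a whitelist that passes and a blacklist that drops before any rate limiting, a per-FQDN blacklist, and per-address rate limits defined by a packets-per-second threshold and a drop interval. The following Python simulation is an added example, not Infoblox code and not how the appliance implements these rules; it models those semantics on constructed sample traffic so the interaction of the parameters (the default 5 packets per second and 30 second drop interval, a burst from a whitelisted address, a blacklisted name queried in mixed case) can be observed. The evaluation order among the whitelist, blacklist and FQDN templates, counting per source address inside a one-second window, and the Punycode normalization of names (following the guide's IDN note) are assumptions of the example.

```python
"""Simulation of the Advanced DNS Protection custom-rule templates described
above. Added example, not Infoblox code: the precedence order among the
whitelist, blacklist and FQDN templates, the per-source-address counting and
the one-second measurement window are assumptions made for this example."""
from dataclasses import dataclass
import ipaddress
from typing import Dict, Iterable, List, Tuple


@dataclass
class Packet:
    ts: float    # arrival time in seconds (constructed sample value)
    src: str     # source IP address
    proto: str   # "UDP" or "TCP"
    qname: str   # queried name


def normalize_fqdn(name: str) -> str:
    """Lowercase, strip the trailing dot and convert an IDN to Punycode,
    mirroring the guide's note that custom rules only accept Punycode."""
    return name.strip().rstrip(".").lower().encode("idna").decode("ascii")


def parse_fqdn_list(value: str) -> set:
    """Parse the semicolon-separated 'Blacklisted FQDN' parameter."""
    return {normalize_fqdn(n) for n in value.split(";") if n.strip()}


class RateLimiter:
    """RATELIMITED IP semantics: more than `pps` packets from one source in a
    one-second window puts that source into a `drop_interval`-second drop."""

    def __init__(self, pps: int = 5, drop_interval: int = 30):
        self.pps = pps
        self.drop_interval = drop_interval
        self.window: Dict[str, Tuple[int, int]] = {}   # src -> (second, count)
        self.blocked_until: Dict[str, float] = {}

    def allow(self, src: str, ts: float) -> bool:
        if ts < self.blocked_until.get(src, -1.0):
            return False                      # still inside the drop interval
        sec = int(ts)
        start, count = self.window.get(src, (sec, 0))
        if start != sec:
            start, count = sec, 0             # new one-second window
        count += 1
        self.window[src] = (start, count)
        if count > self.pps:
            self.blocked_until[src] = ts + self.drop_interval
            return False
        return True


class Evaluator:
    """First-match evaluation of the custom rules for one transport protocol."""

    def __init__(self, proto: str = "UDP", whitelist: Iterable[str] = (),
                 blacklist: Iterable[str] = (), fqdn_blacklist: str = "",
                 ratelimit_nets: Iterable[str] = (), pps: int = 5, drop_interval: int = 30):
        net = lambda n: ipaddress.ip_network(n, strict=False)   # address/CIDR or bare address
        self.proto = proto
        self.whitelist = [net(n) for n in whitelist]
        self.blacklist = [net(n) for n in blacklist]
        self.fqdn_blacklist = parse_fqdn_list(fqdn_blacklist)
        self.ratelimit_nets = [net(n) for n in ratelimit_nets]
        self.limiter = RateLimiter(pps, drop_interval)

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        if pkt.proto != self.proto:           # rules of this set apply to one protocol only
            return "PASS", "default"
        ip = ipaddress.ip_address(pkt.src)
        if any(ip in n for n in self.whitelist):
            return "PASS", "WHITELIST IP prior to rate limiting"
        if any(ip in n for n in self.blacklist):
            return "DROP", "BLACKLIST IP prior to rate limiting"
        if normalize_fqdn(pkt.qname) in self.fqdn_blacklist:
            return "DROP", "BLACKLIST FQDN lookup"
        if any(ip in n for n in self.ratelimit_nets) and not self.limiter.allow(pkt.src, pkt.ts):
            return "DROP", "RATELIMITED IP"
        return "PASS", "default"


def run_demo() -> Dict[Tuple[str, str], int]:
    """Constructed traffic exercising each template; returns verdict counts."""
    ev = Evaluator(proto="UDP", whitelist=["203.0.113.0/24"], blacklist=["192.0.2.9"],
                   fqdn_blacklist="bad.example; evil.test.;",
                   ratelimit_nets=["198.51.100.0/24"], pps=5, drop_interval=30)
    traffic: List[Packet] = []
    # 10 queries within one second from a rate-limited host: only 5 may pass
    traffic += [Packet(i / 10, "198.51.100.7", "UDP", "www.example") for i in range(10)]
    traffic.append(Packet(10.0, "198.51.100.7", "UDP", "www.example"))  # still in drop interval
    traffic.append(Packet(31.0, "198.51.100.7", "UDP", "www.example"))  # drop interval elapsed
    # a burst from a whitelisted host is never rate limited
    traffic += [Packet(i / 20, "203.0.113.5", "UDP", "www.example") for i in range(20)]
    traffic.append(Packet(1.0, "192.0.2.9", "UDP", "www.example"))      # blacklisted source
    traffic.append(Packet(1.0, "10.0.0.1", "UDP", "BAD.example."))       # blacklisted name
    traffic.append(Packet(1.0, "10.0.0.1", "UDP", "good.example"))
    counts: Dict[Tuple[str, str], int] = {}
    for pkt in sorted(traffic, key=lambda p: p.ts):
        key = ev.evaluate(pkt)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (verdict, rule), n in sorted(run_demo().items()):
        print(f"{verdict:4} {n:3}  {rule}")
```

Run it directly to print the verdict counts. The two behaviours worth noticing are that a whitelisted source is never counted against the rate limit, and that a rate-limited source stays dropped for the whole drop interval even though its traffic falls back below the threshold.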
