The traffic cleaning system diverted traffic for a two-level DNS server deployment; afterwards, some users could not access certain Web sites.
Viewing the log, we found that all traffic from the first-level DNS server to the second-level DNS server was identified as a DNS-Flood attack, and confirmed that the command firewall defend dns-flood enable caused this fault.
The following two commands were configured at the same time on the Eudemon 8080:
  firewall defend dns-flood interface GigabitEthernet4/0/0 alert-rate 2000 max-rate 1000000
  firewall defend dns-flood enable
Both commands enable DNS-Flood attack defense, but they use different algorithms.
The first command:
When the DNS traffic rate reaches the configured alert threshold (2000 p/s), the device starts source probing to determine whether the traffic is an attack; when the DNS traffic rate exceeds the maximum threshold (1000000 p/s), the traffic is dropped directly.
The second command:
The device checks the validity of each DNS request (query) message:
The UDP destination port must be 53;
The Transaction ID cannot be 0;
The Length field of the UDP header must be more than 24 bytes;
The QR, RA, Zero and Rcode bits of the FLAGS field must all be 0.
A DNS message that fails any one of the checks above is classified as attack traffic and dropped.
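The following is an added example, not code from the case or from the Eudemon, that applies the four validity checks above to constructed UDP datagrams so the pass/drop decision can be reproduced on sample messages; build_dns_query, check_dns_request and the check labels are this example's own assumptions, and the field offsets follow the standard DNS header layout.

```python
import struct

DNS_PORT = 53
MIN_UDP_LENGTH = 24  # the UDP Length field must exceed this value (third check)


def build_dns_query(txid, qname, flags=0x0100, dst_port=DNS_PORT):
    """Construct a UDP datagram carrying a one-question DNS query (QTYPE A, QCLASS IN).
    Constructed sample input for this example; flags default to RD=1, a normal query."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    dns = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    # UDP header: source port, destination port, length, checksum (left 0 here)
    udp_header = struct.pack("!HHHH", 40000, dst_port, 8 + len(dns), 0)
    return udp_header + dns


def check_dns_request(datagram):
    """Apply the four validity checks from the case to one UDP datagram.
    Returns the list of failed checks; an empty list means the message passes.
    The check names are labels invented for this example, not device log fields."""
    if len(datagram) < 8:
        return ["udp-header-truncated"]
    _src, dst_port, udp_len, _csum = struct.unpack("!HHHH", datagram[:8])
    failures = []
    if dst_port != DNS_PORT:                    # 1. UDP destination port must be 53
        failures.append("dst-port-not-53")
    if udp_len <= MIN_UDP_LENGTH:               # 3. UDP Length must be more than 24 bytes
        failures.append("udp-length-too-short")
    dns = datagram[8:12]
    if len(dns) < 4:
        failures.append("dns-header-truncated")
        return failures
    txid, flags = struct.unpack("!HH", dns)
    if txid == 0:                               # 2. Transaction ID cannot be 0
        failures.append("transaction-id-zero")
    qr = (flags >> 15) & 0x1
    ra = (flags >> 7) & 0x1
    zero = (flags >> 4) & 0x7   # 3-bit reserved "Zero" field; later RFCs placed the AD and CD bits here
    rcode = flags & 0xF
    if qr or ra or zero or rcode:               # 4. QR, RA, Zero and Rcode must all be 0
        failures.append("flags-not-clean")
    return failures


def is_dropped(datagram):
    """Mirror the drop rule: failing any single check classifies the message as attack traffic."""
    return bool(check_dns_request(datagram))
```

A plain query with RD set passes, while a query from a resolver that sets the AD bit lands in the reserved "Zero" field and is dropped, which shows how legitimate inter-server traffic can trip a strict header check.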
The E8080 checks the validity of DNS request messages according to RFC1451/RFC1431, but the messages exchanged between the public-network first-level DNS server and the second-level DNS server do not meet these criteria. When the public-network first-level DNS server sends a DNS request message to the second-level DNS server, the E8080 drops it. This is why some users cannot access certain Web sites after the diversion.
The attack log is attached.
Based on the fault symptoms and the DNS attack log produced by the E8080, the cause is that the request messages sent by the Internet DNS server to the second-level DNS server fail the E8080 validity check.
We suggest that, when defending against DNS-Flood attacks, only the first command (the source-probe algorithm) be used.