Configure Security Policy for DNS Amplification Egress DDoS Protection


The DNS virtual service is targeted by sending very short queries which solicit very large responses (spanning to multiple UDP packets). The DNS virtual services could be made to participate in a reflection attack. The attacker spoofs the DNS query’s source IP and source port to be that of a well known service port on a victim server.

Any requests coming from a defined range of source ports (well-known ports) will be denied. The range of ports to be denied is configured in the Security Policy.

This article explains how to configure a security policy and use it to protect the virtual service against a DNS Amplification Egress DDoS attack.

Use Security Policy to Protect the Virtual Service

Creating a New Security Policy

Log in to the Avi shell and create a new security policy as shown below:

configure securitypolicy test-secpolicy1 dns_policy_index 0
configure securitypolicy test-secpolicy1 oper_mode mitigation
configure securitypolicy test-secpolicy1
attacks  attack_vector dns_amplification_egress
mitigation_action deny

The new security policy test-secpolicy1 with DNS Amplification Egress DDoS protection is as shown below:

shell> show securitypolicy test-secpolicy1
| Field                         | Value                                               |
| uuid                          | securitypolicy-9f5149f2-ab88-4ea3-9944-cc6ed6aea77a |
| name                          | test-secpolicy1                                     |
| oper_mode                     | MITIGATION                                          |
| dns_attacks                   |                                                     |
|   attacks[1]                  |                                                     |
|     attack_vector             | DNS_AMPLIFICATION_EGRESS                            |
|     mitigation_action         |                                                     |
|       deny                    | True                                                |
|     enabled                   | True                                                |
|     max_mitigation_age        | 60 min                                              |
| network_security_policy_index | 0                                                   |
| dns_policy_index              | 0                                                   |
| dns_amplification_denyports   |                                                     |
|   match_criteria              | IS_IN                                               |
|   ranges[1]                   |                                                     |
|     start                     | 1                                                   |
|     end                       | 52                                                  |
|   ranges[2]                   |                                                     |
|     start                     | 54                                                  |
|     end                       | 2048                                                |
| tenant_ref                    | admin                                               |

The dns_amplification_denyports is automatically created to block well-known ports 1-52 and 54-2048, inclusive, for DNS Amplification Egress DDoS attacks. These ports are usually used as spoofed source ports in the attacks. Port 53 is excluded, however, since source IP addresses may initiate legitimate DNS queries to external DNS servers.

Attaching the Security Policy to a Virtual Service

If you have a DNS virtual service and you want to protect the virtual service from DNS Amplification Egress DDoS attack, you can attack the above security policy to the virtual service.

Note: A security policy configured for DNS Amplification Egress mitigation cannot be attached to a non-DNS virtual service, for example, an HTTP virtual service. When attached to a non-DNS virtual service, an error will be displayed and the security policy will not be attached to the virtual service.

For example, consider a virtual service dns-vs-1. Use the following commands to attach the network policy to the virtual service.

configure virtualservice dns-vs-1
security_policy_ref test-secpolicy1

Now the virtual service dns-vs-1 is armed with the DDoS protection security policy. Any such attacks will be detected and mitigated by the Service Engine. Security Manager creates network security rules and DNS rules for SE to use and block the attacker’s IP address, source port, and or DNS record request types. On significant attacks, the metrics manager will raise DDoS events which will be displayed on the controller UI.