Can Kerio Control stop DNS attacks?
  •  
Bulb

Messages: 4
Karma: 0

I frequently have hackers and script kiddies trying to use a (non-Kerio) DNS server to conduct DoS attacks against someone else. As of Kerio Control 7.0, I was not aware of any way to prevent this from happening except to block each and every individual IP address trying to do this.

Does the current version of Kerio Control add any tools that can help with this? Is there any way I can say, for example, that if an individual DNS connection uses more than a certain amount of bandwidth or sends/receives more than a certain amount of data, to automatically block that IP address?

Or if that's not possible, is it at least possible to set up an alert to tell me when this is happening? Right now, I only know if I check regularly and happen to come across it, or if people start complaining that internet access is slow or non-existent.
  •  
kokhong

Messages: 37
Karma: -1
Looks like there have been no suggestions to address this issue?

Possible to set per-host connection/bandwidth rate limiting?
  •  
silars

Messages: 429
Karma: 59
DNS is primarily UDP. There aren't many "connections".

You would need to explain the network and configuration a bit more for a real answer. The short answer is to deploy prioritization and rate limiting. You can also explore using multiple DNS servers, one internal/one external.

There are many options depending on the particular attack.
  •  
Bulb

Messages: 4
Karma: 0
What I would look for is the ability to set up a rule that would automatically block an IP that accessed a specified service above a specified bandwidth for a given amount of time.

Right now, I have to do that manually.
  •  
silars

Messages: 429
Karma: 59
That's certainly one way to approach the issue. The problem with that solution is maintaining state. That blocked IP table can only get so big. It can't be infinite. The kiddies can just change the DoS attack to consume your block table similar to a TCP SYN Flood attack.

Bandwidth management scales better, especially for a service like DNS which should be fairly low bandwidth. You should be able to provide a low bandwidth external service to your DNS which would prevent hackers/kiddies from overwhelming your DNS, while allowing your user population a higher bandwidth service.

Otherwise, my knowledge of Control doesn't appear to allow what you are asking. They have the bandwidth management functionality, just not reactive rules in the manner you're asking. You would need to ask for that feature.

I can certainly be wrong. Perhaps someone will chirp up with a better idea.
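
The trade-off discussed in this thread, as an added example that is not part of any post and is not Kerio Control code or configuration: a reactive per-source block table with a fixed capacity is run against one token bucket per traffic class on the same constructed traffic. The class names, rates, table capacity, LAN range and the choice that a full table leaves new sources untracked are all assumptions.

```python
import ipaddress
LAN = ipaddress.ip_network("192.168.0.0/16")  # assumed internal range

class TokenBucket:
    """Byte-rate limiter: constant state, one bucket per traffic class."""
    def __init__(self, rate, burst):              # bytes/second, bytes
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, now, size):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size > self.tokens:
            return False
        self.tokens -= size
        return True

class ReactiveBlocker:
    """Blocks a source after `limit` bytes; tracks at most `cap` sources."""
    def __init__(self, limit, cap):
        self.limit, self.cap, self.seen = limit, cap, {}

    def allow(self, src, size):
        if src not in self.seen and len(self.seen) >= self.cap:
            return True       # assumption: a full table leaves the source untracked
        self.seen[src] = self.seen.get(src, 0) + size
        return self.seen[src] <= self.limit

def simulate(seconds=10, ext_pps=500, lan_every=25, size=60):
    """Constructed traffic: each external query arrives from a new source address."""
    buckets = {True: TokenBucket(50_000, 50_000), False: TokenBucket(2_000, 2_000)}
    blocker = ReactiveBlocker(limit=10_000, cap=1_000)
    base = int(ipaddress.ip_address("198.18.0.0"))   # RFC 2544 benchmarking range
    out = {"blocker_ext": 0, "bucket_ext": 0, "bucket_lan": 0}
    for tick in range(seconds * ext_pps):
        sources = [ipaddress.ip_address(base + tick)]
        if tick % lan_every == 0:                    # interleave one LAN client
            sources.append(ipaddress.ip_address("192.168.1.10"))
        for src in sources:
            ok = buckets[src in LAN].allow(tick / ext_pps, size)
            if src in LAN:
                out["bucket_lan"] += size * ok
            else:
                out["bucket_ext"] += size * ok
                out["blocker_ext"] += size * blocker.allow(src, size)
    out["blocker_entries"] = len(blocker.seen)
    return out

if __name__ == "__main__":
    print(simulate())
```

The returned byte counts show the block table filling to its capacity without blocking anything, because no single source crosses the threshold, while the external bucket caps what reaches the DNS server and the LAN bucket is unaffected.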