How to filter isc.org ANY attacks (DNS Amplification Attack)

Hi,

I'm receiving about 600 DNS requests per minute on average - all with the same (forged) source address and content (isc.org any).

How can I configure TMG to block this traffic? I would like to create rules that would look something like this:

"Filter dns where query contains isc.org" or "limit udp traffic for port 53 to 100 packets / minute / ip"

Thanks


November 6th, 2012 2:20pm

Hi,

Thank you for the post.

In TMG you can configure Flood Mitigation which enables intrusion detection to prevent some kinds of attack.

Protecting against DNS and other attacks

http://technet.microsoft.com/en-us/library/cc441529.aspx

Setting flood mitigation connection limits

http://technet.microsoft.com/en-us/library/dd441028.aspx

Regards,

November 7th, 2012 9:53am

I already found these options (afaik they are enabled by default) and tried different settings, but that didn't block this type of DNS request.
November 7th, 2012 10:56am

Hi,

Thank you for the update.

As far as I know, you cannot customize your own connection limit settings; however, you can edit the built-in option Maximum concurrent UDP sessions per IP address.

Regards,

November 12th, 2012 5:39am

I don't know if you ever found a solution to this. I didn't, so I have written my own UDP packet filter that is presented as a Windows Service (64-bit, although I can provide a 32-bit version if necessary).

It's configurable, so multiple domains can be specified in the filter, but I only have a problem with isc.org from botnets participating in the DNS Reflection/Amplification attack.

Although I cannot eradicate the initial 50-64 byte request, the filter drops that request before the DNS server receives and processes it, saving up to 140GB/month in upload bandwidth on my connection.

If you (or anybody else) are interested, please contact me at info@networkingfutures.co.uk

June 28th, 2013 3:39pm
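
The two rules asked for in the question (drop `isc.org` ANY queries before the DNS server processes them, and cap queries at 100 per minute per source address), sketched as an added example that is not part of the thread and is not the poster's filter. The names `parse_question`, `QueryFilter` and `build_query`, and the sample packets, are assumptions made for illustration.

```python
import struct
from collections import defaultdict, deque

QTYPE_ANY = 255
BLOCKED_ZONES = {"isc.org"}   # configurable list of zones, as the last post describes
MAX_PER_MINUTE = 100          # per-source limit taken from the original question

def parse_question(packet: bytes):
    """Return (qname, qtype) of the first question, or None if not a well-formed query."""
    if len(packet) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:   # QR bit set means a response
        return None
    labels, pos = [], 12
    while pos < len(packet) and packet[pos] != 0:
        length = packet[pos]
        if length > 63 or pos + 1 + length > len(packet):  # pointer or overrun
            return None
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    if pos + 5 > len(packet):           # need the root byte plus QTYPE and QCLASS
        return None
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype

class QueryFilter:
    def __init__(self):
        self.seen = defaultdict(deque)  # source IP -> timestamps of allowed queries

    def allow(self, src_ip: str, packet: bytes, now: float) -> bool:
        q = parse_question(packet)
        if q is None:
            return False                # drop malformed or non-query packets
        qname, qtype = q
        in_zone = any(qname == z or qname.endswith("." + z) for z in BLOCKED_ZONES)
        if qtype == QTYPE_ANY and in_zone:
            return False                # the amplification query itself
        window = self.seen[src_ip]
        while window and now - window[0] >= 60:
            window.popleft()            # forget queries older than one minute
        if len(window) >= MAX_PER_MINUTE:
            return False
        window.append(now)
        return True

def build_query(name: str, qtype: int) -> bytes:
    """Constructed sample query (ID 0x1234, RD set, class IN) for trying the filter."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)
```

Because the source address in these requests is forged, the per-source counter tracks the victim's address, so the limit mainly bounds how much reflected traffic a single target can be sent.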

This topic is archived. No further replies will be accepted.
