Threat Protection Rules
This document contains information about threat protection rules for the Infoblox Advanced DNS Protection solution.
It lists rule IDs, rule names, descriptions, enable/disable conditions, parameters and corresponding default values
for all auto and system rules. It also provides tuning information for specific rules so you can configure and better
utilize these rules to protect your environment without sacrificing performance. For information about Advanced DNS
Protection, see Infoblox Advanced DNS Protection on page 1333.
All rules are grouped by rule categories. System and auto rules are automatically updated during rule updates.
Note: Auto rules are always enabled, and you cannot disable them.
You can create custom rules using rule templates. For information about custom rule templates, refer to Custom Rule Templates on page 1524.
This document includes the following sections:
• Overview of Packet Flow on page 1498.
— Tuning Rule Parameters on page 1500
• DNS Cache Poisoning on page 1501
• DNS Message Type on page 1501
• General DDoS on page 1508
• Reconnaissance on page 1508
• DNS Malware on page 1509
• DNS Protocol Anomalies on page 1509
• Potential DDoS Related Domains on page 1510
• TCP/UDP Flood on page 1511
• DNS DDoS on page 1512
• DNS Tunneling on page 1513
• DNS Amplification and Reflection on page 1513
• NTP on page 1514
• BGP on page 1517
• OSPF on page 1518
• ICMP on page 1519
• Default Pass/Drop on page 1523
• HA Support on page 1524
• Custom Rule Templates on page 1524
NIOS 6.12 NIOS Administrator Guide (Rev. A) 1497
Overview of Packet Flow
Threat protection rules are designed to work together to provide maximum protection for your environment. This
section describes the order in which these rules are applied and how you can tune some of them to suit your system
setup and network environment.
Threat protection rules are grouped by rule categories, and most of them have one or more associated rule
parameters. Depending on the rules, you may or may not be able to override default values for the following rule
parameters (if applicable):
• Packets per second: The rate limit or the number of packets per second that the appliance processes before it
performs a triggered action, such as sending warnings or blocking traffic.
• Drop interval: The time period (in seconds) for which the appliance blocks all traffic from the client or traffic that
matches a certain pattern beyond the rate limit.
• Events per second: The number of events logged per second for the rule. Setting a value to 0 (zero) disables the
appliance from logging events for the rule. Most rules have this parameter, and the default value is 1.
• Packet size: DNS packet size. If the DNS packet size exceeds a certain value, the corresponding rule will be
triggered.
All incoming packets are filtered through enabled rules based on the order listed in Table H.1. Note that rules are
displayed in the same order in Grid Manager. For more information, see Viewing Threat Protection Rules on page
1352. You cannot change the filtering order of these rules. Incoming packets are screened by the first rule and
proceed through subsequent rules until they hit the last rule on the list, provided that they are not dropped or passed
by any rules in between, based on the matching conditions and rule criteria.
Depending on the rule, one of the following actions is taken:
• Ratelimiting and pass (magenta): Based on the configured rate limit, these rules drop incoming packets if the
packet rate hits the rate limit. Otherwise, the packets are passed.
• Ratelimiting (blue): Based on the configured rate limit, these rules drop incoming packets if they hit the rate
limit. Otherwise, the packets are screened by subsequent rules for further actions.
• Drop (salmon): These rules drop any incoming packets that match specific conditions and rule criteria.
• Pass (green): These rules pass any incoming packets that match specific conditions and rule criteria.
Note: All rate limiting rules, including custom rules, operate at a per source IP basis.
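The screening order and the four action kinds described above, simulated in code. This is an added example, not Infoblox code: the rule names are taken from Table H.1, while the Packets per second thresholds, the sample traffic and the scope of the block (here limited to packets matching the same rule) are constructed assumptions.

```python
"""Simulation of the packet flow in "Overview of Packet Flow": an ordered rule
chain with the four action kinds, per-source-IP rate limiting with a Drop
interval, an Events per second logging cap and the Default Pass/Drop fallback.
Added example, not Infoblox code; thresholds and traffic are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str                  # source IP; all rate limits are per source IP
    qtype: str = "A"          # DNS query type carried by the packet
    is_response: bool = False
    t: float = 0.0            # arrival time in seconds


@dataclass
class Rule:
    name: str
    kind: str                 # "ratelimit_pass", "ratelimit", "drop" or "pass"
    match: Callable[[Packet], bool]
    pps: int = 0              # Packets per second threshold (rate-limiting kinds)
    drop_interval: float = 10.0   # seconds a source stays blocked once over limit
    eps: int = 1              # Events per second logged; 0 disables logging
    log: List[Tuple[float, str]] = field(default_factory=list)
    _counts: Dict[Tuple[str, int], int] = field(default_factory=dict)
    _blocked_until: Dict[str, float] = field(default_factory=dict)
    _events: Dict[int, int] = field(default_factory=dict)

    def _log(self, pkt: Packet) -> None:
        """Record a drop event, capped at eps events per one-second window."""
        sec = int(pkt.t)
        if self.eps and self._events.get(sec, 0) < self.eps:
            self._events[sec] = self._events.get(sec, 0) + 1
            self.log.append((pkt.t, pkt.src))

    def _over_limit(self, pkt: Packet) -> bool:
        """Per-source rate check. Simplification: the block only covers packets
        matching this rule; the appliance may block all traffic from the source."""
        if self._blocked_until.get(pkt.src, -1.0) > pkt.t:
            return True                       # still inside the Drop interval
        key = (pkt.src, int(pkt.t))           # one-second window per source
        self._counts[key] = self._counts.get(key, 0) + 1
        if self._counts[key] > self.pps:
            self._blocked_until[pkt.src] = pkt.t + self.drop_interval
            return True
        return False

    def evaluate(self, pkt: Packet) -> Optional[str]:
        """Return "drop" or "pass" for a terminal decision, None to continue."""
        if not self.match(pkt):
            return None
        if self.kind in ("drop", "pass"):     # unconditional, terminal
            if self.kind == "drop":
                self._log(pkt)
            return self.kind
        if self._over_limit(pkt):             # ratelimit and ratelimit_pass
            self._log(pkt)
            return "drop"
        return "pass" if self.kind == "ratelimit_pass" else None


def run_chain(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str]]:
    """Screen packets through the rules in order; the last rule in Table H.1
    (Default Pass/Drop, Unexpected Packets) drops whatever nothing else decided."""
    verdicts = []
    for pkt in packets:
        for rule in rules:
            v = rule.evaluate(pkt)
            if v is not None:
                verdicts.append((rule.name, v))
                break
        else:
            verdicts.append(("Default Pass/Drop", "drop"))
    return verdicts


def build_chain(any_action: str = "Pass") -> List[Rule]:
    """Four rules in Table H.1 order; pps values are constructed, far below the
    appliance defaults, so a handful of packets is enough to trip them."""
    return [
        Rule("EARLY PASS UDP response traffic", "ratelimit_pass",
             lambda p: p.is_response, pps=3),
        Rule("High Rate inbound DNS Queries", "ratelimit",
             lambda p: not p.is_response, pps=4),
        # DNS Query Types rule: Drop or Pass depending on the configured action
        Rule("DNS ANY record", "drop" if any_action == "Drop" else "pass",
             lambda p: not p.is_response and p.qtype == "ANY"),
        Rule("DNS A record", "pass", lambda p: not p.is_response and p.qtype == "A"),
    ]


def demo(any_action: str = "Pass"):
    """Constructed traffic: a client bursting A queries, one ANY and one TXT
    query, and a burst of responses from an upstream server."""
    rules = build_chain(any_action)
    traffic = ([Packet("198.51.100.7", "A", t=0.1 * i) for i in range(6)]   # burst, second 0
               + [Packet("198.51.100.7", "A", t=12.0)]                      # after Drop interval
               + [Packet("203.0.113.9", "ANY", t=0.5), Packet("203.0.113.9", "TXT", t=0.6)]
               + [Packet("192.0.2.1", is_response=True, t=0.2 * i) for i in range(5)])
    return run_chain(rules, traffic), [r.log for r in rules]
```

Calling `demo("Drop")` shows the same traffic with the DNS ANY record rule switched to Drop; the first drop in each one-second window is the only one logged because Events per second is 1.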
Table H.1 Flow Order for Threat Protection Rules
Conditions (if any) | Rule Category | Rule Name | Action | Reference
- | DNS Cache Poisoning | DNS responses | Ratelimiting and Pass | DNS Cache Poisoning
Configured with external DNS primaries | DNS Message Type | TXFR/AXFR responses | Ratelimiting and Pass | DNS Message Type
Allow DDNS updates | DNS Message Type | DNS Updates | Ratelimiting and Pass | DNS Message Type
- | General DDoS | General DDoS | Drop | General DDoS
- | Reconnaissance | Reconnaissance | Drop | Reconnaissance
- | DNS Malware | DNS Malware | Drop | DNS Malware
- | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies
- | User-defined Whitelist UDP Packets | User-defined Whitelist UDP Packets | Pass | Custom Rule Templates
- | User-defined Whitelist TCP Packets | User-defined Whitelist TCP Packets | Pass | Custom Rule Templates
- | User-defined Blacklist UDP Packets | User-defined Blacklist UDP Packets | Drop | Custom Rule Templates
- | User-defined Blacklist TCP Packets | User-defined Blacklist TCP Packets | Drop | Custom Rule Templates
- | User-defined ratelimiting IP and Network UDP Packets | User-defined ratelimiting IP and Network UDP Packets | Ratelimiting | Custom Rule Templates
- | User-defined ratelimiting IP and Network TCP Packets | User-defined ratelimiting IP and Network TCP Packets | Ratelimiting | Custom Rule Templates
- | User-defined ratelimiting FQDN | User-defined ratelimiting FQDN | Ratelimiting | Custom Rule Templates
- | User-defined Blacklist FQDN | User-defined Blacklist FQDN | Drop | Custom Rule Templates
- | Potential DDoS related domains | Potential DDoS related domains | Drop | Potential DDoS Related Domains
- | TCP/UDP Floods | High Rate inbound DNS Queries | Ratelimiting | TCP/UDP Flood
- | DNS DDoS | NXDomain/NXRRset/ServFail DNS Response | Ratelimiting | DNS DDoS
- | DNS Tunneling | DNS Tunneling | Ratelimiting | DNS Tunneling
- | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies
Incoming zone transfer is allowed | DNS Message Type | DNS IXFR/AXFR Requests | Ratelimiting and Pass | DNS Message Type
Incoming zone transfer is allowed | DNS Message Type | Invalid DNS IXFR Queries | Drop | DNS Message Type
Incoming zone transfer is not allowed | DNS Message Type | DNS AXFR/IXFR Requests | Drop | DNS Message Type
- | DNS Malware | DNS Malware | Drop | DNS Malware
- | DNS Amplification and Reflection | DNS Amplification and Reflection | Ratelimiting | DNS Amplification and Reflection
- | DNS Message Type | DNS Query Types | Drop/Pass depending on the configured action | DNS Message Type
NTP client is enabled | NTP | NTP Server Responses | Ratelimiting and Pass | NTP
NTP client is disabled | NTP | NTP Client Requests | Drop | NTP
NTP server is enabled | NTP | NTP Vulnerability Rules | Ratelimiting | NTP
NTP server is enabled | NTP | NTP Ratelimiting Rules based on NTP ACL Data | Ratelimiting and Pass | NTP
NTP server is disabled | NTP | Invalid NTP Packets | Drop | NTP
BGP is enabled | BGP | Invalid BGP Packets | Drop | BGP
BGP is enabled | BGP | BGP Packets | Ratelimiting and Pass | BGP
BGP is disabled | BGP | BGP Packets | Drop | BGP
- | ICMP | ICMP Pings | Ratelimiting and Pass | ICMP
OSPF is enabled | OSPF | OSPF Packets | Ratelimiting and Pass | OSPF
OSPF is disabled | OSPF | OSPF Packets | Drop | OSPF
- | ICMP | ICMPv6 Pings | Ratelimiting and Pass | ICMP
- | Default Pass/Drop | Unexpected DNS Packets | Drop | Default Pass/Drop
- | Default Pass/Drop | TCP/UDP/ICMP Packets | Drop | Default Pass/Drop
- | HA Support | HA Communication Packets | Pass | HA Support
- | Default Pass/Drop | Unexpected Packets | Drop | Default Pass/Drop
Tuning Rule Parameters
All threat protection rules contain rule parameters that you may or may not be able to configure. Rule parameters are
predefined with default values that generally suit most network environments. However, there are times when you
have special setups or configurations in your environment that require special attention. In these cases, you may
need to change some of the rule parameters to obtain optimal protection without sacrificing system performance.
Table H.2 lists specific conditions and the corresponding rules that may require tuning when they are enabled. You can
find tuning suggestions in the Comments column of the referenced rule table for each of the following conditions:
Table H.2 Tunable Rules
Conditions | Rule(s) that Require Tuning | Reference
Your appliance is configured as an authoritative DNS server. | Rule 100000100 in the DNS Cache Poisoning category | DNS Cache Poisoning Rules
Your DNS server is configured as the secondary server with external primaries, and it serves a large number of zones. | Rules 100100100 to 100100201 in the DNS Message Type category | DNS Message Type Rules
You have enabled TCP/UDP Flood system rules, and your network environment consists of the following: NATd environments, static forwarders, or VPN concentrators. | All rules in the TCP/UDP Flood category | TCP/UDP Flood Rules
You have enabled DNS DDoS system rules, and your network environment consists of the following: NATd environments, static forwarders, or VPN concentrators. | Rules 200000001 to 200000003 in the DNS DDoS category | DNS DDoS Rules
You have enabled DNS Tunneling system rules, and your network environment consists of the following: NATd environments, static forwarders, and VPN concentrators. | All rules in the DNS Tunneling category | Anti DNS Tunneling Rules
Your DNS server is configured to allow incoming IPv4 and IPv6 zone transfer requests, and it serves a large number of zones. | Rules 130100100 to 130100401 in the DNS Message Type category | DNS Message Type Rules
You have enabled DNS Amplification and Reflection system rules. | All rules in the DNS Amplification and Reflection category | DNS Amplification and Reflection Rules
DNS Cache Poisoning
DNS cache poisoning involves inserting a false address record for an Internet domain into a DNS query. If the DNS
server accepts the record, subsequent requests for the address of the domain are answered with the address of a
server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails will go
to the attacker’s address. Cache poisoning attacks, such as the “birthday paradox,” use brute force, flooding DNS
responses and queries at the same time, hoping to get a match on one of the responses and poison the cache.
The following table lists auto rules that Advanced DNS Protection uses to mitigate DNS cache poisoning on your
advanced appliance.
Table H.3 DNS Cache Poisoning Rules
Rule ID | Rule Type | Rule Name (each entry is followed by its Description, Enable/Disable Condition, Parameters and Comments)
100000100 | Auto | EARLY PASS UDP response traffic
Description: This rule passes UDP DNS response packets (from upstream DNS servers or external DNS primaries) if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Always enabled.
Parameters: Packets per second (default = 30000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a smaller number if your system is serving authoritative DNS. NOTE: If you set the parameter incorrectly, the rule could block legitimate DNS responses from upstream DNS servers, which could cause the DNS server to exceed its quota.
100000200 | Auto | EARLY PASS TCP response traffic
Description: This rule passes TCP DNS responses initiated by the appliance.
Enable/Disable Condition: Always enabled.
Parameters: Packets per second (default = 100)
Comments: Consider raising the Packets per second value if DNSSEC is enabled.
100000300 | Auto | PASS ACK packets from NIOS initiated connections
Description: This rule passes TCP ACK packets for DNS or BGP from NIOS initiated connections if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Always enabled.
Parameters: Packets per second (default = 600); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider raising the Packets per second value if DNSSEC is enabled.
DNS Message Type
The following table lists the system and auto rules that are used to mitigate DNS message type attacks on your
advanced appliance.
All rules for DNS record types are system rules. By default, they are configured as Pass rules. You can override this
and change the rule action to Drop. Note that when you do that, the appliance drops all DNS packets that contain the
requested record type.
Table H.4 DNS Message Type Rules
Rule ID | Rule Type | Rule Name (each entry is followed by its Description, Enable/Disable Condition, Parameters and Comments)
100100100 | Auto | EARLY PASS IPv4 UDP Notify messages
Description: This rule passes IPv4 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.
100100101 | Auto | EARLY PASS IPv6 UDP Notify messages
Description: This rule passes IPv6 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.
100100200 | Auto | EARLY PASS IPv4 TCP Notify messages
Description: This rule passes IPv4 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.
100100201 | Auto | EARLY PASS IPv6 TCP Notify messages
Description: This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.
100100300 | Auto | EARLY PASS IPv4 UDP Notify messages for DDNS update
Description: This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if DDNS update is enabled for IPv4 clients.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
100100350 | Auto | EARLY PASS IPv6 UDP Notify messages for DDNS update
Description: This rule passes IPv6 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if DDNS update is enabled for IPv6 clients.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
130100100 | Auto | RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests
Description: This rule passes IPv4 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100101 | Auto | RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests
Description: This rule passes IPv6 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100200 | Auto | RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests
Description: This rule passes IPv4 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100201 | Auto | RATELIMIT PASS IPv6 TCP DNS AXFR zone transfer requests
Description: This rule passes IPv6 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100300 | Auto | RATELIMIT PASS IPv4 UDP DNS IXFR zone transfer requests
Description: This rule passes IPv4 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100301 | Auto | RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests
Description: This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100400 | Auto | RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests
Description: This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100401 | Auto | RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests
Description: This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests.
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130200100 | Auto | DROP UDP DNS AXFR zone transfer requests
Description: This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
Enable/Disable Condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests.
Parameters: Events per second (default = 1)
130200200 | Auto | DROP TCP DNS AXFR zone transfer requests
Description: This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
Enable/Disable Condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests.
Parameters: Events per second (default = 1)
130200300 | Auto | DROP UDP DNS IXFR zone transfer requests
Description: This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
Enable/Disable Condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests.
Parameters: Events per second (default = 1)
130200400 | Auto | DROP TCP DNS IXFR zone transfer requests
Description: This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
Enable/Disable Condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests.
Parameters: Events per second (default = 1)
130500100 | System | DNS A record
Description: You can configure this rule to pass or drop UDP packets that contain A record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130500200 | System | DNS AAAA record
Description: You can configure this rule to pass or drop UDP packets that contain AAAA record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130500300 | System | DNS CNAME record
Description: You can configure this rule to pass or drop UDP packets that contain CNAME record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130500400 | System | DNS DS record
Description: You can configure this rule to pass or drop UDP packets that contain DS record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130500500 | System | DNS PTR record
Description: You can configure this rule to pass or drop UDP packets that contain PTR record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130500600 | System | DNS NS record
Description: You can configure this rule to pass or drop UDP packets that contain NS record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130500700 | System | DNS NSEC record
Description: You can configure this rule to pass or drop UDP packets that contain NSEC record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130500800 | System | DNS NSEC3 record
Description: You can configure this rule to pass or drop UDP packets that contain NSEC3 record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130500900 | System | DNS NSEC3PARAM record
Description: You can configure this rule to pass or drop UDP packets that contain NSEC3PARAM record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130501000 | System | DNS MX record
Description: You can configure this rule to pass or drop UDP packets that contain MX record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130501100 | System | DNS SRV record
Description: You can configure this rule to pass or drop UDP packets that contain SRV record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130501200 | System | DNS TXT record
Description: You can configure this rule to pass or drop UDP packets that contain TXT record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130501300 | System | DNS DNAME record
Description: You can configure this rule to pass or drop UDP packets that contain DNAME record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130501400 | System | DNS RRSIG record
Description: You can configure this rule to pass or drop UDP packets that contain RRSIG record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130501500 | System | DNS NAPTR record
Description: You can configure this rule to pass or drop UDP packets that contain NAPTR record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130501600 | System | DNS DNSKEY record
Description: You can configure this rule to pass or drop UDP packets that contain DNSKEY record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130501700 | System | DNS SPF record
Description: You can configure this rule to pass or drop UDP packets that contain SPF record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130501800 | System | DNS DHCID record
Description: You can configure this rule to pass or drop UDP packets that contain DHCID record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130501900 | System | DNS SOA record
Description: You can configure this rule to pass or drop UDP packets that contain SOA record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130502000 | System | DNS SIG record
Description: You can configure this rule to pass or drop UDP packets that contain SIG record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130502100 | System | DNS LOC record
Description: You can configure this rule to pass or drop UDP packets that contain LOC record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130502200 | System | DNS SSHFP record
Description: You can configure this rule to pass or drop UDP packets that contain SSHFP record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130502300 | System | DNS IPSECKEY record
Description: You can configure this rule to pass or drop UDP packets that contain IPSECKEY record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130502400 | System | DNS TKEY record
Description: You can configure this rule to pass or drop UDP packets that contain TKEY record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130502500 | System | DNS TSIG record
Description: You can configure this rule to pass or drop UDP packets that contain TSIG record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130502600 | System | DNS TA record
Description: You can configure this rule to pass or drop UDP packets that contain TA record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130502700 | System | DNS DLV record
Description: You can configure this rule to pass or drop UDP packets that contain DLV record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130502800 | System | DNS ANY record
Description: You can configure this rule to pass or drop UDP packets that contain ANY record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130502900 | System | DNS A record TCP
Description: You can configure this rule to pass or drop TCP packets that contain A record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
130503000 | System | DNS AAAA record TCP
Description: You can configure this rule to pass or drop TCP packets that contain AAAA record requests. The default Action = Pass.
Enable/Disable Condition: Enabled by default.
Parameters: Action (default = Pass); Events per second (default = 1)
NIOS 6.12 NIOS Administrator Guide (Rev. A) 1505
130503100  System  DNS CNAME record TCP
You can configure this rule to pass or drop TCP packets that contain a CNAME record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130503200  System  DNS DS record TCP
You can configure this rule to pass or drop TCP packets that contain a DS record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130503300  System  DNS PTR record TCP
You can configure this rule to pass or drop TCP packets that contain a PTR record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130503400  System  DNS NS record TCP
You can configure this rule to pass or drop TCP packets that contain an NS record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130503500  System  DNS NSEC record TCP
You can configure this rule to pass or drop TCP packets that contain an NSEC record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130503600  System  DNS NSEC3 record TCP
You can configure this rule to pass or drop TCP packets that contain an NSEC3 record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130503700  System  DNS NSEC3PARAM record TCP
You can configure this rule to pass or drop TCP packets that contain an NSEC3PARAM record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130503800  System  DNS MX record TCP
You can configure this rule to pass or drop TCP packets that contain an MX record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130503900  System  DNS SRV record TCP
You can configure this rule to pass or drop TCP packets that contain an SRV record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130504000  System  DNS TXT record TCP
You can configure this rule to pass or drop TCP packets that contain a TXT record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130504100  System  DNS DNAME record TCP
You can configure this rule to pass or drop TCP packets that contain a DNAME record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130504200  System  DNS RRSIG record TCP
You can configure this rule to pass or drop TCP packets that contain an RRSIG record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130504300  System  DNS NAPTR record TCP
You can configure this rule to pass or drop TCP packets that contain a NAPTR record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130504400  System  DNS DNSKEY record TCP
You can configure this rule to pass or drop TCP packets that contain a DNSKEY record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130504500  System  DNS SPF record TCP
You can configure this rule to pass or drop TCP packets that contain an SPF record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130504600  System  DNS DHCID record TCP
You can configure this rule to pass or drop TCP packets that contain a DHCID record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130504700  System  DNS SOA record TCP
You can configure this rule to pass or drop TCP packets that contain an SOA record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130504800  System  DNS SIG record TCP
You can configure this rule to pass or drop TCP packets that contain a SIG record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130504900  System  DNS ROC record TCP
You can configure this rule to pass or drop TCP packets that contain a ROC record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130505000  System  DNS SSHFP record TCP
You can configure this rule to pass or drop TCP packets that contain an SSHFP record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130505100  System  DNS IPSECKEY record TCP
You can configure this rule to pass or drop TCP packets that contain an IPSECKEY record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130505200  System  DNS TKEY record TCP
You can configure this rule to pass or drop TCP packets that contain a TKEY record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130505300  System  DNS TSIG record TCP
You can configure this rule to pass or drop TCP packets that contain a TSIG record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130505400  System  DNS TA record TCP
You can configure this rule to pass or drop TCP packets that contain a TA record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130505500  System  DNS DLV record TCP
You can configure this rule to pass or drop TCP packets that contain a DLV record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
130505600  System  DNS ANY record TCP
You can configure this rule to pass or drop TCP packets that contain an ANY record request. The default Action = Pass.
Enabled by default.
Action (default = Pass)
Events per second (default = 1)
General DDoS
The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.
Table H.5 General DDoS Rules
Rule ID  Rule Type  Rule Name  Description  Enable/Disable Condition  Parameters  Comments
110000100  Auto  EARLY DROP DoS packets with same source and destination IP
This rule drops any IP packets that contain the same source and destination IP address.
Always enabled.
Events per second (default = 1)
110000200  Auto  EARLY DROP DoS UDP packets with same source and destination IP
This rule drops UDP packets that contain the same source and destination IP address.
Always enabled.
Events per second (default = 1)
110000300  Auto  EARLY DROP DoS TCP packets with same source and destination IP
This rule drops TCP packets that contain the same source and destination IP address.
Always enabled.
Events per second (default = 1)
130400300  Auto  DROP IPv6 loopback address spoofing
This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
Always enabled.
Events per second (default = 1)
130400400  Auto  DROP IPv6 loopback address spoofing
This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
Always enabled.
Events per second (default = 1)
Reconnaissance
Reconnaissance attacks consist of attempts to gather information about the network environment before launching a large
DDoS or another type of attack. Techniques include port scanning and probing for the DNS server's version and author
information. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.
The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.
You can configure the following rule parameter for all rules in this category:
• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) stops the
appliance from logging events for the rule. The default value is 10.
Table H.6 Reconnaissance Rules
Rule ID  Rule Type  Rule Name  Description  Enable Condition  Parameters  Comments
110100100  Auto  EARLY DROP DNS named author attempts
This rule drops UDP DNS packets that contain attempts to find AUTHOR information.
Always enabled.
Events per second (default = 1)
110100200  Auto  EARLY DROP DNS named version attempts
This rule drops UDP DNS packets that contain attempts to find VERSION information.
Always enabled.
Events per second (default = 1)
DNS Malware
DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your
appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.
The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a
resolver such as a Microsoft DNS server.
Table H.7 DNS Malware Rules
Rule ID  Rule Type  Rule Name  Description  Enable Condition  Parameters  Comments
110100300  Auto  EARLY DROP UDP MALWARE backdoor
This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOB.EVL, which poses as an installer of Facebook Messenger. This malware may be spread as a malicious attachment in email messages.
Always enabled.
Events per second (default = 1)
130300300  Auto  DROP MALWARE trojan downloader
This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare.
Always enabled.
Events per second (default = 1)
130300400  Auto  DROP MALWARE possible Hiloti
This rule drops UDP packets that contain the trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server.
Always enabled.
Events per second (default = 1)
DNS Protocol Anomalies
DNS protocol anomaly attacks send malformed DNS packets, including unexpected header and payload values, to the
targeted server. The malformed input can cause the server to stop responding or crash, or leave server threads stuck in
an infinite loop. These anomalies sometimes take the form of impersonation attacks.
The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance.
Table H.8 DNS Protocol Anomalies Rules
Rule ID  Rule Type  Rule Name  Description  Enable Condition  Parameters  Comments
110100400  Auto  EARLY DROP UDP DNS question name too long
This rule drops UDP DNS packets when the DNS Question Name is too long.
Always enabled.
Events per second (default = 1)
110100500  Auto  EARLY DROP UDP DNS label too long
This rule drops UDP DNS packets when a DNS Label in the name being queried is too long.
Always enabled.
Events per second (default = 1)
110100600  Auto  EARLY DROP UDP query invalid question count
This rule drops UDP DNS packets when the number of entries in the question section is invalid.
Always enabled.
Events per second (default = 1)
110100700  Auto  EARLY DROP UDP query invalid question class
This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid.
Always enabled.
Events per second (default = 1)
110100800  Auto  EARLY DROP UDP query invalid question string
This rule drops UDP DNS packets that contain an invalid question string.
Always enabled.
Events per second (default = 1)
110100850  Auto  EARLY UDP drop invalid DNS query with Authority
This rule drops UDP DNS queries that contain an invalid AUTHORITY entry.
Always enabled.
Events per second (default = 1)
110100900  Auto  EARLY DROP query multiple questions or non query operation code
This rule drops UDP DNS packets when more than one question is queried at one time or the operation code is not Query.
Always enabled.
Events per second (default = 1)
130000700  Auto  EARLY DROP TCP non-DNS query
This rule drops TCP packets whose operation code is not Query.
Always enabled.
Events per second (default = 1)
130000800  Auto  EARLY DROP TCP query multiple questions
This rule drops TCP DNS packets when more than one question is queried at one time.
Always enabled.
Events per second (default = 1)
130100500  Auto  DROP UDP DNS invalid IXFR query with zero or more than one Authority
This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entry.
Always enabled.
Events per second (default = 1)
130100600  Auto  DROP TCP DNS invalid IXFR query with zero or more than one Authority
This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entry.
Always enabled.
Events per second (default = 1)
130300200  Auto  DROP TCP invalid DNS query with Authority
This rule drops TCP DNS queries that contain invalid Authority entries.
Always enabled.
Events per second (default = 1)
Potential DDoS Related Domains
This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or
subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been
observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when
necessary.
Note that these rules capture currently observed bad domain names that can change on a regular basis. Infoblox
recommends that you update to the latest ruleset to capture the most current rules in this category. For information
about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
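As an added example (not Infoblox code), the checker below parses a UDP DNS query in wire format and reports which of the Table H.8 rule IDs above would fire on it. The page does not define the thresholds or what counts as "invalid", so the values used here (RFC 1035 label and name limits, the IN/CH/HS/ANY class set, a zero question count, an IXFR without exactly one Authority record) are assumptions, as are the constructed sample packets.

```python
import struct

# Rule IDs from Table H.8 (DNS Protocol Anomalies). The thresholds and the meaning of
# "invalid" below are assumptions based on RFC 1035, not Infoblox's published logic.
RULE_QNAME_TOO_LONG = 110100400        # question name longer than 255 octets on the wire
RULE_LABEL_TOO_LONG = 110100500        # a single label longer than 63 octets
RULE_BAD_QDCOUNT = 110100600           # question count of zero
RULE_BAD_QCLASS = 110100700            # class other than IN, CH, HS or ANY
RULE_BAD_QSTRING = 110100800           # question section that cannot be parsed
RULE_BAD_AUTHORITY = 110100850         # non-IXFR query carrying authority records
RULE_MULTI_Q_OR_NON_QUERY = 110100900  # more than one question, or opcode other than QUERY
RULE_BAD_IXFR = 130100500              # IXFR query with zero or more than one authority record

MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 255
VALID_QCLASSES = {1, 3, 4, 255}        # IN, CH, HS, ANY
QTYPE_IXFR = 251
OPCODE_QUERY = 0
HEADER_LEN = 12


def parse_question(msg, offset):
    """Parse one question entry starting at offset.

    Returns (labels, name_octets, qtype, qclass, next_offset) and raises
    ValueError when the wire data is truncated or uses a compression pointer
    (which never belongs in a question name)."""
    labels = []
    name_octets = 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        offset += 1
        name_octets += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            raise ValueError("compression pointer in question name")
        # Length bytes 64..191 are extended/reserved label types; they are treated
        # here as oversize labels (assumption) so the caller can flag them.
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(bytes(msg[offset:offset + length]))
        offset += length
        name_octets += length
    if offset + 4 > len(msg):
        raise ValueError("qtype/qclass missing")
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return labels, name_octets, qtype, qclass, offset + 4


def check_udp_query(msg):
    """Return the sorted list of Table H.8 rule IDs a UDP DNS query would trigger."""
    if len(msg) < HEADER_LEN:
        return [RULE_BAD_QSTRING]
    _ident, flags, qdcount, _ancount, nscount, _arcount = struct.unpack("!6H", msg[:HEADER_LEN])
    opcode = (flags >> 11) & 0x0F
    fired = set()
    if qdcount == 0:
        fired.add(RULE_BAD_QDCOUNT)
    if qdcount > 1 or opcode != OPCODE_QUERY:
        fired.add(RULE_MULTI_Q_OR_NON_QUERY)
    if qdcount >= 1:
        try:
            labels, name_octets, qtype, qclass, _ = parse_question(msg, HEADER_LEN)
        except ValueError:
            fired.add(RULE_BAD_QSTRING)
        else:
            if any(len(label) > MAX_LABEL_OCTETS for label in labels):
                fired.add(RULE_LABEL_TOO_LONG)
            if name_octets > MAX_NAME_OCTETS:
                fired.add(RULE_QNAME_TOO_LONG)
            if qclass not in VALID_QCLASSES:
                fired.add(RULE_BAD_QCLASS)
            if qtype == QTYPE_IXFR:
                if nscount != 1:        # IXFR must carry exactly one SOA in Authority
                    fired.add(RULE_BAD_IXFR)
            elif nscount > 0:
                fired.add(RULE_BAD_AUTHORITY)
    return sorted(fired)


def build_query(labels, qtype=1, qclass=1, opcode=OPCODE_QUERY, qdcount=1, nscount=0):
    """Build a constructed DNS query (header plus one question) for testing."""
    flags = ((opcode & 0x0F) << 11) | 0x0100          # RD set, as a stub resolver would
    header = struct.pack("!6H", 0x1234, flags, qdcount, 0, nscount, 0)
    name = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)


if __name__ == "__main__":
    samples = {
        "normal A query": build_query([b"example", b"com"]),
        "70-octet label": build_query([b"a" * 70, b"com"]),
        "306-octet name": build_query([b"b" * 60] * 5),
        "STATUS opcode": build_query([b"example", b"com"], opcode=2),
        "IXFR without SOA": build_query([b"example", b"com"], qtype=QTYPE_IXFR),
    }
    for title, packet in samples.items():
        print(f"{title:18s} -> {check_udp_query(packet)}")
```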
TCP/UDP Flood
TCP and UDP flood attacks are volumetric attacks that use massive numbers of packets to consume network bandwidth
and resources. They exploit TCP and UDP.
The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced
appliance.
Table H.9 TCP/UDP Flood Rules
Rule ID  Rule Type  Rule Name  Description  Enable Condition  Parameters  Comments
130000100  System  WARN about high rate inbound UDP DNS queries
This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
Disabled by default
Packets per second (default = 40)
Events per second (default = 1)
Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered.
NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.
130000200  System  WARN & BLOCK high rate inbound UDP DNS queries
This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
Disabled by default
Packets per second (default = 1000)
Drop interval (default = 5 seconds)
Events per second (default = 1)
Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
This rule may be triggered if its Packets per second value is lower than that of the custom rules created using the rate limiting templates.
NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.
130000300  System  WARN about high rate inbound TCP DNS queries
This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
Disabled by default
Packets per second (default = 5)
Events per second (default = 1)
Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered.
NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.
130000400  System  WARN & BLOCK high rate inbound TCP DNS queries
This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
Disabled by default
Packets per second (default = 1000)
Drop interval (default = 10 seconds)
Events per second (default = 1)
Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
This rule may be triggered if its Packets per second value is lower than that of the custom rules created using the rate limiting templates.
NOTE: DO NOT enable this rule along with rule 130000300.
DNS DDoS
The following table lists system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These
rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.
Table H.10 DNS DDoS Rules
Rule ID  Rule Type  Rule Name  Description  Enable/Disable Condition  Parameters  Comments
200000001  System  NXDOMAIN rate limiting rule
This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
Enabled by default
Packets per second (default = 1000)
Drop interval (default = 5 seconds)
Events per second (default = 1)
Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
200000002  System  NXRRSET rate limiting rule
This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
Enabled by default
Packets per second (default = 1000)
Drop interval (default = 5 seconds)
Events per second (default = 1)
Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
NOTE: NXRRSET responses include NO records, NO answers, and NO errors.
200000003  System  SERVFAIL rate limiting rule
This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
Enabled by default
Packets per second (default = 1000)
Drop interval (default = 5 seconds)
Events per second (default = 1)
Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
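The warn-then-block behaviour shared by the rule pair 130000100/130000200 in Table H.9 and by the response-based rules such as 200000001 in Table H.10, as an added example that is not Infoblox's implementation: a per-source limiter that counts packets over a sliding one-second window (an assumption about how the appliance measures the rate), warns when the rate equals a threshold, blocks for the Drop interval when it exceeds it, and applies the Events per second cap to logging. Source addresses and timings are constructed.

```python
from collections import defaultdict, deque

RULE_UDP_WARN = 130000100      # WARN about high rate inbound UDP DNS queries
RULE_UDP_BLOCK = 130000200     # WARN & BLOCK high rate inbound UDP DNS queries
RULE_NXDOMAIN = 200000001      # NXDOMAIN rate limiting rule
NXDOMAIN = 3                   # DNS RCODE for NXDOMAIN


class TwoTierRateLimiter:
    """Per-source packet-rate limiter with an optional low (warn) threshold and a
    high (warn-then-block) threshold, modelled on rule pairs such as 130000100/130000200.

    Packets are counted over a sliding one-second window per source (assumption);
    reaching the high threshold warns, exceeding it blocks, as the rule text describes."""

    def __init__(self, block_pps, drop_interval, block_rule, warn_pps=None,
                 warn_rule=None, events_per_second=1):
        self.block_pps = block_pps
        self.drop_interval = drop_interval
        self.block_rule = block_rule
        self.warn_pps = warn_pps
        self.warn_rule = warn_rule
        self.events_per_second = events_per_second
        self.windows = defaultdict(deque)      # src -> timestamps seen in the last second
        self.blocked_until = {}                # src -> time at which the drop interval ends
        self.event_log = defaultdict(int)      # (rule, whole second) -> events logged

    def is_blocked(self, src, now):
        return self.blocked_until.get(src, 0.0) > now

    def _log(self, rule, now):
        """Apply the 'Events per second' cap; True if this event is actually logged."""
        key = (rule, int(now))
        if self.event_log[key] >= self.events_per_second:
            return False
        self.event_log[key] += 1
        return True

    def observe(self, src, now):
        """Count one packet from src at time now (seconds).
        Returns (verdict, rule_id, logged) with verdict in pass/warn/block/drop."""
        if self.is_blocked(src, now):
            return "drop", None, False
        window = self.windows[src]
        window.append(now)
        while window[0] <= now - 1.0:          # drop timestamps older than one second
            window.popleft()
        rate = len(window)
        if rate > self.block_pps:
            self.blocked_until[src] = now + self.drop_interval
            return "block", self.block_rule, self._log(self.block_rule, now)
        if rate >= self.block_pps:
            return "warn", self.block_rule, self._log(self.block_rule, now)
        if self.warn_pps is not None and rate >= self.warn_pps:
            return "warn", self.warn_rule, self._log(self.warn_rule, now)
        return "pass", None, False


def apply_nxdomain_rule(limiter, answered):
    """Rule 200000001 counts only queries that produced NXDOMAIN, but once a source is
    blocked all of its UDP DNS traffic is dropped for the drop interval.
    answered: iterable of (time, src, rcode); returns one verdict per entry."""
    verdicts = []
    for now, src, rcode in answered:
        if limiter.is_blocked(src, now):
            verdicts.append("drop")
        elif rcode == NXDOMAIN:
            verdicts.append(limiter.observe(src, now)[0])
        else:
            verdicts.append("pass")
    return verdicts


def simulate_udp_flood(packets_in_first_second=1001, src="192.0.2.10"):
    """Drive the 130000100/130000200 pair with their defaults (40 / 1000 pps, 5 s).
    Returns (packet index at which each verdict first appeared, warn events logged for
    130000100, verdict inside the drop interval, verdict after it has elapsed)."""
    limiter = TwoTierRateLimiter(block_pps=1000, drop_interval=5.0, block_rule=RULE_UDP_BLOCK,
                                 warn_pps=40, warn_rule=RULE_UDP_WARN)
    first_seen_at = {}
    logged = 0
    for i in range(packets_in_first_second):
        verdict, rule, was_logged = limiter.observe(src, i * 0.0005)  # all within one second
        first_seen_at.setdefault((verdict, rule), i + 1)
        if was_logged and rule == RULE_UDP_WARN:
            logged += 1
    during = limiter.observe(src, 2.0)[0]      # still inside the 5 s drop interval
    after = limiter.observe(src, 8.0)[0]       # interval over and window empty again
    return first_seen_at, logged, during, after


if __name__ == "__main__":
    print(simulate_udp_flood())
```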
DNS Tunneling
DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration.
Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS
responses.
The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance.
Table H.11 Anti DNS Tunneling Rules
Rule ID  Rule Type  Rule Name  Description  Enable/Disable Condition  Parameters  Comments
130000500  System  RATELIMIT UDP high rate inbound large DNS queries (anti tunneling)
This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
This rule is triggered when the DNS packet size exceeds the configured Packet size value.
Disabled by default
Packets per second (default = 100)
Drop interval (default = 5 seconds)
Events per second (default = 1)
Packet size (default = 200)
Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
130000600  Auto  RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval.
This rule is triggered when the DNS packet size exceeds the configured Packet size value.
Disabled by default
Packets per second (default = 100)
Drop interval (default = 5 seconds)
Events per second (default = 1)
Packet size (default = 200)
Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
200000004  System  DNS tunneling rate limiting rule
This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval.
This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured Packet size.
Enabled by default
Packets per second (default = 1000)
Drop interval (default = 5 seconds)
Events per second (default = 1)
Packet size (default = 40)
Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
DNS Amplification and Reflection
DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the
address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS
reflection and amplification exploit the fact that UDP DNS is an asymmetrical protocol (small requests, large responses)
and that open DNS resolvers exist on the Internet. The result is that small DNS queries reflect large UDP datagram
responses to the target address in the original source datagrams. Some recent attacks have used this DDoS
technique at a huge scale.
Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to overwhelm
a host or a network. Crafted in a specific way, a small query sent to any open DNS resolver can result in a single
response containing several kilobytes or more, which is sent to the unwitting spoofed victim. (This type of response
typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet
usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open
DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also
use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators,
particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse
them. Many network operators do provide intelligent rate-limiting to prevent abuse, even while supporting open
recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.
The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks
on your advanced appliance.
Table H.12 DNS Amplification and Reflection Rules
Rule ID  Rule Type  Rule Name  Description  Enable/Disable Condition  Parameters  Comments
130400100  Auto  WARN & DROP DoS DNS possible reflection/amplification attack attempts
This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY."
Enabled by default
Packets per second (default = 5)
Drop interval (default = 5 seconds)
Events per second (default = 1)
Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders, and VPN concentrators.
130400500  System  RATELIMIT PASS UDP DNS root requests with additional RRs
This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
Disabled by default
Packets per second (default = 500)
Drop interval (default = 5 seconds)
Events per second (default = 1)
130400600  System  RATELIMIT PASS UDP DNS root requests
This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
Disabled by default
Packets per second (default = 500)
Drop interval (default = 5 seconds)
Events per second (default = 1)
Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
NTP
The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on
your advanced appliance. These rules include support for the following: NTP requests and responses, NTP IPv4 and
IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.
Table H.13 NTP Rules
Rule ID  Rule Type  Rule Name  Description  Enable/Disable Condition  Parameters  Comments
130600100  Auto  RATELIMIT PASS NTP TIME responses
When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
Enabled when the NTP client is enabled.
Packets per second (default = 10)
Drop interval (default = 15 seconds)
Events per second (default = 1)
130600120  Auto  DROP NTP TIME responses
This rule drops all UDP NTP TIME responses when the NTP client is disabled.
Enabled when the NTP client is disabled.
Events per second (default = 1)
200001001  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
Enabled when NTP service is enabled on this member.
Events per second (default = 1)
200001005  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
Enabled when NTP service is enabled on this member.
Events per second (default = 1)
200001010  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
Enabled when NTP service is enabled on this member.
Events per second (default = 1)
200001015  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
Enabled when NTP service is enabled on this member.
Events per second (default = 1)
200001020  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
Enabled when NTP service is enabled on this member.
Events per second (default = 1)
200001025  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
Enabled when NTP service is enabled on this member.
Events per second (default = 1)
200001050  Auto  RATELIMIT PASS NTPQ IPv4 requests
This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is disabled.
Packets per second (default = 10)
Drop interval (default = 60 seconds)
Events per second (default = 1)
200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is enabled.
Packets per second (default = 10)
Drop interval (default = 60 seconds)
Events per second (default = 1)
200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is disabled.
Packets per second (default = 10)
Drop interval (default = 60 seconds)
Events per second (default = 1)
200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is disabled.
Packets per second (default = 10)
Drop interval (default = 60 seconds)
Events per second (default = 1)
200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is enabled.
Packets per second (default = 10)
Drop interval (default = 60 seconds)
Events per second (default = 1)
200001075  Auto  RATELIMIT PASS NTP private mode IPv6 requests
This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is disabled.
Packets per second (default = 10)
Drop interval (default = 60 seconds)
Events per second (default = 1)
200001100  Auto  DROP NTPQ requests unexpected
When NTP service is disabled, this rule drops all UDP NTPQ requests.
Enabled when NTP service is disabled on this member.
Events per second (default = 1)
200001105  Auto  DROP NTP TIME requests unexpected
When NTP service is disabled, this rule drops all UDP NTP TIME requests.
Enabled when NTP service is disabled on this member.
Events per second (default = 1)
200001110  Auto  DROP NTP private mode requests unexpected
When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
Enabled when NTP service is disabled on this member.
Events per second (default = 1)
200001115  Auto  DROP invalid NTP requests
When NTP service is disabled, this rule drops all invalid UDP NTP requests.
Enabled when NTP service is disabled on this member.
Events per second (default = 1)
BGP
The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.
Table H.14 BGP Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments
130700100 AUTO DROP BGP header length shorter than spec
When BGP is enabled, this rule drops TCP BGP packets whose message header length is shorter than the RFC specification.
Enabled when BGP service on this member is configured.
Events per second (default=1)
130700200 AUTO DROP BGP header length longer than spec
When BGP is enabled, this rule drops TCP BGP packets whose message header length is longer than the RFC specification.
Enabled when BGP service on this member is configured.
Events per second (default=1)
130700300 AUTO DROP BGP spoofed connection reset attempts
When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
This rule is enabled when BGP service on this member is configured.
Events per second (default=1)
130700400 AUTO DROP BGP invalid type 0
When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0.
This rule is enabled when BGP service on this member is configured.
Events per second (default=1)
130700500 AUTO DROP BGP invalid type bigger than 5
When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
This rule is enabled when BGP service on this member is configured.
Events per second (default=1)
130700550 AUTO RATELIMIT PASS BGP IPv4 peer TCP connection attempts
This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
This rule is enabled when BGP service on this member is configured with IPv4 peers.
Events per second (default=1)
Drop Interval (default=60 sec)
Packets per second (default=10)
130700600 Auto RATELIMIT PASS BGP allowed with IPv4 peer
This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
This rule is enabled when BGP service on this member is configured with IPv4 peers.
Events per second (default=1)
Drop Interval (default=60 sec)
Packets per second (default=10)
130700650 AUTO RATELIMIT PASS BGP IPv6 peer TCP connection attempts
This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
This rule is enabled when BGP service on this member is configured with IPv6 peers.
Events per second (default=1)
Drop Interval (default=60 sec)
Packets per second (default=10)
130700700 Auto RATELIMIT PASS BGP allowed with IPv6 peer
This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
This rule is enabled when BGP service on this member is configured with IPv6 peers.
Events per second (default=1)
Drop Interval (default=60 sec)
Packets per second (default=10)
130800100 Auto DROP BGP unexpected
When BGP is enabled, this rule drops unexpected TCP BGP packets.
This rule takes effect when BGP service on this member is NOT configured.
Events per second (default=1)
This rule is exclusive with other rules based on whether BGP is configured on the member or not.
OSPF
The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.
Table H.15 OSPF Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments
130900300 Auto DROP OSPF unexpected
This rule drops unexpected OSPF packets.
This rule takes effect when OSPF service on this member is NOT configured.
Events per second (default=1)
Default drop rule for all packets on the OSPF service port.
130900400 Auto RATELIMIT PASS OSPF multicast
This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
This rule takes effect when OSPF service on this member is configured for IPv4.
Events per second (default=1)
Drop Interval (default=60 sec)
Packets per second (default=100)
130900500 Auto RATELIMIT PASS OSPF IPv6 multicast
This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
This rule takes effect when OSPF service on this member is configured for IPv6.
Events per second (default=1)
Drop Interval (default=60 sec)
Packets per second (default=100)
130900600 Auto RATELIMIT PASS OSPF
This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
This rule takes effect when OSPF service on this member is configured.
Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
This rule works for both IPv4 and IPv6.
ICMP
ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.
The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.
Table H.16 ICMP Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments
130400200 Auto DROP ICMP large packets
This rule drops large ICMP packets (larger than 800).
Always enabled. Events per second (default=1)
130900100 Auto RATE LIMIT PASS ICMP Ping
This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130900200 Auto RATE LIMIT PASS ICMPv6 Ping
This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130900700 Auto RATELIMIT PASS ICMPv6 destination unreachable
This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=100)
130900800 Auto RATELIMIT PASS ICMPv6 packet too big
This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=100)
130900900 Auto RATELIMIT PASS ICMPv6 ping responses
This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130901000 Auto RATELIMIT PASS ICMPv6 parameter problem erroneous header
This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130901100 Auto RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901200 Auto RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901300 Auto RATELIMIT PASS ICMPv6 router solicitation
This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901400 Auto RATELIMIT PASS ICMPv6 router advertisement
This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901500 Auto RATELIMIT PASS ICMPv6 neighbor solicitation
This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901600 Auto RATELIMIT PASS ICMPv6 neighbor advertisement
This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901700 Auto RATELIMIT PASS ICMPv6 inverse neighbor solicitation
This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901800 Auto RATELIMIT PASS ICMPv6 inverse neighbor advertisement
This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901900 Auto RATELIMIT PASS ICMPv6 listener query
This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902000 Auto RATELIMIT PASS ICMPv6 listener report
This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902100 Auto RATELIMIT PASS ICMPv6 listener done
This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902200 Auto RATELIMIT PASS ICMPv6 listener report v2
This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902300 Auto RATELIMIT PASS ICMPV6 multicast router advertisement
This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902400 Auto RATELIMIT PASS ICMPV6 multicast router solicitation
This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902500 Auto RATELIMIT PASS ICMPV6 multicast router advertisement
This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902600 Auto RATELIMIT PASS ICMP ping responses
This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130902700 Auto RATELIMIT PASS ICMP router advertisement
This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130902800 Auto RATELIMIT PASS ICMP router solicitation
This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130902900 Auto RATELIMIT PASS ICMP time exceeded
This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903000 Auto RATELIMIT PASS ICMP parameter problem
This rule passes ICMP parameter problems if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903100 Auto RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130903200 Auto RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903300 Auto RATELIMIT PASS ICMP protocol unreachable
This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Always enabled. Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903400 Auto RATELIMIT ICMP port unreachable
This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Always enabled. Events per second (default=10)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903500 Auto RATELIMIT PASS ICMP fragmentation needed
This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Always enabled. Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
Default Pass/Drop
The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.
Table H.17 Default Pass/Drop Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments
100000050 System EARLY PASS TCP with flowbits set
This rule passes TCP traffic that has the flowbits options set and marked OK.
Enabled by default.
N/A
140000100 System DROP UDP DNS unexpected
This rule drops any unexpected UDP DNS packets.
Enabled by default.
Events per second (default=1)
Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.
140000200 System DROP TCP DNS unexpected
This rule drops any unexpected TCP DNS packets.
Enabled by default.
Events per second (default=1)
Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.
140000400 System PASS TCP established packets
This rule passes all established TCP packets.
Enabled by default.
Events per second (default=0)
140000500 System DROP TCP unexpected
This rule drops any unexpected TCP packets.
Enabled by default.
Events per second (default=0)
This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000600 System DROP UDP unexpected
This rule drops any unexpected UDP packets.
Enabled by default.
Events per second (default=0)
This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000700 System DROP ICMP unexpected
This rule drops any unexpected ICMP packets.
Enabled by default.
Events per second (default=0)
This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.
140000800 System DROP unexpected protocol
This rule drops any unexpected protocol packets.
Enabled by default.
Events per second (default=0)
This is a catch-all rule that drops anything that does not match any other rule in the system.
HA Support
The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.
Table H.18 HA Support Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments
140000750 Auto PASS VRRP
This rule passes packets that go through VRRP for HA support.
Enabled if HA is configured.
N/A
140000760 Auto PASS IGMP
This rule passes packets that go through IGMP for HA support.
Enabled if HA is configured.
N/A
Custom Rule Templates
Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.
For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:
Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.
• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
— Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
— Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
— Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
— Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define
this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule.
The default is 5.
— Drop interval: Enter the number of seconds for which the appliance drops packets.
— Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule.
The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN
exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define
this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network
defined in this rule. The default is 5.
— Drop interval: Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IP
address or network defined for this rule. The default is 30 seconds.
— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value
configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval
when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define
this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network
defined in this rule. The default is 5.
— Drop interval: Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IP
address or network defined for this rule. The default is 30 seconds.
— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value
configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval
when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP
addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using
the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
— Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before
any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP
addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using
the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
— Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before
any relevant rate limiting rules take effect.
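As an added example (not Infoblox code; the one-second counting window, the "first packet over the limit is the first one dropped" cut-off, the addresses and the packet trace are all assumptions made here), the following Python model reproduces the per-source RATELIMIT PASS behaviour the ICMP, OSPF and BGP tables describe (Packets per second, Drop interval, Events per second) together with the WHITELIST pass / BLACKLIST drop "prior to rate limiting" ordering of the custom rule templates:

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from math import floor


@dataclass
class RateLimitRule:
    """One RATELIMIT PASS rule, parameterised like the table rows (constructed model)."""
    name: str
    packets_per_second: int     # "Packets per second": packets a source may send per one-second window
    drop_interval: float        # "Drop interval": seconds the source stays blocked once over the limit
    events_per_second: int = 1  # "Events per second": cap on events logged for this rule per second
    counts: dict = field(default_factory=dict)         # src -> (second, packets seen in that second)
    blocked_until: dict = field(default_factory=dict)  # src -> time at which the block expires
    log_counts: dict = field(default_factory=dict)     # second -> events already logged
    log: list = field(default_factory=list)            # (time, message) entries actually logged

    def _record_event(self, t: float, msg: str) -> None:
        # Events per second caps logging only; blocking still happens when the cap is reached.
        sec = floor(t)
        n = self.log_counts.get(sec, 0)
        if n < self.events_per_second:
            self.log_counts[sec] = n + 1
            self.log.append((t, msg))

    def evaluate(self, src: str, t: float) -> str:
        """Return 'PASS' or 'DROP' for one packet from src arriving at time t (seconds)."""
        if self.blocked_until.get(src, -1.0) > t:
            return "DROP"  # still inside the drop interval; no new event is logged
        sec, n = self.counts.get(src, (floor(t), 0))
        if sec != floor(t):
            sec, n = floor(t), 0  # new one-second window for this source
        n += 1
        self.counts[src] = (sec, n)
        # Assumption: the packet that pushes the per-second count past the limit is the first one dropped.
        if n > self.packets_per_second:
            self.blocked_until[src] = t + self.drop_interval
            self._record_event(t, f"{self.name}: {src} exceeded {self.packets_per_second} pps, "
                                  f"dropping for {self.drop_interval}s")
            return "DROP"
        return "PASS"


@dataclass
class Policy:
    """Order from the custom rule templates: whitelist pass, then blacklist drop, then rate limiting."""
    whitelist: list           # WHITELIST IP ... Pass prior to rate limiting (address/CIDR networks)
    blacklist: list           # BLACKLIST IP ... Drop prior to rate limiting (address/CIDR networks)
    rate_rule: RateLimitRule  # RATELIMIT PASS rule applied to every other source

    def evaluate(self, src: str, t: float) -> str:
        addr = ip_address(src)
        if any(addr in net for net in self.whitelist):
            return "PASS"
        if any(addr in net for net in self.blacklist):
            return "DROP"
        return self.rate_rule.evaluate(src, t)


def build_policy() -> Policy:
    """Constructed policy: the ICMP Ping defaults (50 pps, 10 s drop interval, 1 event/s) plus two lists."""
    return Policy(
        whitelist=[ip_network("203.0.113.0/24")],  # constructed documentation range
        blacklist=[ip_network("192.0.2.9/32")],    # constructed documentation address
        rate_rule=RateLimitRule("RATELIMIT PASS ICMP Ping", 50, 10.0, 1),
    )


def constructed_trace() -> list:
    """Constructed (time, source) packet trace; not captured from a real appliance."""
    trace = []
    # Two sources each send 60 pings inside second 0; 198.51.100.7 then retries at t=5 and t=11.
    for src in ("198.51.100.7", "198.51.100.8"):
        trace += [(i / 60, src) for i in range(60)]
    trace += [(5.0, "198.51.100.7"), (11.0, "198.51.100.7")]
    trace.append((0.5, "192.0.2.9"))                         # blacklisted host, one packet
    trace += [(i / 200, "203.0.113.5") for i in range(200)]  # whitelisted host at 200 pps
    return sorted(trace)


def run(policy: Policy, trace: list) -> dict:
    """Evaluate the trace in time order; returns src -> verdicts in arrival order."""
    verdicts = {}
    for t, src in trace:
        verdicts.setdefault(src, []).append(policy.evaluate(src, t))
    return verdicts


def simulate() -> tuple:
    """Run the constructed trace through the constructed policy; returns (verdicts, logged events)."""
    policy = build_policy()
    return run(policy, constructed_trace()), policy.rate_rule.log


if __name__ == "__main__":
    verdicts, log = simulate()
    for src, v in verdicts.items():
        print(f"{src:>14}: {v.count('PASS')} passed, {v.count('DROP')} dropped")
    for t, msg in log:
        print(f"t={t:.2f}s logged: {msg}")
```

Running it shows the first source passing 50 packets, being dropped for the rest of the second and again at t=5, then passing once the 10-second drop interval has elapsed at t=11, while the second source's overrun in the same second produces no log entry because the Events per second cap of 1 is already used.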