We are running R81.10 JHF 132 on Quantum 6600 appliances. We are hosting DNS services for the public internet in a DMZ on TCP/UDP 53. Some time ago, our IPS started preventing DNS Data Overflow (Response packet too long, potential buffer overflow) attacks on TCP/53. In combination with these attacks, IPS bypass is activated and CPU load increases to >80%. The appliance stops responding for some time, causing outages.
The traffic pattern usually includes a relatively low number of connections from distributed source IPs. To me it looks like an OS vulnerability exploited by attackers.
To prevent this, we have contacted Check Point support and activated DoS features such as rate limiting and penalty box. However, due to the traffic pattern mentioned above, these mitigations are not completely effective.
I am contacting the community, hoping to get some more input on alternative mitigation methods regarding this specific attack. Maybe somebody has experienced the same type of attack and managed to find a solution?
Is the traffic accepted by implied rules or specific rules you have configured?
As an aside, how is the memory utilization throughout, and do your UDP DNS (domain-udp) service objects in the policy use the default timeout values?
Hi, thanks for your input! Traffic is accepted by specific rules that were configured, and memory usage does not show a notable increase while CPU usage is high. We do use custom service objects for TCP/53 and UDP/53, but they use default timeout values. The only difference is that "Match for Any" in the custom object is checked... to my understanding this is not relevant.
DDoS attacks can have both a "volume" element and an application-specific element.
The DDoS Mitigation features can definitely help with traffic volume portions of a DDoS, though it sounds like this is targeting something specific to your DNS implementation.
Check Point does offer DDoS Protector appliances that are more geared towards addressing these challenges.
Are you using a cluster? DNS is notorious for causing a very high amount of state sync traffic which can drive up the CPU. On the Advanced setting of your services matching DNS, uncheck "Synchronize connections...".
There is a relatively new setting on the cluster object that only syncs connections/sessions that have lasted more than 3 seconds, but because UDP is stateless and the UDP session timeout is 40 seconds by default, these UDP DNS sessions always get synced and hang around for a while.
If this doesn't help, the next step is setting Aggressive Aging and possibly lowering the more aggressive UDP timeout from its default of 15 seconds.
Thanks for your reply. I changed the parameters you suggested and will observe.
@PhoneBoy Thanks, I agree... something application-specific is being targeted. We have a DDoS mitigation service we can activate during an attack, but we are not running it permanently.
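As an added example (not code from this thread or from Check Point), a small Python checker that applies the logic the IPS signature name describes, "Response packet too long", to a captured DNS-over-TCP byte stream: it walks the RFC 1035 two-byte length framing, flags responses whose declared length exceeds a threshold, and reports frames whose declared length outruns the captured bytes. The sample stream, the 4096-byte limit and the function names are constructed for illustration; the real IPS threshold is not given in the thread.

```python
import struct

DNS_HEADER_LEN = 12          # fixed DNS header size (RFC 1035 4.1.1)
QR_FLAG = 0x8000             # QR bit set => message is a response
ASSUMED_MAX_RESPONSE = 4096  # assumed limit, not Check Point's actual value


def iter_tcp_dns_messages(stream: bytes):
    """Yield (declared_len, payload) for each length-prefixed DNS message.

    DNS over TCP prefixes every message with a 2-byte big-endian length
    (RFC 1035 4.2.2). A payload shorter than declared_len means the frame
    was cut off by the capture or by the sender.
    """
    off = 0
    while off + 2 <= len(stream):
        (declared_len,) = struct.unpack_from("!H", stream, off)
        off += 2
        yield declared_len, stream[off:off + declared_len]
        off += declared_len


def check_dns_tcp_responses(stream: bytes, max_len: int = ASSUMED_MAX_RESPONSE):
    """Return (index, finding, declared_len, actual_len) tuples for suspect frames."""
    findings = []
    for idx, (declared_len, payload) in enumerate(iter_tcp_dns_messages(stream)):
        if len(payload) < declared_len:
            findings.append((idx, "truncated", declared_len, len(payload)))
        elif declared_len < DNS_HEADER_LEN:
            findings.append((idx, "short-header", declared_len, len(payload)))
        else:
            (flags,) = struct.unpack_from("!H", payload, 2)
            if flags & QR_FLAG and declared_len > max_len:
                findings.append((idx, "oversized-response", declared_len, len(payload)))
    return findings


def _make_msg(flags: int, body_len: int) -> bytes:
    """Build a constructed length-prefixed DNS message with a zero-filled body."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    msg = header + b"\x00" * body_len
    return struct.pack("!H", len(msg)) + msg


# Constructed stream: normal response, oversized response, a query, and a
# frame that declares 300 bytes but only 10 were captured.
SAMPLE_STREAM = (
    _make_msg(0x8180, 40)
    + _make_msg(0x8180, 4500)
    + _make_msg(0x0100, 20)
    + struct.pack("!H", 300) + b"\x00" * 10
)

if __name__ == "__main__":
    for finding in check_dns_tcp_responses(SAMPLE_STREAM):
        print(finding)
```

Queries are never flagged as oversized, since the signature concerns responses; run the checker over the server-to-client direction of a capture taken while the IPS protection is firing.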