This section explains the steps to create and configure a new security policy and use it to protect the virtual service against a DNS Amplification Egress DDoS attack.

The DNS virtual service is targeted by sending concise queries that solicit expansive responses (spanning multiple UDP packets). The DNS virtual services can participate in a reflection attack. The attacker spoofs the DNS query’s source IP and source port to be that of a well-known service port on a victim server.

Any requests from a defined range of source ports (well-known ports) will be denied. The range of ports to be denied is configured in the Security Policy.

Use Security Policy to Protect the Virtual Service

Create a new security policy as shown below:

Log in to the NSX Advanced Load Balancer shell and create a new security policy as shown below:

configure securitypolicy test-secpolicy1 dns_policy_index 0
save
configure securitypolicy test-secpolicy1 oper_mode mitigation
save
configure securitypolicy test-secpolicy1
dns_attacks
attacks  attack_vector dns_amplification_egress
mitigation_action deny
save
save
save
exit

The new security policy test-secpolicy1 with DNS Amplification Egress DDoS protection is displayed as follows:

shell> show securitypolicy test-secpolicy1
+-------------------------------+---------------------------------------+
| Field                         | Value                                 |
+-------------------------------+---------------------------------------+
| uuid                          | securitypolicy-9f5149f2-ab88-4ea3-9944-cc6ed6aea77a                                                            |
| name                          | test-secpolicy1                       |
| oper_mode                     | MITIGATION                            |
| dns_attacks                   |                                       |
|   attacks[1]                  |                                       |
|     attack_vector             | DNS_AMPLIFICATION_EGRESS              |
|     mitigation_action         |                                       |
|       deny                    | True                                  |
|     enabled                   | True                                  |
|     max_mitigation_age        | 60 min                                |
| network_security_policy_index | 0                                     |
| dns_policy_index              | 0                                     |
| dns_amplification_denyports   |                                       |
|   match_criteria              | IS_IN                                 |
|   ranges[1]                   |                                       |
|     start                     | 1                                     |
|     end                       | 52                                    |
|   ranges[2]                   |                                       |
|     start                     | 54                                    |
|     end                       | 2048                                  |
| tenant_ref                    | admin                                 |
+-------------------------------+---------------------------------------+

The dns_amplification_denyports is automatically created to block well-known ports 1-52 and 54-2048, inclusive, for DNS Amplification Egress DDoS attacks. These ports are usually used as spoofed source ports in the attacks. Port 53 is excluded, however, since source IP addresses may initiate legitimate DNS queries to external DNS servers.

Attaching the Security Policy to a Virtual Service

If you have a DNS virtual service and want to protect the virtual service from DNS Amplification Egress DDoS attack, you can attach a security policy to the virtual service.

Note:

A security policy configured for DNS Amplification Egress mitigation cannot be attached to a non-DNS virtual service, for instance, an HTTP virtual service. When attached to a non-DNS virtual service, an error will be displayed, and the security policy will not be attached to the virtual service.

For instance, consider a virtual service dns-vs-1. The steps to attach the network policy to the virtual service are shown below:

shell>
configure virtualservice dns-vs-1
security_policy_ref test-secpolicy1
save
exit

Now the virtual service dns-vs-1 is secured with the DDoS protection security policy. Any such attacks will be detected and mitigated by the SE. Security manager creates network security rules and DNS rules for SE to use and block the attacker’s IP address, source port, and DNS record request types. On significant attacks, the metrics manager will raise DDoS events which will be displayed on the controller UI.