Threat Protection Rules 6.12
Source: NIOS 6.12 Administrator Guide (Rev. A), page 1497; printed 8/21/2019 from slidepdf.com (threat-protection-rules-612)
Threat Protection Rules
This document contains information about threat protection rules for the Infoblox Advanced DNS Protection solution. It lists rule IDs, rule names, descriptions, enable/disable conditions, parameters, and corresponding default values for all auto and system rules. It also provides tuning information for specific rules so you can configure and better utilize these rules to protect your environment without sacrificing performance. For information about Advanced DNS Protection, see Infoblox Advanced DNS Protection on page 1333. All rules are grouped by rule categories. System and auto rules are automatically updated during rule updates.

Note: Auto rules are always enabled; you cannot disable them.

You can create custom rules using rule templates. For information about custom rule templates, refer to Custom Rule Templates on page 1524.
This document includes the following sections:

• Overview of Packet Flow on page 1498
  — Tuning Rule Parameters on page 1500
• DNS Cache Poisoning on page 1501
• DNS Message Type on page 1501
• General DDoS on page 1508
• Reconnaissance on page 1508
• DNS Malware on page 1509
• DNS Protocol Anomalies on page 1509
• Potential DDoS Related Domains on page 1510
• TCP/UDP Flood on page 1511
• DNS DDoS on page 1512
• DNS Tunneling on page 1513
• DNS Amplification and Reflection on page 1513
• NTP on page 1514
• BGP on page 1517
• OSPF on page 1518
• ICMP on page 1519
• Default Pass/Drop on page 1523
• HA Support on page 1524
• Custom Rule Templates on page 1524
Overview of Packet Flow
Threat protection rules are designed to work together to provide maximum protection for your environment. This section describes how these rules are applied and how you can tune some of them to suit your system setup and network environment.

Threat protection rules are grouped by rule categories, and most of them have one or more associated rule parameters. Depending on the rule, you may or may not be able to override the default values of the following rule parameters (where applicable):

• Packets per second: The rate limit, or the number of packets per second that the appliance processes before it performs a triggered action such as sending warnings or blocking traffic.
• Drop interval: The time period (in seconds) for which the appliance blocks all traffic from the client, or traffic that matches a certain pattern, after the rate limit is exceeded.
• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables event logging for the rule. Most rules have this parameter, and the default value is 1.
• Packet size: DNS packet size. If the DNS packet size exceeds a certain value, the corresponding rule is triggered.

All incoming packets are filtered through the enabled rules in the order listed in Table H1. Rules are displayed in the same order in Grid Manager; for more information, see Viewing Threat Protection Rules on page 1352. You cannot change the filtering order of these rules. Incoming packets are screened by the first rule and proceed through subsequent rules until they hit the last rule on the list, provided that they are not dropped or passed by any rule in between based on the matching conditions and rule criteria.

Depending on the rule, the following actions can be taken:

• Rate-limiting and pass (magenta): Based on the configured rate limit, these rules drop incoming packets if the packet rate hits the rate limit. Otherwise, the packets are passed.
• Rate-limiting (blue): Based on the configured rate limit, these rules drop incoming packets if they hit the rate limit. Otherwise, the packets are screened by subsequent rules for further actions.
• Drop (salmon): These rules drop any incoming packets that match specific conditions and rule criteria.
• Pass (green): These rules pass any incoming packets that match specific conditions and rule criteria.

Note: All rate-limiting rules, including custom rules, operate on a per-source-IP basis. A NAT gateway, static forwarder, or VPN concentrator therefore counts as a single source for every client behind it, which is why Table H2 calls out those environments for tuning.
Table H1 Flow Order for Threat Protection Rules

Condition (if any) | Rule Category | Rule Name | Action | Reference
--- | --- | --- | --- | ---
(none) | DNS Cache Poisoning | DNS responses | Rate-limiting and Pass | DNS Cache Poisoning
Configured with external DNS primaries | DNS Message Type | IXFR/AXFR responses | Rate-limiting and Pass | DNS Message Type
Allow DDNS updates | DNS Message Type | DNS Updates | Rate-limiting and Pass | DNS Message Type
(none) | General DDoS | General DDoS | Drop | General DDoS
(none) | Reconnaissance | Reconnaissance | Drop | Reconnaissance
(none) | DNS Malware | DNS Malware | Drop | DNS Malware
(none) | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies
(none) | User-defined Whitelist UDP Packets | User-defined Whitelist UDP Packets | Pass | Custom Rule Templates
(none) | User-defined Whitelist TCP Packets | User-defined Whitelist TCP Packets | Pass | Custom Rule Templates
(none) | User-defined Blacklist UDP Packets | User-defined Blacklist UDP Packets | Drop | Custom Rule Templates
(none) | User-defined Blacklist TCP Packets | User-defined Blacklist TCP Packets | Drop | Custom Rule Templates
(none) | User-defined rate-limiting IP and Network UDP Packets | User-defined rate-limiting IP and Network UDP Packets | Rate-limiting | Custom Rule Templates
(none) | User-defined rate-limiting IP and Network TCP Packets | User-defined rate-limiting IP and Network TCP Packets | Rate-limiting | Custom Rule Templates
(none) | User-defined rate-limiting FQDN | User-defined rate-limiting FQDN | Rate-limiting | Custom Rule Templates
(none) | User-defined Blacklist FQDN | User-defined Blacklist FQDN | Drop | Custom Rule Templates
(none) | Potential DDoS related domains | Potential DDoS related domains | Drop | Potential DDoS Related Domains
(none) | TCP/UDP Flood | High Rate inbound DNS Queries | Rate-limiting | TCP/UDP Flood
(none) | DNS DDoS | NXDOMAIN/NXRRset/ServFail DNS Response | Rate-limiting | DNS DDoS
(none) | DNS Tunneling | DNS Tunneling | Rate-limiting | DNS Tunneling
(none) | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies
Incoming zone transfer is allowed | DNS Message Type | DNS IXFR/AXFR Requests | Rate-limiting and Pass | DNS Message Type
Incoming zone transfer is allowed | DNS Message Type | Invalid DNS IXFR Queries | Drop | DNS Message Type
Incoming zone transfer is not allowed | DNS Message Type | DNS AXFR/IXFR Requests | Drop | DNS Message Type
(none) | DNS Malware | DNS Malware | Drop | DNS Malware
(none) | DNS Amplification and Reflection | DNS Amplification and Reflection | Rate-limiting | DNS Amplification and Reflection
(none) | DNS Message Type | DNS Query Types | Drop/Pass, depending on the configured action | DNS Message Type
NTP client is enabled | NTP | NTP Server Responses | Rate-limiting and Pass | NTP
NTP client is disabled | NTP | NTP Client Requests | Drop | NTP
NTP server is enabled | NTP | NTP Vulnerability Rules | Rate-limiting | NTP
NTP server is enabled | NTP | NTP Rate-limiting Rules based on NTP ACL Data | Rate-limiting and Pass | NTP
NTP server is disabled | NTP | Invalid NTP Packets | Drop | NTP
BGP is enabled | BGP | Invalid BGP Packets | Drop | BGP
BGP is enabled | BGP | BGP Packets | Rate-limiting and Pass | BGP
BGP is disabled | BGP | BGP Packets | Drop | BGP
(none) | ICMP | ICMP Pings | Rate-limiting and Pass | ICMP
OSPF is enabled | OSPF | OSPF Packets | Rate-limiting and Pass | OSPF
OSPF is disabled | OSPF | OSPF Packets | Drop | OSPF
(none) | ICMP | ICMPv6 Pings | Rate-limiting and Pass | ICMP
(none) | Default Pass/Drop | Unexpected DNS Packets | Drop | Default Pass/Drop
(none) | Default Pass/Drop | TCP/UDP/ICMP Packets | Drop | Default Pass/Drop
(none) | HA Support | HA Communication Packets | Pass | HA Support
(none) | Default Pass/Drop | Unexpected Packets | Drop | Default Pass/Drop
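The filtering model described in this section and in Table H1 (ordered evaluation where the first verdict wins, the four action types, per-source-IP rate limits with a drop interval, and the Events per second cap on logging), shown as an added Python model. This is not NIOS code and not from the Infoblox guide; the rule names, the deliberately tiny limits, the "trusted" source attribute and the packet trace are all constructed for the demonstration, and the real defaults are the ones listed in the rule tables later in this document.

```python
"""Model of the threat-protection packet flow: rules evaluated in order, four
action types, per-source-IP rate limiting with a drop interval, and the
Events per second cap on logging. Added illustration; not Infoblox code."""
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

Packet = Tuple[float, str, dict]   # (timestamp in seconds, source IP, attributes)


class Rule:
    """action: 'pass' (green), 'drop' (salmon), 'ratelimit' (blue: drop over the
    limit, else continue to the next rule), 'ratelimit_pass' (magenta: drop over
    the limit, else pass)."""

    def __init__(self, name: str, action: str, match: Callable[[dict], bool],
                 packets_per_second: int = 0, drop_interval: float = 0.0,
                 events_per_second: int = 1) -> None:
        self.name, self.action, self.match = name, action, match
        self.packets_per_second, self.drop_interval = packets_per_second, drop_interval
        self.events_per_second = events_per_second           # 0 disables logging
        self._counts: Dict[str, Tuple[int, int]] = {}        # ip -> (second, packets seen)
        self._blocked_until: Dict[str, float] = {}           # ip -> end of drop interval
        self._events: Dict[int, int] = {}                    # second -> events logged
        self.log: List[str] = []

    def _log(self, t: float, msg: str) -> None:
        sec, used = int(t), self._events.get(int(t), 0)
        if used < self.events_per_second:
            self._events[sec] = used + 1
            self.log.append(f"t={sec} {self.name}: {msg}")

    def evaluate(self, pkt: Packet) -> Optional[str]:
        """Return 'pass' or 'drop', or None to hand the packet to the next rule."""
        t, ip, attrs = pkt
        if not self.match(attrs):
            return None
        if self.action == "pass":
            return "pass"
        if self.action == "drop":
            self._log(t, f"dropped packet from {ip}")
            return "drop"
        # Rate-limiting rules count per source IP (see the note above Table H1).
        if self._blocked_until.get(ip, 0.0) > t:
            return "drop"                                    # inside the drop interval
        sec, n = self._counts.get(ip, (int(t), 0))
        if sec != int(t):
            sec, n = int(t), 0                               # new one-second window
        n += 1
        self._counts[ip] = (sec, n)
        if n > self.packets_per_second:
            self._blocked_until[ip] = t + self.drop_interval
            self._log(t, f"{ip} exceeded {self.packets_per_second} pps; blocked {self.drop_interval}s")
            return "drop"
        return "pass" if self.action == "ratelimit_pass" else None


class RuleChain:
    """First verdict wins; the trailing Default Pass/Drop rules of Table H1 are the default."""

    def __init__(self, rules: List[Rule], default: str = "drop") -> None:
        self.rules, self.default = rules, default

    def process(self, pkt: Packet) -> Tuple[str, str]:
        for rule in self.rules:
            verdict = rule.evaluate(pkt)
            if verdict is not None:
                return verdict, rule.name
        return self.default, "default"


def demo() -> dict:
    """Constructed trace through a chain modelled on a few rows of Table H1; the
    limits are deliberately tiny so the behaviour shows in a handful of packets."""
    response_rule = Rule("EARLY PASS UDP response traffic", "ratelimit_pass",
                         lambda a: a["proto"] == "udp" and a["qr"] == 1,
                         packets_per_second=5, drop_interval=10.0)
    any_rule = Rule("DNS ANY record", "drop", lambda a: a["qtype"] == "ANY")
    chain = RuleChain([
        response_rule,
        Rule("User-defined whitelist UDP", "pass", lambda a: a.get("src_net") == "trusted"),
        Rule("High rate inbound DNS queries", "ratelimit", lambda a: a["qr"] == 0,
             packets_per_second=3, drop_interval=2.0),
        Rule("DNS A record", "pass", lambda a: a["qtype"] == "A"),
        any_rule,
    ])
    resp = {"proto": "udp", "qr": 1, "qtype": "A"}
    trace: List[Packet] = [(0.1 * i, "198.51.100.7", resp) for i in range(8)]     # burst of responses
    trace += [(5.0, "198.51.100.7", resp), (11.0, "198.51.100.7", resp)]         # inside, then after, the drop interval
    trace += [(0.1 * i, "192.0.2.10", {"proto": "udp", "qr": 0, "qtype": "A"}) for i in range(4)]
    trace += [(0.1 * i, "203.0.113.5", {"proto": "udp", "qr": 0, "qtype": "ANY"}) for i in range(3)]
    trace += [(0.0, "10.0.0.1", {"proto": "udp", "qr": 0, "qtype": "A", "src_net": "trusted"}),
              (1.0, "192.0.2.11", {"proto": "udp", "qr": 0, "qtype": "TXT"})]
    summary: dict = {"pass": 0, "drop": 0,
                     "by_rule": defaultdict(lambda: {"pass": 0, "drop": 0})}
    for pkt in sorted(trace, key=lambda p: p[0]):
        verdict, rule_name = chain.process(pkt)
        summary[verdict] += 1
        summary["by_rule"][rule_name][verdict] += 1
    summary["by_rule"] = dict(summary["by_rule"])
    summary["response_rule_events"] = len(response_rule.log)   # 1 event although 4 packets were dropped
    summary["any_rule_events"] = len(any_rule.log)             # 1 event for 3 drops in the same second
    return summary


if __name__ == "__main__":
    print(demo())
```

Running the file prints the summary: 10 packets pass and 9 drop; the sixth response from 198.51.100.7 in one second trips the limit and every later packet from that source is dropped until the drop interval ends, yet the rule logs a single event; the three ANY queries are dropped by the Drop rule but, with Events per second at 1, only the first is logged.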
Tuning Rule Parameters
All threat protection rules contain rule parameters that you may or may not be able to configure. Rule parameters are predefined with default values that generally suit most network environments. However, there are times when you have special setups or configurations in your environment that require special attention. In these cases, you may need to change some of the rule parameters to obtain optimal protection without sacrificing system performance.

Table H2 lists specific conditions and the corresponding rules that may require tuning when they are enabled. You can view tuning suggestions in the Comments column for each of the following conditions.
Table H2 Tunable Rules

Condition | Rule(s) that Require Tuning | Reference
--- | --- | ---
Your appliance is configured as an authoritative DNS server | Rule 100000100 in the DNS Cache Poisoning category | DNS Cache Poisoning Rules
Your DNS server is configured as the secondary server with external primaries, and it serves a large number of zones | Rules 100100100 to 100100201 in the DNS Message Type category | DNS Message Type Rules
You have enabled TCP/UDP Flood system rules, and your network environment consists of the following: NAT'd environments, static forwarders, or VPN concentrators | All rules in the TCP/UDP Flood category | TCP/UDP Flood Rules
You have enabled DNS DDoS system rules, and your network environment consists of the following: NAT'd environments, static forwarders, or VPN concentrators | Rules 200000001 to 200000003 in the DNS DDoS category | DNS DDoS Rules
You have enabled DNS Tunneling system rules, and your network environment consists of the following: NAT'd environments, static forwarders, and VPN concentrators | All rules in the DNS Tunneling category | Anti DNS Tunneling Rules
Your DNS server is configured to allow incoming IPv4 and IPv6 zone transfer requests, and it serves a large number of zones | Rules 130100100 to 130100401 in the DNS Message Type category | DNS Message Type Rules
You have enabled DNS Amplification and Reflection system rules | All rules in the DNS Amplification and Reflection category | DNS Amplification and Reflection Rules
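One way to size Packets per second for the NAT'd-environment, static-forwarder and VPN-concentrator conditions in Table H2 before enabling the TCP/UDP Flood or DNS DDoS rules, as an added Python script that is not part of the guide or of NIOS: it measures the peak per-source query rate in a DNS query log, since every client behind such a device shares one source IP and the rate limits count per source. The BIND-style log line format, the 0.8 headroom factor and the sample log lines are assumptions of this example; the limit passed to tuning_report should be the Packets per second value of the rule you intend to enable.

```python
"""Measure peak per-source query rates from a DNS query log so that Packets per
second limits can be sized for NAT gateways, forwarders and VPN concentrators.
Added illustration; not Infoblox code. The log line shape is an assumed
BIND-style query log line and the sample lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumed line shape:
# "21-Aug-2019 10:00:00.123 client 203.0.113.1#40211: query: www.example.com IN A + (10.1.1.1)"
LINE_RE = re.compile(
    r"^(?P<sec>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: "
)


def peak_rates(lines: Iterable[str]) -> Dict[str, int]:
    """Per source IP, the highest number of queries seen in any one-second bucket."""
    per_second: Dict[tuple, int] = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m:                                   # notify, xfer and other non-query lines are ignored
            per_second[(m["ip"], m["sec"])] += 1
    peaks: Dict[str, int] = defaultdict(int)
    for (ip, _sec), n in per_second.items():
        peaks[ip] = max(peaks[ip], n)
    return dict(peaks)


def tuning_report(peaks: Dict[str, int], packets_per_second: int,
                  headroom: float = 0.8) -> Dict[str, str]:
    """Classify each source against a rule's Packets per second limit. A source
    above the limit would be blocked for the rule's Drop interval; one above the
    headroom fraction is close enough that ordinary growth will trip the rule."""
    report: Dict[str, str] = {}
    for ip, peak in sorted(peaks.items()):
        if peak > packets_per_second:
            report[ip] = "exceeds limit"
        elif peak > headroom * packets_per_second:
            report[ip] = "near limit"
        else:
            report[ip] = "ok"
    return report


def constructed_log() -> List[str]:
    """Constructed sample: one NAT gateway fronting many users, one direct client."""
    lines: List[str] = []

    def emit(ip: str, second: int, count: int) -> None:
        for i in range(count):
            lines.append(f"21-Aug-2019 10:00:{second:02d}.{i % 1000:03d} client {ip}#{40000 + i}: "
                         f"query: host{i}.example.com IN A + (10.1.1.1)")

    emit("203.0.113.1", 0, 120)   # NAT gateway: many users behind one source IP
    emit("203.0.113.1", 1, 95)
    emit("192.0.2.5", 0, 3)
    emit("192.0.2.5", 1, 4)
    lines.append("21-Aug-2019 10:00:01.000 client 192.0.2.5#5353: notify: zone example.com")
    return lines


if __name__ == "__main__":
    peaks = peak_rates(constructed_log())
    for ip, status in tuning_report(peaks, packets_per_second=100).items():
        print(f"{ip:15} peak {peaks[ip]:4d} qps  {status}")
```

With a 100 packets per second limit the gateway at 203.0.113.1 is reported as exceeding it, which is the case where the whole site behind that gateway would be blocked for the Drop interval; raise the limit for that rule, or whitelist the gateway with a custom rule, before enabling the rule.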
DNS Cache Poisoning
DNS cache poisoning involves inserting a false address record for an Internet domain into a DNS server's cache, usually by forging the response to a query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails go to the attacker's address. Cache poisoning attacks such as the "birthday paradox" attack use brute force, flooding DNS responses and queries at the same time and hoping to get a match on one of the responses and poison the cache. The following table lists the auto rules that Advanced DNS Protection uses to mitigate DNS cache poisoning on your advanced appliance.
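An added illustration of why the response rate limit in rule 100000100 matters against the birthday-style flood described above; this is not code from the guide or from Infoblox. It computes the probability that a flood of forged responses, each carrying a random transaction ID, matches an outstanding query, first for one outstanding query and then for the birthday case where the attacker also triggers many outstanding queries for the same name. The formulas are the usual independent-uniform approximations rather than an exact model of any resolver, and the ephemeral port range size used for the source-port-randomisation comparison is an assumption.

```python
"""Success probability of forged-response floods against a 16-bit DNS
transaction ID, with and without the birthday trick. Added illustration;
not Infoblox code. Independence of all IDs is assumed throughout."""
import math

TXID_SPACE = 1 << 16             # 16-bit transaction ID
EPHEMERAL_PORTS = 65536 - 1024   # assumed size of a randomised source-port range


def p_single_query(responses: int, space: int = TXID_SPACE) -> float:
    """Probability that at least one of `responses` forged replies, each with a
    random ID, matches the ID of ONE outstanding query."""
    return 1.0 - (1.0 - 1.0 / space) ** responses


def p_birthday(queries: int, responses: int, space: int = TXID_SPACE) -> float:
    """Birthday variant: the attacker first triggers `queries` outstanding
    requests for the same name (each with its own random ID) and then floods
    `responses` forged replies. Any of the queries x responses pairs may match,
    so success grows with the product, not the sum."""
    return 1.0 - (1.0 - 1.0 / space) ** (queries * responses)


def responses_for_target(target: float, queries: int = 1, space: int = TXID_SPACE) -> int:
    """Smallest number of forged responses that reaches `target` success
    probability with `queries` outstanding requests."""
    per_response = queries * math.log1p(-1.0 / space)    # log of the per-response miss probability
    return math.ceil(math.log1p(-target) / per_response)


if __name__ == "__main__":
    print(f"300 responses vs 1 query, 16-bit ID:         {p_single_query(300):.4%}")
    print(f"300 queries x 300 responses, 16-bit ID:      {p_birthday(300, 300):.2%}")
    print(f"same flood with source-port randomisation:   "
          f"{p_birthday(300, 300, TXID_SPACE * EPHEMERAL_PORTS):.6%}")
    print(f"responses needed for 50% against one query:  {responses_for_target(0.5)}")
    print(f"... with 300 outstanding queries:            {responses_for_target(0.5, 300)}")
```

Three hundred forged responses against a single outstanding query succeed well under one percent of the time, but the same three hundred responses against three hundred outstanding queries succeed about three quarters of the time; keeping the per-source response rate bounded, and keeping source ports randomised, is what pushes the attacker back to needing tens of thousands of packets per second from each source.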
Table H3 DNS Cache Poisoning Rules

Each entry gives: Rule ID, Rule Type, Rule Name; Description; Enable/Disable Condition; Parameters; Comments.

100000100  Auto  EARLY PASS UDP response traffic
  Description: This rule passes UDP DNS response packets (from upstream DNS servers or external DNS primaries) if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Packets per second (default = 30000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a smaller number if your system is serving authoritative DNS. NOTE: If you set the parameter incorrectly, the rule could block legitimate DNS responses from upstream DNS servers, which could cause the DNS server to exceed its quota.

100000200  Auto  EARLY PASS TCP response traffic
  Description: This rule passes TCP DNS responses on connections initiated by the appliance.
  Enable/Disable condition: Always enabled
  Parameters: Packets per second (default = 100)
  Comments: Consider raising the Packets per second value if DNSSEC is enabled.

100000300  Auto  PASS ACK packets from NIOS-initiated connections
  Description: This rule passes TCP ACK packets for DNS or BGP from NIOS-initiated connections if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Packets per second (default = 600); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider raising the Packets per second value if DNSSEC is enabled.

DNS Message Type

The following table lists the system and auto rules that are used to mitigate DNS message type attacks on your advanced appliance.

All rules for DNS record types are system rules. By default, they are configured as Pass rules. You can override this and change the rule action to Drop. Note that when you do so, the appliance drops all DNS packets that contain a request for that record type.

Table H4 DNS Message Type Rules

Each entry gives: Rule ID, Rule Type, Rule Name; Description; Enable/Disable Condition; Parameters; Comments.
100100100  Auto  EARLY PASS IPv4 UDP Notify messages
  Description: This rule passes IPv4 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.
100100101  Auto  EARLY PASS IPv6 UDP Notify messages
  Description: This rule passes IPv6 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

100100200  Auto  EARLY PASS IPv4 TCP Notify messages
  Description: This rule passes IPv4 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

100100201  Auto  EARLY PASS IPv6 TCP Notify messages
  Description: This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

100100300  Auto  EARLY PASS IPv4 UDP Notify messages for DDNS update
  Description: This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if DDNS update is enabled for IPv4 clients
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

100100350  Auto  EARLY PASS IPv6 UDP Notify messages for DDNS update
  Description: This rule passes IPv6 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if DDNS update is enabled for IPv6 clients
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

130100100  Auto  RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests
  Description: This rule passes IPv4 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

130100101  Auto  RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests
  Description: This rule passes IPv6 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

130100200  Auto  RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests
  Description: This rule passes IPv4 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. NOTE: The description of this rule quotes a Packets per second default of 100 while the parameter list shows 1000; confirm the effective default in Grid Manager before tuning.
130100201  Auto  RATELIMIT PASS IPv6 TCP DNS AXFR zone transfer requests
  Description: This rule passes IPv6 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. NOTE: The description of this rule quotes a Packets per second default of 100 while the parameter list shows 1000; confirm the effective default in Grid Manager before tuning.

130100300  Auto  RATELIMIT PASS IPv4 UDP DNS IXFR zone transfer requests
  Description: This rule passes IPv4 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. NOTE: The description of this rule quotes a Packets per second default of 100 while the parameter list shows 1000; confirm the effective default in Grid Manager before tuning.

130100301  Auto  RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests
  Description: This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. NOTE: The description of this rule quotes a Packets per second default of 100 while the parameter list shows 1000; confirm the effective default in Grid Manager before tuning.

130100400  Auto  RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests
  Description: This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. NOTE: The description of this rule quotes a Packets per second default of 100 while the parameter list shows 1000; confirm the effective default in Grid Manager before tuning.

130100401  Auto  RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests
  Description: This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

130200100  Auto  DROP UDP DNS AXFR zone transfer requests
  Description: This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)

130200200  Auto  DROP TCP DNS AXFR zone transfer requests
  Description: This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)

130200300  Auto  DROP UDP DNS IXFR zone transfer requests
  Description: This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)

130200400  Auto  DROP TCP DNS IXFR zone transfer requests
  Description: This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)
DNS record type rules, UDP (130500100 to 130501500). Each is a System rule, enabled by default, with the parameters Action (default = Pass) and Events per second (default = 1). You can configure each rule to pass or drop UDP packets that contain a request for the record type named in the rule:

130500100  DNS A record
130500200  DNS AAAA record
130500300  DNS CNAME record
130500400  DNS DS record
130500500  DNS PTR record
130500600  DNS NS record
130500700  DNS NSEC record
130500800  DNS NSEC3 record
130500900  DNS NSEC3PARAM record
130501000  DNS MX record
130501100  DNS SRV record
130501200  DNS TXT record
130501300  DNS DNAME record
130501400  DNS RRSIG record
130501500  DNS NAPTR record
DNS record type rules, UDP, continued (130501600 to 130502800). Each is a System rule, enabled by default, with the parameters Action (default = Pass) and Events per second (default = 1). You can configure each rule to pass or drop UDP packets that contain a request for the record type named in the rule:

130501600  DNS DNSKEY record
130501700  DNS SPF record
130501800  DNS DHCID record
130501900  DNS SOA record
130502000  DNS SIG record
130502100  DNS LOC record
130502200  DNS SSHFP record
130502300  DNS IPSECKEY record
130502400  DNS TKEY record
130502500  DNS TSIG record
130502600  DNS TA record
130502700  DNS DLV record
130502800  DNS ANY record (ANY queries return every record set for a name and are a common amplification vector; this is the rule to switch to Drop if you want the appliance to refuse them outright)

DNS record type rules, TCP (from 130502900). Each is a System rule, enabled by default, with the parameters Action (default = Pass) and Events per second (default = 1). You can configure each rule to pass or drop TCP packets that contain a request for the record type named in the rule:

130502900  DNS A record TCP
130503000  DNS AAAA record TCP
DNS record type rules, TCP, continued (130503100 to 130504200). Each is a System rule, enabled by default, with the parameters Action (default = Pass) and Events per second (default = 1). You can configure each rule to pass or drop TCP packets that contain a request for the record type named in the rule:

130503100  DNS CNAME record TCP
130503200  DNS DS record TCP
130503300  DNS PTR record TCP
130503400  DNS NS record TCP
130503500  DNS NSEC record TCP
130503600  DNS NSEC3 record TCP
130503700  DNS NSEC3PARAM record TCP
130503800  DNS MX record TCP
130503900  DNS SRV record TCP
130504000  DNS TXT record TCP
130504100  DNS DNAME record TCP
130504200  DNS RRSIG record TCP
130504300 System DNS NAPTR
record TCP
You can configure this rule to pass
or drop TCP packets that containNAPTR record request The defaultAction = Pass
Enabled by
default
Action
(default = Pass)Events per second (default = 1)
130504400 System DNS DNSKEYrecord TCP
You can configure this rule to passor drop TCP packets that containIDNSKEY record request Thedefault Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130504500 System DNS SPF recordTCP
You can configure this rule to passor drop TCP packets that containSPF record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
Rule ID
Rule
Type
Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 1130
DNS Message Type
NIOS 612 NIOS Administrator Guide (Rev A) 1507
130504600 System DNS DHCIDrecord TCP
You can configure this rule to passor drop TCP packets that containDHCID record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130504700 System DNS SOA recordTCP
You can configure this rule to passor drop TCP packets that contain
SOA record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130504800 System DNS SIG recordTCP
You can configure this rule to passor drop TCP packets that containSIG record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130504900 System DNS ROC recordTCP
You can configure this rule to passor drop TCP packets that containROC record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130505000 System DNS SSHFPrecord TCP
You can configure this rule to passor drop TCP packets that containSSHFP record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130505100 System DNS IPSECKEYrecord TCP
You can configure this rule to passor drop TCP packets that containIPSECKEY record request Thedefault Action = Pass
Enabled bydefault
Action (default = Pass)
Events per second (default = 1)
130505200 System DNS TKEY recordTCP
You can configure this rule to passor drop TCP packets that containTKEY record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130505300 System DNS TSIG recordTCP
You can configure this rule to passor drop TCP packets that containTSIG record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130505400 System DNS TA recordTCP
You can configure this rule to passor drop TCP packets that containTA record request The default
Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second
(default = 1)
130505500 System DNS DLV recordTCP
You can configure this rule to passor drop TCP packets that containDLV record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130505600 System DNS ANY recordTCP
You can configure this rule to passor drop TCP packets that containANY record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |
| 130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1) | |
| 110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1) | |
DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver, such as a Microsoft DNS server.

Table H7 DNS Malware Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of FaceBook messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) | |
| 130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare. | Always enabled | Events per second (default = 1) | |
| 130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server. | Always enabled | Events per second (default = 1) | |

DNS Protocol Anomalies

DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.

The following table lists the rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) | |
| 110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when the DNS Label in the name being queried is too long. | Always enabled | Events per second (default = 1) | |
| 110100600 | Auto | EARLY DROP UDP query invalid question count | This rule drops UDP DNS packets when the number of entries in the question section is invalid. | Always enabled | Events per second (default = 1) | |
| 110100700 | Auto | EARLY DROP UDP query invalid question class | This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid. | Always enabled | Events per second (default = 1) | |
| 110100800 | Auto | EARLY DROP UDP query invalid question string | This rule drops UDP DNS packets that contain an invalid question string. | Always enabled | Events per second (default = 1) | |
| 110100850 | Auto | EARLY UDP drop invalid DNS query with Authority | This rule drops UDP DNS queries that contain an invalid AUTHORITY entry. | Always enabled | Events per second (default = 1) | |
| 110100900 | Auto | EARLY DROP query multiple questions or non query operation code | This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000700 | Auto | EARLY DROP TCP non-DNS query | This rule drops TCP packets when the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000800 | Auto | EARLY DROP TCP query multiple questions | This rule drops TCP DNS packets when there are multiple questions being queried at one time. | Always enabled | Events per second (default = 1) | |
| 130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority | This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority | This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130300200 | Auto | DROP TCP invalid DNS query with Authority | This rule drops TCP DNS queries that contain invalid Authority entries. | Always enabled | Events per second (default = 1) | |

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
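The anomaly rules in Table H8 and the per-record-type rules in the DNS Message Type table both act on the question section of a query. The following added example (not Infoblox code) applies the same kinds of checks to a raw DNS query in Python; the RFC 1035 length limits are standard, while the record-type policy, the treatment of Authority entries and the test for an "invalid question string" (non-printable bytes) are assumptions chosen to mirror the rule descriptions.

```python
"""Checks on a raw UDP DNS query modelled on the DNS Protocol Anomalies rules
(question count, operation code, label and name length, question class,
Authority entries in plain and IXFR queries) plus a per-record-type pass/drop
policy in the style of the DNS Message Type rules.

Added example, not Infoblox code. Limits follow RFC 1035; the policy table,
the Authority-entry handling and the 'invalid question string' test are
assumptions."""
import struct

OPCODE_QUERY = 0
MAX_LABEL_LEN = 63               # RFC 1035 label limit
MAX_NAME_LEN = 255               # RFC 1035 wire-format name limit
VALID_QCLASSES = {1, 3, 4, 255}  # IN, CH, HS, ANY
QTYPE_IXFR = 251
QTYPES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
          28: "AAAA", 33: "SRV", 251: "IXFR", 255: "ANY"}
# Assumed per-record-type Action; anything not listed gets the rules' default Action = Pass.
DEFAULT_POLICY = {"ANY": "Drop"}


def _parse_qname(data, offset):
    """Walk the question name; return (labels, offset after the name) or raise ValueError."""
    labels, start = [], offset
    while True:
        if offset >= len(data):
            raise ValueError("question name truncated")
        length = data[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length >= 0xC0:                 # compression pointer: not valid in a question name
            raise ValueError("compression pointer in question name")
        if length > MAX_LABEL_LEN:
            raise ValueError("label too long")
        label = data[offset:offset + length]
        if len(label) != length:
            raise ValueError("question name truncated")
        offset += length
        if offset - start > MAX_NAME_LEN:
            raise ValueError("question name too long")
        labels.append(label)


def check_query(data, policy=DEFAULT_POLICY):
    """Return ('pass' | 'drop', reason) for one UDP DNS query message."""
    if len(data) < 12:
        return "drop", "header truncated"
    _id, flags, qdcount, _an, nscount, _ar = struct.unpack("!6H", data[:12])
    if (flags >> 11) & 0xF != OPCODE_QUERY:
        return "drop", "non-query operation code"
    if qdcount == 0:
        return "drop", "invalid question count"
    if qdcount > 1:
        return "drop", "multiple questions"
    try:
        labels, off = _parse_qname(data, 12)
    except ValueError as exc:
        return "drop", str(exc)
    if off + 4 > len(data):
        return "drop", "question truncated"
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    if qclass not in VALID_QCLASSES:
        return "drop", "invalid question class"
    if any(not 32 < b < 127 for label in labels for b in label):   # assumption: printable ASCII only
        return "drop", "invalid question string"
    # Assumption: an IXFR request carries exactly one Authority (SOA) entry, any other query none.
    if qtype == QTYPE_IXFR and nscount != 1:
        return "drop", "IXFR query without exactly one Authority entry"
    if qtype != QTYPE_IXFR and nscount != 0:
        return "drop", "Authority entry in non-IXFR query"
    rtype = QTYPES.get(qtype, f"TYPE{qtype}")
    action = policy.get(rtype, "Pass")
    return action.lower(), f"{rtype} record request, Action = {action}"


def build_query(qname, qtype=1, qclass=1, qdcount=1, opcode=0, nscount=0):
    """Construct a query message for testing (constructed input, not captured traffic)."""
    header = struct.pack("!6H", 0x1234, (opcode << 11) | 0x0100, qdcount, 0, nscount, 0)
    wire = b"".join(bytes([len(l)]) + l.encode("latin-1")
                    for l in qname.rstrip(".").split("."))
    return header + wire + b"\x00" + struct.pack("!HH", qtype, qclass)
```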
TCP UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit the TCP and UDP protocols.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200. |
| 130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100. |
| 130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400. |
| 130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300. |
DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.

Table H10 DNS DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. |
| 200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers and NO errors. |
| 200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. |
DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. |
| 130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. |
| 200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. |

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification exploits the fact that UDP is an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed in a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that is sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders and VPN concentrators. |
| 130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | |
| 130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. |

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | |
| 130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) | |
| 200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2130
BGP
NIOS 612 NIOS Administrator Guide (Rev A) 1517
BGP
The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130700100 | Auto | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured. | Events per second (default = 1) | |
| 130700200 | Auto | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured. | Events per second (default = 1) | |
| 130700300 | Auto | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset. | This rule is enabled when BGP service on this member is configured. | Events per second (default = 1) | |
| 130700400 | Auto | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0. | This rule is enabled when BGP service on this member is configured. | Events per second (default = 1) | |
| 130700500 | Auto | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured. | Events per second (default = 1) | |
| 130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers. | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | |
| 130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers. | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | |
| 130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers. | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | |
| 130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers. | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | |
| 130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured. | Events per second (default = 1) | This rule is exclusive with other rules, based on whether BGP is configured on the member or not. |

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured. | Events per second (default = 1) | Default drop rule for all packets on the OSPF service port. |
| 130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4. | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100) | |
| 130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6. | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100) | |
| 130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured. | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | This rule works for both IPv4 and IPv6. |

ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default = 1) | |
| 130900100 | Auto | RATELIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130900200 | Auto | RATELIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100) | |
| 130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100) | |
| 130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902300 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902400 | Auto | RATELIMIT PASS ICMPv6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902500 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903400 | Auto | RATELIMIT ICMP port unreachable | This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default = 10); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | NA | |
| 140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default = 1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet. |
| 140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default = 1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet. |
| 140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default = 0) | |
| 140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default = 0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default = 0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default = 0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default = 0) | This is a catch-all rule that drops anything that does not match any other rules in the system. |

HA Support

The following table lists the auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and the Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | NA | |
| 140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | NA | |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  – Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  – Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using a semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  – Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  – Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  – Drop interval: Enter the number of seconds for which the appliance drops packets.
  – Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
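The per-source-IP semantics shared by every RATELIMIT PASS rule above (Packets per second, Drop interval, Events per second) and the whitelist / blacklist / rate-limited ordering of the custom rule templates, as an added Python model; this is illustration code, not Infoblox code, and the class and function names, the documentation-range sample addresses and the "CONTINUE" verdict for packets left to subsequent rules are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RateLimitRule:
    """Hypothetical model of one RATELIMIT PASS rule with its three parameters."""
    name: str
    packets_per_second: int        # rate limit before a source is blocked
    drop_interval: float           # seconds an offending source stays blocked
    events_per_second: int = 1     # log events per second; 0 disables logging
    log: list = field(default_factory=list)
    _window: dict = field(default_factory=dict)         # src -> (window_start, count)
    _blocked_until: dict = field(default_factory=dict)  # src -> time the block ends
    _log_window: list = field(default_factory=lambda: [None, 0])  # [second, logged]

    def _log_event(self, msg: str, now: float) -> None:
        # Events per second caps how many events this rule logs in any one second.
        second = int(now)
        if self._log_window[0] != second:
            self._log_window[:] = [second, 0]
        if self._log_window[1] < self.events_per_second:
            self._log_window[1] += 1
            self.log.append(f"t={now:.1f} {self.name}: {msg}")

    def evaluate(self, src: str, now: float) -> str:
        """Return 'PASS' or 'DROP' for one packet from src arriving at time now."""
        until = self._blocked_until.get(src)
        if until is not None:
            if now < until:
                self._log_event(f"drop {src}, blocked until t={until:.1f}", now)
                return "DROP"
            # Drop interval has expired: the source starts again with a clean counter.
            del self._blocked_until[src]
            self._window.pop(src, None)
        start, count = self._window.get(src, (now, 0))
        if now - start >= 1.0:             # start a new one-second counting window
            start, count = now, 0
        count += 1
        self._window[src] = (start, count)
        if count > self.packets_per_second:
            # Rate limit exceeded: block this source IP for Drop interval seconds.
            self._blocked_until[src] = now + self.drop_interval
            self._log_event(f"{src} exceeded {self.packets_per_second} pps, "
                            f"blocking for {self.drop_interval:.0f} s", now)
            return "DROP"
        return "PASS"


def in_any(src: str, entries) -> bool:
    """True if src is covered by any address or address/CIDR entry."""
    addr = ip_address(src)
    return any(addr in ip_network(e, strict=False) for e in entries)


@dataclass
class UdpDnsPolicy:
    """Custom rules from the UDP templates, in the order their descriptions give:
    WHITELIST (pass prior to rate limiting), BLACKLIST (drop prior to rate
    limiting), then RATELIMITED IP UDP. Assumed structure, not appliance code."""
    whitelist: list            # WHITELIST IP UDP entries
    blacklist: list            # BLACKLIST IP UDP entries
    ratelimited: list          # Rate limited IP address/network entries
    ratelimit: RateLimitRule

    def verdict(self, src: str, now: float) -> str:
        if in_any(src, self.whitelist):
            return "PASS"      # passed before any rate limiting applies
        if in_any(src, self.blacklist):
            return "DROP"      # dropped before any rate limiting applies
        if in_any(src, self.ratelimited):
            return self.ratelimit.evaluate(src, now)
        return "CONTINUE"      # not matched here; screened by the subsequent rules


def simulate() -> dict:
    """Constructed sample traffic (documentation addresses, not from the page)
    run through a policy using the RATELIMITED IP UDP template defaults."""
    policy = UdpDnsPolicy(
        whitelist=["198.51.100.7"],
        blacklist=["192.0.2.0/24"],
        ratelimited=["203.0.113.0/24"],
        ratelimit=RateLimitRule("RATELIMITED IP UDP", packets_per_second=5,
                                drop_interval=30),
    )
    results = {}
    # Eight queries within one second from one rate-limited source: 5 pass, 3 drop.
    results["burst"] = [policy.verdict("203.0.113.10", 100.0 + i * 0.1)
                        for i in range(8)]
    # Ten seconds later the same source is still inside the 30 s drop interval.
    results["during_drop_interval"] = policy.verdict("203.0.113.10", 110.0)
    # Once the drop interval has elapsed the source is allowed again.
    results["after_drop_interval"] = policy.verdict("203.0.113.10", 131.0)
    # Rate limiting is per source IP: a neighbour keeps its own counter.
    results["neighbour"] = policy.verdict("203.0.113.11", 100.5)
    results["whitelisted"] = policy.verdict("198.51.100.7", 100.0)
    results["blacklisted"] = policy.verdict("192.0.2.5", 100.0)
    results["other"] = policy.verdict("10.0.0.1", 100.0)
    results["log"] = list(policy.ratelimit.log)   # throttled to one event per second
    return results
```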
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 3030
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 230
1498 NIOS Administrator Guide (Rev A) NIOS 612
Overview of Packet Flow
Threat protection rules are designed to work together to provide maximum protection for your environment Thissection describes how these rules are being applied and how you can tune some of them to suit your system setupand network environment
Threat protection rules are grouped by rule categories, and most of them have one or more associated rule parameters. Depending on the rule, you may or may not be able to override the default values of the following parameters (where applicable):
• Packets per second: The rate limit, that is, the number of packets per second that the appliance processes before it performs a triggered action such as sending warnings or blocking traffic.
• Drop interval: The time period (in seconds) for which the appliance blocks all traffic from the client, or traffic that matches a certain pattern, once the rate limit has been exceeded. The block lasts for the whole interval even if the source drops back below the rate limit.
• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables event logging for the rule (the rule still takes its action). Most rules have this parameter, and the default value is 1.
• Packet size: DNS packet size. If the DNS packet size exceeds the configured value, the corresponding rule is triggered.
All incoming packets are filtered through the enabled rules in the order listed in Table H1. Rules are displayed in the same order in Grid Manager; for more information, see Viewing Threat Protection Rules on page 1352. You cannot change the filtering order of these rules. An incoming packet is screened by the first rule and proceeds through the subsequent rules until it hits the last rule on the list, unless a rule in between drops or passes it based on its matching conditions and rule criteria. Because the order is fixed, a packet passed by an early rule (for example, a whitelist rule) is never examined by the rate limiting or drop rules that follow it.
Depending on the rule, the following actions can be taken:
• Rate limiting and pass (magenta): Based on the configured rate limit, these rules drop incoming packets if the packet rate hits the rate limit. Otherwise the packets are passed and are not screened by any later rule.
• Rate limiting (blue): Based on the configured rate limit, these rules drop incoming packets if the packet rate hits the rate limit. Otherwise the packets are screened by the subsequent rules for further action.
• Drop (salmon): These rules drop any incoming packets that match their conditions and rule criteria.
• Pass (green): These rules pass any incoming packets that match their conditions and rule criteria.
Note: All rate limiting rules, including custom rules, operate on a per source IP basis. The rate limit and the drop interval therefore apply to each source address separately, and many clients that share one source address (for example, behind NAT) count against a single limit.
Table H1: Flow Order for Threat Protection Rules
Columns: Condition (if any) | Rule Category | Rule Name | Action | Reference. Rules are evaluated top to bottom; "-" means the rule has no condition.

- | DNS Cache Poisoning | DNS responses | Rate limiting and Pass | DNS Cache Poisoning
Configured with external DNS primaries | DNS Message Type | IXFR/AXFR responses | Rate limiting and Pass | DNS Message Type
Allow DDNS updates | DNS Message Type | DNS Updates | Rate limiting and Pass | DNS Message Type
- | General DDoS | General DDoS | Drop | General DDoS
- | Reconnaissance | Reconnaissance | Drop | Reconnaissance
- | DNS Malware | DNS Malware | Drop | DNS Malware
- | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies
- | User-defined Whitelist UDP Packets | User-defined Whitelist UDP Packets | Pass | Custom Rule Templates
- | User-defined Whitelist TCP Packets | User-defined Whitelist TCP Packets | Pass | Custom Rule Templates
- | User-defined Blacklist UDP Packets | User-defined Blacklist UDP Packets | Drop | Custom Rule Templates
- | User-defined Blacklist TCP Packets | User-defined Blacklist TCP Packets | Drop | Custom Rule Templates
- | User-defined rate limiting IP and Network UDP Packets | User-defined rate limiting IP and Network UDP Packets | Rate limiting | Custom Rule Templates
- | User-defined rate limiting IP and Network TCP Packets | User-defined rate limiting IP and Network TCP Packets | Rate limiting | Custom Rule Templates
- | User-defined rate limiting FQDN | User-defined rate limiting FQDN | Rate limiting | Custom Rule Templates
- | User-defined Blacklist FQDN | User-defined Blacklist FQDN | Drop | Custom Rule Templates
- | Potential DDoS related domains | Potential DDoS related domains | Drop | Potential DDoS Related Domains
- | TCP/UDP Floods | High Rate inbound DNS Queries | Rate limiting | TCP/UDP Flood
- | DNS DDoS | NXDomain, NXRRset, ServFail DNS Response | Rate limiting | DNS DDoS
- | DNS Tunneling | DNS Tunneling | Rate limiting | DNS Tunneling
- | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies
Incoming zone transfer is allowed | DNS Message Type | DNS IXFR/AXFR Requests | Rate limiting and Pass | DNS Message Type
Incoming zone transfer is allowed | DNS Message Type | Invalid DNS IXFR Queries | Drop | DNS Message Type
Incoming zone transfer is not allowed | DNS Message Type | DNS AXFR/IXFR Requests | Drop | DNS Message Type
- | DNS Malware | DNS Malware | Drop | DNS Malware
- | DNS Amplification and Reflection | DNS Amplification and Reflection | Rate limiting | DNS Amplification and Reflection
- | DNS Message Type | DNS Query Types | Drop/Pass depending on the configured action | DNS Message Type
NTP client is enabled | NTP | NTP Server Responses | Rate limiting and Pass | NTP
NTP client is disabled | NTP | NTP Client Requests | Drop | NTP
NTP server is enabled | NTP | NTP Vulnerability Rules | Rate limiting | NTP
NTP server is enabled | NTP | NTP Rate limiting Rules based on NTP ACL Data | Rate limiting and Pass | NTP
NTP server is disabled | NTP | Invalid NTP Packets | Drop | NTP
BGP is enabled | BGP | Invalid BGP Packets | Drop | BGP
BGP is enabled | BGP | BGP Packets | Rate limiting and Pass | BGP
BGP is disabled | BGP | BGP Packets | Drop | BGP
- | ICMP | ICMP Pings | Rate limiting and Pass | ICMP
OSPF is enabled | OSPF | OSPF Packets | Rate limiting and Pass | OSPF
OSPF is disabled | OSPF | OSPF Packets | Drop | OSPF
- | ICMP | ICMPv6 Pings | Rate limiting and Pass | ICMP
- | Default Pass/Drop | Unexpected DNS Packets | Drop | Default Pass/Drop
- | Default Pass/Drop | TCP/UDP/ICMP Packets | Drop | Default Pass/Drop
- | HA Support | HA Communication Packets | Pass | HA Support
- | Default Pass/Drop | Unexpected Packets | Drop | Default Pass/Drop
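The flow order and the per-source-IP rate limiting described above, worked through as a small simulator. This is an added example written for this page, not Infoblox code: the RateLimiter and Rule classes, the packet dictionary fields, the one-second counting window, the IP addresses, and the custom whitelist, blacklist, 1000 pps rate limiting and "ANY = Drop" rules are this example's own assumptions, while 30000 packets per second and a 10 second drop interval are the defaults of rule 100000100 from the DNS Cache Poisoning table.

```python
"""Per-source-IP rate limiting with a drop interval, evaluated through an
ordered rule chain in the spirit of Table H1.

Added example, not Infoblox code. The rule semantics (packets per second,
drop interval, per-source-IP counting, fixed top-to-bottom order, pass and
drop being terminal) follow the guide; the class names, packet fields,
addresses and the one-second counting window are assumptions made here.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class RateLimiter:
    """Counts packets per source IP in one-second windows (assumed
    granularity). A source that exceeds packets_per_second is blocked for
    drop_interval seconds regardless of its rate during the block."""
    packets_per_second: int
    drop_interval: float
    _count: dict = field(default_factory=lambda: defaultdict(int))
    _window: dict = field(default_factory=dict)
    _blocked_until: dict = field(default_factory=dict)

    def over_limit(self, src: str, now: float) -> bool:
        if self._blocked_until.get(src, 0.0) > now:
            return True                       # still inside the drop interval
        if now - self._window.get(src, float("-inf")) >= 1.0:
            self._window[src] = now           # start a new one-second window
            self._count[src] = 0
        self._count[src] += 1
        if self._count[src] > self.packets_per_second:
            self._blocked_until[src] = now + self.drop_interval
            return True
        return False


@dataclass
class Rule:
    name: str
    kind: str                                 # ratelimit_pass | ratelimit | drop | pass
    matches: Callable[[dict], bool]
    limiter: Optional[RateLimiter] = None


def evaluate(rules: list, pkt: dict, now: float) -> tuple:
    """Walk the chain in order. Pass and drop are terminal; a plain rate
    limiting rule lets an under-limit packet continue to the next rule.
    Anything that reaches the end hits the default drop."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.kind == "pass":
            return "pass", rule.name
        if rule.kind == "drop":
            return "drop", rule.name
        if rule.limiter.over_limit(pkt["src"], now):
            return "drop", rule.name
        if rule.kind == "ratelimit_pass":
            return "pass", rule.name
    return "drop", "Default Pass/Drop: Unexpected Packets"


def build_chain() -> list:
    """A short chain: rule 100000100 with its defaults (30000 pps, 10 s),
    then made-up whitelist, blacklist, custom rate limit and record-type rules."""
    udp = lambda p: p["proto"] == "udp"
    return [
        Rule("100000100 EARLY PASS UDP response traffic", "ratelimit_pass",
             lambda p: udp(p) and p["qr"] == 1, RateLimiter(30000, 10.0)),
        Rule("User-defined Whitelist UDP Packets", "pass",
             lambda p: udp(p) and p["src"] == "192.0.2.10"),
        Rule("User-defined Blacklist UDP Packets", "drop",
             lambda p: udp(p) and p["src"] == "203.0.113.66"),
        Rule("User-defined rate limiting UDP Packets", "ratelimit",
             lambda p: udp(p) and p["qr"] == 0, RateLimiter(1000, 10.0)),
        Rule("DNS Query Types (ANY = Drop)", "drop",
             lambda p: udp(p) and p["qr"] == 0 and p["qtype"] == "ANY"),
        Rule("DNS Query Types (other record types = Pass)", "pass",
             lambda p: udp(p) and p["qr"] == 0),
    ]


def simulate() -> dict:
    """Replay a constructed traffic mix and collect the verdicts."""
    chain = build_chain()
    resp = {"src": "198.51.100.7", "proto": "udp", "qr": 1, "qtype": "A"}
    out = {}
    # 30001 responses from one upstream within the same second: the last one
    # crosses the limit and starts the 10 s block for that source.
    verdicts = [evaluate(chain, resp, 0.0)[0] for _ in range(30001)]
    out["flood_passed"] = verdicts.count("pass")
    out["flood_dropped"] = verdicts.count("drop")
    out["during_block"] = evaluate(chain, resp, 5.0)[0]   # one packet, still dropped
    out["after_block"] = evaluate(chain, resp, 11.0)[0]   # interval elapsed, passes
    # Whitelisted client: terminal pass, never reaches the ANY drop rule.
    out["whitelisted_any"] = evaluate(
        chain, {"src": "192.0.2.10", "proto": "udp", "qr": 0, "qtype": "ANY"}, 0.0)
    # Ordinary client: under the custom limit, so it continues to the ANY drop rule.
    out["client_any"] = evaluate(
        chain, {"src": "203.0.113.5", "proto": "udp", "qr": 0, "qtype": "ANY"}, 0.0)
    out["client_a"] = evaluate(
        chain, {"src": "203.0.113.5", "proto": "udp", "qr": 0, "qtype": "A"}, 0.0)
    # A TCP packet that no rule matches falls through to the default drop.
    out["unmatched"] = evaluate(
        chain, {"src": "203.0.113.5", "proto": "tcp", "qr": 0, "qtype": "A"}, 0.0)
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The detail worth noticing is the drop interval: the flooding source is still dropped at t = 5 s although it sends a single packet, and is admitted again only once the interval has elapsed. Behind a NAT gateway every client shares that verdict, which is why Table H2 singles out NAT'd environments, static forwarders and VPN concentrators for tuning.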
Tuning Rule Parameters
All threat protection rules contain rule parameters, some of which you can configure. Rule parameters are predefined with default values that generally suit most network environments. However, special setups or configurations in your environment may require attention; in these cases you may need to change some of the rule parameters to obtain optimal protection without sacrificing system performance.
Table H2 lists specific conditions and the corresponding rules that may require tuning when they are enabled. The tuning suggestions for each condition appear in the Comments column of the rule table named in the Reference column.
Table H2: Tunable Rules
Columns: Condition | Rule(s) that require tuning | Reference

Your appliance is configured as an authoritative DNS server | Rule 100000100 in the DNS Cache Poisoning category | DNS Cache Poisoning Rules
Your DNS server is configured as a secondary server with external primaries and it serves a large number of zones | Rules 100100100 to 100100201 in the DNS Message Type category | DNS Message Type Rules
You have enabled the TCP/UDP Flood system rules and your network environment includes NAT'd environments, static forwarders or VPN concentrators | All rules in the TCP/UDP Flood category | TCP/UDP Flood Rules
You have enabled the DNS DDoS system rules and your network environment includes NAT'd environments, static forwarders or VPN concentrators | Rules 200000001 to 200000003 in the DNS DDoS category | DNS DDoS Rules
You have enabled the DNS Tunneling system rules and your network environment includes NAT'd environments, static forwarders or VPN concentrators | All rules in the DNS Tunneling category | Anti DNS Tunneling Rules
Your DNS server is configured to allow incoming IPv4 and IPv6 zone transfer requests and it serves a large number of zones | Rules 130100100 to 130100401 in the DNS Message Type category | DNS Message Type Rules
You have enabled the DNS Amplification and Reflection system rules | All rules in the DNS Amplification and Reflection category | DNS Amplification and Reflection Rules
DNS Cache Poisoning
DNS cache poisoning involves inserting a false address record for an Internet domain into the answer to a DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails go to the attacker's address. Cache poisoning attacks such as the "birthday paradox" attack use brute force, flooding DNS responses and queries at the same time in the hope that one of the spoofed responses matches an outstanding query and poisons the cache.
The following table lists the auto rules that Advanced DNS Protection uses to mitigate DNS cache poisoning on your advanced appliance.
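The arithmetic behind the birthday attack, added here as an illustration that is not part of the guide. Assume the 16-bit DNS transaction ID is the only unpredictable field (modern resolvers also randomize the source port, which enlarges the search space well beyond what is shown). With $n$ queries for the same name outstanding and $n$ spoofed responses with random IDs arriving at the same time, the probability that at least one response matches an outstanding query is

$$P(n) = 1 - \left(1 - \frac{n}{2^{16}}\right)^{n} \approx 1 - e^{-n^{2}/2^{16}},$$

whereas $n$ guesses against a single outstanding query succeed with probability only about $n/2^{16}$. For $n = 300$: $n^{2}/2^{16} \approx 1.37$, so $P \approx 0.75$, while the single-query chance is about $0.005$. The attack therefore depends on a burst of inbound responses arriving within a short window, which is the traffic pattern that rule 100000100 below rate limits per source IP.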
Table H3: DNS Cache Poisoning Rules
Each entry gives: Rule ID (Rule Type) Rule Name; Description; Enable/Disable Condition; Parameters; Comments.

100000100 (Auto) EARLY PASS UDP response traffic
  Description: Passes UDP DNS response packets (from upstream DNS servers or external DNS primaries) if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from that source IP for the time specified in Drop interval.
  Enable/disable condition: Always enabled.
  Parameters: Packets per second (default = 30000); Drop interval (default = 10 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a smaller number if your system is serving authoritative DNS, since an authoritative-only server initiates few queries and should therefore receive few responses. NOTE: If you set the parameter incorrectly, the rule could block legitimate DNS responses from upstream DNS servers, which could cause the DNS server to exceed its quota.

100000200 (Auto) EARLY PASS TCP response traffic
  Description: Passes TCP DNS responses to queries initiated by the appliance.
  Enable/disable condition: Always enabled.
  Parameters: Packets per second (default = 100).
  Comments: Consider raising the Packets per second value if DNSSEC is enabled: signed responses are larger, are more often truncated over UDP, and are therefore retried over TCP.

100000300 (Auto) PASS ACK packets from NIOS initiated connections
  Description: Passes TCP ACK packets for DNS or BGP from NIOS-initiated connections if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from that source IP for the time specified in Drop interval.
  Enable/disable condition: Always enabled.
  Parameters: Packets per second (default = 600); Drop interval (default = 10 seconds); Events per second (default = 1).
  Comments: Consider raising the Packets per second value if DNSSEC is enabled.

DNS Message Type
The following table lists the system and auto rules that are used to mitigate DNS message type attacks on your advanced appliance.
All rules for DNS record types are system rules. By default they are configured as Pass rules. You can override this and change the rule action to Drop. Note that when you do so, the appliance drops every DNS packet that requests that record type; only packets that an earlier rule in the flow order has already passed, such as those from whitelisted sources, are exempt.
Table H4: DNS Message Type Rules
Entries use the same layout as Table H3: Rule ID (Rule Type) Rule Name; Description; Enable/Disable Condition; Parameters; Comments.
100100100 (Auto) EARLY PASS IPv4 UDP Notify messages
100100101 (Auto) EARLY PASS IPv6 UDP Notify messages
100100200 (Auto) EARLY PASS IPv4 TCP Notify messages
100100201 (Auto) EARLY PASS IPv6 TCP Notify messages
  Description: Each rule passes DNS NOTIFY messages of the named IP version and transport if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from that source IP for the time specified in Drop interval.
  Enable/disable condition: Enabled if Infoblox DNS serves as the secondary server with external primaries of that IP version configured.
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones, because a primary sends a NOTIFY for every zone that changes. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

100100300 (Auto) EARLY PASS IPv4 UDP Notify messages for DDNS update
100100350 (Auto) EARLY PASS IPv6 UDP Notify messages for DDNS update
  Description: Each rule passes UDP NOTIFY messages for DDNS update of the named IP version if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from that source IP for the time specified in Drop interval.
  Enable/disable condition: Enabled if DDNS update is enabled for clients of that IP version.
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1).
130100100 (Auto) RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests
130100101 (Auto) RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests
130100200 (Auto) RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests
130100201 (Auto) RATELIMIT PASS IPv6 TCP DNS AXFR zone transfer requests
130100300 (Auto) RATELIMIT PASS IPv4 UDP DNS IXFR zone transfer requests
130100301 (Auto) RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests
130100400 (Auto) RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests
130100401 (Auto) RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests
  Description: Each rule passes full (AXFR) or incremental (IXFR) zone transfer requests of the named IP version and transport if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from that source IP for the time specified in Drop interval.
  Enable/disable condition: Enabled if Infoblox DNS allows incoming zone transfer requests for that IP version.
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones, since a secondary that refreshes many zones at once sends a burst of transfer requests from a single address. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

130200100 (Auto) DROP UDP DNS AXFR zone transfer requests
130200200 (Auto) DROP TCP DNS AXFR zone transfer requests
130200300 (Auto) DROP UDP DNS IXFR zone transfer requests
130200400 (Auto) DROP TCP DNS IXFR zone transfer requests
  Description: Each rule drops full (AXFR) or incremental (IXFR) zone transfer requests over the named transport when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests.
  Parameters: Events per second (default = 1).
Rule ID
Rule
Type
Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 830
1504 NIOS Administrator Guide (Rev A) NIOS 612
130500100 System DNS A record You can configure this rule to passor drop UDP packets that containA record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500200 System DNS AAAA record You can configure this rule to passor drop UDP packets that contain
AAAA record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500300 System DNS CNAMErecord
You can configure this rule to passor drop UDP packets that containCNAME record request Thedefault Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500400 System DNS DS record You can configure this rule to passor drop UDP packets that containDS record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500500 System DNS PTR record You can configure this rule to passor drop UDP packets that containPTR record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500600 System DNS NS record You can configure this rule to passor drop UDP packets that containNS record request The defaultAction = Pass
Enabled bydefault
Action (default = Pass)
Events per second (default = 1)
130500700 System DNS NSEC record You can configure this rule to passor drop UDP packets that containNSEC record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500800 System DNS NSEC3record
You can configure this rule to passor drop UDP packets that containNSEC3 record request Thedefault Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500900 System DNSNSEC3PARAMrecord
You can configure this rule to passor drop UDP packets that containNSEC3PARAM record request The
default Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second
(default = 1)
130501000 System DNS MX record You can configure this rule to passor drop UDP packets that containMX record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130501100 System DNS SRV record You can configure this rule to passor drop UDP packets that containSRV record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130501200 System DNS TXT record You can configure this rule to passor drop UDP packets that containTXT record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130501300 System DNS DNAME
record
You can configure this rule to pass
or drop UDP packets that containDNAME record request Thedefault Action = Pass
Enabled by
default
Action
(default = Pass)Events per second (default = 1)
130501400 System DNS RRSIG record You can configure this rule to passor drop UDP packets that containRRSIG record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130501500 System DNS NAPTRrecord
You can configure this rule to passor drop UDP packets that containNAPTR record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
Rule ID
Rule
Type
Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 930
DNS Message Type
NIOS 612 NIOS Administrator Guide (Rev A) 1505
130501600 System DNS DNSKEYrecord
You can configure this rule to passor drop UDP packets that containDNSKEY record request Thedefault Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130501700 System DNS SPF record You can configure this rule to passor drop UDP packets that contain
SPF record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130501800 System DNS DHCIDrecord
You can configure this rule to passor drop UDP packets that containDHCID record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130501900 System DNS SOA record You can configure this rule to passor drop UDP packets that containSOA record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130502000 System DNS SIG record You can configure this rule to passor drop UDP packets that containSIG record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130502100 System DNS LOC record You can configure this rule to passor drop UDP packets that containLOC record request The defaultAction = Pass
Enabled bydefault
Action (default = Pass)
Events per second (default = 1)
130502200 System DNS SSHFPrecord
You can configure this rule to passor drop UDP packets that containSSHFP record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130502300 System DNS IPSECKEYrecord
You can configure this rule to passor drop UDP packets that containIPSECKEY record request Thedefault Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130502400 System DNS TKEY record You can configure this rule to passor drop UDP packets that containTKEY record request The default
Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second
(default = 1)
130502500 System DNS TSIG record You can configure this rule to passor drop UDP packets that containTSIG record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130502600 System DNS TA record You can configure this rule to passor drop UDP packets that containTA record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130502700 System DNS DLV record You can configure this rule to passor drop UDP packets that containDLV record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130502800 System DNS ANY record You can configure this rule to pass
or drop UDP packets that containANY record request The defaultAction = Pass
Enabled by
default
Action
(default = Pass)Events per second (default = 1)
130502900 System DNS A record TCP You can configure this rule to passor drop TCP packets that contain Arecord request The default Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130503000 System DNS AAAA recordTCP
You can configure this rule to passor drop TCP packets that containAAAA record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
Rule ID
Rule
Type
Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 1030
1506 NIOS Administrator Guide (Rev A) NIOS 612
130503100 System DNS CNAMErecord TCP
You can configure this rule to passor drop TCP packets that containCNAME record request Thedefault Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130503200 System DNS DS recordTCP
You can configure this rule to passor drop TCP packets that contain
DS record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130503300 System DNS PTR recordTCP
You can configure this rule to passor drop TCP packets that containPTR record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130503400 System DNS NS recordTCP
You can configure this rule to passor drop TCP packets that containNS record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130503500 System DNS NSEC recordTCP
You can configure this rule to passor drop TCP packets that containNSEC record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130503600 System DNS NSEC3record TCP
You can configure this rule to passor drop TCP packets that containNSEC3 record request Thedefault Action = Pass
Enabled bydefault
Action (default = Pass)
Events per second (default = 1)
130503700 System DNSNSEC3PARAMrecord TCP
You can configure this rule to passor drop TCP packets that containNSEC3PARAM record request Thedefault Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130503800 System DNS MX recordTCP
You can configure this rule to passor drop TCP packets that containMX record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain an SRV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain a TXT record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain a DNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain an RRSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain a NAPTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain a DNSKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain an SPF record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain a DHCID record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain an SOA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain a SIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504900 | System | DNS ROC record TCP | You can configure this rule to pass or drop TCP packets that contain a ROC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain an SSHFP record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain an IPSECKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain a TKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain a TSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain a TA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain a DLV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain an ANY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |

General DDoS
The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |
| 130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |

Reconnaissance
Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.
The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.
You can configure the following rule parameter for all rules in this category:
• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) stops the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1) | |
| 110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1) | |
DNS Malware
DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.
The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver, such as a Microsoft DNS server.

Table H7 DNS Malware Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of FaceBook messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) | |
| 130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare. | Always enabled | Events per second (default = 1) | |
| 130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server. | Always enabled | Events per second (default = 1) | |

DNS Protocol Anomalies
DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.
The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) | |
| 110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when the DNS Label in the name being queried is too long. | Always enabled | Events per second (default = 1) | |
| 110100600 | Auto | EARLY DROP UDP query invalid question count | This rule drops UDP DNS packets when the number of entries in the question section is invalid. | Always enabled | Events per second (default = 1) | |
| 110100700 | Auto | EARLY DROP UDP query invalid question class | This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid. | Always enabled | Events per second (default = 1) | |
| 110100800 | Auto | EARLY DROP UDP query invalid question string | This rule drops UDP DNS packets that contain an invalid question string. | Always enabled | Events per second (default = 1) | |
| 110100850 | Auto | EARLY UDP drop invalid DNS query with Authority | This rule drops UDP DNS queries that contain an invalid AUTHORITY entry. | Always enabled | Events per second (default = 1) | |
| 110100900 | Auto | EARLY DROP query multiple questions or non-query operation code | This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000700 | Auto | EARLY DROP TCP non-DNS query | This rule drops TCP packets when the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000800 | Auto | EARLY DROP TCP query multiple questions | This rule drops TCP DNS packets when there are multiple questions being queried at one time. | Always enabled | Events per second (default = 1) | |
| 130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority | This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority | This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130300200 | Auto | DROP TCP invalid DNS query with Authority | This rule drops TCP DNS queries that contain invalid Authority entries. | Always enabled | Events per second (default = 1) | |

Potential DDoS Related Domains
This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.
Note that these rules capture currently observed bad domain names that can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
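The checks behind the Table H8 rules above (question name and label length, question count, question class, operation code, and Authority entries) can be written down as a small query validator. The following Python is an added example for this page, not Infoblox code: it parses the fixed 12-octet DNS header and the question section of a query and returns the anomalies found, named after the rules. The RFC 1035 limits, the accepted class set and the IXFR handling are my assumptions about what the appliance treats as "too long" or "invalid", which the page does not spell out.

```python
import struct

# Limits from RFC 1035 section 2.3.4: a label is at most 63 octets and a whole
# name (length octets and the root label included) at most 255 octets.
MAX_LABEL_LEN = 63
MAX_NAME_LEN = 255
OPCODE_QUERY = 0
QTYPE_IXFR = 251
# Classes assumed acceptable in a question: IN, CH, HS, NONE, ANY.
VALID_QCLASSES = {1, 3, 4, 254, 255}


def parse_qname(msg: bytes, offset: int):
    """Parse an uncompressed QNAME at ``offset``; return (labels, offset_after_name).

    Raises ValueError carrying a Table H8-style reason on malformed input.
    """
    labels, total = [], 0
    while True:
        if offset >= len(msg):
            raise ValueError("invalid question string")
        length = msg[offset]
        offset += 1
        if (length & 0xC0) == 0xC0:
            # A compression pointer is never legal inside a question name.
            raise ValueError("invalid question string")
        if length > MAX_LABEL_LEN:
            raise ValueError("label too long")
        total += length + 1
        if total > MAX_NAME_LEN:
            raise ValueError("question name too long")
        if length == 0:
            return labels, offset
        label = msg[offset:offset + length]
        if len(label) != length:
            raise ValueError("invalid question string")
        labels.append(label.decode("ascii", errors="replace"))
        offset += length


def check_query(msg: bytes):
    """Return the list of Table H8 anomalies found in one DNS query message.

    An empty list means the query passed every check modelled here; the checks
    mirror rules 110100400-110100900, 110100850/130300200 and 130100500.
    """
    findings = []
    if len(msg) < 12:
        return ["invalid question string"]  # the header alone is 12 octets
    _id, flags, qdcount, _ancount, nscount, _arcount = struct.unpack("!6H", msg[:12])
    opcode = (flags >> 11) & 0x0F
    if opcode != OPCODE_QUERY:
        findings.append("non-query operation code")
    if qdcount == 0:
        findings.append("invalid question count")
    elif qdcount > 1:
        findings.append("multiple questions")
    qtype = None
    if qdcount >= 1:
        try:
            _labels, off = parse_qname(msg, 12)
            if off + 4 > len(msg):
                raise ValueError("invalid question string")
            qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
            if qclass not in VALID_QCLASSES:
                findings.append("invalid question class")
        except ValueError as exc:
            findings.append(str(exc))
    # Only an IXFR query legitimately carries an Authority entry (the client's SOA).
    if qtype == QTYPE_IXFR:
        if nscount != 1:
            findings.append("invalid IXFR query with zero or more than one Authority")
    elif nscount != 0:
        findings.append("invalid Authority entries")
    return findings


def build_query(name: str, qtype: int = 1, qclass: int = 1, qdcount: int = 1,
                opcode: int = 0, nscount: int = 0) -> bytes:
    """Constructed DNS query for exercising the checks; label lengths are deliberately
    not validated so malformed names can be produced (each label still < 256 octets)."""
    flags = (opcode << 11) | 0x0100  # RD set, as a normal stub-resolver query would
    header = struct.pack("!6H", 0x1234, flags, qdcount, 0, nscount, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".") if label)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)
```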
TCP/UDP Flood
TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.
The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200. |
| 130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100. |
| 130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400. |
| 130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300. |
DNS DDoS
The following table lists system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H10 DNS DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators. |
| 200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers, and NO errors. |
| 200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators. |
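The rate-limiting rules in Tables H9 and H10 share one mechanism: a per-source packet counter compared against Packets per second, a WARN when the rate reaches that value, a block for Drop interval once it is exceeded, and Events per second capping how many log entries a rule writes. The following Python is an added model of that behaviour, not Infoblox code and not the appliance's actual algorithm; it assumes a sliding one-second window, replays a constructed trace from two made-up client addresses through the 130000100/130000200 pair, and shows why the low threshold has to sit below the high one.

```python
from collections import Counter, defaultdict, deque


class RateLimitRule:
    """Model of one rate-limiting rule (added example, not Infoblox code).

    A source is WARNed when its packet rate reaches ``pps``. If ``drop_interval`` is
    set, the source is blocked for that many seconds once its rate exceeds ``pps``.
    ``events_per_second`` caps how many log entries the rule writes per second.
    """

    def __init__(self, rule_id, pps, drop_interval=None, events_per_second=1):
        self.rule_id = rule_id
        self.pps = pps
        self.drop_interval = drop_interval
        self.events_per_second = events_per_second
        self.windows = defaultdict(deque)  # src -> packet timestamps in the trailing second
        self.blocked_until = {}            # src -> time at which its block expires
        self.log = []                      # (time, rule_id, src, verdict) entries written
        self._events = defaultdict(int)    # int(second) -> entries written in that second

    def _rate(self, src, now):
        """Record one packet and return the source's packet count in the last second."""
        window = self.windows[src]
        window.append(now)
        while now - window[0] >= 1.0:
            window.popleft()
        return len(window)

    def _emit(self, now, src, verdict):
        second = int(now)
        if self._events[second] < self.events_per_second:
            self._events[second] += 1
            self.log.append((round(now, 4), self.rule_id, src, verdict))

    def observe(self, src, now):
        """Return 'PASS', 'WARN' or 'DROP' for a single packet from ``src`` at time ``now``."""
        expiry = self.blocked_until.get(src)
        if expiry is not None:
            if now < expiry:
                return "DROP"  # still inside Drop interval
            del self.blocked_until[src]
        rate = self._rate(src, now)
        if self.drop_interval is not None and rate > self.pps:
            self.blocked_until[src] = now + self.drop_interval
            self._emit(now, src, "DROP")
            return "DROP"
        if rate >= self.pps:
            self._emit(now, src, "WARN")
            return "WARN"
        return "PASS"


def run_trace(rules, packets):
    """Apply every rule to each (time, src) packet; DROP beats WARN beats PASS."""
    verdicts = []
    for now, src in packets:
        results = {rule.observe(src, now) for rule in rules}
        verdicts.append("DROP" if "DROP" in results else "WARN" if "WARN" in results else "PASS")
    return verdicts


def simulate_flood():
    """Replay a constructed one-second trace through the 130000100/130000200 pair.

    Returns per-source verdict counts plus each rule's log. The addresses and
    rates are made up for the example.
    """
    warn_rule = RateLimitRule("130000100", pps=40)                      # low threshold: warn only
    block_rule = RateLimitRule("130000200", pps=1000, drop_interval=5)  # high threshold: warn & block
    packets = [(i / 1200, "10.0.0.5") for i in range(1200)]  # flood source at 1200 pps
    packets += [(i / 20, "10.0.0.9") for i in range(20)]      # ordinary client at 20 pps
    packets.sort()
    counts = {"10.0.0.5": Counter(), "10.0.0.9": Counter()}
    for (now, src), verdict in zip(packets, run_trace([warn_rule, block_rule], packets)):
        counts[src][verdict] += 1
    return counts, warn_rule.log, block_rule.log


if __name__ == "__main__":
    counts, warn_log, block_log = simulate_flood()
    for src, tally in counts.items():
        print(src, dict(tally))
    # With Events per second = 1, each rule writes at most one entry for second 0,
    # so the flood shows up as one WARN line per rule even though 200 packets were dropped.
    print("130000100 log:", warn_log)
    print("130000200 log:", block_log)
```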
DNS Tunneling
DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.
The following table lists the rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators. |
| 130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators. |
| 200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators. |

DNS Amplification and Reflection
DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification relies on UDP being an asymmetrical protocol (small requests, large responses) and on the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.
Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that is sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.
The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NATed environments, static forwarders, and VPN concentrators. |
| 130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | |
| 130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators. |

NTP
The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H13 NTP Rules
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | |
| 130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) | |
| 200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
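The mode 7 rule names in Table H13 (GET_RESTRICT, PEER_LIST_SUM, PEER_LIST, IMPL 0x02 and 0x03, Un-Authed) map directly onto fields of the NTP private-mode header, and the TIME/NTPQ/private-mode split the other NTP rules make is the NTP mode field. The following Python is an added example, not Infoblox code: it decodes one UDP/123 payload into those categories and reports which unauthenticated mode 7 request a packet would count toward. The request-code and implementation numbers are taken from the reference implementation's ntp_request.h; the rate thresholds behind "Frequent" are not stated on this page, so only classification and tallying are modelled.

```python
import struct

# Constants from the reference implementation's ntp_request.h; the Table H13 rule
# names refer to these values (IMPL 0x02 = IMPL_XNTPD_OLD, IMPL 0x03 = IMPL_XNTPD).
MODE_CONTROL = 6   # ntpq traffic
MODE_PRIVATE = 7   # ntpdc "private mode 7" traffic
REQ_PEER_LIST = 0
REQ_PEER_LIST_SUM = 1
REQ_GET_RESTRICT = 16
WATCHED_IMPLS = {0x02, 0x03}
WATCHED_REQUESTS = {
    REQ_PEER_LIST: "PEER_LIST",
    REQ_PEER_LIST_SUM: "PEER_LIST_SUM",
    REQ_GET_RESTRICT: "GET_RESTRICT",
}


def classify_ntp(payload: bytes) -> dict:
    """Decode one UDP/123 payload into the categories the Table H13 rules distinguish.

    TIME packets are modes 1-5, NTPQ is mode 6 and PRIVATE is mode 7. For mode 7
    requests the implementation number, request code and auth bit are decoded, and
    an unauthenticated GET_RESTRICT / PEER_LIST_SUM / PEER_LIST request from IMPL
    0x02 or 0x03 is labelled with the matching part of the rule name.
    """
    if not payload:
        return {"kind": "invalid", "reason": "empty payload"}
    first = payload[0]
    mode = first & 0x07
    version = (first >> 3) & 0x07
    if 1 <= mode <= 5:
        if len(payload) < 48:
            return {"kind": "invalid", "reason": "TIME packet shorter than 48 bytes"}
        return {"kind": "TIME", "mode": mode, "version": version}
    if mode == MODE_CONTROL:
        return {"kind": "NTPQ", "mode": mode, "version": version}
    if mode == MODE_PRIVATE:
        if len(payload) < 8:
            return {"kind": "invalid", "reason": "mode 7 header shorter than 8 bytes"}
        # Mode 7 header: R|M|VN|Mode, A|Sequence, Implementation, Request code,
        # Err|Count (16 bits), MBZ|Size (16 bits).
        auth_seq, impl, req = struct.unpack("!BBB", payload[1:4])
        result = {
            "kind": "PRIVATE",
            "mode": mode,
            "response": bool(first & 0x80),
            "authenticated": bool(auth_seq & 0x80),
            "impl": impl,
            "request": req,
        }
        if (not result["response"] and not result["authenticated"]
                and impl in WATCHED_IMPLS and req in WATCHED_REQUESTS):
            result["rule_match"] = f"Un-Authed {WATCHED_REQUESTS[req]} Requests IMPL 0x{impl:02X}"
        return result
    return {"kind": "invalid", "reason": f"mode {mode} is not a valid NTP mode"}


def mode7_request(impl: int, req: int, authenticated: bool = False) -> bytes:
    """Constructed 8-byte mode 7 request header (version 2, sequence 0) for exercising the classifier."""
    first = (2 << 3) | MODE_PRIVATE              # response=0, more=0, VN=2, mode=7
    auth_seq = 0x80 if authenticated else 0x00   # auth bit plus a zero sequence number
    return struct.pack("!BBBBHH", first, auth_seq, impl, req, 0, 0)


def tally_rule_matches(payloads) -> dict:
    """Count how many packets in a capture would count toward each Table H13 mode 7 rule."""
    tally = {}
    for payload in payloads:
        match = classify_ntp(payload).get("rule_match")
        if match:
            tally[match] = tally.get(match, 0) + 1
    return tally
```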
BGP
The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130700100 | Auto | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700200 | Auto | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700300 | Auto | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700400 | Auto | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type 0. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700500 | Auto | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10) |
130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured | Events per second (default=1) | This rule is exclusive with other rules based on whether BGP is configured on the member or not.

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured | Events per second (default=1) | Default drop rule for all packets on the OSPF service port.
130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4 | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100) |
130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6 | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100) |
130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | This rule works for both IPv4 and IPv6.
ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default=1) |
130900100 | Auto | RATELIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130900200 | Auto | RATELIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) |
130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) |
130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902300 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902400 | Auto | RATELIMIT PASS ICMPv6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902500 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903400 | Auto | RATELIMIT ICMP port unreachable | This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50) |
130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | NA |
140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.
140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.
140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default=0) |
140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default=0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default=0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default=0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.
140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default=0) | This is a catch-all rule that drops anything that does not match any other rules in the system.
HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | NA |
140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | NA |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  – Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  – Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  – Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  – Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  – Drop interval: Enter the number of seconds for which the appliance drops packets.
  – Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
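The custom rule templates above, and the RATELIMIT PASS rows in the protocol tables, describe the same three behaviours in prose: a whitelisted IP passes before rate limiting, a blacklisted IP drops before rate limiting, and a rate-limited IP or network is blocked for Drop interval seconds once it sends more than Packets per second. The Python simulation below is an added illustration of that evaluation order and is not Infoblox code. Everything beyond the parameter names and defaults on the page is an assumption: the per-second counting window, checking the whitelist before the blacklist, the class and function names, and the constructed sample packets (addresses from the RFC 5737 documentation ranges).

```python
"""Simulation of whitelist -> blacklist -> rate-limit evaluation for custom
rules. Added example; not Infoblox code. The counting window, the
whitelist/blacklist order and all names here are assumptions."""
import ipaddress
from typing import Dict, List, Tuple

PASS, DROP = "PASS", "DROP"


class RateLimitedIpRule:
    """Models one RATELIMITED IP rule: a source inside `networks` is passed
    while it stays within `packets_per_second`; once it exceeds that rate,
    every packet from it is dropped for `drop_interval` seconds. Defaults
    (5 packets per second, 30 second drop interval) are the page's."""

    def __init__(self, networks: List[str], packets_per_second: int = 5,
                 drop_interval: int = 30) -> None:
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]
        self.packets_per_second = packets_per_second
        self.drop_interval = drop_interval
        # Assumption: the rate is measured per whole-second bucket, per source IP.
        self._bucket: Dict[str, Tuple[int, int]] = {}   # src -> (second, count)
        self._blocked_until: Dict[str, float] = {}      # src -> unblock timestamp

    def matches(self, ip: ipaddress._BaseAddress) -> bool:
        return any(ip in n for n in self.networks)

    def decide(self, src: str, ts: float) -> str:
        if ts < self._blocked_until.get(src, -1.0):
            return DROP                          # still inside the drop interval
        second = int(ts)
        last_second, count = self._bucket.get(src, (second, 0))
        count = count + 1 if last_second == second else 1
        self._bucket[src] = (second, count)
        if count > self.packets_per_second:      # "sends packets over this value"
            self._blocked_until[src] = ts + self.drop_interval
            return DROP
        return PASS


class CustomRuleChain:
    """WHITELIST IP (pass prior to rate limiting), then BLACKLIST IP (drop
    prior to rate limiting), then RATELIMITED IP. Whitelist-before-blacklist
    is an assumption; the page only orders both relative to rate limiting."""

    def __init__(self, whitelist: List[str], blacklist: List[str],
                 ratelimit: RateLimitedIpRule) -> None:
        self.whitelist = [ipaddress.ip_network(n, strict=False) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n, strict=False) for n in blacklist]
        self.ratelimit = ratelimit

    def decide(self, src: str, ts: float) -> str:
        ip = ipaddress.ip_address(src)
        if any(ip in n for n in self.whitelist):
            return PASS
        if any(ip in n for n in self.blacklist):
            return DROP
        if self.ratelimit.matches(ip):
            return self.ratelimit.decide(src, ts)
        return PASS   # no custom rule applies; later rule categories decide


# Constructed sample traffic as (timestamp in seconds, source IP); not a capture.
SAMPLE_PACKETS = (
    [(i * 0.05, "10.0.0.5") for i in range(20)]        # whitelisted, 20 pkt/s burst
    + [(i * 0.1, "192.0.2.7") for i in range(3)]       # blacklisted
    + [(i * 0.1, "198.51.100.9") for i in range(8)]    # rate limited, 8 pkt in 1 s
    + [(10.0, "198.51.100.9"), (31.0, "198.51.100.9")]  # inside / after drop interval
    + [(0.5, "203.0.113.1")]                           # matched by no custom rule
)


def run_demo() -> Dict[str, Dict[str, int]]:
    """Runs the sample through the chain and tallies verdicts per source IP."""
    chain = CustomRuleChain(
        whitelist=["10.0.0.0/8"],
        blacklist=["192.0.2.0/24"],
        ratelimit=RateLimitedIpRule(["198.51.100.0/24"]),   # defaults 5 pps / 30 s
    )
    tally: Dict[str, Dict[str, int]] = {}
    for ts, src in sorted(SAMPLE_PACKETS):
        verdict = chain.decide(src, ts)
        tally.setdefault(src, {PASS: 0, DROP: 0})[verdict] += 1
    return tally


if __name__ == "__main__":
    for src, counts in run_demo().items():
        print(f"{src:14} PASS={counts[PASS]:3} DROP={counts[DROP]:3}")
```

With the defaults, the rate-limited source gets its first five packets through, is blocked from the sixth packet onward, is still blocked at t=10 s, and passes again at t=31 s; the whitelisted burst is never rate limited, and the blacklisted source never reaches the rate-limit rule. When tuning Packets per second for a NATd environment or VPN concentrator (see Tuning Rule Parameters), it is exactly this per-source counter that many clients behind one address share.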
Overview of Packet Flow

Conditions (if any) | Rule Category | Rule Name | Action | Reference
 | User-defined Blacklist TCP Packets | User-defined Blacklist TCP Packets | Drop | Custom Rule Templates
 | User-defined ratelimiting IP and Network UDP Packets | User-defined ratelimiting IP and Network UDP Packets | Ratelimiting | Custom Rule Templates
 | User-defined ratelimiting IP and Network TCP Packets | User-defined ratelimiting IP and Network TCP Packets | Ratelimiting | Custom Rule Templates
 | User-defined ratelimiting FQDN | User-defined ratelimiting FQDN | Ratelimiting | Custom Rule Templates
 | User-defined Blacklist FQDN | User-defined Blacklist FQDN | Drop | Custom Rule Templates
 | Potential DDoS related domains | Potential DDoS related domains | Drop | Potential DDoS Related Domains
 | TCP/UDP Floods | High Rate inbound DNS Queries | Ratelimiting | TCP/UDP Flood
 | DNS DDoS | NXDomain, NXRRset, ServFail DNS Response | Ratelimiting | DNS DDoS
 | DNS Tunneling | DNS Tunneling | Ratelimiting | DNS Tunneling
 | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies
Incoming zone transfer is allowed | DNS Message Type | DNS IXFR/AXFR Requests | Ratelimiting and Pass | DNS Message Type
Incoming zone transfer is allowed | DNS Message Type | Invalid DNS IXFR Queries | Drop | DNS Message Type
Incoming zone transfer is not allowed | DNS Message Type | DNS AXFR/IXFR Requests | Drop | DNS Message Type
 | DNS Malware | DNS Malware | Drop | DNS Malware
 | DNS Amplification and Reflection | DNS Amplification and Reflection | Ratelimiting | DNS Amplification and Reflection
 | DNS Message Type | DNS Query Types | Drop/Pass depending on the configured action | DNS Message Type
NTP client is enabled | NTP | NTP Server Responses | Ratelimiting and Pass | NTP
NTP client is disabled | NTP | NTP Client Requests | Drop | NTP
NTP server is enabled | NTP | NTP Vulnerability Rules | Ratelimiting | NTP
NTP server is enabled | NTP | NTP Ratelimiting Rules based on NTP ACL Data | Ratelimiting and Pass | NTP
NTP server is disabled | NTP | Invalid NTP Packets | Drop | NTP
BGP is enabled | BGP | Invalid BGP Packets | Drop | BGP
BGP is enabled | BGP | BGP Packets | Ratelimiting and Pass | BGP
BGP is disabled | BGP | BGP Packets | Drop | BGP
 | ICMP | ICMP Pings | Ratelimiting and Pass | ICMP
OSPF is enabled | OSPF | OSPF Packets | Ratelimiting and Pass | OSPF
OSPF is disabled | OSPF | OSPF Packets | Drop | OSPF
 | ICMP | ICMPv6 Pings | Ratelimiting and Pass | ICMP
 | Default Pass/Drop | Unexpected DNS Packets | Drop | Default Pass/Drop
 | Default Pass/Drop | TCP/UDP/ICMP Packets | Drop | Default Pass/Drop
 | HA Support | HA Communication Packets | Pass | HA Support
 | Default Pass/Drop | Unexpected Packets | Drop | Default Pass/Drop
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 430
1500 NIOS Administrator Guide (Rev A) NIOS 612
Tuning Rule Parameters
All threat protection rules contain rule parameters that you may or may not be able to configure Rule parameters arepredefined with default values that generally suit most network environments However there are times when youhave special setups or configurations in your environment that require special attention In these cases you mayneed to change some of the rule parameters to obtain optimal protection without sacrificing system performance
Table H2 lists specific conditions and corresponding rules that may require tuning when they are enabled You can
view tuning suggestions in the Comments column for each of the following condition
Table H2 Tunable Rules
Conditions | Rule(s) that Require Tuning | Reference
Your appliance is configured as an authoritative DNS server | Rule 100000100 in the DNS Cache Poisoning category | DNS Cache Poisoning Rules
Your DNS server is configured as the secondary server with external primaries and it serves a large number of zones | Rules 100100100 to 100100201 in the DNS Message Type category | DNS Message Type Rules
You have enabled TCP/UDP Flood system rules and your network environment consists of the following: NAT'd environments, static forwarders, or VPN concentrators | All rules in the TCP/UDP Flood category | TCP/UDP Flood Rules
You have enabled DNS DDoS system rules and your network environment consists of the following: NAT'd environments, static forwarders, or VPN concentrators | Rules 200000001 to 200000003 in the DNS DDoS category | DNS DDoS Rules
You have enabled DNS Tunneling system rules and your network environment consists of the following: NAT'd environments, static forwarders, and VPN concentrators | All rules in the DNS Tunneling category | Anti DNS Tunneling Rules
Your DNS server is configured to allow incoming IPv4 and IPv6 zone transfer requests and it serves a large number of zones | Rules 130100100 to 130100401 in the DNS Message Type category | DNS Message Type Rules
You have enabled DNS Amplification and Reflection system rules | All rules in the DNS Amplification and Reflection category | DNS Amplification and Reflection Rules
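The tuning conditions above all come down to the Packets per second and Drop interval parameters of the per-source rate limit that the EARLY PASS and RATELIMIT PASS auto rules in the following tables share: a source passes while it stays below the threshold, and once it exceeds it all of its traffic is dropped for Drop interval, with rule hits logged at no more than Events per second. The Python model below is an added example, not Infoblox code; it runs constructed NOTIFY traffic from two external primaries through that logic at the default and at a tuned threshold, and the one-second sliding window, the per-source accounting and the source addresses are assumptions.

```python
"""Model of the per-source rate limit shared by the Advanced DNS Protection
EARLY PASS / RATELIMIT PASS auto rules.

Added example, not Infoblox code. Behaviour taken from the rule descriptions:
  * a packet passes while its source stays below Packets per second;
  * a source that exceeds the value has all its traffic dropped for
    Drop interval seconds;
  * at most Events per second rule hits are logged per second (0 = no log).
The one-second sliding window and the source addresses are assumptions.
"""
from collections import defaultdict, deque


class RuleParams:
    def __init__(self, packets_per_second, drop_interval, events_per_second=1):
        self.packets_per_second = packets_per_second  # threshold per source
        self.drop_interval = drop_interval            # seconds to block
        self.events_per_second = events_per_second    # log cap, 0 disables


class RateLimitRule:
    def __init__(self, params):
        self.params = params
        self._window = defaultdict(deque)  # src -> timestamps in last second
        self._blocked_until = {}           # src -> time the drop interval ends
        self._event_times = deque()        # log timestamps in last second
        self.events = []                   # (timestamp, src) actually logged

    def handle(self, ts, src):
        """Classify one packet from src at time ts: 'PASS' or 'DROP'."""
        until = self._blocked_until.get(src)
        if until is not None and ts < until:
            return "DROP"                   # still inside the drop interval
        win = self._window[src]
        win.append(ts)
        while win and win[0] <= ts - 1.0:   # forget packets older than 1 s
            win.popleft()
        if len(win) > self.params.packets_per_second:
            # Threshold exceeded: block this source for Drop interval.
            self._blocked_until[src] = ts + self.params.drop_interval
            win.clear()
            self._log(ts, src)
            return "DROP"
        return "PASS"

    def _log(self, ts, src):
        while self._event_times and self._event_times[0] <= ts - 1.0:
            self._event_times.popleft()
        if len(self._event_times) < self.params.events_per_second:
            self._event_times.append(ts)
            self.events.append((ts, src))


def constant_rate(src, pps, start, duration):
    """Constructed traffic: evenly spaced packets from src at pps for duration s."""
    return [(start + i / pps, src) for i in range(int(pps * duration))]


def simulate(params, packets):
    """Run packets through one rule; return per-source PASS/DROP counts and the log."""
    rule = RateLimitRule(params)
    counts = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for ts, src in sorted(packets):
        counts[src][rule.handle(ts, src)] += 1
    return {src: dict(c) for src, c in counts.items()}, rule.events


def after_drop_interval():
    """Show that a blocked source is released once Drop interval has elapsed."""
    rule = RateLimitRule(RuleParams(1000, 10.0))
    for ts, src in constant_rate("192.0.2.10", 1500, 0.0, 1.0):
        rule.handle(ts, src)
    return rule.handle(5.0, "192.0.2.10"), rule.handle(11.0, "192.0.2.10")


if __name__ == "__main__":
    # Constructed scenario: external primary 192.0.2.10 legitimately sends
    # NOTIFY at 1500 pps; a second primary 198.51.100.7 sends at 500 pps.
    traffic = (constant_rate("192.0.2.10", 1500, 0.0, 2.0)
               + constant_rate("198.51.100.7", 500, 0.0, 2.0))
    for label, pps in (("default", 1000), ("tuned", 2000)):
        counts, log = simulate(RuleParams(pps, 10.0), traffic)
        print(f"Packets per second = {pps} ({label}): {counts}, "
              f"{len(log)} event(s) logged")
    print("blocked at t=5s, released at t=11s:", after_drop_interval())
```

At the default threshold the 1500 pps primary is cut off after its first 1000 packets and stays blocked for the full Drop interval, which is the false-positive case the Comments column warns about; raising Packets per second to 2000 lets the same traffic through untouched.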
DNS Cache Poisoning
DNS cache poisoning involves inserting a false address record for an Internet domain into a DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails will go to the attacker's address. Cache poisoning attacks such as the "birthday paradox" use brute force, flooding DNS responses and queries at the same time, hoping to get a match on one of the responses and poison the cache.
The following table lists the auto rules that Advanced DNS Protection uses to mitigate DNS cache poisoning on your advanced appliance.
Table H3 DNS Cache Poisoning Rules
(Each entry lists Rule ID, Rule Type and Rule Name, followed by Description, Enable/Disable Condition, Parameters and Comments.)

100000100  Auto  EARLY PASS UDP response traffic
  Description: This rule passes UDP DNS response packets (from upstream DNS servers or external DNS primaries) if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Packets per second (default = 30000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a smaller number if your system is serving authoritative DNS. NOTE: If you set the parameter incorrectly, the rule could block legitimate DNS responses from upstream DNS servers, which could cause the DNS server to exceed its quota.

100000200  Auto  EARLY PASS TCP response traffic
  Description: This rule passes TCP DNS responses initiated by the appliance.
  Enable/Disable condition: Always enabled
  Parameters: Packets per second (default = 100)
  Comments: Consider raising the Packets per second value if DNSSEC is enabled.

100000300  Auto  PASS ACK packets from NIOS initiated connections
  Description: This rule passes TCP ACK packets for DNS or BGP from NIOS initiated connections if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Packets per second (default = 600); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider raising the Packets per second value if DNSSEC is enabled.

DNS Message Type
The following table lists the system and auto rules that are used to mitigate DNS message type attacks on your advanced appliance.
All rules for DNS record types are system rules. By default, they are configured as Pass rules. You can override this and change the rule action to Drop. Note that when you do that, the appliance drops all DNS packets that contain the requested record type.
Table H4 DNS Message Type Rules
(Each entry lists Rule ID, Rule Type and Rule Name, followed by Description, Enable/Disable Condition, Parameters and Comments.)
100100100  Auto  EARLY PASS IPv4 UDP Notify messages
  Description: This rule passes IPv4 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.
100100101  Auto  EARLY PASS IPv6 UDP Notify messages
  Description: This rule passes IPv6 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

100100200  Auto  EARLY PASS IPv4 TCP Notify messages
  Description: This rule passes IPv4 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

100100201  Auto  EARLY PASS IPv6 TCP Notify messages
  Description: This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

100100300  Auto  EARLY PASS IPv4 UDP Notify messages for DDNS update
  Description: This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if DDNS update is enabled for IPv4 clients
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

100100350  Auto  EARLY PASS IPv6 UDP Notify messages for DDNS update
  Description: This rule passes IPv6 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if DDNS update is enabled for IPv6 clients
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

130100100  Auto  RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests
  Description: This rule passes IPv4 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

130100101  Auto  RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests
  Description: This rule passes IPv6 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

130100200  Auto  RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests
  Description: This rule passes IPv4 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100201  Auto  RATELIMIT PASS IPv6 TCP DNS AXFR zone transfer requests
  Description: This rule passes IPv6 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

130100300  Auto  RATELIMIT PASS IPv4 UDP DNS IXFR zone transfer requests
  Description: This rule passes IPv4 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

130100301  Auto  RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests
  Description: This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

130100400  Auto  RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests
  Description: This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

130100401  Auto  RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests
  Description: This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

130200100  Auto  DROP UDP DNS AXFR zone transfer requests
  Description: This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)

130200200  Auto  DROP TCP DNS AXFR zone transfer requests
  Description: This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)

130200300  Auto  DROP UDP DNS IXFR zone transfer requests
  Description: This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)

130200400  Auto  DROP TCP DNS IXFR zone transfer requests
  Description: This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)
130500100  System  DNS A record
  You can configure this rule to pass or drop UDP packets that contain an A record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130500200  System  DNS AAAA record
  You can configure this rule to pass or drop UDP packets that contain an AAAA record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130500300  System  DNS CNAME record
  You can configure this rule to pass or drop UDP packets that contain a CNAME record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130500400  System  DNS DS record
  You can configure this rule to pass or drop UDP packets that contain a DS record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130500500  System  DNS PTR record
  You can configure this rule to pass or drop UDP packets that contain a PTR record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130500600  System  DNS NS record
  You can configure this rule to pass or drop UDP packets that contain an NS record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130500700  System  DNS NSEC record
  You can configure this rule to pass or drop UDP packets that contain an NSEC record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130500800  System  DNS NSEC3 record
  You can configure this rule to pass or drop UDP packets that contain an NSEC3 record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130500900  System  DNS NSEC3PARAM record
  You can configure this rule to pass or drop UDP packets that contain an NSEC3PARAM record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130501000  System  DNS MX record
  You can configure this rule to pass or drop UDP packets that contain an MX record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130501100  System  DNS SRV record
  You can configure this rule to pass or drop UDP packets that contain an SRV record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130501200  System  DNS TXT record
  You can configure this rule to pass or drop UDP packets that contain a TXT record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130501300  System  DNS DNAME record
  You can configure this rule to pass or drop UDP packets that contain a DNAME record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130501400  System  DNS RRSIG record
  You can configure this rule to pass or drop UDP packets that contain an RRSIG record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130501500  System  DNS NAPTR record
  You can configure this rule to pass or drop UDP packets that contain an NAPTR record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).
130501600  System  DNS DNSKEY record
  You can configure this rule to pass or drop UDP packets that contain a DNSKEY record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130501700  System  DNS SPF record
  You can configure this rule to pass or drop UDP packets that contain an SPF record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130501800  System  DNS DHCID record
  You can configure this rule to pass or drop UDP packets that contain a DHCID record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130501900  System  DNS SOA record
  You can configure this rule to pass or drop UDP packets that contain an SOA record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130502000  System  DNS SIG record
  You can configure this rule to pass or drop UDP packets that contain a SIG record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130502100  System  DNS LOC record
  You can configure this rule to pass or drop UDP packets that contain a LOC record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130502200  System  DNS SSHFP record
  You can configure this rule to pass or drop UDP packets that contain an SSHFP record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130502300  System  DNS IPSECKEY record
  You can configure this rule to pass or drop UDP packets that contain an IPSECKEY record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130502400  System  DNS TKEY record
  You can configure this rule to pass or drop UDP packets that contain a TKEY record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130502500  System  DNS TSIG record
  You can configure this rule to pass or drop UDP packets that contain a TSIG record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130502600  System  DNS TA record
  You can configure this rule to pass or drop UDP packets that contain a TA record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130502700  System  DNS DLV record
  You can configure this rule to pass or drop UDP packets that contain a DLV record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130502800  System  DNS ANY record
  You can configure this rule to pass or drop UDP packets that contain an ANY record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130502900  System  DNS A record TCP
  You can configure this rule to pass or drop TCP packets that contain an A record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130503000  System  DNS AAAA record TCP
  You can configure this rule to pass or drop TCP packets that contain an AAAA record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).
130503100  System  DNS CNAME record TCP
  You can configure this rule to pass or drop TCP packets that contain a CNAME record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130503200  System  DNS DS record TCP
  You can configure this rule to pass or drop TCP packets that contain a DS record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130503300  System  DNS PTR record TCP
  You can configure this rule to pass or drop TCP packets that contain a PTR record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130503400  System  DNS NS record TCP
  You can configure this rule to pass or drop TCP packets that contain an NS record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130503500  System  DNS NSEC record TCP
  You can configure this rule to pass or drop TCP packets that contain an NSEC record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130503600  System  DNS NSEC3 record TCP
  You can configure this rule to pass or drop TCP packets that contain an NSEC3 record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130503700  System  DNS NSEC3PARAM record TCP
  You can configure this rule to pass or drop TCP packets that contain an NSEC3PARAM record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130503800  System  DNS MX record TCP
  You can configure this rule to pass or drop TCP packets that contain an MX record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130503900  System  DNS SRV record TCP
  You can configure this rule to pass or drop TCP packets that contain an SRV record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130504000  System  DNS TXT record TCP
  You can configure this rule to pass or drop TCP packets that contain a TXT record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130504100  System  DNS DNAME record TCP
  You can configure this rule to pass or drop TCP packets that contain a DNAME record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130504200  System  DNS RRSIG record TCP
  You can configure this rule to pass or drop TCP packets that contain an RRSIG record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130504300  System  DNS NAPTR record TCP
  You can configure this rule to pass or drop TCP packets that contain an NAPTR record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130504400  System  DNS DNSKEY record TCP
  You can configure this rule to pass or drop TCP packets that contain a DNSKEY record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130504500  System  DNS SPF record TCP
  You can configure this rule to pass or drop TCP packets that contain an SPF record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).
130504600  System  DNS DHCID record TCP
  You can configure this rule to pass or drop TCP packets that contain a DHCID record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130504700  System  DNS SOA record TCP
  You can configure this rule to pass or drop TCP packets that contain an SOA record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130504800  System  DNS SIG record TCP
  You can configure this rule to pass or drop TCP packets that contain a SIG record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130504900  System  DNS LOC record TCP
  You can configure this rule to pass or drop TCP packets that contain a LOC record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130505000  System  DNS SSHFP record TCP
  You can configure this rule to pass or drop TCP packets that contain an SSHFP record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130505100  System  DNS IPSECKEY record TCP
  You can configure this rule to pass or drop TCP packets that contain an IPSECKEY record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130505200  System  DNS TKEY record TCP
  You can configure this rule to pass or drop TCP packets that contain a TKEY record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130505300  System  DNS TSIG record TCP
  You can configure this rule to pass or drop TCP packets that contain a TSIG record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130505400  System  DNS TA record TCP
  You can configure this rule to pass or drop TCP packets that contain a TA record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130505500  System  DNS DLV record TCP
  You can configure this rule to pass or drop TCP packets that contain a DLV record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).

130505600  System  DNS ANY record TCP
  You can configure this rule to pass or drop TCP packets that contain an ANY record request. The default Action = Pass. Enabled by default. Parameters: Action (default = Pass); Events per second (default = 1).
General DDoS
The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.
Table H5 General DDoS Rules
(Each entry lists Rule ID, Rule Type and Rule Name, followed by Description, Enable/Disable Condition and Parameters.)

110000100  Auto  EARLY DROP DoS packets with same source and destination IP
  Description: This rule drops any IP packets that contain the same source and destination IP address.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1)

110000200  Auto  EARLY DROP DoS UDP packets with same source and destination IP
  Description: This rule drops UDP packets that contain the same source and destination IP address.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1)

110000300  Auto  EARLY DROP DoS TCP packets with same source and destination IP
  Description: This rule drops TCP packets that contain the same source and destination IP address.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1)

130400300  Auto  DROP IPv6 loopback address spoofing
  Description: This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1)

130400400  Auto  DROP IPv6 loopback address spoofing
  Description: This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1)

Reconnaissance
Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.
The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.
You can configure the following rule parameter for all rules in this category:
• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.
Table H6 Reconnaissance Rules
(Each entry lists Rule ID, Rule Type and Rule Name, followed by Description, Enable/Disable Condition and Parameters.)

110100100  Auto  EARLY DROP DNS named author attempts
  Description: This rule drops UDP DNS packets that contain attempts to find AUTHOR information.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1)

110100200  Auto  EARLY DROP DNS named version attempts
  Description: This rule drops UDP DNS packets that contain attempts to find VERSION information.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1)
DNS Malware
DNS malware is software used to disrupt your DNS service gather sensitive information or gain access to yourappliance It can include downloaders backdoors trojan horses and other malicious software
The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to aresolver such as a Microsoft DNS server
Table H7 DNS Malware Rules
DNS Protocol Anomalies
DNS protocol anomalies send malformed DNS packets including unexpected header and payload values to thetargeted server This causes the server to stop responding or crash which results in an infinite loop in server threadsThese anomalies sometimes take the form of impersonation attacks
The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance
Table H8 DNS Protocol Anomalies Rules
Rule ID
Rule
Type
Rule Name Description
Enable
Condition
Parameters Comments
110100300 Auto EARLY DROP UDPMALWARE backdoor
This rule drops UDPpackets that contain thebackdoor malwareBKDR_QUEJOBEVL whichposes as an installer ofFaceBook messenger Thismalware may be spread asa malicious attachment inemail messages
Always enabled Events per second (default = 1)
130300300 Auto DROP MALWAREtrojan downloader
This rule drops UDPpackets that contain thetrojan downloadermalware which downloadsand installs new versionsof malicious programsincluding Trojans andAdWare
Always enabled Events per second (default = 1)
130300400 Auto DROP MALWAREpossible Hiloti
This rule drops UDPpackets that contain trojanHiloti malicious programsthat may downloadpotentially malicious filesfrom a remote server andreport system informationback to the server
Always enabled Events per second (default = 1)
Rule ID
Rule
Type
Rule Name Description
Enable
Condition
Parameters Comments
110100400 Auto EARLY DROP UDP DNSquestion name too long
This rule drops UDP DNSpackets when the DNSQuestion Name is toolong
Always enabled Events per second (default = 1)
110100500 Auto EARLY DROP UDP DNSlabel too long
This rule drops UDP DNSpackets when the DNSLabel in the name beingqueried is too long
Always enabled Events per second (default = 1)
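As an added example (not Infoblox code), the Python below checks a UDP DNS query against the header and question-section conditions that Table H8 describes: label and name length limits, question count, operation code, question class, and the Authority-section expectations for IXFR and ordinary queries. The mapping of each check to a rule ID, and the treatment of a compression pointer inside the question as an invalid question string, are my reading of the rule descriptions rather than the appliance's actual matching logic; the test packets are constructed.

```python
"""Classify a UDP DNS query against the Table H8 anomaly checks (added example, not Infoblox code)."""
import struct

OPCODE_QUERY = 0
QTYPE_IXFR = 251
VALID_QCLASSES = {1, 3, 4, 255}     # IN, CH, HS, ANY
MAX_LABEL_LEN = 63                  # RFC 1035 label limit
MAX_NAME_LEN = 255                  # RFC 1035 wire-format name limit (length bytes and root included)


def encode_name(labels):
    """Wire-encode labels WITHOUT validation, so test packets can violate the limits."""
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_query(labels, qtype=1, qclass=1, opcode=OPCODE_QUERY, qdcount=None, nscount=0):
    """Constructed query (header + one question); qdcount/nscount override the header counts."""
    flags = (opcode & 0xF) << 11                     # QR=0, no other flags set
    header = struct.pack("!HHHHHH", 0x1234, flags, 1 if qdcount is None else qdcount, 0, nscount, 0)
    return header + encode_name(labels) + struct.pack("!HH", qtype, qclass)


def parse_name(wire, off):
    """Walk one uncompressed name; return (wire_length, next_offset, rule_id_or_None)."""
    start = off
    while True:
        if off >= len(wire):
            return off - start, off, "110100800"     # name runs past the packet: invalid question string
        length = wire[off]
        if length & 0xC0 == 0xC0:
            return off - start, off, "110100800"     # compression pointer in the question (treated as invalid)
        if length > MAX_LABEL_LEN:
            return off - start, off, "110100500"     # label too long
        off += 1 + length
        if length == 0:
            return off - start, off, None            # root label reached


def dedupe(items):
    return list(dict.fromkeys(items))


def inspect_query(wire):
    """Return the Table H8 rule IDs the packet would trigger, in evaluation order ([] means pass)."""
    hits = []
    if len(wire) < 12:
        return ["110100800"]                          # shorter than a DNS header
    _id, flags, qdcount, _an, nscount, _ar = struct.unpack("!HHHHHH", wire[:12])
    if (flags >> 11) & 0xF != OPCODE_QUERY:
        hits.append("110100900")                      # non-query operation code
    if qdcount == 0:
        hits.append("110100600")                      # invalid question count
        return hits
    if qdcount > 1:
        hits.append("110100900")                      # multiple questions at one time
    name_len, off, verdict = parse_name(wire, 12)
    if verdict:
        hits.append(verdict)
        return dedupe(hits)
    if name_len > MAX_NAME_LEN:
        hits.append("110100400")                      # question name too long
    if off + 4 > len(wire):
        hits.append("110100800")                      # QTYPE/QCLASS missing
        return dedupe(hits)
    qtype, qclass = struct.unpack("!HH", wire[off:off + 4])
    if qclass not in VALID_QCLASSES:
        hits.append("110100700")                      # invalid question class
    if qtype == QTYPE_IXFR:
        if nscount != 1:
            hits.append("130100500")                  # IXFR needs exactly one Authority (SOA) entry
    elif nscount:
        hits.append("110100850")                      # ordinary query carrying Authority entries
    return dedupe(hits)


if __name__ == "__main__":
    samples = [("clean", build_query([b"www", b"example", b"com"])),
               ("64-byte label", build_query([b"a" * 64, b"example", b"com"])),
               ("IXFR without SOA", build_query([b"example", b"com"], qtype=QTYPE_IXFR))]
    for label, pkt in samples:
        print(f"{label}: {inspect_query(pkt) or 'pass'}")
```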
Table H8 DNS Protocol Anomalies Rules (continued)

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100600 | Auto | EARLY DROP UDP query invalid question count | This rule drops UDP DNS packets when the number of entries in the question section is invalid. | Always enabled | Events per second (default = 1) | |
| 110100700 | Auto | EARLY DROP UDP query invalid question class | This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid. | Always enabled | Events per second (default = 1) | |
| 110100800 | Auto | EARLY DROP UDP query invalid question string | This rule drops UDP DNS packets that contain an invalid question string. | Always enabled | Events per second (default = 1) | |
| 110100850 | Auto | EARLY UDP drop invalid DNS query with Authority | This rule drops UDP DNS queries that contain an invalid AUTHORITY entry. | Always enabled | Events per second (default = 1) | |
| 110100900 | Auto | EARLY DROP query multiple questions or non-query operation code | This rule drops UDP DNS packets when multiple questions are being queried at one time or the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000700 | Auto | EARLY DROP TCP non-DNS query | This rule drops TCP packets when the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000800 | Auto | EARLY DROP TCP query multiple questions | This rule drops TCP DNS packets when multiple questions are being queried at one time. | Always enabled | Events per second (default = 1) | |
| 130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority | This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority | This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130300200 | Auto | DROP TCP invalid DNS query with Authority | This rule drops TCP DNS queries that contain invalid Authority entries. | Always enabled | Events per second (default = 1) | |

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit the TCP and UDP protocols.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200. |
| 130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100. |
| 130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400. |
| 130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300. |
DNS DDoS

The following table lists system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H10 DNS DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers, and NO errors. |
| 200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate that equals the Packets per second value. If the rate exceeds this rate, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
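As an added example (not Infoblox code), the Python below models the warn/block behaviour that Table H9 describes for the rule pair 130000100/130000200 and that Table H10 describes for the NXDOMAIN, NXRRSET and SERVFAIL rules: a warn-only rule alerts at or above its threshold, a blocking rule alerts when the per-source rate equals its threshold and blocks the source for Drop interval once the rate exceeds it, and Events per second caps how often alerts are written. The per-second bucketing, the unconditional logging of block transitions and the sample traffic are my constructions, not the appliance's implementation.

```python
"""Two-threshold rate limiting with a drop interval, modelled on Tables H9 and H10 (added example)."""
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Optional


class Rule:
    """One rate-limiting rule; a warn-only rule (130000100 style) has no drop_interval."""

    def __init__(self, rule_id: str, packets_per_second: int, drop_interval: Optional[float] = None,
                 events_per_second: int = 1, match: Callable[[dict], bool] = lambda pkt: True):
        self.rule_id = rule_id
        self.packets_per_second = packets_per_second
        self.drop_interval = drop_interval
        self.events_per_second = events_per_second    # cap on WARN log lines per second
        self.match = match                            # which packets this rule counts


class RateLimiter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.counts: Dict[tuple, int] = defaultdict(int)        # (rule, src, second) -> packets
        self.blocked_until: Dict[tuple, float] = {}             # (rule, src) -> end of drop interval
        self.warns_logged: Dict[tuple, int] = defaultdict(int)  # (rule, second) -> WARN lines written
        self.log: List[str] = []

    def _warn(self, rule: Rule, second: int, msg: str) -> None:
        # Events per second throttles repeated warnings; block transitions are always logged in handle().
        if self.warns_logged[(rule.rule_id, second)] < rule.events_per_second:
            self.warns_logged[(rule.rule_id, second)] += 1
            self.log.append(msg)

    def handle(self, pkt: dict) -> str:
        """Return 'pass', 'warn' or 'drop' for one packet given as {'src', 'ts', 'rcode'}."""
        ts, src = pkt["ts"], pkt["src"]
        second = int(ts)
        # A source inside any rule's Drop interval loses all its traffic, whether or not it matches the rule.
        if any(self.blocked_until.get((r.rule_id, src), 0.0) > ts for r in self.rules):
            return "drop"
        verdict = "pass"
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            self.counts[(rule.rule_id, src, second)] += 1
            n = self.counts[(rule.rule_id, src, second)]
            if rule.drop_interval is not None and n > rule.packets_per_second:
                # Rate EXCEEDS the threshold: block the source for the drop interval.
                self.blocked_until[(rule.rule_id, src)] = ts + rule.drop_interval
                self.log.append(f"{rule.rule_id} BLOCK {src} for {rule.drop_interval}s")
                return "drop"
            if n >= rule.packets_per_second:
                # Rate EQUALS (or, for a warn-only rule, exceeds) the threshold: alert only.
                self._warn(rule, second, f"{rule.rule_id} WARN {src} at {n} pkt/s")
                verdict = "warn"
        return verdict


def tally(verdicts: List[str]) -> Dict[str, int]:
    return dict(Counter(verdicts))


def simulate() -> dict:
    """Run constructed traffic (not a real capture) through the documented default thresholds."""
    flood = RateLimiter([
        Rule("130000100", packets_per_second=40),                       # low threshold, warn only
        Rule("130000200", packets_per_second=1000, drop_interval=5.0),  # high threshold, warn then block
    ])
    # A: 45 queries in one second from one client crosses only the low threshold.
    a = [flood.handle({"src": "10.0.0.5", "ts": i / 100, "rcode": "NOERROR"}) for i in range(45)]
    # B: 1005 queries in one second; the 1000th warns, the 1001st blocks, then one query after the interval.
    b = [flood.handle({"src": "10.0.0.9", "ts": 1.0 + i / 2000, "rcode": "NOERROR"}) for i in range(1005)]
    b.append(flood.handle({"src": "10.0.0.9", "ts": 7.0, "rcode": "NOERROR"}))
    # C: rule 200000001 counts only queries that produced NXDOMAIN, but the block covers every query.
    nx = RateLimiter([Rule("200000001", 1000, drop_interval=5.0, match=lambda p: p["rcode"] == "NXDOMAIN")])
    c = [nx.handle({"src": "10.0.0.7", "ts": 3.0 + i / 2000, "rcode": "NXDOMAIN"}) for i in range(1002)]
    c.append(nx.handle({"src": "10.0.0.7", "ts": 3.9, "rcode": "NOERROR"}))
    return {"A": tally(a), "B": tally(b), "C": tally(c), "alerts": flood.log + nx.log}


if __name__ == "__main__":
    result = simulate()
    for scenario in ("A", "B", "C"):
        print(scenario, result[scenario])
    print("\n".join(result["alerts"]))
```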
DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification rely on UDP being an asymmetrical protocol (small requests, large responses) and on the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Crafted a specific way, a small query sent to any open DNS resolver can result in a single response containing several kilobytes or more that is sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders, and VPN concentrators. |
| 130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | |
| 130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H13 NTP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second. It then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | |
| 130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) | |
| 200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
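As an added example (not Infoblox code), this Python classifies UDP NTP payloads the way the GET_RESTRICT, PEER_LIST_SUM and PEER_LIST rules in Table H13 are described: an unauthenticated private-mode (mode 7) request carrying implementation number 0x02 or 0x03. The byte layout and the numeric request codes follow the ntpd reference implementation's ntp_request.h; that the appliance keys on exactly these fields is my assumption, and the sample packets are constructed.

```python
"""Flag unauthenticated NTP mode 7 requests named in Table H13 (added example, not Infoblox code)."""
import struct
from collections import Counter

# Values from ntp_request.h (ntpd reference implementation); assumption: the rules key on the same fields.
IMPL_XNTPD_OLD, IMPL_XNTPD = 0x02, 0x03
REQ_PEER_LIST, REQ_PEER_LIST_SUM, REQ_GET_RESTRICT = 0, 1, 16
MODE_PRIVATE = 7

# (implementation, request code) -> rule ID from Table H13
RULES = {
    (IMPL_XNTPD_OLD, REQ_GET_RESTRICT): "200001001",
    (IMPL_XNTPD, REQ_GET_RESTRICT): "200001005",
    (IMPL_XNTPD_OLD, REQ_PEER_LIST_SUM): "200001010",
    (IMPL_XNTPD, REQ_PEER_LIST_SUM): "200001015",
    (IMPL_XNTPD_OLD, REQ_PEER_LIST): "200001020",
    (IMPL_XNTPD, REQ_PEER_LIST): "200001025",
}


def classify_ntp(payload: bytes):
    """Return a Table H13 rule ID, 'mode7-other' for any other private-mode packet, or None."""
    if len(payload) < 8:                 # the mode 7 request header is 8 bytes
        return None
    rm_vn_mode, auth_seq, impl, reqcode = payload[0], payload[1], payload[2], payload[3]
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None                      # ordinary client/server/control traffic
    is_response = bool(rm_vn_mode & 0x80)    # R bit
    authenticated = bool(auth_seq & 0x80)    # A bit
    if is_response or authenticated:
        return "mode7-other"             # the rules describe inbound, un-authed requests only
    return RULES.get((impl, reqcode), "mode7-other")


def build_mode7(impl, reqcode, authenticated=False, response=False, version=2):
    """Constructed mode 7 header: R|M|VN|Mode, A|Seq, implementation, request, nitems, itemsize."""
    first = (0x80 if response else 0) | ((version & 0x7) << 3) | MODE_PRIVATE
    return bytes([first, 0x80 if authenticated else 0, impl, reqcode]) + struct.pack("!HH", 0, 0)


def triage(packets):
    """Count (source, rule) pairs for packets given as (src, payload); non-matching traffic is ignored."""
    hits = Counter()
    for src, payload in packets:
        verdict = classify_ntp(payload)
        if verdict and verdict != "mode7-other":
            hits[(src, verdict)] += 1
    return dict(hits)


def sample_traffic():
    """Constructed traffic: one ordinary client poll, one control query, and a burst of mode 7 requests."""
    client_poll = bytes([0x1B]) + bytes(47)       # LI 0, VN 3, mode 3
    control_query = bytes([0x16]) + bytes(11)     # VN 2, mode 6 (ntpq)
    pkts = [("192.0.2.10", client_poll), ("192.0.2.10", control_query)]
    pkts += [("198.51.100.7", build_mode7(IMPL_XNTPD, REQ_GET_RESTRICT))] * 3
    pkts += [("198.51.100.7", build_mode7(IMPL_XNTPD_OLD, REQ_PEER_LIST_SUM))] * 2
    pkts += [("198.51.100.9", build_mode7(IMPL_XNTPD, REQ_PEER_LIST, authenticated=True))]
    return pkts


if __name__ == "__main__":
    for (src, rule), count in sorted(triage(sample_traffic()).items()):
        print(f"{src} matched rule {rule} {count} times")
```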
BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130700100 | Auto | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700200 | Auto | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700300 | Auto | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700400 | Auto | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700500 | Auto | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
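As an added example (not Infoblox code), this Python walks a reassembled BGP TCP byte stream message by message and applies the header checks that rules 130700100, 130700200, 130700400 and 130700500 describe, using the limits from RFC 4271 section 4.1 (19-byte minimum and 4096-byte maximum message length, types 1 to 4) plus ROUTE-REFRESH type 5 from RFC 2918. The sample stream is constructed, and stopping on a marker that is not all ones is my addition rather than one of the listed rules.

```python
"""Walk a reassembled BGP TCP stream and apply the Table H14 header checks (added example, not Infoblox code)."""
import struct

BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19           # RFC 4271 section 4.1: marker(16) + length(2) + type(1)
BGP_MAX_MESSAGE_LEN = 4096
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}


def check_header(marker, length, msg_type):
    """Return the Table H14 rule ID a header would trigger, or None when it is within spec."""
    if length < BGP_HEADER_LEN:
        return "130700100"            # header length shorter than spec
    if length > BGP_MAX_MESSAGE_LEN:
        return "130700200"            # header length longer than spec
    if msg_type == 0:
        return "130700400"            # invalid type 0
    if msg_type > 5:
        return "130700500"            # invalid type bigger than 5
    if marker != BGP_MARKER:
        return "bad-marker"           # not a listed rule; my addition so the walk stops on garbage
    return None


def scan_stream(stream):
    """Return [(offset, outcome)] per message: a type name, a rule ID, or 'incomplete'.

    The walk stops at the first anomalous header, because a bogus length field would
    desynchronise every message after it.
    """
    results, off = [], 0
    while off < len(stream):
        if len(stream) - off < BGP_HEADER_LEN:
            results.append((off, "incomplete"))       # partial header: wait for more data
            break
        marker, length, msg_type = struct.unpack("!16sHB", stream[off:off + BGP_HEADER_LEN])
        rule = check_header(marker, length, msg_type)
        if rule:
            results.append((off, rule))
            break
        if off + length > len(stream):
            results.append((off, "incomplete"))       # header is fine, body not yet received
            break
        results.append((off, BGP_TYPES[msg_type]))
        off += length
    return results


def build_message(msg_type, body=b"", length=None, marker=BGP_MARKER):
    """Constructed BGP message; length/marker can be overridden to fabricate anomalies."""
    total = BGP_HEADER_LEN + len(body) if length is None else length
    return marker + struct.pack("!HB", total, msg_type) + body


def sample_stream():
    """Constructed stream: KEEPALIVE, a minimal OPEN, then a message claiming type 0."""
    # OPEN body: version 4, AS 64512, hold time 180, BGP identifier 192.0.2.1, no optional parameters
    open_body = struct.pack("!BHHIB", 4, 64512, 180, 0xC0000201, 0)
    return build_message(4) + build_message(1, open_body) + build_message(0) + build_message(4)


if __name__ == "__main__":
    for offset, outcome in scan_stream(sample_stream()):
        print(f"offset {offset}: {outcome}")
```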
Table H14 BGP Rules (continued)

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured | Events per second (default = 1) | This rule is exclusive with other rules based on whether BGP is configured on the member or not. |

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules
| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured | Events per second (default = 1) | Default drop rule for all packets on the OSPF service port. |
| 130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4 | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100) | |
| 130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6 | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100) | |
| 130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | This rule works for both IPv4 and IPv6. |
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2330
ICMP
NIOS 612 NIOS Administrator Guide (Rev A) 1519
ICMP
ICMP attacks use network devices such as routers to send error messages when a requested service is not availableor the remote server cannot be reached Examples of ICMP attacks include ping floods ping-of-death attacks andsmurf attacks
The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance
Table H16 ICMP Rules
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
130400200 Auto DROP ICMP largepackets
This rule drops large ICMPpackets (bigger than800)
Always enabled Events per second (default=1)
130900100 Auto RATE LIMIT PASS ICMPPing
This rule passes ICMP pingpackets if the packet rate is lessthan the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
Rule ID: 130900200 | Rule Type: Auto | Rule Name: RATE LIMIT PASS ICMPv6 Ping
  Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Rule ID: 130900700 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 destination unreachable
  Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100)

Rule ID: 130900800 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 packet too big
  Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100)

Rule ID: 130900900 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 ping responses
  Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Rule ID: 130901000 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)
Rule ID: 130901100 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130901200 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130901300 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130901400 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130901500 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130901600 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130901700 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130901800 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)
Rule ID: 130901900 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 listener query
  Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130902000 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 listener report
  Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130902100 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 listener done
  Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130902200 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 listener report v2
  Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130902300 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130902400 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPV6 multicast router solicitation
  Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130902500 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130902600 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMP ping responses
  Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)
Rule ID: 130902700 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMP router advertisement
  Description: This rule passes ICMP router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Rule ID: 130902800 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMP router solicitation
  Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Rule ID: 130902900 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMP time exceeded
  Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Rule ID: 130903000 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMP parameter problem
  Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Rule ID: 130903100 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

Rule ID: 130903200 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Rule ID: 130903300 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMP protocol unreachable
  Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Rule ID: 130903400 | Rule Type: Auto | Rule Name: RATELIMIT ICMP port unreachable
  Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50)
Rule ID: 130903500 | Rule Type: Auto | Rule Name: RATELIMIT PASS ICMP fragmentation needed
  Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules
(Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments)
Rule ID: 100000050 | Rule Type: System | Rule Name: EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
  Enable Condition: Enabled by default
  Parameters: N/A

Rule ID: 140000100 | Rule Type: System | Rule Name: DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS UDP packet.

Rule ID: 140000200 | Rule Type: System | Rule Name: DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS TCP packet.

Rule ID: 140000400 | Rule Type: System | Rule Name: PASS TCP established packets
  Description: This rule passes all packets of established TCP connections.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)

Rule ID: 140000500 | Rule Type: System | Rule Name: DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

Rule ID: 140000600 | Rule Type: System | Rule Name: DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

Rule ID: 140000700 | Rule Type: System | Rule Name: DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any ICMP packet. If this rule is triggered, the packet is most likely not intended for services on this member.

Rule ID: 140000800 | Rule Type: System | Rule Name: DROP unexpected protocol
  Description: This rule drops any unexpected protocol packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This is a catch-all rule that drops anything that does not match any other rule in the system.
HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules
(Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments)

Rule ID: 140000750 | Rule Type: Auto | Rule Name: PASS VRRP
  Description: This rule passes packets that go through VRRP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

Rule ID: 140000760 | Rule Type: Auto | Rule Name: PASS IGMP
  Description: This rule passes packets that go through IGMP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using a semicolon as the separator.
• BLACKLIST IP TCP, Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP, Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent for this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP, Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP, Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP, Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP, Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.
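To make the behaviour shared by the RATELIMIT PASS rules above and the "prior to rate limiting" whitelist and blacklist templates concrete, here is an added Python simulation; it is illustration only and not Infoblox code. The fixed one-second counting window, the "first packet over the threshold starts the drop interval" trigger, and the documentation-range addresses are assumptions; the Packets per second, Drop interval and Events per second defaults are those of rule 130900200.

```python
"""Simulation of the RATELIMIT PASS / Drop interval semantics described in the
rule tables (pass while a source IP stays under Packets per second, then drop
all of its matching traffic for Drop interval seconds), of the WHITELIST /
BLACKLIST "prior to rate limiting" templates, and of the Events per second log
cap. Added illustration, not Infoblox code; the appliance's real counting
window is not documented here, so a fixed one-second window is an assumption.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from math import floor


@dataclass
class RateLimitPassRule:
    rule_id: int
    name: str
    packets_per_second: int      # threshold applied per source IP
    drop_interval: float         # seconds a source stays blocked after exceeding it
    events_per_second: int = 1   # cap on log events emitted per second (guide default)
    log: list = field(default_factory=list)
    _counts: dict = field(default_factory=dict, repr=False)        # (src, second) -> packets
    _blocked_until: dict = field(default_factory=dict, repr=False)  # src -> end of drop interval
    _events: dict = field(default_factory=dict, repr=False)        # second -> events logged

    def _log(self, t, msg):
        # Events per second: log events beyond the configured rate are suppressed,
        # so a flood of drops yields one event per second rather than one per packet.
        sec = floor(t)
        if self._events.get(sec, 0) < self.events_per_second:
            self._events[sec] = self._events.get(sec, 0) + 1
            self.log.append(f"t={t:.3f} rule {self.rule_id} ({self.name}): {msg}")

    def evaluate(self, t, src):
        """Return "PASS" or "DROP" for one packet from src at time t (seconds)."""
        until = self._blocked_until.get(src)
        if until is not None and t < until:
            self._log(t, f"DROP {src}, blocked until t={until:.3f}")
            return "DROP"
        key = (src, floor(t))
        self._counts[key] = self._counts.get(key, 0) + 1
        if self._counts[key] > self.packets_per_second:
            # Assumption: the packet that pushes the one-second count over the
            # threshold is the first one dropped, and it starts the drop interval.
            self._blocked_until[src] = t + self.drop_interval
            self._log(t, f"DROP {src}, exceeded {self.packets_per_second} pps; "
                         f"blocking for {self.drop_interval} s")
            return "DROP"
        return "PASS"


class PacketFilter:
    """Evaluation order the custom templates describe: WHITELIST IP (pass prior
    to rate limiting) and BLACKLIST IP (drop prior to rate limiting) decide a
    packet before the RATELIMITED rule ever counts it."""

    def __init__(self, whitelist, blacklist, rate_rule):
        # Entries in address/CIDR form as the templates accept; a bare address
        # becomes a single-host network.
        self.whitelist = [ip_network(n, strict=False) for n in whitelist]
        self.blacklist = [ip_network(n, strict=False) for n in blacklist]
        self.rate_rule = rate_rule

    def evaluate(self, t, src):
        """Return (verdict, deciding rule) for one packet."""
        ip = ip_address(src)
        if any(ip in net for net in self.whitelist):
            return "PASS", "WHITELIST"
        if any(ip in net for net in self.blacklist):
            return "DROP", "BLACKLIST"
        return self.rate_rule.evaluate(t, src), str(self.rate_rule.rule_id)


def simulate(packets, flt):
    """Run a timeline of (time, src) packets through flt and return one
    (time, src, verdict, deciding rule) tuple per packet."""
    return [(t, src) + flt.evaluate(t, src) for t, src in packets]


def demo_filter():
    """Rule 130900200 defaults from the guide (50 pps, 10 s drop interval, 1 event/s)
    with constructed whitelist/blacklist entries from documentation ranges."""
    rule = RateLimitPassRule(130900200, "RATE LIMIT PASS ICMPv6 Ping", 50, 10.0)
    return PacketFilter(["192.0.2.0/24"], ["203.0.113.7"], rule)


def demo_timeline():
    """Constructed timeline: 60 pings from one source within 0.3 s, then packets
    from other sources, then the same source during and after its drop interval."""
    burst = [(i * 0.005, "2001:db8::1") for i in range(60)]
    rest = [(1.0, "2001:db8::2"), (1.1, "192.0.2.10"), (1.2, "203.0.113.7"),
            (5.0, "2001:db8::1"), (10.5, "2001:db8::1")]
    return burst + rest


if __name__ == "__main__":
    flt = demo_filter()
    for t, src, verdict, by in simulate(demo_timeline(), flt):
        print(f"{t:6.3f}  {src:14}  {verdict:4}  by {by}")
    print("\n".join(flt.rate_rule.log))
```

The printed log shows why Events per second matters for a flood: the ten excess pings in the burst produce a single log event for that second, and the blocked retry at t=5.0 produces the second.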
Tuning Rule Parameters

All threat protection rules contain rule parameters that you may or may not be able to configure. Rule parameters are predefined with default values that generally suit most network environments. However, there are times when you have special setups or configurations in your environment that require special attention. In these cases, you may need to change some of the rule parameters to obtain optimal protection without sacrificing system performance.

Table H2 lists specific conditions and the corresponding rules that may require tuning when they are enabled. You can view tuning suggestions in the Comments column of the rule tables for each of the following conditions.
Table H2 Tunable Rules
(Columns: Conditions, Rule(s) that Require Tuning, Reference)

Condition: Your appliance is configured as an authoritative DNS server.
  Rule(s) that require tuning: Rule 100000100 in the DNS Cache Poisoning category
  Reference: DNS Cache Poisoning Rules

Condition: Your DNS server is configured as the secondary server with external primaries, and it serves a large number of zones.
  Rule(s) that require tuning: Rules 100100100 to 100100201 in the DNS Message Type category
  Reference: DNS Message Type Rules

Condition: You have enabled TCP/UDP Flood system rules, and your network environment consists of the following: NATd environments, static forwarders, or VPN concentrators.
  Rule(s) that require tuning: All rules in the TCP/UDP Flood category
  Reference: TCP/UDP Flood Rules

Condition: You have enabled DNS DDoS system rules, and your network environment consists of the following: NATd environments, static forwarders, or VPN concentrators.
  Rule(s) that require tuning: Rules 200000001 to 200000003 in the DNS DDoS category
  Reference: DNS DDoS Rules

Condition: You have enabled DNS Tunneling system rules, and your network environment consists of the following: NATd environments, static forwarders, and VPN concentrators.
  Rule(s) that require tuning: All rules in the DNS Tunneling category
  Reference: Anti DNS Tunneling Rules

Condition: Your DNS server is configured to allow incoming IPv4 and IPv6 zone transfer requests, and it serves a large number of zones.
  Rule(s) that require tuning: Rules 130100100 to 130100401 in the DNS Message Type category
  Reference: DNS Message Type Rules

Condition: You have enabled DNS Amplification and Reflection system rules.
  Rule(s) that require tuning: All rules in the DNS Amplification and Reflection category
  Reference: DNS Amplification and Reflection Rules
DNS Cache Poisoning

DNS cache poisoning involves inserting a false address record for an Internet domain into a DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails will go to the attacker's address. Cache poisoning attacks such as the "birthday paradox" use brute force, flooding DNS responses and queries at the same time, hoping to get a match on one of the responses and poison the cache.

The following table lists auto rules that Advanced DNS Protection uses to mitigate DNS cache poisoning on your advanced appliance.

Table H3 DNS Cache Poisoning Rules
(Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments)

Rule ID: 100000100 | Rule Type: Auto | Rule Name: EARLY PASS UDP response traffic
  Description: This rule passes UDP DNS response packets (from upstream DNS servers or external DNS primaries) if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Packets per second (default = 30000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a smaller number if your system is serving authoritative DNS. NOTE: If you set the parameter incorrectly, the rule could block legitimate DNS responses from upstream DNS servers, which could cause the DNS server to exceed its quota.

Rule ID: 100000200 | Rule Type: Auto | Rule Name: EARLY PASS TCP response traffic
  Description: This rule passes TCP DNS responses initiated by the appliance.
  Enable/Disable Condition: Always enabled
  Parameters: Packets per second (default = 100)
  Comments: Consider raising the Packets per second value if DNSSEC is enabled.

Rule ID: 100000300 | Rule Type: Auto | Rule Name: PASS ACK packets from NIOS initiated connections
  Description: This rule passes TCP ACK packets for DNS or BGP from NIOS initiated connections if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Packets per second (default = 600); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider raising the Packets per second value if DNSSEC is enabled.

DNS Message Type

The following table lists the system and auto rules that are used to mitigate DNS message type attacks on your advanced appliance.

All rules for DNS record types are system rules. By default, they are configured as Pass rules. You can override this and change the rule action to Drop. Note that when you do that, the appliance drops all DNS packets that contain the requested record type.

Table H4 DNS Message Type Rules
(Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments)
Rule ID: 100100100 | Rule Type: Auto | Rule Name: EARLY PASS IPv4 UDP Notify messages
  Description: This rule passes IPv4 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.
Rule ID: 100100101 | Rule Type: Auto | Rule Name: EARLY PASS IPv6 UDP Notify messages
  Description: This rule passes IPv6 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

Rule ID: 100100200 | Rule Type: Auto | Rule Name: EARLY PASS IPv4 TCP Notify messages
  Description: This rule passes IPv4 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

Rule ID: 100100201 | Rule Type: Auto | Rule Name: EARLY PASS IPv6 TCP Notify messages
  Description: This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

Rule ID: 100100300 | Rule Type: Auto | Rule Name: EARLY PASS IPv4 UDP Notify messages for DDNS update
  Description: This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled if DDNS update is enabled for IPv4 clients
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

Rule ID: 100100350 | Rule Type: Auto | Rule Name: EARLY PASS IPv6 UDP Notify messages for DDNS update
  Description: This rule passes IPv6 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled if DDNS update is enabled for IPv6 clients
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

Rule ID: 130100100 | Rule Type: Auto | Rule Name: RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests
  Description: This rule passes IPv4 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule ID: 130100101 | Rule Type: Auto | Rule Name: RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests
  Description: This rule passes IPv6 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule ID: 130100200 | Rule Type: Auto | Rule Name: RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests
  Description: This rule passes IPv4 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
Rule ID
Rule
Type
Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 730
DNS Message Type
NIOS 612 NIOS Administrator Guide (Rev A) 1503
130100201 Auto RATELIMIT PASSIPv6 TCP DNSAXFR zonetransfer requests
This rule passes IPv6 TCP DNS fullzone transfer requests if thepacket rate is less than thespecified Packets per second value (default = 100) If anysource IP sends packets over thisvalue the appliance blocks all
such traffic from this source IP fora time specified in Drop interval
Enabled if InfobloxDNS allowsincoming IPv6zone transferrequests
Packets per second (default = 1000)
Drop interval (default= 10 seconds)
Events per second (default = 1)
Consider tuning Packets per
second if Infoblox DNSserves a large number ofzones If this rule istriggered and the source IPaddress indicates a validsecondary server tune the
Packets per second valueaccordingly
130100300 Auto RATELIMIT PASSIPv4 UDP DNSIXFR zoneTransfer requests
This rule passes IPv4 UDP DNSincremental zone transferrequests if the packet rate is lessthan the specified Packets per
second value (default = 100) Ifany source IP sends packets overthis value the appliance blocksall such traffic from this source IPfor a time specified in Drop
interval
Enabled if InfobloxDNS allowsincoming IPv4zone transferrequests
Packets per second (default = 1000)
Drop interval (default= 10 seconds)
Events per second (default = 1)
Consider tuning Packets per
second if Infoblox DNSserves a large number ofzones If this rule istriggered and the source IPaddress indicates a validsecondary server tune thePackets per second valueaccordingly
130100301 Auto RATELIMIT PASSIPv6 UDP DNSIXFR zoneTransfer requests
This rule passes IPv6 UDP DNSincremental zone transferrequests if the packet rate is lessthan the specified Packets per
second value (default = 100) Ifany source IP sends packets overthis value the appliance blocksall such traffic from this source IPfor a time specified in Drop
interval
Enabled if InfobloxDNS allowsincoming IPv6zone transfer
requests
Packets per second (default = 1000)
Drop interval (default= 10 seconds)
Events per second (default = 1)
Consider tuning Packets per
second if Infoblox DNSserves a large number ofzones If this rule is
triggered and the source IPaddress indicates a validsecondary server tune thePackets per second valueaccordingly
130100400 Auto RATELIMIT PASSIPv4 TCP DNSIXFR zoneTransfer requests
This rule passes IPv4 TCP DNSincremental zone transferrequests if the packet rate is lessthan the specified Packets per
second value (default = 100) Ifany source IP sends packets overthis value the appliance blocksall such traffic from this source IPfor a time specified in Drop
interval
Enabled if InfobloxDNS allowsincoming IPv4zone transferrequests
Packets per second (default = 1000)
Drop interval (default= 10 seconds)
Events per second (default = 1)
Consider tuning Packets per
second if Infoblox DNSserves a large number ofzones If this rule istriggered and the source IPaddress indicates a validsecondary server tune thePackets per second valueaccordingly
130100401 Auto RATELIMIT PASS
IPv6 TCP DNSIXFR zoneTransfer requests
This rule passes IPv6 TCP DNS
incremental zone transferrequests if the packet rate is lessthan the specified Packets per
second value If any source IPsends packets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Enabled if Infoblox
DNS allowsincoming IPv6zone transferrequests
Packets per second
(default = 1000)Drop interval (default= 10 seconds)
Events per second (default = 1)
Consider tuning Packets per
second if Infoblox DNSserves a large number ofzones If this rule istriggered and the source IPaddress indicates a validsecondary server tune thePackets per second valueaccordingly
130200100 Auto DROP UDP DNSAXFR zonetransfer requests
This rule drops any DNS UDP fullzone transfer requests when zonetransfer is disabled You canconfigure only the Events per
second parameter
Enabled if InfobloxDNS does notallow incomingzone transferrequests
Events per second (default = 1)
130200200 Auto DROP TCP DNSAXFR zonetransfer requests
This rule drops any DNS TCP fullzone transfer requests when zonetransfer is disabled You can
configure only the Events per
second parameter
Enabled if InfobloxDNS does notallow incoming
zone transferrequests
Events per second (default = 1)
130200300 Auto DROP UDP DNSIXFR zoneTransfer requests
This rule drops any DNS UDPincremental zone transferrequests when zone transfer isdisabled You can configure onlythe Events per second parameter
Enabled if InfobloxDNS does notallow incomingzone transferrequests
Events per second (default = 1)
130200400 Auto DROP TCP DNSIXFR zoneTransfer requests
This rule drops any DNS TCPincremental zone transferrequests when zone transfer isdisabled You can configure onlythe Events per second parameter
Enabled if InfobloxDNS does notallow incomingzone transferrequests
Events per second (default = 1)
Rule ID
Rule
Type
Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 830
1504 NIOS Administrator Guide (Rev A) NIOS 612
Each of the following rules is a System rule that is enabled by default and has two configurable parameters: Action (default = Pass) and Events per second (default = 1). Set Action to Drop to discard packets that contain a query for the named record type. Rules 130500100 to 130502800 match UDP packets and are named "DNS <type> record"; rules 130502900 to 130505600 match TCP packets for the same record types and are named "DNS <type> record TCP". These rules key on the query type in the question section only, so dropping DNSKEY, DS or RRSIG queries, for example, also breaks validating resolvers that query this server; dropping ANY is the usual choice because ANY queries are the favourite amplification vector.

Record type | UDP rule ID (DNS <type> record) | TCP rule ID (DNS <type> record TCP)
A | 130500100 | 130502900
AAAA | 130500200 | 130503000
CNAME | 130500300 | 130503100
DS | 130500400 | 130503200
PTR | 130500500 | 130503300
NS | 130500600 | 130503400
NSEC | 130500700 | 130503500
NSEC3 | 130500800 | 130503600
NSEC3PARAM | 130500900 | 130503700
MX | 130501000 | 130503800
SRV | 130501100 | 130503900
TXT | 130501200 | 130504000
DNAME | 130501300 | 130504100
RRSIG | 130501400 | 130504200
NAPTR | 130501500 | 130504300
DNSKEY | 130501600 | 130504400
SPF | 130501700 | 130504500
DHCID | 130501800 | 130504600
SOA | 130501900 | 130504700
SIG | 130502000 | 130504800
LOC | 130502100 | 130504900
SSHFP | 130502200 | 130505000
IPSECKEY | 130502300 | 130505100
TKEY | 130502400 | 130505200
TSIG | 130502500 | 130505300
TA | 130502600 | 130505400
DLV | 130502700 | 130505500
ANY | 130502800 | 130505600

General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packet whose source and destination IP addresses are the same. | Always enabled | Events per second (default = 1) |
110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets whose source and destination IP addresses are the same. | Always enabled | Events per second (default = 1) |
110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets whose source and destination IP addresses are the same. | Always enabled | Events per second (default = 1) |
130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packet that attempts to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) |
130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packet that attempts to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | Listed in this guide with the same name and description as rule 130400300; check the rule set on the appliance for the distinction between the two.

Reconnaissance

Reconnaissance attacks are attempts to gather information about the network environment before launching a large DDoS or another type of attack. Techniques include port scanning and querying name servers for their software version and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warning.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: the number of events logged per second for the rule. Setting the value to 0 (zero) disables event logging for the rule. The default value is 1, as listed in the Parameters column of the table.

Table H6 Reconnaissance Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that attempt to retrieve the name server's AUTHOR information (for example, a CHAOS-class TXT query for authors.bind, which BIND answers). | Always enabled | Events per second (default = 1) |
110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that attempt to retrieve the name server's VERSION information (for example, a CHAOS-class TXT query for version.bind). | Always enabled | Events per second (default = 1) |

DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information or gain access to your appliance. It can include downloaders, backdoors, trojan horses and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer for Facebook Messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) |
130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and adware. | Always enabled | Events per second (default = 1) |
130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain the Hiloti trojan, a malicious program that may download potentially malicious files from a remote server and report system information back to that server. | Always enabled | Events per second (default = 1) |

DNS Protocol Anomalies

DNS protocol anomalies are malformed DNS packets, including unexpected header and payload values, sent to the targeted server. They can cause the server to hang in a processing loop, stop responding or crash. These anomalies sometimes take the form of impersonation attacks. The length limits the rules below enforce are the ones DNS defines: a label is at most 63 octets and a complete name at most 255 octets (RFC 1035). An IXFR request carries the client's current SOA record as the single entry of its Authority section (RFC 1995), which is why rules 130100500 and 130100600 require exactly one.

The following table lists the rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS question name is too long. | Always enabled | Events per second (default = 1) |
110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when a label in the name being queried is too long. | Always enabled | Events per second (default = 1) |
110100600 | Auto | EARLY DROP UDP query invalid question count | This rule drops UDP DNS packets when the number of entries in the question section is invalid. | Always enabled | Events per second (default = 1) |
110100700 | Auto | EARLY DROP UDP query invalid question class | This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid. | Always enabled | Events per second (default = 1) |
110100800 | Auto | EARLY DROP UDP query invalid question string | This rule drops UDP DNS packets that contain an invalid question string. | Always enabled | Events per second (default = 1) |
110100850 | Auto | EARLY UDP drop invalid DNS query with Authority | This rule drops UDP DNS queries that contain an invalid AUTHORITY entry. | Always enabled | Events per second (default = 1) |
110100900 | Auto | EARLY DROP query multiple questions or non query operation code | This rule drops UDP DNS packets that carry multiple questions at one time or whose operation code is not Query. | Always enabled | Events per second (default = 1) |
130000700 | Auto | EARLY DROP TCP non-DNS query | This rule drops TCP packets whose operation code is not Query. | Always enabled | Events per second (default = 1) |
130000800 | Auto | EARLY DROP TCP query multiple questions | This rule drops TCP DNS packets that carry multiple questions at one time. | Always enabled | Events per second (default = 1) |
130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority | This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entry. | Always enabled | Events per second (default = 1) |
130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority | This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entry. | Always enabled | Events per second (default = 1) |
130300200 | Auto | DROP TCP invalid DNS query with Authority | This rule drops TCP DNS queries that contain invalid Authority entries. | Always enabled | Events per second (default = 1) |

Potential DDoS Related Domains

This rule category includes system rules that the appliance uses to blacklist domains that have been the targets or subjects of NXDOMAIN or DDoS attacks. These rules block all UDP FQDN lookups for domains that have been observed as targets in DDoS attacks. The rules are enabled by default; you can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change regularly. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
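The following is an added example, not code from Infoblox or from this guide, showing how a packet-level filter keys on the fields that the DNS Message Type, Reconnaissance and DNS Protocol Anomalies tables above name. It is a minimal parser for the DNS header and question section (RFC 1035) that drops the anomalies in Table H8 (non-query opcode, question count other than one, unknown class, label over 63 octets, name over 255 octets, an Authority section on an ordinary query, or an IXFR without exactly one Authority entry), drops the reconnaissance names from Table H6 (version.bind and authors.bind in class CH, the names BIND answers) and then applies a per-record-type pass/drop table like the DNS Message Type rules, reusing the same logic for TCP after checking and stripping the two-octet length prefix. The rule IDs in the comments are this example's reading of the rule names in this guide, not a statement of how the appliance implements them; which classes count as invalid and the decision to drop ANY are the example's own choices, and every sample packet is constructed inline.

```python
import struct

# QTYPE numbers (IANA registry) for the record types the DNS Message Type table covers.
QTYPE = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
         24: "SIG", 28: "AAAA", 29: "LOC", 33: "SRV", 35: "NAPTR", 39: "DNAME",
         43: "DS", 44: "SSHFP", 45: "IPSECKEY", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY",
         49: "DHCID", 50: "NSEC3", 51: "NSEC3PARAM", 99: "SPF", 249: "TKEY",
         250: "TSIG", 251: "IXFR", 252: "AXFR", 255: "ANY", 32768: "TA", 32769: "DLV"}
QCLASS = {1: "IN", 3: "CH", 4: "HS", 255: "ANY"}   # anything else is "invalid" here (example's choice)

# Per-type action table like the System rules' Action parameter (default Pass). ANY is
# set to Drop, the override an operator worried about amplification would apply to
# rules 130502800 / 130505600; the override is this example's choice.
TYPE_ACTION = {name: "PASS" for name in QTYPE.values()}
TYPE_ACTION["ANY"] = "DROP"
RECON_NAMES = ("version.bind", "authors.bind")   # CHAOS-class names BIND answers


def parse_name(msg, off):
    """Parse an uncompressed question name; return (labels, offset after the name).
    Raises ValueError for the length anomalies rules 110100400 / 110100500 drop."""
    labels, total = [], 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        off += 1
        if n == 0:
            return labels, off
        if (n & 0xC0) == 0xC0:                 # pointers never belong in a question name
            raise ValueError("compression pointer in question name")
        if n > 63:
            raise ValueError("label too long")
        total += n + 1
        if total > 255:
            raise ValueError("question name too long")
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n


def classify(packet, transport="udp"):
    """Return a verdict string for one DNS query. TCP carries a 2-octet length prefix."""
    msg = packet
    if transport == "tcp":
        if len(packet) < 2 or struct.unpack("!H", packet[:2])[0] != len(packet) - 2:
            return "DROP malformed TCP length prefix"
        msg = packet[2:]
    if len(msg) < 12:
        return "DROP truncated header"
    _id, flags, qd, _an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    if opcode != 0:                            # 110100900 / 130000700
        return "DROP non-query opcode %d" % opcode
    if qd != 1:                                # 110100600 / 110100900 / 130000800
        return "DROP question count %d" % qd
    try:
        labels, off = parse_name(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    except (ValueError, struct.error) as exc:
        return "DROP %s" % exc
    if qclass not in QCLASS:                   # 110100700
        return "DROP invalid question class %d" % qclass
    qname = ".".join(labels).lower()
    if qclass == 3 and qname in RECON_NAMES:    # 110100100 / 110100200
        return "DROP reconnaissance %s" % qname
    if qtype == 251:                           # 130100500 / 130100600
        if ns != 1:                            # IXFR carries exactly one SOA (RFC 1995)
            return "DROP IXFR with %d authority entries" % ns
    elif ns != 0:                              # 110100850 / 130300200
        return "DROP query with authority section"
    tname = QTYPE.get(qtype, "TYPE%d" % qtype)
    return "%s %s %s/%s" % (TYPE_ACTION.get(tname, "PASS"), tname, qname, transport)


def build_query(qname, qtype, qclass=1, opcode=0, qdcount=1, nscount=0, transport="udp"):
    """Assemble a query on the wire (used only to construct sample input). nscount is
    written into the header without a matching record: the checks above count only."""
    flags = (opcode << 11) | 0x0100            # RD set, like a stub resolver
    hdr = struct.pack("!HHHHHH", 0x1234, flags, qdcount, 0, nscount, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = hdr + name + struct.pack("!HH", qtype, qclass)
    return struct.pack("!H", len(msg)) + msg if transport == "tcp" else msg


SAMPLES = [   # (packet, transport), all constructed here
    (build_query("www.example.com", 1), "udp"),
    (build_query("example.com", 255), "udp"),                            # ANY
    (build_query("version.bind", 16, qclass=3), "udp"),                  # reconnaissance
    (build_query("example.com", 1, qdcount=2), "udp"),                   # two questions
    (build_query("example.com", 1, opcode=2), "udp"),                    # STATUS opcode
    (build_query("a" * 64 + ".example.com", 1), "udp"),                  # 64-octet label
    (build_query("example.com", 1, qclass=7), "udp"),                    # unknown class
    (build_query("example.com", 251, nscount=1, transport="tcp"), "tcp"),  # valid IXFR
    (build_query("example.com", 251), "udp"),                            # IXFR without SOA
    (build_query("example.com", 1, nscount=1), "udp"),                   # authority on a plain query
]


def demo():
    """Return the verdict for each constructed sample, in order."""
    return [classify(p, t) for p, t in SAMPLES]
```

Run demo() to see one verdict per sample. The order of the checks matters: header-level anomalies are rejected before the name is parsed, so a packet with two questions never reaches the per-type table, which mirrors the EARLY DROP rules running before the record-type System rules.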
TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks that send massive numbers of packets to consume network bandwidth and resources. They exploit the TCP and UDP transport protocols directly.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to set the warning and blocking thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second of this rule). When the packet rate reaches or exceeds the high threshold (Packets per second of rule 130000200), rule 130000200 is triggered. NOTE: the Packets per second value configured for this rule should be less than that of rule 130000200.
130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators, where many clients share one source IP. This rule may be triggered if its Packets per second is lower than that of custom rules created from the rate limiting templates. NOTE: the Packets per second value for this rule must be higher than that of rule 130000100.
130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to set the warning and blocking thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second of this rule). When the packet rate reaches or exceeds the high threshold (Packets per second of rule 130000400), rule 130000400 is triggered. NOTE: the Packets per second value configured for this rule should be less than that of rule 130000400.
130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators, where many clients share one source IP. This rule may be triggered if its Packets per second is lower than that of custom rules created from the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300. (This note conflicts with the comment on rule 130000300, which describes the two rules as a warning/blocking pair; verify the guidance for your release before enabling both.)
DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate-limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL. Because they key on the source IP of the queries that produced those responses, a recursive resolver or forwarder that relays a random-subdomain attack from its own clients will itself exceed the threshold and be blocked for the Drop interval; raise Packets per second for such sources, as the comments below recommend.

Table H10 DNS DDoS Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from that source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.
200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from that source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators. NOTE: NXRRSET here denotes a response with no records: no answer records and no error (NOERROR with an empty answer section, often called NODATA).
200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from that source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.
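The following is an added example, not Infoblox code, that models the per-source rate limiting shared by the WARN / WARN & BLOCK pairs in Table H9, the zone transfer RATELIMIT PASS rules earlier in this document and the response-keyed rules in Table H10: a one-second sliding window per source IP, a warn threshold, a block threshold and a drop interval during which every further packet from the blocked source is discarded, plus an Events per second budget on the log. For a response-keyed rule you would feed handle() only the packets whose response was NXDOMAIN, NXRRSET or SERVFAIL. The thresholds (scaled down from the defaults so the run is short), the IP addresses, the traffic mix and the per-source override for a trusted source (the way you would raise the threshold for a known secondary or a NAT gateway) are all constructed for the demonstration; how the appliance actually counts packets or budgets log events is not specified by this guide, so the model is the example's own.

```python
from collections import defaultdict, deque


class SourceRateLimiter:
    """Per-source-IP rate limiter modelled on the WARN / WARN & BLOCK rule pairs
    (example code, not the appliance implementation)."""

    def __init__(self, warn_pps, block_pps, drop_interval, overrides=None,
                 events_per_second=1):
        self.warn_pps = warn_pps              # Packets per second of the WARN rule
        self.block_pps = block_pps            # Packets per second of the WARN & BLOCK rule
        self.drop_interval = drop_interval    # seconds a blocked source stays blocked
        self.overrides = overrides or {}      # src -> block threshold for trusted sources (hypothetical)
        self.events_per_second = events_per_second
        self.window = defaultdict(deque)      # src -> packet timestamps in the last second
        self.blocked_until = {}               # src -> time the block expires
        self.events = []                      # (time, src, message) entries that survived the log budget
        self._log_sec, self._log_count = None, 0

    def _log(self, now, src, msg):
        """Apply the Events per second budget: at most N log entries per wall-clock second."""
        sec = int(now)
        if sec != self._log_sec:
            self._log_sec, self._log_count = sec, 0
        if self._log_count < self.events_per_second:
            self._log_count += 1
            self.events.append((now, src, msg))

    def handle(self, now, src):
        """Return PASS, WARN, BLOCK (block just started) or DROP (inside a drop interval)."""
        until = self.blocked_until.get(src)
        if until is not None:
            if now < until:
                return "DROP"
            del self.blocked_until[src]       # drop interval over, start counting afresh
        q = self.window[src]
        q.append(now)
        while q and now - q[0] >= 1.0:        # one-second sliding window
            q.popleft()
        rate = len(q)
        limit = self.overrides.get(src, self.block_pps)
        if rate > limit:                      # WARN & BLOCK rule: exceeding the value blocks
            self.blocked_until[src] = now + self.drop_interval
            q.clear()
            self._log(now, src, "BLOCK rate %d > %d" % (rate, limit))
            return "BLOCK"
        if rate >= self.warn_pps:             # WARN rule: reaching the value alerts
            self._log(now, src, "WARN rate %d >= %d" % (rate, self.warn_pps))
            return "WARN"
        return "PASS"


def demo():
    """Replay two seconds of constructed traffic: a desktop at 5 pps, a NAT gateway
    at 60 pps that the operator allow-listed at 200 pps, and an attacker at 300 pps.
    Returns (verdict counts per source, event log)."""
    lim = SourceRateLimiter(warn_pps=40, block_pps=100, drop_interval=5,
                            overrides={"10.0.0.1": 200}, events_per_second=1)
    traffic = []
    for src, pps in (("192.0.2.10", 5), ("10.0.0.1", 60), ("198.51.100.7", 300)):
        traffic += [(i / pps, src) for i in range(2 * pps)]
    traffic.sort()
    counts = defaultdict(lambda: defaultdict(int))
    for t, src in traffic:
        counts[src][lim.handle(t, src)] += 1
    return {s: dict(c) for s, c in counts.items()}, lim.events


if __name__ == "__main__":
    counts, events = demo()
    for src, c in counts.items():
        print(src, c)
    for ev in events:
        print(ev)
```

The run shows the two tuning points the comments above keep returning to. The NAT gateway at 60 pps sits above the warn threshold for most of the run but never blocks because of its override, which is the effect of raising Packets per second for a shared source. With Events per second left at 1, the attacker's BLOCK at roughly 0.33 s is not logged at all, because the WARN logged at 0.13 s consumed that second's budget; if you rely on the event log to detect blocks, raise Events per second for the blocking rule.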
DNS Tunneling
DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.
The following table lists the rules used to mitigate DNS tunneling on your advanced appliance.
Table H11 Anti DNS Tunneling Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS packet size exceeds the configured Packet size value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.
130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS packet size exceeds the configured Packet size value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.
200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.
DNS Amplification and Reflection
DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification exploit the asymmetry of UDP (small requests, large responses) and the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.
Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that is sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.
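The anti-tunneling rules in Table H11 key on the size of a UDP query and on the total size of the TXT records in a response, rule 130400100 in Table H12 below applies when the query type is ANY, and the paragraph above names EDNS0 as the way a querier invites responses larger than 512 bytes. The parser below is an added example (not Infoblox code or the appliance's matching logic) showing where each of those values sits in the DNS wire format and how a threshold check reads them. The message builders, the flag names and the sample thresholds are constructed for the demonstration.

```python
import struct

TYPE_TXT, TYPE_OPT, TYPE_ANY = 16, 41, 255


def encode_name(name):
    """Wire-format DNS name: length-prefixed labels ending in a zero byte."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off`, honouring compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # a 2-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_message(msg):
    """Minimal DNS parser: question qtypes, TXT rdata bytes in the answer section,
    and the UDP payload size advertised in an EDNS0 OPT record (None if absent)."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, qtypes = 12, []
    for _ in range(qd):
        off = skip_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        qtypes.append(qtype)
        off += 4
    txt_bytes, edns_size = 0, None
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if i < an and rtype == TYPE_TXT:
            txt_bytes += rdlen        # what rule 200000004 compares against Packet size
        if rtype == TYPE_OPT:
            edns_size = rclass        # OPT reuses the CLASS field for the UDP payload size
        off += rdlen
    return {"qtypes": qtypes, "txt_bytes": txt_bytes, "edns_size": edns_size, "size": len(msg)}


def classify_query(msg, packet_size=200):
    """Flags a UDP query the way rules 130000500 (large query) and 130400100 (ANY) look at it."""
    info = parse_message(msg)
    flags = set()
    if info["size"] > packet_size:
        flags.add("large_query")
    if TYPE_ANY in info["qtypes"]:
        flags.add("any_query")
    if info["edns_size"] is not None and info["edns_size"] > 512:
        flags.add("edns0_large_response")   # querier permits a reply above the classic 512-byte limit
    return flags


def classify_response(msg, packet_size=40):
    """Flags a response whose TXT rdata exceeds the Packet size of rule 200000004."""
    return {"large_txt"} if parse_message(msg)["txt_bytes"] > packet_size else set()


def build_query(name, qtype, edns_size=None):
    """Constructed query (not captured traffic); adds an OPT record when edns_size is given."""
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_size:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return msg


def build_txt_response(name, strings):
    """Constructed TXT response; the answer name is a compression pointer to the question."""
    rdata = b"".join(bytes([len(s)]) + s for s in strings)
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_TXT, 1)
    msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, 1, 60, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    print(classify_query(build_query("example.com", TYPE_ANY, edns_size=4096)))
    print(classify_response(build_txt_response("example.com", [b"x" * 50])))
```

Note that the TXT rule measures the rdata of the answers, not the whole datagram, so the default Packet size of 40 is small enough that legitimate SPF or DKIM TXT records can exceed it; the rule only bites when such responses are triggered at more than Packets per second from one source.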
The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.
Table H12 DNS Amplification and Reflection Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query type is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders, and VPN concentrators.
130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | -
130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.
NTP
The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.
Table H13 NTP Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | -
130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) | -
200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | -
200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | -
200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | -
200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | -
200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | -
200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | -
200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | -
200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | -
200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | -
200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | -
200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | -
200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | -
200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | -
200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | -
200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | -
200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | -
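The NTP rules above distinguish mode 6 (NTPQ) control packets, mode 7 private packets (the PEER_LIST, PEER_LIST_SUM and GET_RESTRICT requests named in the DOS rules, with implementation number 0x02 or 0x03 and no authentication), ordinary time packets, and whether the source is covered by an NTP ACL. The classifier below is an added example, not Infoblox code or the appliance's own matching logic: it decodes, from a UDP/123 payload, the fields those distinctions rest on. Assumptions of mine, not statements from the page: modes 1, 2, 3 and 5 count as time requests and mode 4 as a time response; a packet shorter than the 48-byte NTP header (or the 8-byte mode 7 header) is treated as invalid; the mode 7 request code is decoded but not mapped to a request name; and a source outside every ACL is only labelled, since the page does not say how the appliance treats it. The ACL and packets are constructed.

```python
import ipaddress


def classify_ntp(packet):
    """Decode the first byte (LI:2 VN:3 Mode:3) and, for mode 7, the private-protocol header.

    Mode 7 header layout (reference ntpd private protocol, bytes 0-3):
      byte 0: R (response) bit, M (more) bit, version, mode
      byte 1: A (authenticated) bit followed by a 7-bit sequence number
      byte 2: implementation number (the rules name 0x02 and 0x03)
      byte 3: request code (PEER_LIST, PEER_LIST_SUM, GET_RESTRICT are such codes)
    """
    if not packet:
        return {"class": "invalid"}
    version = (packet[0] >> 3) & 0x7
    mode = packet[0] & 0x7
    if mode == 7:
        if len(packet) < 8:                      # assumption: shorter than the mode 7 header
            return {"class": "invalid"}
        return {
            "class": "private_mode7",
            "version": version,
            "response": bool(packet[0] & 0x80),
            "authenticated": bool(packet[1] & 0x80),
            "impl": packet[2],
            "request_code": packet[3],
        }
    if mode == 6:
        return {"class": "ntpq_control", "version": version}
    if mode in (1, 2, 3, 4, 5):
        if len(packet) < 48:                     # assumption: shorter than the NTP header
            return {"class": "invalid"}
        kind = "time_response" if mode == 4 else "time_request"   # split by mode is assumed
        return {"class": kind, "version": version}
    return {"class": "invalid"}


def in_acl(src_ip, acl):
    """True if src_ip falls inside any network of the (constructed) ACL."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in acl)


def ntp_decision(src_ip, packet, acl, ntp_service_enabled=True):
    """Route one inbound packet to the rule class that would examine it (Table H13).

    Returns 'drop' (service disabled, or invalid), 'suspicious' (an unauthenticated mode 7
    request with implementation 0x02/0x03, the shape the 2000010xx DOS rules count),
    'ratelimit' (an ACL-listed source headed for a RATELIMIT PASS rule) or 'outside_acl'.
    """
    info = classify_ntp(packet)
    if info["class"] == "invalid" or not ntp_service_enabled:
        return "drop"                            # 200001100 / 200001105 / 200001110 / 200001115
    if (info["class"] == "private_mode7" and not info["response"]
            and not info["authenticated"] and info["impl"] in (2, 3)):
        return "suspicious"
    return "ratelimit" if in_acl(src_ip, acl) else "outside_acl"


# Constructed packets, not captured traffic.
MODE7_REQ = bytes([0x17, 0x00, 0x02, 0x10]) + b"\x00" * 4   # v2, mode 7, un-authed, IMPL 0x02
CLIENT_REQ = bytes([0x23]) + b"\x00" * 47                     # v4, mode 3 (client time request)
NTPQ_REQ = bytes([0x16]) + b"\x00" * 11                       # v2, mode 6 (control)
ACL_V4 = [ipaddress.ip_network("192.0.2.0/24")]

if __name__ == "__main__":
    for name, pkt in (("mode7", MODE7_REQ), ("client", CLIENT_REQ), ("ntpq", NTPQ_REQ)):
        print(name, classify_ntp(pkt), ntp_decision("192.0.2.5", pkt, ACL_V4))
```

The point of decoding the A bit and implementation byte separately is that the DOS rules are not about mode 7 as such: authenticated mode 7 from a management host is routine, while unauthenticated mode 7 requests arriving at volume are what the 2000010xx rules name.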
BGP
The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.
Table H14 BGP Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130700100 | AUTO | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | -
130700200 | AUTO | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | -
130700300 | AUTO | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain spoofed connection resets. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | -
130700400 | AUTO | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | -
130700500 | AUTO | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | -
130700550 | AUTO | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | -
130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | -
130700650 | AUTO | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | -
130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | -
130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured | Events per second (default = 1) | This rule is exclusive with the other rules, based on whether BGP is configured on the member or not.
OSPF
The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.
Table H15 OSPF Rules
Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured | Events per second (default = 1) | Default drop rule for all packets on the OSPF service port.
130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4 | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100) | -
130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6 | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100) | -
130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | This rule works for both IPv4 and IPv6.
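Rules 130700100 to 130700500 in Table H14 drop BGP messages whose header length or message type is outside what the BGP specification allows. The check below is an added example (not Infoblox code or the appliance's matching logic) that makes those bounds concrete: per RFC 4271 the Length field must be between 19 and 4096 and the Type between 1 and 4, with 5 (ROUTE-REFRESH, RFC 2918) the highest assigned value the table tolerates. It additionally verifies the 16-byte all-ones marker, which the page's rules do not mention, and it does not model rule 130700300 (spoofed TCP resets), which is a TCP-level check rather than a BGP header check. The messages are constructed, and how a partial header is reported is my choice.

```python
import struct

BGP_MARKER = b"\xff" * 16                       # RFC 4271: 16 bytes of all ones
BGP_MIN_LEN, BGP_MAX_LEN = 19, 4096             # RFC 4271 section 4.1 bounds on Length
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}


def check_bgp_header(payload):
    """Classify one BGP message header into the outcomes of rules 130700100-130700500.

    Returns ("pass", message type name) or ("drop", reason). A buffer shorter than
    a full 19-byte header is reported as "incomplete" rather than dropped, because
    it may be the tail of a TCP segment rather than a malformed message (assumption).
    """
    if len(payload) < BGP_MIN_LEN:
        return ("incomplete", "fewer than 19 bytes available")
    marker, length, mtype = struct.unpack("!16sHB", payload[:19])
    if marker != BGP_MARKER:
        return ("drop", "marker is not all ones")                # added check, RFC 4271
    if length < BGP_MIN_LEN:
        return ("drop", "header length shorter than spec")      # 130700100
    if length > BGP_MAX_LEN:
        return ("drop", "header length longer than spec")       # 130700200
    if mtype == 0:
        return ("drop", "invalid type 0")                       # 130700400
    if mtype > 5:
        return ("drop", "invalid type bigger than 5")           # 130700500
    return ("pass", BGP_TYPES[mtype])


def build_bgp(length, mtype, body=b""):
    """Constructed BGP message with an arbitrary Length field, for exercising the checks."""
    return BGP_MARKER + struct.pack("!HB", length, mtype) + body


def tally(messages):
    """Count outcomes over a batch of headers, the way a per-rule hit counter would."""
    counts = {}
    for m in messages:
        verdict, detail = check_bgp_header(m)
        key = detail if verdict == "drop" else verdict
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [build_bgp(19, 4), build_bgp(18, 4), build_bgp(4097, 2), build_bgp(19, 0), build_bgp(19, 9)]
    for m in sample:
        print(check_bgp_header(m))
    print(tally(sample))
```

A Length of 19 with no body is exactly a KEEPALIVE, which is why the lower bound is 19 and not larger; anything claiming less cannot even carry the fixed header, and anything over 4096 exceeds the maximum message size BGP speakers are required to accept.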
ICMP
ICMP attacks abuse network devices such as routers, which send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.
The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.
Table H16 ICMP Rules
Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default = 1) | -
130900100 | Auto | RATE LIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | -
130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | -
130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100) | -
130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100) | -
130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | -
130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | -
130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130902300 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130902400 | Auto | RATELIMIT PASS ICMPV6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130902500 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | -
130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | -
130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | -
130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | -
130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | -
130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | -
130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | -
130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | -
130903400 | Auto | RATELIMIT ICMP port unreachable | This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default = 10); Drop interval (default = 10 sec); Packets per second (default = 50) | -
Rule 130903500 (Auto): RATELIMIT PASS ICMP fragmentation needed
    Description: Passes ICMP fragmentation needed messages if the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Default Pass/Drop

The following table lists the system rules that pass or drop packets on your advanced appliance. They provide the default handling for traffic that no more specific rule has already passed or dropped; all of them are enabled by default.

Table H17 Default Pass/Drop Rules
Rule 100000050 (System): EARLY PASS TCP with flowbits set
    Description: Passes TCP traffic that has the flowbits option set and marked OK.
    Enable/Disable condition: Enabled by default
    Parameters: N/A

Rule 140000100 (System): DROP UDP DNS unexpected
    Description: Drops any unexpected UDP DNS packets.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default = 1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS UDP packet.

Rule 140000200 (System): DROP TCP DNS unexpected
    Description: Drops any unexpected TCP DNS packets.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default = 1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS TCP packet.

Rule 140000400 (System): PASS TCP established packets
    Description: Passes all packets belonging to established TCP connections.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default = 0)

Rule 140000500 (System): DROP TCP unexpected
    Description: Drops any unexpected TCP packets.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default = 0)
    Comments: Drops any TCP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

Rule 140000600 (System): DROP UDP unexpected
    Description: Drops any unexpected UDP packets.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default = 0)
    Comments: Drops any UDP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

Rule 140000700 (System): DROP ICMP unexpected
    Description: Drops any unexpected ICMP packets.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default = 0)
    Comments: Drops any ICMP packet. If this rule is triggered, the packet is most likely not intended for services on this member.

Rule 140000800 (System): DROP unexpected protocol
    Description: Drops packets of any unexpected protocol.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default = 0)
    Comments: This is the catch-all rule that drops anything that does not match any other rule in the system.
HA Support

The following table lists the auto rules that pass Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) packets for HA (High Availability) support.

Table H18 HA Support Rules

Rule 140000750 (Auto): PASS VRRP
    Description: Passes VRRP packets for HA support.
    Enable condition: Enabled if HA is configured
    Parameters: N/A

Rule 140000760 (Auto): PASS IGMP
    Description: Passes IGMP packets for HA support.
    Enable condition: Enabled if HA is configured
    Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. When you use a specific rule template to create custom rules, the new rules reside in that template's rule category. For information about custom rules and how to create them, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value, which determines how many events per second are logged for the rule. You can also define rule-specific parameters for custom rules as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use an IDN in a custom rule, first convert it to its Punycode (xn--) form. You can use the IDN Converter on the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules that block DNS queries for specific FQDNs over TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP. You can also enter a list of FQDNs, separated by semicolons.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules that block DNS queries for specific FQDNs over UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP. You can also enter a list of FQDNs, separated by semicolons.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on TCP before any rate-limiting rules you have created from the RATELIMITED IP TCP template are evaluated. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are dropped before any relevant rate-limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on UDP before any rate-limiting rules you have created from the RATELIMITED IP UDP template are evaluated. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are dropped before any relevant rate-limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that rate-limit DNS queries for specific FQDNs over UDP. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS queries for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets once the rate limit has been exceeded.
  - Blacklist rate limited FQDN: Enter the FQDN to which the rate limit applies. When the rate of UDP DNS queries for this FQDN exceeds the configured limit, the appliance drops those queries for the drop interval.
• RATELIMITED IP TCP: Use this rule template to create custom rules that rate-limit TCP DNS queries from specific IP addresses or networks. If there are addresses you want to block outright, before their traffic is measured against a rate limit, create a rule from the BLACKLIST IP TCP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of TCP DNS queries from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops packets from the rate-limited IP address or network. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit applies. When the rate of TCP DNS queries from this address or network exceeds the configured limit, the appliance drops its packets for the drop interval.
• RATELIMITED IP UDP: Use this rule template to create custom rules that rate-limit UDP DNS queries from specific IP addresses or networks. If there are addresses you want to block outright, before their traffic is measured against a rate limit, create a rule from the BLACKLIST IP UDP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS queries from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops packets from the rate-limited IP address or network. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit applies. When the rate of UDP DNS queries from this address or network exceeds the configured limit, the appliance drops its packets for the drop interval.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules that allow specific IP addresses on TCP before any rate-limiting rules you have created from the RATELIMITED IP TCP template are evaluated. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are allowed before any relevant rate-limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules that allow specific IP addresses on UDP before any rate-limiting rules you have created from the RATELIMITED IP UDP template are evaluated. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are allowed before any relevant rate-limiting rules take effect.
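The RATELIMIT PASS auto rules and the RATELIMITED, BLACKLIST and WHITELIST templates above all share one mechanism: a per-source packet counter, a Packets per second threshold, and a Drop interval during which every packet from an offending source is dropped, not just the excess. The following simulation is an added example written for this page, not Infoblox code, and it makes assumptions the guide does not state: packets are counted in a sliding one-second window per source, the whitelist is consulted before the blacklist, and the rule names, addresses and packet trace are constructed for illustration. It shows the effect practitioners most often get wrong when tuning: a source that bursts once is then blocked for the whole drop interval even though its later traffic is far below the limit.

```python
"""Simulation of ADP-style per-source rate limiting with a drop interval.

Added example, not part of the NIOS guide. Assumed model (mine): a sliding
one-second window per source; exceeding Packets per second within that window
starts a block of Drop interval seconds during which every packet from the
source is dropped. Whitelist, then blacklist, are evaluated before the limiter,
which is how the 'Pass/Drop prior to rate limiting' templates are described.
"""
from collections import defaultdict, deque
import ipaddress


class RateLimiter:
    def __init__(self, packets_per_second, drop_interval):
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.window = defaultdict(deque)   # src -> timestamps seen in the last second
        self.blocked_until = {}            # src -> time at which its block expires

    def check(self, src, now):
        until = self.blocked_until.get(src)
        if until is not None:
            if now < until:
                return "Drop"              # everything from a blocked source is dropped
            del self.blocked_until[src]    # block expired: start counting afresh
            self.window[src].clear()
        q = self.window[src]
        while q and now - q[0] >= 1.0:     # slide the one-second window
            q.popleft()
        q.append(now)
        if len(q) > self.pps:              # first packet over the limit starts the block
            self.blocked_until[src] = now + self.drop_interval
            q.clear()
            return "Drop"
        return "Pass"


class Policy:
    """Whitelist -> blacklist -> rate limit (whitelist-first ordering is an assumption)."""

    def __init__(self, whitelist, blacklist, packets_per_second, drop_interval):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        self.limiter = RateLimiter(packets_per_second, drop_interval)

    def decide(self, src, now):
        addr = ipaddress.ip_address(src)
        if any(addr in n for n in self.whitelist):
            return "Pass"                  # never counted against the limit
        if any(addr in n for n in self.blacklist):
            return "Drop"                  # dropped before any rate is measured
        return self.limiter.check(src, now)


def run_trace(policy, trace):
    """trace: iterable of (timestamp, src). Returns {src: (passed, dropped)}."""
    counts = defaultdict(lambda: [0, 0])
    for ts, src in sorted(trace):
        counts[src][0 if policy.decide(src, ts) == "Pass" else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


def demo_trace():
    """Constructed trace (documentation-range addresses), not captured traffic."""
    trace = []
    # 203.0.113.10 bursts 8 packets in 0.8 s, then sends one packet per second for 40 s
    trace += [(0.1 * i, "203.0.113.10") for i in range(8)]
    trace += [(1.0 + i, "203.0.113.10") for i in range(40)]
    # 198.51.100.5 stays at 1 pps the whole time
    trace += [(0.5 + i, "198.51.100.5") for i in range(40)]
    # 192.0.2.7 is whitelisted and bursts 20 packets in one second
    trace += [(0.05 * i, "192.0.2.7") for i in range(20)]
    # 203.0.113.200 is blacklisted
    trace += [(2.0 + i, "203.0.113.200") for i in range(3)]
    return trace


def demo():
    """5 pps limit, 30 s drop interval (the RATELIMITED IP template defaults)."""
    policy = Policy(whitelist=["192.0.2.0/24"], blacklist=["203.0.113.200/32"],
                    packets_per_second=5, drop_interval=30.0)
    return run_trace(policy, demo_trace())


if __name__ == "__main__":
    for src, (passed, dropped) in demo().items():
        print(f"{src:16s} passed={passed:3d} dropped={dropped:3d}")
```

In the trace, 203.0.113.10 gets its first five burst packets through, then loses the rest of the burst and its next 30 seconds of perfectly reasonable 1 pps traffic to the drop interval; that is the trade-off the Comments column's "tune Packets per second accordingly" advice is about, and it is why legitimate primaries and secondaries belong on a whitelist rather than relying on a generous rate.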
DNS Cache Poisoning
DNS cache poisoning inserts a forged address record for an Internet domain into a resolver's cache, typically by answering the resolver's own query with a spoofed response. If the DNS server accepts the record, subsequent requests for the domain's address are answered with the address of a server controlled by the attacker, and for as long as the false entry is cached, web requests and email for that domain go to the attacker's address. Brute-force variants such as the "birthday paradox" attack flood the server with queries for the target name and with spoofed responses at the same time, hoping that one of the responses matches an outstanding query and is accepted into the cache.

The following table lists the auto rules that Advanced DNS Protection uses to mitigate DNS cache poisoning on your advanced appliance.
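The reason a birthday flood is so much more effective than guessing against a single outstanding query comes down to arithmetic on the 16-bit transaction ID. The following added example, written for this page and not taken from the Infoblox guide, computes the attacker's success probability for both strategies; it assumes a resolver that accepts the first response whose ID matches an outstanding query, that in the birthday case keeps k outstanding queries for the same name open at once with distinct random IDs (no query deduplication), and that no source-port randomization is in use. The ID space and formulas are standard; the packet counts are illustrative.

```python
"""Success probability of DNS cache-poisoning floods against a 16-bit TXID space.

Added example, not part of the NIOS guide. Assumptions (mine):
- the resolver accepts the first spoofed response whose transaction ID matches
  an outstanding query for the name (no source-port randomization);
- in the birthday variant the resolver keeps `outstanding` queries for the same
  name open at once, each with a distinct random ID (no query deduplication);
- each spoofed response carries a distinct random ID.
"""
from math import ceil, exp, log

TXID_SPACE = 1 << 16  # 16-bit DNS transaction ID


def p_single_query(responses, id_space=TXID_SPACE):
    """One outstanding query, `responses` spoofed replies with random IDs.

    P(at least one ID match) = 1 - (1 - 1/N)^k, roughly k/N while k << N.
    """
    return 1.0 - (1.0 - 1.0 / id_space) ** responses


def p_birthday(outstanding, responses, id_space=TXID_SPACE):
    """`outstanding` open queries vs `responses` spoofed replies, all IDs distinct.

    Exact: P(no match) = prod_{i=0}^{r-1} (N - q - i) / (N - i); each of the r
    distinct response IDs must avoid the q IDs already taken by open queries.
    """
    if outstanding + responses > id_space:
        return 1.0  # pigeonhole: a collision is certain
    p_no_match = 1.0
    for i in range(responses):
        p_no_match *= (id_space - outstanding - i) / (id_space - i)
    return 1.0 - p_no_match


def p_birthday_approx(k, id_space=TXID_SPACE):
    """Usual approximation for k queries vs k responses: 1 - exp(-k^2 / N)."""
    return 1.0 - exp(-(k * k) / id_space)


def packets_for_confidence(target, id_space=TXID_SPACE):
    """Smallest k reaching P >= target for (single-query flood, birthday flood)."""
    single = ceil(log(1.0 - target) / log(1.0 - 1.0 / id_space))
    birthday = 1
    while p_birthday(birthday, birthday, id_space) < target:
        birthday += 1
    return single, birthday


if __name__ == "__main__":
    for k in (100, 300, 1000):
        print(f"k={k:5d}  single-query P={p_single_query(k):.4f}  "
              f"birthday P={p_birthday(k, k):.4f}  approx={p_birthday_approx(k):.4f}")
    print("packets needed for 50%:", packets_for_confidence(0.5))
    # source-port randomization multiplies N; 16 bits of port entropy makes the
    # same 300-packet birthday flood essentially hopeless
    print("with port randomization:", p_birthday(300, 300, TXID_SPACE << 14))
```

A few hundred packets in each direction already gives the birthday attacker better-than-even odds, which is why rule 100000100 below rate-limits inbound UDP responses per source rather than trying to recognise the spoofed ones, and why the Comments column warns that tuning it too low blocks legitimate upstream responses as well.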
Table H3 DNS Cache Poisoning Rules

Rule 100000100 (Auto): EARLY PASS UDP response traffic
    Description: Passes UDP DNS response packets (from upstream DNS servers or external DNS primaries) if the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Packets per second (default = 30000); Drop interval (default = 10 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a smaller number if your system serves authoritative DNS, since an authoritative-only server expects few inbound responses. NOTE: If you set the parameter too low, the rule can block legitimate DNS responses from upstream DNS servers, which can cause the DNS server to exceed its quota.

Rule 100000200 (Auto): EARLY PASS TCP response traffic
    Description: Passes TCP DNS responses on connections initiated by the appliance.
    Enable/Disable condition: Always enabled
    Parameters: Packets per second (default = 100)
    Comments: Consider raising the Packets per second value if DNSSEC is enabled, because larger signed responses fall back to TCP more often.

Rule 100000300 (Auto): PASS ACK packets from NIOS initiated connections
    Description: Passes TCP ACK packets for DNS or BGP on connections initiated by NIOS if the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Packets per second (default = 600); Drop interval (default = 10 seconds); Events per second (default = 1)
    Comments: Consider raising the Packets per second value if DNSSEC is enabled.

DNS Message Type

The following table lists the system and auto rules that mitigate DNS message type attacks on your advanced appliance.

All rules for DNS record types are system rules. By default they are configured as Pass rules. You can override this and change the rule action to Drop; note that when you do, the appliance drops every DNS query that asks for that record type, whether or not the query is malicious.
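What a record-type rule inspects is the QTYPE field of the question section, and a Drop action on, say, the ANY rule discards every query carrying that QTYPE. The following added example, written for this page and not Infoblox code, builds a few DNS queries in wire format, extracts the QTYPE, and applies a per-type action table in which every type keeps the default Pass and ANY has been overridden to Drop, as the paragraph above describes. The packet builder, the dictionary layout of the rule table and the sample names are my own; the type codes are the IANA assignments for the record types listed in Table H4.

```python
"""Pass/drop DNS queries by question type (QTYPE), as the record-type rules do.

Added example, not part of the NIOS guide. Assumptions (mine): the rule table
is a dict {qtype_name: action}; a QTYPE with no rule yields None (no record-type
rule matches, so other rules decide); only the first question is inspected.
"""
import struct

# IANA type codes for the record types in Table H4
QTYPE_CODES = {
    "A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16,
    "SIG": 24, "AAAA": 28, "LOC": 29, "SRV": 33, "NAPTR": 35, "DNAME": 39,
    "DS": 43, "SSHFP": 44, "IPSECKEY": 45, "RRSIG": 46, "NSEC": 47,
    "DNSKEY": 48, "DHCID": 49, "NSEC3": 50, "NSEC3PARAM": 51, "SPF": 99,
    "TKEY": 249, "TSIG": 250, "ANY": 255, "TA": 32768, "DLV": 32769,
}
QTYPE_NAMES = {code: name for name, code in QTYPE_CODES.items()}

# Rule table: every record-type rule defaults to Pass; here ANY is overridden to Drop.
RULE_ACTIONS = {name: "Pass" for name in QTYPE_CODES}
RULE_ACTIONS["ANY"] = "Drop"


def encode_name(name):
    """Encode 'www.example.com' as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Minimal standard query: header (RD set, QDCOUNT=1) + one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_CODES[qtype], 1)


def parse_question(packet):
    """Return (name, qtype_code) of the first question, or None if not a query."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount == 0:   # QR=1 is a response, not a query
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                # compression pointers do not belong in a query name
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None                      # truncated question section
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype


def classify(packet, rules=RULE_ACTIONS):
    """Apply the record-type rule table to a UDP DNS payload: 'Pass', 'Drop' or None."""
    q = parse_question(packet)
    if q is None:
        return None
    _name, qtype = q
    name = QTYPE_NAMES.get(qtype)
    return rules.get(name) if name else None


if __name__ == "__main__":
    for name, qtype in (("www.example.com", "A"), ("example.com", "ANY"), ("example.com", "DNSKEY")):
        print(name, qtype, "->", classify(build_query(name, qtype)))
```

Note that the rule sees only the question: a DNSKEY or ANY query from a legitimate validating resolver looks exactly like one from an amplification attacker, so a Drop on these rules is a blunt instrument and the rate-limit rules in the other tables are usually the better first choice.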
Table H4 DNS Message Type Rules

NOTIFY rules. Each of the following auto rules passes DNS NOTIFY messages of the named address family and transport if the packet rate is below the Packets per second value; if any source IP sends packets above this value, the appliance blocks all traffic from that source IP for the time specified in Drop interval. Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1). Comments: consider tuning Packets per second if Infoblox DNS serves a large number of zones; if the rule is triggered and the source IP address is a valid external primary server, raise the Packets per second value accordingly.

    100100100  Auto  EARLY PASS IPv4 UDP Notify messages  (enabled if Infoblox DNS serves as a secondary server with IPv4 external primaries configured)
    100100101  Auto  EARLY PASS IPv6 UDP Notify messages  (enabled if Infoblox DNS serves as a secondary server with IPv6 external primaries configured)
    100100200  Auto  EARLY PASS IPv4 TCP Notify messages  (enabled if Infoblox DNS serves as a secondary server with IPv4 external primaries configured)
    100100201  Auto  EARLY PASS IPv6 TCP Notify messages  (enabled if Infoblox DNS serves as a secondary server with IPv6 external primaries configured)

DDNS NOTIFY rules. Each of the following auto rules passes UDP NOTIFY messages for DDNS update under the same pass/block behaviour and with the same parameters as the NOTIFY rules above (Packets per second default = 1000; Drop interval default = 10 seconds; Events per second default = 1).

    100100300  Auto  EARLY PASS IPv4 UDP Notify messages for DDNS update  (enabled if DDNS update is enabled for IPv4 clients)
    100100350  Auto  EARLY PASS IPv6 UDP Notify messages for DDNS update  (enabled if DDNS update is enabled for IPv6 clients)

Zone transfer rate-limit rules. Each of the following auto rules passes the named zone transfer requests (AXFR = full transfer, IXFR = incremental transfer) if the packet rate is below the Packets per second value; if any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval. Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1). Comments: consider tuning Packets per second if Infoblox DNS serves a large number of zones; if the rule is triggered and the source IP address is a valid secondary server, raise the Packets per second value accordingly.

    130100100  Auto  RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests  (enabled if Infoblox DNS allows incoming IPv4 zone transfer requests)
    130100101  Auto  RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests  (enabled if Infoblox DNS allows incoming IPv6 zone transfer requests)
    130100200  Auto  RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests  (enabled if Infoblox DNS allows incoming IPv4 zone transfer requests)
    130100201  Auto  RATELIMIT PASS IPv6 TCP DNS AXFR zone transfer requests  (enabled if Infoblox DNS allows incoming IPv6 zone transfer requests)
    130100300  Auto  RATELIMIT PASS IPv4 UDP DNS IXFR zone transfer requests  (enabled if Infoblox DNS allows incoming IPv4 zone transfer requests)
    130100301  Auto  RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests  (enabled if Infoblox DNS allows incoming IPv6 zone transfer requests)
    130100400  Auto  RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests  (enabled if Infoblox DNS allows incoming IPv4 zone transfer requests)
    130100401  Auto  RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests  (enabled if Infoblox DNS allows incoming IPv6 zone transfer requests)

Zone transfer drop rules. Each of the following auto rules drops the named zone transfer requests when zone transfer is disabled; only the Events per second parameter (default = 1) is configurable. All four are enabled if Infoblox DNS does not allow incoming zone transfer requests.

    130200100  Auto  DROP UDP DNS AXFR zone transfer requests
    130200200  Auto  DROP TCP DNS AXFR zone transfer requests
    130200300  Auto  DROP UDP DNS IXFR zone transfer requests
    130200400  Auto  DROP TCP DNS IXFR zone transfer requests
130500100 System DNS A record You can configure this rule to passor drop UDP packets that containA record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500200 System DNS AAAA record You can configure this rule to passor drop UDP packets that contain
AAAA record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500300 System DNS CNAMErecord
You can configure this rule to passor drop UDP packets that containCNAME record request Thedefault Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500400 System DNS DS record You can configure this rule to passor drop UDP packets that containDS record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500500 System DNS PTR record You can configure this rule to passor drop UDP packets that containPTR record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500600 System DNS NS record You can configure this rule to passor drop UDP packets that containNS record request The defaultAction = Pass
Enabled bydefault
Action (default = Pass)
Events per second (default = 1)
130500700 System DNS NSEC record You can configure this rule to passor drop UDP packets that containNSEC record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500800 System DNS NSEC3record
You can configure this rule to passor drop UDP packets that containNSEC3 record request Thedefault Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130500900 System DNSNSEC3PARAMrecord
You can configure this rule to passor drop UDP packets that containNSEC3PARAM record request The
default Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second
(default = 1)
130501000 System DNS MX record You can configure this rule to passor drop UDP packets that containMX record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130501100 System DNS SRV record You can configure this rule to passor drop UDP packets that containSRV record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130501200 System DNS TXT record You can configure this rule to passor drop UDP packets that containTXT record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130501300 System DNS DNAME
record
You can configure this rule to pass
or drop UDP packets that containDNAME record request Thedefault Action = Pass
Enabled by
default
Action
(default = Pass)Events per second (default = 1)
130501400 System DNS RRSIG record You can configure this rule to passor drop UDP packets that containRRSIG record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130501500 System DNS NAPTRrecord
You can configure this rule to passor drop UDP packets that containNAPTR record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
Rule ID
Rule
Type
Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 930
DNS Message Type
NIOS 612 NIOS Administrator Guide (Rev A) 1505
130501600 System DNS DNSKEYrecord
(continued) | | | You can configure this rule to pass or drop UDP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501700 | System | DNS SPF record | You can configure this rule to pass or drop UDP packets that contain SPF record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501800 | System | DNS DHCID record | You can configure this rule to pass or drop UDP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501900 | System | DNS SOA record | You can configure this rule to pass or drop UDP packets that contain SOA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502000 | System | DNS SIG record | You can configure this rule to pass or drop UDP packets that contain SIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502100 | System | DNS LOC record | You can configure this rule to pass or drop UDP packets that contain LOC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502200 | System | DNS SSHFP record | You can configure this rule to pass or drop UDP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502300 | System | DNS IPSECKEY record | You can configure this rule to pass or drop UDP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502400 | System | DNS TKEY record | You can configure this rule to pass or drop UDP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502500 | System | DNS TSIG record | You can configure this rule to pass or drop UDP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502600 | System | DNS TA record | You can configure this rule to pass or drop UDP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502700 | System | DNS DLV record | You can configure this rule to pass or drop UDP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502800 | System | DNS ANY record | You can configure this rule to pass or drop UDP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502900 | System | DNS A record TCP | You can configure this rule to pass or drop TCP packets that contain A record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503000 | System | DNS AAAA record TCP | You can configure this rule to pass or drop TCP packets that contain AAAA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503100 | System | DNS CNAME record TCP | You can configure this rule to pass or drop TCP packets that contain CNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503200 | System | DNS DS record TCP | You can configure this rule to pass or drop TCP packets that contain DS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503300 | System | DNS PTR record TCP | You can configure this rule to pass or drop TCP packets that contain PTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503400 | System | DNS NS record TCP | You can configure this rule to pass or drop TCP packets that contain NS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503500 | System | DNS NSEC record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503600 | System | DNS NSEC3 record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3 record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503700 | System | DNS NSEC3PARAM record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3PARAM record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503800 | System | DNS MX record TCP | You can configure this rule to pass or drop TCP packets that contain MX record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain SRV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain TXT record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain DNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain RRSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain NAPTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain SPF record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain SOA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain SIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504900 | System | DNS ROC record TCP | You can configure this rule to pass or drop TCP packets that contain ROC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
General DDoS
The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.
Table H5 General DDoS Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) |
110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) |
110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) |
130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) |
130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) |
Reconnaissance
Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.
The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.
You can configure the following rule parameter for all rules in this category:
• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) prevents the appliance from logging events for the rule. The default value is 10.
Table H6 Reconnaissance Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1) |
110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1) |
DNS Malware
DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.
The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver, such as a Microsoft DNS server.
Table H7 DNS Malware Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of FaceBook messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) |
130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare. | Always enabled | Events per second (default = 1) |
130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server. | Always enabled | Events per second (default = 1) |
DNS Protocol Anomalies
DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.
The following table lists the rules that are used to mitigate DNS protocol anomalies sent to the appliance.
Table H8 DNS Protocol Anomalies Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) |
110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when the DNS Label in the name being queried is too long. | Always enabled | Events per second (default = 1) |
110100600 | Auto | EARLY DROP UDP query invalid question count | This rule drops UDP DNS packets when the number of entries in the question section is invalid. | Always enabled | Events per second (default = 1) |
110100700 | Auto | EARLY DROP UDP query invalid question class | This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid. | Always enabled | Events per second (default = 1) |
110100800 | Auto | EARLY DROP UDP query invalid question string | This rule drops UDP DNS packets that contain an invalid question string. | Always enabled | Events per second (default = 1) |
110100850 | Auto | EARLY UDP drop invalid DNS query with Authority | This rule drops UDP DNS queries that contain an invalid AUTHORITY entry. | Always enabled | Events per second (default = 1) |
110100900 | Auto | EARLY DROP query multiple questions or non-query operation code | This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query. | Always enabled | Events per second (default = 1) |
130000700 | Auto | EARLY DROP TCP non-DNS query | This rule drops TCP packets when the operation code is not Query. | Always enabled | Events per second (default = 1) |
130000800 | Auto | EARLY DROP TCP query multiple questions | This rule drops TCP DNS packets when there are multiple questions being queried at one time. | Always enabled | Events per second (default = 1) |
130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority | This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) |
130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority | This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) |
130300200 | Auto | DROP TCP invalid DNS query with Authority | This rule drops TCP DNS queries that contain invalid Authority entries. | Always enabled | Events per second (default = 1) |
Potential DDoS Related Domains
This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.
Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
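The checks behind the DNS Protocol Anomalies rules in Table H8 (question count, operation code, name and label length, question class, Authority entries), as an added Python example that is not Infoblox code. It assumes the RFC 1035 limits (255-octet name, 63-octet label) as the "too long" thresholds and uses only the header counts for the Authority checks; the sample queries are constructed.

```python
"""Detection checks modelled on the DNS Protocol Anomalies rules (Table H8).

Added example, not Infoblox code: it parses the header and question section
of a DNS message and reports which anomaly classes from the table apply.
Limits follow RFC 1035 (name <= 255 octets, label <= 63 octets); the
appliance's own thresholds are not documented on this page (assumption).
"""
import struct

MAX_NAME_LEN = 255              # RFC 1035 limit on the wire-format name
MAX_LABEL_LEN = 63              # RFC 1035 limit on a single label
VALID_CLASSES = {1, 3, 4, 255}  # QCLASS values IN, CH, HS, ANY
OPCODE_QUERY = 0
QTYPE_IXFR = 251


def parse_name(pkt, offset):
    """Read an uncompressed name; return (labels, next_offset, wire_length)."""
    labels, wire_len = [], 0
    while True:
        if offset >= len(pkt):
            raise ValueError("name runs past the end of the packet")
        length = pkt[offset]
        if (length & 0xC0) == 0xC0:
            raise ValueError("compression pointer in a question name")
        offset += 1
        wire_len += 1 + length
        if length == 0:
            return labels, offset, wire_len
        label = pkt[offset:offset + length]
        if len(label) != length:
            raise ValueError("label runs past the end of the packet")
        labels.append(label)
        offset += length


def anomalies(pkt):
    """Return the sorted anomaly tags for one DNS message (empty list = clean)."""
    if len(pkt) < 12:
        return ["truncated-header"]
    _, flags, qdcount, _, nscount, _ = struct.unpack("!HHHHHH", pkt[:12])
    tags = set()
    opcode = (flags >> 11) & 0x0F
    if opcode != OPCODE_QUERY:
        tags.add("non-query-opcode")             # 110100900 / 130000700
    if qdcount == 0:
        tags.add("invalid-question-count")       # 110100600
    elif qdcount > 1:
        tags.add("multiple-questions")           # 110100900 / 130000800
    offset, qtype = 12, None
    for _ in range(qdcount):
        try:
            labels, offset, wire_len = parse_name(pkt, offset)
        except ValueError:
            tags.add("invalid-question-string")  # 110100800
            break
        if wire_len > MAX_NAME_LEN:
            tags.add("question-name-too-long")   # 110100400
        if any(len(label) > MAX_LABEL_LEN for label in labels):
            tags.add("label-too-long")           # 110100500
        if offset + 4 > len(pkt):
            tags.add("invalid-question-string")
            break
        qtype, qclass = struct.unpack("!HH", pkt[offset:offset + 4])
        offset += 4
        if qclass not in VALID_CLASSES:
            tags.add("invalid-question-class")   # 110100700
    # Authority section: an IXFR query must carry exactly one entry (its SOA);
    # any other query should carry none (130100500/130100600, 110100850/130300200).
    if qtype == QTYPE_IXFR:
        if nscount != 1:
            tags.add("invalid-ixfr-authority-count")
    elif nscount != 0:
        tags.add("query-with-authority")
    return sorted(tags)


def build_query(qname, qtype=1, qclass=1, opcode=0, qdcount=1, nscount=0):
    """Constructed test input: encode one question with the given header fields."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".") if l)
    name += b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, opcode << 11, qdcount, 0, nscount, 0)
    return header + name + struct.pack("!HH", qtype, qclass)
```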
TCP/UDP Flood
TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit the TCP and UDP protocols.
The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.
Table H9 TCP/UDP Flood Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.
130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.
130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.
130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.
DNS DDoS
The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.
Table H10 DNS DDoS Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers, and NO errors.
200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
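The warn-then-block rate limiting described for rules 130000100/130000200 in Table H9, and with no low threshold the single-threshold DNS DDoS rules in Table H10, as an added Python example that is not Infoblox code. It assumes packets are counted per source IP in one-second windows (the appliance's measurement interval is not stated on this page) and that Events per second caps log entries per rule, source and second; the burst is constructed.

```python
"""Per-source rate limiting with a warn threshold and a block threshold.

Added example, not Infoblox code. It models the behaviour described for
rules 130000100/130000200 (Table H9: WARN at the low Packets per second
value, WARN & BLOCK at the high one, then drop for Drop interval) and,
with warn_pps=None, the single-threshold DNS DDoS rules in Table H10.
Rates are counted per one-second window (assumption: the appliance's
measurement interval is not documented here).
"""


class RateLimiter:
    def __init__(self, warn_pps, block_pps, drop_interval, events_per_second=1):
        # NOTE from Table H9: the low threshold must be below the high one.
        if warn_pps is not None and warn_pps >= block_pps:
            raise ValueError("warn threshold must be lower than block threshold")
        self.warn_pps = warn_pps
        self.block_pps = block_pps
        self.drop_interval = drop_interval
        self.events_per_second = events_per_second
        self.window = {}         # src -> [window_second, packets_in_window]
        self.blocked_until = {}  # src -> time at which the Drop interval ends
        self.events = []         # (rule, src, second) log entries
        self._event_count = {}   # (rule, src, second) -> entries already logged

    def _log(self, rule, src, now):
        """Honour Events per second: at most N entries per rule, source and second."""
        key = (rule, src, int(now))
        n = self._event_count.get(key, 0)
        if n < self.events_per_second:
            self._event_count[key] = n + 1
            self.events.append(key)

    def observe(self, src, now):
        """Return PASS, WARN, BLOCK or DROP for one packet from src at time now (seconds)."""
        until = self.blocked_until.get(src)
        if until is not None:
            if now < until:
                return "DROP"              # still inside the Drop interval
            del self.blocked_until[src]
        sec = int(now)
        win = self.window.get(src)
        if win is None or win[0] != sec:
            win = [sec, 0]                 # new one-second window for this source
            self.window[src] = win
        win[1] += 1
        count = win[1]
        if count > self.block_pps:
            # Rate exceeded the high threshold: block this source for Drop interval.
            self.blocked_until[src] = now + self.drop_interval
            self._log("block", src, now)
            return "BLOCK"
        if count == self.block_pps:
            self._log("warn-high", src, now)   # high rule warns when the rate equals its value
            return "WARN"
        if self.warn_pps is not None and count >= self.warn_pps:
            self._log("warn-low", src, now)    # low rule warns at or above its value
            return "WARN"
        return "PASS"


def simulate(limiter, packets):
    """Feed (src, time) pairs and return a count of each verdict."""
    verdicts = {}
    for src, t in packets:
        v = limiter.observe(src, t)
        verdicts[v] = verdicts.get(v, 0) + 1
    return verdicts


if __name__ == "__main__":
    # Constructed burst: one source sends 1200 UDP DNS queries within one second,
    # checked against the Table H9 defaults (40 warn, 1000 block, 5 second drop interval).
    rl = RateLimiter(warn_pps=40, block_pps=1000, drop_interval=5)
    burst = [("203.0.113.10", i / 1200) for i in range(1200)]
    print(simulate(rl, burst))              # {'PASS': 39, 'WARN': 961, 'BLOCK': 1, 'DROP': 199}
    print(rl.observe("203.0.113.10", 2.0))  # DROP: still inside the Drop interval
    print(rl.observe("203.0.113.10", 6.0))  # PASS: interval elapsed, fresh window
```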
DNS Tunneling
DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.
The following table lists the system rules used to mitigate DNS tunneling on your advanced appliance.
Table H11 Anti DNS Tunneling Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
DNS Amplification and Reflection
DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification recognizes UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers to the Internet cloud. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.
Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that are sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.
The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.
Table H12 DNS Amplification and Reflection Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders, and VPN concentrators.
130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) |
130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
NTP
The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.
Table H13 NTP Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) |
130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) |
200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |
200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |
200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |
200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |
200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |
200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |
200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |
200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |
200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |
200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |
200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |
200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |
200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) |
200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) |
200001110 Auto DROP NTP privatemode requestsunexpected
When NTP service isdisabled this rule drops allUDP NTP private mode 7requests
Enabled whenNTP service isdisabled on thismember
Events per second (default=1)
200001115 Auto DROP invalid NTPrequests
When NTP service isdisabled this rule drops allinvalid UDP NTP requests
Enabled whenNTP service isdisabled on thismember
Events per second (default=1)
BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130700100 | Auto | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700200 | Auto | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700300 | Auto | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain spoofed connection resets. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700400 | Auto | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700500 | Auto | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | |
| 130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | |
| 130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | |
| 130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | |
| 130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured | Events per second (default = 1) | This rule is exclusive with other rules based on whether BGP is configured on the member or not. |

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

| Rule ID | Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured | Events per second (default = 1) | Default drop rule for all packets on the OSPF service port. |
| 130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4 | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100) | |
| 130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6 | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100) | |
| 130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | This rule works for both IPv4 and IPv6. |
ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default = 1) | |
| 130900100 | Auto | RATELIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130900200 | Auto | RATELIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100) | |
| 130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100) | |
| 130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902300 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902400 | Auto | RATELIMIT PASS ICMPv6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902500 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903400 | Auto | RATELIMIT ICMP port unreachable | This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default = 10); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

| Rule ID | Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | N/A | |
| 140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default = 1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet. |
| 140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default = 1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet. |
| 140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default = 0) | |
| 140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default = 0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default = 0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default = 0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default = 0) | This is a catch-all rule that drops anything that does not match any other rules in the system. |
HA Support
The following table lists auto rules that are used to pass packets that go through the Virtual Router RedundancyProtocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support
Table H18 HA Support Rules
Custom Rule Templates
Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules Notethat when you use a specific rule template to create custom rules the new rules reside in their respective rulecategories For information about custom rules and creating custom rules see Custom Rules on page 1341 andCreating Custom Rules on page 1343
For each rule you create you can define the Events per second value to determine the number of events per secondthat will be logged for the rule You can also define specific rule parameters for custom rules as follows
Note Custom rules do not support IDNs (Internationalized Domain Names) To use IDNs for custom rules you mustfirst convert the IDNs into puny codes You can use the IDN Converter from the Toolbar for the conversion
bull BLACKLIST FQDN lookup TCP Use this rule template to create custom rules for blacklisting DNS queries by FQDNlookups on TCP In the Rule Parameters table complete the following
mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over TCP traffic You can also enter alist of FQDNs using semicolon as the separator
bull BLACKLIST FQDN lookup UDP Use this rule template to create custom rules for blacklisting DNS queries byFQDN lookups on UDP In the Rule Parameters table complete the following
mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over UDP traffic You can also enter alist of FQDNs using semicolon as the separator
bull BLACKLIST IP TCP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP TCP template In the Rule Parameters table complete the following
mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all TCP traffic from the specified Ipv4 and IPv6
addresses and networks will be blocked Enter network addresses in addressCIDR formatbull BLACKLIST IP UDP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6
addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP UDP template In the Rule Parameters table complete the following
mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all UDP traffic from the specified Ipv4 and IPv6addresses and networks will be blocked Enter network addresses in addressCIDR format
bull RATELIMITED FQDN lookup UDP Use this rule template to create custom rules that contains rate limitingrestrictions for blocking DNS queries by FQDN lookups on UDP traffic In the Rule Parameters table completethe following
Rule ID
Rule
Type
Rule Name Description Enable Condition Parameters Comments
140000750 Auto PASS VRRP This rule passes packets thatgo through VRRP for HAsupport
Enabled if HA isconfigured
NA
140000760 Auto PASS IGMP This rule passes packets thatgo through IGMP for HAsupport
Enabled if HA isconfigured
NA
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2930
Custom Rule Templates
NIOS 612 NIOS Administrator Guide (Rev A) 1525
mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this ruleThe default is 5
mdash Drop interval Enter the number of seconds for which the appliance drops packets
mdash Blacklist rate limited FQDN Enter the FQDN that is affected by the rate limit value configured for this ruleThe appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDNexceeds the configured rate limit value
bull RATELIMITED IP TCP Use this rule template to create custom rules that contains rate limiting restrictions forblacklisting IP addresses on TCP If there are certain IP addresses that you want to block before its traffic reachesthe rate limit restrictions you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting templateIn the Rule Parameters table complete the following
  – Packets per second: Enter the number of packets per second that defines the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval, in seconds, during which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second that defines the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval, in seconds, during which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the UDP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
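The rate limit, drop interval and whitelist/blacklist ordering described for these templates, as an added simulation that is not Infoblox code: a per-source packet counter using the template defaults (5 packets per second, 30-second drop interval), with the whitelist and blacklist checks evaluated before the limit. The addresses and timings are constructed, and the example assumes the block starts on the packet that takes a source over the limit; the exact boundary behaviour at the limit is not specified on this page.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RateLimiter:
    """Per-source rate limit with a drop interval, plus whitelist/blacklist
    checks that run before the limit, as the templates above describe.
    Added example; the real appliance logic is not shown on this page."""
    packets_per_second: int = 5          # template default
    drop_interval: float = 30.0          # template default, in seconds
    whitelist: list = field(default_factory=list)     # WHITELIST IP: pass prior to rate limiting
    blacklist: list = field(default_factory=list)     # BLACKLIST IP: drop prior to rate limiting
    rate_limited: list = field(default_factory=list)  # RATELIMITED IP: networks the limit applies to
    _counts: dict = field(default_factory=dict)         # src -> (one-second bucket, packets seen in it)
    _blocked_until: dict = field(default_factory=dict)  # src -> time at which the drop interval ends

    @staticmethod
    def _matches(src, nets):
        return any(src in net for net in nets)

    def decide(self, src_str, t):
        """Return "PASS" or "DROP" for one packet from src_str arriving at time t (seconds)."""
        src = ip_address(src_str)
        if self._matches(src, self.whitelist):
            return "PASS"          # whitelisted sources bypass every rate limiting rule
        if self._matches(src, self.blacklist):
            return "DROP"          # blacklisted sources are dropped before any counting
        if not self._matches(src, self.rate_limited):
            return "PASS"          # not covered by this rule; later rules would decide
        until = self._blocked_until.get(src)
        if until is not None and t < until:
            return "DROP"          # still inside the drop interval
        bucket = int(t)
        seen_bucket, count = self._counts.get(src, (bucket, 0))
        if seen_bucket != bucket:
            count = 0              # a new one-second window starts
        count += 1
        self._counts[src] = (bucket, count)
        if count > self.packets_per_second:
            # Assumption: the packet that exceeds the limit is dropped and the
            # source stays blocked until the drop interval expires.
            self._blocked_until[src] = t + self.drop_interval
            return "DROP"
        return "PASS"


def run_trace(limiter, packets):
    """Apply the limiter to a list of (source, time) tuples and return the decisions."""
    return [limiter.decide(src, t) for src, t in packets]


def demo():
    """Constructed scenario: one covered source bursting, one whitelisted, one blacklisted."""
    limiter = RateLimiter(
        packets_per_second=5,
        drop_interval=30.0,
        whitelist=[ip_network("198.51.100.0/24")],
        blacklist=[ip_network("203.0.113.7/32")],
        rate_limited=[ip_network("192.0.2.0/24")],
    )
    burst = [("192.0.2.10", 0.1 * i) for i in range(7)]   # 7 packets inside the first second
    later = [("192.0.2.10", 10.0), ("192.0.2.10", 31.0)]  # inside, then after, the drop interval
    allowed = [("198.51.100.5", 0.1 * i) for i in range(20)]
    denied = [("203.0.113.7", 0.0)]
    return {
        "burst": run_trace(limiter, burst),          # 5 x PASS, then 2 x DROP
        "later": run_trace(limiter, later),          # DROP at 10 s, PASS at 31 s
        "whitelisted": run_trace(limiter, allowed),  # 20 x PASS despite exceeding 5 pps
        "blacklisted": run_trace(limiter, denied),   # DROP before any counting
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```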
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
100100101 | Auto | EARLY PASS IPv6 UDP Notify messages | This rule passes IPv6 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.
100100200 | Auto | EARLY PASS IPv4 TCP Notify messages | This rule passes IPv4 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.
100100201 | Auto | EARLY PASS IPv6 TCP Notify messages | This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.
100100300 | Auto | EARLY PASS IPv4 UDP Notify messages for DDNS update | This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval. | Enabled if DDNS update is enabled for IPv4 clients | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
100100350 | Auto | EARLY PASS IPv6 UDP Notify messages for DDNS update | This rule passes IPv6 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval. | Enabled if DDNS update is enabled for IPv6 clients | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
130100100 | Auto | RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests | This rule passes IPv4 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for the time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100101 | Auto | RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests | This rule passes IPv6 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for the time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100200 | Auto | RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests | This rule passes IPv4 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100201 | Auto | RATELIMIT PASS IPv6 TCP DNS AXFR zone transfer requests | This rule passes IPv6 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100300 | Auto | RATELIMIT PASS IPv4 UDP DNS IXFR zone transfer requests | This rule passes IPv4 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100301 | Auto | RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests | This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100400 | Auto | RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests | This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100401 | Auto | RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests | This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130200100 | Auto | DROP UDP DNS AXFR zone transfer requests | This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1)
130200200 | Auto | DROP TCP DNS AXFR zone transfer requests | This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1)
130200300 | Auto | DROP UDP DNS IXFR zone transfer requests | This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1)
130200400 | Auto | DROP TCP DNS IXFR zone transfer requests | This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1)
130500100 | System | DNS A record | You can configure this rule to pass or drop UDP packets that contain A record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130500200 | System | DNS AAAA record | You can configure this rule to pass or drop UDP packets that contain AAAA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130500300 | System | DNS CNAME record | You can configure this rule to pass or drop UDP packets that contain CNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130500400 | System | DNS DS record | You can configure this rule to pass or drop UDP packets that contain DS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130500500 | System | DNS PTR record | You can configure this rule to pass or drop UDP packets that contain PTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130500600 | System | DNS NS record | You can configure this rule to pass or drop UDP packets that contain NS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130500700 | System | DNS NSEC record | You can configure this rule to pass or drop UDP packets that contain NSEC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130500800 | System | DNS NSEC3 record | You can configure this rule to pass or drop UDP packets that contain NSEC3 record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130500900 | System | DNS NSEC3PARAM record | You can configure this rule to pass or drop UDP packets that contain NSEC3PARAM record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130501000 | System | DNS MX record | You can configure this rule to pass or drop UDP packets that contain MX record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130501100 | System | DNS SRV record | You can configure this rule to pass or drop UDP packets that contain SRV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130501200 | System | DNS TXT record | You can configure this rule to pass or drop UDP packets that contain TXT record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130501300 | System | DNS DNAME record | You can configure this rule to pass or drop UDP packets that contain DNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130501400 | System | DNS RRSIG record | You can configure this rule to pass or drop UDP packets that contain RRSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130501500 | System | DNS NAPTR record | You can configure this rule to pass or drop UDP packets that contain NAPTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130501600 | System | DNS DNSKEY record | You can configure this rule to pass or drop UDP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130501700 | System | DNS SPF record | You can configure this rule to pass or drop UDP packets that contain SPF record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130501800 | System | DNS DHCID record | You can configure this rule to pass or drop UDP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130501900 | System | DNS SOA record | You can configure this rule to pass or drop UDP packets that contain SOA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130502000 | System | DNS SIG record | You can configure this rule to pass or drop UDP packets that contain SIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130502100 | System | DNS LOC record | You can configure this rule to pass or drop UDP packets that contain LOC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130502200 | System | DNS SSHFP record | You can configure this rule to pass or drop UDP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130502300 | System | DNS IPSECKEY record | You can configure this rule to pass or drop UDP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130502400 | System | DNS TKEY record | You can configure this rule to pass or drop UDP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130502500 | System | DNS TSIG record | You can configure this rule to pass or drop UDP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130502600 | System | DNS TA record | You can configure this rule to pass or drop UDP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130502700 | System | DNS DLV record | You can configure this rule to pass or drop UDP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130502800 | System | DNS ANY record | You can configure this rule to pass or drop UDP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130502900 | System | DNS A record TCP | You can configure this rule to pass or drop TCP packets that contain A record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130503000 | System | DNS AAAA record TCP | You can configure this rule to pass or drop TCP packets that contain AAAA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130503100 | System | DNS CNAME record TCP | You can configure this rule to pass or drop TCP packets that contain CNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130503200 | System | DNS DS record TCP | You can configure this rule to pass or drop TCP packets that contain DS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130503300 | System | DNS PTR record TCP | You can configure this rule to pass or drop TCP packets that contain PTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130503400 | System | DNS NS record TCP | You can configure this rule to pass or drop TCP packets that contain NS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130503500 | System | DNS NSEC record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130503600 | System | DNS NSEC3 record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3 record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130503700 | System | DNS NSEC3PARAM record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3PARAM record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130503800 | System | DNS MX record TCP | You can configure this rule to pass or drop TCP packets that contain MX record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain SRV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain TXT record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain DNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain RRSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain NAPTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain SPF record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain SOA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain SIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130504900 | System | DNS LOC record TCP | You can configure this rule to pass or drop TCP packets that contain LOC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1)
General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1)
110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1)
110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1)
130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1)
130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1)

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1)
110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1)
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 1330
DNS Malware
NIOS 612 NIOS Administrator Guide (Rev A) 1509
DNS Malware
DNS malware is software used to disrupt your DNS service gather sensitive information or gain access to yourappliance It can include downloaders backdoors trojan horses and other malicious software
The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to aresolver such as a Microsoft DNS server
Table H7 DNS Malware Rules
DNS Protocol Anomalies
DNS protocol anomalies send malformed DNS packets including unexpected header and payload values to thetargeted server This causes the server to stop responding or crash which results in an infinite loop in server threadsThese anomalies sometimes take the form of impersonation attacks
The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance
Table H8 DNS Protocol Anomalies Rules
Rule ID
Rule
Type
Rule Name Description
Enable
Condition
Parameters Comments
110100300 Auto EARLY DROP UDPMALWARE backdoor
This rule drops UDPpackets that contain thebackdoor malwareBKDR_QUEJOBEVL whichposes as an installer ofFaceBook messenger Thismalware may be spread asa malicious attachment inemail messages
Always enabled Events per second (default = 1)
130300300 Auto DROP MALWAREtrojan downloader
This rule drops UDPpackets that contain thetrojan downloadermalware which downloadsand installs new versionsof malicious programsincluding Trojans andAdWare
Always enabled Events per second (default = 1)
130300400 Auto DROP MALWAREpossible Hiloti
This rule drops UDPpackets that contain trojanHiloti malicious programsthat may downloadpotentially malicious filesfrom a remote server andreport system informationback to the server
Always enabled Events per second (default = 1)
Rule ID
Rule
Type
Rule Name Description
Enable
Condition
Parameters Comments
110100400 Auto EARLY DROP UDP DNSquestion name too long
This rule drops UDP DNSpackets when the DNSQuestion Name is toolong
Always enabled Events per second (default = 1)
110100500 Auto EARLY DROP UDP DNSlabel too long
This rule drops UDP DNSpackets when the DNSLabel in the name beingqueried is too long
Always enabled Events per second (default = 1)
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 1430
1510 NIOS Administrator Guide (Rev A) NIOS 612
Potential DDoS Related Domains
This rule category includes system rules the appliance uses to blacklist domains that may have been the targets orsubjects in NXDOMAIN or DDoS attacks These rules block all FQDN lookups on UDP for domains that have beenobserved to be used as targets in DDoS attacks The rules are enabled by default You can disable them whennecessary
Note that these rules capture currently observed bad domain names that can change on a regular basis Infobloxrecommends that you update to the latest ruleset to capture the most current rules in this category For informationabout how to update to the latest ruleset see Managing Threat Protection Rules on page 1352
110100600  Auto  EARLY DROP UDP query invalid question count
  Description: This rule drops UDP DNS packets when the number of entries in the question section is invalid.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

110100700  Auto  EARLY DROP UDP query invalid question class
  Description: This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

110100800  Auto  EARLY DROP UDP query invalid question string
  Description: This rule drops UDP DNS packets that contain an invalid question string.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

110100850  Auto  EARLY UDP drop invalid DNS query with Authority
  Description: This rule drops UDP DNS queries that contain an invalid AUTHORITY entry.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

110100900  Auto  EARLY DROP query multiple questions or non-query operation code
  Description: This rule drops UDP DNS packets when multiple questions are queried at one time or the operation code is not Query.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130000700  Auto  EARLY DROP TCP non-DNS query
  Description: This rule drops TCP packets whose operation code is not Query.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130000800  Auto  EARLY DROP TCP query multiple questions
  Description: This rule drops TCP DNS packets when multiple questions are queried at one time.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130100500  Auto  DROP UDP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entry.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130100600  Auto  DROP TCP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entry.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130300200  Auto  DROP TCP invalid DNS query with Authority
  Description: This rule drops TCP DNS queries that contain invalid Authority entries.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).
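The early-drop checks listed above (question count, operation code, question class, question string, Authority entries, and the IXFR Authority count) can be expressed as one validator over the DNS header and question section. The Python below is an added example, not Infoblox code: the helper names (build_query, parse_name, check_query) and the set of accepted question classes are this example's own choices, the IXFR rule follows RFC 1995 (an IXFR request carries exactly one SOA in its Authority section), and every packet is constructed inline rather than captured.

```python
"""Sanity checks on inbound DNS queries, following the early-drop rules above:
invalid question count, non-Query opcode, invalid question class, malformed
question string, unexpected Authority entries, and IXFR requests that do not
carry exactly one Authority entry. Added example, not Infoblox code; helper
names and the accepted class set are this example's choices, and all packets
are constructed."""
import struct

HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
OPCODE_QUERY = 0
QTYPE_IXFR = 251
VALID_QCLASSES = {1, 3, 4, 255}     # IN, CH, HS and ANY (QCLASS "*")


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels. Deliberately does no
    length checking so that malformed questions can be built for the checker."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_query(name, qtype=1, qclass=1, opcode=0, qdcount=1, nscount=0):
    """Build a minimal query. Only the header count is set for the Authority
    section, because the rules above look at the count, not the records."""
    flags = (opcode & 0xF) << 11                    # QR=0, opcode in bits 11-14
    header = HEADER.pack(0x1234, flags, qdcount, 0, nscount, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_name(packet, offset):
    """Return (name, offset after the name) or raise ValueError if malformed."""
    labels, total = [], 0
    while True:
        if offset >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length >= 64:                            # > 63 octets, or a compression pointer
            raise ValueError("label longer than 63 octets or pointer in question")
        if offset + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
        total += length + 1
        if total > 255:
            raise ValueError("name longer than 255 octets")


def check_query(packet):
    """Return the list of drop reasons for one DNS query; an empty list means accept."""
    if len(packet) < HEADER.size:
        return ["packet shorter than the 12-octet DNS header"]
    _, flags, qdcount, _, nscount, _ = HEADER.unpack_from(packet)
    reasons = []
    if ((flags >> 11) & 0xF) != OPCODE_QUERY:
        reasons.append("operation code is not Query")           # 110100900 / 130000700
    if qdcount == 0:
        reasons.append("invalid question count")                # 110100600
        return reasons
    if qdcount > 1:
        reasons.append("multiple questions in one query")       # 110100900 / 130000800
    try:
        _, offset = parse_name(packet, HEADER.size)
        if offset + 4 > len(packet):
            raise ValueError("question truncated before type and class")
        qtype, qclass = struct.unpack_from("!HH", packet, offset)
    except ValueError as exc:
        reasons.append(f"invalid question string: {exc}")       # 110100800
        return reasons
    if qclass not in VALID_QCLASSES:
        reasons.append(f"invalid question class {qclass}")      # 110100700
    if qtype == QTYPE_IXFR:
        if nscount != 1:                                        # 130100500 / 130100600
            reasons.append(f"IXFR request with {nscount} Authority entries")
    elif nscount != 0:                                          # 110100850 / 130300200
        reasons.append("query carries Authority entries")
    return reasons


if __name__ == "__main__":
    for pkt in (build_query("example.com"), build_query("example.com", qdcount=2),
                build_query("example.com", qtype=QTYPE_IXFR, nscount=0)):
        print(check_query(pkt) or "accept")
```

The checker stops after the first structural failure (question count or question string) because nothing after that point can be parsed reliably, which is also why the rules above are "early drop": they reject before the query reaches the resolver.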
TCP/UDP Flood
TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.
The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.
Table H.9 TCP/UDP Flood Rules
Each entry lists the Rule ID, Rule Type and Rule Name, followed by the Description, Enable/Disable Condition, Parameters and Comments.

130000100  System  WARN about high rate inbound UDP DNS queries
  Description: This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 40); Events per second (default = 1).
  Comments: Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.

130000200  System  WARN & BLOCK high rate inbound UDP DNS queries
  Description: This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.

130000300  System  WARN about high rate inbound TCP DNS queries
  Description: This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 5); Events per second (default = 1).
  Comments: Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.

130000400  System  WARN & BLOCK high rate inbound TCP DNS queries
  Description: This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.
DNS DDoS
The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.
Table H.10 DNS DDoS Rules
200000001  System  NXDOMAIN rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

200000002  System  NXRRSET rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers and NO errors.

200000003  System  SERVFAIL rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.
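The WARN / WARN & BLOCK pairs in Table H.9 and the response-code rate limiting rules in Table H.10 share one mechanism: count packets per source IP, raise an event when the count reaches the warn threshold, and block the source for Drop interval once the count exceeds the block threshold. The Python below models that mechanism as an added example, not Infoblox code: SourceRateLimiter and the simulate_* functions are this example's own names, the one-second sliding window is this example's simplification (the appliance's exact measurement window is not stated in the guide), the thresholds are the table defaults, the NXDOMAIN case feeds only responses with RCODE 3 into the limiter, and all traffic is constructed. The same pattern underlies the RATELIMIT PASS rules for NTP, BGP, OSPF and ICMP later in this chapter.

```python
"""Per-source rate limiting with a warn threshold, a block threshold and a drop
interval, modelled on the WARN / WARN & BLOCK rule pairs (130000100/130000200)
and the NXDOMAIN rate limiting rule (200000001). Added example, not Infoblox
code; the one-second sliding window and all sample traffic are constructed."""
from collections import defaultdict, deque

RCODE_NXDOMAIN = 3   # DNS response code: the queried name does not exist


class SourceRateLimiter:
    """Classify packets per source IP over a one-second sliding window.

    warn_pps:      rate at which an event is raised but traffic still passes
                   (the WARN rule; default 40 pps for inbound UDP DNS).
    block_pps:     rate above which the source is blocked (the WARN & BLOCK
                   rule; default 1000 pps). It must not be lower than
                   warn_pps, which is the NOTE attached to rule 130000100.
    drop_interval: seconds the source stays blocked after the block fires.
    """

    def __init__(self, warn_pps, block_pps, drop_interval):
        if warn_pps > block_pps:
            raise ValueError("warn threshold must not exceed block threshold")
        self.warn_pps = warn_pps
        self.block_pps = block_pps
        self.drop_interval = drop_interval
        self._window = defaultdict(deque)   # src -> timestamps seen in the last second
        self._blocked_until = {}            # src -> time at which the block expires

    def observe(self, src, ts):
        """Return PASS, WARN, BLOCK or DROP for one packet from src at time ts."""
        until = self._blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "DROP"                # still inside the drop interval
            del self._blocked_until[src]     # interval elapsed: start counting afresh
        window = self._window[src]
        window.append(ts)
        while window[0] <= ts - 1.0:         # evict timestamps older than one second
            window.popleft()
        rate = len(window)
        if rate > self.block_pps:
            self._blocked_until[src] = ts + self.drop_interval
            window.clear()
            return "BLOCK"
        if rate >= self.warn_pps:
            return "WARN"
        return "PASS"


def simulate_udp_queries():
    """Constructed traffic against the Table H.9 defaults (40 / 1000 pps, 5 s):
    client-a sends 60 queries in 0.6 s; client-b sends 1001 queries in 0.5 s,
    retries 2 s in, then again 6 s in, after the drop interval has elapsed."""
    limiter = SourceRateLimiter(warn_pps=40, block_pps=1000, drop_interval=5.0)
    verdicts = defaultdict(lambda: defaultdict(int))
    for i in range(60):
        verdicts["client-a"][limiter.observe("client-a", i * 0.01)] += 1
    for i in range(1001):
        verdicts["client-b"][limiter.observe("client-b", i * 0.0005)] += 1
    verdicts["client-b"][limiter.observe("client-b", 2.0)] += 1   # blocked until 5.5 s
    verdicts["client-b"][limiter.observe("client-b", 6.0)] += 1   # block has expired
    return {src: dict(v) for src, v in verdicts.items()}


def simulate_nxdomain_responses():
    """Constructed (ts, src, rcode) responses: only NXDOMAIN answers count
    toward rule 200000001 (1000 pps, 5 s); NOERROR answers are ignored."""
    limiter = SourceRateLimiter(warn_pps=1000, block_pps=1000, drop_interval=5.0)
    responses = [(i * 0.0001, "resolver-x", RCODE_NXDOMAIN if i % 2 == 0 else 0)
                 for i in range(2004)]
    verdicts = defaultdict(int)
    for ts, src, rcode in responses:
        if rcode != RCODE_NXDOMAIN:
            continue
        verdicts[limiter.observe(src, ts)] += 1
    return dict(verdicts)


if __name__ == "__main__":
    print(simulate_udp_queries())
    print(simulate_nxdomain_responses())
```

Two details carry the tuning advice from the tables: the constructor refuses a warn threshold above the block threshold (the NOTE on rules 130000100/130000200), and a source that sits behind NAT, a static forwarder or a VPN concentrator is a single src key here, which is exactly why the Comments columns suggest raising Packets per second for those environments.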
DNS Tunneling
DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.
The following table lists the rules that are used to mitigate DNS tunneling on your advanced appliance.
Table H.11 Anti DNS Tunneling Rules

130000500  System  RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS packet size exceeds the configured value.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

130000600  Auto  RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS packet size exceeds the configured value.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

200000004  System  DNS tunneling rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size.
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

DNS Amplification and Reflection
DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification exploit the fact that UDP is an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.
Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that is sent to the unwitting spoofed victim. (This type of response is typically sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.
The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.
Table H.12 DNS Amplification and Reflection Rules

130400100  Auto  WARN & DROP DoS DNS possible reflection/amplification attack attempts
  Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders and VPN concentrators.

130400500  System  RATE LIMIT PASS UDP DNS root requests with additional RRs
  Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1).

130400600  System  RATE LIMIT PASS UDP DNS root requests
  Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

NTP
The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.
Table H.13 NTP Rules

130600100  Auto  RATELIMIT PASS NTP TIME responses
  Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
  Enable condition: Enabled when the NTP client is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1).

130600120  Auto  DROP NTP TIME responses
  Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
  Enable condition: Enabled when the NTP client is disabled.
  Parameters: Events per second (default = 1).
200001001  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable condition: Enabled when NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001005  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable condition: Enabled when NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001010  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable condition: Enabled when NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001015  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable condition: Enabled when NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001020  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable condition: Enabled when NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001025  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable condition: Enabled when NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001050  Auto  RATELIMIT PASS NTPQ IPv4 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval.
  Enable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).
200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
  Enable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
  Enable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval.
  Enable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
  Enable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001075  Auto  RATELIMIT PASS NTP private mode IPv6 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
  Enable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001100  Auto  DROP NTPQ requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
  Enable condition: Enabled when NTP service is disabled on this member.
  Parameters: Events per second (default = 1).

200001105  Auto  DROP NTP TIME requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
  Enable condition: Enabled when NTP service is disabled on this member.
  Parameters: Events per second (default = 1).

200001110  Auto  DROP NTP private mode requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
  Enable condition: Enabled when NTP service is disabled on this member.
  Parameters: Events per second (default = 1).

200001115  Auto  DROP invalid NTP requests
  Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
  Enable condition: Enabled when NTP service is disabled on this member.
  Parameters: Events per second (default = 1).
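How the NTP rules in Table H.13 fit together (drop every request on UDP/123 when the NTP service is disabled, drop TIME responses when the NTP client is disabled, treat un-authenticated mode 7 GET_RESTRICT / PEER_LIST_SUM / PEER_LIST requests with IMPL 0x02 or 0x03 as possible NTP DDoS, and hand everything else to the per-ACL rate-limit rules) can be shown as a classifier over the first bytes of each packet. The Python below is an added example, not Infoblox code. The implementation numbers are the ones named in the table; the mode 7 request-code numbers (PEER_LIST = 0, PEER_LIST_SUM = 1, GET_RESTRICT = 16) and the mode 7 header layout are assumed from the reference ntpd's ntp_request.h, and the sample payloads are constructed, not captured.

```python
"""Classify inbound NTP (UDP/123) payloads the way the rules in Table H.13 do:
drop all requests when the NTP service is disabled, drop TIME responses when the
NTP client is disabled, flag un-authenticated mode 7 GET_RESTRICT / PEER_LIST_SUM /
PEER_LIST requests with IMPL 0x02 or 0x03 as possible NTP DDoS, and hand the rest
to the ACL rate-limit rules. Added example, not Infoblox code. The IMPL values come
from the table; the mode 7 request numbers are assumed from ntpd's ntp_request.h."""

MODE_CLIENT, MODE_SERVER, MODE_CONTROL, MODE_PRIVATE = 3, 4, 6, 7
IMPL_XNTPD_OLD, IMPL_XNTPD = 0x02, 0x03                         # named in the rule table
REQ_PEER_LIST, REQ_PEER_LIST_SUM, REQ_GET_RESTRICT = 0, 1, 16   # assumed from ntp_request.h
SUSPICIOUS_REQUESTS = {REQ_PEER_LIST: "PEER_LIST",
                       REQ_PEER_LIST_SUM: "PEER_LIST_SUM",
                       REQ_GET_RESTRICT: "GET_RESTRICT"}
MIN_LEN = {MODE_CONTROL: 12, MODE_PRIVATE: 8}   # other modes need the full 48-byte header


def parse_ntp(payload):
    """Return mode, version and, for mode 7, the response/auth bits, implementation
    and request code. Raises ValueError for payloads no NTP parser would accept."""
    if not payload:
        raise ValueError("empty payload")
    first = payload[0]
    info = {"mode": first & 0x07, "version": (first >> 3) & 0x07}
    if len(payload) < MIN_LEN.get(info["mode"], 48):
        raise ValueError("payload too short for mode %d" % info["mode"])
    if info["mode"] == MODE_PRIVATE:   # ntpdc layout: R|M|VN|mode, A|seq, impl, req
        info["response"] = bool(first & 0x80)
        info["authenticated"] = bool(payload[1] & 0x80)
        info["implementation"] = payload[2]
        info["request"] = payload[3]
    return info


def classify(payload, ntp_server_enabled, ntp_client_enabled):
    """Map one inbound packet to (what it is, action) following Table H.13.
    Invalid payloads are dropped in both states; the table names that drop only
    for the disabled case (200001115), so the enabled case is this example's choice."""
    try:
        info = parse_ntp(payload)
    except ValueError:
        return ("invalid NTP request", "DROP")
    mode = info["mode"]
    if mode == MODE_SERVER:                                    # 130600100 / 130600120
        return ("NTP TIME response", "RATELIMIT_PASS" if ntp_client_enabled else "DROP")
    kind = {MODE_CLIENT: "NTP TIME request", MODE_CONTROL: "NTPQ request",
            MODE_PRIVATE: "NTP private mode request"}.get(mode, "NTP mode %d packet" % mode)
    if not ntp_server_enabled:                                 # 200001100 - 200001115
        return (kind, "DROP")
    if mode == MODE_PRIVATE and not info["response"]:
        if (not info["authenticated"]
                and info["implementation"] in (IMPL_XNTPD_OLD, IMPL_XNTPD)
                and info["request"] in SUSPICIOUS_REQUESTS):    # 200001001 - 200001025
            name = SUSPICIOUS_REQUESTS[info["request"]]
            return ("possible NTP DDoS: un-authed %s IMPL 0x%02X"
                    % (name, info["implementation"]), "WARN_AND_BLOCK")
    if mode in (MODE_CLIENT, MODE_CONTROL, MODE_PRIVATE):      # 200001050 - 200001075
        return (kind, "RATELIMIT_PASS")
    return (kind, "DROP")


# Constructed sample payloads (not captures).
SAMPLES = {
    "time_request": bytes([0x23]) + bytes(47),                   # LI=0, VN=4, mode 3
    "time_response": bytes([0x24]) + bytes(47),                  # mode 4
    "ntpq_request": bytes([0x26]) + bytes(11),                   # mode 6 control header
    "get_restrict_unauthed": bytes([0x17, 0x00, 0x03, 0x10]) + bytes(4),  # VN=2, mode 7, impl 3, req 16
    "get_restrict_authed": bytes([0x17, 0x80, 0x03, 0x10]) + bytes(4),    # same, auth bit set
    "truncated": bytes([0x17, 0x00, 0x03]),
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, classify(payload, ntp_server_enabled=True, ntp_client_enabled=True))
```

The actions returned here are families, not final verdicts: RATELIMIT_PASS still has to go through the per-ACL counters (10 packets per second, 60 second drop interval by default), and the enable conditions in the table decide whether the IPv4 or IPv6 ACL rule applies at all.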
BGP
The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.
Table H.14 BGP Rules
130700100  Auto  DROP BGP header length shorter than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is shorter than the RFC specification.
  Enable condition: Enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700200  Auto  DROP BGP header length longer than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is longer than the RFC specification.
  Enable condition: Enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700300  Auto  DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
  Enable condition: This rule is enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700400  Auto  DROP BGP invalid type 0
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
  Enable condition: This rule is enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700500  Auto  DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
  Enable condition: This rule is enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700550  Auto  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable condition: This rule is enabled when BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10).

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
  Description: This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable condition: This rule is enabled when BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10).

130700650  Auto  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable condition: This rule is enabled when BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10).
130700700  Auto  RATELIMIT PASS BGP allowed with IPv6 peer
  Description: This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable condition: This rule is enabled when BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10).

130800100  Auto  DROP BGP unexpected
  Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
  Enable condition: This rule takes effect when BGP service on this member is NOT configured.
  Parameters: Events per second (default = 1).
  Comments: This rule is exclusive with other rules based on whether BGP is configured on the member or not.

OSPF
The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.
Table H.15 OSPF Rules
130900300  Auto  DROP OSPF unexpected
  Description: This rule drops unexpected OSPF packets.
  Enable condition: This rule takes effect when OSPF service on this member is NOT configured.
  Parameters: Events per second (default = 1).
  Comments: Default drop rule for all packets on the OSPF service port.

130900400  Auto  RATELIMIT PASS OSPF multicast
  Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: This rule takes effect when OSPF service on this member is configured for IPv4.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100).

130900500  Auto  RATELIMIT PASS OSPF IPv6 multicast
  Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: This rule takes effect when OSPF service on this member is configured for IPv6.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100).

130900600  Auto  RATELIMIT PASS OSPF
  Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: This rule takes effect when OSPF service on this member is configured.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).
  Comments: This rule works for both IPv4 and IPv6.
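The header checks behind rules 130700100 to 130700500 in Table H.14 (header length shorter or longer than the specification, message type 0, message type greater than 5) correspond to the fixed 19-octet BGP message header of RFC 4271: a marker of 16 octets of ones, a two-octet length that must lie between 19 and 4096, and a one-octet type of 1 to 4 (plus 5 for ROUTE-REFRESH from RFC 2918). The validator below is an added example, not Infoblox code: the per-type minimum lengths are taken from RFC 4271 and RFC 2918, the spoofed-reset rule (130700300) is a TCP-layer check that is not modelled here, and the messages are constructed by the build_message helper.

```python
"""Validate BGP message headers against RFC 4271 (and RFC 2918 for ROUTE-REFRESH),
covering the checks behind rules 130700100 to 130700500: header length shorter or
longer than the specification, message type 0, and message type greater than 5.
Added example, not Infoblox code; the sample messages are constructed by build_message."""
import struct

MARKER = b"\xff" * 16
HEADER_LEN = 19                 # 16-octet marker + 2-octet length + 1-octet type
MAX_MESSAGE_LEN = 4096          # RFC 4271 section 4.1
TYPE_NAMES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}
# Smallest legal length per type (RFC 4271 sections 4.2-4.5; RFC 2918 section 3).
MIN_LEN_BY_TYPE = {1: 29, 2: 23, 3: 21, 4: 19, 5: 23}


def build_message(mtype, body=b"", length=None):
    """Construct a message; pass length to forge a header that lies about its size."""
    if length is None:
        length = HEADER_LEN + len(body)
    return MARKER + struct.pack("!HB", length, mtype) + body


def check_bgp_header(msg):
    """Return the list of reasons to drop msg; an empty list means the header is sane."""
    if len(msg) < HEADER_LEN:
        return ["message shorter than the 19-octet BGP header"]
    length, mtype = struct.unpack_from("!HB", msg, 16)
    reasons = []
    if msg[:16] != MARKER:
        reasons.append("marker is not sixteen 0xff octets")
    if mtype == 0:                                              # 130700400
        reasons.append("invalid message type 0")
    elif mtype > 5:                                             # 130700500
        reasons.append(f"invalid message type {mtype} (greater than 5)")
    if length < HEADER_LEN:                                     # 130700100
        reasons.append(f"header length {length} shorter than spec minimum {HEADER_LEN}")
    elif length > MAX_MESSAGE_LEN:                              # 130700200
        reasons.append(f"header length {length} longer than spec maximum {MAX_MESSAGE_LEN}")
    else:
        minimum = MIN_LEN_BY_TYPE.get(mtype)
        if minimum is not None and length < minimum:
            reasons.append(f"{TYPE_NAMES[mtype]} length {length} shorter than type minimum {minimum}")
        elif mtype == 4 and length != HEADER_LEN:
            reasons.append(f"KEEPALIVE length {length} is not exactly {HEADER_LEN}")
        if len(msg) < length:
            reasons.append(f"declared length {length} exceeds the {len(msg)} octets received")
    return reasons


if __name__ == "__main__":
    for sample in (build_message(4), build_message(4, length=18), build_message(2, length=5000),
                   build_message(0), build_message(6), build_message(1)):
        print(check_bgp_header(sample) or "accept")
```

A TCP stream can split one BGP message across several segments, so on a live socket the declared-length check should be applied after reassembly; the length and type checks themselves only need the first 19 octets, which is what lets the appliance drop bad headers before the session process sees them.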
ICMP
ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be re"ached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.
The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.
Table H.16 ICMP Rules
130400200  Auto  DROP ICMP large packets
  Description: This rule drops large ICMP packets (bigger than 800).
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130900100  Auto  RATE LIMIT PASS ICMP Ping
  Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).

130900200  Auto  RATE LIMIT PASS ICMPv6 Ping
  Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).

130900700  Auto  RATELIMIT PASS ICMPv6 destination unreachable
  Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100).

130900800  Auto  RATELIMIT PASS ICMPv6 packet too big
  Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100).

130900900  Auto  RATELIMIT PASS ICMPv6 ping responses
  Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).

130901000  Auto  RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).
130901100  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2530
ICMP
NIOS 612 NIOS Administrator Guide (Rev A) 1521
130901900 Auto RATELIMIT PASS ICMPv6listener query
This rule passes ICMPv6 listenerquery messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a
time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902000 Auto RATELIMIT PASS ICMPv6listener report
This rule passes ICMPv6 listenerreport messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902100 Auto RATELIMIT PASS ICMPv6listener done
This rule passes ICMPv6 listenerdone messages if the packet rateis less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval )
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902200 Auto RATELIMIT PASS ICMPv6listener report v2
This rule passes ICMPv6 listenerreport v2 messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902300 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement
This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902400 Auto RATELIMIT PASS ICMPV6multicast routersolicitation
This rule passes ICMPv6multicast router solicitationmessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902500 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement
This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902600 Auto RATELIMIT PASS ICMPping responses This rule passes ICMP pingresponses if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2630
1522 NIOS Administrator Guide (Rev A) NIOS 612
130902700 Auto RATELIMIT PASS ICMProuter advertisement
This rule passes ICMP routeradvertisement if the packet rateis less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a
time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130902800 Auto RATELIMIT PASS ICMProuter solicitation
This rule passes ICMP routersolicitation messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130902900 Auto RATELIMIT PASS ICMPtime exceeded
This rule passes ICMP timeexceeded messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903000 Auto RATELIMIT PASS ICMPparameter problem
This rule passes ICMP parameterproblems if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903100 Auto RATELIMIT PASS ICMPv6hop limit exceeded orICMPv4 networkunreachable
This rule passes ICMPv6 HopLimit Exceeded messages orICMPv4 Network Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a time
specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130903200 Auto RATELIMIT PASS ICMPv6fragment reassemblytime exceeded orICMPv4 hostunreachable
This rule passes ICMPv6fragment reassembly timeexceeded messages or ICMPv4host unreachable messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903300 Auto RATELIMIT PASS ICMPprotocol unreachable
This rule passes ICMP protocolunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks all
such traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903400 Auto RATELIMIT ICMP portunreachable
This rule passes ICMP portunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora certain period of time(specified in Drop interval )
Always enabled Events per second (default=10)
Drop Interval (default=10 sec)
Packets per second (default=50)
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2730
Default PassDrop
NIOS 612 NIOS Administrator Guide (Rev A) 1523
Default Pass Drop
The following table lists the system rules that are used to pass or drop packets on your advanced appliance All rulesare disabled by default
Table H17 Default PassDrop Rules
130903500 Auto RATELIMIT PASS ICMPfragmentation needed
This rule passes ICMPfragmentation needed messagesif the packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP for
a certain period of time(specified in Drop interval )
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
Rule ID
Rule
Type Rule Name Description
Enable
Condition Parameters Comments
100000050 System EARLY PASS TCPwith flowbits set
This rule passes TCP trafficthat has the flowbitsoptions set and marked OK
Enabled bydefault
NA
140000100 System DROP UDP DNSunexpected
This rule drops anyunexpected UDP DNSpackets
Enabled bydefault
Events per second (default=1)
Default drop rule for the DNSservice port If this rule istriggered most likely thispacket is an invalid DNS UDPpacket
140000200 System DROP TCP DNSunexpected
This rule drops anyunexpected TCP DNSpackets
Enabled bydefault
Events per second (default=1)
Default drop rule for the DNSservice port If this rule istriggered most likely thispacket is an invalid DNS TCPpacket
140000400 System PASS TCPestablished packets
This passes all TCPestablished packets
Enabled bydefault
Events per second (default=0)
140000500 System DROP TCPunexpected
This rule drops anyunexpected TCP packets
Enabled bydefault
Events per second (default=0)
This rule drops any TCP packeton any port If this rule istriggered most likely thispacket is not intended forservices on this member
140000600 System DROP UDPunexpected
This rule drops anyunexpected UDP packets
Enabled bydefault
Events per second (default=0)
This rule drops any UDP packeton any port If this rule istriggered most likely thispacket is not intended forservices on this member
140000700 System DROP ICMPunexpected
This rule drops anyunexpected ICMP packets
Enabled bydefault
Events per second (default=0)
This rule drops any ICMPpacket If this rule is triggeredmost likely this packet is notintended for services on thismember
140000800 System DROP unexpectedprotocol
This rule drops anyunexpected protocolpackets
Enabled bydefault
Events per second (default=0)
This is a catch all rule thatdrops anything that does notmatch any other rules in thesystem
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2830
1524 NIOS Administrator Guide (Rev A) NIOS 612
HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | NA | |
| 140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | NA | |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  – Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  – Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  – Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  – Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  – Drop interval: Enter the number of seconds for which the appliance drops packets.
  – Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
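The following Python model is an added illustration, not Infoblox code: it replays constructed traffic through the template order described above (WHITELIST IP passes prior to rate limiting, BLACKLIST IP drops prior to rate limiting, then a RATELIMITED IP rule with Packets per second and Drop interval), with Events per second capping the log events each rule emits per second. The addresses, thresholds, rule labels and the one-second counting window are assumptions of the model.

```python
"""Model of the custom rule template semantics described on this page (an added
illustration, not Infoblox code): WHITELIST IP passes and BLACKLIST IP drops prior
to rate limiting, RATELIMITED IP applies Packets per second plus Drop interval, and
Events per second caps the log events a rule emits. One-second windows are assumed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PASS, DROP = "PASS", "DROP"


@dataclass
class Rule:
    name: str
    networks: List[str]                 # address/CIDR strings, as the templates accept
    action: str                         # verdict when a whitelist/blacklist rule matches
    events_per_second: int = 1          # page default for custom rules
    packets_per_second: Optional[int] = None  # set only for RATELIMITED rules
    drop_interval: int = 30             # seconds; page default for RATELIMITED IP
    _event_sec: int = field(default=-1, repr=False)
    _event_count: int = field(default=0, repr=False)

    def matches(self, src: str) -> bool:
        addr = ip_address(src)
        return any(addr in ip_network(n, strict=False) for n in self.networks)

    def log(self, t: float, events: List[str], msg: str) -> None:
        """Append a log event unless this rule's Events per second cap is reached."""
        sec = int(t)
        if sec != self._event_sec:
            self._event_sec, self._event_count = sec, 0
        if self._event_count < self.events_per_second:
            self._event_count += 1
            events.append(f"t={sec}s {self.name}: {msg}")


@dataclass
class SourceState:
    window_sec: int = -1        # whole second of the current counting window
    count: int = 0              # packets from this source in that second
    blocked_until: float = 0.0  # end of the Drop interval, if blocked


class RuleEngine:
    """Evaluates rules in list order; the caller lists them in template order."""

    def __init__(self, rules: List[Rule], default_action: str = PASS):
        self.rules = rules
        self.default_action = default_action
        self.events: List[str] = []
        self.state: Dict[Tuple[str, str], SourceState] = {}  # (rule, src) -> state

    def rate_limit(self, rule: Rule, src: str, t: float) -> str:
        st = self.state.setdefault((rule.name, src), SourceState())
        sec = int(t)
        if t >= st.blocked_until:                 # not inside a Drop interval
            if sec != st.window_sec:              # new one-second window
                st.window_sec, st.count = sec, 0
            st.count += 1
            if st.count <= rule.packets_per_second:
                return PASS
            st.blocked_until = t + rule.drop_interval   # start the Drop interval
        rule.log(t, self.events, f"rate limit exceeded, dropping {src}")
        return DROP

    def process(self, src: str, t: float) -> Tuple[str, str]:
        for rule in self.rules:
            if not rule.matches(src):
                continue
            if rule.packets_per_second is None:   # whitelist / blacklist rule
                rule.log(t, self.events, f"{rule.action} {src}")
                return rule.action, rule.name
            return self.rate_limit(rule, src, t), rule.name
        return self.default_action, "default"


def build_engine() -> RuleEngine:
    """Constructed rule set in template order; addresses are documentation ranges."""
    return RuleEngine([
        Rule("WHITELIST IP UDP Pass prior to rate limiting", ["192.0.2.10/32"], PASS),
        Rule("BLACKLIST IP UDP Drop prior to rate limiting", ["198.51.100.0/24"], DROP),
        Rule("RATELIMITED IP UDP", ["0.0.0.0/0"], PASS, packets_per_second=5, drop_interval=30),
    ])


def simulate() -> Dict[str, List[str]]:
    """Replay constructed traffic; return verdicts per source plus the log under '_log'."""
    engine = build_engine()
    traffic = (
        [("192.0.2.10", 0.01 * i) for i in range(8)]      # whitelisted burst
        + [("198.51.100.7", 0.5)]                          # blacklisted source
        + [("203.0.113.5", 0.1 * i) for i in range(8)]     # 8 packets in second 0
        + [("203.0.113.5", 10.0), ("203.0.113.5", 31.0)]   # inside / after Drop interval
    )
    traffic.sort(key=lambda pkt: pkt[1])
    verdicts: Dict[str, List[str]] = {}
    for src, t in traffic:
        action, _ = engine.process(src, t)
        verdicts.setdefault(src, []).append(action)
    verdicts["_log"] = engine.events
    return verdicts
```

With these settings the unlisted source gets five packets through in its first second, is dropped for the rest of that second and at t=10, and passes again at t=31 once the 30-second Drop interval has elapsed, while the rate-limit rule logs only one event per second.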
DNS Message Type
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130100201 | Auto | RATELIMIT PASS IPv6 TCP DNS AXFR zone transfer requests | This rule passes IPv6 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100300 | Auto | RATELIMIT PASS IPv4 UDP DNS IXFR zone Transfer requests | This rule passes IPv4 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100301 | Auto | RATELIMIT PASS IPv6 UDP DNS IXFR zone Transfer requests | This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100400 | Auto | RATELIMIT PASS IPv4 TCP DNS IXFR zone Transfer requests | This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100401 | Auto | RATELIMIT PASS IPv6 TCP DNS IXFR zone Transfer requests | This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130200100 | Auto | DROP UDP DNS AXFR zone transfer requests | This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| 130200200 | Auto | DROP TCP DNS AXFR zone transfer requests | This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| 130200300 | Auto | DROP UDP DNS IXFR zone Transfer requests | This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| 130200400 | Auto | DROP TCP DNS IXFR zone Transfer requests | This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130500100 | System | DNS A record | You can configure this rule to pass or drop UDP packets that contain an A record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500200 | System | DNS AAAA record | You can configure this rule to pass or drop UDP packets that contain an AAAA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500300 | System | DNS CNAME record | You can configure this rule to pass or drop UDP packets that contain a CNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500400 | System | DNS DS record | You can configure this rule to pass or drop UDP packets that contain a DS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500500 | System | DNS PTR record | You can configure this rule to pass or drop UDP packets that contain a PTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500600 | System | DNS NS record | You can configure this rule to pass or drop UDP packets that contain an NS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500700 | System | DNS NSEC record | You can configure this rule to pass or drop UDP packets that contain an NSEC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500800 | System | DNS NSEC3 record | You can configure this rule to pass or drop UDP packets that contain an NSEC3 record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500900 | System | DNS NSEC3PARAM record | You can configure this rule to pass or drop UDP packets that contain an NSEC3PARAM record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501000 | System | DNS MX record | You can configure this rule to pass or drop UDP packets that contain an MX record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501100 | System | DNS SRV record | You can configure this rule to pass or drop UDP packets that contain an SRV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501200 | System | DNS TXT record | You can configure this rule to pass or drop UDP packets that contain a TXT record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501300 | System | DNS DNAME record | You can configure this rule to pass or drop UDP packets that contain a DNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501400 | System | DNS RRSIG record | You can configure this rule to pass or drop UDP packets that contain an RRSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501500 | System | DNS NAPTR record | You can configure this rule to pass or drop UDP packets that contain a NAPTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130501600 | System | DNS DNSKEY record | You can configure this rule to pass or drop UDP packets that contain a DNSKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501700 | System | DNS SPF record | You can configure this rule to pass or drop UDP packets that contain an SPF record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501800 | System | DNS DHCID record | You can configure this rule to pass or drop UDP packets that contain a DHCID record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501900 | System | DNS SOA record | You can configure this rule to pass or drop UDP packets that contain an SOA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502000 | System | DNS SIG record | You can configure this rule to pass or drop UDP packets that contain a SIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502100 | System | DNS LOC record | You can configure this rule to pass or drop UDP packets that contain a LOC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502200 | System | DNS SSHFP record | You can configure this rule to pass or drop UDP packets that contain an SSHFP record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502300 | System | DNS IPSECKEY record | You can configure this rule to pass or drop UDP packets that contain an IPSECKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502400 | System | DNS TKEY record | You can configure this rule to pass or drop UDP packets that contain a TKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502500 | System | DNS TSIG record | You can configure this rule to pass or drop UDP packets that contain a TSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502600 | System | DNS TA record | You can configure this rule to pass or drop UDP packets that contain a TA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502700 | System | DNS DLV record | You can configure this rule to pass or drop UDP packets that contain a DLV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502800 | System | DNS ANY record | You can configure this rule to pass or drop UDP packets that contain an ANY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502900 | System | DNS A record TCP | You can configure this rule to pass or drop TCP packets that contain an A record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503000 | System | DNS AAAA record TCP | You can configure this rule to pass or drop TCP packets that contain an AAAA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130503100 | System | DNS CNAME record TCP | You can configure this rule to pass or drop TCP packets that contain a CNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503200 | System | DNS DS record TCP | You can configure this rule to pass or drop TCP packets that contain a DS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503300 | System | DNS PTR record TCP | You can configure this rule to pass or drop TCP packets that contain a PTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503400 | System | DNS NS record TCP | You can configure this rule to pass or drop TCP packets that contain an NS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503500 | System | DNS NSEC record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503600 | System | DNS NSEC3 record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC3 record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503700 | System | DNS NSEC3PARAM record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC3PARAM record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503800 | System | DNS MX record TCP | You can configure this rule to pass or drop TCP packets that contain an MX record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain an SRV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain a TXT record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain a DNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain an RRSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain a NAPTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain a DNSKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain an SPF record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
130504600 System DNS DHCIDrecord TCP
You can configure this rule to passor drop TCP packets that containDHCID record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130504700 System DNS SOA recordTCP
You can configure this rule to passor drop TCP packets that contain
SOA record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130504800 System DNS SIG recordTCP
You can configure this rule to passor drop TCP packets that containSIG record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130504900 System DNS ROC recordTCP
You can configure this rule to passor drop TCP packets that containROC record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130505000 System DNS SSHFPrecord TCP
You can configure this rule to passor drop TCP packets that containSSHFP record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130505100 System DNS IPSECKEYrecord TCP
You can configure this rule to passor drop TCP packets that containIPSECKEY record request Thedefault Action = Pass
Enabled bydefault
Action (default = Pass)
Events per second (default = 1)
130505200 System DNS TKEY recordTCP
You can configure this rule to passor drop TCP packets that containTKEY record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130505300 System DNS TSIG recordTCP
You can configure this rule to passor drop TCP packets that containTSIG record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130505400 System DNS TA recordTCP
You can configure this rule to passor drop TCP packets that containTA record request The default
Action = Pass
Enabled bydefault
Action
(default = Pass)
Events per second
(default = 1)
130505500 System DNS DLV recordTCP
You can configure this rule to passor drop TCP packets that containDLV record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
130505600 System DNS ANY recordTCP
You can configure this rule to passor drop TCP packets that containANY record request The defaultAction = Pass
Enabled bydefault
Action
(default = Pass)
Events per second (default = 1)
General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |
| 130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1) | |
| 110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1) | |
DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of FaceBook messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) | |
| 130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare. | Always enabled | Events per second (default = 1) | |
| 130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server. | Always enabled | Events per second (default = 1) | |

DNS Protocol Anomalies

DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.

The following table lists the rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) | |
| 110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when the DNS Label in the name being queried is too long. | Always enabled | Events per second (default = 1) | |
| 110100600 | Auto | EARLY DROP UDP query invalid question count | This rule drops UDP DNS packets when the number of entries in the question section is invalid. | Always enabled | Events per second (default = 1) | |
| 110100700 | Auto | EARLY DROP UDP query invalid question class | This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid. | Always enabled | Events per second (default = 1) | |
| 110100800 | Auto | EARLY DROP UDP query invalid question string | This rule drops UDP DNS packets that contain an invalid question string. | Always enabled | Events per second (default = 1) | |
| 110100850 | Auto | EARLY UDP drop invalid DNS query with Authority | This rule drops UDP DNS queries that contain an invalid AUTHORITY entry. | Always enabled | Events per second (default = 1) | |
| 110100900 | Auto | EARLY DROP query multiple questions or non query operation code | This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000700 | Auto | EARLY DROP TCP non-DNS query | This rule drops TCP packets when the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000800 | Auto | EARLY DROP TCP query multiple questions | This rule drops TCP DNS packets when there are multiple questions being queried at one time. | Always enabled | Events per second (default = 1) | |
| 130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority | This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority | This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130300200 | Auto | DROP TCP invalid DNS query with Authority | This rule drops TCP DNS queries that contain invalid Authority entries. | Always enabled | Events per second (default = 1) | |

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
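The question-section checks behind the Table H8 rules above (110100400 through 130300200), as an added Python example; this is not Infoblox code, and the RFC 1035 length limits, the set of classes treated as valid, and the authority-section rules are assumptions about what the appliance enforces rather than its actual logic:

```python
import struct

# Added example, not Infoblox code: approximates the question-section checks
# behind the Table H8 rules. Limits follow RFC 1035; the set of "valid" classes
# and the authority-section rules below are assumptions, not the appliance's
# actual logic.
MAX_NAME_LEN = 255                # whole name on the wire, RFC 1035 2.3.4
MAX_LABEL_LEN = 63                # one label, RFC 1035 2.3.4
VALID_QCLASSES = {1, 3, 4, 255}   # IN, CH, HS, ANY (assumed "valid" set)
OPCODE_QUERY = 0
QTYPE_IXFR = 251


def parse_name(data, offset):
    """Parse an uncompressed wire-format name; return (labels, next_offset).

    Raises ValueError on truncation or on a compression pointer (illegal in
    a question name). Length limits are checked by the caller so that each
    violation maps to its own rule ID.
    """
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of packet")
        length = data[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if (length & 0xC0) == 0xC0:
            raise ValueError("compression pointer in question name")
        label = data[offset:offset + length]
        if len(label) != length:
            raise ValueError("label runs past end of packet")
        labels.append(label)
        offset += length


def check_dns_query(packet, transport="udp"):
    """Return the Table H8 rule IDs a query trips (empty list = clean)."""
    hits = []

    def hit(udp_rule, tcp_rule=None):
        rule = udp_rule if transport == "udp" or tcp_rule is None else tcp_rule
        if rule not in hits:
            hits.append(rule)

    if len(packet) < 12:                   # not even a full header
        hit("110100800")
        return hits
    _id, flags, qdcount, _an, nscount, _ar = struct.unpack("!6H", packet[:12])
    if ((flags >> 11) & 0xF) != OPCODE_QUERY:
        hit("110100900", "130000700")      # operation code is not Query
    if qdcount == 0:
        hit("110100600")                   # invalid question count
        return hits
    if qdcount > 1:
        hit("110100900", "130000800")      # multiple questions at one time
    try:
        labels, off = parse_name(packet, 12)
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    except (ValueError, struct.error):
        hit("110100800")                   # invalid question string
        return hits
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        hit("110100500")                   # label too long
    if sum(len(label) + 1 for label in labels) + 1 > MAX_NAME_LEN:
        hit("110100400")                   # question name too long
    if qclass not in VALID_QCLASSES:
        hit("110100700")                   # invalid question class
    if qtype == QTYPE_IXFR:
        if nscount != 1:                   # IXFR must carry exactly one SOA
            hit("130100500", "130100600")
    elif nscount != 0:                     # plain query with Authority entries
        hit("110100850", "130300200")
    return hits


def build_query(qname, qtype=1, qclass=1, opcode=0, qdcount=1, nscount=0):
    """Constructed test packet (malformed on purpose where asked). Only the
    header counts are set; no authority RRs are appended, which is enough
    because the checks above read NSCOUNT rather than the section itself."""
    flags = (opcode & 0xF) << 11
    header = struct.pack("!6H", 0x1234, flags, qdcount, 0, nscount, 0)
    labels = [part.encode() for part in qname.rstrip(".").split(".") if part]
    name = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)
```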
TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit the TCP and UDP protocols.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200. |
| 130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100. |
| 130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400. |
| 130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300. |
DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H10 DNS DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers, and NO errors. |
| 200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
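The two-threshold scheme of Table H9 (a WARN rule at a low Packets per second, a WARN & BLOCK rule at a high one, a Drop interval, and an Events per second cap on logging) and the per-response-code rules of Table H10, as one added Python model; this is not Infoblox code, the source addresses, timings and streams are constructed, and the one-second sliding window is an assumption about how the appliance measures the rate:

```python
from collections import defaultdict, deque


class SourceRateLimiter:
    """Per-source-IP rate limiter modelled on the WARN / WARN & BLOCK pair
    (130000100 / 130000200) and on the response-code rules 200000001-3.

    Times are integer milliseconds. The rate is the number of counted
    packets from one source in the trailing 1000 ms: reaching warn_pps logs
    a warning, exceeding block_pps logs a block and drops everything from
    that source until drop_interval_ms has elapsed. `predicate` decides which
    packets are counted (every query for the flood pair, only queries that
    produced NXDOMAIN for rule 200000001). Added example, not Infoblox code.
    """

    def __init__(self, warn_pps, block_pps, drop_interval_ms,
                 events_per_second=1, predicate=lambda pkt: True):
        # The NOTE in Table H9: the WARN threshold must stay below the BLOCK one.
        if warn_pps is not None and warn_pps >= block_pps:
            raise ValueError("warn_pps must be lower than block_pps")
        self.warn_pps, self.block_pps = warn_pps, block_pps
        self.drop_interval_ms = drop_interval_ms
        self.events_per_second = events_per_second
        self.predicate = predicate
        self.window = defaultdict(deque)  # src -> timestamps of counted packets
        self.blocked_until = {}           # src -> ms at which its drop interval ends
        self.log = []                     # (t_ms, src, "WARN" | "BLOCK")
        self._budget = {}                 # (kind, second) -> events logged so far

    def _event(self, t_ms, src, kind):
        # "Events per second" caps log volume per rule; WARN and BLOCK are
        # separate rules on the appliance, so each gets its own budget.
        key = (kind, t_ms // 1000)
        if self._budget.get(key, 0) < self.events_per_second:
            self._budget[key] = self._budget.get(key, 0) + 1
            self.log.append((t_ms, src, kind))

    def handle(self, t_ms, pkt):
        """Return "PASS" or "DROP" for one inbound packet."""
        src = pkt["src"]
        until = self.blocked_until.get(src)
        if until is not None:
            if t_ms < until:
                return "DROP"            # still inside the drop interval
            del self.blocked_until[src]  # interval over: start counting afresh
        if not self.predicate(pkt):
            return "PASS"                # not the kind of packet this rule counts
        q = self.window[src]
        q.append(t_ms)
        while q[0] <= t_ms - 1000:       # slide the one-second window
            q.popleft()
        rate = len(q)
        if rate > self.block_pps:
            self.blocked_until[src] = t_ms + self.drop_interval_ms
            q.clear()
            self._event(t_ms, src, "BLOCK")
            return "DROP"
        if self.warn_pps is not None and rate >= self.warn_pps:
            self._event(t_ms, src, "WARN")
        return "PASS"


def run(limiter, stream):
    """Feed time-sorted (t_ms, pkt) pairs; return {src: {"PASS": n, "DROP": n}}."""
    tally = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for t_ms, pkt in stream:
        tally[pkt["src"]][limiter.handle(t_ms, pkt)] += 1
    return dict(tally)


def flood_demo():
    """Constructed six-second UDP DNS stream against the 130000100/130000200
    defaults (warn 40 pps, block 1000 pps, drop 5 s). Addresses are from the
    RFC 5737 documentation ranges."""
    stream = [(100 * i, {"src": "192.0.2.10"}) for i in range(60)]        # 10 pps: quiet
    stream += [(20 * i, {"src": "198.51.100.7"}) for i in range(300)]     # 50 pps: warn only
    stream += [(i // 2, {"src": "203.0.113.9"}) for i in range(12000)]    # 2000 pps: block
    stream.sort(key=lambda e: e[0])
    lim = SourceRateLimiter(warn_pps=40, block_pps=1000, drop_interval_ms=5000)
    return run(lim, stream), lim.log


def nxdomain_demo():
    """Same engine in the shape of rule 200000001: only NXDOMAIN-producing
    queries count, but once the source is blocked every packet from it drops."""
    lim = SourceRateLimiter(warn_pps=None, block_pps=1000, drop_interval_ms=5000,
                            predicate=lambda pkt: pkt["rcode"] == "NXDOMAIN")
    # 1500 pps of constructed random-subdomain lookups that all come back
    # NXDOMAIN, plus one legitimate NOERROR query per second that is dropped
    # along with them while the source is blocked.
    stream = [(2 * i // 3, {"src": "203.0.113.9", "rcode": "NXDOMAIN"}) for i in range(9000)]
    stream += [(1000 * k, {"src": "203.0.113.9", "rcode": "NOERROR"}) for k in range(6)]
    stream.sort(key=lambda e: e[0])
    return run(lim, stream), lim.log
```

The quiet client is never logged, the NAT source produces only warnings, and the flooding source is blocked once and dropped for the full drop interval before counting resumes.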
DNS Tunneling
DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification relies on UDP being an asymmetrical protocol (small requests, large responses) and on the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, a small query sent to any open DNS resolver can result in a single response containing several kilobytes or more that is sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders, and VPN concentrators. |
| 130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | |
| 130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H13 NTP Rules
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | |
| 130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) | |
| 200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130700100 | Auto | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured. | Events per second (default=1) |
130700200 | Auto | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured. | Events per second (default=1) |
130700300 | Auto | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset. | This rule is enabled when BGP service on this member is configured. | Events per second (default=1) |
130700400 | Auto | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0. | This rule is enabled when BGP service on this member is configured. | Events per second (default=1) |
130700500 | Auto | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured. | Events per second (default=1) |
130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers. | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10) |
130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers. | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10) |
130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers. | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10) |
130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers. | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10) |
130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured. | Events per second (default=1) | This rule is exclusive with other rules based on whether BGP is configured on the member or not.

OSPF
The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.
Table H15 OSPF Rules
Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured. | Events per second (default=1) | Default drop rule for all packets on the OSPF service port.
130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4. | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100) |
130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6. | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100) |
130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured. | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | This rule works for both IPv4 and IPv6.
ICMP
ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.
The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.
Table H16 ICMP Rules
Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default=1) |
130900100 | Auto | RATELIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130900200 | Auto | RATELIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) |
130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) |
130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902300 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902400 | Auto | RATELIMIT PASS ICMPv6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902500 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903400 | Auto | RATELIMIT ICMP port unreachable | This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50) |
130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |

Default Pass/Drop
The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.
Table H17 Default Pass/Drop Rules
Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | NA |
140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.
140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.
140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default=0) |
140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default=0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default=0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default=0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.
140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default=0) | This is a catch-all rule that drops anything that does not match any other rules in the system.
HA Support
The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.
Table H18 HA Support Rules
Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | NA |
140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | NA |

Custom Rule Templates
Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.
For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:
Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.
• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
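The following Python model, added here and not Infoblox or NIOS code, shows how the templates above fit together: a WHITELIST IP source passes before rate limiting, a BLACKLIST IP source drops before rate limiting, and every other source is subject to the RATELIMITED IP template's Packets per second and Drop interval (the template defaults of 5 and 30 seconds), which is the same Packets per second / Drop interval mechanism the RATELIMIT PASS auto rules in the tables above describe. The fixed one-second counting window, the whitelist-before-blacklist order, the class names and the sample packet stream are assumptions made for this example, since the guide does not specify them.

```python
"""Added model of the custom rule template evaluation order described above.
Not Infoblox/NIOS code: the one-second counting window, the whitelist-before-
blacklist ordering, the class names and the sample traffic are assumptions
made for this example."""
import ipaddress
from collections import defaultdict


class RateLimitedIP:
    """RATELIMITED IP template: Packets per second and Drop interval.

    Template defaults from the guide: 5 packets per second and a 30 second
    drop interval. A source that exceeds the rate is dropped for the interval.
    """

    def __init__(self, packets_per_second=5, drop_interval=30.0):
        self.packets_per_second = packets_per_second
        self.drop_interval = drop_interval
        self._window = {}         # src -> (window_start, packets_in_window)
        self._blocked_until = {}  # src -> time at which the Drop interval ends

    def evaluate(self, src, now):
        until = self._blocked_until.get(src)
        if until is not None:
            if now < until:
                return "DROP"             # still inside the Drop interval
            del self._blocked_until[src]  # interval over, start counting again
        start, count = self._window.get(src, (now, 0))
        if now - start >= 1.0:            # assumption: fixed one-second window
            start, count = now, 0
        count += 1
        self._window[src] = (start, count)
        if count > self.packets_per_second:
            # Over the Packets per second value: block for the Drop interval.
            self._blocked_until[src] = now + self.drop_interval
            return "DROP"
        return "PASS"


class Policy:
    """Whitelist and blacklist are consulted before the rate limiter, as the
    'prior to rate limiting' templates describe (whitelist first: assumption)."""

    def __init__(self, whitelist, blacklist, rate_rule):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        self.rate_rule = rate_rule

    def decide(self, src, now):
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in self.whitelist):
            return "PASS"   # WHITELIST IP: pass prior to rate limiting
        if any(addr in net for net in self.blacklist):
            return "DROP"   # BLACKLIST IP: drop prior to rate limiting
        return self.rate_rule.evaluate(src, now)


def build_sample_policy():
    # Constructed for this example using RFC 5737 documentation addresses.
    return Policy(whitelist=["192.0.2.0/24"],
                  blacklist=["198.51.100.7/32"],
                  rate_rule=RateLimitedIP())


# Constructed packet stream: (source IP, timestamp in seconds).
SAMPLE_PACKETS = (
    [("198.51.100.7", 0.10)]                                 # blacklisted source
    + [("192.0.2.10", 0.10 + i * 0.01) for i in range(20)]   # whitelisted, 20 pps
    + [("203.0.113.5", 0.20 + i * 0.05) for i in range(8)]   # 8 packets within 1 s
    + [("203.0.113.5", 20.0), ("203.0.113.5", 31.0)]         # inside / after block
)


def run(policy, packets):
    """Return [(src, timestamp, verdict)] in arrival order."""
    return [(src, ts, policy.decide(src, ts))
            for src, ts in sorted(packets, key=lambda p: p[1])]


def summarize(results):
    """Per-source PASS/DROP counts, the view an operator checks in the logs."""
    counts = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for src, _ts, verdict in results:
        counts[src][verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, ts, verdict in run(build_sample_policy(), SAMPLE_PACKETS):
        print(f"{ts:6.2f}s {src:15} {verdict}")
    print(summarize(run(build_sample_policy(), SAMPLE_PACKETS)))
```

The rate-limited source 203.0.113.5 passes its first five packets, is dropped from the sixth onward and stays blocked at t=20 s, then passes again at t=31 s once the 30 second Drop interval has elapsed.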
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130500100 | System | DNS A record | You can configure this rule to pass or drop UDP packets that contain an A record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500200 | System | DNS AAAA record | You can configure this rule to pass or drop UDP packets that contain an AAAA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500300 | System | DNS CNAME record | You can configure this rule to pass or drop UDP packets that contain a CNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500400 | System | DNS DS record | You can configure this rule to pass or drop UDP packets that contain a DS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500500 | System | DNS PTR record | You can configure this rule to pass or drop UDP packets that contain a PTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500600 | System | DNS NS record | You can configure this rule to pass or drop UDP packets that contain an NS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500700 | System | DNS NSEC record | You can configure this rule to pass or drop UDP packets that contain an NSEC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500800 | System | DNS NSEC3 record | You can configure this rule to pass or drop UDP packets that contain an NSEC3 record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500900 | System | DNS NSEC3PARAM record | You can configure this rule to pass or drop UDP packets that contain an NSEC3PARAM record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501000 | System | DNS MX record | You can configure this rule to pass or drop UDP packets that contain an MX record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501100 | System | DNS SRV record | You can configure this rule to pass or drop UDP packets that contain an SRV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501200 | System | DNS TXT record | You can configure this rule to pass or drop UDP packets that contain a TXT record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501300 | System | DNS DNAME record | You can configure this rule to pass or drop UDP packets that contain a DNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501400 | System | DNS RRSIG record | You can configure this rule to pass or drop UDP packets that contain an RRSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501500 | System | DNS NAPTR record | You can configure this rule to pass or drop UDP packets that contain a NAPTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
| 130501600 | System | DNS DNSKEY record | You can configure this rule to pass or drop UDP packets that contain a DNSKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501700 | System | DNS SPF record | You can configure this rule to pass or drop UDP packets that contain an SPF record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501800 | System | DNS DHCID record | You can configure this rule to pass or drop UDP packets that contain a DHCID record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501900 | System | DNS SOA record | You can configure this rule to pass or drop UDP packets that contain an SOA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502000 | System | DNS SIG record | You can configure this rule to pass or drop UDP packets that contain a SIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502100 | System | DNS LOC record | You can configure this rule to pass or drop UDP packets that contain a LOC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502200 | System | DNS SSHFP record | You can configure this rule to pass or drop UDP packets that contain an SSHFP record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502300 | System | DNS IPSECKEY record | You can configure this rule to pass or drop UDP packets that contain an IPSECKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502400 | System | DNS TKEY record | You can configure this rule to pass or drop UDP packets that contain a TKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502500 | System | DNS TSIG record | You can configure this rule to pass or drop UDP packets that contain a TSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502600 | System | DNS TA record | You can configure this rule to pass or drop UDP packets that contain a TA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502700 | System | DNS DLV record | You can configure this rule to pass or drop UDP packets that contain a DLV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502800 | System | DNS ANY record | You can configure this rule to pass or drop UDP packets that contain an ANY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502900 | System | DNS A record TCP | You can configure this rule to pass or drop TCP packets that contain an A record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503000 | System | DNS AAAA record TCP | You can configure this rule to pass or drop TCP packets that contain an AAAA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503100 | System | DNS CNAME record TCP | You can configure this rule to pass or drop TCP packets that contain a CNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503200 | System | DNS DS record TCP | You can configure this rule to pass or drop TCP packets that contain a DS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503300 | System | DNS PTR record TCP | You can configure this rule to pass or drop TCP packets that contain a PTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503400 | System | DNS NS record TCP | You can configure this rule to pass or drop TCP packets that contain an NS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503500 | System | DNS NSEC record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503600 | System | DNS NSEC3 record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC3 record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503700 | System | DNS NSEC3PARAM record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC3PARAM record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503800 | System | DNS MX record TCP | You can configure this rule to pass or drop TCP packets that contain an MX record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain an SRV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain a TXT record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain a DNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain an RRSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain a NAPTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain a DNSKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain an SPF record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain a DHCID record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain an SOA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain a SIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504900 | System | DNS LOC record TCP | You can configure this rule to pass or drop TCP packets that contain a LOC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain an SSHFP record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain an IPSECKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain a TKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain a TSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain a TA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain a DLV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain an ANY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |
| 130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1) | |
| 110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1) | |
DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of FaceBook messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) | |
| 130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare. | Always enabled | Events per second (default = 1) | |
| 130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server. | Always enabled | Events per second (default = 1) | |

DNS Protocol Anomalies

DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.

The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) | |
| 110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when the DNS Label in the name being queried is too long. | Always enabled | Events per second (default = 1) | |
| 110100600 | Auto | EARLY DROP UDP query invalid question count | This rule drops UDP DNS packets when the number of entries in the question section is invalid. | Always enabled | Events per second (default = 1) | |
| 110100700 | Auto | EARLY DROP UDP query invalid question class | This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid. | Always enabled | Events per second (default = 1) | |
| 110100800 | Auto | EARLY DROP UDP query invalid question string | This rule drops UDP DNS packets that contain an invalid question string. | Always enabled | Events per second (default = 1) | |
| 110100850 | Auto | EARLY UDP drop invalid DNS query with Authority | This rule drops UDP DNS queries that contain an invalid AUTHORITY entry. | Always enabled | Events per second (default = 1) | |
| 110100900 | Auto | EARLY DROP query multiple questions or non-query operation code | This rule drops UDP DNS packets when there are multiple questions being queried at one time or when the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000700 | Auto | EARLY DROP TCP non-DNS query | This rule drops TCP packets when the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000800 | Auto | EARLY DROP TCP query multiple questions | This rule drops TCP DNS packets when there are multiple questions being queried at one time. | Always enabled | Events per second (default = 1) | |
| 130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority | This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority | This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130300200 | Auto | DROP TCP invalid DNS query with Authority | This rule drops TCP DNS queries that contain invalid Authority entries. | Always enabled | Events per second (default = 1) | |

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names that can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
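The question-section checks that the Table H8 rules describe, as an added example that is not Infoblox code: it constructs DNS query messages on the wire and reports which of the listed conditions each one trips (question count, operation code, label and name length, question class, authority count). The mapping of each check to a Table H8 rule ID, the set of classes treated as valid, and the fact that only the header count of the authority section is inspected are this example's assumptions.

```python
import struct

# Wire-format limits from RFC 1035; IXFR type from RFC 1995. The class set treated as
# "valid" (IN, CH, HS, ANY) is an assumption made for this example.
OPCODE_QUERY = 0
QTYPE_IXFR = 251
VALID_CLASSES = {1, 3, 4, 255}
MAX_LABEL = 63
MAX_NAME = 255


def build_query(name, qtype=1, qclass=1, opcode=0, qdcount=1, nscount=0, ident=0x1234):
    """Construct a DNS query message (constructed sample input, not captured traffic).

    Only the question section is written. nscount is placed in the header so the
    checker can see the count; no authority records actually follow the question."""
    flags = ((opcode & 0xF) << 11) | 0x0100              # opcode bits plus RD
    header = struct.pack("!6H", ident, flags, qdcount, 0, nscount, 0)
    wire = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        wire.append(len(raw))                            # length byte; may exceed 63 on purpose
        wire += raw
    wire.append(0)                                       # root terminator
    return header + bytes(wire) + struct.pack("!HH", qtype, qclass)


def parse_qname(buf, offset):
    """Walk an uncompressed QNAME; return (offset after the name, list of problems)."""
    problems = []
    wire_len = 0
    while True:
        if offset >= len(buf):
            problems.append("truncated question name")
            return offset, problems
        length = buf[offset]
        offset += 1
        wire_len += 1
        if length == 0:
            break
        if (length & 0xC0) == 0xC0:                      # compression pointer: never valid in a question
            problems.append("compression pointer in question name")
            return offset + 1, problems
        if length > MAX_LABEL:                           # also catches reserved label types 0x40/0x80
            problems.append("110100500 label too long")
        offset += length
        wire_len += length
    if wire_len > MAX_NAME:                              # length bytes, label bytes and terminator
        problems.append("110100400 question name too long")
    return offset, problems


def check_query(buf):
    """Apply Table H8 style checks to one DNS message; return the list of rule hits.

    Rule IDs are the ones listed in Table H8; which check maps to which ID is this
    example's reading of the rule descriptions, not Infoblox's implementation."""
    hits = []
    if len(buf) < 12:
        return ["truncated header"]
    _ident, flags, qdcount, _an, nscount, _ar = struct.unpack("!6H", buf[:12])
    opcode = (flags >> 11) & 0xF
    if opcode != OPCODE_QUERY:
        hits.append("110100900 non-query operation code")
    if qdcount == 0:
        hits.append("110100600 invalid question count")
        return hits                                      # no question to parse
    if qdcount > 1:
        hits.append("110100900 multiple questions")
    offset, problems = parse_qname(buf, 12)
    hits.extend(problems)
    if offset + 4 > len(buf):
        hits.append("truncated question")
        return hits
    qtype, qclass = struct.unpack("!HH", buf[offset:offset + 4])
    if qclass not in VALID_CLASSES:
        hits.append("110100700 invalid question class")
    # Authority section: an IXFR request carries exactly one SOA there; other queries carry none.
    if qtype == QTYPE_IXFR:
        if nscount != 1:
            hits.append("130100500 IXFR query with zero or more than one Authority")
    elif nscount != 0:
        hits.append("110100850 invalid AUTHORITY entry")
    return hits


if __name__ == "__main__":
    samples = {
        "ordinary": build_query("www.example.com"),
        "long label": build_query("a" * 64 + ".example.com"),
        "bad class": build_query("example.com", qclass=9),
        "status opcode": build_query("example.com", opcode=2),
        "ixfr ok": build_query("example.com", qtype=QTYPE_IXFR, nscount=1),
    }
    for label, pkt in samples.items():
        print(f"{label:14s} -> {check_query(pkt) or ['pass']}")
```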
TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit the TCP and UDP protocols.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200. |
| 130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100. |
| 130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400. |
| 130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300. |
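The warn/block pairing that the comments on rules 130000100 and 130000200 describe, as an added example that is not Infoblox code: a per-source counter that warns when a source reaches the low threshold, warns again at the high threshold, and drops everything from that source for Drop interval once the high threshold is exceeded, with the configuration check from the NOTE (low threshold below high threshold) enforced up front. The fixed one-second counting window, the event list, and the traffic stream (addresses from the documentation ranges) are constructed for this example.

```python
from collections import defaultdict


class DnsRateGuard:
    """Two-tier per-source rate guard modelled on rules 130000100 / 130000200.

    Counts inbound UDP DNS packets per source IP in a fixed one-second window
    (an assumption; the appliance's exact counting method is not documented here).
    Reaching warn_pps records a rule 130000100 event; reaching block_pps records a
    rule 130000200 event; exceeding block_pps drops the source for drop_interval seconds."""

    def __init__(self, warn_pps=40, block_pps=1000, drop_interval=5.0):
        if warn_pps >= block_pps:
            raise ValueError("warn threshold must be lower than the block threshold "
                             "(NOTE on rule 130000100)")
        self.warn_pps = warn_pps
        self.block_pps = block_pps
        self.drop_interval = drop_interval
        self.window = {}          # src -> (window start time, packet count)
        self.blocked_until = {}   # src -> time at which the drop interval ends
        self.events = []          # (time, rule id, src, message)

    def handle(self, t, src):
        """Return "pass" or "drop" for one packet from src seen at time t (seconds)."""
        until = self.blocked_until.get(src)
        if until is not None:
            if t < until:
                return "drop"                            # still inside the drop interval
            del self.blocked_until[src]
        start, count = self.window.get(src, (None, 0))
        if start is None or t - start >= 1.0:
            start, count = t, 0                          # open a fresh one-second window
        count += 1
        self.window[src] = (start, count)
        if count == self.warn_pps:
            self.events.append((t, "130000100", src, f"rate reached {count} pps"))
        if count == self.block_pps:
            self.events.append((t, "130000200", src, f"rate reached {count} pps"))
        if count > self.block_pps:
            self.blocked_until[src] = t + self.drop_interval
            self.events.append((t, "130000200", src,
                                f"rate exceeded {self.block_pps} pps; blocking for {self.drop_interval}s"))
            return "drop"
        return "pass"


def simulate(guard, packets):
    """Feed (time, src) packets through the guard; return {src: {"pass": n, "drop": n}}."""
    tally = defaultdict(lambda: {"pass": 0, "drop": 0})
    for t, src in packets:
        tally[src][guard.handle(t, src)] += 1
    return dict(tally)


def constructed_traffic():
    """Constructed sample stream: a quiet client, a one-second burst from one source,
    a retry inside the drop interval, and a retry after it expires."""
    pkts = [(i / 30.0, "192.0.2.10") for i in range(90)]             # 30 pps for 3 seconds
    pkts += [(10.0 + i / 1200.0, "198.51.100.7") for i in range(1200)]  # 1200 packets in one second
    pkts.append((12.0, "198.51.100.7"))                               # still blocked
    pkts.append((16.0, "198.51.100.7"))                               # drop interval has expired
    return sorted(pkts)


if __name__ == "__main__":
    guard = DnsRateGuard()
    print(simulate(guard, constructed_traffic()))
    for t, rule, src, msg in guard.events:
        print(f"t={t:.3f} rule {rule} {src}: {msg}")
```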
DNS DDoS

The following table lists system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H10 DNS DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |
| 200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers, and NO errors. |
| 200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |
DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |
| 130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |
| 200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification recognizes UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers to the Internet cloud. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that are sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders, and VPN concentrators. |
| 130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | |
| 130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H13 NTP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | |
| 130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) | |
200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |
200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |
200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |
200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |
200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |
200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |
200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |
200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |
200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |
200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |
200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |
200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |
200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) |
200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) |
200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) |
200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) |
BGP
The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.
Table H14 BGP Rules
Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130700100 | Auto | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) |
130700200 | Auto | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) |
130700300 | Auto | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) |
130700400 | Auto | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) |
130700500 | Auto | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) |
130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) |
130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) |
130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) |
130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) |
130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured | Events per second (default = 1) | This rule is exclusive with other rules based on whether BGP is configured on the member or not.
OSPF
The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.
Table H15 OSPF Rules
Rule ID | Type | Rule Name | Description | Enable Condition | Parameters | Comments
130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured | Events per second (default = 1) | Default drop rule for all packets on the OSPF service port.
130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4 | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100) |
130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6 | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100) |
130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | This rule works for both IPv4 and IPv6.
ICMP
ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.
The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.
Table H16 ICMP Rules
Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default = 1) |
130900100 | Auto | RATE LIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) |
130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) |
130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100) |
130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100) |
130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) |
130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) |
130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130902300 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130902400 | Auto | RATELIMIT PASS ICMPv6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130902500 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) |
130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) |
130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) |
130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) |
130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) |
130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) |
130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) |
130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) |
130903400 | Auto | RATELIMIT ICMP port unreachable | This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default = 10); Drop Interval (default = 10 sec); Packets per second (default = 50) |
130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) |
Default Pass/Drop
The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.
Table H17 Default Pass/Drop Rules
Rule ID | Type | Rule Name | Description | Enable Condition | Parameters | Comments
100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | N/A |
140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default = 1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.
140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default = 1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.
140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default = 0) |
140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default = 0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default = 0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default = 0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.
140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default = 0) | This is a catch-all rule that drops anything that does not match any other rules in the system.
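The RATELIMIT PASS rows in the NTP, BGP, OSPF and ICMP tables above all describe the same per-source mechanism: count a source's packets, pass them while the rate stays under Packets per second, and once a source exceeds it, drop everything from that source for Drop interval; Events per second only caps how many log lines the rule emits. The Python model below is an added example (not Infoblox code) that runs that mechanism, in rule order with the Default Pass/Drop catch-all at the end, over constructed traffic. The rule ids, names and defaults are the ones listed in Table H16 and Table H17; the fixed one-second counting window, the addresses and the packet stream are assumptions made for the example, since the appliance's exact window accounting is not documented on this page.

```python
"""Per-source rate limiting as the RATELIMIT PASS rules describe it.

Added example, not Infoblox code. Assumption (not from the page): packets
from a source are counted in fixed one-second windows, and the packet that
takes the count over Packets per second trips the Drop interval block.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

CATCH_ALL_RULE = 140000800  # "DROP unexpected protocol" (Table H17)


@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time in seconds
    src: str    # source address (constructed sample values below)
    proto: str  # "icmp", "icmpv6", "gre", ...
    kind: str   # message type, e.g. "echo-request"


@dataclass
class RateLimitRule:
    """One RATELIMIT PASS rule with its three tunable parameters."""
    rule_id: int
    name: str
    match: Callable[[Packet], bool]
    packets_per_second: int
    drop_interval: float        # seconds a source stays blocked after exceeding the limit
    events_per_second: int = 1  # cap on log lines this rule emits per second
    log: List[str] = field(default_factory=list)
    _window: Dict[str, Tuple[float, int]] = field(default_factory=dict)  # src -> (start, count)
    _blocked_until: Dict[str, float] = field(default_factory=dict)        # src -> block expiry
    _log_sec: int = -1
    _log_count: int = 0

    def _emit(self, ts: float, msg: str) -> None:
        # Events per second: at most N log lines per wall-clock second for this rule.
        sec = int(ts)
        if sec != self._log_sec:
            self._log_sec, self._log_count = sec, 0
        if self._log_count < self.events_per_second:
            self.log.append(f"{ts:.2f} rule {self.rule_id} {self.name}: {msg}")
            self._log_count += 1

    def evaluate(self, pkt: Packet) -> Optional[str]:
        """Return 'PASS', 'DROP', or None when the packet is not this rule's traffic."""
        if not self.match(pkt):
            return None
        if pkt.ts < self._blocked_until.get(pkt.src, 0.0):
            self._emit(pkt.ts, f"drop {pkt.src}, blocked until {self._blocked_until[pkt.src]:.2f}")
            return "DROP"
        start, count = self._window.get(pkt.src, (pkt.ts, 0))
        if pkt.ts - start >= 1.0:          # start a new one-second window for this source
            start, count = pkt.ts, 0
        count += 1
        self._window[pkt.src] = (start, count)
        if count > self.packets_per_second:
            self._blocked_until[pkt.src] = pkt.ts + self.drop_interval
            self._emit(pkt.ts, f"{pkt.src} exceeded {self.packets_per_second} pps, "
                               f"dropping for {self.drop_interval:.0f}s")
            return "DROP"
        return "PASS"


def run(rules: List[RateLimitRule], packets: List[Packet]) -> List[Tuple[Packet, int, str]]:
    """Evaluate rules in order; the first match decides. Unmatched traffic hits the catch-all."""
    verdicts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        for rule in rules:
            verdict = rule.evaluate(pkt)
            if verdict is not None:
                verdicts.append((pkt, rule.rule_id, verdict))
                break
        else:
            verdicts.append((pkt, CATCH_ALL_RULE, "DROP"))
    return verdicts


def build_rules() -> List[RateLimitRule]:
    # Defaults are the ones Table H16 lists for these two rules.
    return [
        RateLimitRule(130900100, "RATE LIMIT PASS ICMP Ping",
                      lambda p: p.proto == "icmp" and p.kind == "echo-request", 50, 10.0),
        RateLimitRule(130901400, "RATELIMIT PASS ICMPv6 router advertisement",
                      lambda p: p.proto == "icmpv6" and p.kind == "router-advertisement", 50, 30.0),
    ]


def sample_traffic() -> List[Packet]:
    # Constructed traffic: one source sends 60 pings in 0.6 s, a quiet source sends 5,
    # the first source retries during and after its drop interval, plus an RA and a GRE packet.
    pkts = [Packet(i * 0.01, "192.0.2.10", "icmp", "echo-request") for i in range(60)]
    pkts += [Packet(i * 0.1, "192.0.2.20", "icmp", "echo-request") for i in range(5)]
    pkts += [Packet(5.0, "192.0.2.10", "icmp", "echo-request"),   # still inside the 10 s block
             Packet(11.0, "192.0.2.10", "icmp", "echo-request"),  # block expired, fresh window
             Packet(2.0, "2001:db8::1", "icmpv6", "router-advertisement"),
             Packet(12.0, "198.51.100.7", "gre", "keepalive")]    # matches no rule
    return pkts


def summarize() -> Dict[str, int]:
    rules = build_rules()
    result = run(rules, sample_traffic())

    def count(src: str, verdict: str) -> int:
        return sum(1 for p, _, v in result if p.src == src and v == verdict)

    return {
        "flood_src_pass": count("192.0.2.10", "PASS"),  # 50 in the burst + 1 at t=11
        "flood_src_drop": count("192.0.2.10", "DROP"),  # 10 in the burst + 1 at t=5
        "quiet_src_pass": count("192.0.2.20", "PASS"),
        "ra_pass": count("2001:db8::1", "PASS"),
        "catch_all_drop": sum(1 for _, rid, _v in result if rid == CATCH_ALL_RULE),
        "ping_rule_log_lines": len(rules[0].log),       # 2: one at t=0.50, one at t=5.00
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Two things the run makes visible that the table text only implies: the quiet source is never affected by the flooding source, because state is kept per source address, which is also why the comment on rule 130400600 recommends a higher Packets per second for NAT'd environments (many clients share one source address); and the ping rule logs only two lines for eleven drops, because Events per second throttles logging, not enforcement.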
HA Support
The following table lists auto rules that are used to pass packets that go through the Virtual Router RedundancyProtocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support
Table H18 HA Support Rules
Custom Rule Templates
Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules Notethat when you use a specific rule template to create custom rules the new rules reside in their respective rulecategories For information about custom rules and creating custom rules see Custom Rules on page 1341 andCreating Custom Rules on page 1343
For each rule you create you can define the Events per second value to determine the number of events per secondthat will be logged for the rule You can also define specific rule parameters for custom rules as follows
Note Custom rules do not support IDNs (Internationalized Domain Names) To use IDNs for custom rules you mustfirst convert the IDNs into puny codes You can use the IDN Converter from the Toolbar for the conversion
bull BLACKLIST FQDN lookup TCP Use this rule template to create custom rules for blacklisting DNS queries by FQDNlookups on TCP In the Rule Parameters table complete the following
mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over TCP traffic You can also enter alist of FQDNs using semicolon as the separator
bull BLACKLIST FQDN lookup UDP Use this rule template to create custom rules for blacklisting DNS queries byFQDN lookups on UDP In the Rule Parameters table complete the following
mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over UDP traffic You can also enter alist of FQDNs using semicolon as the separator
bull BLACKLIST IP TCP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP TCP template In the Rule Parameters table complete the following
mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all TCP traffic from the specified Ipv4 and IPv6
addresses and networks will be blocked Enter network addresses in addressCIDR formatbull BLACKLIST IP UDP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6
addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP UDP template In the Rule Parameters table complete the following
mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all UDP traffic from the specified Ipv4 and IPv6addresses and networks will be blocked Enter network addresses in addressCIDR format
bull RATELIMITED FQDN lookup UDP Use this rule template to create custom rules that contains rate limitingrestrictions for blocking DNS queries by FQDN lookups on UDP traffic In the Rule Parameters table completethe following
Rule ID    Rule Type  Rule Name  Description                                   Enable Condition             Parameters
140000750  Auto       PASS VRRP  Passes VRRP packets, which HA requires.        Enabled if HA is configured  N/A
140000760  Auto       PASS IGMP  Passes IGMP packets, which HA requires.        Enabled if HA is configured  N/A
  – Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups for the FQDN defined in this rule. The default is 5.
  – Drop interval: Enter the number of seconds for which the appliance drops packets once the rate limit is exceeded.
  – Blacklist rate limited FQDN: Enter the FQDN to which the rate limit configured for this rule applies. The appliance drops UDP DNS lookups for this FQDN for the drop interval when their rate exceeds the configured limit.
• RATELIMITED IP TCP: Use this rule template to create custom rules that apply rate limiting restrictions to IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit, create a rule using the BLACKLIST IP TCP: Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of TCP DNS lookups from the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. The appliance drops packets sent by this IP address for the drop interval when the rate of its TCP DNS lookups exceeds the configured limit.
• RATELIMITED IP UDP: Use this rule template to create custom rules that apply rate limiting restrictions to IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit, create a rule using the BLACKLIST IP UDP: Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups from the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. The appliance drops packets sent by this IP address for the drop interval when the rate of its UDP DNS lookups exceeds the configured limit.
• WHITELIST IP TCP: Pass prior to rate limiting. Use this rule template to create custom rules that allow certain IP addresses on TCP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP: Pass prior to rate limiting. Use this rule template to create custom rules that allow certain IP addresses on UDP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are allowed before any relevant rate limiting rules take effect.
DNS Message Type

Rule ID    Rule Type  Rule Name               Description                                                                  Enable/Disable Condition  Parameters
130501600  System     DNS DNSKEY record       Pass or drop UDP packets that request DNSKEY records (default Action = Pass)     Enabled by default        Action (default = Pass); Events per second (default = 1)
130501700  System     DNS SPF record          Pass or drop UDP packets that request SPF records (default Action = Pass)        Enabled by default        Action (default = Pass); Events per second (default = 1)
130501800  System     DNS DHCID record        Pass or drop UDP packets that request DHCID records (default Action = Pass)      Enabled by default        Action (default = Pass); Events per second (default = 1)
130501900  System     DNS SOA record          Pass or drop UDP packets that request SOA records (default Action = Pass)        Enabled by default        Action (default = Pass); Events per second (default = 1)
130502000  System     DNS SIG record          Pass or drop UDP packets that request SIG records (default Action = Pass)        Enabled by default        Action (default = Pass); Events per second (default = 1)
130502100  System     DNS LOC record          Pass or drop UDP packets that request LOC records (default Action = Pass)        Enabled by default        Action (default = Pass); Events per second (default = 1)
130502200  System     DNS SSHFP record        Pass or drop UDP packets that request SSHFP records (default Action = Pass)      Enabled by default        Action (default = Pass); Events per second (default = 1)
130502300  System     DNS IPSECKEY record     Pass or drop UDP packets that request IPSECKEY records (default Action = Pass)   Enabled by default        Action (default = Pass); Events per second (default = 1)
130502400  System     DNS TKEY record         Pass or drop UDP packets that request TKEY records (default Action = Pass)       Enabled by default        Action (default = Pass); Events per second (default = 1)
130502500  System     DNS TSIG record         Pass or drop UDP packets that request TSIG records (default Action = Pass)       Enabled by default        Action (default = Pass); Events per second (default = 1)
130502600  System     DNS TA record           Pass or drop UDP packets that request TA records (default Action = Pass)         Enabled by default        Action (default = Pass); Events per second (default = 1)
130502700  System     DNS DLV record          Pass or drop UDP packets that request DLV records (default Action = Pass)        Enabled by default        Action (default = Pass); Events per second (default = 1)
130502800  System     DNS ANY record          Pass or drop UDP packets that request ANY records (default Action = Pass)        Enabled by default        Action (default = Pass); Events per second (default = 1)
130502900  System     DNS A record TCP        Pass or drop TCP packets that request A records (default Action = Pass)          Enabled by default        Action (default = Pass); Events per second (default = 1)
130503000  System     DNS AAAA record TCP     Pass or drop TCP packets that request AAAA records (default Action = Pass)       Enabled by default        Action (default = Pass); Events per second (default = 1)
130503100  System     DNS CNAME record TCP       Pass or drop TCP packets that request CNAME records (default Action = Pass)        Enabled by default        Action (default = Pass); Events per second (default = 1)
130503200  System     DNS DS record TCP          Pass or drop TCP packets that request DS records (default Action = Pass)           Enabled by default        Action (default = Pass); Events per second (default = 1)
130503300  System     DNS PTR record TCP         Pass or drop TCP packets that request PTR records (default Action = Pass)          Enabled by default        Action (default = Pass); Events per second (default = 1)
130503400  System     DNS NS record TCP          Pass or drop TCP packets that request NS records (default Action = Pass)           Enabled by default        Action (default = Pass); Events per second (default = 1)
130503500  System     DNS NSEC record TCP        Pass or drop TCP packets that request NSEC records (default Action = Pass)         Enabled by default        Action (default = Pass); Events per second (default = 1)
130503600  System     DNS NSEC3 record TCP       Pass or drop TCP packets that request NSEC3 records (default Action = Pass)        Enabled by default        Action (default = Pass); Events per second (default = 1)
130503700  System     DNS NSEC3PARAM record TCP  Pass or drop TCP packets that request NSEC3PARAM records (default Action = Pass)   Enabled by default        Action (default = Pass); Events per second (default = 1)
130503800  System     DNS MX record TCP          Pass or drop TCP packets that request MX records (default Action = Pass)           Enabled by default        Action (default = Pass); Events per second (default = 1)
130503900  System     DNS SRV record TCP         Pass or drop TCP packets that request SRV records (default Action = Pass)          Enabled by default        Action (default = Pass); Events per second (default = 1)
130504000  System     DNS TXT record TCP         Pass or drop TCP packets that request TXT records (default Action = Pass)          Enabled by default        Action (default = Pass); Events per second (default = 1)
130504100  System     DNS DNAME record TCP       Pass or drop TCP packets that request DNAME records (default Action = Pass)        Enabled by default        Action (default = Pass); Events per second (default = 1)
130504200  System     DNS RRSIG record TCP       Pass or drop TCP packets that request RRSIG records (default Action = Pass)        Enabled by default        Action (default = Pass); Events per second (default = 1)
130504300  System     DNS NAPTR record TCP       Pass or drop TCP packets that request NAPTR records (default Action = Pass)        Enabled by default        Action (default = Pass); Events per second (default = 1)
130504400  System     DNS DNSKEY record TCP      Pass or drop TCP packets that request DNSKEY records (default Action = Pass)       Enabled by default        Action (default = Pass); Events per second (default = 1)
130504500  System     DNS SPF record TCP         Pass or drop TCP packets that request SPF records (default Action = Pass)          Enabled by default        Action (default = Pass); Events per second (default = 1)
130504600  System     DNS DHCID record TCP       Pass or drop TCP packets that request DHCID records (default Action = Pass)        Enabled by default        Action (default = Pass); Events per second (default = 1)
130504700  System     DNS SOA record TCP         Pass or drop TCP packets that request SOA records (default Action = Pass)          Enabled by default        Action (default = Pass); Events per second (default = 1)
130504800  System     DNS SIG record TCP         Pass or drop TCP packets that request SIG records (default Action = Pass)          Enabled by default        Action (default = Pass); Events per second (default = 1)
130504900  System     DNS LOC record TCP         Pass or drop TCP packets that request LOC records (default Action = Pass)          Enabled by default        Action (default = Pass); Events per second (default = 1)
130505000  System     DNS SSHFP record TCP       Pass or drop TCP packets that request SSHFP records (default Action = Pass)        Enabled by default        Action (default = Pass); Events per second (default = 1)
130505100  System     DNS IPSECKEY record TCP    Pass or drop TCP packets that request IPSECKEY records (default Action = Pass)     Enabled by default        Action (default = Pass); Events per second (default = 1)
130505200  System     DNS TKEY record TCP        Pass or drop TCP packets that request TKEY records (default Action = Pass)         Enabled by default        Action (default = Pass); Events per second (default = 1)
130505300  System     DNS TSIG record TCP        Pass or drop TCP packets that request TSIG records (default Action = Pass)         Enabled by default        Action (default = Pass); Events per second (default = 1)
130505400  System     DNS TA record TCP          Pass or drop TCP packets that request TA records (default Action = Pass)           Enabled by default        Action (default = Pass); Events per second (default = 1)
130505500  System     DNS DLV record TCP         Pass or drop TCP packets that request DLV records (default Action = Pass)          Enabled by default        Action (default = Pass); Events per second (default = 1)
130505600  System     DNS ANY record TCP         Pass or drop TCP packets that request ANY records (default Action = Pass)          Enabled by default        Action (default = Pass); Events per second (default = 1)
General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

Rule ID    Rule Type  Rule Name                                                       Description                                                                    Enable Condition  Parameters
110000100  Auto       EARLY DROP DoS packets with same source and destination IP      Drops any IP packet whose source and destination IP addresses are the same.     Always enabled    Events per second (default = 1)
110000200  Auto       EARLY DROP DoS UDP packets with same source and destination IP  Drops UDP packets whose source and destination IP addresses are the same.       Always enabled    Events per second (default = 1)
110000300  Auto       EARLY DROP DoS TCP packets with same source and destination IP  Drops TCP packets whose source and destination IP addresses are the same.       Always enabled    Events per second (default = 1)
130400300  Auto       DROP IPv4 loopback address spoofing                             Blocks any IP packet that attempts to forge the IPv4 loopback address.         Always enabled    Events per second (default = 1)
130400400  Auto       DROP IPv6 loopback address spoofing                             Blocks any IP packet that attempts to forge the IPv6 loopback address.         Always enabled    Events per second (default = 1)

Reconnaissance

Reconnaissance attacks are attempts to gather information about the network environment before launching a large DDoS or other attack. Techniques include port scanning and probing name servers for their software version and author information (for example, version.bind and authors.bind queries). These attacks exhibit abnormal behavior patterns that, if identified, can provide early warning.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables event logging for the rule. The default value is 1.

Table H6 Reconnaissance Rules
Rule ID    Rule Type  Rule Name                              Description                                                                          Enable Condition  Parameters
110100100  Auto       EARLY DROP DNS named author attempts   Drops UDP DNS packets that attempt to retrieve AUTHOR information from the name server.   Always enabled    Events per second (default = 1)
110100200  Auto       EARLY DROP DNS named version attempts  Drops UDP DNS packets that attempt to retrieve VERSION information from the name server.  Always enabled    Events per second (default = 1)
DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It includes downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

Rule ID    Rule Type  Rule Name
110100300  Auto       EARLY DROP UDP MALWARE backdoor
  Description: Drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of Facebook Messenger. This malware may be spread as a malicious attachment in e-mail messages.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)
130300300  Auto       DROP MALWARE trojan downloader
  Description: Drops UDP packets that contain trojan downloader malware, which downloads and installs new versions of malicious programs, including trojans and adware.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)
130300400  Auto       DROP MALWARE possible Hiloti
  Description: Drops UDP packets that contain the Hiloti trojan, which may download potentially malicious files from a remote server and report system information back to that server.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

DNS Protocol Anomalies

DNS protocol anomalies are malformed DNS packets, including unexpected header and payload values, sent to the targeted server. They can cause the server to stop responding or crash, for example by sending server threads into an infinite loop. These anomalies sometimes take the form of impersonation attacks.

The following table lists the rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules
Rule ID    Rule Type  Rule Name                                  Description                                                                Enable Condition  Parameters
110100400  Auto       EARLY DROP UDP DNS question name too long  Drops UDP DNS packets whose question name is too long.                      Always enabled    Events per second (default = 1)
110100500  Auto       EARLY DROP UDP DNS label too long          Drops UDP DNS packets in which a label of the queried name is too long.     Always enabled    Events per second (default = 1)
110100600  Auto       EARLY DROP UDP query invalid question count                       Drops UDP DNS packets in which the number of entries in the question section is invalid.               Always enabled    Events per second (default = 1)
110100700  Auto       EARLY DROP UDP query invalid question class                       Drops UDP DNS packets in which the RR (resource record) class being queried is invalid.                Always enabled    Events per second (default = 1)
110100800  Auto       EARLY DROP UDP query invalid question string                      Drops UDP DNS packets that contain an invalid question string.                                         Always enabled    Events per second (default = 1)
110100850  Auto       EARLY UDP drop invalid DNS query with Authority                   Drops UDP DNS queries that contain an invalid AUTHORITY entry.                                         Always enabled    Events per second (default = 1)
110100900  Auto       EARLY DROP query multiple questions or non query operation code   Drops UDP DNS packets that carry multiple questions at once or whose operation code is not Query.       Always enabled    Events per second (default = 1)
130000700  Auto       EARLY DROP TCP non-DNS query                                      Drops TCP packets whose operation code is not Query.                                                   Always enabled    Events per second (default = 1)
130000800  Auto       EARLY DROP TCP query multiple questions                           Drops TCP DNS packets that carry multiple questions at once.                                           Always enabled    Events per second (default = 1)
130100500  Auto       DROP UDP DNS invalid IXFR query with zero or more than one Authority  Drops UDP DNS incremental zone transfer (IXFR) requests that contain zero or more than one Authority entry.  Always enabled    Events per second (default = 1)
130100600  Auto       DROP TCP DNS invalid IXFR query with zero or more than one Authority  Drops TCP DNS incremental zone transfer (IXFR) requests that contain zero or more than one Authority entry.  Always enabled    Events per second (default = 1)
130300200  Auto       DROP TCP invalid DNS query with Authority                         Drops TCP DNS queries that contain invalid Authority entries.                                          Always enabled    Events per second (default = 1)

Potential DDoS Related Domains

This rule category includes system rules that the appliance uses to blacklist domains that have been observed as the targets or subjects of NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for such domains. The rules are enabled by default; you can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
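The reconnaissance rules in Table H6 and the protocol-anomaly rules in Table H8 above all reduce to checks on the DNS header and question section. The following is an added example, not Infoblox code, showing what those checks look like against raw DNS messages: it parses the 12-byte header and the question, enforces the protocol's 63-octet label and 255-octet name limits (RFC 1035), and rejects the conditions the rule names describe. The reason codes, the `build_query` sample builder and the sample packets are this example's own; the rule IDs in the comments are quoted from the tables. Rule 110100800 ("invalid question string") is not modelled because the page does not define it.

```python
"""Wire-format checks behind the DNS protocol-anomaly and reconnaissance rules.

Added example, not Infoblox code. Parses the header and question section of a
DNS message (RFC 1035) and applies the checks named in Tables H6 and H8. The
63-octet label and 255-octet name limits are the protocol's; rule IDs in the
comments are quoted from the tables; the reason codes are this example's own.
"""
import struct

OPCODE_QUERY = 0
QTYPE_TXT, QTYPE_IXFR = 16, 251
QCLASS_IN, QCLASS_CH, QCLASS_HS, QCLASS_ANY = 1, 3, 4, 255
VALID_QCLASSES = {QCLASS_IN, QCLASS_CH, QCLASS_HS, QCLASS_ANY}
# CHAOS-class TXT names that BIND answers with its version / author strings.
RECON_NAMES = {"version.bind.", "authors.bind."}


def parse_question_name(pkt, off):
    """Parse an uncompressed name at pkt[off:]. Returns (labels, next_offset)."""
    start, labels = off, []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated_name")
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n >= 0xC0:            # compression pointer: legal, but not followed here
            raise ValueError("compression_pointer")
        if n > 63:               # 110100500: label too long
            raise ValueError("label_too_long")
        if off + n > len(pkt):
            raise ValueError("truncated_name")
        labels.append(pkt[off:off + n])
        off += n
    if off - start > 255:        # 110100400: question name too long
        raise ValueError("question_name_too_long")
    return labels, off


def inspect_query(pkt):
    """Return ("pass", None) or ("drop", reason) for one DNS query message."""
    if len(pkt) < 12:
        return "drop", "truncated_header"
    _txid, flags, qdcount, _ancount, nscount, _arcount = struct.unpack("!6H", pkt[:12])
    opcode = (flags >> 11) & 0xF
    if opcode != OPCODE_QUERY:               # 110100900 (UDP) / 130000700 (TCP)
        return "drop", "non_query_opcode"
    if qdcount == 0:                         # 110100600
        return "drop", "invalid_question_count"
    if qdcount > 1:                          # 110100900 (UDP) / 130000800 (TCP)
        return "drop", "multiple_questions"
    try:
        labels, off = parse_question_name(pkt, 12)
    except ValueError as exc:
        return "drop", str(exc)
    if off + 4 > len(pkt):
        return "drop", "truncated_question"
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    if qclass not in VALID_QCLASSES:         # 110100700
        return "drop", "invalid_question_class"
    if qtype == QTYPE_IXFR:
        if nscount != 1:                     # 130100500 (UDP) / 130100600 (TCP)
            return "drop", "ixfr_authority_count"
    elif nscount != 0:                       # 110100850 (UDP) / 130300200 (TCP)
        return "drop", "authority_on_query"
    qname = ".".join(l.decode("ascii", "replace").lower() for l in labels) + "."
    if qclass == QCLASS_CH and qtype == QTYPE_TXT and qname in RECON_NAMES:
        return "drop", "recon_probe"         # 110100100 / 110100200
    return "pass", None


def encode_name(name):
    """Encode a dotted name; deliberately unchecked so that bad names can be built."""
    out = bytearray()
    for label in filter(None, name.split(".")):
        raw = label.encode("ascii")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(qname, qtype, qclass=QCLASS_IN, opcode=OPCODE_QUERY, qdcount=1, nscount=0):
    """Constructed sample: header + one question. Only the header's NSCOUNT is set
    for the Authority cases; the RR bodies are omitted since the checks read the count."""
    flags = ((opcode & 0xF) << 11) | 0x0100          # QR=0, RD=1
    header = struct.pack("!6H", 0x1234, flags, qdcount, 0, nscount, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


# Constructed samples, one per check.
SAMPLES = {
    "plain A query": build_query("www.example.com", 1),
    "version.bind probe": build_query("version.bind", QTYPE_TXT, QCLASS_CH),
    "64-octet label": build_query("a" * 64 + ".example.com", 1),
    "306-octet name": build_query(".".join(["b" * 60] * 5), 1),
    "two questions": build_query("example.com", 1, qdcount=2),
    "zero questions": build_query("example.com", 1, qdcount=0),
    "UPDATE opcode": build_query("example.com", 1, opcode=5),
    "class 2": build_query("example.com", 1, qclass=2),
    "IXFR with SOA": build_query("example.com", QTYPE_IXFR, nscount=1),
    "IXFR without SOA": build_query("example.com", QTYPE_IXFR),
    "A query with authority": build_query("example.com", 1, nscount=1),
}


def run_samples():
    return {name: inspect_query(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24} {verdict}")
```

The UDP and TCP variants of each rule share the same message-level logic; only the transport differs. Compression pointers in the question section are legal but rare, so the example reports rather than follows them.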
TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks that send massive numbers of TCP or UDP packets to consume network bandwidth and appliance resources.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules
Rule ID    Rule Type  Rule Name
130000100  System     WARN about high rate inbound UDP DNS queries
  Description: Warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 40); Events per second (default = 1)
  Comments: Use this rule together with rule 130000200 to set separate warning and blocking rate thresholds. This rule only sends alerts, when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second value configured for this rule should be less than that of rule 130000200.
130000200  System     WARN & BLOCK high rate inbound UDP DNS queries
  Description: Warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators. This rule may be triggered before a custom rule created from the rate limiting templates if its Packets per second value is lower than the custom rule's. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.
130000300  System     WARN about high rate inbound TCP DNS queries
  Description: Warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 5); Events per second (default = 1)
  Comments: Use this rule together with rule 130000400 to set separate warning and blocking rate thresholds. This rule only sends alerts, when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second value configured for this rule should be less than that of rule 130000400.
130000400  System     WARN & BLOCK high rate inbound TCP DNS queries
  Description: Warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators. This rule may be triggered before a custom rule created from the rate limiting templates if its Packets per second value is lower than the custom rule's. NOTE: DO NOT enable this rule along with rule 130000300.
DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate-limit clients whose queries trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H10 DNS DDoS Rules

Rule ID    Rule Type  Rule Name
200000001  System     NXDOMAIN rate limiting rule
  Description: Warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators.
200000002  System     NXRRSET rate limiting rule
  Description: Warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses are those that return no records and no answers but no error code either (the name exists, but has no records of the requested type).
200000003  System     SERVFAIL rate limiting rule
  Description: Warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators.
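Tables H9 and H10 above, like the RATELIMITED IP templates, express rate limiting through two parameters, Packets per second and Drop interval, with a warn-only companion rule at a lower threshold (130000100 paired with 130000200), and the response-code rules count only the queries that trigger a given RCODE while still blocking all traffic from a source once it is over the limit. The following added example (not Infoblox code) implements that behaviour over a stream of constructed events. The per-source, per-wall-clock-second counting window is an assumption, since the page does not say how the appliance measures the rate; the class and function names are this example's own.

```python
"""Source-keyed rate limiting as the WARN / WARN & BLOCK rules describe it.

Added example, not Infoblox code. Models the parameters named in Tables H9
and H10: Packets per second, Drop interval, and an optional lower warn-only
threshold (rule 130000100 paired with rule 130000200). ASSUMPTION: packets are
counted per source per wall-clock second; the appliance's real window is not
documented on this page. The "counted" flag lets the same limiter key on a
response code (NXDOMAIN, rule 200000001) while a blocked source still loses
all of its traffic.
"""
from collections import defaultdict

PASS, WARN, DROP = "pass", "warn", "drop"
NXDOMAIN = 3                      # DNS RCODE: name does not exist


class SourceRateLimiter:
    def __init__(self, block_pps, drop_interval, warn_pps=None):
        # The table NOTE: the warn-only threshold must sit below the blocking one.
        if warn_pps is not None and warn_pps >= block_pps:
            raise ValueError("warn_pps must be lower than block_pps")
        self.block_pps, self.warn_pps = block_pps, warn_pps
        self.drop_interval = drop_interval
        self._counts = defaultdict(int)       # (src, second) -> packets counted
        self._blocked_until = {}              # src -> time the block expires

    def observe(self, ts, src, counted=True):
        """Classify one packet from src seen at time ts (seconds)."""
        until = self._blocked_until.get(src)
        if until is not None:
            if ts < until:
                return DROP                   # blocked: everything from src is dropped
            del self._blocked_until[src]      # Drop interval has elapsed
        if not counted:
            return PASS                       # not the kind of traffic this rule counts
        key = (src, int(ts))
        self._counts[key] += 1
        n = self._counts[key]
        if n > self.block_pps:                # rate *exceeds* Packets per second: block
            self._blocked_until[src] = ts + self.drop_interval
            return DROP
        if n == self.block_pps:               # rate *equals* it: warn only
            return WARN
        if self.warn_pps is not None and n >= self.warn_pps:
            return WARN                       # low threshold of the warn-only rule
        return PASS


def run(limiter, events, counted=lambda ev: True):
    """Feed (ts, src, ...) events in time order; return per-source action counts."""
    tally = defaultdict(lambda: {PASS: 0, WARN: 0, DROP: 0})
    for ev in sorted(events):
        tally[ev[1]][limiter.observe(ev[0], ev[1], counted(ev))] += 1
    return dict(tally)


def flood_demo():
    """Constructed UDP query stream: one source bursts 12 packets in one second."""
    limiter = SourceRateLimiter(block_pps=10, drop_interval=5, warn_pps=4)
    events = [(i / 100, "10.0.0.5") for i in range(12)]   # 12 packets inside second 0
    events += [(3.0, "10.0.0.5"), (6.0, "10.0.0.5")]       # during and after the block
    events += [(0.5, "10.0.0.9"), (0.6, "10.0.0.9")]       # a quiet source
    return run(limiter, events)


def nxdomain_demo():
    """Constructed (ts, src, rcode) responses: only NXDOMAIN answers count towards
    the limit, but a blocked source loses all of its UDP DNS traffic."""
    limiter = SourceRateLimiter(block_pps=3, drop_interval=5)
    src = "192.0.2.7"
    events = [(1.00, src, NXDOMAIN), (1.01, src, 0), (1.02, src, NXDOMAIN),
              (1.03, src, NXDOMAIN), (1.04, src, NXDOMAIN), (1.05, src, 0),
              (7.00, src, NXDOMAIN)]
    return run(limiter, events, counted=lambda ev: ev[2] == NXDOMAIN)


if __name__ == "__main__":
    print(flood_demo())
    print(nxdomain_demo())
```

In the flood run the eleventh packet in the same second starts the block, the twelfth and a packet three seconds later are dropped, and the source passes again once the five-second Drop interval has elapsed; in the NXDOMAIN run the NOERROR response that arrives while the source is blocked is dropped too, which is the "blocks all UDP DNS traffic from this source IP" wording in Table H10.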
DNS Tunneling

DNS tunneling attacks tunnel another protocol through DNS (port 53) for the purpose of data exfiltration. The outbound and inbound data is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

Rule ID    Rule Type  Rule Name
130000500  System     RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
  Description: Warns if any source IP sends large UDP DNS queries (which could be DNS tunneling) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. A query counts as large when the DNS packet size exceeds the configured Packet size value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators.
130000600  Auto       RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
  Description: Warns if any source IP sends large TCP DNS queries (which could be DNS tunneling) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. A query counts as large when the DNS packet size exceeds the configured Packet size value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators.
200000004  System     DNS tunneling rate limiting rule
  Description: Warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. A response counts as large when the size of the TXT records in it exceeds the configured Packet size value.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators.

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing: the attacker sets the source address of its DNS queries to the address of the intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification exploit the asymmetry of DNS over UDP (small requests, large responses) and the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address carried in the spoofed source of the original datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Because DNS runs over UDP and does not require a handshake, the protocol can be used to saturate a host or a network. A suitably crafted small query sent to any open DNS resolver can produce a single response of several kilobytes or more, delivered to the unwitting spoofed victim. (Without EDNS0, a UDP DNS response is limited to 512 bytes; larger answers are truncated and the client retries over TCP, whose handshake a spoofed source cannot complete. Responses that fit in UDP but exceed the MTU of the recipient's interfaces are fragmented, adding further processing.) Open DNS resolvers may allow attackers to launch DDoS attacks carrying hundreds of gigabytes of data. Attackers may also
use the EDNS0 DNS protocol extension as a means to obtain larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly letting attackers abuse them. Many operators do provide intelligent rate limiting to prevent abuse even while supporting open recursive DNS servers, so issues of this type usually result from configuration mistakes.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

Rule ID    Rule Type  Rule Name
130400100  Auto       WARN & DROP DoS DNS possible reflection/amplification attack attempts
  Description: Warns if any source IP sends UDP DNS packets that look like reflection/amplification attack attempts. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query type is "ANY".
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value (approximately 100) for NATed environments, static forwarders, and VPN concentrators.
130400500  System     RATE LIMIT PASS UDP DNS root requests with additional RRs
  Description: Passes UDP DNS root requests that contain additional resource records until the traffic reaches the Packets per second value, then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
130400600  System     RATE LIMIT PASS UDP DNS root requests
  Description: Passes UDP DNS root requests until the traffic reaches the Packets per second value, then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules cover the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H13 NTP Rules
Rule ID
Rule
Type
Rule Name Description
EnableDisable
Condition
Parameters Comments
| 130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | |
| 130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) | |
| 200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
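The RATELIMIT PASS rules in the DNS amplification and NTP tables above all share one mechanism: packets from a source IP pass until that source reaches the Packets per second value, after which all matching traffic from it is dropped for the Drop interval, and Events per second caps how many log events the rule emits. The Python below is an added example that simulates this mechanism; it is not Infoblox code. The fixed one-second counting window and the per-rule log cap are assumptions about behaviour the guide does not spell out, and the traffic, addresses and rule values are constructed. It also illustrates the tuning comment about NAT'd environments: many clients behind one gateway address count against a single per-source budget.

```python
"""Simulate an Advanced DNS Protection style RATELIMIT PASS rule.

Added example, not Infoblox code. Behaviour that the guide does not spell
out is an assumption here: packets are counted in fixed one-second windows
per source IP, and the Events per second value caps how many log lines the
rule emits in any one second.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class RateLimitRule:
    name: str
    packets_per_second: int     # "Packets per second" parameter
    drop_interval: float        # "Drop interval" parameter, in seconds
    events_per_second: int = 1  # "Events per second" parameter


@dataclass
class SourceState:
    window_start: float = 0.0
    count: int = 0
    blocked_until: float = 0.0


class RateLimiter:
    """Per-source-IP pass/drop decision for one rule."""

    def __init__(self, rule: RateLimitRule) -> None:
        self.rule = rule
        self.state: dict[str, SourceState] = defaultdict(SourceState)
        self.events: list[tuple[float, str]] = []
        self._log_second = -1
        self._logged_this_second = 0

    def _log(self, now: float, message: str) -> None:
        # Events per second: at most N log lines per wall-clock second for this rule
        second = int(now)
        if second != self._log_second:
            self._log_second, self._logged_this_second = second, 0
        if self._logged_this_second < self.rule.events_per_second:
            self._logged_this_second += 1
            self.events.append((now, f"{self.rule.name}: {message}"))

    def handle(self, src: str, now: float) -> str:
        """Return "PASS" or "DROP" for one packet from src arriving at time now."""
        st = self.state[src]
        if now < st.blocked_until:
            self._log(now, f"DROP {src} (blocked)")
            return "DROP"
        if now - st.window_start >= 1.0:  # start a new one-second counting window
            st.window_start, st.count = now, 0
        st.count += 1
        if st.count > self.rule.packets_per_second:
            # Threshold exceeded: block this source for the Drop interval
            st.blocked_until = now + self.rule.drop_interval
            st.count = 0
            self._log(now, f"rate exceeded by {src}, blocking {self.rule.drop_interval:g}s")
            return "DROP"
        return "PASS"


def run_demo(rule: RateLimitRule):
    """Feed constructed traffic through the rule; return per-source verdict counts and the log."""
    packets = []
    # Source A (constructed): a single host sending 8 packets/s for 3 s, under a 10 pps limit
    packets += [(i / 8, "192.0.2.10") for i in range(24)]
    # Source B (constructed): a NAT gateway fronting many clients, 25 packets in half a second
    packets += [(1.0 + i * 0.02, "198.51.100.1") for i in range(25)]
    # Probes from B during the block and after it expires
    packets += [(30.0, "198.51.100.1"), (62.0, "198.51.100.1")]
    limiter = RateLimiter(rule)
    summary: dict[str, dict[str, int]] = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for now, src in sorted(packets):
        summary[src][limiter.handle(src, now)] += 1
    return dict(summary), limiter.events


if __name__ == "__main__":
    # Defaults of rule 200001050 from the table above: 10 pps, 60 s drop interval, 1 event/s
    ntpq_rule = RateLimitRule("RATELIMIT PASS NTPQ IPv4 requests", 10, 60.0, 1)
    counts, log = run_demo(ntpq_rule)
    print(counts)
    for t, line in log:
        print(f"t={t:6.2f}s {line}")
```

Running it shows the single host passing all 24 packets, while the gateway address gets 10 packets through, trips the limit on the 11th, stays blocked at t=30 s and is passed again at t=62 s; the log holds only two lines because the Events per second cap suppresses the repeated drop events inside the same second, which is also why a quiet log does not mean few drops.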
BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 130700100 | AUTO | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700200 | AUTO | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700300 | AUTO | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700400 | AUTO | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700500 | AUTO | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700550 | AUTO | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700650 | AUTO | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured | Events per second (default = 1) | This rule is exclusive with other rules, based on whether BGP is configured on the member or not. |

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured | Events per second (default = 1) | Default drop rule for all packets on the OSPF service port. |
| 130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4 | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100) | |
| 130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6 | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100) | |
| 130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | This rule works for both IPv4 and IPv6. |
ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default = 1) | |
| 130900100 | Auto | RATE LIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100) | |
| 130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100) | |
| 130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902300 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902400 | Auto | RATELIMIT PASS ICMPV6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902500 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problems if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130903400 | Auto | RATELIMIT ICMP port unreachable | This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default = 10); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | N/A | |
| 140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default = 1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet. |
| 140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default = 1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet. |
| 140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default = 0) | |
| 140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default = 0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default = 0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default = 0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default = 0) | This is a catch-all rule that drops anything that does not match any other rules in the system. |
HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules
Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.
bull BLACKLIST FQDN lookup TCP Use this rule template to create custom rules for blacklisting DNS queries by FQDNlookups on TCP In the Rule Parameters table complete the following
mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over TCP traffic You can also enter alist of FQDNs using semicolon as the separator
bull BLACKLIST FQDN lookup UDP Use this rule template to create custom rules for blacklisting DNS queries byFQDN lookups on UDP In the Rule Parameters table complete the following
mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over UDP traffic You can also enter alist of FQDNs using semicolon as the separator
bull BLACKLIST IP TCP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP TCP template In the Rule Parameters table complete the following
mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all TCP traffic from the specified Ipv4 and IPv6
addresses and networks will be blocked Enter network addresses in addressCIDR formatbull BLACKLIST IP UDP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6
addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP UDP template In the Rule Parameters table complete the following
mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all UDP traffic from the specified Ipv4 and IPv6addresses and networks will be blocked Enter network addresses in addressCIDR format
bull RATELIMITED FQDN lookup UDP Use this rule template to create custom rules that contains rate limitingrestrictions for blocking DNS queries by FQDN lookups on UDP traffic In the Rule Parameters table completethe following
Table H18 HA Support Rules:
Rule ID | Rule Type | Rule Name (Description, Enable Condition, Parameters and Comments listed beneath each rule)

140000750 | Auto | PASS VRRP
  Description: This rule passes packets that go through VRRP for HA support.
  Enable/Disable Condition: Enabled if HA is configured
  Parameters: NA

140000760 | Auto | PASS IGMP
  Description: This rule passes packets that go through IGMP for HA support.
  Enable/Disable Condition: Enabled if HA is configured
  Parameters: NA
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets that look up this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups from this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the UDP traffic of DNS lookups from this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
DNS Message Type rules (continued):
Rule ID | Rule Type | Rule Name (Description, Enable/Disable Condition, Parameters and Comments listed beneath each rule)

130503100 | System | DNS CNAME record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a CNAME record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130503200 | System | DNS DS record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a DS record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130503300 | System | DNS PTR record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a PTR record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130503400 | System | DNS NS record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an NS record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130503500 | System | DNS NSEC record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an NSEC record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130503600 | System | DNS NSEC3 record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an NSEC3 record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130503700 | System | DNS NSEC3PARAM record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an NSEC3PARAM record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130503800 | System | DNS MX record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an MX record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130503900 | System | DNS SRV record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an SRV record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130504000 | System | DNS TXT record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a TXT record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130504100 | System | DNS DNAME record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a DNAME record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130504200 | System | DNS RRSIG record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an RRSIG record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130504300 | System | DNS NAPTR record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an NAPTR record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130504400 | System | DNS DNSKEY record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a DNSKEY record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130504500 | System | DNS SPF record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an SPF record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)
130504600 | System | DNS DHCID record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a DHCID record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130504700 | System | DNS SOA record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an SOA record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130504800 | System | DNS SIG record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a SIG record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130504900 | System | DNS ROC record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a ROC record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505000 | System | DNS SSHFP record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an SSHFP record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505100 | System | DNS IPSECKEY record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an IPSECKEY record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505200 | System | DNS TKEY record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a TKEY record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505300 | System | DNS TSIG record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a TSIG record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505400 | System | DNS TA record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a TA record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505500 | System | DNS DLV record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a DLV record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505600 | System | DNS ANY record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an ANY record request. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)
General DDoS
The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.
Table H5 General DDoS Rules
Reconnaissance
Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.
The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.
You can configure the following rule parameter for all rules in this category:
• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.
Table H6 Reconnaissance Rules
Table H5 General DDoS Rules:
Rule ID | Rule Type | Rule Name (Description, Enable/Disable Condition, Parameters and Comments listed beneath each rule)

110000100 | Auto | EARLY DROP DoS packets with same source and destination IP
  Description: This rule drops any IP packets that contain the same source and destination IP address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP
  Description: This rule drops UDP packets that contain the same source and destination IP address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP
  Description: This rule drops TCP packets that contain the same source and destination IP address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130400300 | Auto | DROP IPv6 loopback address spoofing
  Description: This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130400400 | Auto | DROP IPv6 loopback address spoofing
  Description: This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)
Table H6 Reconnaissance Rules:
Rule ID | Rule Type | Rule Name (Description, Enable Condition, Parameters and Comments listed beneath each rule)

110100100 | Auto | EARLY DROP DNS named author attempts
  Description: This rule drops UDP DNS packets that contain attempts to find AUTHOR information.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100200 | Auto | EARLY DROP DNS named version attempts
  Description: This rule drops UDP DNS packets that contain attempts to find VERSION information.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)
DNS Malware
DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.
The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.
Table H7 DNS Malware Rules
DNS Protocol Anomalies
DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.
The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance.
Table H8 DNS Protocol Anomalies Rules
Table H7 DNS Malware Rules:
Rule ID | Rule Type | Rule Name (Description, Enable Condition, Parameters and Comments listed beneath each rule)

110100300 | Auto | EARLY DROP UDP MALWARE backdoor
  Description: This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of FaceBook messenger. This malware may be spread as a malicious attachment in email messages.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130300300 | Auto | DROP MALWARE trojan downloader
  Description: This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130300400 | Auto | DROP MALWARE possible Hiloti
  Description: This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)
Table H8 DNS Protocol Anomalies Rules:
Rule ID | Rule Type | Rule Name (Description, Enable Condition, Parameters and Comments listed beneath each rule)

110100400 | Auto | EARLY DROP UDP DNS question name too long
  Description: This rule drops UDP DNS packets when the DNS Question Name is too long.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100500 | Auto | EARLY DROP UDP DNS label too long
  Description: This rule drops UDP DNS packets when the DNS Label in the name being queried is too long.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)
Potential DDoS Related Domains
This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.
Note that these rules capture currently observed bad domain names that can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
Table H8 DNS Protocol Anomalies Rules (continued):

110100600 | Auto | EARLY DROP UDP query invalid question count
  Description: This rule drops UDP DNS packets when the number of entries in the question section is invalid.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100700 | Auto | EARLY DROP UDP query invalid question class
  Description: This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100800 | Auto | EARLY DROP UDP query invalid question string
  Description: This rule drops UDP DNS packets that contain an invalid question string.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100850 | Auto | EARLY UDP drop invalid DNS query with Authority
  Description: This rule drops UDP DNS queries that contain an invalid AUTHORITY entry.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100900 | Auto | EARLY DROP query multiple questions or non query operation code
  Description: This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130000700 | Auto | EARLY DROP TCP non-DNS query
  Description: This rule drops TCP packets whose operation code is not Query.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130000800 | Auto | EARLY DROP TCP query multiple questions
  Description: This rule drops TCP DNS packets when there are multiple questions being queried at one time.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130300200 | Auto | DROP TCP invalid DNS query with Authority
  Description: This rule drops TCP DNS queries that contain invalid Authority entries.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)
TCP UDP Flood
TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.
The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.
Table H9 TCPUDP Flood Rules
Rule ID | Rule Type | Rule Name (Description, Enable Condition, Parameters and Comments listed beneath each rule)

130000100 | System | WARN about high rate inbound UDP DNS queries
  Description: This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 40); Events per second (default = 1)
  Comments: Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.

130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries
  Description: This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.

130000300 | System | WARN about high rate inbound TCP DNS queries
  Description: This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 5); Events per second (default = 1)
  Comments: Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.

130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries
  Description: This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.
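The two-threshold warn/block behaviour of rules 130000100 and 130000200 above, together with the pass-prior and drop-prior ordering of the WHITELIST IP, BLACKLIST IP and RATELIMITED IP custom rule templates, as an added Python simulation that is not Infoblox code: the SourceRateLimiter class, its one-second counting window and the sample traffic are constructed assumptions, while the thresholds are the page's defaults.

```python
import ipaddress
from collections import defaultdict

# Verdicts mirror the rule actions described on the page:
# pass, warn (log but still pass) and drop.
PASS, WARN, DROP = "PASS", "WARN", "DROP"


class SourceRateLimiter:
    """Per-source-IP rate limiter modelled on rules 130000100/130000200 and the
    RATELIMITED/BLACKLIST/WHITELIST IP templates. Constructed example, not Infoblox code.
    A source is warned about once it reaches the low threshold within a one-second
    window and blocked for `drop_interval` seconds once it exceeds the high threshold;
    whitelist and blacklist checks run before any counting."""

    def __init__(self, warn_pps, block_pps, drop_interval, whitelist=(), blacklist=()):
        # The page notes that the warn threshold must be lower than the block threshold.
        if warn_pps >= block_pps:
            raise ValueError("warn threshold must be lower than block threshold")
        self.warn_pps = warn_pps
        self.block_pps = block_pps
        self.drop_interval = drop_interval
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        self._window = {}         # src -> (window second, packets seen in it)
        self._blocked_until = {}  # src -> time at which the drop interval ends
        self.log = []             # (timestamp, verdict, src, detail) event records

    @staticmethod
    def _in_any(ip, networks):
        return any(ip in net for net in networks)

    def handle(self, src, ts):
        """Return the verdict for one inbound DNS packet from `src` at time `ts`."""
        ip = ipaddress.ip_address(src)
        # WHITELIST IP (pass prior to rate limiting): never counted, never dropped.
        if self._in_any(ip, self.whitelist):
            return PASS
        # BLACKLIST IP (drop prior to rate limiting): dropped before any counting.
        if self._in_any(ip, self.blacklist):
            self.log.append((ts, DROP, src, "blacklisted"))
            return DROP
        # A source still inside its drop interval loses every packet.
        if ts < self._blocked_until.get(src, 0.0):
            return DROP
        # Count this packet in the source's current one-second window.
        window, count = self._window.get(src, (int(ts), 0))
        if int(ts) != window:
            window, count = int(ts), 0
        count += 1
        self._window[src] = (window, count)
        # High threshold exceeded (rule 130000200): block for the drop interval.
        if count > self.block_pps:
            self._blocked_until[src] = ts + self.drop_interval
            self.log.append((ts, DROP, src, f"{count} pkt/s exceeds {self.block_pps}"))
            return DROP
        # Low threshold reached (rule 130000100): warn, but let the packet through.
        if count >= self.warn_pps:
            self.log.append((ts, WARN, src, f"{count} pkt/s reaches {self.warn_pps}"))
            return WARN
        return PASS


def simulate(limiter, packets):
    """Feed (src, timestamp) pairs through the limiter in time order;
    return the verdict counts per source."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, ts in sorted(packets, key=lambda p: p[1]):
        counts[src][limiter.handle(src, ts)] += 1
    return {src: dict(verdicts) for src, verdicts in counts.items()}


def sample_traffic():
    """Constructed traffic (not captured data): one bursty client, one whitelisted
    forwarder that would otherwise trip the warn threshold, and one blacklisted host."""
    pkts = [("198.51.100.7", 10.0 + i / 2000) for i in range(1100)]  # 1100 pkt/s burst
    pkts += [("198.51.100.7", 12.0 + i) for i in range(3)]           # retries while blocked
    pkts += [("198.51.100.7", 20.0 + i) for i in range(3)]           # after the block expires
    pkts += [("192.0.2.10", 10.0 + i / 2000) for i in range(100)]    # whitelisted forwarder
    pkts += [("203.0.113.5", 10.0 + i) for i in range(3)]            # blacklisted host
    return pkts


if __name__ == "__main__":
    # Page defaults for 130000100/130000200: warn at 40 pkt/s,
    # block above 1000 pkt/s, 5-second drop interval.
    limiter = SourceRateLimiter(40, 1000, 5,
                                whitelist=["192.0.2.0/24"],
                                blacklist=["203.0.113.5/32"])
    for src, verdicts in simulate(limiter, sample_traffic()).items():
        print(src, verdicts)
```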
DNS DDoS
The following table lists system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.
Table H10 DNS DDoS Rules
Rule ID | Rule Type | Rule Name (Description, Enable/Disable Condition, Parameters and Comments listed beneath each rule)

200000001 | System | NXDOMAIN rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

200000002 | System | NXRRSET rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers and NO errors.

200000003 | System | SERVFAIL rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this rate, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.
DNS Tunneling
DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.
The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance.
Table H11 Anti DNS Tunneling Rules
DNS Amplification and Reflection
DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification recognizes UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers to the Internet cloud. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.
Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that are sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also
Table H11 Anti DNS Tunneling Rules:
Rule ID | Rule Type | Rule Name (Description, Enable/Disable Condition, Parameters and Comments listed beneath each rule)

130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

200000004 | System | DNS tunneling rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.
use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.
The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.
Table H12 DNS Amplification and Reflection Rules
NTP
The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.
Table H13 NTP Rules
Table H12 DNS Amplification and Reflection Rules:
Rule ID | Rule Type | Rule Name (Description, Enable/Disable Condition, Parameters and Comments listed beneath each rule)

130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts
  Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders and VPN concentrators.

130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs
  Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

130400600 | System | RATE LIMIT PASS UDP DNS root requests
  Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.
Rule ID
Rule
Type
Rule Name Description
EnableDisable
Condition
Parameters Comments
130600100 | Auto | RATELIMIT PASS NTP TIME responses
  Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
  Enable/Disable Condition: Enabled when the NTP client is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1).

130600120 | Auto | DROP NTP TIME responses
  Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
  Enable/Disable Condition: Enabled when the NTP client is disabled.
  Parameters: Events per second (default = 1).
200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).
200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001100 | Auto | DROP NTPQ requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member.
  Parameters: Events per second (default = 1).

200001105 | Auto | DROP NTP TIME requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member.
  Parameters: Events per second (default = 1).

200001110 | Auto | DROP NTP private mode requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member.
  Parameters: Events per second (default = 1).

200001115 | Auto | DROP invalid NTP requests
  Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member.
  Parameters: Events per second (default = 1).
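The RATELIMIT PASS rules in the DNS amplification, NTP, BGP, OSPF and ICMP tables all share one per-source mechanism: packets from a source pass until that source exceeds the Packets per second value, after which everything from it is dropped for the Drop interval, while Events per second only caps how much gets logged. The Python model below is an added illustration of that mechanism and of the NAT tuning advice given for rule 130400100; it is not Infoblox code, and the one-second sliding window, the rule ID reuse and the addresses in the trace are assumptions.

```python
"""Model of the per-source RATELIMIT PASS behaviour described in the rule tables.

Added illustration, not Infoblox code. Assumptions (not stated on the page):
the "Packets per second" threshold is evaluated over a sliding one-second
window per source IP, and "Events per second" caps how many log events the
rule emits in any one-second window.
"""
from collections import deque


class RateLimitRule:
    """Pass packets from a source until it exceeds pps within one second,
    then drop everything from that source for drop_interval seconds."""

    def __init__(self, rule_id, packets_per_second, drop_interval, events_per_second=1):
        self.rule_id = rule_id
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.eps = events_per_second
        self._window = {}         # src -> deque of packet timestamps in the last second
        self._blocked_until = {}  # src -> time at which the drop interval ends
        self._events = deque()    # timestamps of logged events (for the EPS cap)
        self.log = []             # (timestamp, src, message) entries actually logged

    def _log(self, t, src, msg):
        # Events per second throttles logging, not blocking: at most eps events
        # are recorded in any one-second window; further events are not logged.
        while self._events and t - self._events[0] >= 1.0:
            self._events.popleft()
        if len(self._events) < self.eps:
            self._events.append(t)
            self.log.append((t, src, msg))

    def process(self, t, src):
        """Return 'PASS' or 'DROP' for one packet from src at time t (seconds)."""
        until = self._blocked_until.get(src)
        if until is not None and t < until:
            return 'DROP'                      # still inside this source's drop interval
        win = self._window.setdefault(src, deque())
        while win and t - win[0] >= 1.0:       # slide the one-second window forward
            win.popleft()
        win.append(t)
        if len(win) > self.pps:
            # Threshold exceeded: start the drop interval for this source only.
            self._blocked_until[src] = t + self.drop_interval
            win.clear()
            self._log(t, src, f'rule {self.rule_id}: {src} exceeded {self.pps} pps, '
                              f'dropping for {self.drop_interval}s')
            return 'DROP'
        return 'PASS'


def run_trace(rule, trace):
    """Apply rule to a list of (timestamp, src) packets; return per-source verdict counts."""
    counts = {}
    for t, src in trace:
        verdict = rule.process(t, src)
        counts.setdefault(src, {'PASS': 0, 'DROP': 0})[verdict] += 1
    return counts


# Constructed trace (documentation addresses): a NAT gateway with many clients
# behind it sends 8 ANY queries per second for 3 seconds, while a single client
# sends one query per second.
TRACE = sorted(
    [(s + i / 8.0, '198.51.100.1') for s in range(3) for i in range(8)] +
    [(s + 0.5, '203.0.113.7') for s in range(3)]
)


def demo(packets_per_second):
    """Rule 130400100 with its 5 s Drop interval: the default 5 pps versus the
    tuned value of about 100 suggested in the Comments column for NATd sites."""
    rule = RateLimitRule('130400100', packets_per_second, drop_interval=5)
    return run_trace(rule, TRACE), len(rule.log)


if __name__ == '__main__':
    for pps in (5, 100):
        counts, events = demo(pps)
        print(f'Packets per second = {pps}: {counts}, {events} event(s) logged')
```

With the default of 5 pps the NAT gateway passes five packets and then loses the rest of its traffic for the whole drop interval, while the single client is unaffected; at 100 pps nothing is dropped, which is why the table recommends raising the value where one source address aggregates many clients.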
BGP
The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules
(Each entry lists Rule ID | Rule Type | Rule Name, followed by the Description, Enable/Disable Condition, Parameters, and Comments columns.)

130700100 | Auto | DROP BGP header length shorter than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700200 | Auto | DROP BGP header length longer than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700300 | Auto | DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain spoofed connection resets.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700400 | Auto | DROP BGP invalid type 0
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700500 | Auto | DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10).

130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer
  Description: This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10).

130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10).
130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer
  Description: This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10).

130800100 | Auto | DROP BGP unexpected
  Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
  Enable/Disable Condition: This rule takes effect when BGP service on this member is NOT configured.
  Parameters: Events per second (default = 1).
  Comments: This rule is exclusive with other rules based on whether BGP is configured on the member or not.

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules
(Each entry lists Rule ID | Rule Type | Rule Name, followed by the Description, Enable Condition, Parameters, and Comments columns.)
130900300 | Auto | DROP OSPF unexpected
  Description: This rule drops unexpected OSPF packets.
  Enable Condition: This rule takes effect when OSPF service on this member is NOT configured.
  Parameters: Events per second (default = 1).
  Comments: Default drop rule for all packets on the OSPF service port.

130900400 | Auto | RATELIMIT PASS OSPF multicast
  Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when OSPF service on this member is configured for IPv4.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100).

130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast
  Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when OSPF service on this member is configured for IPv6.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100).

130900600 | Auto | RATELIMIT PASS OSPF
  Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when OSPF service on this member is configured.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).
  Comments: This rule works for both IPv4 and IPv6.
ICMP
ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules
(Each entry lists Rule ID | Type | Rule Name, followed by the Description, Enable/Disable Condition, Parameters, and Comments columns.)

130400200 | Auto | DROP ICMP large packets
  Description: This rule drops large ICMP packets (bigger than 800).
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1).

130900100 | Auto | RATE LIMIT PASS ICMP Ping
  Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).

130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping
  Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).

130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable
  Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100).

130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big
  Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100).

130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses
  Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).

130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).
130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).
130901900 | Auto | RATELIMIT PASS ICMPv6 listener query
  Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130902000 | Auto | RATELIMIT PASS ICMPv6 listener report
  Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130902100 | Auto | RATELIMIT PASS ICMPv6 listener done
  Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2
  Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130902300 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130902400 | Auto | RATELIMIT PASS ICMPV6 multicast router solicitation
  Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130902500 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130902600 | Auto | RATELIMIT PASS ICMP ping responses
  Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).
130902700 | Auto | RATELIMIT PASS ICMP router advertisement
  Description: This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).

130902800 | Auto | RATELIMIT PASS ICMP router solicitation
  Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).

130902900 | Auto | RATELIMIT PASS ICMP time exceeded
  Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).

130903000 | Auto | RATELIMIT PASS ICMP parameter problem
  Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).

130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50).

130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).

130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable
  Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).

130903400 | Auto | RATELIMIT ICMP port unreachable
  Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 10); Drop Interval (default = 10 sec); Packets per second (default = 50).
130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed
  Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50).

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules
(Each entry lists Rule ID | Rule Type | Rule Name, followed by the Description, Enable Condition, Parameters, and Comments columns.)
100000050 | System | EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
  Enable Condition: Enabled by default.
  Parameters: N/A.

140000100 | System | DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 1).
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200 | System | DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 1).
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400 | System | PASS TCP established packets
  Description: This rule passes all TCP established packets.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 0).

140000500 | System | DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 0).
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600 | System | DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 0).
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700 | System | DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 0).
  Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800 | System | DROP unexpected protocol
  Description: This rule drops any unexpected protocol packets.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 0).
  Comments: This is a catch-all rule that drops anything that does not match any other rules in the system.
HA Support
The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.
Table H18 HA Support Rules
Custom Rule Templates
Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
Rule ID
Rule
Type
Rule Name Description Enable Condition Parameters Comments
140000750 Auto PASS VRRP This rule passes packets thatgo through VRRP for HAsupport
Enabled if HA isconfigured
NA
140000760 Auto PASS IGMP This rule passes packets thatgo through IGMP for HAsupport
Enabled if HA isconfigured
NA
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2930
Custom Rule Templates
NIOS 612 NIOS Administrator Guide (Rev A) 1525
mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this ruleThe default is 5
mdash Drop interval Enter the number of seconds for which the appliance drops packets
mdash Blacklist rate limited FQDN Enter the FQDN that is affected by the rate limit value configured for this ruleThe appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDNexceeds the configured rate limit value
bull RATELIMITED IP TCP Use this rule template to create custom rules that contains rate limiting restrictions forblacklisting IP addresses on TCP If there are certain IP addresses that you want to block before its traffic reachesthe rate limit restrictions you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting templateIn the Rule Parameters table complete the following
mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of TCP traffic that consists of DNS lookups for the IP address or networkdefined in this rule The default is 5
mdash Drop interval Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IPaddress or network defined for this rule The default is 30 seconds
mdash Rate limited IP addressnetwork Enter the IP address or network that is affected by the rate limit valueconfigured for this rule The appliance drops the packets sent by this IP address based on the drop intervalwhen the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value
bull RATELIMITED IP UDP Use this rule template to create custom rules that contains rate limiting restrictions forblacklisting IP addresses on UDP If there are certain IP addresses that you want to block before its trafficreaches the rate limit restrictions you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template In the Rule Parameters table complete the following
mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of UDP traffic that consists of DNS lookups for the IP address or networkdefined in this rule The default is 5
mdash Drop interval Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IPaddress or network defined for this rule The default is 30 seconds
mdash Rate limited IP addressnetwork Enter the IP address or network that is affected by the rate limit valueconfigured for this rule The appliance drops the packets sent by this IP address based on the drop interval
when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit valuebull WHITELIST IP TCP Pass prior to rate limiting Use this rule template to create custom rules for allowing certain IP
addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP TCP template In the Rule Parameters table complete the following
mdash Whitelisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are allowed beforeany relevant rate limiting rules take effect
bull WHITELIST IP UDP Pass prior to rate limiting Use this rule template to create custom rules for allowing certain IPaddresses on UDP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP UDP template In the Rule Parameters table complete the following
mdash Whitelisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are allowed beforeany relevant rate limiting rules take effect
DNS Message Type

130504600 (System) DNS DHCID record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a DHCID record request. The default Action = Pass.
  Enable condition: Enabled by default.
  Parameters: Action (default = Pass); Events per second (default = 1).

130504700 (System) DNS SOA record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an SOA record request. The default Action = Pass.
  Enable condition: Enabled by default.
  Parameters: Action (default = Pass); Events per second (default = 1).

130504800 (System) DNS SIG record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a SIG record request. The default Action = Pass.
  Enable condition: Enabled by default.
  Parameters: Action (default = Pass); Events per second (default = 1).

130504900 (System) DNS ROC record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a ROC record request. The default Action = Pass.
  Enable condition: Enabled by default.
  Parameters: Action (default = Pass); Events per second (default = 1).

130505000 (System) DNS SSHFP record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an SSHFP record request. The default Action = Pass.
  Enable condition: Enabled by default.
  Parameters: Action (default = Pass); Events per second (default = 1).

130505100 (System) DNS IPSECKEY record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an IPSECKEY record request. The default Action = Pass.
  Enable condition: Enabled by default.
  Parameters: Action (default = Pass); Events per second (default = 1).

130505200 (System) DNS TKEY record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a TKEY record request. The default Action = Pass.
  Enable condition: Enabled by default.
  Parameters: Action (default = Pass); Events per second (default = 1).

130505300 (System) DNS TSIG record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a TSIG record request. The default Action = Pass.
  Enable condition: Enabled by default.
  Parameters: Action (default = Pass); Events per second (default = 1).

130505400 (System) DNS TA record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a TA record request. The default Action = Pass.
  Enable condition: Enabled by default.
  Parameters: Action (default = Pass); Events per second (default = 1).

130505500 (System) DNS DLV record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain a DLV record request. The default Action = Pass.
  Enable condition: Enabled by default.
  Parameters: Action (default = Pass); Events per second (default = 1).

130505600 (System) DNS ANY record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an ANY record request. The default Action = Pass.
  Enable condition: Enabled by default.
  Parameters: Action (default = Pass); Events per second (default = 1).
General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

110000100 (Auto) EARLY DROP DoS packets with same source and destination IP
  Description: This rule drops any IP packets that contain the same source and destination IP address.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

110000200 (Auto) EARLY DROP DoS UDP packets with same source and destination IP
  Description: This rule drops UDP packets that contain the same source and destination IP address.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

110000300 (Auto) EARLY DROP DoS TCP packets with same source and destination IP
  Description: This rule drops TCP packets that contain the same source and destination IP address.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130400300 (Auto) DROP IPv6 loopback address spoofing
  Description: This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130400400 (Auto) DROP IPv6 loopback address spoofing
  Description: This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding server versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

110100100 (Auto) EARLY DROP DNS named author attempts
  Description: This rule drops UDP DNS packets that contain attempts to find AUTHOR information.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

110100200 (Auto) EARLY DROP DNS named version attempts
  Description: This rule drops UDP DNS packets that contain attempts to find VERSION information.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).
DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

110100300 (Auto) EARLY DROP UDP MALWARE backdoor
  Description: This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of FaceBook messenger. This malware may be spread as a malicious attachment in email messages.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130300300 (Auto) DROP MALWARE trojan downloader
  Description: This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130300400 (Auto) DROP MALWARE possible Hiloti
  Description: This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

DNS Protocol Anomalies

DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.

The following table lists the rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

110100400 (Auto) EARLY DROP UDP DNS question name too long
  Description: This rule drops UDP DNS packets when the DNS Question Name is too long.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

110100500 (Auto) EARLY DROP UDP DNS label too long
  Description: This rule drops UDP DNS packets when the DNS Label in the name being queried is too long.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

110100600 (Auto) EARLY DROP UDP query invalid question count
  Description: This rule drops UDP DNS packets when the number of entries in the question section is invalid.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

110100700 (Auto) EARLY DROP UDP query invalid question class
  Description: This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

110100800 (Auto) EARLY DROP UDP query invalid question string
  Description: This rule drops UDP DNS packets that contain an invalid question string.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

110100850 (Auto) EARLY UDP drop invalid DNS query with Authority
  Description: This rule drops UDP DNS queries that contain an invalid AUTHORITY entry.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

110100900 (Auto) EARLY DROP query multiple questions or non-query operation code
  Description: This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130000700 (Auto) EARLY DROP TCP non-DNS query
  Description: This rule drops TCP packets when the operation code is not Query.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130000800 (Auto) EARLY DROP TCP query multiple questions
  Description: This rule drops TCP DNS packets when there are multiple questions being queried at one time.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130100500 (Auto) DROP UDP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130100600 (Auto) DROP TCP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130300200 (Auto) DROP TCP invalid DNS query with Authority
  Description: This rule drops TCP DNS queries that contain invalid Authority entries.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

130000100 (System) WARN about high rate inbound UDP DNS queries
  Description: This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 40); Events per second (default = 1).
  Comments: Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.

130000200 (System) WARN & BLOCK high rate inbound UDP DNS queries
  Description: This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.

130000300 (System) WARN about high rate inbound TCP DNS queries
  Description: This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 5); Events per second (default = 1).
  Comments: Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.

130000400 (System) WARN & BLOCK high rate inbound TCP DNS queries
  Description: This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.
DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.

Table H10 DNS DDoS Rules

200000001 (System) NXDOMAIN rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

200000002 (System) NXRRSET rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers and NO errors.

200000003 (System) SERVFAIL rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.
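The warn-at-threshold, block-above-threshold semantics shared by the TCP/UDP Flood pair (130000100 warns at the low threshold, 130000200 warns and then blocks for Drop interval at the high threshold), the DNS DDoS rules above, and the anti-tunneling Packet size rules in the next section, simulated as an added Python example that is not Infoblox code. It assumes a fixed one-second counting window per (rule, source IP), first-match-drop rule order as listed, and constructed sample traffic; the appliance's actual counting algorithm is not documented on this page.

```python
# Added example, not Infoblox code: simulates the per-source rate-limit semantics
# described for the WARN / WARN & BLOCK pair (130000100, 130000200), the NXDOMAIN
# rule (200000001) and the anti-tunneling size rule (130000500). Assumed: a fixed
# one-second counting window per (rule, source IP), first-match-drop rule order.
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Packet:
    ts: float                    # arrival time in seconds
    src: str                     # source IP (constructed sample values)
    proto: str                   # "udp" or "tcp"
    size: int = 60               # DNS message size in bytes
    rcode: Optional[str] = None  # response the query triggered, e.g. "NXDOMAIN"

@dataclass
class Rule:
    rule_id: int
    name: str
    pps: int                         # the rule's "Packets per second" parameter
    match: Callable[[Packet], bool]  # which packets this rule counts
    drop_interval: float = 0.0       # "Drop interval" in seconds; 0 = warn only

Action = Tuple[int, str, str]  # (rule id, "warn" or "drop", source IP)

class RateLimiter:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # (rule id, src) -> [packets counted in current window, window start]
        self.windows = defaultdict(lambda: [0, None])
        # (rule id, src) -> time at which the Drop interval block expires
        self.blocked_until = {}

    def process(self, pkt: Packet) -> List[Action]:
        """Evaluate one packet against the rules in order; return actions raised."""
        actions: List[Action] = []
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            key = (rule.rule_id, pkt.src)
            until = self.blocked_until.get(key)
            if until is not None and pkt.ts < until:
                actions.append((rule.rule_id, "drop", pkt.src))
                return actions  # dropped: later rules never see the packet
            window = self.windows[key]
            if window[1] is None or pkt.ts - window[1] >= 1.0:
                window[0], window[1] = 0, pkt.ts  # start a new one-second window
            window[0] += 1
            if window[0] == rule.pps:
                # rate equals the Packets per second value: warn only
                actions.append((rule.rule_id, "warn", pkt.src))
            elif window[0] > rule.pps and rule.drop_interval > 0:
                # rate exceeds the value: block this source for Drop interval
                self.blocked_until[key] = pkt.ts + rule.drop_interval
                actions.append((rule.rule_id, "drop", pkt.src))
                return actions
        return actions

# Default parameters from the tables. The low-threshold rule warns only, and its
# Packets per second must stay below the high-threshold rule's value.
RULES = [
    Rule(130000100, "WARN about high rate inbound UDP DNS queries", pps=40,
         match=lambda p: p.proto == "udp"),
    Rule(130000200, "WARN & BLOCK high rate inbound UDP DNS queries", pps=1000,
         match=lambda p: p.proto == "udp", drop_interval=5.0),
    Rule(130000500, "RATELIMIT UDP large DNS queries (anti-tunneling)", pps=100,
         match=lambda p: p.proto == "udp" and p.size > 200, drop_interval=5.0),
    Rule(200000001, "NXDOMAIN rate limiting rule", pps=1000,
         match=lambda p: p.proto == "udp" and p.rcode == "NXDOMAIN",
         drop_interval=5.0),
]

def run(rules: List[Rule], packets: List[Packet]) -> List[Action]:
    limiter = RateLimiter(rules)
    log: List[Action] = []
    for pkt in packets:
        log.extend(limiter.process(pkt))
    return log

def demo_flood() -> List[Action]:
    """Constructed burst: 1001 UDP queries from one source in 0.4 s, then retries.
    Expected: 130000100 warns at packet 40; 130000200 warns at packet 1000, drops
    packet 1001 and the t=102 retry (within Drop interval); t=106 passes."""
    src = "198.51.100.7"
    burst = [Packet(100.0 + i * 0.0004, src, "udp") for i in range(1001)]
    retries = [Packet(102.0, src, "udp"), Packet(106.0, src, "udp")]
    return run(RULES, burst + retries)

def demo_tunnel() -> List[Action]:
    """Constructed: 101 oversized (300-byte) UDP queries from one source in 0.1 s.
    Expected: 130000100 warns at packet 40 (it counts every UDP DNS packet);
    130000500 warns at packet 100 and drops packet 101; 130000200 never fires."""
    src = "203.0.113.9"
    pkts = [Packet(200.0 + i * 0.001, src, "udp", size=300) for i in range(101)]
    return run(RULES, pkts)
```

Running the two demos shows why the comments insist that the low-threshold rule stay below the high-threshold one: the warn-only rule fires first and gives the early warning, and the block only engages once the higher value is exceeded.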
DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

130000500 (System) RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200).
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

130000600 (Auto) RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200).
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

200000004 (System) DNS tunneling rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size.
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40).
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification exploits UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address carried in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Crafted a specific way, a small query sent to any open DNS resolver can result in a single response containing several kilobytes or more that is sent to the unwitting spoofed victim. (This type of response is typically sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

130400100 (Auto) WARN & DROP DoS DNS possible reflection/amplification attack attempts
  Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders and VPN concentrators.

130400500 (System) RATE LIMIT PASS UDP DNS root requests with additional RRs
  Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1).

130400600 (System) RATE LIMIT PASS UDP DNS root requests
  Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H13 NTP Rules
Rule ID
Rule
Type
Rule Name Description
EnableDisable
Condition
Parameters Comments
130600100 Auto RATELIMIT PASS NTPTIME responses
When the NTP client isenabled this rule passesUDP NTP TIME responsesuntil the traffic hits the ratelimit of 10 packets persecond it then blocks allNTP traffic for 15 seconds
Enabled when theNTP client isenabled
Packets per second (default = 10)
Drop interval
(default = 15seconds)
Events per second (default = 1)
130600120 Auto DROP NTP TIMEresponses
This rule drops all UDP NTPTIME responses when theNTP client is disabled
Enabled when theNTP client isdisabled
Events per second (default=1)
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 1930
NTP
NIOS 612 NIOS Administrator Guide (Rev A) 1515
200001001 Auto DOS Possible NTPDDoS InboundFrequent Un-AuthedGET_RESTRICTRequests IMPL 0x02
When the NTP server isenabled this rule warnsabout possible NTP DDoSInbound FrequentUn-Authed GET_RESTRICTRequests IMPL 0x02attacks It then blocks
suspicious NTP traffic for atime period that isspecified in Drop Interval
  Enable/Disable Condition: Enabled when the NTP service is enabled on this member.
  Parameters: Events per second (default = 1)

200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable/Disable Condition: Enabled when the NTP service is enabled on this member.
  Parameters: Events per second (default = 1)

200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable/Disable Condition: Enabled when the NTP service is enabled on this member.
  Parameters: Events per second (default = 1)

200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable/Disable Condition: Enabled when the NTP service is enabled on this member.
  Parameters: Events per second (default = 1)

200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable/Disable Condition: Enabled when the NTP service is enabled on this member.
  Parameters: Events per second (default = 1)

200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable/Disable Condition: Enabled when the NTP service is enabled on this member.
  Parameters: Events per second (default = 1)

200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests
  Description: This rule passes UDP NTPQ requests from the NTP IPv4 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)
200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests
  Description: This rule passes UDP NTP TIME requests from the NTP IPv4 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests
  Description: This rule passes UDP NTP private mode 7 requests from the NTP IPv4 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests
  Description: This rule passes UDP NTPQ requests from the NTP IPv6 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests
  Description: This rule passes UDP NTP TIME requests from the NTP IPv6 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests
  Description: This rule passes UDP NTP private mode 7 requests from the NTP IPv6 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001100 | Auto | DROP NTPQ requests unexpected
  Description: When the NTP service is disabled, this rule drops all UDP NTPQ requests.
  Enable/Disable Condition: Enabled when the NTP service is disabled on this member.
  Parameters: Events per second (default = 1)

200001105 | Auto | DROP NTP TIME requests unexpected
  Description: When the NTP service is disabled, this rule drops all UDP NTP TIME requests.
  Enable/Disable Condition: Enabled when the NTP service is disabled on this member.
  Parameters: Events per second (default = 1)

200001110 | Auto | DROP NTP private mode requests unexpected
  Description: When the NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
  Enable/Disable Condition: Enabled when the NTP service is disabled on this member.
  Parameters: Events per second (default = 1)

200001115 | Auto | DROP invalid NTP requests
  Description: When the NTP service is disabled, this rule drops all invalid UDP NTP requests.
  Enable/Disable Condition: Enabled when the NTP service is disabled on this member.
  Parameters: Events per second (default = 1)
BGP
The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

Columns: Rule ID | Rule Type | Rule Name, followed by Description, Enable/Disable Condition, Parameters and Comments for each rule.
130700100 | AUTO | DROP BGP header length shorter than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is shorter than the RFC specification.
  Enable/Disable Condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700200 | AUTO | DROP BGP header length longer than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is longer than the RFC specification.
  Enable/Disable Condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700300 | AUTO | DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
  Enable/Disable Condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700400 | AUTO | DROP BGP invalid type 0
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
  Enable/Disable Condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700500 | AUTO | DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
  Enable/Disable Condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700550 | AUTO | RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable/Disable Condition: Enabled when the BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer
  Description: This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable/Disable Condition: Enabled when the BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130700650 | AUTO | RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable/Disable Condition: Enabled when the BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)
130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer
  Description: This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable/Disable Condition: Enabled when the BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130800100 | Auto | DROP BGP unexpected
  Description: When the BGP service is not configured on this member, this rule drops unexpected TCP BGP packets.
  Enable/Disable Condition: This rule takes effect when the BGP service on this member is NOT configured.
  Parameters: Events per second (default = 1)
  Comments: This rule is mutually exclusive with the other BGP rules: which set applies depends on whether BGP is configured on the member.

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance, whether or not the OSPF service is configured on the member.

Table H15 OSPF Rules

Columns: Rule ID | Rule Type | Rule Name, followed by Description, Enable Condition, Parameters and Comments for each rule.

130900300 | Auto | DROP OSPF unexpected
  Description: This rule drops unexpected OSPF packets.
  Enable Condition: This rule takes effect when the OSPF service on this member is NOT configured.
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for all packets on the OSPF service port.

130900400 | Auto | RATELIMIT PASS OSPF multicast
  Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable Condition: This rule takes effect when the OSPF service on this member is configured for IPv4.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100)

130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast
  Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable Condition: This rule takes effect when the OSPF service on this member is configured for IPv6.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100)

130900600 | Auto | RATELIMIT PASS OSPF
  Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable Condition: This rule takes effect when the OSPF service on this member is configured.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)
  Comments: This rule works for both IPv4 and IPv6.
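The five DROP rules at the top of Table H14 (130700100 through 130700500) are header sanity checks: a BGP message begins with a 16-byte all-ones marker, a 2-byte length that RFC 4271 bounds to 19..4096, and a 1-byte type that is valid only for 1..5 (OPEN, UPDATE, NOTIFICATION, KEEPALIVE, and ROUTE-REFRESH from RFC 2918). The following added example (written for this page; it is not Infoblox code and not part of the original guide) applies those checks, adds the per-type minimum sizes from RFC 4271, and walks a TCP byte stream message by message, which matters because BGP messages are delimited only by that length field, so a bad length desynchronises everything after it. The spoofed-reset rule (130700300) is a TCP-level check and is not modelled here. The verdict strings and all sample messages are constructed.

```python
"""Added example (not Infoblox code): the BGP message-header checks behind rules
130700100 through 130700500, written against the RFC 4271 header, plus a stream
walker.  Verdict strings and sample messages are constructed for this example."""
import struct

MARKER = b"\xff" * 16
HEADER_LEN = 19
MAX_MSG_LEN = 4096     # RFC 4271; peers that negotiated RFC 8654 extended messages allow 65535
TYPE_NAMES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}
MIN_LEN_BY_TYPE = {1: 29, 2: 23, 3: 21, 4: 19, 5: 23}   # header plus mandatory body fields


def check_bgp_header(msg: bytes) -> tuple:
    """Return ('PASS', type name) or ('DROP', reason) for the message at the start of msg."""
    if len(msg) < HEADER_LEN:
        return ("DROP", "BGP header length shorter than spec (fewer than 19 bytes received)")
    marker, length, mtype = msg[:16], struct.unpack("!H", msg[16:18])[0], msg[18]
    if marker != MARKER:
        return ("DROP", "connection not synchronized (marker is not all ones)")
    if length < HEADER_LEN:
        return ("DROP", "BGP header length shorter than spec")
    if length > MAX_MSG_LEN:
        return ("DROP", "BGP header length longer than spec")
    if mtype == 0:
        return ("DROP", "BGP invalid type 0")
    if mtype > 5:
        return ("DROP", "BGP invalid type bigger than 5")
    if length < MIN_LEN_BY_TYPE[mtype] or (mtype == 4 and length != HEADER_LEN):
        return ("DROP", f"{TYPE_NAMES[mtype]} length {length} violates the RFC 4271 size rules")
    if len(msg) < length:
        return ("DROP", "declared length exceeds the bytes received")
    return ("PASS", TYPE_NAMES[mtype])


def bgp_message(mtype: int, body: bytes = b"", length=None, marker: bytes = MARKER) -> bytes:
    """Constructed message; the length and marker overrides forge the malformed cases."""
    total = HEADER_LEN + len(body) if length is None else length
    return marker + struct.pack("!H", total) + bytes([mtype]) + body


def scan_stream(stream: bytes) -> list:
    """BGP runs over TCP, so messages are delimited only by their length field: walk the
    stream message by message and stop at the first bad header, since nothing after a
    corrupt length can be trusted."""
    verdicts, pos = [], 0
    while pos < len(stream):
        verdict = check_bgp_header(stream[pos:])
        verdicts.append(verdict)
        if verdict[0] == "DROP":
            break
        pos += struct.unpack("!H", stream[pos + 16:pos + 18])[0]
    return verdicts


# Constructed OPEN body: version 4, AS 64496, hold time 90, router ID 192.0.2.1, no options.
OPEN_BODY = bytes([4]) + struct.pack("!HH", 64496, 90) + bytes([192, 0, 2, 1]) + b"\x00"

if __name__ == "__main__":
    samples = [bgp_message(4), bgp_message(1, OPEN_BODY), bgp_message(4, length=18),
               bgp_message(2, length=5000), bgp_message(0), bgp_message(6),
               bgp_message(4, marker=b"\x00" * 16)]
    for sample in samples:
        print(check_bgp_header(sample))
    print(scan_stream(bgp_message(4) + bgp_message(1, OPEN_BODY) + bgp_message(7)))
```

The checks are ordered the way a receiver must apply them: the marker first (RFC 4271 reports it as Connection Not Synchronized), then the length bounds, then the type, and only then the per-type minimum, because the type is needed to know which minimum applies.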
ICMP
ICMP is the protocol that network devices such as routers use to send error messages when a requested service is not available or a remote host cannot be reached. Attackers abuse it in ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

Columns: Rule ID | Type | Rule Name, followed by Description, Enable/Disable Condition, Parameters and Comments for each rule.
130400200 | Auto | DROP ICMP large packets
  Description: This rule drops large ICMP packets (larger than 800 bytes).
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1)

130900100 | Auto | RATE LIMIT PASS ICMP Ping
  Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping
  Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable
  Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100)

130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big
  Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100)

130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses
  Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)
130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)
130901900 | Auto | RATELIMIT PASS ICMPv6 listener query
  Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902000 | Auto | RATELIMIT PASS ICMPv6 listener report
  Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902100 | Auto | RATELIMIT PASS ICMPv6 listener done
  Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2
  Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902300 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902400 | Auto | RATELIMIT PASS ICMPV6 multicast router solicitation
  Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902500 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902600 | Auto | RATELIMIT PASS ICMP ping responses
  Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)
130902700 | Auto | RATELIMIT PASS ICMP router advertisement
  Description: This rule passes ICMP router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130902800 | Auto | RATELIMIT PASS ICMP router solicitation
  Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130902900 | Auto | RATELIMIT PASS ICMP time exceeded
  Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903000 | Auto | RATELIMIT PASS ICMP parameter problem
  Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)
  Comments: These two messages share the same numeric type and code (type 3, code 0) in ICMPv6 and ICMPv4 respectively, which is why one rule covers both.

130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: This rule passes ICMPv6 Fragment Reassembly Time Exceeded messages or ICMPv4 Host Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)
  Comments: As with 130903100, both messages are type 3, code 1 in their respective protocols.

130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable
  Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903400 | Auto | RATELIMIT ICMP port unreachable
  Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 10); Drop Interval (default = 10 sec); Packets per second (default = 50)
130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed
  Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable/Disable Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All of these rules are enabled by default (see the Enable Condition of each rule).

Table H17 Default Pass/Drop Rules

Columns: Rule ID | Rule Type | Rule Name, followed by Description, Enable Condition, Parameters and Comments for each rule.
100000050 | System | EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits option set and marked OK.
  Enable Condition: Enabled by default.
  Parameters: NA

140000100 | System | DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS UDP packet.

140000200 | System | DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS TCP packet.

140000400 | System | PASS TCP established packets
  Description: This rule passes all packets of established TCP connections.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 0)

140000500 | System | DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 0)
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000600 | System | DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 0)
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000700 | System | DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 0)
  Comments: This rule drops any ICMP packet. If this rule is triggered, the packet is most likely not intended for services on this member.

140000800 | System | DROP unexpected protocol
  Description: This rule drops packets of any unexpected protocol.
  Enable Condition: Enabled by default.
  Parameters: Events per second (default = 0)
  Comments: This is the catch-all rule that drops anything that does not match any other rule in the system.
HA Support

The following table lists the auto rules that pass packets of the Virtual Router Redundancy Protocol (VRRP) and the Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

Columns: Rule ID | Rule Type | Rule Name, followed by Description, Enable Condition, Parameters and Comments for each rule.

140000750 | Auto | PASS VRRP
  Description: This rule passes packets that go through VRRP for HA support.
  Enable Condition: Enabled if HA is configured.
  Parameters: NA

140000760 | Auto | PASS IGMP
  Description: This rule passes packets that go through IGMP for HA support.
  Enable Condition: Enabled if HA is configured.
  Parameters: NA

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs in custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that apply rate limiting restrictions to DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP traffic consisting of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets once the rate limit has been exceeded.
  - Blacklist rate limited FQDN: Enter the FQDN to which the rate limit configured for this rule applies. The appliance drops the DNS lookup packets for this FQDN when the UDP traffic of DNS lookups for it exceeds the configured rate limit.
• RATELIMITED IP TCP: Use this rule template to create custom rules that apply rate limiting restrictions to IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit, create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of TCP traffic consisting of DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. The appliance drops packets from this IP address or network for the drop interval when its TCP DNS lookup traffic exceeds the configured rate limit.
• RATELIMITED IP UDP: Use this rule template to create custom rules that apply rate limiting restrictions to IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit, create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP traffic consisting of DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. The appliance drops packets from this IP address or network for the drop interval when its UDP DNS lookup traffic exceeds the configured rate limit.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on TCP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on UDP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
mdash Whitelisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are allowed beforeany relevant rate limiting rules take effect
General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |
| 130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |

Reconnaissance

Reconnaissance attacks consist of attempts to gather information about the network environment before launching a large DDoS or other type of attack. Techniques include port scanning and probing for software versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables event logging for the rule. The default value is 10.

Table H6 Reconnaissance Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1) | |
| 110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1) | |
DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of Facebook Messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) | |
| 130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare. | Always enabled | Events per second (default = 1) | |
| 130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server. | Always enabled | Events per second (default = 1) | |

DNS Protocol Anomalies

DNS protocol anomalies are malformed DNS packets, including unexpected header and payload values, sent to the targeted server. They can cause the server to stop responding or crash, or result in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.

The following table lists the rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) | |
| 110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when a DNS Label in the name being queried is too long. | Always enabled | Events per second (default = 1) | |
| 110100600 | Auto | EARLY DROP UDP query invalid question count | This rule drops UDP DNS packets when the number of entries in the question section is invalid. | Always enabled | Events per second (default = 1) | |
| 110100700 | Auto | EARLY DROP UDP query invalid question class | This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid. | Always enabled | Events per second (default = 1) | |
| 110100800 | Auto | EARLY DROP UDP query invalid question string | This rule drops UDP DNS packets that contain an invalid question string. | Always enabled | Events per second (default = 1) | |
| 110100850 | Auto | EARLY UDP drop invalid DNS query with Authority | This rule drops UDP DNS queries that contain an invalid AUTHORITY entry. | Always enabled | Events per second (default = 1) | |
| 110100900 | Auto | EARLY DROP query multiple questions or non-query operation code | This rule drops UDP DNS packets when multiple questions are queried at one time or the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000700 | Auto | EARLY DROP TCP non-DNS query | This rule drops TCP packets when the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000800 | Auto | EARLY DROP TCP query multiple questions | This rule drops TCP DNS packets when multiple questions are queried at one time. | Always enabled | Events per second (default = 1) | |
| 130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority | This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority | This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130300200 | Auto | DROP TCP invalid DNS query with Authority | This rule drops TCP DNS queries that contain invalid Authority entries. | Always enabled | Events per second (default = 1) | |

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects of NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
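The checks behind the Table H8 DNS Protocol Anomalies rules, as an added Python example that is not Infoblox code: it parses the header and question section of a UDP DNS query and reports which of the anomalies described above it finds. The 63-octet label and 255-octet name limits (RFC 1035), the accepted question classes and the IXFR Authority-count rule are assumptions taken from the RFCs and the rule descriptions; how the appliance itself implements each check is not stated on this page.

```python
import struct

# RFC 1035 wire-format limits; the exact "too long" thresholds the appliance
# uses are not stated on this page (assumption).
MAX_LABEL_LEN = 63
MAX_NAME_WIRE_LEN = 255
OPCODE_QUERY = 0
QTYPE_IXFR = 251
# Question classes accepted here: IN, CH, HS and ANY (assumption).
VALID_QCLASSES = {1, 3, 4, 255}


def build_query(qname, qtype=1, qclass=1, opcode=OPCODE_QUERY, qdcount=1, nscount=0):
    """Build a constructed UDP DNS query so the checker has input to run on.
    qdcount and nscount are written into the header as given, which lets a
    caller forge inconsistent counts; no Authority section is emitted."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    flags = ((opcode & 0xF) << 11) | 0x0100          # QR=0, RD=1
    header = struct.pack("!HHHHHH", 0x1234, flags, qdcount, 0, nscount, 0)
    return header + name + struct.pack("!HH", qtype, qclass)


def check_query(packet):
    """Return the list of anomalies found in one DNS query; an empty list means
    the packet passes every check modelled here. The rule IDs in the comments
    name the Table H8 rule each check corresponds to."""
    anomalies = []
    if len(packet) < 12:
        return ["truncated header"]
    _txid, flags, qdcount, _ancount, nscount, _arcount = struct.unpack("!HHHHHH", packet[:12])
    opcode = (flags >> 11) & 0xF
    if opcode != OPCODE_QUERY:
        anomalies.append("operation code is not Query")        # 110100900 / 130000700
    if qdcount == 0:
        anomalies.append("invalid question count")             # 110100600
        return anomalies
    if qdcount > 1:
        anomalies.append("multiple questions")                 # 110100900 / 130000800

    # Walk the first question name label by label.
    pos, name_len = 12, 0
    while True:
        if pos >= len(packet):
            anomalies.append("invalid question string")        # 110100800
            return anomalies
        length = packet[pos]
        pos += 1
        if length == 0:
            name_len += 1
            break
        # 64..255 covers both over-long labels and compression pointers,
        # neither of which belongs in the question name of a query.
        if length > MAX_LABEL_LEN:
            anomalies.append("label too long")                 # 110100500
            return anomalies
        name_len += 1 + length
        pos += length
    if name_len > MAX_NAME_WIRE_LEN:
        anomalies.append("question name too long")             # 110100400
    if pos + 4 > len(packet):
        anomalies.append("invalid question string")            # 110100800
        return anomalies
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if qclass not in VALID_QCLASSES:
        anomalies.append("invalid question class")             # 110100700

    # An IXFR request legitimately carries exactly one SOA in Authority;
    # any other query should carry none.
    if qtype == QTYPE_IXFR:
        if nscount != 1:
            anomalies.append("IXFR query with zero or more than one Authority")  # 130100500 / 130100600
    elif nscount != 0:
        anomalies.append("query with Authority")               # 110100850 / 130300200
    return anomalies
```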
TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks that use massive numbers of packets to consume network bandwidth and resources. They exploit TCP and UDP.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200. |
| 130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100. |
| 130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400. |
| 130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300. |
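The warn/block interaction of rules 130000100 and 130000200 in Table H9, together with the pass-prior and drop-prior ordering of the WHITELIST, BLACKLIST and RATELIMITED IP templates described under Custom Rule Templates, as an added Python simulation that is not Infoblox code. It assumes per-source counting in one-second windows and one warn event per window; the appliance's actual counting method is not stated on this page, and the addresses and thresholds in the sample are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Defaults from Table H9: rule 130000100 warns at 40 pps, rule 130000200
# blocks at 1000 pps for a 5-second Drop interval.
WARN_PPS = 40
BLOCK_PPS = 1000
DROP_INTERVAL = 5.0


class SourceRateLimiter:
    """Applies, per packet, the order the page describes: WHITELIST pass prior
    to rate limiting, BLACKLIST drop prior to rate limiting, then the
    warn-and-block per-source rate limit. Counting per source in one-second
    windows is an assumption of this model, not a documented appliance detail."""

    def __init__(self, whitelist=(), blacklist=(), warn_pps=WARN_PPS,
                 block_pps=BLOCK_PPS, drop_interval=DROP_INTERVAL):
        self.whitelist = [ip_network(n) for n in whitelist]
        self.blacklist = [ip_network(n) for n in blacklist]
        self.warn_pps, self.block_pps = warn_pps, block_pps
        self.drop_interval = drop_interval
        self.window = defaultdict(int)      # source -> current one-second window
        self.count = defaultdict(int)       # source -> packets seen in that window
        self.blocked_until = {}             # source -> end of its Drop interval
        self.events = []                    # (time, source, "warn" | "block")

    @staticmethod
    def _listed(src, networks):
        return any(src in net for net in networks)

    def handle(self, ts, src_str):
        """Return "pass" or "drop" for one inbound UDP DNS packet at time ts."""
        src = ip_address(src_str)
        if self._listed(src, self.whitelist):              # WHITELIST IP UDP
            return "pass"
        if self._listed(src, self.blacklist):              # BLACKLIST IP UDP
            return "drop"
        until = self.blocked_until.get(src)
        if until is not None:                               # still inside its Drop interval?
            if ts < until:
                return "drop"
            del self.blocked_until[src]
        window = int(ts)
        if self.window[src] != window:                      # a new one-second window
            self.window[src], self.count[src] = window, 0
        self.count[src] += 1
        rate = self.count[src]
        if rate == self.warn_pps:                           # 130000100: low threshold reached
            self.events.append((ts, src_str, "warn"))
        if rate > self.block_pps:                           # 130000200: high threshold exceeded
            self.blocked_until[src] = ts + self.drop_interval
            self.events.append((ts, src_str, "block"))
            return "drop"
        return "pass"


def run_sample():
    """Constructed timeline: one client floods, one is whitelisted, one is
    blacklisted. Small thresholds keep the sample readable. Returns the verdict
    totals and the event log."""
    packets = [(i * 0.05, "203.0.113.7") for i in range(20)]   # 20 packets in second 0
    packets += [(3.0, "203.0.113.7"), (6.0, "203.0.113.7")]    # inside, then after, Drop interval
    packets += [(0.0, "192.0.2.10")] * 50                      # whitelisted forwarder
    packets += [(0.0, "198.51.100.9")] * 3                     # blacklisted source
    limiter = SourceRateLimiter(whitelist=["192.0.2.0/24"], blacklist=["198.51.100.9/32"],
                                warn_pps=5, block_pps=10, drop_interval=5.0)
    verdicts = defaultdict(int)
    for ts, src in packets:
        verdicts[limiter.handle(ts, src)] += 1
    return dict(verdicts), limiter.events
```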
DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H10 DNS DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |
| 200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers, and NO errors. |
| 200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |
DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system and auto rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |
| 130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |
| 200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification exploit the fact that UDP is an asymmetrical protocol (small requests, large responses) and that open DNS resolvers exist on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that is sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders, and VPN concentrators. |
| 130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | |
| 130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H13 NTP Rules
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | |
| 130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) | |
| 200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
BGP
The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGPis enabled
Table H14 BGP Rules
Rule ID
Rule
Type
Rule Name Description
EnableDisable
Condition
Parameters Comments
130700100 AUTO DROP BGP headerlength shorter thanspec
  Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is shorter than the RFC specification.
  Enable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default=1)

130700200  Auto  DROP BGP header length longer than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is longer than the RFC specification.
  Enable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default=1)

130700300  Auto  DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
  Enable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default=1)

130700400  Auto  DROP BGP invalid type 0
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
  Enable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default=1)

130700500  Auto  DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
  Enable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default=1)
  Comments: BGP defines message types 1 through 5 (OPEN, UPDATE, NOTIFICATION, KEEPALIVE and ROUTE-REFRESH); type 0 and types above 5 are not valid.

130700550  Auto  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: When BGP is enabled, this rule passes TCP BGP (route advertisement) connection attempts from IPv4 peers if the packet rate is less than the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Enabled when the BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
  Description: When BGP is enabled, this rule passes TCP BGP route advertisement traffic exchanged with IPv4 peers if the packet rate is less than the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Enabled when the BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

130700650  Auto  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: When BGP is enabled, this rule passes TCP BGP (route advertisement) connection attempts from IPv6 peers if the packet rate is less than the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Enabled when the BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)
130700700  Auto  RATELIMIT PASS BGP allowed with IPv6 peer
  Description: When BGP is enabled, this rule passes TCP BGP route advertisement traffic exchanged with IPv6 peers if the packet rate is less than the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Enabled when the BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

130800100  Auto  DROP BGP unexpected
  Description: This rule drops all TCP BGP packets when the BGP service is not configured on the member.
  Enable condition: Takes effect when the BGP service on this member is NOT configured.
  Parameters: Events per second (default=1)
  Comments: This rule and the other BGP rules are mutually exclusive: this drop rule applies when BGP is not configured on the member, the rules above apply when it is.

OSPF

The following table lists the auto rules that mitigate OSPF attacks on your advanced appliance. Rule 130900300 drops all OSPF packets when OSPF is not configured on the member; the RATELIMIT PASS rules take effect when it is.

Table H15 OSPF Rules

Each entry lists Rule ID, Rule Type and Rule Name, followed by Description, Enable Condition, Parameters and Comments:
130900300  Auto  DROP OSPF unexpected
  Description: This rule drops unexpected OSPF packets.
  Enable condition: Takes effect when the OSPF service on this member is NOT configured.
  Parameters: Events per second (default=1)
  Comments: Default drop rule for all OSPF packets (OSPF runs directly over IP as protocol 89, not on a UDP or TCP port).

130900400  Auto  RATELIMIT PASS OSPF multicast
  Description: Passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Takes effect when the OSPF service on this member is configured for IPv4.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=100)

130900500  Auto  RATELIMIT PASS OSPF IPv6 multicast
  Description: Passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Takes effect when the OSPF service on this member is configured for IPv6.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=100)

130900600  Auto  RATELIMIT PASS OSPF
  Description: Passes OSPF packets if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Takes effect when the OSPF service on this member is configured.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)
  Comments: This rule works for both IPv4 and IPv6.
ICMP

ICMP attacks abuse network devices such as routers, which send ICMP error messages when a requested service is not available or the remote host cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

Each entry lists Rule ID, Type and Rule Name, followed by Description, Enable/Disable Condition, Parameters and Comments:
130400200  Auto  DROP ICMP large packets
  Description: This rule drops large ICMP packets (larger than 800 bytes).
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)

130900100  Auto  RATELIMIT PASS ICMP Ping
  Description: Passes ICMP ping packets if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130900200  Auto  RATELIMIT PASS ICMPv6 Ping
  Description: Passes ICMPv6 ping packets if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130900700  Auto  RATELIMIT PASS ICMPv6 destination unreachable
  Description: Passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=100)

130900800  Auto  RATELIMIT PASS ICMPv6 packet too big
  Description: Passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=100)

130900900  Auto  RATELIMIT PASS ICMPv6 ping responses
  Description: Passes ICMPv6 ping responses if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130901000  Auto  RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: Passes ICMPv6 Parameter Problem (Erroneous Header) messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)
130901100  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: Passes ICMPv6 Parameter Problem (Unrecognized Next Header) messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: Passes ICMPv6 Parameter Problem (Unrecognized IPv6 Option) messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
  Description: Passes ICMPv6 Router Solicitation packets if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
  Description: Passes ICMPv6 Router Advertisement packets if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: Passes ICMPv6 Neighbor Solicitation packets if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: Passes ICMPv6 Neighbor Advertisement packets if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: Passes ICMPv6 Inverse Neighbor Solicitation messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: Passes ICMPv6 Inverse Neighbor Advertisement messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)
130901900  Auto  RATELIMIT PASS ICMPv6 listener query
  Description: Passes ICMPv6 Multicast Listener Query messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
  Description: Passes ICMPv6 Multicast Listener Report messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
  Description: Passes ICMPv6 Multicast Listener Done messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
  Description: Passes ICMPv6 Multicast Listener Report v2 messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902300  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
  Description: Passes ICMPv6 Multicast Router Advertisement messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902400  Auto  RATELIMIT PASS ICMPv6 multicast router solicitation
  Description: Passes ICMPv6 Multicast Router Solicitation messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902500  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
  Description: Passes ICMPv6 Multicast Router Advertisement messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
  Description: Passes ICMP ping responses if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)
130902700  Auto  RATELIMIT PASS ICMP router advertisement
  Description: Passes ICMP Router Advertisement messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
  Description: Passes ICMP Router Solicitation messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
  Description: Passes ICMP Time Exceeded messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
  Description: Passes ICMP Parameter Problem messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: Passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)
  Comments: Both messages are ICMP type 3, code 0 in their respective protocol, which is why a single rule matching on type and code covers both.

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: Passes ICMPv6 Fragment Reassembly Time Exceeded messages or ICMPv4 Host Unreachable messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)
  Comments: Both messages are ICMP type 3, code 1 in their respective protocol, so one rule matching on type and code covers both.

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
  Description: Passes ICMP Protocol Unreachable messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903400  Auto  RATELIMIT ICMP port unreachable
  Description: Passes ICMP Port Unreachable messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=10); Drop interval (default=10 sec); Packets per second (default=50)
130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
  Description: Passes ICMP Fragmentation Needed messages if the packet rate is less than the Packets per second value; a source IP that sends packets above this value has all such traffic blocked for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop

The following table lists the system rules that pass or drop packets on your advanced appliance. These rules are enabled by default. An Events per second value of 0 means the rule logs no events when it fires.

Table H17 Default Pass/Drop Rules

Each entry lists Rule ID, Rule Type and Rule Name, followed by Description, Enable Condition, Parameters and Comments:
100000050  System  EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits option set and marked OK.
  Enable condition: Enabled by default.
  Parameters: NA

140000100  System  DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid UDP DNS packet.

140000200  System  DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid TCP DNS packet.

140000400  System  PASS TCP established packets
  Description: This rule passes all packets belonging to established TCP connections.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=0)

140000500  System  DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=0)
  Comments: This rule drops any TCP packet on any port that no earlier rule passed. If this rule is triggered, the packet is most likely not intended for services on this member.

140000600  System  DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=0)
  Comments: This rule drops any UDP packet on any port that no earlier rule passed. If this rule is triggered, the packet is most likely not intended for services on this member.

140000700  System  DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=0)
  Comments: This rule drops any ICMP packet that no earlier rule passed. If this rule is triggered, the packet is most likely not intended for services on this member.

140000800  System  DROP unexpected protocol
  Description: This rule drops packets of any unexpected protocol.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=0)
  Comments: This is the catch-all rule that drops anything that does not match any other rule in the system.
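The RATELIMIT PASS rows in the BGP, OSPF and ICMP tables all share one mechanism (pass while a source stays within Packets per second, then drop everything from that source for Drop interval), and the table above shows what happens to a packet that no earlier rule passes. The following Python model, added here as an illustration and not Infoblox code, puts the two together over a constructed packet trace. It uses the rule IDs and default parameter values from the tables; the packet representation, the one-second counting window, the strict "over this value" threshold, the evaluation order and the sample addresses are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Packet:
    src: str      # source IP
    proto: str    # "icmp", "udp", "tcp", ...
    kind: str     # what the auto rules classify the packet as, e.g. "icmp_ping"
    t: float      # arrival time in seconds


@dataclass
class RateLimitPass:
    """RATELIMIT PASS semantics: pass while a source stays within Packets per
    second; a source that exceeds it is dropped for Drop interval seconds.
    Events per second caps how many log lines the rule emits per second."""
    rule_id: int
    kind: str
    packets_per_second: int
    drop_interval: float
    events_per_second: int = 1
    log: List[str] = field(default_factory=list)
    _window: Dict[str, List[int]] = field(default_factory=dict, repr=False)
    _blocked_until: Dict[str, float] = field(default_factory=dict, repr=False)
    _logged: Dict[int, int] = field(default_factory=dict, repr=False)

    def matches(self, pkt: Packet) -> bool:
        return pkt.kind == self.kind

    def evaluate(self, pkt: Packet) -> str:
        src, second = pkt.src, int(pkt.t)
        until = self._blocked_until.get(src, 0.0)
        if pkt.t < until:                      # still inside the drop interval
            self._log(second, f"{self.rule_id}: drop {src} (blocked until t={until:.2f})")
            return "DROP"
        win = self._window.get(src)
        if win is None or win[0] != second:    # new one-second window for this source
            win = self._window[src] = [second, 0]
        win[1] += 1
        if win[1] > self.packets_per_second:   # "over this value": the limit itself still passes
            self._blocked_until[src] = pkt.t + self.drop_interval
            self._log(second, f"{self.rule_id}: {src} exceeded {self.packets_per_second} pps, "
                              f"dropping for {self.drop_interval}s")
            return "DROP"
        return "PASS"

    def _log(self, second: int, msg: str) -> None:
        if self._logged.get(second, 0) < self.events_per_second:
            self._logged[second] = self._logged.get(second, 0) + 1
            self.log.append(msg)


@dataclass
class DefaultRule:
    """Default pass/drop rule: the first rule whose protocol matches decides; '*' is the catch-all."""
    rule_id: int
    action: str
    proto: str

    def matches(self, pkt: Packet) -> bool:
        return self.proto == "*" or pkt.proto == self.proto

    def evaluate(self, pkt: Packet) -> str:
        return self.action


def build_chain():
    """Rate-limit rules first, default drops last, with the defaults from the tables."""
    return [
        RateLimitPass(130900100, "icmp_ping", packets_per_second=50, drop_interval=10),
        RateLimitPass(130900700, "icmpv6_dest_unreach", packets_per_second=100, drop_interval=30),
        DefaultRule(140000700, "DROP", "icmp"),   # DROP ICMP unexpected
        DefaultRule(140000800, "DROP", "*"),      # DROP unexpected protocol (catch-all)
    ]


def classify(chain, pkt: Packet) -> Tuple[int, str]:
    """Walk the chain in order; the first rule that matches the packet decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.rule_id, rule.evaluate(pkt)
    raise RuntimeError("chain has no catch-all rule")


def simulate():
    """Constructed traffic: 10.0.0.5 sends 60 pings within one second (limit 50),
    then one ping inside and one after the 10 s drop interval; 10.0.0.6 is a
    well-behaved neighbour plus two packets only the default rules match."""
    chain = build_chain()
    d = [classify(chain, Packet("10.0.0.5", "icmp", "icmp_ping", i / 60)) for i in range(60)]
    d.append(classify(chain, Packet("10.0.0.5", "icmp", "icmp_ping", 5.0)))
    d.append(classify(chain, Packet("10.0.0.5", "icmp", "icmp_ping", 12.0)))
    d.append(classify(chain, Packet("10.0.0.6", "icmp", "icmp_ping", 0.5)))
    d.append(classify(chain, Packet("10.0.0.6", "icmp", "icmp_redirect", 0.5)))
    d.append(classify(chain, Packet("10.0.0.6", "gre", "gre", 0.5)))
    return d, chain[0].log
```

Running simulate() shows the 51st ping from 10.0.0.5 being dropped and every later packet from that source dropped until the drop interval expires, while 10.0.0.6 is unaffected; the ten drops in the first second produce a single log line because Events per second is 1. An ICMP type no rate-limit rule knows about falls through to DROP ICMP unexpected, and a protocol nothing matches reaches the catch-all.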
HA Support

The following table lists the auto rules that pass Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) packets for HA (High Availability) support.

Table H18 HA Support Rules

Each entry lists Rule ID, Rule Type and Rule Name, followed by Description, Enable Condition, Parameters and Comments:

140000750  Auto  PASS VRRP
  Description: This rule passes VRRP packets for HA support.
  Enable condition: Enabled if HA is configured.
  Parameters: NA

140000760  Auto  PASS IGMP
  Description: This rule passes IGMP packets for HA support.
  Enable condition: Enabled if HA is configured.
  Parameters: NA

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value, which determines the number of events per second that are logged for the rule. You can also define rule parameters specific to each template, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs in custom rules, you must first convert them to punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules that blacklist DNS queries by FQDN lookup on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in TCP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules that blacklist DNS queries by FQDN lookup on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in UDP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on TCP before any rate limiting rules you have defined with the RATELIMITED IP TCP template are applied. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter networks in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on UDP before any rate limiting rules you have defined with the RATELIMITED IP UDP template are applied. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter networks in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that rate limit DNS queries for a given FQDN over UDP. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets once the rate limit is exceeded.
  - Blacklist rate limited FQDN: Enter the FQDN to which the rate limit applies. The appliance drops UDP DNS lookups for this FQDN when they exceed the configured rate limit.
• RATELIMITED IP TCP: Use this rule template to create custom rules that rate limit TCP traffic from specific IP addresses or networks. If there are IP addresses you want to block outright, before their traffic is subject to rate limiting, create a rule with the BLACKLIST IP TCP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of TCP DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the interval in seconds during which the appliance drops packets from the rate limited IP address or network once the limit is exceeded. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit applies. When TCP DNS lookups from this address or network exceed the configured rate limit, the appliance drops its packets for the drop interval.
• RATELIMITED IP UDP: Use this rule template to create custom rules that rate limit UDP traffic from specific IP addresses or networks. If there are IP addresses you want to block outright, before their traffic is subject to rate limiting, create a rule with the BLACKLIST IP UDP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the interval in seconds during which the appliance drops packets from the rate limited IP address or network once the limit is exceeded. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit applies. When UDP DNS lookups from this address or network exceed the configured rate limit, the appliance drops its packets for the drop interval.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on TCP before any rate limiting rules you have defined with the RATELIMITED IP TCP template are applied. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on UDP before any rate limiting rules you have defined with the RATELIMITED IP UDP template are applied. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are allowed before any relevant rate limiting rules take effect.
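How the templates above combine for one UDP query, as an added Python model that is not Infoblox code: the WHITELIST and BLACKLIST "prior to rate limiting" templates are evaluated first, then the FQDN blacklist, and only then do the RATELIMITED templates get a say. The FQDN list is parsed the way the Blacklisted FQDN field is documented (semicolon-separated) and each name is converted to punycode, which is the conversion the Note above requires. Assumptions of the model, none of them stated on this page: a whitelist match wins over a blacklist match for the same source, FQDN matching is exact (case-insensitive, trailing dot ignored, so it does not cover subdomains), the RATELIMITED result is reported as the governing template with its parameters rather than counted here, and the sample rule set uses documentation-reserved addresses and names.

```python
import ipaddress


def normalize_fqdn(name):
    """Lower-case, strip the trailing dot and convert IDN labels to punycode
    (the conversion the IDN Converter performs); ASCII labels only change case."""
    name = name.strip().rstrip(".")
    return name.encode("idna").decode("ascii").lower() if name else ""


def parse_fqdn_list(value):
    """A Blacklisted FQDN field may hold several names separated by semicolons."""
    return {normalize_fqdn(part) for part in value.split(";") if part.strip()}


def parse_networks(values):
    """Single addresses or address/CIDR networks, IPv4 or IPv6 (assumed list input)."""
    return [ipaddress.ip_network(v.strip(), strict=False) for v in values]


def in_any(addr, networks):
    # ip_network's membership test returns False for a mismatched IP version
    return any(addr in net for net in networks)


class CustomRuleSet:
    """Custom rules for UDP. Evaluation order is the model's assumption:
    pass/drop 'prior to rate limiting' first, then the FQDN blacklist,
    then the RATELIMITED templates."""

    def __init__(self, whitelist_ips, blacklist_ips, blacklist_fqdns,
                 ratelimited_ips, ratelimited_fqdns, pps=5, drop_interval=30):
        self.whitelist = parse_networks(whitelist_ips)
        self.blacklist = parse_networks(blacklist_ips)
        self.blacklist_fqdns = parse_fqdn_list(blacklist_fqdns)
        self.ratelimited_ips = parse_networks(ratelimited_ips)
        self.ratelimited_fqdns = parse_fqdn_list(ratelimited_fqdns)
        self.limit = {"packets_per_second": pps, "drop_interval": drop_interval}

    def classify(self, src_ip, qname):
        """Return (governing template, action, rate-limit parameters)."""
        src = ipaddress.ip_address(src_ip)
        name = normalize_fqdn(qname)
        if in_any(src, self.whitelist):
            return "WHITELIST IP UDP Pass prior to rate limiting", "PASS", None
        if in_any(src, self.blacklist):
            return "BLACKLIST IP UDP Drop prior to rate limiting", "DROP", None
        if name in self.blacklist_fqdns:
            return "BLACKLIST FQDN lookup UDP", "DROP", None
        if in_any(src, self.ratelimited_ips):
            return "RATELIMITED IP UDP", "RATELIMIT", self.limit
        if name in self.ratelimited_fqdns:
            return "RATELIMITED FQDN lookup UDP", "RATELIMIT", self.limit
        return None, "CONTINUE", None   # no custom rule matched; auto/system rules decide


def example_rules():
    """Constructed sample rule set (documentation-reserved addresses and names)."""
    return CustomRuleSet(
        whitelist_ips=["192.0.2.0/24"],
        blacklist_ips=["198.51.100.0/24", "2001:db8:bad::/48"],
        blacklist_fqdns="bücher.example; Malware.Example.",
        ratelimited_ips=["203.0.113.0/24"],
        ratelimited_fqdns="heavy.example",
    )
```

Two points worth checking in a real rule set follow from the model: a query arriving on the wire is already in punycode, so an IDN entered un-converted would never match (which is why the Note above insists on conversion), and an exact-match blacklist for malware.example does not block www.malware.example.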
DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information or gain access to your appliance. It includes downloaders, backdoors, trojan horses and other malicious software.

The following table lists the auto rules that mitigate DNS malware when the appliance forwards DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

Each entry lists Rule ID, Rule Type and Rule Name, followed by Description, Enable Condition, Parameters and Comments:

110100300  Auto  EARLY DROP UDP MALWARE backdoor
  Description: This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of Facebook Messenger. This malware may be spread as a malicious attachment in email messages.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)

130300300  Auto  DROP MALWARE trojan downloader
  Description: This rule drops UDP packets that contain trojan downloader malware, which downloads and installs new versions of malicious programs, including trojans and adware.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)

130300400  Auto  DROP MALWARE possible Hiloti
  Description: This rule drops UDP packets that contain the trojan Hiloti, a malicious program that may download potentially malicious files from a remote server and report system information back to that server.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)

DNS Protocol Anomalies

DNS protocol anomaly attacks send malformed DNS packets, including unexpected header and payload values, to the targeted server. They can cause the server to stop responding or crash, for example by driving server threads into an infinite loop. These anomalies sometimes take the form of impersonation attacks.

The following table lists the rules that mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

Each entry lists Rule ID, Rule Type and Rule Name, followed by Description, Enable Condition, Parameters and Comments:

110100400  Auto  EARLY DROP UDP DNS question name too long
  Description: This rule drops UDP DNS packets in which the DNS question name is too long.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)
  Comments: RFC 1035 limits a domain name to 255 octets in wire format.

110100500  Auto  EARLY DROP UDP DNS label too long
  Description: This rule drops UDP DNS packets in which a label of the name being queried is too long.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)
  Comments: RFC 1035 limits each label to 63 octets.
110100600  Auto  EARLY DROP UDP query invalid question count
  Description: This rule drops UDP DNS packets in which the number of entries in the question section is invalid.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)

110100700  Auto  EARLY DROP UDP query invalid question class
  Description: This rule drops UDP DNS packets in which the RR (resource record) class being queried is invalid.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)

110100800  Auto  EARLY DROP UDP query invalid question string
  Description: This rule drops UDP DNS packets that contain an invalid question string.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)

110100850  Auto  EARLY UDP drop invalid DNS query with Authority
  Description: This rule drops UDP DNS queries that contain an invalid AUTHORITY entry.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)

110100900  Auto  EARLY DROP query multiple questions or non query operation code
  Description: This rule drops UDP DNS packets that carry multiple questions at one time or whose operation code is not Query.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)

130000700  Auto  EARLY DROP TCP non-DNS query
  Description: This rule drops TCP DNS packets whose operation code is not Query.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)

130000800  Auto  EARLY DROP TCP query multiple questions
  Description: This rule drops TCP DNS packets that carry multiple questions at one time.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)

130100500  Auto  DROP UDP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops UDP DNS incremental zone transfer (IXFR) requests that contain zero or more than one Authority entry.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)
  Comments: A valid IXFR query carries exactly one Authority record, the requester's current SOA (RFC 1995).

130100600  Auto  DROP TCP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops TCP DNS incremental zone transfer (IXFR) requests that contain zero or more than one Authority entry.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)
  Comments: A valid IXFR query carries exactly one Authority record, the requester's current SOA (RFC 1995).

130300200  Auto  DROP TCP invalid DNS query with Authority
  Description: This rule drops TCP DNS queries that contain invalid Authority entries.
  Enable condition: Always enabled.
  Parameters: Events per second (default=1)

Potential DDoS Related Domains

This rule category includes system rules that the appliance uses to blacklist domains that have been observed as the targets or subjects of NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for such domains. The rules are enabled by default; you can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200. |
| 130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100. |
| 130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400. |
| 130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300. |
DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H10 DNS DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers, and NO errors. |
| 200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
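The warn-then-block mechanism shared by the paired TCP/UDP flood rules (130000100 with 130000200, 130000300 with 130000400) and the per-source limits in the DNS DDoS table above, as an added example in Python (not Infoblox code): a per-source limiter that warns at the low threshold, warns again at the high threshold, blocks the source for Drop interval once the rate exceeds it, and caps log output at Events per second. Rule IDs and default parameter values come from the tables; the one-second sliding window, dropping the packet that crosses the threshold, the class and function names, and the 192.0.2.x source addresses are assumptions of this example.

```python
"""Added example (not Infoblox code): a model of the paired per-source
rate-limit rules in the TCP/UDP Flood and DNS DDoS tables. A WARN rule
(e.g. 130000100, default 40 pps) fires when a source reaches its low
threshold; the partner WARN & BLOCK rule (e.g. 130000200, default 1000 pps)
warns at the high threshold and blocks the source for Drop interval once the
rate exceeds it. "Events per second" caps how many log events a rule emits.
The appliance's real counting window is not documented on the page; the
one-second sliding window used here is an assumption of this example."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

US = 1_000_000  # timestamps are integer microseconds so arithmetic stays exact


@dataclass
class RateRule:
    rule_id: int
    packets_per_second: int
    drop_interval: Optional[float] = None  # seconds; None means warn-only
    events_per_second: int = 1


@dataclass
class RulePair:
    """Low-threshold WARN rule paired with a high-threshold WARN & BLOCK rule."""
    warn: RateRule
    block: RateRule

    def __post_init__(self) -> None:
        # The page's note: the WARN rule's Packets per second must be lower
        # than the WARN & BLOCK rule's, or the early warning never fires first.
        if self.warn.packets_per_second >= self.block.packets_per_second:
            raise ValueError("WARN threshold must be below WARN & BLOCK threshold")
        if self.block.drop_interval is None:
            raise ValueError("WARN & BLOCK rule needs a Drop interval")


class SourceRateLimiter:
    def __init__(self, pair: RulePair) -> None:
        self.pair = pair
        self.recent: Dict[str, Deque[int]] = defaultdict(deque)
        self.blocked_until: Dict[str, int] = {}
        self.events: List[Tuple[int, int, str, str]] = []  # (time, rule, src, msg)
        self._bucket: Dict[Tuple[int, int], int] = defaultdict(int)

    def _emit(self, now: int, rule: RateRule, src: str, msg: str) -> None:
        """Log at most rule.events_per_second events per rule per second."""
        key = (rule.rule_id, now // US)
        if self._bucket[key] < rule.events_per_second:
            self._bucket[key] += 1
            self.events.append((now, rule.rule_id, src, msg))

    def observe(self, src: str, now: int) -> str:
        """Account one inbound packet from src at time now; return PASS or DROP."""
        until = self.blocked_until.get(src)
        if until is not None and now < until:
            return "DROP"  # still inside the Drop interval
        q = self.recent[src]
        q.append(now)
        while now - q[0] >= US:  # forget timestamps older than one second
            q.popleft()
        rate = len(q)
        warn, block = self.pair.warn, self.pair.block
        if rate > block.packets_per_second:
            self.blocked_until[src] = now + int(block.drop_interval * US)
            q.clear()
            self._emit(now, block, src, f"BLOCK for {block.drop_interval}s")
            return "DROP"
        if rate == block.packets_per_second:
            self._emit(now, block, src, "WARN at high threshold")
        elif rate >= warn.packets_per_second:
            self._emit(now, warn, src, "WARN at low threshold")
        return "PASS"


# Default parameters of the UDP DNS rule pair from the TCP/UDP Flood table.
UDP_DNS_PAIR = RulePair(RateRule(130000100, 40),
                        RateRule(130000200, 1000, drop_interval=5.0))


def simulate(pps: int, seconds: int, pair: RulePair = UDP_DNS_PAIR) -> dict:
    """Constructed traffic: one source (a documentation-range address) sends
    `pps` evenly spaced packets per second for `seconds` seconds."""
    limiter = SourceRateLimiter(pair)
    src = "192.0.2.10"
    actions = [limiter.observe(src, i * US // pps) for i in range(pps * seconds)]
    return {"passed": actions.count("PASS"),
            "dropped": actions.count("DROP"),
            "rules_fired": sorted({e[1] for e in limiter.events}),
            "events": len(limiter.events)}


def block_expires(pair: RulePair = UDP_DNS_PAIR) -> Tuple[str, str, str]:
    """A burst of 1001 packets in one instant trips the block; traffic is
    dropped until Drop interval elapses and passes again afterwards."""
    limiter = SourceRateLimiter(pair)
    src = "192.0.2.11"
    last = [limiter.observe(src, 0) for _ in range(1001)][-1]
    during = limiter.observe(src, 5 * US - 1)
    after = limiter.observe(src, 5 * US)
    return last, during, after
```

At 50 pps only the WARN rule fires (one log event per second because Events per second is 1); at 1500 pps the source is blocked after the 1000th packet and stays blocked for the full Drop interval.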
DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS packet size exceeds the configured Packet size value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS packet size exceeds the configured Packet size value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification recognizes UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers to the Internet cloud. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that are sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders, and VPN concentrators. |
| 130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | |
| 130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H13 NTP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | |
| 130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) | |
| 200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130700100 | Auto | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700200 | Auto | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700300 | Auto | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700400 | Auto | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700500 | Auto | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10) | |
| 130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10) | |
| 130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10) | |
| 130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10) | |
| 130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured | Events per second (default = 1) | This rule is exclusive with the other BGP rules, based on whether BGP is configured on the member or not. |

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured | Events per second (default = 1) | Default drop rule for all packets on the OSPF service port. |
| 130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4 | Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 100) | |
| 130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6 | Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 100) | |
| 130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured | Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50) | This rule works for both IPv4 and IPv6. |
ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default = 1) | |
| 130900100 | Auto | RATE LIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50) | |
| 130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50) | |
| 130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 100) | |
| 130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 100) | |
| 130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50) | |
| 130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50) | |
| 130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50) | |
| 130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50) | |
| 130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50) | |
| 130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50) | |
| 130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50) | |
| 130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50) | |
| 130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50) | |
| 130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50) | |
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2530
ICMP
NIOS 612 NIOS Administrator Guide (Rev A) 1521
130901900 Auto RATELIMIT PASS ICMPv6listener query
This rule passes ICMPv6 listenerquery messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a
time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902000 Auto RATELIMIT PASS ICMPv6listener report
This rule passes ICMPv6 listenerreport messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902100 Auto RATELIMIT PASS ICMPv6listener done
This rule passes ICMPv6 listenerdone messages if the packet rateis less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval )
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902200 Auto RATELIMIT PASS ICMPv6listener report v2
This rule passes ICMPv6 listenerreport v2 messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902300 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement
This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902400 Auto RATELIMIT PASS ICMPV6multicast routersolicitation
This rule passes ICMPv6multicast router solicitationmessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902500 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement
This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902600 Auto RATELIMIT PASS ICMPping responses This rule passes ICMP pingresponses if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2630
1522 NIOS Administrator Guide (Rev A) NIOS 612
130902700 Auto RATELIMIT PASS ICMProuter advertisement
This rule passes ICMP routeradvertisement if the packet rateis less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a
time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130902800 Auto RATELIMIT PASS ICMProuter solicitation
This rule passes ICMP routersolicitation messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130902900 Auto RATELIMIT PASS ICMPtime exceeded
This rule passes ICMP timeexceeded messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903000 Auto RATELIMIT PASS ICMPparameter problem
This rule passes ICMP parameterproblems if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903100 Auto RATELIMIT PASS ICMPv6hop limit exceeded orICMPv4 networkunreachable
This rule passes ICMPv6 HopLimit Exceeded messages orICMPv4 Network Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a time
specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130903200 Auto RATELIMIT PASS ICMPv6fragment reassemblytime exceeded orICMPv4 hostunreachable
This rule passes ICMPv6fragment reassembly timeexceeded messages or ICMPv4host unreachable messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903300 Auto RATELIMIT PASS ICMPprotocol unreachable
This rule passes ICMP protocolunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks all
such traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903400 Auto RATELIMIT ICMP portunreachable
This rule passes ICMP portunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora certain period of time(specified in Drop interval )
Always enabled Events per second (default=10)
Drop Interval (default=10 sec)
Packets per second (default=50)
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2730
Default PassDrop
NIOS 612 NIOS Administrator Guide (Rev A) 1523
Default Pass Drop
The following table lists the system rules that are used to pass or drop packets on your advanced appliance All rulesare disabled by default
Table H17 Default PassDrop Rules
130903500 Auto RATELIMIT PASS ICMPfragmentation needed
This rule passes ICMPfragmentation needed messagesif the packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP for
a certain period of time(specified in Drop interval )
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
100000050  System  EARLY PASS TCP with flowbits set
  Description: Passes TCP traffic that has the flowbits option set and marked OK.
  Enable condition: Enabled by default
  Parameters: N/A

140000100  System  DROP UDP DNS unexpected
  Description: Drops any unexpected UDP DNS packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
  Description: Drops any unexpected TCP DNS packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
  Description: Passes all packets belonging to established TCP connections.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 0)

140000500  System  DROP TCP unexpected
  Description: Drops any unexpected TCP packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: Drops any TCP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000600  System  DROP UDP unexpected
  Description: Drops any unexpected UDP packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: Drops any UDP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000700  System  DROP ICMP unexpected
  Description: Drops any unexpected ICMP packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: Drops any ICMP packet. If this rule is triggered, the packet is most likely not intended for services on this member.

140000800  System  DROP unexpected protocol
  Description: Drops packets of any unexpected protocol.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This is the catch-all rule that drops anything that does not match any other rule in the system.
HA Support

The following table lists the auto rules that pass the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) packets needed for HA (High Availability) support.

Table H18 HA Support Rules

140000750  Auto  PASS VRRP
  Description: Passes VRRP packets for HA support.
  Enable condition: Enabled if HA is configured
  Parameters: N/A

140000760  Auto  PASS IGMP
  Description: Passes IGMP packets for HA support.
  Enable condition: Enabled if HA is configured
  Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use an IDN in a custom rule, you must first convert it to its Punycode (xn--) form. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules that blacklist DNS queries by FQDN lookup over TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in TCP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules that blacklist DNS queries by FQDN lookup over UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in UDP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on TCP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on UDP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that rate-limit DNS queries by FQDN lookup over UDP. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets once the rate limit has been exceeded.
  - Blacklist rate limited FQDN: Enter the FQDN to which the rate limit configured for this rule applies. The appliance drops UDP DNS lookups for this FQDN when their rate exceeds the configured limit.
• RATELIMITED IP TCP: Use this rule template to create custom rules that rate-limit TCP traffic from specific IP addresses. If there are IP addresses you want to block outright, before their traffic is evaluated against the rate limit, create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of TCP DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops packets sent by the rate-limited IP address or network defined in this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. When the TCP DNS lookups from this address or network exceed the configured rate limit, the appliance drops its packets for the drop interval.
• RATELIMITED IP UDP: Use this rule template to create custom rules that rate-limit UDP traffic from specific IP addresses. If there are IP addresses you want to block outright, before their traffic is evaluated against the rate limit, create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops packets sent by the rate-limited IP address or network defined in this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. When the UDP DNS lookups from this address or network exceed the configured rate limit, the appliance drops its packets for the drop interval.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on TCP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on UDP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are allowed before any relevant rate limiting rules take effect.
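The parameter formats described above (semicolon-separated FQDN lists, address/CIDR networks, Punycode instead of IDNs) are easy to get subtly wrong, so the following Python model shows how such parameters are parsed and matched before the RATELIMITED rules run. It is an added example, not Infoblox code or the appliance's actual matching logic: the networks, names and queries are constructed, the evaluation order whitelist, then blacklist IP, then blacklist FQDN is an assumption (the page only states that these templates act before rate limiting), and exact-name FQDN matching is likewise assumed.

```python
"""Added example, not Infoblox code: parsing and matching of custom-rule
template parameters. Names, networks and the evaluation order are
assumptions made for illustration."""
import ipaddress


def normalize_fqdn(name):
    """Canonical form for comparison: trailing dot removed, lowercased, and IDN
    labels converted to Punycode (the appliance wants xn-- names, not IDNs).
    Python's built-in 'idna' codec implements IDNA 2003; the third-party
    'idna' package would be needed for IDNA 2008 behaviour."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def parse_fqdn_list(value):
    """'Blacklisted FQDN' accepts a semicolon-separated list of names."""
    return {normalize_fqdn(item) for item in value.split(";") if item.strip()}


def parse_network_list(value):
    """'Blacklisted/Whitelisted IP address/network' in address or address/CIDR form."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(";") if item.strip()]


def ip_in_any(ip, networks):
    """True if ip falls inside any network of the same IP version."""
    return any(ip.version == net.version and ip in net for net in networks)


class CustomRules:
    """One rule of each template type for a single transport (UDP here)."""

    def __init__(self, whitelist, blacklist_ips, blacklist_fqdns):
        self.whitelist = parse_network_list(whitelist)
        self.blacklist_ips = parse_network_list(blacklist_ips)
        self.blacklist_fqdns = parse_fqdn_list(blacklist_fqdns)

    def evaluate(self, src_ip, qname):
        """Verdict for one query before the RATELIMITED rules are consulted.
        Assumption: WHITELIST is checked first, then BLACKLIST IP, then
        BLACKLIST FQDN; the page does not state their order relative to each other."""
        ip = ipaddress.ip_address(src_ip)
        if ip_in_any(ip, self.whitelist):
            return "PASS prior to rate limiting"
        if ip_in_any(ip, self.blacklist_ips):
            return "DROP prior to rate limiting"
        # Assumption: FQDN blacklisting is an exact-name match, not a suffix match.
        if normalize_fqdn(qname) in self.blacklist_fqdns:
            return "DROP blacklisted FQDN"
        return "continue to RATELIMITED rules"


def demo():
    """Constructed rule parameters and queries; returns (src, qname, verdict) triples."""
    rules = CustomRules(
        whitelist="10.0.0.0/8; 2001:db8:1::/48",
        blacklist_ips="198.51.100.0/24; 2001:db8:bad::/48",
        blacklist_fqdns="malware.example; bücher.example; Tracker.Example.",
    )
    queries = [
        ("10.1.2.3", "www.example.com"),
        ("198.51.100.7", "www.example.com"),
        ("2001:db8:bad::1", "www.example.com"),
        ("192.0.2.10", "XN--BCHER-KVA.example"),   # wire form of bücher.example
        ("192.0.2.10", "tracker.example."),
        ("192.0.2.10", "sub.malware.example"),     # not an exact match
    ]
    return [(src, name, rules.evaluate(src, name)) for src, name in queries]


if __name__ == "__main__":
    for src, name, verdict in demo():
        print(f"{src:16} {name:26} -> {verdict}")
```

The IDN case is the one to watch: a query name arrives on the wire already in Punycode, so the rule parameter must be stored in the same form, which is why the conversion step the note above describes matters.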
DNS Protocol Anomalies rules (continued)

110100600  Auto  EARLY DROP UDP query invalid question count
  Description: Drops UDP DNS packets when the number of entries in the question section is invalid.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

110100700  Auto  EARLY DROP UDP query invalid question class
  Description: Drops UDP DNS packets when the RR (resource record) class being queried is invalid.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

110100800  Auto  EARLY DROP UDP query invalid question string
  Description: Drops UDP DNS packets that contain an invalid question string.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

110100850  Auto  EARLY UDP drop invalid DNS query with Authority
  Description: Drops UDP DNS queries that contain an invalid AUTHORITY entry.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

110100900  Auto  EARLY DROP query multiple questions or non query operation code
  Description: Drops UDP DNS packets that carry more than one question or whose operation code is not Query.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

130000700  Auto  EARLY DROP TCP non-DNS query
  Description: Drops TCP packets whose operation code is not Query.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

130000800  Auto  EARLY DROP TCP query multiple questions
  Description: Drops TCP DNS packets that carry more than one question.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

130100500  Auto  DROP UDP DNS invalid IXFR query with zero or more than one Authority
  Description: Drops UDP DNS incremental zone transfer (IXFR) requests that contain zero or more than one Authority entry.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

130100600  Auto  DROP TCP DNS invalid IXFR query with zero or more than one Authority
  Description: Drops TCP DNS incremental zone transfer (IXFR) requests that contain zero or more than one Authority entry.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

130300200  Auto  DROP TCP invalid DNS query with Authority
  Description: Drops TCP DNS queries that contain invalid Authority entries.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that have been observed as targets or subjects of NXDOMAIN or DDoS attacks. These rules block all FQDN lookups over UDP for those domains. The rules are enabled by default; you can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks: massive numbers of packets consume network bandwidth and appliance resources. They can use either TCP or UDP as the transport.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

130000100  System  WARN about high rate inbound UDP DNS queries
  Description: Warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable condition: Disabled by default
  Parameters: Packets per second (default = 40); Events per second (default = 1)
  Comments: Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts, when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered.
  NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.

130000200  System  WARN & BLOCK high rate inbound UDP DNS queries
  Description: Warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
  Enable condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators, where many clients share one source IP. This rule may be triggered if its Packets per second is lower than that in the custom rules created using the rate limiting templates.
  NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.

130000300  System  WARN about high rate inbound TCP DNS queries
  Description: Warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable condition: Disabled by default
  Parameters: Packets per second (default = 5); Events per second (default = 1)
  Comments: Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts, when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered.
  NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.

130000400  System  WARN & BLOCK high rate inbound TCP DNS queries
  Description: Warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
  Enable condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators, where many clients share one source IP. This rule may be triggered if its Packets per second is lower than that in the custom rules created using the rate limiting templates.
  NOTE: DO NOT enable this rule along with rule 130000300.
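The interaction of the two thresholds (the WARN rule's low Packets per second and the WARN & BLOCK rule's high one), the Drop interval and the Events per second logging cap is easier to see in code. The following Python model is an added example, not Infoblox code; the same single-threshold pass/block behaviour with a Drop interval is what the RATELIMIT rules in the ICMP table and the DNS DDoS rules use, so it serves those tables too. It uses the documented defaults (40 pps warn, 1000 pps block, 5 s drop interval, 1 logged event per second) on a constructed packet stream; the appliance's exact counting window is not documented, so a sliding one-second window is an assumption.

```python
"""Added example, not Infoblox code: a per-source two-threshold rate limiter
modelling rules 130000100 / 130000200. Packet timestamps are constructed;
the one-second sliding window is an assumption."""
from collections import defaultdict, deque


class TwoTierRateLimiter:
    """Warn at warn_pps, block the source for drop_interval seconds above block_pps,
    and log at most events_per_second events per action per second."""

    def __init__(self, warn_pps, block_pps, drop_interval, events_per_second=1):
        if warn_pps >= block_pps:   # the NOTE on rules 130000100/130000200
            raise ValueError("warn threshold must be lower than block threshold")
        self.warn_pps = warn_pps
        self.block_pps = block_pps
        self.drop_interval = drop_interval
        self.events_per_second = events_per_second
        self._recent = defaultdict(deque)    # src -> timestamps inside the window
        self._blocked_until = {}             # src -> time at which the block expires
        self._log_budget = defaultdict(int)  # (action, whole second) -> events logged
        self.logged = []                     # (t, src, action) that reached the log
        self.suppressed = 0                  # events dropped by the Events per second cap

    def _log(self, t, src, action):
        key = (action, int(t))
        if self._log_budget[key] < self.events_per_second:
            self._log_budget[key] += 1
            self.logged.append((t, src, action))
        else:
            self.suppressed += 1

    def handle(self, t, src):
        """Return 'PASS', 'WARN' or 'DROP' for one packet from src at time t (seconds)."""
        until = self._blocked_until.get(src)
        if until is not None:
            if t < until:
                return "DROP"              # still inside the Drop interval
            del self._blocked_until[src]   # block expired; start counting afresh
        window = self._recent[src]
        window.append(t)
        while window[0] <= t - 1.0:        # keep only the last second of packets
            window.popleft()
        rate = len(window)
        if rate > self.block_pps:          # above the high threshold: block
            self._blocked_until[src] = t + self.drop_interval
            window.clear()
            self._log(t, src, "BLOCK")
            return "DROP"
        if rate >= self.warn_pps:          # at or above the low threshold: warn only
            self._log(t, src, "WARN")
            return "WARN"
        return "PASS"


def simulate():
    """Constructed traffic: a normal client at 20 pps for 3 s, and a NAT gateway that
    sends 1200 queries inside one second, then retries at t = 3 s and t = 6 s."""
    limiter = TwoTierRateLimiter(warn_pps=40, block_pps=1000, drop_interval=5)
    packets = [(i * 0.05, "10.0.0.5") for i in range(60)]
    packets += [(i / 1200, "203.0.113.9") for i in range(1200)]
    packets += [(3.0, "203.0.113.9"), (6.0, "203.0.113.9")]
    packets.sort()
    counts = defaultdict(lambda: defaultdict(int))
    for t, src in packets:
        counts[src][limiter.handle(t, src)] += 1
    return {src: dict(c) for src, c in counts.items()}, limiter


if __name__ == "__main__":
    verdicts, limiter = simulate()
    for src, c in verdicts.items():
        print(src, c)
    print("logged:", [(round(t, 3), s, a) for t, s, a in limiter.logged],
          "suppressed:", limiter.suppressed)
```

Two things the run makes concrete: the gateway is warned on from its 40th packet but only blocked once it exceeds 1000 in a second, after which even its retry at t = 3 s is dropped and only the one at t = 6 s passes; and with Events per second = 1, 960 of the 961 warnings are never logged, so a quiet log does not mean a quiet network.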
DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate-limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.

Table H10 DNS DDoS Rules

200000001  System  NXDOMAIN rate limiting rule
  Description: Warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

200000002  System  NXRRSET rate limiting rule
  Description: Warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.
  NOTE: NXRRSET responses are those with no records, no answers and no error, that is, the name exists but has no records of the requested type (NOERROR/NODATA).

200000003  System  SERVFAIL rate limiting rule
  Description: Warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.
DNS Tunneling

DNS tunneling attacks tunnel another protocol through DNS (port 53) for the purpose of data exfiltration. Outbound and inbound data is encoded in small chunks and fitted into DNS queries and DNS responses.

The following table lists the rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

130000500  System  RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
  Description: Warns if any source IP sends large UDP DNS queries (which could be DNS tunneling) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. A query counts as large when the DNS packet size exceeds the configured Packet size.
  Enable condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

130000600  Auto  RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
  Description: Warns if any source IP sends large TCP DNS queries (which could be DNS tunneling) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. A query counts as large when the DNS packet size exceeds the configured Packet size.
  Enable condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

200000004  System  DNS tunneling rate limiting rule
  Description: Warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. A response counts as large when the size of the TXT records in the DNS response exceeds the configured Packet size.
  Enable condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing: the attacker sets the source address of its DNS queries to the address of the intended target, such as a DNS root server or a top-level domain (TLD) name server operator. Reflection and amplification exploit the asymmetry of DNS over UDP (small requests, large responses) and the existence of open DNS resolvers reachable from the Internet. The result is that small DNS queries are reflected as large UDP responses to the target address carried in the spoofed source of the original datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Because DNS runs over UDP and requires no handshake, the source address of a query is never verified, so the protocol can be used to overwhelm a host or a network. Crafted appropriately, a small query sent to any open DNS resolver can produce a single response of several kilobytes or more that is delivered to the unwitting spoofed victim. Without EDNS0, a DNS response over UDP is limited to 512 bytes and anything larger is truncated and retried over TCP; attackers therefore use the EDNS0 DNS protocol extension to obtain larger UDP responses. Such responses usually exceed the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing load. Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate limiting to prevent abuse even while supporting open recursive DNS servers; hence issues of this type usually result from mistakes in configuration.
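The conditions behind the anti-tunneling rules above (a query larger than Packet size = 200 bytes; TXT records in a response larger than Packet size = 40 bytes), the reflection/amplification rule 130400100 in the table that follows (query type ANY) and the multiple-question anomaly rules all come down to a few fields of the DNS wire format. The following Python inspector is an added example, not Infoblox code: it builds constructed queries and responses with the standard library only, parses them, and reports which rule conditions each message satisfies using the documented default thresholds.

```python
"""Added example, not Infoblox code: a minimal DNS wire-format inspector that
applies the size and query-type conditions behind the anti-tunneling rules
(130000500/130000600, 200000004), the ANY-query rule 130400100 and the
multiple-question anomaly rules. All messages are constructed in-line."""
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY, QCLASS_IN = 1, 16, 255, 1


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qnames, qtype, txid=0x1234):
    """Standard query (QR=0, opcode 0, RD=1); qnames is a list so that a
    malformed multi-question message can be built as well."""
    header = struct.pack("!HHHHHH", txid, 0x0100, len(qnames), 0, 0, 0)
    return header + b"".join(encode_name(n) + struct.pack("!HH", qtype, QCLASS_IN)
                             for n in qnames)


def build_txt_response(qname, strings, txid=0x1234):
    """Response (QR=1) with one TXT RR; each string becomes a <len><bytes> character-string."""
    rdata = b"".join(bytes([len(s)]) + s for s in strings)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


def skip_name(msg, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse(msg):
    """Extract the fields the rules look at: QR bit, opcode, question types, TXT rdata bytes."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, qtypes, txt_bytes = 12, [], 0
    for _ in range(qd):
        end = skip_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, end)
        qtypes.append(qtype)
        off = end + 4
    for _ in range(an):
        end = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, end)
        if rtype == QTYPE_TXT:
            txt_bytes += rdlen
        off = end + 10 + rdlen
    return {"qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "qtypes": qtypes, "txt_bytes": txt_bytes}


def classify(msg, query_size_limit=200, txt_size_limit=40):
    """List the rule conditions this message satisfies (defaults are the documented ones)."""
    info = parse(msg)
    hits = []
    if info["qr"] == 0:
        if len(msg) > query_size_limit:
            hits.append("large-query")          # 130000500 / 130000600
        if QTYPE_ANY in info["qtypes"]:
            hits.append("any-query")            # 130400100
        if len(info["qtypes"]) > 1:
            hits.append("multiple-questions")   # 110100900 / 130000800
        if info["opcode"] != 0:
            hits.append("non-query-opcode")     # 110100900 / 130000700
    elif info["txt_bytes"] > txt_size_limit:
        hits.append("large-txt-response")       # 200000004
    return hits


def demo():
    """Constructed samples: ordinary traffic next to tunneling-style and ANY traffic."""
    chunk = ("abcdefghijklmnopqrstuvwxyz234567" * 2)[:60]   # base32-looking 60-byte label
    samples = {
        "normal A query": build_query(["www.example.com"], QTYPE_A),
        "tunnel query": build_query([f"{chunk}.{chunk}.{chunk}.t.example.com"], QTYPE_TXT),
        "ANY query": build_query(["example.com"], QTYPE_ANY),
        "two-question query": build_query(["a.example.com", "b.example.com"], QTYPE_A),
        "spf TXT response": build_txt_response("example.com", [b"v=spf1 -all"]),
        "tunnel TXT response": build_txt_response("t.example.com", [b"Q" * 64]),
    }
    return {label: classify(msg) for label, msg in samples.items()}


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:22} -> {hits or ['pass']}")
```

The ordinary A query is 33 bytes, far under the 200-byte Packet size, while three 60-byte labels push the tunnel-style query to 214 bytes; on the response side, a normal SPF TXT record is 12 bytes of rdata and a 64-byte encoded chunk is 65, which is why 40 is a usable default for rule 200000004 but will also catch long legitimate TXT records such as domain-verification tokens.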
The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attackson your advanced appliance
Table H12 DNS Amplification and Reflection Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts
  Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders and VPN concentrators.

130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs
  Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

130400600 | System | RATE LIMIT PASS UDP DNS root requests
  Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130600100 | Auto | RATELIMIT PASS NTP TIME responses
  Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second. It then blocks all NTP traffic for 15 seconds.
  Enable/Disable Condition: Enabled when the NTP client is enabled
  Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

130600120 | Auto | DROP NTP TIME responses
  Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
  Enable/Disable Condition: Enabled when the NTP client is disabled
  Parameters: Events per second (default = 1)
200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)
200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001100 | Auto | DROP NTPQ requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001105 | Auto | DROP NTP TIME requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001110 | Auto | DROP NTP private mode requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001115 | Auto | DROP invalid NTP requests
  Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)
BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130700100 | AUTO | DROP BGP header length shorter than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700200 | AUTO | DROP BGP header length longer than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700300 | AUTO | DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700400 | AUTO | DROP BGP invalid type 0
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700500 | AUTO | DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700550 | AUTO | RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer
  Description: This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130700650 | AUTO | RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)
130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer
  Description: This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130800100 | Auto | DROP BGP unexpected
  Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
  Enable/Disable Condition: This rule takes effect when BGP service on this member is NOT configured
  Parameters: Events per second (default = 1)
  Comments: This rule is exclusive with other rules based on whether BGP is configured on the member or not.

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
130900300 | Auto | DROP OSPF unexpected
  Description: This rule drops unexpected OSPF packets.
  Enable Condition: This rule takes effect when OSPF service on this member is NOT configured
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for all packets on the OSPF service port.

130900400 | Auto | RATELIMIT PASS OSPF multicast
  Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when OSPF service on this member is configured for IPv4
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100)

130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast
  Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when OSPF service on this member is configured for IPv6
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100)

130900600 | Auto | RATELIMIT PASS OSPF
  Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when OSPF service on this member is configured
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)
  Comments: This rule works for both IPv4 and IPv6.
ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130400200 | Auto | DROP ICMP large packets
  Description: This rule drops large ICMP packets (bigger than 800).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130900100 | Auto | RATE LIMIT PASS ICMP Ping
  Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping
  Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable
  Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100)

130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big
  Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100)

130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses
  Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)
130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)
130901900 | Auto | RATELIMIT PASS ICMPv6 listener query
  Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902000 | Auto | RATELIMIT PASS ICMPv6 listener report
  Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902100 | Auto | RATELIMIT PASS ICMPv6 listener done
  Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2
  Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902300 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902400 | Auto | RATELIMIT PASS ICMPV6 multicast router solicitation
  Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902500 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902600 | Auto | RATELIMIT PASS ICMP ping responses
  Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)
130902700 | Auto | RATELIMIT PASS ICMP router advertisement
  Description: This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130902800 | Auto | RATELIMIT PASS ICMP router solicitation
  Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130902900 | Auto | RATELIMIT PASS ICMP time exceeded
  Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903000 | Auto | RATELIMIT PASS ICMP parameter problem
  Description: This rule passes ICMP parameter problems if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable
  Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903400 | Auto | RATELIMIT ICMP port unreachable
  Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 10); Drop Interval (default = 10 sec); Packets per second (default = 50)
130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed
  Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
100000050 | System | EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
  Enable Condition: Enabled by default
  Parameters: NA

140000100 | System | DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200 | System | DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400 | System | PASS TCP established packets
  Description: This rule passes all TCP established packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default = 0)

140000500 | System | DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600 | System | DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700 | System | DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800 | System | DROP unexpected protocol
  Description: This rule drops any unexpected protocol packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This is a catch-all rule that drops anything that does not match any other rules in the system.
HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules
Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.
bull BLACKLIST FQDN lookup TCP Use this rule template to create custom rules for blacklisting DNS queries by FQDNlookups on TCP In the Rule Parameters table complete the following
mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over TCP traffic You can also enter alist of FQDNs using semicolon as the separator
bull BLACKLIST FQDN lookup UDP Use this rule template to create custom rules for blacklisting DNS queries byFQDN lookups on UDP In the Rule Parameters table complete the following
mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over UDP traffic You can also enter alist of FQDNs using semicolon as the separator
bull BLACKLIST IP TCP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP TCP template In the Rule Parameters table complete the following
mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all TCP traffic from the specified Ipv4 and IPv6
addresses and networks will be blocked Enter network addresses in addressCIDR formatbull BLACKLIST IP UDP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6
addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP UDP template In the Rule Parameters table complete the following
mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all UDP traffic from the specified Ipv4 and IPv6addresses and networks will be blocked Enter network addresses in addressCIDR format
bull RATELIMITED FQDN lookup UDP Use this rule template to create custom rules that contains rate limitingrestrictions for blocking DNS queries by FQDN lookups on UDP traffic In the Rule Parameters table completethe following
Rule ID
Rule
Type
Rule Name Description Enable Condition Parameters Comments
140000750 Auto PASS VRRP This rule passes packets thatgo through VRRP for HAsupport
Enabled if HA isconfigured
NA
140000760 Auto PASS IGMP This rule passes packets thatgo through IGMP for HAsupport
Enabled if HA isconfigured
NA
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2930
Custom Rule Templates
NIOS 612 NIOS Administrator Guide (Rev A) 1525
mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this ruleThe default is 5
mdash Drop interval Enter the number of seconds for which the appliance drops packets
mdash Blacklist rate limited FQDN Enter the FQDN that is affected by the rate limit value configured for this ruleThe appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDNexceeds the configured rate limit value
bull RATELIMITED IP TCP Use this rule template to create custom rules that contains rate limiting restrictions forblacklisting IP addresses on TCP If there are certain IP addresses that you want to block before its traffic reachesthe rate limit restrictions you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting templateIn the Rule Parameters table complete the following
mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of TCP traffic that consists of DNS lookups for the IP address or networkdefined in this rule The default is 5
mdash Drop interval Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IPaddress or network defined for this rule The default is 30 seconds
mdash Rate limited IP addressnetwork Enter the IP address or network that is affected by the rate limit valueconfigured for this rule The appliance drops the packets sent by this IP address based on the drop intervalwhen the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value
bull RATELIMITED IP UDP Use this rule template to create custom rules that contains rate limiting restrictions forblacklisting IP addresses on UDP If there are certain IP addresses that you want to block before its trafficreaches the rate limit restrictions you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template In the Rule Parameters table complete the following
mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of UDP traffic that consists of DNS lookups for the IP address or networkdefined in this rule The default is 5
mdash Drop interval Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IPaddress or network defined for this rule The default is 30 seconds
mdash Rate limited IP addressnetwork Enter the IP address or network that is affected by the rate limit valueconfigured for this rule The appliance drops the packets sent by this IP address based on the drop interval
when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit valuebull WHITELIST IP TCP Pass prior to rate limiting Use this rule template to create custom rules for allowing certain IP
addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP TCP template In the Rule Parameters table complete the following
mdash Whitelisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are allowed beforeany relevant rate limiting rules take effect
bull WHITELIST IP UDP Pass prior to rate limiting Use this rule template to create custom rules for allowing certain IPaddresses on UDP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP UDP template In the Rule Parameters table complete the following
mdash Whitelisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are allowed beforeany relevant rate limiting rules take effect
TCP/UDP Flood
TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

Rule ID: 130000100
Rule Type: System
Rule Name: WARN about high rate inbound UDP DNS queries
Description: This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
Enable/Disable Condition: Disabled by default
Parameters: Packets per second (default = 40); Events per second (default = 1)
Comments: Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.

Rule ID: 130000200
Rule Type: System
Rule Name: WARN & BLOCK high rate inbound UDP DNS queries
Description: This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval.
Enable/Disable Condition: Disabled by default
Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.

Rule ID: 130000300
Rule Type: System
Rule Name: WARN about high rate inbound TCP DNS queries
Description: This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
Enable/Disable Condition: Disabled by default
Parameters: Packets per second (default = 5); Events per second (default = 1)
Comments: Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.

Rule ID: 130000400
Rule Type: System
Rule Name: WARN & BLOCK high rate inbound TCP DNS queries
Description: This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval.
Enable/Disable Condition: Disabled by default
Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.
DNS DDoS

The following table lists system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.

Table H10 DNS DDoS Rules

Rule ID: 200000001
Rule Type: System
Rule Name: NXDOMAIN rate limiting rule
Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled by default
Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

Rule ID: 200000002
Rule Type: System
Rule Name: NXRRSET rate limiting rule
Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled by default
Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers and NO errors.

Rule ID: 200000003
Rule Type: System
Rule Name: SERVFAIL rate limiting rule
Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: Enabled by default
Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.
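The warn/block rule pair of Table H9, the response-code rules of Table H10 and the packet-size condition of the anti-tunneling rules in the DNS Tunneling section that follows all describe one mechanism: a per-source-IP packet rate compared against Packets per second, a Drop interval during which that source is blocked once the rate exceeds the threshold, and an Events per second cap on logging. The model below is an added example, not Infoblox code; the sliding one-second window, the constructed packet summaries and the documentation-range addresses are assumptions, and the rule thresholds are the defaults from the tables.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple


@dataclass
class RateRule:
    rule_id: int
    name: str
    packets_per_second: int          # the rule's Packets per second parameter
    drop_interval: float             # Drop interval in seconds; 0 means warn only
    match: Callable[[dict], bool]    # which packets count toward this rule
    events_per_second: int = 1       # Events per second logging cap


class RateLimiter:
    """Counts packets per (rule, source IP) over a sliding one-second window."""

    def __init__(self, rules: List[RateRule]) -> None:
        self.rules = rules
        self.window: Dict[Tuple[int, str], Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[Tuple[int, str], float] = {}
        self.log_window: Dict[int, Deque[float]] = defaultdict(deque)
        self.events: List[Tuple[float, int, str, str]] = []  # (t, rule, src, action)

    @staticmethod
    def _trim(q: Deque[float], t: float) -> None:
        while q and t - q[0] >= 1.0:  # discard timestamps a second or more old
            q.popleft()

    def _log(self, t: float, rule: RateRule, src: str, action: str) -> None:
        # Events per second caps what a rule logs, not what it drops: with the
        # default of 1, a BLOCK in the same second as a WARN is not logged.
        q = self.log_window[rule.rule_id]
        self._trim(q, t)
        if len(q) < rule.events_per_second:
            q.append(t)
            self.events.append((t, rule.rule_id, src, action))

    def process(self, t: float, pkt: dict) -> str:
        """Return "PASS" or "DROP" for one packet arriving at time t (seconds)."""
        verdict = "PASS"
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            key = (rule.rule_id, pkt["src"])
            if t < self.blocked_until.get(key, 0.0):
                self._log(t, rule, pkt["src"], "DROP")  # inside the Drop interval
                verdict = "DROP"
                continue
            q = self.window[key]
            q.append(t)
            self._trim(q, t)
            rate = len(q)
            if rate > rule.packets_per_second and rule.drop_interval > 0:
                # Rate exceeds the threshold: block this source for Drop interval.
                self.blocked_until[key] = t + rule.drop_interval
                self._log(t, rule, pkt["src"], "BLOCK")
                verdict = "DROP"
            elif rate >= rule.packets_per_second:
                # Rate equals the threshold (or exceeds it, for a warn-only rule).
                self._log(t, rule, pkt["src"], "WARN")
        return verdict


def udp_dns(p: dict) -> bool:
    return p["proto"] == "udp_dns"

# Rule set using the default parameter values from the tables.
RULES = [
    RateRule(130000100, "WARN about high rate inbound UDP DNS queries", 40, 0, udp_dns),
    RateRule(130000200, "WARN & BLOCK high rate inbound UDP DNS queries", 1000, 5, udp_dns),
    RateRule(200000001, "NXDOMAIN rate limiting rule", 1000, 5,
             lambda p: udp_dns(p) and p["rcode"] == "NXDOMAIN"),
    RateRule(130000500, "RATELIMIT UDP high rate inbound large DNS queries", 100, 5,
             lambda p: udp_dns(p) and p["size"] > 200),  # Packet size default = 200
]


def pkt(src: str, rcode: str = "NOERROR", size: int = 60) -> dict:
    # Constructed packet summary: only the fields the rules above look at.
    return {"src": src, "proto": "udp_dns", "rcode": rcode, "size": size}


def simulate() -> dict:
    """Replay three constructed sources (RFC 5737 addresses) through the rule set."""
    rl = RateLimiter(RULES)
    # A: 45 small queries within one second; above the 40 pps warn threshold only.
    a = [rl.process(i / 100, pkt("192.0.2.10")) for i in range(45)]
    # B: 1200 NXDOMAIN-producing queries within one second, starting at t = 2.
    b = [rl.process(2 + i / 2000, pkt("198.51.100.7", "NXDOMAIN")) for i in range(1200)]
    b_during = rl.process(3.0, pkt("198.51.100.7", "NXDOMAIN"))  # Drop interval running
    b_after = rl.process(8.0, pkt("198.51.100.7", "NXDOMAIN"))   # Drop interval over
    # C: 150 oversized (300-byte) queries within one second, starting at t = 10.
    c = [rl.process(10 + i / 1000, pkt("203.0.113.9", size=300)) for i in range(150)]
    return {
        "a_last": a[-1],              # warned at 40 pps, never dropped
        "b_at_threshold": b[999],     # rate == 1000: warn, packet still passes
        "b_over_threshold": b[1000],  # rate == 1001: source blocked for 5 s
        "b_during_drop_interval": b_during,
        "b_after_drop_interval": b_after,
        "c_over_threshold": c[100],   # 101st large query in a second: blocked
        "blocked": sorted(rl.blocked_until),
        "logged": [(rid, action) for _, rid, _, action in rl.events],
    }
```

Note that with Events per second left at 1, the BLOCK events for sources B and C never reach the log because a WARN was already logged in the same second; the blocked state is only visible in the rule's drop counters, which is why the tables pair each block rule with a lower-threshold warn rule.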
DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

Rule ID: 130000500
Rule Type: System
Rule Name: RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
Enable/Disable Condition: Disabled by default
Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

Rule ID: 130000600
Rule Type: Auto
Rule Name: RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
Enable/Disable Condition: Disabled by default
Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

Rule ID: 200000004
Rule Type: System
Rule Name: DNS tunneling rate limiting rule
Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size.
Enable/Disable Condition: Enabled by default
Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40)
Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification recognizes UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers to the Internet cloud. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that are sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

Rule ID: 130400100
Rule Type: Auto
Rule Name: WARN & DROP DoS DNS possible reflection/amplification attack attempts
Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
Enable/Disable Condition: Enabled by default
Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders and VPN concentrators.

Rule ID: 130400500
Rule Type: System
Rule Name: RATE LIMIT PASS UDP DNS root requests with additional RRs
Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
Enable/Disable Condition: Disabled by default
Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

Rule ID: 130400600
Rule Type: System
Rule Name: RATE LIMIT PASS UDP DNS root requests
Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
Enable/Disable Condition: Disabled by default
Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules
Rule ID: 130600100
Rule Type: Auto
Rule Name: RATELIMIT PASS NTP TIME responses
Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
Enable/Disable Condition: Enabled when the NTP client is enabled
Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

Rule ID: 130600120
Rule Type: Auto
Rule Name: DROP NTP TIME responses
Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
Enable/Disable Condition: Enabled when the NTP client is disabled
Parameters: Events per second (default = 1)

Rule ID: 200001001
Rule Type: Auto
Rule Name: DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
Enable/Disable Condition: Enabled when NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001005
Rule Type: Auto
Rule Name: DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
Enable/Disable Condition: Enabled when NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001010
Rule Type: Auto
Rule Name: DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
Enable/Disable Condition: Enabled when NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001015
Rule Type: Auto
Rule Name: DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
Enable/Disable Condition: Enabled when NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001020
Rule Type: Auto
Rule Name: DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
Enable/Disable Condition: Enabled when NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001025
Rule Type: Auto
Rule Name: DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
Enable/Disable Condition: Enabled when NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001050
Rule Type: Auto
Rule Name: RATELIMIT PASS NTPQ IPv4 requests
Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule ID: 200001055
Rule Type: Auto
Rule Name: RATELIMIT PASS NTP TIME IPv4 requests
Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule ID: 200001060
Rule Type: Auto
Rule Name: RATELIMIT PASS NTP private mode IPv4 requests
Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule ID: 200001065
Rule Type: Auto
Rule Name: RATELIMIT PASS NTPQ IPv6 requests
Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule ID: 200001070
Rule Type: Auto
Rule Name: RATELIMIT PASS NTP TIME IPv6 requests
Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule ID: 200001075
Rule Type: Auto
Rule Name: RATELIMIT PASS NTP private mode IPv6 requests
Description: This rule passes UDP NTP private mode 7 requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule ID: 200001100
Rule Type: Auto
Rule Name: DROP NTPQ requests unexpected
Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
Enable/Disable Condition: Enabled when NTP service is disabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001105
Rule Type: Auto
Rule Name: DROP NTP TIME requests unexpected
Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
Enable/Disable Condition: Enabled when NTP service is disabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001110
Rule Type: Auto
Rule Name: DROP NTP private mode requests unexpected
Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
Enable/Disable Condition: Enabled when NTP service is disabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001115
Rule Type: Auto
Rule Name: DROP invalid NTP requests
Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
Enable/Disable Condition: Enabled when NTP service is disabled on this member
Parameters: Events per second (default = 1)
BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

Rule ID: 130700100
Rule Type: Auto
Rule Name: DROP BGP header length shorter than spec
Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
Enable/Disable Condition: Enabled when BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule ID: 130700200
Rule Type: Auto
Rule Name: DROP BGP header length longer than spec
Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
Enable/Disable Condition: Enabled when BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule ID: 130700300
Rule Type: Auto
Rule Name: DROP BGP spoofed connection reset attempts
Description: When BGP is enabled, this rule drops TCP BGP packets that contain spoofed connection resets.
Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule ID: 130700400
Rule Type: Auto
Rule Name: DROP BGP invalid type 0
Description: When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0.
Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule ID: 130700500
Rule Type: Auto
Rule Name: DROP BGP invalid type bigger than 5
Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule ID: 130700550
Rule Type: Auto
Rule Name: RATELIMIT PASS BGP IPv4 peer TCP connection attempts
Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

Rule ID: 130700600
Rule Type: Auto
Rule Name: RATELIMIT PASS BGP allowed with IPv4 peer
Description: This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

Rule ID: 130700650
Rule Type: Auto
Rule Name: RATELIMIT PASS BGP IPv6 peer TCP connection attempts
Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

Rule ID: 130700700
Rule Type: Auto
Rule Name: RATELIMIT PASS BGP allowed with IPv6 peer
Description: This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

Rule ID: 130800100
Rule Type: Auto
Rule Name: DROP BGP unexpected
Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
Enable/Disable Condition: This rule takes effect when BGP service on this member is NOT configured
Parameters: Events per second (default = 1)
Comments: This rule is exclusive with other rules, based on whether BGP is configured on the member or not.

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

Rule ID: 130900300
Rule Type: Auto
Rule Name: DROP OSPF unexpected
Description: This rule drops unexpected OSPF packets.
Enable/Disable Condition: This rule takes effect when OSPF service on this member is NOT configured
Parameters: Events per second (default = 1)
Comments: Default drop rule for all packets on the OSPF service port.

Rule ID: 130900400
Rule Type: Auto
Rule Name: RATELIMIT PASS OSPF multicast
Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: This rule takes effect when OSPF service on this member is configured for IPv4
Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

Rule ID: 130900500
Rule Type: Auto
Rule Name: RATELIMIT PASS OSPF IPv6 multicast
Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: This rule takes effect when OSPF service on this member is configured for IPv6
Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

Rule ID: 130900600
Rule Type: Auto
Rule Name: RATELIMIT PASS OSPF
Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable Condition: This rule takes effect when OSPF service on this member is configured
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)
Comments: This rule works for both IPv4 and IPv6.
ICMP
ICMP attacks use network devices, such as routers, to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default=1) | |
| 130900100 | Auto | RATE LIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) | |
| 130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) | |
| 130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902300 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902400 | Auto | RATELIMIT PASS ICMPv6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902500 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130903400 | Auto | RATELIMIT ICMP port unreachable | This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules
| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | NA | |
| 140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet. |
| 140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet. |
| 140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default=0) | |
| 140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default=0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default=0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default=0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default=0) | This is a catch-all rule that drops anything that does not match any other rules in the system. |
HA Support

The following table lists the auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and the Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | NA | |
| 140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | NA | |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
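The evaluation order that the templates above describe, and that the RATELIMIT PASS rules in the ICMP and OSPF tables share, is easier to reason about when written out. The following Python model is an added example and not Infoblox code or the appliance's implementation: a WHITELIST IP rule passes prior to rate limiting, BLACKLIST IP and BLACKLIST FQDN rules drop prior to rate limiting, a RATELIMITED IP rule applies a Packets per second threshold and then drops everything from the offending source for the Drop interval, and a packet that no DNS rule matches falls to the default drop of Table H17. Everything not in the text is an assumption: the one-second sliding window used to measure the rate, exact matching of the queried name against the blacklisted FQDNs after punycode conversion (the conversion the IDN note requires), Events per second read as a cap on logged events per second, and the constructed addresses, names and thresholds.

```python
"""Pass/drop evaluation in the order the custom rule templates describe.

Added illustration, not Infoblox code. Assumptions: one-second sliding
window for Packets per second, exact FQDN match after punycode conversion,
Events per second caps logged events, non-service ports hit the default drop.
"""
import ipaddress
from collections import deque
from dataclasses import dataclass, field


def to_punycode(fqdn: str) -> str:
    """Normalise a name as the IDN note requires: punycode (xn--) labels,
    lower case, trailing dot removed."""
    return fqdn.strip().rstrip(".").lower().encode("idna").decode("ascii")


@dataclass
class RateLimiter:
    """Per-source Packets per second limit with a Drop interval."""
    packets_per_second: int
    drop_interval: float
    events_per_second: int = 1
    windows: dict = field(default_factory=dict)        # src -> recent packet times
    blocked_until: dict = field(default_factory=dict)  # src -> end of drop interval
    event_times: deque = field(default_factory=deque)
    events: list = field(default_factory=list)         # (time, src) actually logged

    def check(self, src: str, now: float) -> str:
        """Return 'pass' or 'drop' for one packet from src seen at time now."""
        if now < self.blocked_until.get(src, 0.0):
            return "drop"                              # inside the drop interval
        window = self.windows.setdefault(src, deque())
        window.append(now)
        while now - window[0] >= 1.0:                  # keep only the last second
            window.popleft()
        if len(window) > self.packets_per_second:      # threshold exceeded
            self.blocked_until[src] = now + self.drop_interval
            window.clear()
            self.log(src, now)
            return "drop"
        return "pass"

    def log(self, src: str, now: float) -> None:
        """Record an event unless Events per second is already reached."""
        while self.event_times and now - self.event_times[0] >= 1.0:
            self.event_times.popleft()
        if len(self.event_times) < self.events_per_second:
            self.event_times.append(now)
            self.events.append((now, src))


@dataclass
class Ruleset:
    whitelist: list          # ip_network list: WHITELIST IP, pass prior to rate limiting
    blacklist: list          # ip_network list: BLACKLIST IP, drop prior to rate limiting
    blacklisted_fqdns: set   # punycode names: BLACKLIST FQDN lookup
    limiter: RateLimiter     # RATELIMITED IP
    service_ports: frozenset = frozenset({53})

    def evaluate(self, src: str, dport: int, qname: str, now: float) -> str:
        if dport not in self.service_ports:
            return "drop"        # no DNS rule matches, so the catch-all default drop applies
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.whitelist):
            return "pass"
        if any(ip in net for net in self.blacklist):
            return "drop"
        if to_punycode(qname) in self.blacklisted_fqdns:
            return "drop"
        return self.limiter.check(src, now)


def simulate() -> dict:
    """Run constructed traffic through the ruleset; returns (passed, dropped) per case."""
    rs = Ruleset(
        whitelist=[ipaddress.ip_network("10.0.0.0/24")],
        blacklist=[ipaddress.ip_network("198.51.100.0/24")],
        blacklisted_fqdns={to_punycode("bad.example"), to_punycode("bücher.example")},
        limiter=RateLimiter(packets_per_second=5, drop_interval=30),
    )
    results = {}

    def run(label, src, qname, times, dport=53):
        verdicts = [rs.evaluate(src, dport, qname, t) for t in times]
        results[label] = (verdicts.count("pass"), verdicts.count("drop"))

    burst = [i * 0.05 for i in range(20)]              # 20 packets inside one second
    run("whitelisted burst", "10.0.0.9", "www.example", burst)
    run("blacklisted source", "198.51.100.5", "www.example", burst[:3])
    run("blacklisted IDN (punycode form)", "203.0.113.8", "xn--bcher-kva.example", [0.0])
    run("rate limited burst", "203.0.113.7", "www.example", burst)
    run("same source inside drop interval", "203.0.113.7", "www.example", [10.0])
    run("same source after drop interval", "203.0.113.7", "www.example", [31.0])
    run("non-DNS port", "203.0.113.9", "www.example", [0.0], dport=123)
    results["events logged"] = len(rs.limiter.events)
    return results


if __name__ == "__main__":
    for case, outcome in simulate().items():
        print(f"{case:36} {outcome}")
```

The rate limited burst shows the two-stage behaviour the tables describe: the first five packets pass, the sixth crosses the threshold and starts the drop interval, and the same source is dropped without counting until the interval ends. Only one event is logged for that burst because the source is already blocked for the remaining packets.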
DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H10 DNS DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |
| 200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers, and NO errors. |
| 200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. |
DNS Tunneling
DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltrationOutbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNSresponses
The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance
Table H11 Anti DNS Tunneling Rules
DNS Amplification and Reflection
DNS reflection attacks use a form of IP spoofing changing the source address in their DNS queries to show theaddress of their intended target such as a DNS root server or a top-level domain (TLD) name server operator DNS
reflection and amplification recognizes UDP as an asymmetrical protocol (small requests large responses) and theexistence of open DNS resolvers to the Internet cloud The result is that small DNS queries reflect large UDP datagramresponses to the target address in the original source datagrams Some recent attacks have used this DDoStechnique at a huge scale
Since DNS runs over UDP and does not require a handshake it is possible to use the protocol as a means to lock downa host or a network Designed a specific way sending a small query to any open DNS resolver can result in a singleresponse containing several kilobytes or more that are sent to the unwitting spoofed victim (This type of responsetypically is sent via TCP as UDP does not allow for more than 512 bytes in a response datagram The resulting packetusually exceeds the MTU of the recipientrsquos interfaces resulting in further packet fragmentation and processing) OpenDNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data Attackers may also
Rule ID
Rule
Type
Rule Name Description
EnableDisable
Condition
Parameters Comments
130000500 System RATELIMIT UDP highrate inbound largeDNS queries (antitunneling)
This rule warns If any source IPsends large UDP DNS queries(which could be DNS tunnelingattacks) at a rate equals thePackets per second value If therate exceeds this value it blocksall such traffic from this source IPfor the time in Drop interval
This rule is triggered when theDNS Packet size exceeds theconfigured value
Disabled bydefault
Packets per second (default = 100)
Drop interval (default = 5 seconds)
Events per second (default = 1)
Packet size
(default = 200)
Consider tuning Packets
per second to a highervalue for NATdenvironments staticforwarders and VPNconcentrators
130000600 Auto RATELIMIT TCP highrate inbound largeDNS queries(anti-tunneling)
This rule warns if any source IPsends large TCP DNS queries(which could be DNS tunnelingattacks) at a rate equals thePackets per second value If therate exceeds the value theappliance blocks all such trafficfrom this source IP for the Drop
interval
This rule is triggered when theDNS Packet size exceeds theconfigured value
Disabled bydefault
Packets per second (default = 100)
Drop interval
(default = 5 seconds)
Events per second (default = 1)
Packet size
(default = 200)
Consider tuning Packets
per second to a highervalue for NATdenvironments staticforwarders and VPNconcentrators
200000004 System DNS tunneling ratelimiting rule
This rule warns If any source IPsends inbound UDP DNS queriesthat trigger large TXT responses ata rate equals the Packets per
second value If the rate exceedsthis value it blocks all such t rafficfrom this source IP for the Drop
interval
This rule is triggered when the sizeof the TXT records in the DNSresponses exceeds the configuredDNS Packet size
Enabled bydefault
Packets per second (default = 1000)
Drop interval
(default = 5 seconds)
Events per second (default = 1)
Packet size
(default = 40)
Consider tuning Packets
per second to a highervalue for NATdenvironments static
forwarders and VPNconcentrators
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 1830
1514 NIOS Administrator Guide (Rev A) NIOS 612
use the EDNS0 DNS protocol extension as a means to enable larger DNS responses Many network operatorsparticularly overseas allow open DNS resolvers to run on their networks unwittingly allowing attackers to abusethem Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting openrecursive DNS servers Hence issues of this type usually result from mistakes in configuration
The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attackson your advanced appliance
Table H12 DNS Amplification and Reflection Rules

Rule ID | Rule Type | Rule Name (Description, Enable/Disable condition, Parameters and Comments follow on the lines below each rule)

130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts
    Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
    Enable/Disable condition: Enabled by default.
    Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders, and VPN concentrators.

130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs
    Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable/Disable condition: Disabled by default.
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

130400600 | System | RATE LIMIT PASS UDP DNS root requests
    Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable/Disable condition: Disabled by default.
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H13 NTP Rules

Rule ID | Rule Type | Rule Name (Description, Enable/Disable condition, Parameters and Comments follow on the lines below each rule)
130600100 | Auto | RATELIMIT PASS NTP TIME responses
    Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
    Enable/Disable condition: Enabled when the NTP client is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

130600120 | Auto | DROP NTP TIME responses
    Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
    Enable/Disable condition: Enabled when the NTP client is disabled.
    Parameters: Events per second (default = 1)
200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member.
    Parameters: Events per second (default = 1)

200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member.
    Parameters: Events per second (default = 1)

200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member.
    Parameters: Events per second (default = 1)

200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member.
    Parameters: Events per second (default = 1)

200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member.
    Parameters: Events per second (default = 1)

200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member.
    Parameters: Events per second (default = 1)

200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests
    Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)
200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests
    Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests
    Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests
    Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests
    Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests
    Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001100 | Auto | DROP NTPQ requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member.
    Parameters: Events per second (default = 1)

200001105 | Auto | DROP NTP TIME requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member.
    Parameters: Events per second (default = 1)

200001110 | Auto | DROP NTP private mode requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member.
    Parameters: Events per second (default = 1)

200001115 | Auto | DROP invalid NTP requests
    Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member.
    Parameters: Events per second (default = 1)
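Every RATE LIMIT PASS and WARN & DROP rule in Tables H12 and H13 (and in the BGP, OSPF and ICMP tables that follow) shares one mechanism: a source IP's packets pass until its rate exceeds Packets per second, then everything from that source is dropped for Drop interval, and the rule logs at most Events per second events. The Python model below is an added example, not Infoblox code; it assumes a one-second sliding window, uses rule 130400100's defaults (5 pps, 5 seconds) beside the approximately 100 pps tuning its Comments column recommends, and feeds it constructed traffic from documentation-range addresses to show why NATd clients trip the default so quickly.

```python
"""Model of the per-source rate-limit semantics shared by the RATELIMIT PASS and
WARN & DROP rules (added example; not Infoblox code). Parameters mirror the table
columns: Packets per second, Drop interval, Events per second."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

Packet = Tuple[float, str]  # (timestamp in seconds, source IP)


@dataclass
class RateLimitRule:
    rule_id: int
    name: str
    packets_per_second: int     # "Packets per second" parameter
    drop_interval: float        # "Drop interval" parameter, in seconds
    events_per_second: int = 1  # "Events per second": cap on log events for this rule


@dataclass
class RateLimiter:
    """One rule instance: tracks each source IP over a sliding one-second window
    (the window length is an assumption of this model, not stated in the guide)."""
    rule: RateLimitRule
    _window: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: Dict[str, float] = field(default_factory=dict)
    _event_times: Deque[float] = field(default_factory=deque)
    events: List[str] = field(default_factory=list)

    def handle(self, ts: float, src: str) -> str:
        """Return "PASS" or "DROP" for one packet from src at time ts."""
        until = self._blocked_until.get(src)
        if until is not None and ts < until:
            return "DROP"            # still inside this source's drop interval
        window = self._window[src]
        window.append(ts)
        while window and window[0] <= ts - 1.0:
            window.popleft()         # keep only the last second of this source's traffic
        if len(window) > self.rule.packets_per_second:
            # Rate exceeded: block the source for Drop interval and log (throttled).
            self._blocked_until[src] = ts + self.rule.drop_interval
            window.clear()
            self._log(ts, f"rule {self.rule.rule_id} ({self.rule.name}): {src} exceeded "
                          f"{self.rule.packets_per_second} pps, dropping for "
                          f"{self.rule.drop_interval:g} s")
            return "DROP"
        return "PASS"

    def _log(self, ts: float, msg: str) -> None:
        """Emit at most Events per second log lines per second for this rule."""
        while self._event_times and self._event_times[0] <= ts - 1.0:
            self._event_times.popleft()
        if len(self._event_times) < self.rule.events_per_second:
            self._event_times.append(ts)
            self.events.append(f"{ts:8.3f} {msg}")


def simulate(rule: RateLimitRule, packets: List[Packet]) -> Dict[str, int]:
    """Run packets through one rule; count verdicts and the log events it produced."""
    limiter = RateLimiter(rule)
    counts = {"PASS": 0, "DROP": 0}
    for ts, src in sorted(packets):
        counts[limiter.handle(ts, src)] += 1
    return {**counts, "events": len(limiter.events)}


# Rule 130400100 with its table defaults (5 pps, 5 s drop interval) and with the
# approximately 100 pps tuning the Comments column suggests for NATd environments.
RULE_130400100 = RateLimitRule(130400100, "possible reflection/amplification attack", 5, 5.0)
RULE_130400100_TUNED = RateLimitRule(130400100, "possible reflection/amplification attack", 100, 5.0)


def nat_scenario(hosts: int = 20, interval: float = 0.5, duration: float = 3.0) -> List[Packet]:
    """Constructed traffic: `hosts` clients behind one NAT address (203.0.113.10, a
    documentation range) each send one query every `interval` seconds. Behind the
    NAT they appear as a single source at hosts/interval = 40 pps."""
    ticks = int(duration / interval)
    return [(i * interval + h * interval / hosts, "203.0.113.10")
            for i in range(ticks) for h in range(hosts)]


def burst_then_resume() -> List[Packet]:
    """Constructed traffic: one client bursts six packets in 50 ms (one over the
    5 pps default), then sends again after the 5 s drop interval has expired."""
    return [(i * 0.01, "198.51.100.7") for i in range(6)] + [(6.0, "198.51.100.7")]


if __name__ == "__main__":
    for label, rule in (("default", RULE_130400100), ("tuned", RULE_130400100_TUNED)):
        print(label, simulate(rule, nat_scenario()))   # default blocks after 5 packets
    print("burst", simulate(RULE_130400100, burst_then_resume()))  # source recovers after 5 s
```

With the default 5 pps the twenty NATd clients are cut off 125 ms into the run and stay blocked for the whole drop interval, while the tuned 100 pps passes all of them; the burst scenario shows a single source being readmitted once its drop interval has elapsed.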
BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules
Rule ID | Rule Type | Rule Name (Description, Enable/Disable condition, Parameters and Comments follow on the lines below each rule)

130700100 | Auto | DROP BGP header length shorter than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
    Enable/Disable condition: Enabled when BGP service on this member is configured.
    Parameters: Events per second (default = 1)

130700200 | Auto | DROP BGP header length longer than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
    Enable/Disable condition: Enabled when BGP service on this member is configured.
    Parameters: Events per second (default = 1)

130700300 | Auto | DROP BGP spoofed connection reset attempts
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain spoofed connection resets.
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured.
    Parameters: Events per second (default = 1)

130700400 | Auto | DROP BGP invalid type 0
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0.
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured.
    Parameters: Events per second (default = 1)

130700500 | Auto | DROP BGP invalid type bigger than 5
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured.
    Parameters: Events per second (default = 1)

130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts
    Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv4 peers.
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer
    Description: This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv4 peers.
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts
    Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv6 peers.
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)
130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer
    Description: This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv6 peers.
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130800100 | Auto | DROP BGP unexpected
    Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
    Enable/Disable condition: This rule takes effect when BGP service on this member is NOT configured.
    Parameters: Events per second (default = 1)
    Comments: This rule is exclusive with other rules based on whether BGP is configured on the member or not.

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

Rule ID | Rule Type | Rule Name (Description, Enable condition, Parameters and Comments follow on the lines below each rule)
130900300 | Auto | DROP OSPF unexpected
    Description: This rule drops unexpected OSPF packets.
    Enable condition: This rule takes effect when OSPF service on this member is NOT configured.
    Parameters: Events per second (default = 1)
    Comments: Default drop rule for all packets on the OSPF service port.

130900400 | Auto | RATELIMIT PASS OSPF multicast
    Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: This rule takes effect when OSPF service on this member is configured for IPv4.
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast
    Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: This rule takes effect when OSPF service on this member is configured for IPv6.
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

130900600 | Auto | RATELIMIT PASS OSPF
    Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: This rule takes effect when OSPF service on this member is configured.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)
    Comments: This rule works for both IPv4 and IPv6.
ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules
Rule ID | Type | Rule Name (Description, Enable/Disable condition, Parameters and Comments follow on the lines below each rule)

130400200 | Auto | DROP ICMP large packets
    Description: This rule drops large ICMP packets (bigger than 800).
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1)

130900100 | Auto | RATE LIMIT PASS ICMP Ping
    Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping
    Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable
    Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100)

130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big
    Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100)

130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses
    Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header
    Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)
130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
    Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
    Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation
    Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement
    Description: This rule passes ICMPv6 router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation
    Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement
    Description: This rule passes ICMPv6 neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation
    Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement
    Description: This rule passes ICMPv6 inverse neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)
130901900 | Auto | RATELIMIT PASS ICMPv6 listener query
    Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902000 | Auto | RATELIMIT PASS ICMPv6 listener report
    Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902100 | Auto | RATELIMIT PASS ICMPv6 listener done
    Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2
    Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902300 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement
    Description: This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902400 | Auto | RATELIMIT PASS ICMPV6 multicast router solicitation
    Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902500 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement
    Description: This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902600 | Auto | RATELIMIT PASS ICMP ping responses
    Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)
130902700 | Auto | RATELIMIT PASS ICMP router advertisement
    Description: This rule passes ICMP router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130902800 | Auto | RATELIMIT PASS ICMP router solicitation
    Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130902900 | Auto | RATELIMIT PASS ICMP time exceeded
    Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903000 | Auto | RATELIMIT PASS ICMP parameter problem
    Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
    Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
    Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable
    Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903400 | Auto | RATELIMIT ICMP port unreachable
    Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 10); Drop interval (default = 10 sec); Packets per second (default = 50)
130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed
    Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable condition: Always enabled.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

Rule ID | Rule Type | Rule Name (Description, Enable condition, Parameters and Comments follow on the lines below each rule)
100000050 | System | EARLY PASS TCP with flowbits set
    Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
    Enable condition: Enabled by default.
    Parameters: N/A

140000100 | System | DROP UDP DNS unexpected
    Description: This rule drops any unexpected UDP DNS packets.
    Enable condition: Enabled by default.
    Parameters: Events per second (default = 1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200 | System | DROP TCP DNS unexpected
    Description: This rule drops any unexpected TCP DNS packets.
    Enable condition: Enabled by default.
    Parameters: Events per second (default = 1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400 | System | PASS TCP established packets
    Description: This rule passes all TCP established packets.
    Enable condition: Enabled by default.
    Parameters: Events per second (default = 0)

140000500 | System | DROP TCP unexpected
    Description: This rule drops any unexpected TCP packets.
    Enable condition: Enabled by default.
    Parameters: Events per second (default = 0)
    Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600 | System | DROP UDP unexpected
    Description: This rule drops any unexpected UDP packets.
    Enable condition: Enabled by default.
    Parameters: Events per second (default = 0)
    Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700 | System | DROP ICMP unexpected
    Description: This rule drops any unexpected ICMP packets.
    Enable condition: Enabled by default.
    Parameters: Events per second (default = 0)
    Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800 | System | DROP unexpected protocol
    Description: This rule drops any unexpected protocol packets.
    Enable condition: Enabled by default.
    Parameters: Events per second (default = 0)
    Comments: This is a catch-all rule that drops anything that does not match any other rules in the system.
HA Support
The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.
Table H18 HA Support Rules
Custom Rule Templates
Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
HA Support rules (Table H18); columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments

140000750  Auto  PASS VRRP
  Description: This rule passes packets that go through VRRP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

140000760  Auto  PASS IGMP
  Description: This rule passes packets that go through IGMP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
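The templates above only make sense together with their evaluation order: a whitelisted source is passed and a blacklisted source is dropped before any rate limiting rule counts packets, and a rate limited source is dropped for the whole drop interval once it exceeds the Packets per second value within one second. The following Python model is an added example, not Infoblox code and not the appliance's implementation; the class and function names, the packet fields it takes (source IP, timestamp, queried name) and the sample traffic are assumptions. It uses the documented template defaults (5 packets per second, 30 second drop interval) and normalises FQDNs to punycode so that an IDN entered as Unicode matches the same name on the wire, which is why the note above asks for punycode.

```python
"""Added example (not Infoblox code): models how the custom rule templates
interact for one protocol. WHITELIST IP (pass prior to rate limiting) and
BLACKLIST IP (drop prior to rate limiting) are consulted first, then the
BLACKLIST FQDN lookup, then the RATELIMITED IP rule, which counts packets per
source per second and blocks a source for the drop interval once the limit is
exceeded. Names, the packet fields and the sample traffic are assumptions."""
import ipaddress
from collections import defaultdict


def parse_fqdn_list(value):
    """Split the semicolon-separated list the templates accept and normalise each
    name to its punycode form, lower-cased and without the trailing dot."""
    names = set()
    for raw in value.split(";"):
        raw = raw.strip().rstrip(".").lower()
        if raw:
            names.add(raw.encode("idna").decode("ascii"))
    return names


class CustomRuleSet:
    """Custom rules for one transport (TCP or UDP); defaults mirror the templates."""

    def __init__(self, whitelist=(), blacklist=(), blacklisted_fqdns="",
                 packets_per_second=5, drop_interval=30):
        self.whitelist = [ipaddress.ip_network(n, strict=False) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n, strict=False) for n in blacklist]
        self.blacklisted_fqdns = parse_fqdn_list(blacklisted_fqdns)
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.counts = defaultdict(int)   # (source, whole second) -> packets seen
        self.blocked_until = {}          # source -> time at which the block lifts

    @staticmethod
    def _in(addr, networks):
        return any(addr in net for net in networks)

    def evaluate(self, src, ts, qname=None):
        """Return the action for one packet: 'PASS' or 'DROP:<reason>'."""
        addr = ipaddress.ip_address(src)
        if self._in(addr, self.whitelist):
            return "PASS"                       # WHITELIST IP: pass prior to rate limiting
        if self._in(addr, self.blacklist):
            return "DROP:blacklisted-ip"        # BLACKLIST IP: drop prior to rate limiting
        if qname is not None:
            name = qname.rstrip(".").lower().encode("idna").decode("ascii")
            if name in self.blacklisted_fqdns:
                return "DROP:blacklisted-fqdn"  # BLACKLIST FQDN lookup
        # RATELIMITED IP: a source inside its drop interval stays blocked
        if src in self.blocked_until and ts < self.blocked_until[src]:
            return "DROP:rate-limited"
        key = (src, int(ts))
        self.counts[key] += 1
        if self.counts[key] > self.pps:         # exceeded Packets per second
            self.blocked_until[src] = ts + self.drop_interval
            return "DROP:rate-limited"
        return "PASS"


def demo():
    """Constructed traffic (documentation prefixes): a bursting client, a
    whitelisted client that also bursts, a blacklisted client and an IDN lookup."""
    rules = CustomRuleSet(
        whitelist=["192.0.2.0/24"], blacklist=["203.0.113.7"],
        blacklisted_fqdns="bad.example; bücher.example",
        packets_per_second=5, drop_interval=30)
    actions = []
    for i in range(7):                          # 7 packets inside second 100
        actions.append(rules.evaluate("198.51.100.9", 100.0 + i * 0.1))
    actions.append(rules.evaluate("198.51.100.9", 110.0))   # still in drop interval
    actions.append(rules.evaluate("198.51.100.9", 131.0))   # interval over, counted afresh
    actions.append([rules.evaluate("192.0.2.5", 100.0) for _ in range(8)][-1])
    actions.append(rules.evaluate("203.0.113.7", 100.0))
    actions.append(rules.evaluate("198.51.100.20", 100.0, qname="xn--bcher-kva.example."))
    return actions
```

The bursting client is passed for its first five packets in the second, dropped from the sixth onwards and for the next 30 seconds, and passed again afterwards; the whitelisted client is never counted, so its eighth packet in the same second still passes.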
DNS Tunneling
DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance.
Table H11 Anti DNS Tunneling Rules
DNS Amplification and Reflection
DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification recognizes UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers to the Internet cloud. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that are sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also
Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments

130000500  System  RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

130000600  Auto  RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

200000004  System  DNS tunneling rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.
use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.
Table H12 DNS Amplification and Reflection Rules
NTP
The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.
Table H13 NTP Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments

130400100  Auto  WARN & DROP DoS DNS possible reflection/amplification attack attempts
  Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders and VPN concentrators.

130400500  System  RATE LIMIT PASS UDP DNS root requests with additional RRs
  Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

130400600  System  RATE LIMIT PASS UDP DNS root requests
  Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.
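The anti-tunneling rules (Table H11) and the amplification rules above (Table H12) both trigger on properties of the DNS message itself before any rate counting happens: the wire size of a query against the Packet size parameter, whether a query is for QTYPE ANY or for the root (with or without additional records), and the total size of TXT rdata in a response. The following parser is an added example, not Infoblox code and not the appliance's rule engine; it shows what each rule has to extract from the message, using the table defaults (Packet size 200 for queries, 40 for TXT responses) as thresholds. The message builders, function names and sample names are constructed for the demo. Rate limiting itself is left out here because the custom rule example earlier on the page already shows it.

```python
"""Added example (not Infoblox code): a minimal DNS wire-format parser that
extracts what the anti-tunneling and amplification rules key on: query size,
QTYPE ANY, root queries with/without additional records, and TXT rdata size in
responses. Thresholds are the table defaults; messages are constructed."""
import struct

QTYPE_A, QTYPE_NS, QTYPE_TXT, QTYPE_ANY = 1, 2, 16, 255


def encode_name(name):
    """Encode a dotted name as DNS labels ('.' encodes as the single root byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    for _ in range(128):                      # bound the walk against pointer loops
        length = buf[off]
        if length & 0xC0 == 0xC0:             # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", (end if jumped else off)


def build_query(name, qtype, edns=False):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = hdr + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:                                   # OPT RR: root name, type 41, UDP size 4096
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg


def build_txt_response(name, strings):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    rdata = b"".join(bytes([len(s)]) + s.encode("ascii") for s in strings)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    return hdr + encode_name(name) + struct.pack("!HH", QTYPE_TXT, 1) + rr


def classify(msg, query_size_limit=200, txt_size_limit=40):
    """Return the set of rule conditions this message satisfies."""
    _, flags, qd, an, _, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname, qtype = 12, None, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _cls = struct.unpack("!HH", msg[off:off + 4])
        off += 4
    tags = set()
    if flags & 0x8000 == 0:                    # QR bit clear: this is a query
        if len(msg) > query_size_limit:
            tags.add("large-query")            # anti-tunneling 130000500/130000600
        if qtype == QTYPE_ANY:
            tags.add("any-query")              # reflection/amplification 130400100
        if qname == ".":                       # root requests 130400500/130400600
            tags.add("root-request-with-additional" if ar else "root-request")
        return tags
    txt_bytes = 0
    for _ in range(an):                        # answers: sum TXT rdata lengths
        _name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_TXT:
            txt_bytes += rdlen
        off += rdlen
    if txt_bytes > txt_size_limit:
        tags.add("large-txt-response")         # DNS tunneling rate limiting rule 200000004
    return tags


def demo():
    """Constructed messages: an ordinary A query, an ANY query, a root NS query
    carrying an OPT record, a 210-byte query, and a TXT response with 130 bytes of rdata."""
    long_name = ".".join(["a" * 60] * 3) + ".t.example"
    return {
        "a-query": classify(build_query("www.example", QTYPE_A)),
        "any-query": classify(build_query("example", QTYPE_ANY)),
        "root-edns": classify(build_query(".", QTYPE_NS, edns=True)),
        "long-query": classify(build_query(long_name, QTYPE_A)),
        "txt-response": classify(build_txt_response("t.example", ["x" * 64, "y" * 64])),
    }
```

The pointer bound in read_name matters in this setting: a rule engine that follows compression pointers without a limit can be kept busy by a looping pointer, so the parser gives up after a fixed number of steps rather than trusting the message.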
Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments

130600100  Auto  RATELIMIT PASS NTP TIME responses
  Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second. It then blocks all NTP traffic for 15 seconds.
  Enable/Disable Condition: Enabled when the NTP client is enabled
  Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

130600120  Auto  DROP NTP TIME responses
  Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
  Enable/Disable Condition: Enabled when the NTP client is disabled
  Parameters: Events per second (default = 1)
200001001  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001005  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001010  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001015  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001020  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001025  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001050  Auto  RATELIMIT PASS NTPQ IPv4 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)
200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001075  Auto  RATELIMIT PASS NTP private mode IPv6 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001100  Auto  DROP NTPQ requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001105  Auto  DROP NTP TIME requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001110  Auto  DROP NTP private mode requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001115  Auto  DROP invalid NTP requests
  Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)
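The NTP rules above separate traffic by the mode field of the NTP header: time requests and responses (modes 3 and 4), NTPQ control requests (mode 6), private mode 7 requests, and anything that fits none of these as "invalid". The mode 7 rules go one step further and look at the implementation and request code bytes that follow the mode byte, which is how the appliance can name GET_RESTRICT, PEER_LIST and PEER_LIST_SUM requests and the IMPL 0x02 / 0x03 implementations. The classifier below is an added example, not Infoblox code and not the appliance's parser; the layout of the mode 7 header and the numeric request codes (REQ_PEER_LIST = 0, REQ_PEER_LIST_SUM = 1, REQ_GET_RESTRICT = 16, IMPL_XNTPD_OLD = 2, IMPL_XNTPD = 3) are assumed from the reference ntpd ntp_request.h header rather than taken from this page, and the sample packets are constructed.

```python
"""Added example (not Infoblox code): classifies inbound UDP NTP packets by
mode so the rule families above can be told apart. Mode 7 implementation and
request code values are assumed from the reference ntpd ntp_request.h header;
all sample packets are constructed."""

MODE_CLIENT, MODE_SERVER, MODE_CONTROL, MODE_PRIVATE = 3, 4, 6, 7
IMPL_NAMES = {2: "IMPL 0x02", 3: "IMPL 0x03"}                  # assumed: IMPL_XNTPD_OLD, IMPL_XNTPD
REQ_NAMES = {0: "PEER_LIST", 1: "PEER_LIST_SUM", 16: "GET_RESTRICT"}   # assumed request codes


def classify_ntp(pkt):
    """Return the label of the rule family that would inspect this packet."""
    if len(pkt) < 4:
        return "invalid NTP request"            # too short to carry mode and mode 7 fields
    version = (pkt[0] >> 3) & 0x07
    mode = pkt[0] & 0x07
    if mode == MODE_PRIVATE:
        authenticated = bool(pkt[1] & 0x80)     # A bit of the auth/sequence byte
        impl, reqcode = pkt[2], pkt[3]
        if not authenticated and impl in IMPL_NAMES and reqcode in REQ_NAMES:
            return f"Un-Authed {REQ_NAMES[reqcode]} Requests {IMPL_NAMES[impl]}"
        return "NTP private mode 7 request"
    if mode == MODE_CONTROL:
        return "NTPQ request"
    if mode in (1, 2, 3, 4, 5):                 # symmetric, client, server, broadcast
        if len(pkt) < 48 or not 1 <= version <= 4:
            return "invalid NTP request"        # a time packet is at least 48 bytes
        return "NTP TIME response" if mode == MODE_SERVER else "NTP TIME request"
    return "invalid NTP request"                # mode 0 is reserved


def make_time_packet(mode, version=4):
    """48-byte NTP time packet with only LI/VN/Mode set (constructed sample)."""
    return bytes([(version << 3) | mode]) + bytes(47)


def make_mode7(impl, reqcode, authenticated=False, version=2):
    """Mode 7 header: R/M/VN/Mode, A|sequence, implementation, request code (constructed)."""
    auth_seq = 0x80 if authenticated else 0
    return bytes([(version << 3) | MODE_PRIVATE, auth_seq, impl, reqcode]) + bytes(4)


def demo():
    """Constructed packets covering each rule family in the table."""
    return [
        classify_ntp(make_time_packet(MODE_CLIENT)),
        classify_ntp(make_time_packet(MODE_SERVER)),
        classify_ntp(bytes([(2 << 3) | MODE_CONTROL]) + bytes(11)),
        classify_ntp(make_mode7(3, 16)),
        classify_ntp(make_mode7(2, 1)),
        classify_ntp(make_mode7(3, 0, authenticated=True)),
        classify_ntp(make_mode7(3, 42)),
        classify_ntp(make_time_packet(MODE_CLIENT)[:20]),
        classify_ntp(bytes([(4 << 3) | 0]) + bytes(47)),
    ]
```

Only unauthenticated requests for the three named codes get the specific "Un-Authed ... IMPL" label; an authenticated request, or a code outside the three the table names, falls back to the generic private mode 7 label that the RATELIMIT PASS NTP private mode rules cover.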
BGP
The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.
Table H14 BGP Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments

130700100  AUTO  DROP BGP header length shorter than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700200  AUTO  DROP BGP header length longer than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700300  AUTO  DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain spoofed connection resets.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700400  AUTO  DROP BGP invalid type 0
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700500  AUTO  DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700550  AUTO  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
  Description: This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130700650  AUTO  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)
OSPF
The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.
Table H15 OSPF Rules
BGP rules (Table H14), continued:

130700700  Auto  RATELIMIT PASS BGP allowed with IPv6 peer
  Description: This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130800100  Auto  DROP BGP unexpected
  Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
  Enable/Disable Condition: This rule takes effect when BGP service on this member is NOT configured
  Parameters: Events per second (default = 1)
  Comments: This rule is exclusive with other rules based on whether BGP is configured on the member or not.
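The four DROP BGP header rules in the table (130700100, 130700200, 130700400, 130700500) are all decided from the 19-byte BGP message header of RFC 4271 section 4.1: a 16-byte all-ones marker, a 2-byte Length that must lie between 19 (a bare header) and 4096, and a 1-byte Type where 1 to 4 are the RFC 4271 message types and 5 is ROUTE-REFRESH from RFC 2918. The checker below is an added example, not Infoblox code and not the appliance's implementation; its function names and the sample messages are constructed. It also walks a TCP byte stream of consecutive messages, which shows why a bad Length has to stop the walk: once the Length field cannot be trusted, the offset of the next message is unknown.

```python
"""Added example (not Infoblox code): checks the fixed BGP message header
(RFC 4271 section 4.1) for the conditions the DROP BGP header rules describe.
Function names and sample messages are constructed for the demo."""
import struct

BGP_HEADER_LEN = 19
BGP_MAX_LEN = 4096
BGP_MARKER = b"\xff" * 16
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}


def check_header(hdr):
    """Return 'PASS' or 'DROP:<reason>' for the first 19 bytes of a message."""
    if len(hdr) < BGP_HEADER_LEN:
        return "DROP:truncated"
    marker, length, mtype = struct.unpack("!16sHB", hdr[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        return "DROP:bad-marker"
    if length < BGP_HEADER_LEN:
        return "DROP:header-length-shorter-than-spec"   # rule 130700100
    if length > BGP_MAX_LEN:
        return "DROP:header-length-longer-than-spec"    # rule 130700200
    if mtype == 0:
        return "DROP:invalid-type-0"                    # rule 130700400
    if mtype > 5:
        return "DROP:invalid-type-bigger-than-5"        # rule 130700500
    return "PASS"


def build_message(mtype, body=b"", length=None):
    """Build a message; 'length' overrides the true size to construct bad headers."""
    total = BGP_HEADER_LEN + len(body) if length is None else length
    return BGP_MARKER + struct.pack("!HB", total, mtype) + body


def scan_stream(data):
    """Walk consecutive messages on a TCP stream and return one verdict each.
    A failing header ends the walk because its Length can no longer be used to
    locate the next message."""
    verdicts, off = [], 0
    while off < len(data):
        verdict = check_header(data[off:off + BGP_HEADER_LEN])
        verdicts.append(verdict)
        if verdict != "PASS":
            break
        off += struct.unpack("!H", data[off + 16:off + 18])[0]
    return verdicts


def demo():
    keepalive = build_message(4)                       # 19 bytes, type KEEPALIVE
    open_msg = build_message(1, body=bytes(10))        # 29 bytes, type OPEN
    return {
        "keepalive": check_header(keepalive),
        "open": check_header(open_msg),
        "short": check_header(build_message(4, length=18)),
        "long": check_header(build_message(2, length=5000)),
        "type0": check_header(build_message(0)),
        "type9": check_header(build_message(9)),
        "stream": scan_stream(keepalive + open_msg + build_message(7)),
    }
```

The per-type minimum lengths of RFC 4271 (for example 29 bytes for OPEN) are a separate check that the table's rules do not mention, so the example stops at the header-level conditions the page describes.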
OSPF rules (Table H15); columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments

130900300  Auto  DROP OSPF unexpected
  Description: This rule drops unexpected OSPF packets.
  Enable Condition: This rule takes effect when OSPF service on this member is NOT configured
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for all packets on the OSPF service port.

130900400  Auto  RATELIMIT PASS OSPF multicast
  Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when OSPF service on this member is configured for IPv4
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100)

130900500  Auto  RATELIMIT PASS OSPF IPv6 multicast
  Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when OSPF service on this member is configured for IPv6
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100)

130900600  Auto  RATELIMIT PASS OSPF
  Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when OSPF service on this member is configured
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)
  Comments: This rule works for both IPv4 and IPv6.
ICMP
ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.
Table H16 ICMP Rules
Columns: Rule ID, Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments

130400200  Auto  DROP ICMP large packets
  Description: This rule drops large ICMP packets (bigger than 800).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130900100  Auto  RATE LIMIT PASS ICMP Ping
  Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130900200  Auto  RATE LIMIT PASS ICMPv6 Ping
  Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130900700  Auto  RATELIMIT PASS ICMPv6 destination unreachable
  Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100)

130900800  Auto  RATELIMIT PASS ICMPv6 packet too big
  Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100)

130900900  Auto  RATELIMIT PASS ICMPv6 ping responses
  Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130901000  Auto  RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)
130901100 Auto RATELIMIT PASS ICMPv6parameter problemunrecognized nextheader
  Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem: unrecognized IPv6 option
  Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)
130901900  Auto  RATELIMIT PASS ICMPv6 listener query
  Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
  Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
  Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
  Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902300  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902400  Auto  RATELIMIT PASS ICMPv6 multicast router solicitation
  Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902500  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
  Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)
130902700  Auto  RATELIMIT PASS ICMP router advertisement
  Description: This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
  Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
  Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
  Description: This rule passes ICMP parameter problems if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
  Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903400  Auto  RATELIMIT ICMP port unreachable
  Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50)
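Every RATELIMIT PASS row in this table shares one behaviour: a message type is passed while a source stays under Packets per second, and once a source exceeds that value all of its packets of that type are dropped for Drop interval seconds, while Events per second only caps how many log events the rule emits. The following is an added example, not Infoblox code, that models those semantics so the effect of the three parameters can be checked against constructed traffic. The class and function names, the one-second sliding window used to measure the rate, and the sample traffic (a quiet host and a bursting host) are all assumptions made for illustration.

```python
"""Added example (not Infoblox code): a per-source RATELIMIT PASS engine.

Models the semantics shared by the ICMP/ICMPv6 rate-limit rules: pass while
the per-source rate is under Packets per second, then drop everything from
that source for Drop interval seconds. Events per second throttles logging
only. The sliding-window measurement and the traffic are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class RateLimitRule:
    rule_id: int
    name: str
    packets_per_second: int = 50   # default for the ICMP rows above
    drop_interval: float = 30.0    # 30 sec for the ICMPv6 rows, 10 sec for most ICMPv4 rows
    events_per_second: int = 1
    # per-source state (assumption: one-second sliding window of arrival times)
    _window: dict = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: dict = field(default_factory=dict)
    _log_window: deque = field(default_factory=deque)
    events: list = field(default_factory=list)

    def _log(self, now, src, msg):
        # Events per second caps the log rate; it never changes the pass/drop decision
        while self._log_window and now - self._log_window[0] >= 1.0:
            self._log_window.popleft()
        if len(self._log_window) < self.events_per_second:
            self._log_window.append(now)
            self.events.append((now, self.rule_id, src, msg))

    def handle(self, now: float, src: str) -> str:
        """Return 'PASS' or 'DROP' for one packet of this rule's type from src."""
        until = self._blocked_until.get(src)
        if until is not None:
            if now < until:
                return "DROP"          # still inside the drop interval
            del self._blocked_until[src]
        win = self._window[src]
        while win and now - win[0] >= 1.0:
            win.popleft()              # forget arrivals older than one second
        win.append(now)
        if len(win) > self.packets_per_second:
            # the source exceeded the rate: block it for the drop interval
            self._blocked_until[src] = now + self.drop_interval
            win.clear()
            self._log(now, src, f"{self.name}: rate exceeded, dropping for {self.drop_interval}s")
            return "DROP"
        return "PASS"


def simulate(rule, packets):
    """packets: iterable of (timestamp, source). Returns per-source PASS/DROP counts."""
    counts = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for ts, src in packets:
        counts[src][rule.handle(ts, src)] += 1
    return dict(counts)


def sample_traffic():
    """Constructed traffic: a quiet host and a host that bursts above the limit."""
    pkts = []
    # quiet host: 20 packets per second for 3 seconds (under the 50 pps default)
    pkts += [(t / 20.0, "2001:db8::10") for t in range(60)]
    # noisy host: 200 packets inside the first second, then 1 packet per second for 40 s
    pkts += [(t / 200.0, "2001:db8::66") for t in range(200)]
    pkts += [(1.0 + t, "2001:db8::66") for t in range(40)]
    return sorted(pkts)


if __name__ == "__main__":
    rule = RateLimitRule(130901300, "RATELIMIT PASS ICMPv6 router solicitation")
    for src, c in simulate(rule, sample_traffic()).items():
        print(src, c)
    for ev in rule.events:
        print("event:", ev)
```

With the defaults the noisy host gets its first 50 packets through, is blocked at the 51st, and only resumes passing after the 30-second drop interval has elapsed; shortening Drop interval to the 10 seconds used by the ICMPv4 rows lets it resume 20 seconds sooner, which is the trade-off the per-row defaults encode.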
130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
  Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

Columns: Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
100000050  System  EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
  Enable Condition: Enabled by default
  Parameters: N/A

140000100  System  DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
  Description: This rule passes all TCP established packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)

140000500  System  DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600  System  DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700  System  DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800  System  DROP unexpected protocol
  Description: This rule drops any unexpected protocol packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This is a catch-all rule that drops anything that does not match any other rules in the system.
HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

Columns: Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments

140000750  Auto  PASS VRRP
  Description: This rule passes packets that go through VRRP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

140000760  Auto  PASS IGMP
  Description: This rule passes packets that go through IGMP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using a semicolon as the separator.
• BLACKLIST IP TCP: Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP: Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP: Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP: Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP: Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP: Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
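The templates above fall into three groups that take effect in a fixed relation to one another: WHITELIST IP passes and BLACKLIST IP drops before any rate limiting is applied, BLACKLIST FQDN matches a semicolon-separated list of names, and the RATELIMITED templates only see what the earlier groups did not decide. The following added example (not Infoblox code) models that matching stage for packets on the DNS port so the parameter formats can be exercised: address/CIDR networks, the semicolon-separated FQDN list, and the Punycode conversion that the note on IDNs requires. The rule objects, the PASS-before-DROP-before-RATELIMIT ordering between whitelist and blacklist rules (the page states only that both precede rate limiting), and all addresses and names are assumptions made for illustration; the rate accounting itself is left to the appliance.

```python
"""Added example (not Infoblox code): how custom-rule templates combine.

Whitelist and blacklist IP rules are consulted before any RATELIMITED rule,
BLACKLIST FQDN rules match a semicolon-separated list, and FQDNs are compared
in Punycode because custom rules do not accept IDNs directly. Rule names, the
class layout and every address and name here are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


def normalize_fqdn(name: str) -> str:
    """Lower-case, strip the trailing dot and convert IDN labels to Punycode
    (assumption: the same conversion the IDN Converter in the Toolbar performs)."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def parse_fqdn_list(value: str) -> set:
    """Parse the 'Blacklisted FQDN' parameter: FQDNs separated by semicolons."""
    return {normalize_fqdn(n) for n in value.split(";") if n.strip()}


def parse_networks(value: str) -> list:
    """Parse 'IP address/network' values in address/CIDR form; a bare address is a /32 or /128."""
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(";") if v.strip()]


@dataclass
class CustomRule:
    template: str          # e.g. "WHITELIST IP UDP: Pass prior to rate limiting"
    proto: str             # "TCP" or "UDP"
    networks: list = None  # for the IP templates
    fqdns: set = None      # for the FQDN templates
    packets_per_second: int = 5    # RATELIMITED defaults given in the text
    drop_interval: int = 30

    @property
    def action(self) -> str:
        if self.template.startswith("WHITELIST"):
            return "PASS"
        if self.template.startswith("BLACKLIST"):
            return "DROP"
        return "RATELIMIT"

    def matches(self, proto, src, qname) -> bool:
        if proto != self.proto:
            return False
        if self.networks is not None:
            # ip_network.__contains__ is False across address families
            return any(ipaddress.ip_address(src) in n for n in self.networks)
        if self.fqdns is not None:
            return qname is not None and normalize_fqdn(qname) in self.fqdns
        return False


# Assumed evaluation order: whitelist, then blacklist, then rate limiting;
# within one group the first matching rule wins.
PRIORITY = {"PASS": 0, "DROP": 1, "RATELIMIT": 2}


def classify(rules, proto, src, qname=None):
    """Return (action, rule) for the first matching rule in priority order, or
    ("NO_MATCH", None) so that the system default pass/drop rules apply."""
    for rule in sorted(rules, key=lambda r: PRIORITY[r.action]):
        if rule.matches(proto, src, qname):
            return rule.action, rule
    return "NO_MATCH", None


def sample_ruleset():
    """Constructed rule set covering each template used on UDP."""
    return [
        CustomRule("RATELIMITED IP UDP", "UDP", networks=parse_networks("192.0.2.0/24")),
        CustomRule("BLACKLIST IP UDP: Drop prior to rate limiting", "UDP",
                   networks=parse_networks("192.0.2.66; 2001:db8:bad::/48")),
        CustomRule("WHITELIST IP UDP: Pass prior to rate limiting", "UDP",
                   networks=parse_networks("192.0.2.10")),
        CustomRule("BLACKLIST FQDN lookup UDP", "UDP",
                   fqdns=parse_fqdn_list("bad.example; münchen.example.")),
        CustomRule("RATELIMITED FQDN lookup UDP", "UDP", fqdns=parse_fqdn_list("busy.example")),
    ]


if __name__ == "__main__":
    rules = sample_ruleset()
    for pkt in [("UDP", "192.0.2.10", "busy.example"), ("UDP", "192.0.2.66", "ok.example"),
                ("UDP", "192.0.2.77", "ok.example"), ("UDP", "198.51.100.5", "xn--mnchen-3ya.example")]:
        action, rule = classify(rules, *pkt)
        print(pkt, "->", action, rule.template if rule else "")
```

Because the whitelisted host and the blacklisted host both sit inside the rate-limited 192.0.2.0/24 network, the example shows the precedence the templates describe: the whitelisted source is passed and the blacklisted one dropped without either ever being counted against the RATELIMITED IP UDP rule.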
use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.
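The rules in this category key on a few fields of the UDP DNS query: rule 130400100 applies when the query type is ANY, rules 130400500 and 130400600 concern root requests with and without additional resource records, and the paragraph above explains why an EDNS0 OPT record advertising a large UDP payload size matters for amplification. The following added example (not Infoblox code) parses a query down to those fields and reports which rule in the table would consider the packet, so the distinctions the table draws can be checked on constructed packets. The parser, the helper that builds the sample queries and the field names are written here for illustration; the rule numbers are the ones in the table.

```python
"""Added example (not Infoblox code): classify a UDP DNS query the way the
reflection/amplification rules look at it: ANY query type, root request,
additional RR count and the EDNS0 UDP payload size. The parser and the
sample-query builder are illustration code.
"""
import struct

QTYPE_ANY = 255
TYPE_OPT = 41          # EDNS0 OPT pseudo-RR


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name; '.' or '' is the root name."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Return (name, offset after the name); follows compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                   # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels) or ".", end


def build_query(qname: str, qtype: int, edns_size: int = None, txid: int = 0x1234) -> bytes:
    """Constructed sample query: standard query with RD set and an optional OPT RR."""
    arcount = 1 if edns_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = extended flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return msg


def classify_query(msg: bytes) -> dict:
    """Parse the header, question and trailing RRs; report what the rules key on."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    off = 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    edns_size = None
    # answer and authority sections are normally empty in a query; all RRs share one layout
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_size = rclass           # CLASS field carries the advertised payload size
    info = {
        "qname": qname, "qtype": qtype, "is_any": qtype == QTYPE_ANY,
        "is_root": qname == ".", "additional_rrs": ar, "edns_size": edns_size,
    }
    rules = []                            # rules from Table H12 that would consider this packet
    if info["is_any"]:
        rules.append(130400100)
    if info["is_root"]:
        rules.append(130400500 if ar > 0 else 130400600)
    info["candidate_rules"] = rules
    return info


if __name__ == "__main__":
    for q in [build_query("example.com", QTYPE_ANY, edns_size=4096),
              build_query(".", 2), build_query(".", 2, edns_size=512),
              build_query("www.example.com", 1)]:
        print(classify_query(q))
```

The combination the first sample shows, an ANY query carrying an OPT record that advertises a 4096-byte payload, is the small-request, large-response shape the introduction describes; it is exactly the case rule 130400100 warns about and then rate limits per source.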
Table H12 DNS Amplification and Reflection Rules
Columns: Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130400100  Auto  WARN & DROP DoS DNS possible reflection/amplification attack attempts
  Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders and VPN concentrators.

130400500  System  RATE LIMIT PASS UDP DNS root requests with additional RRs
  Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

130400600  System  RATE LIMIT PASS UDP DNS root requests
  Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules
Columns: Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130600100  Auto  RATELIMIT PASS NTP TIME responses
  Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
  Enable/Disable Condition: Enabled when the NTP client is enabled
  Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

130600120  Auto  DROP NTP TIME responses
  Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
  Enable/Disable Condition: Enabled when the NTP client is disabled
  Parameters: Events per second (default=1)
200001001  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001005  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001010  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001015  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001020  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001025  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001050  Auto  RATELIMIT PASS NTPQ IPv4 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)
200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001075  Auto  RATELIMIT PASS NTP private mode IPv6 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001100  Auto  DROP NTPQ requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default=1)

200001105  Auto  DROP NTP TIME requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default=1)

200001110  Auto  DROP NTP private mode requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default=1)

200001115  Auto  DROP invalid NTP requests
  Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default=1)
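The NTP rules above separate traffic into TIME requests and responses, NTPQ requests and private mode 7 requests, and the DOS rules further single out unauthenticated GET_RESTRICT, PEER_LIST and PEER_LIST_SUM requests with implementation numbers 0x02 and 0x03. The following added example (not Infoblox code) shows how those classes are told apart from the first bytes of a UDP NTP packet, which is what a detection rule has to do. The mode values come from the NTP specification (mode 3 client, 4 server, 6 control as used by ntpq, 7 private); the mode 7 header layout and the request-code and implementation constants come from ntp_request.h in the reference NTP implementation, limited here to the requests named in the table. The classifier, the sample-packet builder and the minimum-length checks used to call a packet invalid are assumptions made for illustration.

```python
"""Added example (not Infoblox code): recognise the NTP packet classes the
rules distinguish (TIME, NTPQ, private mode 7) and, for mode 7, the
implementation number and request code. Header layout per ntp_request.h;
packet builder, length checks and samples are illustration code.
"""
import struct

# ntp_request.h constants for the implementations and requests named in the table
IMPL = {0x02: "IMPL_XNTPD_OLD", 0x03: "IMPL_XNTPD"}
REQ_CODES = {0: "PEER_LIST", 1: "PEER_LIST_SUM", 16: "GET_RESTRICT"}

# assumed minimum sizes: 48-byte time header, 12-byte control header, 8-byte mode 7 header
MIN_LEN = {3: 48, 4: 48, 6: 12, 7: 8}


def build_ntp_packet(mode, version=3, impl=None, req_code=None, auth=False):
    """Constructed sample packets. Modes 3, 4 and 6: first byte is LI(2)|VN(3)|Mode(3).
    Mode 7: first byte is R(1)|M(1)|VN(3)|Mode(3), then AUTH(1)|SEQ(7), IMPL, REQ,
    ERR/NITEMS (16 bits) and MBZ/SIZE (16 bits)."""
    if mode == 7:
        first = (version << 3) | 7                  # R=0 request, M=0 last packet
        second = 0x80 if auth else 0                # AUTH bit, sequence 0
        return bytes([first, second, impl, req_code]) + struct.pack("!HH", 0, 0)
    first = (version << 3) | mode                   # LI = 0
    return bytes([first]) + b"\x00" * 47            # zero-filled 48-byte header


def classify_ntp(pkt: bytes) -> dict:
    """Return the traffic class the rules use, plus mode 7 details when present."""
    if not pkt:
        return {"class": "INVALID"}
    first = pkt[0]
    mode, version = first & 0x07, (first >> 3) & 0x07
    info = {"mode": mode, "version": version}
    if mode not in MIN_LEN:
        info["class"] = "OTHER"                     # symmetric/broadcast modes, not covered here
        return info
    if len(pkt) < MIN_LEN[mode]:
        info["class"] = "INVALID"                   # truncated header (assumed rule for 'invalid')
        return info
    if mode == 3:
        info["class"] = "TIME_REQUEST"
    elif mode == 4:
        info["class"] = "TIME_RESPONSE"
    elif mode == 6:
        info["class"] = "NTPQ"                      # control message, as sent by ntpq
    else:
        info["class"] = "PRIVATE_MODE7"
        info["is_response"] = bool(first & 0x80)
        info["authenticated"] = bool(pkt[1] & 0x80)
        impl, code = pkt[2], pkt[3]
        info["impl"] = impl
        info["impl_name"] = IMPL.get(impl, "unknown")
        info["request"] = REQ_CODES.get(code, f"code {code}")
        unauth_request = not info["is_response"] and not info["authenticated"]
        if unauth_request and code in REQ_CODES and impl in IMPL:
            # the DOS rule in the table that names this request/implementation pair
            info["rule_name"] = (f"DOS Possible NTP DDoS Inbound Frequent Un-Authed "
                                 f"{REQ_CODES[code]} Requests IMPL 0x{impl:02X}")
        else:
            info["rule_name"] = None
    return info


if __name__ == "__main__":
    for p in [build_ntp_packet(3), build_ntp_packet(4), build_ntp_packet(6),
              build_ntp_packet(7, impl=0x03, req_code=16),
              build_ntp_packet(7, impl=0x02, req_code=1, auth=True)]:
        print(classify_ntp(p))
```

An authenticated mode 7 request or a mode 7 response carries the same implementation and request bytes but does not map to any "Un-Authed ... Requests" rule, which is the distinction the rule names make explicit; the private-mode rate-limit rules (200001060, 200001075) and the unexpected-request drop rules see every mode 7 packet regardless.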
BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

Columns: Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130700100  Auto  DROP BGP header length shorter than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured
  Parameters: Events per second (default=1)

130700200  Auto  DROP BGP header length longer than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured
  Parameters: Events per second (default=1)

130700300  Auto  DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default=1)

130700400  Auto  DROP BGP invalid type 0
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default=1)

130700500  Auto  DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default=1)

130700550  Auto  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
  Parameters: Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10)

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
  Description: This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
  Parameters: Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10)

130700650  Auto  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
  Parameters: Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10)
130700700  Auto  RATELIMIT PASS BGP allowed with IPv6 peer
    Description:       This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Enabled when the BGP service on this member is configured with IPv6 peers.
    Parameters:        Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130800100  Auto  DROP BGP unexpected
    Description:       This rule drops TCP BGP packets that arrive while the BGP service is not configured on this member; no BGP traffic is expected in that state.
    Enable condition:  Takes effect when the BGP service on this member is NOT configured.
    Parameters:        Events per second (default = 1)
    Comments:          This rule and the other BGP rules are mutually exclusive: which of them apply depends on whether BGP is configured on the member.

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance. Which rules take effect depends on whether the OSPF service is configured on the member.

Table H15 OSPF Rules
130900300  Auto  DROP OSPF unexpected
    Description:       This rule drops unexpected OSPF packets.
    Enable condition:  Takes effect when the OSPF service on this member is NOT configured.
    Parameters:        Events per second (default = 1)
    Comments:          Default drop rule for all packets on the OSPF service port.

130900400  Auto  RATELIMIT PASS OSPF multicast
    Description:       This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Takes effect when the OSPF service on this member is configured for IPv4.
    Parameters:        Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

130900500  Auto  RATELIMIT PASS OSPF IPv6 multicast
    Description:       This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Takes effect when the OSPF service on this member is configured for IPv6.
    Parameters:        Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

130900600  Auto  RATELIMIT PASS OSPF
    Description:       This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Takes effect when the OSPF service on this member is configured.
    Parameters:        Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)
    Comments:          This rule works for both IPv4 and IPv6.
ICMP
Network devices such as routers use ICMP to send error messages, for example when a requested service is not available or a remote host cannot be reached. ICMP attacks abuse these messages; examples include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules
130400200  Auto  DROP ICMP large packets
    Description:       This rule drops large ICMP packets (bigger than 800 bytes).
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1)

130900100  Auto  RATELIMIT PASS ICMP Ping
    Description:       This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130900200  Auto  RATELIMIT PASS ICMPv6 Ping
    Description:       This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130900700  Auto  RATELIMIT PASS ICMPv6 destination unreachable
    Description:       This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100)

130900800  Auto  RATELIMIT PASS ICMPv6 packet too big
    Description:       This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100)

130900900  Auto  RATELIMIT PASS ICMPv6 ping responses
    Description:       This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130901000  Auto  RATELIMIT PASS ICMPv6 parameter problem erroneous header
    Description:       This rule passes ICMPv6 Parameter Problem (Erroneous Header) messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)
130901100  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
    Description:       This rule passes ICMPv6 Parameter Problem (Unrecognized Next Header) messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
    Description:       This rule passes ICMPv6 Parameter Problem (Unrecognized IPv6 Option) messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
    Description:       This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
    Description:       This rule passes ICMPv6 router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
    Description:       This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
    Description:       This rule passes ICMPv6 neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
    Description:       This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
    Description:       This rule passes ICMPv6 inverse neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)
130901900  Auto  RATELIMIT PASS ICMPv6 listener query
    Description:       This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
    Description:       This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
    Description:       This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
    Description:       This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902300  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
    Description:       This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902400  Auto  RATELIMIT PASS ICMPv6 multicast router solicitation
    Description:       This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902500  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
    Description:       This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
    Description:       This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)
130902700  Auto  RATELIMIT PASS ICMP router advertisement
    Description:       This rule passes ICMP router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
    Description:       This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
    Description:       This rule passes ICMP Time Exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
    Description:       This rule passes ICMP Parameter Problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
    Description:       This rule passes ICMPv6 Hop Limit Exceeded messages and ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
    Description:       This rule passes ICMPv6 Fragment Reassembly Time Exceeded messages and ICMPv4 Host Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
    Description:       This rule passes ICMP Protocol Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903400  Auto  RATELIMIT ICMP port unreachable
    Description:       This rule passes ICMP Port Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 10); Drop interval (default = 10 sec); Packets per second (default = 50)
130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
    Description:       This rule passes ICMP Fragmentation Needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition:  Always enabled.
    Parameters:        Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Default Pass/Drop

The following table lists the system rules that pass or drop packets on your advanced appliance. All of these rules are enabled by default.

Table H17 Default Pass/Drop Rules
100000050  System  EARLY PASS TCP with flowbits set
    Description:       This rule passes TCP traffic that has the flowbits option set and marked OK.
    Enable condition:  Enabled by default.
    Parameters:        NA

140000100  System  DROP UDP DNS unexpected
    Description:       This rule drops any unexpected UDP DNS packets.
    Enable condition:  Enabled by default.
    Parameters:        Events per second (default = 1)
    Comments:          Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid UDP DNS packet.

140000200  System  DROP TCP DNS unexpected
    Description:       This rule drops any unexpected TCP DNS packets.
    Enable condition:  Enabled by default.
    Parameters:        Events per second (default = 1)
    Comments:          Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid TCP DNS packet.

140000400  System  PASS TCP established packets
    Description:       This rule passes all packets that belong to established TCP connections.
    Enable condition:  Enabled by default.
    Parameters:        Events per second (default = 0)

140000500  System  DROP TCP unexpected
    Description:       This rule drops any unexpected TCP packets.
    Enable condition:  Enabled by default.
    Parameters:        Events per second (default = 0)
    Comments:          This rule drops any TCP packet on any port that no earlier rule has passed. If this rule is triggered, the packet is most likely not intended for services on this member.

140000600  System  DROP UDP unexpected
    Description:       This rule drops any unexpected UDP packets.
    Enable condition:  Enabled by default.
    Parameters:        Events per second (default = 0)
    Comments:          This rule drops any UDP packet on any port that no earlier rule has passed. If this rule is triggered, the packet is most likely not intended for services on this member.

140000700  System  DROP ICMP unexpected
    Description:       This rule drops any unexpected ICMP packets.
    Enable condition:  Enabled by default.
    Parameters:        Events per second (default = 0)
    Comments:          This rule drops any ICMP packet that no earlier rule has passed. If this rule is triggered, the packet is most likely not intended for services on this member.

140000800  System  DROP unexpected protocol
    Description:       This rule drops packets of any unexpected protocol.
    Enable condition:  Enabled by default.
    Parameters:        Events per second (default = 0)
    Comments:          This is the catch-all rule: it drops anything that does not match any other rule in the system.
HA Support

The following table lists the auto rules that pass Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) packets, which HA (High Availability) pairs depend on.

Table H18 HA Support Rules

140000750  Auto  PASS VRRP
    Description:       This rule passes VRRP packets for HA support.
    Enable condition:  Enabled if HA is configured.
    Parameters:        NA

140000760  Auto  PASS IGMP
    Description:       This rule passes IGMP packets for HA support.
    Enable condition:  Enabled if HA is configured.
    Parameters:        NA

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and how to create them, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value, which determines how many events per second are logged for the rule. You can also define rule-specific parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use an IDN in a custom rule, you must first convert it to Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules that blacklist DNS queries by FQDN lookup over TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in TCP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules that blacklist DNS queries by FQDN lookup over UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in UDP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on TCP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on UDP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that apply a rate limit to DNS queries by FQDN lookup over UDP. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets once the rate limit has been exceeded.
  - Blacklist rate limited FQDN: Enter the FQDN that the rate limit configured for this rule applies to. When the rate of UDP DNS lookups for this FQDN exceeds the configured limit, the appliance drops those lookups for the drop interval.
• RATELIMITED IP TCP: Use this rule template to create custom rules that apply a rate limit to IP addresses on TCP. If there are IP addresses that you want to block before their traffic is even measured against the rate limit, create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of TCP DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined in this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that the rate limit applies to. When the rate of TCP DNS lookups from this address or network exceeds the configured limit, the appliance drops its packets for the drop interval.
• RATELIMITED IP UDP: Use this rule template to create custom rules that apply a rate limit to IP addresses on UDP. If there are IP addresses that you want to block before their traffic is even measured against the rate limit, create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined in this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that the rate limit applies to. When the rate of UDP DNS lookups from this address or network exceeds the configured limit, the appliance drops its packets for the drop interval.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on TCP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on UDP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are allowed before any relevant rate limiting rules take effect.
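How the whitelist, blacklist and rate-limited templates above fit together, and how the Packets per second and Drop interval parameters that the RATELIMIT PASS rules throughout this appendix share act on a single source IP, is easiest to see in a small model. The following Python is an added example written for this page, not Infoblox's implementation, and it makes assumptions the guide does not state: the rules are evaluated in the order whitelist, blacklist IP, blacklist FQDN, rate limit, default; packets are counted in a fixed one-second window; the packet after the Packets per second budget in a window triggers the block; and the FQDN blacklist is an exact, case-insensitive match.

```python
"""Rule-order model for the custom rule templates (added example, not Infoblox code).

Shows how a WHITELIST IP (pass prior to rate limiting), a BLACKLIST IP (drop prior
to rate limiting), a BLACKLIST FQDN and a RATELIMITED IP rule interact, and how
"Packets per second" and "Drop interval" act on one source IP. The evaluation
order, the one-second window, the "budget + 1 triggers the block" rule and the
exact-match FQDN comparison are assumptions; the guide does not specify them.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def parse_networks(spec: str):
    """Parse the templates' 'address/CIDR;address/CIDR' list (semicolon separated)."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.split(";") if s.strip()]


def source_in(networks, src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in networks)


@dataclass
class RateLimitedIP:
    """RATELIMITED IP template: per-source packet budget plus a block interval."""
    network: str
    packets_per_second: int = 5       # template default on this page
    drop_interval: float = 30.0       # template default on this page (seconds)
    window: dict = field(default_factory=dict)         # src -> (window_start, count)
    blocked_until: dict = field(default_factory=dict)  # src -> time the block ends

    def check(self, now: float, src: str) -> Optional[str]:
        """'PASS' or 'DROP' for a source inside this rule's network, else None."""
        if not source_in(parse_networks(self.network), src):
            return None
        if now < self.blocked_until.get(src, float("-inf")):
            return "DROP"             # still inside the drop interval
        start, count = self.window.get(src, (now, 0))
        if now - start >= 1.0:        # assumption: fixed one-second window
            start, count = now, 0
        count += 1
        self.window[src] = (start, count)
        if count > self.packets_per_second:
            # Budget exceeded: everything from this source is dropped for drop_interval.
            self.blocked_until[src] = now + self.drop_interval
            return "DROP"
        return "PASS"


@dataclass
class Engine:
    whitelist: str = ""               # WHITELIST IP: pass prior to rate limiting
    blacklist: str = ""               # BLACKLIST IP: drop prior to rate limiting
    blacklisted_fqdns: str = ""       # BLACKLIST FQDN lookup: "a.example;b.example"
    ratelimit: Optional[RateLimitedIP] = None

    def decide(self, now: float, src: str, qname: str) -> str:
        if source_in(parse_networks(self.whitelist), src):
            return "PASS (whitelist)"
        if source_in(parse_networks(self.blacklist), src):
            return "DROP (blacklist ip)"
        blocked = {n.strip().lower().rstrip(".")
                   for n in self.blacklisted_fqdns.split(";") if n.strip()}
        if qname.lower().rstrip(".") in blocked:
            return "DROP (blacklist fqdn)"
        if self.ratelimit is not None:
            verdict = self.ratelimit.check(now, src)
            if verdict is not None:
                return f"{verdict} (ratelimit)"
        return "PASS (default)"       # nothing matched: ordinary DNS traffic


def run_sample():
    """Constructed traffic (not a capture); returns [(t, src, qname, verdict), ...]."""
    eng = Engine(whitelist="10.0.0.9/32", blacklist="192.0.2.0/24",
                 blacklisted_fqdns="bad.example;evil.example",
                 ratelimit=RateLimitedIP("10.0.0.0/8", packets_per_second=5,
                                         drop_interval=30.0))
    traffic = [(0.1 * i, "10.0.0.5", "www.example.com") for i in range(8)]  # burst
    traffic += [(0.0, "10.0.0.9", "www.example.com"),      # whitelisted source
                (0.0, "192.0.2.7", "www.example.com"),     # blacklisted source
                (0.0, "10.1.1.1", "Evil.Example."),        # blacklisted FQDN
                (0.0, "198.51.100.3", "www.example.com"),  # outside the rate-limited net
                (5.0, "10.0.0.5", "www.example.com"),      # still inside drop interval
                (31.0, "10.0.0.5", "www.example.com")]     # block has expired
    traffic.sort(key=lambda e: e[0])
    return [(t, src, q, eng.decide(t, src, q)) for t, src, q in traffic]


if __name__ == "__main__":
    for t, src, q, verdict in run_sample():
        print(f"t={t:5.1f}  {src:<14} {q:<18} {verdict}")
```

With the defaults of 5 packets per second and a 30 second drop interval, the burst source passes its first five queries, is blocked from the sixth query onward, is still blocked at t = 5 s, and passes again at t = 31 s; the whitelisted source is never counted, and the blacklisted source and the blacklisted name are dropped before any rate accounting happens.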
NTP
200001001  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
    Description:       When the NTP server is enabled, this rule warns about possible NTP DDoS attacks using frequent, unauthenticated inbound GET_RESTRICT requests (implementation 0x02). It then blocks suspicious NTP traffic for the time specified in Drop Interval.
    Enable condition:  Enabled when the NTP service is enabled on this member.
    Parameters:        Events per second (default = 1)

200001005  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
    Description:       When the NTP server is enabled, this rule warns about possible NTP DDoS attacks using frequent, unauthenticated inbound GET_RESTRICT requests (implementation 0x03). It then blocks suspicious NTP traffic for the time specified in Drop Interval.
    Enable condition:  Enabled when the NTP service is enabled on this member.
    Parameters:        Events per second (default = 1)

200001010  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
    Description:       When the NTP server is enabled, this rule warns about possible NTP DDoS attacks using frequent, unauthenticated inbound PEER_LIST_SUM requests (implementation 0x02). It then blocks suspicious NTP traffic for the time specified in Drop Interval.
    Enable condition:  Enabled when the NTP service is enabled on this member.
    Parameters:        Events per second (default = 1)

200001015  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
    Description:       When the NTP server is enabled, this rule warns about possible NTP DDoS attacks using frequent, unauthenticated inbound PEER_LIST_SUM requests (implementation 0x03). It then blocks suspicious NTP traffic for the time specified in Drop Interval.
    Enable condition:  Enabled when the NTP service is enabled on this member.
    Parameters:        Events per second (default = 1)

200001020  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
    Description:       When the NTP server is enabled, this rule warns about possible NTP DDoS attacks using frequent, unauthenticated inbound PEER_LIST requests (implementation 0x02). It then blocks suspicious NTP traffic for the time specified in Drop Interval.
    Enable condition:  Enabled when the NTP service is enabled on this member.
    Parameters:        Events per second (default = 1)

200001025  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
    Description:       When the NTP server is enabled, this rule warns about possible NTP DDoS attacks using frequent, unauthenticated inbound PEER_LIST requests (implementation 0x03). It then blocks suspicious NTP traffic for the time specified in Drop Interval.
    Enable condition:  Enabled when the NTP service is enabled on this member.
    Parameters:        Events per second (default = 1)

200001050  Auto  RATELIMIT PASS NTPQ IPv4 requests
    Description:       This rule passes UDP NTPQ requests from sources in the NTP IPv4 ACLs until the traffic reaches the rate limit (the Packets per second value). It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval.
    Enable condition:  Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are used and this rule is disabled.
    Parameters:        Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
    Description:       This rule passes UDP NTP TIME requests from sources in the NTP IPv4 ACLs until the traffic reaches the rate limit (the Packets per second value). It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable condition:  Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are used and this rule is enabled.
    Parameters:        Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
    Description:       This rule passes UDP NTP private mode 7 requests from sources in the NTP IPv4 ACLs until the traffic reaches the rate limit (the Packets per second value). It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
    Enable condition:  Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are used and this rule is disabled.
    Parameters:        Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
    Description:       This rule passes UDP NTPQ requests from sources in the NTP IPv6 ACLs until the traffic reaches the rate limit (the Packets per second value). It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval.
    Enable condition:  Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are used and this rule is disabled.
    Parameters:        Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
    Description:       This rule passes UDP NTP TIME requests from sources in the NTP IPv6 ACLs until the traffic reaches the rate limit (the Packets per second value). It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable condition:  Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are used and this rule is enabled.
    Parameters:        Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001075  Auto  RATELIMIT PASS NTP private mode IPv6 requests
    Description:       This rule passes UDP NTP private mode 7 requests from sources in the NTP IPv6 ACLs until the traffic reaches the rate limit (the Packets per second value). It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
    Enable condition:  Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are used and this rule is disabled.
    Parameters:        Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001100  Auto  DROP NTPQ requests unexpected
    Description:       When the NTP service is disabled, this rule drops all UDP NTPQ requests.
    Enable condition:  Enabled when the NTP service is disabled on this member.
    Parameters:        Events per second (default = 1)

200001105  Auto  DROP NTP TIME requests unexpected
    Description:       When the NTP service is disabled, this rule drops all UDP NTP TIME requests.
    Enable condition:  Enabled when the NTP service is disabled on this member.
    Parameters:        Events per second (default = 1)

200001110  Auto  DROP NTP private mode requests unexpected
    Description:       When the NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
    Enable condition:  Enabled when the NTP service is disabled on this member.
    Parameters:        Events per second (default = 1)

200001115  Auto  DROP invalid NTP requests
    Description:       When the NTP service is disabled, this rule drops all invalid UDP NTP requests.
    Enable condition:  Enabled when the NTP service is disabled on this member.
    Parameters:        Events per second (default = 1)
BGP
The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

130700100 (AUTO): DROP BGP header length shorter than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
  Condition: Enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700200 (AUTO): DROP BGP header length longer than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
  Condition: Enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700300 (AUTO): DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
  Condition: This rule is enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700400 (AUTO): DROP BGP invalid type 0
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
  Condition: This rule is enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700500 (AUTO): DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
  Condition: This rule is enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700550 (AUTO): RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130700600 (Auto): RATELIMIT PASS BGP allowed with IPv4 peer
  Description: This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130700650 (AUTO): RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)
130700700 (Auto): RATELIMIT PASS BGP allowed with IPv6 peer
  Description: This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130800100 (Auto): DROP BGP unexpected
  Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
  Condition: This rule takes effect when BGP service on this member is NOT configured.
  Parameters: Events per second (default = 1)
  Comments: This rule is exclusive with other rules based on whether BGP is configured on the member or not.

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules
130900300 (Auto): DROP OSPF unexpected
  Description: This rule drops unexpected OSPF packets.
  Condition: This rule takes effect when OSPF service on this member is NOT configured.
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for all packets on the OSPF service port.

130900400 (Auto): RATELIMIT PASS OSPF multicast
  Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: This rule takes effect when OSPF service on this member is configured for IPv4.
  Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

130900500 (Auto): RATELIMIT PASS OSPF IPv6 multicast
  Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: This rule takes effect when OSPF service on this member is configured for IPv6.
  Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

130900600 (Auto): RATELIMIT PASS OSPF
  Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: This rule takes effect when OSPF service on this member is configured.
  Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)
  Comments: This rule works for both IPv4 and IPv6.
ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

130400200 (Auto): DROP ICMP large packets
  Description: This rule drops large ICMP packets (bigger than 800).
  Condition: Always enabled.
  Parameters: Events per second (default = 1)

130900100 (Auto): RATE LIMIT PASS ICMP Ping
  Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130900200 (Auto): RATE LIMIT PASS ICMPv6 Ping
  Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130900700 (Auto): RATELIMIT PASS ICMPv6 destination unreachable
  Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100)

130900800 (Auto): RATELIMIT PASS ICMPv6 packet too big
  Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100)

130900900 (Auto): RATELIMIT PASS ICMPv6 ping responses
  Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130901000 (Auto): RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)
130901100 (Auto): RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901200 (Auto): RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901300 (Auto): RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901400 (Auto): RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901500 (Auto): RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901600 (Auto): RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901700 (Auto): RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901800 (Auto): RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)
130901900 (Auto): RATELIMIT PASS ICMPv6 listener query
  Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902000 (Auto): RATELIMIT PASS ICMPv6 listener report
  Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902100 (Auto): RATELIMIT PASS ICMPv6 listener done
  Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902200 (Auto): RATELIMIT PASS ICMPv6 listener report v2
  Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902300 (Auto): RATELIMIT PASS ICMPv6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902400 (Auto): RATELIMIT PASS ICMPv6 multicast router solicitation
  Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902500 (Auto): RATELIMIT PASS ICMPv6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902600 (Auto): RATELIMIT PASS ICMP ping responses
  Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)
130902700 (Auto): RATELIMIT PASS ICMP router advertisement
  Description: This rule passes ICMP router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130902800 (Auto): RATELIMIT PASS ICMP router solicitation
  Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130902900 (Auto): RATELIMIT PASS ICMP time exceeded
  Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903000 (Auto): RATELIMIT PASS ICMP parameter problem
  Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903100 (Auto): RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130903200 (Auto): RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903300 (Auto): RATELIMIT PASS ICMP protocol unreachable
  Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903400 (Auto): RATELIMIT ICMP port unreachable
  Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Condition: Always enabled.
  Parameters: Events per second (default = 10); Drop interval (default = 10 sec); Packets per second (default = 50)
130903500 (Auto): RATELIMIT PASS ICMP fragmentation needed
  Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules
100000050 (System): EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
  Condition: Enabled by default.
  Parameters: N/A

140000100 (System): DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Condition: Enabled by default.
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200 (System): DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Condition: Enabled by default.
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400 (System): PASS TCP established packets
  Description: This rule passes all TCP established packets.
  Condition: Enabled by default.
  Parameters: Events per second (default = 0)

140000500 (System): DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Condition: Enabled by default.
  Parameters: Events per second (default = 0)
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600 (System): DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Condition: Enabled by default.
  Parameters: Events per second (default = 0)
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700 (System): DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Condition: Enabled by default.
  Parameters: Events per second (default = 0)
  Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800 (System): DROP unexpected protocol
  Description: This rule drops any unexpected protocol packets.
  Condition: Enabled by default.
  Parameters: Events per second (default = 0)
  Comments: This is a catch-all rule that drops anything that does not match any other rules in the system.
HA Support

The following table lists the auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and the Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

140000750 (Auto): PASS VRRP
  Description: This rule passes packets that go through VRRP for HA support.
  Condition: Enabled if HA is configured.
  Parameters: N/A

140000760 (Auto): PASS IGMP
  Description: This rule passes packets that go through IGMP for HA support.
  Condition: Enabled if HA is configured.
  Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs in custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using a semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, for the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, for the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
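The following Python script is an added illustration of how the custom rule templates above fit together; it is example code written for this page, not Infoblox code and not any NIOS API. It models the evaluation order the templates describe: a WHITELIST IP entry passes a source before any rate limiting, a BLACKLIST IP entry drops a source before any rate limiting, and a RATELIMITED IP rule passes a source while its rate stays at or under Packets per second and otherwise drops that source for Drop interval seconds. The defaults of 5 packets per second and 30 seconds are the template defaults stated above; the sliding one-second window, the sample addresses, and the packet timestamps are constructed assumptions for the demonstration.

```python
"""Model of the custom-rule evaluation order: whitelist pass, blacklist drop,
then per-source rate limiting with a drop interval.  Added example, not NIOS
code; window arithmetic and sample traffic are constructed assumptions."""
import ipaddress
from collections import deque

# Defaults stated for the RATELIMITED IP templates.
PACKETS_PER_SECOND = 5
DROP_INTERVAL = 30.0  # seconds


class SourceRateLimiter:
    """Counts packets per source IP over a sliding one-second window.
    A source that exceeds Packets per second is dropped for Drop interval."""

    def __init__(self, packets_per_second=PACKETS_PER_SECOND,
                 drop_interval=DROP_INTERVAL):
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.window = {}         # src -> deque of timestamps in the last second
        self.blocked_until = {}  # src -> time at which its drop interval ends

    def decide(self, src, now):
        until = self.blocked_until.get(src)
        if until is not None:
            if now < until:
                return ("DROP", "drop-interval")
            del self.blocked_until[src]   # interval elapsed; source may pass again
        recent = self.window.setdefault(src, deque())
        while recent and now - recent[0] >= 1.0:
            recent.popleft()              # expire timestamps older than one second
        recent.append(now)
        if len(recent) > self.pps:
            self.blocked_until[src] = now + self.drop_interval
            recent.clear()
            return ("DROP", "rate-exceeded")
        return ("PASS", "rate-limit")


def evaluate(src, now, whitelist, blacklist, limiter):
    """Apply the documented order: whitelist pass, blacklist drop, then rate limit."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in whitelist):
        return ("PASS", "whitelist")
    if any(ip in net for net in blacklist):
        return ("DROP", "blacklist")
    return limiter.decide(src, now)


def run_demo():
    """Feed a constructed packet stream through the rules; return the decisions."""
    whitelist = [ipaddress.ip_network("203.0.113.0/24")]   # constructed
    blacklist = [ipaddress.ip_network("198.51.100.0/24")]  # constructed
    limiter = SourceRateLimiter()

    # Constructed stream of (source IP, arrival time in seconds).
    stream = [("192.0.2.10", round(0.1 * i, 1)) for i in range(8)]    # 8 packets in 0.7 s
    stream += [("192.0.2.10", 31.0)]                                   # after the drop interval
    stream += [("203.0.113.1", round(0.1 * i, 1)) for i in range(10)]  # whitelisted burst
    stream += [("198.51.100.7", 0.2)]                                  # blacklisted source
    stream.sort(key=lambda p: p[1])

    return [(src, t, evaluate(src, t, whitelist, blacklist, limiter))
            for src, t in stream]


if __name__ == "__main__":
    for src, t, (action, reason) in run_demo():
        print(f"{t:5.1f}s  {src:<14} {action:<4} ({reason})")
```

In the constructed stream the unlisted source passes its first five packets, is dropped on the sixth because the window now holds more than Packets per second entries, stays dropped for the rest of the drop interval, and passes again once 30 seconds have elapsed; the whitelisted burst never reaches the limiter, and the blacklisted source is dropped without counting toward any window.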
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 3030
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2030
1516 NIOS Administrator Guide (Rev A) NIOS 612
200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
    Description: This rule passes UDP NTP TIME requests from the NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
    Description: This rule passes UDP NTP private mode 7 requests from the NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
    Enable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
    Description: This rule passes UDP NTPQ requests from the NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
    Enable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
    Description: This rule passes UDP NTP TIME requests from the NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001075  Auto  RATELIMIT PASS NTP private mode IPv6 requests
    Description: This rule passes UDP NTP private mode 7 requests from the NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
    Enable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001100  Auto  DROP NTPQ requests unexpected
    Description: When the NTP service is disabled, this rule drops all UDP NTPQ requests.
    Enable condition: Enabled when the NTP service is disabled on this member.
    Parameters: Events per second (default = 1)

200001105  Auto  DROP NTP TIME requests unexpected
    Description: When the NTP service is disabled, this rule drops all UDP NTP TIME requests.
    Enable condition: Enabled when the NTP service is disabled on this member.
    Parameters: Events per second (default = 1)

200001110  Auto  DROP NTP private mode requests unexpected
    Description: When the NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
    Enable condition: Enabled when the NTP service is disabled on this member.
    Parameters: Events per second (default = 1)

200001115  Auto  DROP invalid NTP requests
    Description: When the NTP service is disabled, this rule drops all invalid UDP NTP requests.
    Enable condition: Enabled when the NTP service is disabled on this member.
    Parameters: Events per second (default = 1)
BGP
The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules (Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments)

130700100  AUTO  DROP BGP header length shorter than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is shorter than the RFC specification.
    Enable condition: Enabled when the BGP service on this member is configured.
    Parameters: Events per second (default = 1)

130700200  AUTO  DROP BGP header length longer than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is longer than the RFC specification.
    Enable condition: Enabled when the BGP service on this member is configured.
    Parameters: Events per second (default = 1)

130700300  AUTO  DROP BGP spoofed connection reset attempts
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
    Enable condition: Enabled when the BGP service on this member is configured.
    Parameters: Events per second (default = 1)

130700400  AUTO  DROP BGP invalid type 0
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
    Enable condition: Enabled when the BGP service on this member is configured.
    Parameters: Events per second (default = 1)

130700500  AUTO  DROP BGP invalid type bigger than 5
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
    Enable condition: Enabled when the BGP service on this member is configured.
    Parameters: Events per second (default = 1)

130700550  AUTO  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
    Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
    Enable condition: Enabled when the BGP service on this member is configured with IPv4 peers.
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
    Description: This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
    Enable condition: Enabled when the BGP service on this member is configured with IPv4 peers.
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130700650  AUTO  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
    Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
    Enable condition: Enabled when the BGP service on this member is configured with IPv6 peers.
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)
130700700  Auto  RATELIMIT PASS BGP allowed with IPv6 peer
    Description: This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
    Enable condition: Enabled when the BGP service on this member is configured with IPv6 peers.
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130800100  Auto  DROP BGP unexpected
    Description: When BGP is not configured on this member, this rule drops all TCP BGP packets, since none are expected.
    Enable condition: This rule takes effect when the BGP service on this member is NOT configured.
    Parameters: Events per second (default = 1)
    Comments: This rule is mutually exclusive with the other BGP rules: which set is active depends on whether BGP is configured on the member.

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance. Which rules take effect depends on whether the OSPF service is configured on the member: the default drop rule applies when OSPF is not in use, and the rate-limiting rules apply when it is.

Table H15 OSPF Rules (Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments)
130900300  Auto  DROP OSPF unexpected
    Description: This rule drops unexpected OSPF packets.
    Enable condition: This rule takes effect when the OSPF service on this member is NOT configured.
    Parameters: Events per second (default = 1)
    Comments: Default drop rule for all packets on the OSPF service port.

130900400  Auto  RATELIMIT PASS OSPF multicast
    Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition: This rule takes effect when the OSPF service on this member is configured for IPv4.
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

130900500  Auto  RATELIMIT PASS OSPF IPv6 multicast
    Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition: This rule takes effect when the OSPF service on this member is configured for IPv6.
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

130900600  Auto  RATELIMIT PASS OSPF
    Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition: This rule takes effect when the OSPF service on this member is configured.
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)
    Comments: This rule works for both IPv4 and IPv6.
ICMP

ICMP is the protocol that network devices such as routers use to send error messages, for example when a requested service is not available or the remote host cannot be reached. ICMP attacks abuse this protocol; examples include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules (Rule ID, Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments)
Every RATELIMIT PASS rule in this table behaves the same way: it passes the named ICMP message type if the packet rate is less than the Packets per second value, and if any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval. The entries below therefore give only the message type each rule covers and its parameter defaults.

130400200  Auto  DROP ICMP large packets
    Description: This rule drops large ICMP packets (larger than 800 bytes).
    Enable condition: Always enabled
    Parameters: Events per second (default = 1)

130900100  Auto  RATE LIMIT PASS ICMP Ping
    Description: Rate-limits ICMP ping packets per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130900200  Auto  RATE LIMIT PASS ICMPv6 Ping
    Description: Rate-limits ICMPv6 ping packets per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130900700  Auto  RATELIMIT PASS ICMPv6 destination unreachable
    Description: Rate-limits ICMPv6 Destination Unreachable messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100)

130900800  Auto  RATELIMIT PASS ICMPv6 packet too big
    Description: Rate-limits ICMPv6 Packet Too Big messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100)

130900900  Auto  RATELIMIT PASS ICMPv6 ping responses
    Description: Rate-limits ICMPv6 ping responses per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130901000  Auto  RATELIMIT PASS ICMPv6 parameter problem erroneous header
    Description: Rate-limits ICMPv6 Parameter Problem (Erroneous Header) messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130901100  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
    Description: Rate-limits ICMPv6 Parameter Problem (Unrecognized Next Header) messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
    Description: Rate-limits ICMPv6 Parameter Problem (Unrecognized IPv6 Option) messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
    Description: Rate-limits ICMPv6 router solicitation packets per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
    Description: Rate-limits ICMPv6 router advertisements per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
    Description: Rate-limits ICMPv6 neighbor solicitation packets per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
    Description: Rate-limits ICMPv6 neighbor advertisements per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
    Description: Rate-limits ICMPv6 inverse neighbor solicitation messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
    Description: Rate-limits ICMPv6 inverse neighbor advertisements per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901900  Auto  RATELIMIT PASS ICMPv6 listener query
    Description: Rate-limits ICMPv6 multicast listener query messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
    Description: Rate-limits ICMPv6 multicast listener report messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
    Description: Rate-limits ICMPv6 multicast listener done messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
    Description: Rate-limits ICMPv6 multicast listener report v2 messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902300  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
    Description: Rate-limits ICMPv6 multicast router advertisements per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902400  Auto  RATELIMIT PASS ICMPv6 multicast router solicitation
    Description: Rate-limits ICMPv6 multicast router solicitation messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902500  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
    Description: Rate-limits ICMPv6 multicast router advertisements per source IP (the rule name is printed identically to 130902300).
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
    Description: Rate-limits ICMP ping responses per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130902700  Auto  RATELIMIT PASS ICMP router advertisement
    Description: Rate-limits ICMP router advertisements per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
    Description: Rate-limits ICMP router solicitation messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
    Description: Rate-limits ICMP Time Exceeded messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
    Description: Rate-limits ICMP Parameter Problem messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
    Description: Rate-limits ICMPv6 Hop Limit Exceeded messages and ICMPv4 Network Unreachable messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
    Description: Rate-limits ICMPv6 Fragment Reassembly Time Exceeded messages and ICMPv4 Host Unreachable messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
    Description: Rate-limits ICMP Protocol Unreachable messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130903400  Auto  RATELIMIT ICMP port unreachable
    Description: Rate-limits ICMP Port Unreachable messages per source IP.
    Enable condition: Always enabled
    Parameters: Events per second (default = 10); Drop interval (default = 10 sec); Packets per second (default = 50)
130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
    Description: This rule passes ICMP Fragmentation Needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules in this table are enabled by default.

Table H17 Default Pass/Drop Rules (Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments)
100000050  System  EARLY PASS TCP with flowbits set
    Description: This rule passes TCP traffic that has the flowbits option set and marked OK.
    Enable condition: Enabled by default
    Parameters: NA

140000100  System  DROP UDP DNS unexpected
    Description: This rule drops any unexpected UDP DNS packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
    Description: This rule drops any unexpected TCP DNS packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
    Description: This rule passes all packets on established TCP connections.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 0)

140000500  System  DROP TCP unexpected
    Description: This rule drops any unexpected TCP packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 0)
    Comments: This rule drops any TCP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000600  System  DROP UDP unexpected
    Description: This rule drops any unexpected UDP packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 0)
    Comments: This rule drops any UDP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000700  System  DROP ICMP unexpected
    Description: This rule drops any unexpected ICMP packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 0)
    Comments: This rule drops any ICMP packet. If this rule is triggered, the packet is most likely not intended for services on this member.

140000800  System  DROP unexpected protocol
    Description: This rule drops packets of any unexpected protocol.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 0)
    Comments: This is a catch-all rule that drops anything that does not match any other rule in the system.
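The RATELIMIT PASS rules in the NTP, BGP, OSPF and ICMP tables above all describe one mechanism (pass a source while it stays under Packets per second, otherwise drop everything from that source for Drop interval, and write at most Events per second log lines), and the DROP ... unexpected rules in Table H17 take whatever no earlier rule claimed. The following Python simulation is an added example of that pipeline; it is not Infoblox code and does not describe how the appliance implements the rules. It uses the printed defaults of rules 130900100, 130902600 and 140000700. The packet field names, addresses and timings are constructed, and the one-second counting window, the first-match rule order and the per-rule (rather than per-source) event counter are assumptions of this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Callable, Tuple

PASS, DROP = "PASS", "DROP"


@dataclass
class RateLimitPass:
    """One RATELIMIT PASS rule: pass while a source stays under Packets per second,
    else drop that source for Drop interval s; Events per second throttles the log."""
    rule_id: int
    name: str
    match: Callable[[dict], bool]
    packets_per_second: int
    drop_interval: float
    events_per_second: int = 1
    log: list = field(default_factory=list)
    _seen: dict = field(default_factory=dict, init=False)          # src -> [second, packets in it]
    _blocked_until: dict = field(default_factory=dict, init=False)  # src -> end of drop interval
    _log_state: list = field(default_factory=lambda: [-1, 0], init=False)  # [second, lines]

    def _emit(self, t: float, msg: str) -> None:
        if int(t) != self._log_state[0]:
            self._log_state = [int(t), 0]
        if self._log_state[1] < self.events_per_second:         # Events per second (assumed per rule)
            self._log_state[1] += 1
            self.log.append(f"t={t:6.3f} rule {self.rule_id}: {msg}")

    def apply(self, pkt: dict) -> str:
        src, t = pkt["src"], pkt["t"]
        if src in self._blocked_until:
            if t < self._blocked_until[src]:                      # still inside Drop interval
                self._emit(t, f"drop {src}, blocked until t={self._blocked_until[src]:.3f}")
                return DROP
            del self._blocked_until[src]                          # interval over: count afresh
        win = self._seen.setdefault(src, [int(t), 0])
        if win[0] != int(t):                                      # new one-second window (assumed)
            win[0], win[1] = int(t), 0
        win[1] += 1
        if win[1] > self.packets_per_second:                      # rate is no longer below the limit
            self._blocked_until[src] = t + self.drop_interval
            self._emit(t, f"{src} exceeded {self.packets_per_second} pps, dropping for {self.drop_interval}s")
            return DROP
        return PASS


@dataclass
class DefaultDrop:
    """A Table H17 'DROP ... unexpected' rule: drops whatever reaches it (Events per second 0: no log)."""
    rule_id: int
    name: str
    match: Callable[[dict], bool]

    def apply(self, pkt: dict) -> str:
        return DROP


def build_rules() -> list:
    """Three rules from the page with their printed defaults; packet fields (proto, type, src, t) are this example's own."""
    icmp = lambda p: p["proto"] == "icmp"
    return [
        RateLimitPass(130900100, "RATELIMIT PASS ICMP Ping",
                      lambda p: icmp(p) and p["type"] == "echo-request", 50, 10, 1),
        RateLimitPass(130902600, "RATELIMIT PASS ICMP ping responses",
                      lambda p: icmp(p) and p["type"] == "echo-reply", 50, 10, 1),
        DefaultDrop(140000700, "DROP ICMP unexpected", icmp),
    ]


def classify(rules: list, pkt: dict) -> Tuple[int, str]:
    """First matching rule decides (assumed ordering); 140000800 catches anything no rule claimed."""
    for rule in rules:
        if rule.match(pkt):
            return rule.rule_id, rule.apply(pkt)
    return 140000800, DROP


def simulate():
    """Constructed traffic, not a capture: a flooding source, a polite source, one uncovered ICMP type."""
    rules = build_rules()
    flood, polite = "198.51.100.7", "192.0.2.10"
    ping = lambda src, t: {"proto": "icmp", "type": "echo-request", "src": src, "t": t}
    traffic = [ping(flood, i / 60) for i in range(60)]           # 60 pings inside second 0
    traffic += [ping(flood, 5.0), ping(flood, 11.0)]             # inside, then after, the 10 s interval
    traffic += [ping(polite, s + 0.5) for s in range(12)]        # one ping per second
    traffic.append({"proto": "icmp", "type": "timestamp-request", "src": polite, "t": 3.0})
    traffic.sort(key=lambda p: p["t"])
    per_source, per_rule = defaultdict(Counter), Counter()
    for pkt in traffic:
        rule_id, verdict = classify(rules, pkt)
        per_source[pkt["src"]][verdict] += 1
        per_rule[(rule_id, verdict)] += 1
    return dict(per_source), per_rule, rules


if __name__ == "__main__":
    sources, by_rule, rules = simulate()
    print({src: dict(c) for src, c in sources.items()}, dict(by_rule), sep="\n")
    print("\n".join(rules[0].log))     # two lines: Events per second = 1 hides the other drops
```

Running it shows the flooding source getting its first 50 pings through, the 51st triggering the block, the ping at t = 5 s dropped inside the interval and the ping at t = 11 s passing again, while the polite source is untouched and its timestamp request (no rate-limit rule covers it) is taken by 140000700. Rule 130900100 logs only two lines because Events per second = 1 suppresses the other nine drops in second 0, which is what to expect when you read the appliance's event counts for a burst.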
HA Support

The following table lists the auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and the Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules (Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments)

140000750  Auto  PASS VRRP
    Description: This rule passes packets that go through VRRP for HA support.
    Enable condition: Enabled if HA is configured
    Parameters: NA

140000760  Auto  PASS IGMP
    Description: This rule passes packets that go through IGMP for HA support.
    Enable condition: Enabled if HA is configured
    Parameters: NA

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs in custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
    - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
    - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST IP TCP (Drop prior to rate limiting): Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
    - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP (Drop prior to rate limiting): Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
    - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
    - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
    - Drop interval: Enter the number of seconds for which the appliance drops packets once the rate limit is exceeded.
    - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops queries for this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, create a rule using the BLACKLIST IP TCP (Drop prior to rate limiting) template. In the Rule Parameters table, complete the following:
    - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups from the IP address or network defined in this rule. The default is 5.
    - Drop interval: Enter the time interval, in seconds, during which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
    - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the TCP traffic of DNS lookups from this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, create a rule using the BLACKLIST IP UDP (Drop prior to rate limiting) template. In the Rule Parameters table, complete the following:
    - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups from the IP address or network defined in this rule. The default is 5.
    - Drop interval: Enter the time interval, in seconds, during which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
    - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the UDP traffic of DNS lookups from this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP (Pass prior to rate limiting): Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
    - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP (Pass prior to rate limiting): Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
    - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 3030
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2130
BGP

The following table lists the auto rules that mitigate BGP attacks on your advanced appliance when the BGP service is enabled, together with the default drop rule that applies when it is not.

Table H14 BGP Rules

Each RATELIMIT PASS rule below passes the named traffic while a source IP stays below the Packets per second value; a source that sends more than that has all such traffic blocked for the time set in Drop interval.

130700100  Auto  DROP BGP header length shorter than spec
  Description: When BGP is enabled, drops TCP BGP packets whose message header length is shorter than the RFC specification.
  Enable/disable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default=1)

130700200  Auto  DROP BGP header length longer than spec
  Description: When BGP is enabled, drops TCP BGP packets whose message header length is longer than the RFC specification.
  Enable/disable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default=1)

130700300  Auto  DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, drops TCP BGP packets that contain a spoofed connection reset.
  Enable/disable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default=1)

130700400  Auto  DROP BGP invalid type 0
  Description: When BGP is enabled, drops TCP BGP packets that carry the invalid message type 0.
  Enable/disable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default=1)

130700500  Auto  DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, drops TCP BGP packets that carry an invalid message type greater than 5.
  Enable/disable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default=1)

130700550  Auto  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: When BGP is enabled, passes TCP BGP route advertisement connection attempts from IPv4 peers under the rate limit.
  Enable/disable condition: Enabled when the BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
  Description: When BGP is enabled, passes TCP BGP route advertisements to IPv4 peers under the rate limit.
  Enable/disable condition: Enabled when the BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

130700650  Auto  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: When BGP is enabled, passes TCP BGP route advertisement connection attempts from IPv6 peers under the rate limit.
  Enable/disable condition: Enabled when the BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

130700700  Auto  RATELIMIT PASS BGP allowed with IPv6 peer
  Description: When BGP is enabled, passes TCP BGP route advertisements to IPv6 peers under the rate limit.
  Enable/disable condition: Enabled when the BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

130800100  Auto  DROP BGP unexpected
  Description: Drops unexpected TCP BGP packets.
  Enable/disable condition: Takes effect when the BGP service on this member is NOT configured.
  Parameters: Events per second (default=1)
  Comments: Mutually exclusive with the other BGP rules; which set applies depends on whether BGP is configured on the member.

OSPF

The following table lists the auto rules that mitigate OSPF attacks on your advanced appliance. The rate limiting rules take effect when the OSPF service is configured on the member; 130900300 is the default drop rule for members on which OSPF is not in use.

Table H15 OSPF Rules

Each RATELIMIT PASS rule below passes the named traffic while a source IP stays below the Packets per second value; a source that sends more than that has all such traffic blocked for the time set in Drop interval.

130900300  Auto  DROP OSPF unexpected
  Description: Drops unexpected OSPF packets.
  Enable condition: Takes effect when the OSPF service on this member is NOT configured.
  Parameters: Events per second (default=1)
  Comments: Default drop rule for all packets on the OSPF service port.

130900400  Auto  RATELIMIT PASS OSPF multicast
  Description: Passes OSPF IPv4 multicast packets under the rate limit.
  Enable condition: Takes effect when the OSPF service on this member is configured for IPv4.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=100)

130900500  Auto  RATELIMIT PASS OSPF IPv6 multicast
  Description: Passes OSPF IPv6 multicast packets under the rate limit.
  Enable condition: Takes effect when the OSPF service on this member is configured for IPv6.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=100)

130900600  Auto  RATELIMIT PASS OSPF
  Description: Passes OSPF packets under the rate limit.
  Enable condition: Takes effect when the OSPF service on this member is configured.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)
  Comments: This rule works for both IPv4 and IPv6.
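As an added illustration of what the BGP header rules 130700100, 130700200, 130700400 and 130700500 in Table H14 check, the following Python script (written for this page, not Infoblox code) parses the fixed 19-byte BGP message header defined in RFC 4271 and gives each constructed TCP payload the verdict the matching auto rule would. The 19-byte minimum, the 4096-byte maximum and the valid type range 1 to 5 come from RFC 4271 and RFC 2918; the page does not state the exact thresholds ADP uses, so they are assumed to follow the RFCs. The marker check is an extra RFC 4271 test with no auto rule in Table H14, and 130700300 (spoofed connection reset) needs TCP connection state that a per-packet parser like this one does not have.

```python
import struct

# RFC 4271 fixed header: 16-byte all-ones marker, 2-byte length, 1-byte type
BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19      # smallest legal Length value (a bare KEEPALIVE)
BGP_MAX_MSG_LEN = 4096   # largest legal Length value
BGP_MAX_TYPE = 5         # 1 OPEN, 2 UPDATE, 3 NOTIFICATION, 4 KEEPALIVE, 5 ROUTE-REFRESH (RFC 2918)

# Verdict strings mirror the rule names in Table H14; the mapping is ours, not Infoblox's
RULE_SHORT = "DROP BGP header length shorter than spec"   # 130700100
RULE_LONG = "DROP BGP header length longer than spec"     # 130700200
RULE_TYPE0 = "DROP BGP invalid type 0"                    # 130700400
RULE_TYPE_GT5 = "DROP BGP invalid type bigger than 5"     # 130700500
RULE_MARKER = "DROP BGP marker not all ones"              # RFC 4271 check, no auto rule on this page
PASS = "PASS"


def classify_bgp_message(payload: bytes) -> str:
    """Return the verdict for one TCP payload that is supposed to carry a BGP message."""
    if len(payload) < BGP_HEADER_LEN:
        # Too few bytes on the wire to even hold a header
        return RULE_SHORT
    marker, length, msg_type = struct.unpack("!16sHB", payload[:BGP_HEADER_LEN])
    if length < BGP_HEADER_LEN:
        return RULE_SHORT
    if length > BGP_MAX_MSG_LEN or length > len(payload):
        # Either above the RFC ceiling or claiming more bytes than were actually sent
        return RULE_LONG
    if msg_type == 0:
        return RULE_TYPE0
    if msg_type > BGP_MAX_TYPE:
        return RULE_TYPE_GT5
    if marker != BGP_MARKER:
        return RULE_MARKER
    return PASS


def build_bgp_message(msg_type: int, body: bytes = b"", declared_length=None,
                      marker: bytes = BGP_MARKER) -> bytes:
    """Assemble header + body; declared_length lets a sample lie in the Length field."""
    length = BGP_HEADER_LEN + len(body) if declared_length is None else declared_length
    return marker + struct.pack("!HB", length, msg_type) + body


# Constructed sample payloads, one per outcome (synthetic, not captured traffic)
SAMPLES = {
    "keepalive": build_bgp_message(4),
    "route_refresh": build_bgp_message(5, body=b"\x00\x01\x00\x01"),
    "runt": b"\xff" * 10,
    "length_below_19": build_bgp_message(4, declared_length=18),
    "length_above_4096": build_bgp_message(2, body=b"\x00" * 4, declared_length=5000),
    "length_beyond_payload": build_bgp_message(2, declared_length=40),
    "type_zero": build_bgp_message(0),
    "type_nine": build_bgp_message(9),
    "bad_marker": build_bgp_message(4, marker=b"\x00" * 16),
}


def triage(samples: dict) -> dict:
    """Map each sample name to the verdict the auto rules would give it."""
    return {name: classify_bgp_message(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:24s} {verdict}")
```

The length check against the actual payload size matters in practice: a message that declares 40 bytes but arrives in 19 is as malformed as one declaring 5000, and a parser that trusts the Length field would read past the buffer.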
ICMP

ICMP is the protocol that network devices such as routers use to send error messages when a requested service is unavailable or a remote host cannot be reached; ICMP attacks abuse those messages. Examples include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the auto rules that mitigate ICMP attacks on your advanced appliance. All rules in this table are always enabled.

Table H16 ICMP Rules

Each RATELIMIT PASS rule below passes the named message type while a source IP stays below the Packets per second value; a source that sends more than that has all such traffic blocked for the time set in Drop interval.

130400200  Auto  DROP ICMP large packets
  Description: Drops large ICMP packets (larger than 800 bytes).
  Parameters: Events per second (default=1)

130900100  Auto  RATE LIMIT PASS ICMP Ping
  Description: Passes ICMP ping packets under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130900200  Auto  RATE LIMIT PASS ICMPv6 Ping
  Description: Passes ICMPv6 ping packets under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130900700  Auto  RATELIMIT PASS ICMPv6 destination unreachable
  Description: Passes ICMPv6 Destination Unreachable messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=100)

130900800  Auto  RATELIMIT PASS ICMPv6 packet too big
  Description: Passes ICMPv6 Packet Too Big messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=100)

130900900  Auto  RATELIMIT PASS ICMPv6 ping responses
  Description: Passes ICMPv6 ping responses under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130901000  Auto  RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: Passes ICMPv6 Parameter Problem (Erroneous Header) messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130901100  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: Passes ICMPv6 Parameter Problem (Unrecognized Next Header) messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: Passes ICMPv6 Parameter Problem (Unrecognized IPv6 Option) messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
  Description: Passes ICMPv6 router solicitation packets under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
  Description: Passes ICMPv6 router advertisement packets under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: Passes ICMPv6 neighbor solicitation packets under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: Passes ICMPv6 neighbor advertisement packets under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: Passes ICMPv6 inverse neighbor solicitation messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: Passes ICMPv6 inverse neighbor advertisement messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901900  Auto  RATELIMIT PASS ICMPv6 listener query
  Description: Passes ICMPv6 multicast listener query messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
  Description: Passes ICMPv6 multicast listener report messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
  Description: Passes ICMPv6 multicast listener done messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
  Description: Passes ICMPv6 multicast listener report v2 messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902300  Auto  RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: Passes ICMPv6 multicast router advertisement messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902400  Auto  RATELIMIT PASS ICMPV6 multicast router solicitation
  Description: Passes ICMPv6 multicast router solicitation messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902500  Auto  RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: Passes ICMPv6 multicast router advertisement messages under the rate limit (listed under the same name as 130902300).
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
  Description: Passes ICMP ping responses under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130902700  Auto  RATELIMIT PASS ICMP router advertisement
  Description: Passes ICMP router advertisement messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
  Description: Passes ICMP router solicitation messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
  Description: Passes ICMP Time Exceeded messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
  Description: Passes ICMP Parameter Problem messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: Passes ICMPv6 Hop Limit Exceeded messages and ICMPv4 Network Unreachable messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: Passes ICMPv6 Fragment Reassembly Time Exceeded messages and ICMPv4 Host Unreachable messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
  Description: Passes ICMP Protocol Unreachable messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903400  Auto  RATELIMIT ICMP port unreachable
  Description: Passes ICMP Port Unreachable messages under the rate limit.
  Parameters: Events per second (default=10); Drop interval (default=10 sec); Packets per second (default=50)

130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
  Description: Passes ICMP Fragmentation Needed messages under the rate limit.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop

The following table lists the system rules that pass or drop packets on your advanced appliance. All rules in this table are enabled by default.

Table H17 Default Pass/Drop Rules
100000050  System  EARLY PASS TCP with flowbits set
  Description: Passes TCP traffic that has the flowbits option set and marked OK.
  Enable condition: Enabled by default.
  Parameters: NA

140000100  System  DROP UDP DNS unexpected
  Description: Drops any unexpected UDP DNS packets.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid UDP DNS packet.

140000200  System  DROP TCP DNS unexpected
  Description: Drops any unexpected TCP DNS packets.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid TCP DNS packet.

140000400  System  PASS TCP established packets
  Description: Passes all packets on established TCP connections.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=0)

140000500  System  DROP TCP unexpected
  Description: Drops any unexpected TCP packets.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=0)
  Comments: Drops any TCP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000600  System  DROP UDP unexpected
  Description: Drops any unexpected UDP packets.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=0)
  Comments: Drops any UDP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000700  System  DROP ICMP unexpected
  Description: Drops any unexpected ICMP packets.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=0)
  Comments: Drops any ICMP packet. If this rule is triggered, the packet is most likely not intended for services on this member.

140000800  System  DROP unexpected protocol
  Description: Drops packets of any unexpected protocol.
  Enable condition: Enabled by default.
  Parameters: Events per second (default=0)
  Comments: Catch-all rule that drops anything that does not match any other rule in the system.
HA Support

The following table lists the auto rules that pass Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) packets for HA (High Availability) support.

Table H18 HA Support Rules

140000750  Auto  PASS VRRP
  Description: Passes VRRP packets exchanged for HA support.
  Enable condition: Enabled if HA is configured.
  Parameters: NA

140000760  Auto  PASS IGMP
  Description: Passes IGMP packets exchanged for HA support.
  Enable condition: Enabled if HA is configured.
  Parameters: NA

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define rule-specific parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs in custom rules, you must first convert them to Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP traffic consisting of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets once the rate limit is exceeded.
  - Blacklist rate limited FQDN: Enter the FQDN to which the rate limit configured for this rule applies. The appliance drops the UDP DNS lookups for this FQDN when they exceed the configured rate limit.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit, create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of TCP traffic consisting of DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined in this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. When the TCP DNS lookups from this address exceed the configured rate limit, the appliance drops its packets for the drop interval.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit, create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP traffic consisting of DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined in this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. When the UDP DNS lookups from this address exceed the configured rate limit, the appliance drops its packets for the drop interval.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.
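The RATELIMIT PASS auto rules in Tables H14 to H16 and the RATELIMITED, BLACKLIST and WHITELIST custom templates above all share one mechanism: count packets per source, block a source that exceeds Packets per second for Drop interval seconds, and log at most Events per second. The following Python model, written for this page rather than taken from NIOS, runs a constructed packet stream through a custom RATELIMITED IP UDP rule with the template defaults (5 packets per second, 30-second drop interval) together with one BLACKLIST IP UDP entry and one WHITELIST IP UDP network. The sliding one-second window, the choice to consult the blacklist before the whitelist, and the log throttle are assumptions; the page says only that both lists act before rate limiting.

```python
import ipaddress
from collections import defaultdict, deque


class AddressList:
    """BLACKLIST / WHITELIST IP entries: single addresses or address/CIDR networks, v4 or v6."""

    def __init__(self, entries):
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def __contains__(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.networks)   # v4/v6 mismatch is simply False


class RateLimitRule:
    """Models a RATELIMIT PASS rule: a source passes while it stays at or under
    packets_per_second over a sliding one-second window (assumed); the packet that pushes
    it over starts a block on that source for drop_interval seconds. events_per_second
    caps how many log events the rule records per second."""

    def __init__(self, name, packets_per_second, drop_interval, events_per_second=1):
        self.name = name
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.eps = events_per_second
        self.window = defaultdict(deque)   # src -> timestamps seen in the last second
        self.blocked_until = {}            # src -> time the block expires
        self.log_window = deque()          # timestamps of recent log events
        self.events = []                   # (timestamp, message) the rule would log

    def evaluate(self, src: str, ts: float) -> str:
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "DROP"              # still inside the drop interval
            del self.blocked_until[src]    # block expired, start counting afresh
            self.window[src].clear()
        q = self.window[src]
        q.append(ts)
        while q and q[0] <= ts - 1.0:      # slide the one-second window
            q.popleft()
        if len(q) > self.pps:
            self.blocked_until[src] = ts + self.drop_interval
            self._log(ts, f"{self.name}: {src} exceeded {self.pps} pps, "
                          f"dropping for {self.drop_interval}s")
            return "DROP"
        return "PASS"

    def _log(self, ts, message):
        while self.log_window and self.log_window[0] <= ts - 1.0:
            self.log_window.popleft()
        if len(self.log_window) < self.eps:   # Events per second throttle
            self.log_window.append(ts)
            self.events.append((ts, message))


class Pipeline:
    """Evaluation order assumed here: blacklist, then whitelist, then the rate limit."""

    def __init__(self, blacklist, whitelist, rate_rule):
        self.blacklist, self.whitelist, self.rate_rule = blacklist, whitelist, rate_rule

    def evaluate(self, src: str, ts: float) -> str:
        if src in self.blacklist:
            return "DROP (blacklist, prior to rate limiting)"
        if src in self.whitelist:
            return "PASS (whitelist, prior to rate limiting)"
        return self.rate_rule.evaluate(src, ts)


def constructed_traffic():
    """Synthetic (src, timestamp) stream, not captured data: one abusive source,
    one well-behaved resolver, one whitelisted burst, one blacklisted source."""
    pkts = [("198.51.100.7", i * 0.05) for i in range(60)]      # 20 pps for 3 s
    pkts += [("192.0.2.10", i * 0.5) for i in range(6)]         # 2 pps for 3 s
    pkts += [("203.0.113.25", i * 0.02) for i in range(50)]     # 50 packets in 1 s
    pkts += [("198.51.100.200", float(i)) for i in range(3)]    # 1 pps for 3 s
    return sorted(pkts, key=lambda p: p[1])


def run_demo():
    """Run the stream through a custom RATELIMITED IP UDP rule with the template defaults
    (5 packets per second, 30 s drop interval) plus one blacklist and one whitelist entry."""
    pipeline = Pipeline(
        blacklist=AddressList(["198.51.100.200"]),
        whitelist=AddressList(["203.0.113.0/24"]),
        rate_rule=RateLimitRule("RATELIMITED IP UDP", packets_per_second=5, drop_interval=30),
    )
    summary = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for src, ts in constructed_traffic():
        verdict = pipeline.evaluate(src, ts)
        summary[src][verdict.split()[0]] += 1
    return dict(summary), pipeline.rate_rule.events


if __name__ == "__main__":
    counts, events = run_demo()
    for src, c in counts.items():
        print(f"{src:16s} pass={c['PASS']:3d} drop={c['DROP']:3d}")
    for ts, msg in events:
        print(f"t={ts:.2f}s {msg}")
```

Two things worth noticing when tuning the real rules: the abusive source is cut off after only five packets and then loses every packet for the whole drop interval, including any legitimate queries it sends in that window, which is why forwarders and other high-volume clients belong in a WHITELIST rule rather than under the default 5 pps; and the Events per second throttle means the log shows one line per second per rule at most, so counting log lines does not measure attack volume.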
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 3030
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2230
1518 NIOS Administrator Guide (Rev A) NIOS 612
(The following two rows continue the BGP rules table from the preceding BGP section.)

130700700  Auto  RATELIMIT PASS BGP allowed with IPv6 peer
    Description: Passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
    Enable condition: Enabled when the BGP service on this member is configured with IPv6 peers.
    Parameters: Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10)

130800100  Auto  DROP BGP unexpected
    Description: Drops unexpected TCP BGP packets.
    Enable condition: Takes effect when the BGP service on this member is NOT configured.
    Parameters: Events per second (default=1)
    Comments: Mutually exclusive with the other BGP rules: which rule applies depends on whether BGP is configured on the member.

OSPF

The following table lists the auto rules that mitigate OSPF attacks on your advanced appliance. Which rule takes effect depends on whether the OSPF service is configured on the member: when it is not configured, unexpected OSPF packets are dropped; when it is configured, OSPF packets are passed subject to a per-source rate limit.

Table H15 OSPF Rules
(Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments)

130900300  Auto  DROP OSPF unexpected
    Description: Drops unexpected OSPF packets.
    Enable condition: Takes effect when the OSPF service on this member is NOT configured.
    Parameters: Events per second (default=1)
    Comments: Default drop rule for all packets on the OSPF service port.

130900400  Auto  RATELIMIT PASS OSPF multicast
    Description: Passes OSPF IPv4 multicast packets if the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition: Takes effect when the OSPF service on this member is configured for IPv4.
    Parameters: Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100)

130900500  Auto  RATELIMIT PASS OSPF IPv6 multicast
    Description: Passes OSPF IPv6 multicast packets if the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition: Takes effect when the OSPF service on this member is configured for IPv6.
    Parameters: Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100)

130900600  Auto  RATELIMIT PASS OSPF
    Description: Passes OSPF packets if the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable condition: Takes effect when the OSPF service on this member is configured.
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)
    Comments: This rule works for both IPv4 and IPv6.
ICMP

ICMP is the protocol that network devices such as routers use to send error messages when a requested service is not available or a remote host cannot be reached; ICMP attacks abuse these messages. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance. Except for the first rule, every rule in this table is a RATELIMIT PASS rule with the same behavior: it passes the named message type as long as the packet rate from a source IP is below the Packets per second value; if any source IP sends packets above that value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval. All rules in this table are always enabled.

Table H16 ICMP Rules
(Columns: Rule ID, Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments)

130400200  Auto  DROP ICMP large packets
    Drops large ICMP packets (larger than 800 bytes).
    Always enabled.  Events per second (default=1)

130900100  Auto  RATE LIMIT PASS ICMP Ping
    Passes ICMP ping packets, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130900200  Auto  RATE LIMIT PASS ICMPv6 Ping
    Passes ICMPv6 ping packets, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130900700  Auto  RATELIMIT PASS ICMPv6 destination unreachable
    Passes ICMPv6 Destination Unreachable messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100)

130900800  Auto  RATELIMIT PASS ICMPv6 packet too big
    Passes ICMPv6 Packet Too Big messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100)

130900900  Auto  RATELIMIT PASS ICMPv6 ping responses
    Passes ICMPv6 ping responses, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130901000  Auto  RATELIMIT PASS ICMPv6 parameter problem erroneous header
    Passes ICMPv6 Erroneous Header messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130901100  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
    Passes ICMPv6 Unrecognized Next Header messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
    Passes ICMPv6 Unrecognized IPv6 Option messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
    Passes ICMPv6 router solicitation packets, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
    Passes ICMPv6 router advertisement packets, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
    Passes ICMPv6 neighbor solicitation packets, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
    Passes ICMPv6 neighbor advertisement packets, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
    Passes ICMPv6 inverse neighbor solicitation messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
    Passes ICMPv6 inverse neighbor advertisement messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901900  Auto  RATELIMIT PASS ICMPv6 listener query
    Passes ICMPv6 listener query messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
    Passes ICMPv6 listener report messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
    Passes ICMPv6 listener done messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
    Passes ICMPv6 listener report v2 messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902300  Auto  RATELIMIT PASS ICMPV6 multicast router advertisement
    Passes ICMPv6 multicast router advertisement messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902400  Auto  RATELIMIT PASS ICMPV6 multicast router solicitation
    Passes ICMPv6 multicast router solicitation messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902500  Auto  RATELIMIT PASS ICMPV6 multicast router advertisement
    Passes ICMPv6 multicast router advertisement messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
    Passes ICMP ping responses, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902700  Auto  RATELIMIT PASS ICMP router advertisement
    Passes ICMP router advertisement messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
    Passes ICMP router solicitation messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
    Passes ICMP time exceeded messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
    Passes ICMP parameter problem messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
    Passes ICMPv6 Hop Limit Exceeded messages and ICMPv4 Network Unreachable messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
    Passes ICMPv6 fragment reassembly time exceeded messages and ICMPv4 host unreachable messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
    Passes ICMP protocol unreachable messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903400  Auto  RATELIMIT ICMP port unreachable
    Passes ICMP port unreachable messages, subject to the rate limit.
    Always enabled.  Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50)

130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
    Passes ICMP fragmentation needed messages, subject to the rate limit.
    Always enabled.  Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop

The following table lists the system rules that pass or drop packets on your advanced appliance. All rules in this table are enabled by default.

Table H17 Default Pass/Drop Rules
(Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments)

100000050  System  EARLY PASS TCP with flowbits set
    Passes TCP traffic that has the flowbits options set and marked OK.
    Enabled by default.  Parameters: NA

140000100  System  DROP UDP DNS unexpected
    Drops any unexpected UDP DNS packets.
    Enabled by default.  Events per second (default=1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
    Drops any unexpected TCP DNS packets.
    Enabled by default.  Events per second (default=1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
    Passes all packets of established TCP connections.
    Enabled by default.  Events per second (default=0)

140000500  System  DROP TCP unexpected
    Drops any unexpected TCP packets.
    Enabled by default.  Events per second (default=0)
    Comments: Drops any TCP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000600  System  DROP UDP unexpected
    Drops any unexpected UDP packets.
    Enabled by default.  Events per second (default=0)
    Comments: Drops any UDP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000700  System  DROP ICMP unexpected
    Drops any unexpected ICMP packets.
    Enabled by default.  Events per second (default=0)
    Comments: Drops any ICMP packet. If this rule is triggered, the packet is most likely not intended for services on this member.

140000800  System  DROP unexpected protocol
    Drops packets of any unexpected protocol.
    Enabled by default.  Events per second (default=0)
    Comments: Catch-all rule that drops anything that does not match any other rule in the system.
HA Support

The following table lists the auto rules that pass packets of the Virtual Router Redundancy Protocol (VRRP) and the Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules
(Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments)

140000750  Auto  PASS VRRP
    Passes VRRP packets for HA support.
    Enabled if HA is configured.  Parameters: NA

140000760  Auto  PASS IGMP
    Passes IGMP packets for HA support.
    Enabled if HA is configured.  Parameters: NA

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs in custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules that blacklist DNS queries by FQDN lookup on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in TCP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules that blacklist DNS queries by FQDN lookup on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in UDP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST IP TCP (Drop prior to rate limiting): Use this rule template to create rules that block IPv4 or IPv6 addresses on TCP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP (Drop prior to rate limiting): Use this rule template to create rules that block IPv4 or IPv6 addresses on UDP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that rate-limit DNS queries by FQDN lookup in UDP traffic. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets once the rate limit is exceeded.
  - Blacklist rate limited FQDN: Enter the FQDN to which the rate limit applies. The appliance drops lookups for this FQDN for the drop interval when the rate of UDP DNS lookups for the FQDN exceeds the configured rate limit.
• RATELIMITED IP TCP: Use this rule template to create custom rules that rate-limit, and temporarily blacklist, IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic is subject to the rate limit, create a rule using the BLACKLIST IP TCP (Drop prior to rate limiting) template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of TCP DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit applies. The appliance drops packets sent by this IP address for the drop interval when its rate of TCP DNS lookups exceeds the configured rate limit.
• RATELIMITED IP UDP: Use this rule template to create custom rules that rate-limit, and temporarily blacklist, IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic is subject to the rate limit, create a rule using the BLACKLIST IP UDP (Drop prior to rate limiting) template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit applies. The appliance drops packets sent by this IP address for the drop interval when its rate of UDP DNS lookups exceeds the configured rate limit.
• WHITELIST IP TCP (Pass prior to rate limiting): Use this rule template to create custom rules that allow certain IP addresses on TCP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP (Pass prior to rate limiting): Use this rule template to create custom rules that allow certain IP addresses on UDP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.
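The three parameters that recur in the OSPF and ICMP rate-limit rules above (Packets per second, Drop interval, Events per second) and the custom rule templates in this section combine in a way that is easy to misread: Events per second only caps logging, and the BLACKLIST/WHITELIST templates decide a source's fate before the limiter ever sees it. The block below is an added illustration written for this page, not Infoblox code; it models only what the rule tables and template descriptions state, using the RATELIMITED IP UDP defaults (Packets per second 5, Drop interval 30 seconds). The class and function names, the sample addresses and the packet timeline are constructed for the example, and checking the blacklist before the whitelist is an assumption, since the page only says that both act prior to rate limiting.

```python
"""Added illustration (not Infoblox code): per-source RATELIMIT PASS behavior
plus the custom BLACKLIST/WHITELIST templates that run prior to rate limiting.
Timeline and addresses are constructed; blacklist-before-whitelist is assumed."""
import ipaddress
from collections import defaultdict


def to_punycode(fqdn):
    """Custom rules do not accept IDNs: convert to Punycode (IDNA) first.
    ASCII names, including ones already in xn-- form, pass through unchanged."""
    return fqdn.encode("idna").decode("ascii").lower().rstrip(".")


class RateLimitRule:
    """RATELIMIT PASS semantics as described in the rule tables: pass while a
    source stays under packets_per_second in the current one-second window;
    the first packet over the limit blocks that source for drop_interval
    seconds.  events_per_second caps how many log events the rule emits per
    second and never changes the verdict."""

    def __init__(self, packets_per_second, drop_interval, events_per_second=1):
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.eps = events_per_second
        self.window = defaultdict(lambda: [None, 0])  # src -> [second, packets seen]
        self.blocked_until = {}                       # src -> time the block expires
        self.log_window = [None, 0]                   # [second, events logged]
        self.events = []                              # (time, src, verdict) that were logged

    def _log(self, now, src, verdict):
        sec = int(now)
        if self.log_window[0] != sec:
            self.log_window = [sec, 0]
        if self.log_window[1] < self.eps:   # events above the per-second cap are not logged
            self.log_window[1] += 1
            self.events.append((now, src, verdict))

    def check(self, src, now):
        until = self.blocked_until.get(src)
        if until is not None and now < until:   # still inside the drop interval
            self._log(now, src, "DROP")
            return "DROP"
        sec = int(now)
        win = self.window[src]
        if win[0] != sec:                       # new one-second window for this source
            win[0], win[1] = sec, 0
        win[1] += 1
        if win[1] > self.pps:                   # exceeded Packets per second: block the source
            self.blocked_until[src] = now + self.drop_interval
            self._log(now, src, "DROP")
            return "DROP"
        return "PASS"


class CustomRules:
    """Templates evaluated before the limiter: BLACKLIST IP (drop prior to rate
    limiting), WHITELIST IP (pass prior to rate limiting), BLACKLIST FQDN lookup."""

    def __init__(self, whitelist, blacklist_ips, blacklist_fqdns, limiter):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]      # address/CIDR
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist_ips]
        self.blacklist_fqdns = {to_punycode(f) for f in blacklist_fqdns}
        self.limiter = limiter

    @staticmethod
    def _matches(addr, nets):
        return any(addr in n for n in nets)

    def evaluate(self, src, qname, now):
        addr = ipaddress.ip_address(src)
        if self._matches(addr, self.blacklist):          # assumed to be checked first
            return "DROP"
        if self._matches(addr, self.whitelist):          # never reaches the limiter
            return "PASS"
        if to_punycode(qname) in self.blacklist_fqdns:   # blocked name
            return "DROP"
        return self.limiter.check(src, now)              # RATELIMITED IP UDP


def run_demo():
    """Constructed UDP DNS timeline of (time in seconds, source IP, queried name)."""
    limiter = RateLimitRule(packets_per_second=5, drop_interval=30, events_per_second=1)
    rules = CustomRules(whitelist=["198.51.100.0/24"],
                        blacklist_ips=["203.0.113.66"],
                        blacklist_fqdns=["bücher.example"],   # IDN, stored as xn--bcher-kva.example
                        limiter=limiter)
    timeline = [(i / 20, "192.0.2.10", "www.example.com") for i in range(8)]      # 8 packets in one second
    timeline += [(i / 100, "198.51.100.7", "www.example.com") for i in range(20)]  # whitelisted burst
    timeline += [(0.5, "203.0.113.66", "www.example.com"),          # blacklisted source
                 (0.6, "192.0.2.77", "xn--bcher-kva.example"),       # blacklisted FQDN
                 (10.0, "192.0.2.10", "www.example.com"),            # still inside the drop interval
                 (31.0, "192.0.2.10", "www.example.com")]            # drop interval has expired
    timeline.sort()
    verdicts = defaultdict(list)
    for t, src, qname in timeline:
        verdicts[src].append(rules.evaluate(src, qname, t))
    return dict(verdicts), limiter.events


if __name__ == "__main__":
    verdicts, events = run_demo()
    for src, v in verdicts.items():
        print(src, " ".join(v))
    print("logged events:", events)
```

Running it shows the two points the tables leave implicit: 192.0.2.10 gets five PASS verdicts, then is dropped for the rest of the 30-second interval and passes again only at 31 s, yet with Events per second left at its default of 1 the three drops in the first second produce a single log event; and the whitelisted 198.51.100.7 sends twenty packets in one second without ever being counted by the limiter, which is why a whitelist entry for a busy resolver is the right tool when the RATELIMITED defaults are too tight for it.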
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 3030
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2330
ICMP
NIOS 612 NIOS Administrator Guide (Rev A) 1519
ICMP
ICMP attacks use network devices such as routers to send error messages when a requested service is not availableor the remote server cannot be reached Examples of ICMP attacks include ping floods ping-of-death attacks andsmurf attacks
The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance
Table H16 ICMP Rules
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
130400200 Auto DROP ICMP largepackets
This rule drops large ICMPpackets (bigger than800)
Always enabled Events per second (default=1)
130900100 Auto RATE LIMIT PASS ICMPPing
This rule passes ICMP pingpackets if the packet rate is lessthan the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130900200 Auto RATE LIMIT PASS ICMPv6Ping
This rule passes ICMPv6 pingpackets if the packet rate is lessthan the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130900700 Auto RATELIMIT PASS ICMPv6destinationunreachable
This rule passes ICMPv6Destination Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=100)
130900800 Auto RATELIMIT PASS ICMPv6packet too big
This rule passes ICMPv6 PacketToo Big messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=100)
130900900 Auto RATELIMIT PASS ICMPv6ping responses
This rule passes ICMPv6 pingresponses if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130901000 Auto RATELIMIT PASS ICMPv6parameter problemerroneous header
This rule passes ICMPv6Erroneous Header messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2430
1520 NIOS Administrator Guide (Rev A) NIOS 612
130901100  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
    Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
    Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
    Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
    Description: This rule passes ICMPv6 router advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
    Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
    Description: This rule passes ICMPv6 neighbor advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
    Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
    Description: This rule passes ICMPv6 inverse neighbor advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)
130901900  Auto  RATELIMIT PASS ICMPv6 listener query
    Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
    Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
    Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
    Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902300  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
    Description: This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902400  Auto  RATELIMIT PASS ICMPv6 multicast router solicitation
    Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902500  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
    Description: This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
    Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)
130902700  Auto  RATELIMIT PASS ICMP router advertisement
    Description: This rule passes ICMP router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
    Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
    Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
    Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
    Description: This rule passes ICMPv6 Hop Limit Exceeded messages and ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
    Description: This rule passes ICMPv6 fragment reassembly time exceeded messages and ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
    Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903400  Auto  RATELIMIT PASS ICMP port unreachable
    Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50)
130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
    Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop
The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All of these rules are enabled by default. They sit at the end of the rule order, so a packet reaches them only if no earlier rule has already passed or dropped it.
Table H17 Default Pass/Drop Rules
100000050  System  EARLY PASS TCP with flowbits set
    Description: This rule passes TCP traffic that has the flowbits option set and marked OK.
    Enable Condition: Enabled by default
    Parameters: N/A

140000100  System  DROP UDP DNS unexpected
    Description: This rule drops any unexpected UDP DNS packets.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
    Description: This rule drops any unexpected TCP DNS packets.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
    Description: This rule passes all packets that belong to established TCP connections.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=0)

140000500  System  DROP TCP unexpected
    Description: This rule drops any unexpected TCP packets.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This rule drops any TCP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000600  System  DROP UDP unexpected
    Description: This rule drops any unexpected UDP packets.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This rule drops any UDP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000700  System  DROP ICMP unexpected
    Description: This rule drops any unexpected ICMP packets.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This rule drops any ICMP packet. If this rule is triggered, the packet is most likely not intended for services on this member.

140000800  System  DROP unexpected protocol
    Description: This rule drops any packets of an unexpected protocol.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This is the catch-all rule that drops anything that does not match any other rule in the system.
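The mechanism that every RATELIMIT PASS row in the ICMP table above shares (pass while a source stays under Packets per second, block all of that source's matching traffic for Drop interval seconds, log at most Events per second), followed by the catch-all drop of Table H17, modelled in Python. This is an added example and not Infoblox code: the one-second sliding window, the packet dictionary layout and the sample traffic are assumptions made for the demonstration, and the rule IDs are used only as labels.

```python
"""Model of the RATELIMIT PASS rule family followed by the catch-all DROP rule.

Added example, not Infoblox code. It follows the rule tables: a source passes
while its rate stays under Packets per second, exceeding it blocks all of that
source's matching traffic for Drop interval seconds, and each rule logs at most
Events per second. The one-second sliding window, the packet dict layout and
the sample traffic are assumptions made for this demo.
"""
from collections import defaultdict, deque

PASS, DROP = "PASS", "DROP"


class Rule:
    """Plain instance = catch-all DROP (like 140000800, Events per second=0);
    subclasses narrow match() and override decide()."""

    def __init__(self, rule_id, name, events_per_second=0):
        self.rule_id, self.name = rule_id, name
        self.events_per_second = events_per_second
        self._log_times = deque()   # times of events logged in the last second
        self.events = []            # (time, rule_id, src) actually logged

    def log(self, t, src):
        """Log unless Events per second entries already fall in the window."""
        while self._log_times and self._log_times[0] <= t - 1.0:
            self._log_times.popleft()
        if len(self._log_times) < self.events_per_second:
            self._log_times.append(t)
            self.events.append((t, self.rule_id, src))

    def match(self, pkt):
        return True

    def decide(self, pkt):
        self.log(pkt["t"], pkt["src"])   # suppressed when Events per second=0
        return DROP


class RateLimitPass(Rule):
    """RATELIMIT PASS <message type> with the parameters of the rule table."""

    def __init__(self, rule_id, name, msg_type, packets_per_second=50,
                 drop_interval=10.0, events_per_second=1):
        super().__init__(rule_id, name, events_per_second)
        self.msg_type, self.pps = msg_type, packets_per_second
        self.drop_interval = drop_interval
        self._recent = defaultdict(deque)   # src -> timestamps in last second
        self._blocked_until = {}            # src -> time its block expires

    def match(self, pkt):
        return pkt["type"] == self.msg_type

    def decide(self, pkt):
        t, src = pkt["t"], pkt["src"]
        if self._blocked_until.get(src, -1.0) > t:   # still inside Drop interval
            self.log(t, src)
            return DROP
        self._blocked_until.pop(src, None)
        window = self._recent[src]
        while window and window[0] <= t - 1.0:
            window.popleft()
        if len(window) >= self.pps:        # this packet pushes the source over
            self._blocked_until[src] = t + self.drop_interval
            window.clear()
            self.log(t, src)
            return DROP
        window.append(t)
        return PASS


def evaluate(rules, pkt):
    """Rules are ordered; the first one that matches decides the packet."""
    for rule in rules:
        if rule.match(pkt):
            return rule.decide(pkt)
    raise AssertionError("rule set must end with a catch-all rule")


def run_scenario():
    """Constructed traffic: 2001:db8::1 floods router solicitations, ::2 sends
    one, and a GRE packet from ::3 falls through to the catch-all."""
    RS = "icmpv6/router-solicitation"
    rs = RateLimitPass("130901300", "RATELIMIT PASS ICMPv6 router solicitation",
                       RS, packets_per_second=50, drop_interval=30.0,
                       events_per_second=1)
    rules = [rs, Rule("140000800", "DROP unexpected protocol")]
    flood = [{"t": i * 0.01, "src": "2001:db8::1", "type": RS} for i in range(60)]
    verdicts = [evaluate(rules, p) for p in flood]
    return {
        "passed": verdicts.count(PASS), "dropped": verdicts.count(DROP),
        "blocked_at_5s": evaluate(rules, {"t": 5.0, "src": "2001:db8::1", "type": RS}),
        "other_source": evaluate(rules, {"t": 5.1, "src": "2001:db8::2", "type": RS}),
        "after_interval": evaluate(rules, {"t": 31.0, "src": "2001:db8::1", "type": RS}),
        "unexpected": evaluate(rules, {"t": 31.1, "src": "2001:db8::3", "type": "gre"}),
        "logged": len(rs.events), "catch_all_logged": len(rules[1].events),
    }
```

In the scenario the first 50 solicitations from 2001:db8::1 pass, the 51st trips the block, the remaining nine and a later packet at 5 s are dropped, and the source is admitted again once the 30 s Drop interval has elapsed; the second source is unaffected because state is kept per source IP. Only two events are logged for the ten-plus drops, which is the Events per second throttle at work: when tuning, remember that a low Events per second hides the volume of an attack from the log while leaving the enforcement itself unchanged.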
HA Support
The following table lists the auto rules that pass Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) packets, which HA (High Availability) pairs depend on.
Table H18 HA Support Rules

140000750  Auto  PASS VRRP
    Description: This rule passes VRRP packets for HA support.
    Enable Condition: Enabled if HA is configured
    Parameters: N/A

140000760  Auto  PASS IGMP
    Description: This rule passes IGMP packets for HA support.
    Enable Condition: Enabled if HA is configured
    Parameters: N/A

Custom Rule Templates
Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and how to create them, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.
For each rule you create, you can define the Events per second value to set the number of events per second that will be logged for the rule. You can also define rule-specific parameters for custom rules as follows.
Note: Custom rules do not support IDNs (Internationalized Domain Names). To use an IDN in a custom rule, you must first convert it to Punycode. You can use the IDN Converter from the Toolbar for the conversion.
• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules that blacklist DNS queries by FQDN lookups over TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in TCP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules that blacklist DNS queries by FQDN lookups over UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in UDP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on TCP before the appliance applies the rate limiting rules you have defined with the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on UDP before the appliance applies the rate limiting rules you have defined with the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that rate limit DNS queries by FQDN lookups over UDP. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets once the rate limit is exceeded.
  - Blacklist rate limited FQDN: Enter the FQDN to which the rate limit configured for this rule applies. The appliance drops lookups for this FQDN when the rate of UDP DNS lookups for it exceeds the configured rate limit.
• RATELIMITED IP TCP: Use this rule template to create custom rules that rate limit TCP traffic from specific IP addresses and blacklist them while the limit is exceeded. If there are IP addresses that you want to block before their traffic reaches the rate limit, create a rule from the BLACKLIST IP TCP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of TCP DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets sent by the rate-limited IP address or network defined in this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. The appliance drops packets from this address or network for the drop interval when the rate of TCP DNS lookups from it exceeds the configured rate limit.
• RATELIMITED IP UDP: Use this rule template to create custom rules that rate limit UDP traffic from specific IP addresses and blacklist them while the limit is exceeded. If there are IP addresses that you want to block before their traffic reaches the rate limit, create a rule from the BLACKLIST IP UDP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets sent by the rate-limited IP address or network defined in this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. The appliance drops packets from this address or network for the drop interval when the rate of UDP DNS lookups from it exceeds the configured rate limit.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on TCP before the appliance applies the rate limiting rules you have defined with the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on UDP before the appliance applies the rate limiting rules you have defined with the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network from which packets are allowed before any relevant rate limiting rules take effect.
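How the BLACKLIST FQDN lookup templates and the IDN note above combine in practice, as an added Python example that is not Infoblox code: it builds the blacklist from the semicolon-separated Blacklisted FQDN parameter with IDN entries converted to Punycode, parses the question name out of a DNS query in wire format and returns DROP on a match. Exact whole-name matching and the MALFORMED fall-through to the DROP DNS unexpected rules are assumptions about the template's behaviour, and the sample queries are constructed for the demonstration.

```python
"""Model of the BLACKLIST FQDN lookup templates (TCP and UDP share the logic).

Added example, not Infoblox code. It builds the blacklist from the
semicolon-separated Blacklisted FQDN parameter, converting IDN entries to
Punycode first because custom rules do not support IDNs, parses the question
name out of a DNS query in wire format and returns DROP on a match. Exact
whole-name matching and the MALFORMED fall-through are assumptions about the
template's behaviour; the sample queries are constructed here.
"""
import struct


def idn_to_punycode(fqdn):
    """Return the A-label (Punycode) form of an FQDN, lower-cased and without
    the trailing dot; this is the form a custom rule must be configured with."""
    return fqdn.rstrip(".").encode("idna").decode("ascii").lower()


def parse_blacklist(param):
    """Blacklisted FQDN parameter: one FQDN or several separated by ';'."""
    return {idn_to_punycode(x.strip()) for x in param.split(";") if x.strip()}


def parse_qname(dns_message):
    """QNAME of the first question of a DNS message (wire format), or None if
    the message is malformed. Compression pointers are rejected: the question
    name of a query is never compressed, so one here is an anomaly."""
    if len(dns_message) < 12:
        return None
    qdcount = struct.unpack("!H", dns_message[4:6])[0]
    if qdcount == 0:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(dns_message):
            return None
        length = dns_message[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                    # pointer or reserved label type
            return None
        label = dns_message[pos:pos + length]
        if len(label) != length:
            return None
        labels.append(label.decode("ascii", "replace").lower())
        pos += length
    return ".".join(labels)


def build_query(fqdn, txid=0x1234):
    """Constructed sample input: a minimal recursive A query for fqdn."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in idn_to_punycode(fqdn).split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # A, IN


def verdict(blacklist, dns_message):
    """DROP when the query name is blacklisted; CONTINUE lets later rules run;
    MALFORMED means the packet belongs to the DROP DNS unexpected rules."""
    qname = parse_qname(dns_message)
    if qname is None:
        return "MALFORMED"
    return "DROP" if qname in blacklist else "CONTINUE"
```

The conversion step is the part that bites in practice: a blacklist entry typed as "bücher.example" never matches on the wire, because the client sends the A-label "xn--bcher-kva.example", which is why the note requires Punycode. Case is folded on both sides, since DNS names are compared case-insensitively, and a query whose name contains a compression pointer is treated as malformed rather than matched.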
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 3030
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2430
1520 NIOS Administrator Guide (Rev A) NIOS 612
130901100 Auto RATELIMIT PASS ICMPv6parameter problemunrecognized nextheader
This rule passes ICMPv6Unrecognized Next Headermessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such traffic
from this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901200 Auto RATELIMIT PASS ICMPv6parameter problemunrecognized IPv6option
This rule passes ICMPv6Unrecognized IPv6 Optionmessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901300 Auto RATELIMIT PASS ICMPv6router solicitation
This rule passes ICMPv6 routersolicitation packets if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all such
traffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901400 Auto RATELIMIT PASS ICMPv6router advertisement
This rule passes ICMPv6 routeradvertisement if the packet rateis less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901500 Auto RATELIMIT PASS ICMPv6neighbor solicitation
This rule passes ICMPv6neighbor solicitation packets ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP for
a time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901600 Auto RATELIMIT PASS ICMPv6neighbor advertisement
This rule passes ICMPv6neighbor advertisement if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901700 Auto RATELIMIT PASS ICMPv6inverse neighborsolicitation
This rule passes ICMPv6 inverseneighbor solicitation messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130901800 Auto RATELIMIT PASS ICMPv6inverse neighboradvertisement
This rule passes ICMPv6 inverseneighbor advertisement if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2530
ICMP
NIOS 612 NIOS Administrator Guide (Rev A) 1521
130901900 Auto RATELIMIT PASS ICMPv6listener query
This rule passes ICMPv6 listenerquery messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a
time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902000 Auto RATELIMIT PASS ICMPv6listener report
This rule passes ICMPv6 listenerreport messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902100 Auto RATELIMIT PASS ICMPv6listener done
This rule passes ICMPv6 listenerdone messages if the packet rateis less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval )
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902200 Auto RATELIMIT PASS ICMPv6listener report v2
This rule passes ICMPv6 listenerreport v2 messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902300 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement
This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902400 Auto RATELIMIT PASS ICMPV6multicast routersolicitation
This rule passes ICMPv6multicast router solicitationmessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902500 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement
This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902600 Auto RATELIMIT PASS ICMPping responses This rule passes ICMP pingresponses if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2630
1522 NIOS Administrator Guide (Rev A) NIOS 612
130902700 Auto RATELIMIT PASS ICMProuter advertisement
This rule passes ICMP routeradvertisement if the packet rateis less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a
time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130902800 Auto RATELIMIT PASS ICMProuter solicitation
This rule passes ICMP routersolicitation messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130902900 Auto RATELIMIT PASS ICMPtime exceeded
This rule passes ICMP timeexceeded messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903000 Auto RATELIMIT PASS ICMPparameter problem
This rule passes ICMP parameterproblems if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903100 Auto RATELIMIT PASS ICMPv6hop limit exceeded orICMPv4 networkunreachable
This rule passes ICMPv6 HopLimit Exceeded messages orICMPv4 Network Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a time
specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130903200 Auto RATELIMIT PASS ICMPv6fragment reassemblytime exceeded orICMPv4 hostunreachable
This rule passes ICMPv6fragment reassembly timeexceeded messages or ICMPv4host unreachable messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903300 Auto RATELIMIT PASS ICMPprotocol unreachable
This rule passes ICMP protocolunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks all
such traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903400 Auto RATELIMIT ICMP portunreachable
Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Enable/Disable Condition: Always enabled
Parameters: Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50)

130903500 Auto RATELIMIT PASS ICMP fragmentation needed
Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Enable/Disable Condition: Always enabled
Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop
The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.
Table H17 Default Pass/Drop Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments

100000050 System EARLY PASS TCP with flowbits set
Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
Enable Condition: Enabled by default
Parameters: N/A

140000100 System DROP UDP DNS unexpected
Description: This rule drops any unexpected UDP DNS packets.
Enable Condition: Enabled by default
Parameters: Events per second (default=1)
Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200 System DROP TCP DNS unexpected
Description: This rule drops any unexpected TCP DNS packets.
Enable Condition: Enabled by default
Parameters: Events per second (default=1)
Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400 System PASS TCP established packets
Description: This rule passes all TCP established packets.
Enable Condition: Enabled by default
Parameters: Events per second (default=0)

140000500 System DROP TCP unexpected
Description: This rule drops any unexpected TCP packets.
Enable Condition: Enabled by default
Parameters: Events per second (default=0)
Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600 System DROP UDP unexpected
Description: This rule drops any unexpected UDP packets.
Enable Condition: Enabled by default
Parameters: Events per second (default=0)
Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700 System DROP ICMP unexpected
Description: This rule drops any unexpected ICMP packets.
Enable Condition: Enabled by default
Parameters: Events per second (default=0)
Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800 System DROP unexpected protocol
Description: This rule drops any unexpected protocol packets.
Enable Condition: Enabled by default
Parameters: Events per second (default=0)
Comments: This is a catch-all rule that drops anything that does not match any other rules in the system.
HA Support
The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.
Table H18 HA Support Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments

140000750 Auto PASS VRRP
Description: This rule passes packets that go through VRRP for HA support.
Enable Condition: Enabled if HA is configured
Parameters: N/A

140000760 Auto PASS IGMP
Description: This rule passes packets that go through IGMP for HA support.
Enable Condition: Enabled if HA is configured
Parameters: N/A

Custom Rule Templates
Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.
For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules as follows:
Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.
• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
— Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
— Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST IP TCP: Drop prior to rate limiting. Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
— Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP: Drop prior to rate limiting. Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
— Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
— Drop interval: Enter the number of seconds for which the appliance drops packets.
— Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets for this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP: Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
— Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the TCP traffic of DNS lookups from this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP: Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
— Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the UDP traffic of DNS lookups from this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP: Pass prior to rate limiting. Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
— Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP: Pass prior to rate limiting. Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
— Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
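As an added illustration that is not Infoblox code and not part of this guide, the following Python models how the custom IP templates above combine on one appliance: WHITELIST IP passes before rate limiting, BLACKLIST IP drops before rate limiting, then RATELIMITED IP applies the per-source Packets per second limit and Drop interval (the same per-source mechanism the RATELIMIT PASS ICMP rows in the ICMP table describe), with the per-rule Events per second cap on logging. The class and method names and the sample traffic are assumptions constructed for the example.

```python
"""Model of the pass/drop order described for the ADP custom rule templates.
Added illustration only: names and sample traffic are constructed, not Infoblox's."""

import ipaddress
from collections import defaultdict, deque


class RateLimitedIpRule:
    """RATELIMITED IP: if a source inside the configured network sends more than
    packets_per_second packets within one second, every further packet from that
    source is dropped for drop_interval seconds (the guide's defaults are 5 and 30)."""

    def __init__(self, networks, packets_per_second=5, drop_interval=30):
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self._window = defaultdict(deque)  # src -> packet times in the last second
        self._blocked_until = {}           # src -> time at which the block expires

    def matches(self, src):
        src = ipaddress.ip_address(src)
        return any(src in net for net in self.networks)

    def decide(self, src, now):
        """Return 'pass' or 'drop' for one packet from src seen at time now (seconds)."""
        src = ipaddress.ip_address(src)
        until = self._blocked_until.get(src)
        if until is not None:
            if now < until:
                return "drop"              # still inside the drop interval
            del self._blocked_until[src]   # interval elapsed; start counting again
        window = self._window[src]
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()               # keep only the last second of packets
        if len(window) > self.pps:         # rate exceeded: block this source
            self._blocked_until[src] = now + self.drop_interval
            window.clear()
            return "drop"
        return "pass"


class CustomRulePolicy:
    """Evaluates the templates in the order their names state: whitelist pass prior
    to rate limiting, blacklist drop prior to rate limiting, then the rate limit."""

    def __init__(self, whitelist, blacklist, ratelimit, events_per_second=1):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        self.ratelimit = ratelimit
        self.events_per_second = events_per_second
        self._logged = defaultdict(int)  # (rule, whole second) -> events logged
        self.events = []                 # (rule, source, time) entries actually logged

    def _log(self, rule, src, now):
        # Events per second caps how many hits of one rule are logged per second.
        key = (rule, int(now))
        if self._logged[key] < self.events_per_second:
            self._logged[key] += 1
            self.events.append((rule, str(src), now))

    def decide(self, src_ip, now):
        src = ipaddress.ip_address(src_ip)
        if any(src in net for net in self.whitelist):
            return "pass"                  # WHITELIST IP: pass prior to rate limiting
        if any(src in net for net in self.blacklist):
            self._log("BLACKLIST IP", src, now)
            return "drop"                  # BLACKLIST IP: drop prior to rate limiting
        if self.ratelimit.matches(src):
            verdict = self.ratelimit.decide(src, now)
            if verdict == "drop":
                self._log("RATELIMITED IP", src, now)
            return verdict
        return "pass"                      # no custom rule matched; other rules apply


def run_sample():
    """Constructed traffic: a whitelisted host bursting, a blacklisted host, and a
    rate-limited host sending 8 packets in 0.7 s plus one more after the interval."""
    policy = CustomRulePolicy(
        whitelist=["10.0.0.0/8"],
        blacklist=["203.0.113.0/24"],
        ratelimit=RateLimitedIpRule(["198.51.100.0/24"], packets_per_second=5,
                                    drop_interval=30),
        events_per_second=1,
    )
    traffic = [("10.0.0.5", i / 100) for i in range(20)]        # 20 pkts, whitelisted
    traffic += [("203.0.113.9", t) for t in (0.0, 0.5, 1.2)]     # blacklisted source
    traffic += [("198.51.100.7", i / 10) for i in range(8)]      # 8 pkts in 0.7 s
    traffic += [("198.51.100.7", 31.0)]                          # after the 30 s block
    counts = {"pass": 0, "drop": 0}
    for src, t in traffic:
        counts[policy.decide(src, t)] += 1
    return {"pass": counts["pass"], "drop": counts["drop"], "events": policy.events}


if __name__ == "__main__":
    print(run_sample())
```

Of the rate-limited host's first eight packets, the first five pass and the sixth trips the limit, so that packet and the two behind it are dropped while only one RATELIMITED IP event is logged for that second; the packet at 31 s passes again because the 30 s drop interval has elapsed.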
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2530
ICMP
NIOS 612 NIOS Administrator Guide (Rev A) 1521
130901900 Auto RATELIMIT PASS ICMPv6listener query
This rule passes ICMPv6 listenerquery messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a
time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902000 Auto RATELIMIT PASS ICMPv6listener report
This rule passes ICMPv6 listenerreport messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902100 Auto RATELIMIT PASS ICMPv6listener done
This rule passes ICMPv6 listenerdone messages if the packet rateis less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval )
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902200 Auto RATELIMIT PASS ICMPv6listener report v2
This rule passes ICMPv6 listenerreport v2 messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902300 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement
This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902400 Auto RATELIMIT PASS ICMPV6multicast routersolicitation
This rule passes ICMPv6multicast router solicitationmessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902500 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement
This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130902600 Auto RATELIMIT PASS ICMPping responses This rule passes ICMP pingresponses if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2630
1522 NIOS Administrator Guide (Rev A) NIOS 612
130902700 Auto RATELIMIT PASS ICMProuter advertisement
This rule passes ICMP routeradvertisement if the packet rateis less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a
time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130902800 Auto RATELIMIT PASS ICMProuter solicitation
This rule passes ICMP routersolicitation messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130902900 Auto RATELIMIT PASS ICMPtime exceeded
This rule passes ICMP timeexceeded messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903000 Auto RATELIMIT PASS ICMPparameter problem
This rule passes ICMP parameterproblems if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903100 Auto RATELIMIT PASS ICMPv6hop limit exceeded orICMPv4 networkunreachable
This rule passes ICMPv6 HopLimit Exceeded messages orICMPv4 Network Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a time
specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130903200 Auto RATELIMIT PASS ICMPv6fragment reassemblytime exceeded orICMPv4 hostunreachable
This rule passes ICMPv6fragment reassembly timeexceeded messages or ICMPv4host unreachable messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903300 Auto RATELIMIT PASS ICMPprotocol unreachable
This rule passes ICMP protocolunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks all
such traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903400 Auto RATELIMIT ICMP portunreachable
This rule passes ICMP portunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora certain period of time(specified in Drop interval )
Always enabled Events per second (default=10)
Drop Interval (default=10 sec)
Packets per second (default=50)
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2730
Default PassDrop
NIOS 612 NIOS Administrator Guide (Rev A) 1523
Default Pass Drop
The following table lists the system rules that are used to pass or drop packets on your advanced appliance All rulesare disabled by default
Table H17 Default PassDrop Rules
130903500 Auto RATELIMIT PASS ICMPfragmentation needed
This rule passes ICMPfragmentation needed messagesif the packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP for
a certain period of time(specified in Drop interval )
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
Rule ID
Rule
Type Rule Name Description
Enable
Condition Parameters Comments
100000050 System EARLY PASS TCPwith flowbits set
This rule passes TCP trafficthat has the flowbitsoptions set and marked OK
Enabled bydefault
NA
140000100 System DROP UDP DNSunexpected
This rule drops anyunexpected UDP DNSpackets
Enabled bydefault
Events per second (default=1)
Default drop rule for the DNSservice port If this rule istriggered most likely thispacket is an invalid DNS UDPpacket
140000200 System DROP TCP DNSunexpected
This rule drops anyunexpected TCP DNSpackets
Enabled bydefault
Events per second (default=1)
Default drop rule for the DNSservice port If this rule istriggered most likely thispacket is an invalid DNS TCPpacket
140000400 System PASS TCPestablished packets
This passes all TCPestablished packets
Enabled bydefault
Events per second (default=0)
140000500 System DROP TCPunexpected
This rule drops anyunexpected TCP packets
Enabled bydefault
Events per second (default=0)
This rule drops any TCP packeton any port If this rule istriggered most likely thispacket is not intended forservices on this member
140000600 System DROP UDPunexpected
This rule drops anyunexpected UDP packets
Enabled bydefault
Events per second (default=0)
This rule drops any UDP packeton any port If this rule istriggered most likely thispacket is not intended forservices on this member
140000700 System DROP ICMPunexpected
This rule drops anyunexpected ICMP packets
Enabled bydefault
Events per second (default=0)
This rule drops any ICMPpacket If this rule is triggeredmost likely this packet is notintended for services on thismember
140000800 System DROP unexpectedprotocol
This rule drops anyunexpected protocolpackets
Enabled bydefault
Events per second (default=0)
This is a catch all rule thatdrops anything that does notmatch any other rules in thesystem
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2830
1524 NIOS Administrator Guide (Rev A) NIOS 612
HA Support
The following table lists auto rules that are used to pass packets that go through the Virtual Router RedundancyProtocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support
Table H18 HA Support Rules
Custom Rule Templates
Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules Notethat when you use a specific rule template to create custom rules the new rules reside in their respective rulecategories For information about custom rules and creating custom rules see Custom Rules on page 1341 andCreating Custom Rules on page 1343
For each rule you create you can define the Events per second value to determine the number of events per secondthat will be logged for the rule You can also define specific rule parameters for custom rules as follows
Note Custom rules do not support IDNs (Internationalized Domain Names) To use IDNs for custom rules you mustfirst convert the IDNs into puny codes You can use the IDN Converter from the Toolbar for the conversion
bull BLACKLIST FQDN lookup TCP Use this rule template to create custom rules for blacklisting DNS queries by FQDNlookups on TCP In the Rule Parameters table complete the following
mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over TCP traffic You can also enter alist of FQDNs using semicolon as the separator
bull BLACKLIST FQDN lookup UDP Use this rule template to create custom rules for blacklisting DNS queries byFQDN lookups on UDP In the Rule Parameters table complete the following
mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over UDP traffic You can also enter alist of FQDNs using semicolon as the separator
bull BLACKLIST IP TCP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP TCP template In the Rule Parameters table complete the following
mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all TCP traffic from the specified Ipv4 and IPv6
addresses and networks will be blocked Enter network addresses in addressCIDR formatbull BLACKLIST IP UDP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6
addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP UDP template In the Rule Parameters table complete the following
mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all UDP traffic from the specified Ipv4 and IPv6addresses and networks will be blocked Enter network addresses in addressCIDR format
bull RATELIMITED FQDN lookup UDP Use this rule template to create custom rules that contains rate limitingrestrictions for blocking DNS queries by FQDN lookups on UDP traffic In the Rule Parameters table completethe following
Rule ID
Rule
Type
Rule Name Description Enable Condition Parameters Comments
140000750 Auto PASS VRRP This rule passes packets thatgo through VRRP for HAsupport
Enabled if HA isconfigured
NA
140000760 Auto PASS IGMP This rule passes packets thatgo through IGMP for HAsupport
Enabled if HA isconfigured
NA
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2930
Custom Rule Templates
NIOS 612 NIOS Administrator Guide (Rev A) 1525
mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this ruleThe default is 5
mdash Drop interval Enter the number of seconds for which the appliance drops packets
mdash Blacklist rate limited FQDN Enter the FQDN that is affected by the rate limit value configured for this ruleThe appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDNexceeds the configured rate limit value
bull RATELIMITED IP TCP Use this rule template to create custom rules that contains rate limiting restrictions forblacklisting IP addresses on TCP If there are certain IP addresses that you want to block before its traffic reachesthe rate limit restrictions you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting templateIn the Rule Parameters table complete the following
mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of TCP traffic that consists of DNS lookups for the IP address or networkdefined in this rule The default is 5
mdash Drop interval Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IPaddress or network defined for this rule The default is 30 seconds
mdash Rate limited IP addressnetwork Enter the IP address or network that is affected by the rate limit valueconfigured for this rule The appliance drops the packets sent by this IP address based on the drop intervalwhen the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value
bull RATELIMITED IP UDP Use this rule template to create custom rules that contains rate limiting restrictions forblacklisting IP addresses on UDP If there are certain IP addresses that you want to block before its trafficreaches the rate limit restrictions you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template In the Rule Parameters table complete the following
mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of UDP traffic that consists of DNS lookups for the IP address or networkdefined in this rule The default is 5
mdash Drop interval Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IPaddress or network defined for this rule The default is 30 seconds
mdash Rate limited IP addressnetwork Enter the IP address or network that is affected by the rate limit valueconfigured for this rule The appliance drops the packets sent by this IP address based on the drop interval
when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit valuebull WHITELIST IP TCP Pass prior to rate limiting Use this rule template to create custom rules for allowing certain IP
addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP TCP template In the Rule Parameters table complete the following
mdash Whitelisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are allowed beforeany relevant rate limiting rules take effect
bull WHITELIST IP UDP Pass prior to rate limiting Use this rule template to create custom rules for allowing certain IPaddresses on UDP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP UDP template In the Rule Parameters table complete the following
mdash Whitelisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are allowed beforeany relevant rate limiting rules take effect
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 3030
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2630
1522 NIOS Administrator Guide (Rev A) NIOS 612
130902700 Auto RATELIMIT PASS ICMProuter advertisement
This rule passes ICMP routeradvertisement if the packet rateis less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a
time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130902800 Auto RATELIMIT PASS ICMProuter solicitation
This rule passes ICMP routersolicitation messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130902900 Auto RATELIMIT PASS ICMPtime exceeded
This rule passes ICMP timeexceeded messages if the packetrate is less than the Packets per
second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903000 Auto RATELIMIT PASS ICMPparameter problem
This rule passes ICMP parameterproblems if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903100 Auto RATELIMIT PASS ICMPv6hop limit exceeded orICMPv4 networkunreachable
This rule passes ICMPv6 HopLimit Exceeded messages orICMPv4 Network Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a time
specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=30 sec)
Packets per second (default=50)
130903200 Auto RATELIMIT PASS ICMPv6fragment reassemblytime exceeded orICMPv4 hostunreachable
This rule passes ICMPv6fragment reassembly timeexceeded messages or ICMPv4host unreachable messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903300 Auto RATELIMIT PASS ICMPprotocol unreachable
This rule passes ICMP protocolunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks all
such traffic from this source IP fora time specified in Drop interval
Always enabled Events per second (default=1)
Drop Interval (default=10 sec)
Packets per second (default=50)
130903400 Auto RATELIMIT ICMP portunreachable
This rule passes ICMP portunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora certain period of time(specified in Drop interval )
Always enabled Events per second (default=10)
Drop Interval (default=10 sec)
Packets per second (default=50)
Rule ID Type Rule Name Description
EnableDisable
Condition
Parameters Comments
8212019 Threat Protection Rules 612
httpslidepdfcomreaderfullthreat-protection-rules-612 2730
Default PassDrop
(The following row completes the ICMP rules table that begins on the previous page.)

Rule ID: 130903500
Rule Type: Auto
Rule Name: RATELIMIT PASS ICMP fragmentation needed
Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Enable Condition: Always enabled
Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop
The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.
Table H17 Default Pass/Drop Rules

Rule ID: 100000050
Type: System
Rule Name: EARLY PASS TCP with flowbits set
Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
Enable/Disable Condition: Enabled by default
Parameters: N/A

Rule ID: 140000100
Type: System
Rule Name: DROP UDP DNS unexpected
Description: This rule drops any unexpected UDP DNS packets.
Enable/Disable Condition: Enabled by default
Parameters: Events per second (default=1)
Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

Rule ID: 140000200
Type: System
Rule Name: DROP TCP DNS unexpected
Description: This rule drops any unexpected TCP DNS packets.
Enable/Disable Condition: Enabled by default
Parameters: Events per second (default=1)
Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

Rule ID: 140000400
Type: System
Rule Name: PASS TCP established packets
Description: This rule passes all TCP established packets.
Enable/Disable Condition: Enabled by default
Parameters: Events per second (default=0)

Rule ID: 140000500
Type: System
Rule Name: DROP TCP unexpected
Description: This rule drops any unexpected TCP packets.
Enable/Disable Condition: Enabled by default
Parameters: Events per second (default=0)
Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

Rule ID: 140000600
Type: System
Rule Name: DROP UDP unexpected
Description: This rule drops any unexpected UDP packets.
Enable/Disable Condition: Enabled by default
Parameters: Events per second (default=0)
Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

Rule ID: 140000700
Type: System
Rule Name: DROP ICMP unexpected
Description: This rule drops any unexpected ICMP packets.
Enable/Disable Condition: Enabled by default
Parameters: Events per second (default=0)
Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

Rule ID: 140000800
Type: System
Rule Name: DROP unexpected protocol
Description: This rule drops any unexpected protocol packets.
Enable/Disable Condition: Enabled by default
Parameters: Events per second (default=0)
Comments: This is a catch-all rule that drops anything that does not match any other rules in the system.
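The RATELIMIT PASS row above describes the mechanism shared by the rate-limiting rules: a source is passed while it stays under Packets per second, and once it exceeds that value everything from that source is dropped for Drop interval seconds. The following Python model is an added illustration, not Infoblox code; the one-second fixed counting window and the sample addresses are assumptions, since the page does not say how the appliance measures the rate.

```python
"""Per-source rate limiting with a drop interval (added illustration, not Infoblox code).

Models the behaviour described for rule 130903500: pass while a source stays
under Packets per second; once a source exceeds it, drop everything from that
source for Drop interval seconds. The one-second fixed window is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class RateLimitRule:
    packets_per_second: int = 50   # page default for 130903500
    drop_interval: float = 10.0    # page default, in seconds


@dataclass
class _SourceState:
    window_start: float = 0.0   # start of the current one-second window
    count: int = 0              # packets seen from this source in that window
    blocked_until: float = 0.0  # time until which this source is dropped


class PerSourceRateLimiter:
    def __init__(self, rule: RateLimitRule) -> None:
        self.rule = rule
        self._state: dict[str, _SourceState] = defaultdict(_SourceState)

    def decide(self, src_ip: str, now: float) -> str:
        """Return "PASS" or "DROP" for one packet from src_ip at time now (seconds)."""
        st = self._state[src_ip]
        if now < st.blocked_until:
            return "DROP"                    # still inside the drop interval
        if now - st.window_start >= 1.0:     # roll over to a new one-second window
            st.window_start = now
            st.count = 0
        st.count += 1
        if st.count > self.rule.packets_per_second:
            # the source exceeded the limit: block it for the whole drop interval
            st.blocked_until = now + self.rule.drop_interval
            return "DROP"
        return "PASS"


def simulate() -> dict:
    """Run constructed traffic through the page defaults and report the outcomes."""
    limiter = PerSourceRateLimiter(RateLimitRule())
    out = {"burst_pass": 0, "burst_drop": 0, "quiet_pass": 0, "quiet_drop": 0}
    # constructed: 10.0.0.1 bursts 60 packets inside one second
    for i in range(60):
        verdict = limiter.decide("10.0.0.1", 0.5 + i * 0.001)
        out["burst_pass" if verdict == "PASS" else "burst_drop"] += 1
    # constructed: 10.0.0.2 sends 5 packets in the same second and is unaffected,
    # because the limit is tracked per source IP
    for i in range(5):
        verdict = limiter.decide("10.0.0.2", 0.5 + i * 0.1)
        out["quiet_pass" if verdict == "PASS" else "quiet_drop"] += 1
    # 10.0.0.1 is still blocked 5 s later and is admitted again once 10 s have passed
    out["during_interval"] = limiter.decide("10.0.0.1", 5.0)
    out["after_interval"] = limiter.decide("10.0.0.1", 12.0)
    return out


if __name__ == "__main__":
    print(simulate())
```

The point to take from the model is that the verdict is keyed on the source address alone: a single noisy source is blocked for the full drop interval while other sources on the same appliance keep passing, which is why the drop interval, not only the packet rate, needs tuning for your environment.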
HA Support
The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.
Table H18 HA Support Rules

Rule ID: 140000750
Rule Type: Auto
Rule Name: PASS VRRP
Description: This rule passes packets that go through VRRP for HA support.
Enable Condition: Enabled if HA is configured
Parameters: N/A

Rule ID: 140000760
Rule Type: Auto
Rule Name: PASS IGMP
Description: This rule passes packets that go through IGMP for HA support.
Enable Condition: Enabled if HA is configured
Parameters: N/A

Custom Rule Templates
Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.
For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules as follows.
Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.
• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using a semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops packets containing DNS lookups for this FQDN when the UDP traffic of such lookups exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the TCP traffic of DNS lookups from this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the TCP traffic of DNS lookups from this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.
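The templates above share three practical details: Blacklisted FQDN accepts a semicolon-separated list, IDNs must be converted to Punycode before they go into a rule, and the WHITELIST and BLACKLIST IP templates act before the RATELIMITED rules. The following Python model is an added illustration, not Infoblox code, of how such parameters can be normalised and checked before they are entered. Python's "idna" codec stands in for the appliance's IDN Converter; the ordering of whitelist before blacklist, IP checks before FQDN checks, exact (non-subdomain) FQDN matching, and all sample addresses and names are assumptions not stated on the page.

```python
"""Normalising and checking custom rule parameters (added illustration, not Infoblox code).

Models: semicolon-separated FQDN lists, Punycode conversion of IDNs (Python's
"idna" codec stands in for the appliance's IDN Converter), address/CIDR parsing,
and the "prior to rate limiting" placement of the WHITELIST and BLACKLIST IP
templates. Assumed, not stated on the page: whitelist is checked before blacklist,
IP checks before FQDN checks, and FQDN matching is exact.
"""
import ipaddress
from dataclasses import dataclass, field


def normalize_fqdn(name: str) -> str:
    """Lower-case, strip the trailing dot and convert to Punycode (A-label) form."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")  # ASCII labels pass through unchanged


def normalize_fqdn_list(value: str) -> list[str]:
    """Split the semicolon-separated list that the Blacklisted FQDN parameter accepts."""
    return [normalize_fqdn(item) for item in value.split(";") if item.strip()]


def parse_network(value: str):
    """Accept a bare IPv4/IPv6 address or an address/CIDR network."""
    return ipaddress.ip_network(value.strip(), strict=False)  # bare address -> /32 or /128


@dataclass
class CustomPolicy:
    # separate TCP and UDP lists, mirroring the per-protocol templates
    whitelist_ip: dict = field(default_factory=lambda: {"tcp": [], "udp": []})
    blacklist_ip: dict = field(default_factory=lambda: {"tcp": [], "udp": []})
    blacklist_fqdn: dict = field(default_factory=lambda: {"tcp": set(), "udp": set()})

    def add_whitelist_ip(self, proto: str, value: str) -> None:
        self.whitelist_ip[proto].append(parse_network(value))

    def add_blacklist_ip(self, proto: str, value: str) -> None:
        self.blacklist_ip[proto].append(parse_network(value))

    def add_blacklist_fqdn(self, proto: str, value: str) -> None:
        self.blacklist_fqdn[proto].update(normalize_fqdn_list(value))


def evaluate(policy: CustomPolicy, proto: str, src_ip: str, qname: str) -> str:
    """Return PASS, DROP, or RATELIMIT (hand the packet on to the RATELIMITED rules)."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in policy.whitelist_ip[proto]):
        return "PASS"        # WHITELIST IP: pass prior to rate limiting
    if any(ip in net for net in policy.blacklist_ip[proto]):
        return "DROP"        # BLACKLIST IP: drop prior to rate limiting
    if normalize_fqdn(qname) in policy.blacklist_fqdn[proto]:
        return "DROP"        # BLACKLIST FQDN lookup
    return "RATELIMIT"


def demo() -> dict:
    """Constructed policy and queries using RFC 5737 / RFC 3849 documentation addresses."""
    policy = CustomPolicy()
    policy.add_whitelist_ip("tcp", "192.0.2.0/24")
    policy.add_blacklist_ip("udp", "198.51.100.7")
    for proto in ("tcp", "udp"):
        # an IDN and a mixed-case name with a trailing dot, both normalised on entry
        policy.add_blacklist_fqdn(proto, "bücher.example; Bad.Example.")
    return {
        "entries": sorted(policy.blacklist_fqdn["udp"]),
        "udp_blacklisted_ip": evaluate(policy, "udp", "198.51.100.7", "ok.example"),
        "udp_punycode_query": evaluate(policy, "udp", "203.0.113.9", "XN--BCHER-KVA.example"),
        "udp_subdomain": evaluate(policy, "udp", "203.0.113.9", "www.bad.example"),
        "tcp_whitelisted": evaluate(policy, "tcp", "192.0.2.5", "bad.example"),
        "tcp_v6_blacklisted_fqdn": evaluate(policy, "tcp", "2001:db8::1", "bad.example"),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible: the name that ends up in the rule is the A-label ("xn--bcher-kva.example"), so a query for the Unicode form and a query for the already-encoded form match the same entry, and a whitelisted source bypasses the later checks entirely, which is why whitelist entries deserve the narrowest address/CIDR you can give them.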