
OpenDNS showing as attacking new firewall

I just installed a new firewall XG115 at a customer. They have internal DNS servers and I have set up the forwarders to use OpenDNS servers. I also set up OpenDNS servers as the DNS servers for the new firewall.

It has been running for about 4 days and when looking at the console it shows 1181 hits from OpenDNS server 208.67.222.222.

Can someone shed some light on why it would think the OpenDNS server is attacking the firewall?


Thanks,

J



  • Joey,

    if you see the attack, you are using IPS on some firewall rules. Go to Reports > Network & Threats > Intrusion Attacks and find which intrusion attack is matched. Go to the affecting IPS rule and remove the attack pattern.

    Please note that XG uses Snort, which is a signature-based IPS, so false positives can occur.

    Regards

  • Are you talking about this?


    I also don't have any deny firewall rules set up. All are allow. The XG doesn't seem to add a deny all by default like most firewalls do.

  • I just checked the firewall rules as well and the #Default_Network_Policy that gets created during the setup does have generalpolicy selected for intrusion detection.

  • Joey,

    check the IPS profile attached to #Default_Network_Policy and remove the affected IPS pattern (if you think the attack is a false positive).

    Regards

    Thanks for the reply. So looking at the policy there, it has "select all" by default, which is 9068 signatures.

    It seems the ones causing the problem are ISC BIND buffer.c REQUIRE Assertion Failure Denial of Service and ISC BIND EDNS Option Processing Denial of Service.


    The only way to change it is to change the option to select individual signatures and exclude those, but the entire list doesn't populate, so I can't seem to select all 9068 minus those two.

    Is there a way to just tell the Sophos firewall that the IP addresses from OpenDNS are OK and to ignore them from the attackers list?


    Thanks again,

    Joey

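The triage the replies describe (find which signature fired, then decide whether to drop the signature or exempt the source) can be done offline against an alert export before touching the IPS policy. The script below is an added example, not code from this thread or from Sophos: it assumes a CSV export with constructed columns (time, src_ip, src_port, dst_ip, dst_port, signature), which does not match any real XG export format, and the sample rows are constructed. It groups hits by signature, separates DNS replies from the resolvers the firewall deliberately queries (the OpenDNS address from the thread plus OpenDNS's other published resolver) from hits with any other source, and classifies each signature so that a signature is only disabled when nothing else triggered it.

```python
"""Triage IPS alerts by signature and source to spot false positives caused by
trusted upstream resolvers. Added example, not from the thread or from Sophos;
the CSV layout is constructed and does not match any real XG export."""
import csv
import io
import ipaddress
from collections import defaultdict

# Upstream resolvers the firewall forwards to (constructed allowlist).
# 208.67.222.222 is the OpenDNS address named in the thread;
# 208.67.220.220 is OpenDNS's other published resolver address.
TRUSTED_RESOLVERS = {
    ipaddress.ip_address("208.67.222.222"),
    ipaddress.ip_address("208.67.220.220"),
}

# Constructed sample export (not real firewall output). 192.0.2.1 stands in
# for the firewall; 198.51.100.7 and 203.0.113.9 are documentation addresses.
SAMPLE_ALERTS = """time,src_ip,src_port,dst_ip,dst_port,signature
2016-01-10T08:01:02,208.67.222.222,53,192.0.2.1,40123,ISC BIND EDNS Option Processing Denial of Service
2016-01-10T08:01:05,208.67.222.222,53,192.0.2.1,40124,ISC BIND buffer.c REQUIRE Assertion Failure Denial of Service
2016-01-10T08:02:11,208.67.222.222,53,192.0.2.1,40125,ISC BIND EDNS Option Processing Denial of Service
2016-01-10T08:03:40,198.51.100.7,53,192.0.2.1,40126,ISC BIND EDNS Option Processing Denial of Service
2016-01-10T08:04:00,203.0.113.9,51000,192.0.2.1,22,SSH Brute Force Attempt
"""


def parse_alerts(text):
    """Parse the CSV export into dicts with typed addresses and ports."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        alerts.append({
            "time": row["time"],
            "src_ip": ipaddress.ip_address(row["src_ip"]),
            "src_port": int(row["src_port"]),
            "dst_ip": ipaddress.ip_address(row["dst_ip"]),
            "dst_port": int(row["dst_port"]),
            "signature": row["signature"],
        })
    return alerts


def is_trusted_dns_reply(alert, trusted):
    """True when the alert fired on a DNS reply (source port 53) from a resolver
    we deliberately query; that is the traffic a BIND DoS signature inspects."""
    return alert["src_ip"] in trusted and alert["src_port"] == 53


def summarize(alerts, trusted):
    """Per signature: total hits, hits explained by trusted resolver replies,
    and the set of other source addresses that also triggered it."""
    summary = defaultdict(lambda: {"total": 0, "trusted_replies": 0, "other_sources": set()})
    for alert in alerts:
        entry = summary[alert["signature"]]
        entry["total"] += 1
        if is_trusted_dns_reply(alert, trusted):
            entry["trusted_replies"] += 1
        else:
            entry["other_sources"].add(str(alert["src_ip"]))
    return dict(summary)


def classify(summary):
    """Map each signature to a triage class:
    'keep'         - no hit came from a trusted resolver; leave it alone
    'trusted-only' - every hit is a trusted resolver reply; an exception for
                     those sources resolves it, disabling the signature is the
                     broader last resort
    'mixed'        - trusted replies plus other sources; exempt only the
                     trusted sources and review the remaining hits
    """
    classes = {}
    for sig, entry in summary.items():
        if entry["trusted_replies"] == 0:
            classes[sig] = "keep"
        elif entry["trusted_replies"] == entry["total"]:
            classes[sig] = "trusted-only"
        else:
            classes[sig] = "mixed"
    return classes


def sources_to_exempt(alerts, trusted):
    """Trusted resolver addresses that actually produced alerts: the minimal
    source-based exception list, narrower than disabling whole signatures."""
    return sorted({str(a["src_ip"]) for a in alerts if is_trusted_dns_reply(a, trusted)})


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    summary = summarize(alerts, TRUSTED_RESOLVERS)
    for sig, cls in classify(summary).items():
        e = summary[sig]
        print(f"{cls:13} {e['trusted_replies']}/{e['total']} trusted  "
              f"others={sorted(e['other_sources'])}  {sig}")
    print("exempt sources:", sources_to_exempt(alerts, TRUSTED_RESOLVERS))
```

On the constructed sample the buffer.c signature comes out as trusted-only, the EDNS signature as mixed (one hit from an address that is not a trusted resolver), and the SSH signature as keep. The point of the split is the one the thread circles around: removing a signature from the policy silences it for every source, whereas an exception scoped to the resolver addresses the firewall itself queries keeps the signature active for everything else.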

  • I've got the same issue with "ISC BIND EDNS Option Processing DOS". Did you find an easy way to ignore this signature or allow the IPs?

    Thanks

    Rich

  • Sorry, I honestly can't remember. I think I ended up calling Sophos and they did something. I just looked at the firewall and I don't see any modifications to any of the rules or IPS intrusion settings that would ignore the OpenDNS servers.

    Later,

    J