8/21/2019 Threat Protection Rules 6.12 http://slidepdf.com/reader/full/threat-protection-rules-612 1/30
NIOS 6.12 NIOS Administrator Guide (Rev. A) 1497

Threat Protection Rules

This document contains information about threat protection rules for the Infoblox Advanced DNS Protection solution. It lists rule IDs, rule names, descriptions, enable/disable conditions, parameters and corresponding default values for all auto and system rules. It also provides tuning information for specific rules so you can configure and better utilize these rules to protect your environment without sacrificing performance. For information about Advanced DNS Protection, see Infoblox Advanced DNS Protection on page 1333.

All rules are grouped by rule categories. System and auto rules are automatically updated during rule updates.

Note: Auto rules are always enabled, and you cannot disable them.

You can create custom rules using rule templates. For information about custom rule templates, refer to Custom Rule Templates on page 1524.

This document includes the following sections:

• Overview of Packet Flow on page 1498
  - Tuning Rule Parameters on page 1500
• DNS Cache Poisoning on page 1501
• DNS Message Type on page 1501
• General DDoS on page 1508
• Reconnaissance on page 1508
• DNS Malware on page 1509
• DNS Protocol Anomalies on page 1509
• Potential DDoS Related Domains on page 1510
• TCP/UDP Flood on page 1511
• DNS DDoS on page 1512
• DNS Tunneling on page 1513
• DNS Amplification and Reflection on page 1513
• NTP on page 1514
• BGP on page 1517
• OSPF on page 1518
• ICMP on page 1519
• Default Pass/Drop on page 1523
• HA Support on page 1524
• Custom Rule Templates on page 1524



Overview of Packet Flow

Threat protection rules are designed to work together to provide maximum protection for your environment. This section describes how these rules are applied and how you can tune some of them to suit your system setup and network environment.

Threat protection rules are grouped by rule categories, and most of them have one or more associated rule parameters. Depending on the rules, you may or may not be able to override default values for the following rule parameters (if applicable):

• Packets per second: The rate limit, or the number of packets per second that the appliance processes before it performs a triggered action such as sending warnings or blocking traffic.
• Drop interval: The time period (in seconds) for which the appliance blocks all traffic from the client, or traffic that matches a certain pattern, beyond the rate limit.
• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) stops the appliance from logging events for the rule. Most rules have this parameter, and the default value is 1.
• Packet size: DNS packet size. If the DNS packet size exceeds a certain value, the corresponding rule is triggered.

All incoming packets are filtered through enabled rules based on the order listed in Table H1. Note that rules are displayed in the same order in Grid Manager. For more information, see Viewing Threat Protection Rules on page 1352. You cannot change the filtering order of these rules. Incoming packets are screened by the first rule and proceed through subsequent rules until they hit the last rule on the list, provided that they are not dropped or passed by any rules in between based on the matching conditions and rule criteria.

Depending on the rules, the following are the possible actions that can be taken:

• Rate-limiting and pass (magenta): Based on the configured rate limit, these rules drop incoming packets if the packet rate hits the rate limit. Otherwise, the packets are passed.
• Rate-limiting (blue): Based on the configured rate limit, these rules drop incoming packets if they hit the rate limit. Otherwise, the packets are screened by subsequent rules for further actions.
• Drop (salmon): These rules drop any incoming packets that match specific conditions and rule criteria.
• Pass (green): These rules pass any incoming packets that match specific conditions and rule criteria.

Note: All rate limiting rules, including custom rules, operate on a per source IP basis.
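The ordered rule chain, the four action kinds and the per-source-IP semantics of Packets per second, Drop interval and Events per second described above, modelled as an added example (not Infoblox code); rule IDs 100000100 and 130500100 are from this page, while the thresholds, the 999999999 rule ID, the packet kinds and the IP addresses are constructed for the demo.

```python
"""Added model of the rule chain described above (not Infoblox code).
Rules are evaluated in Table H1 order, per source IP, with the four action
kinds the page names and the shared parameters Packets per second, Drop
interval and Events per second. Demo thresholds and the 999999999 ID are
constructed; 100000100 and 130500100 are rule IDs from this page."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

RATELIMIT_PASS = "ratelimit_and_pass"  # pass if under the limit, else block the source
RATELIMIT = "ratelimit"                # drop if over the limit, else keep screening
DROP = "drop"
PASS = "pass"


@dataclass
class Packet:
    src_ip: str
    proto: str   # "udp" or "tcp"
    kind: str    # e.g. "dns_response", "dns_query", "icmp"


@dataclass
class Rule:
    rule_id: int
    name: str
    action: str
    match: Callable[[Packet], bool]
    pps: int = 0                  # Packets per second (the rate limit)
    drop_interval: float = 10.0   # seconds a source stays blocked once over the limit
    events_per_second: int = 1    # 0 disables logging for this rule


@dataclass
class SourceState:
    window_start: float = 0.0
    count: int = 0
    blocked_until: float = 0.0


class RuleChain:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # Rate limiting is per source IP, so counters are keyed by (rule, source).
        self.state: Dict[Tuple[int, str], SourceState] = defaultdict(SourceState)
        self.log_budget: Dict[int, Tuple[int, int]] = {}  # rule -> (second, events logged)
        self.events: List[str] = []

    def _log(self, rule: Rule, now: float, msg: str) -> None:
        """Log at most Events per second entries for a rule; 0 never logs."""
        second = int(now)
        sec, used = self.log_budget.get(rule.rule_id, (second, 0))
        if sec != second:
            sec, used = second, 0
        if used < rule.events_per_second:
            self.events.append(f"{now:.2f} rule {rule.rule_id}: {msg}")
            used += 1
        self.log_budget[rule.rule_id] = (sec, used)

    def _over_limit(self, rule: Rule, pkt: Packet, now: float) -> bool:
        st = self.state[(rule.rule_id, pkt.src_ip)]
        if now < st.blocked_until:
            return True                        # still inside the Drop interval
        if now - st.window_start >= 1.0:       # start a new one-second window
            st.window_start, st.count = now, 0
        st.count += 1
        if st.count > rule.pps:
            st.blocked_until = now + rule.drop_interval
            self._log(rule, now, f"blocked {pkt.src_ip} for {rule.drop_interval}s")
            return True
        return False

    def process(self, pkt: Packet, now: float) -> Tuple[str, Optional[int]]:
        """Screen one packet; returns ('pass' | 'drop', id of the deciding rule)."""
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            if rule.action == DROP:
                self._log(rule, now, f"dropped {pkt.kind} from {pkt.src_ip}")
                return "drop", rule.rule_id
            if rule.action == PASS:
                return "pass", rule.rule_id
            if self._over_limit(rule, pkt, now):
                return "drop", rule.rule_id
            if rule.action == RATELIMIT_PASS:
                return "pass", rule.rule_id
            # RATELIMIT and under the limit: subsequent rules keep screening it
        return "drop", None  # Default Pass/Drop: unexpected packets are dropped


def demo_chain() -> RuleChain:
    """Constructed chain: 100000100 with a tiny limit (its real default is 30000),
    a rate-limit-only query rule with a made-up ID, and the DNS A record pass rule."""
    return RuleChain([
        Rule(100000100, "EARLY PASS UDP response traffic", RATELIMIT_PASS,
             lambda p: p.proto == "udp" and p.kind == "dns_response", pps=3),
        Rule(999999999, "High rate inbound DNS queries (constructed ID)", RATELIMIT,
             lambda p: p.kind == "dns_query", pps=5),
        Rule(130500100, "DNS A record", PASS, lambda p: p.kind == "dns_query"),
    ])
```

A source that exceeds the limit is dropped for the whole Drop interval even if it slows down, and only one block event per second is logged per rule, which is why tuning Packets per second matters for legitimate high-volume peers.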

Table H1 Flow Order for Threat Protection Rules

Conditions (if any) | Rule Category | Rule Name | Action | Reference
- | DNS Cache Poisoning | DNS responses | Rate-limiting and Pass | DNS Cache Poisoning
Configured with external DNS primaries | DNS Message Type | TXFR/AXFR responses | Rate-limiting and Pass | DNS Message Type
Allow DDNS updates | DNS Message Type | DNS Updates | Rate-limiting and Pass | DNS Message Type
- | General DDoS | General DDoS | Drop | General DDoS
- | Reconnaissance | Reconnaissance | Drop | Reconnaissance
- | DNS Malware | DNS Malware | Drop | DNS Malware
- | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies
- | User-defined Whitelist UDP Packets | User-defined Whitelist UDP Packets | Pass | Custom Rule Templates
- | User-defined Whitelist TCP Packets | User-defined Whitelist TCP Packets | Pass | Custom Rule Templates
- | User-defined Blacklist UDP Packets | User-defined Blacklist UDP Packets | Drop | Custom Rule Templates
- | User-defined Blacklist TCP Packets | User-defined Blacklist TCP Packets | Drop | Custom Rule Templates
- | User-defined ratelimiting IP and Network UDP Packets | User-defined ratelimiting IP and Network UDP Packets | Rate-limiting | Custom Rule Templates
- | User-defined ratelimiting IP and Network TCP Packets | User-defined ratelimiting IP and Network TCP Packets | Rate-limiting | Custom Rule Templates
- | User-defined ratelimiting FQDN | User-defined ratelimiting FQDN | Rate-limiting | Custom Rule Templates
- | User-defined Blacklist FQDN | User-defined Blacklist FQDN | Drop | Custom Rule Templates
- | Potential DDoS related domains | Potential DDoS related domains | Drop | Potential DDoS Related Domains
- | TCP/UDP Floods | High Rate inbound DNS Queries | Rate-limiting | TCP/UDP Flood
- | DNS DDoS | NXDomain, NXRRset, ServFail DNS Response | Rate-limiting | DNS DDoS
- | DNS Tunneling | DNS Tunneling | Rate-limiting | DNS Tunneling
- | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies
Incoming zone transfer is allowed | DNS Message Type | DNS IXFR/AXFR Requests | Rate-limiting and Pass | DNS Message Type
Incoming zone transfer is allowed | DNS Message Type | Invalid DNS IXFR Queries | Drop | DNS Message Type
Incoming zone transfer is not allowed | DNS Message Type | DNS AXFR/IXFR Requests | Drop | DNS Message Type
- | DNS Malware | DNS Malware | Drop | DNS Malware
- | DNS Amplification and Reflection | DNS Amplification and Reflection | Rate-limiting | DNS Amplification and Reflection
- | DNS Message Type | DNS Query Types | Drop/Pass depending on the configured action | DNS Message Type
NTP client is enabled | NTP | NTP Server Responses | Rate-limiting and Pass | NTP
NTP client is disabled | NTP | NTP Client Requests | Drop | NTP
NTP server is enabled | NTP | NTP Vulnerability Rules | Rate-limiting | NTP
NTP server is enabled | NTP | NTP Ratelimiting Rules based on NTP ACL Data | Rate-limiting and Pass | NTP
NTP server is disabled | NTP | Invalid NTP Packets | Drop | NTP
BGP is enabled | BGP | Invalid BGP Packets | Drop | BGP
BGP is enabled | BGP | BGP Packets | Rate-limiting and Pass | BGP
BGP is disabled | BGP | BGP Packets | Drop | BGP
- | ICMP | ICMP Pings | Rate-limiting and Pass | ICMP
OSPF is enabled | OSPF | OSPF Packets | Rate-limiting and Pass | OSPF
OSPF is disabled | OSPF | OSPF Packets | Drop | OSPF
- | ICMP | ICMPv6 Pings | Rate-limiting and Pass | ICMP
- | Default Pass/Drop | Unexpected DNS Packets | Drop | Default Pass/Drop
- | Default Pass/Drop | TCP/UDP/ICMP Packets | Drop | Default Pass/Drop
- | HA Support | HA Communication Packets | Pass | HA Support
- | Default Pass/Drop | Unexpected Packets | Drop | Default Pass/Drop


Tuning Rule Parameters

All threat protection rules contain rule parameters that you may or may not be able to configure. Rule parameters are predefined with default values that generally suit most network environments. However, there are times when you have special setups or configurations in your environment that require special attention. In these cases, you may need to change some of the rule parameters to obtain optimal protection without sacrificing system performance.

Table H2 lists specific conditions and corresponding rules that may require tuning when they are enabled. You can view tuning suggestions in the Comments column for each of the following conditions.

Table H2 Tunable Rules

Conditions | Rule(s) that Require Tuning | Reference
Your appliance is configured as an authoritative DNS server | Rule 100000100 in the DNS Cache Poisoning category | DNS Cache Poisoning Rules
Your DNS server is configured as the secondary server with external primaries, and it serves a large number of zones | Rules 100100100 to 100100201 in the DNS Message Type category | DNS Message Type Rules
You have enabled TCP/UDP Flood system rules, and your network environment consists of the following: NATed environments, static forwarders or VPN concentrators | All rules in the TCP/UDP Flood category | TCP/UDP Flood Rules
You have enabled DNS DDoS system rules, and your network environment consists of the following: NATed environments, static forwarders or VPN concentrators | Rules 200000001 to 200000003 in the DNS DDoS category | DNS DDoS Rules
You have enabled DNS Tunneling system rules, and your network environment consists of the following: NATed environments, static forwarders and VPN concentrators | All rules in the DNS Tunneling category | Anti DNS Tunneling Rules
Your DNS server is configured to allow incoming IPv4 and IPv6 zone transfer requests, and it serves a large number of zones | Rules 130100100 to 130100401 in the DNS Message Type category | DNS Message Type Rules
You have enabled DNS Amplification and Reflection system rules | All rules in the DNS Amplification and Reflection category | DNS Amplification and Reflection Rules


DNS Cache Poisoning

DNS cache poisoning involves inserting a false address record for an Internet domain into a DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails go to the attacker's address. Cache poisoning attacks such as the "birthday paradox" use brute force, flooding DNS responses and queries at the same time, hoping to get a match on one of the responses and poison the cache.

The following table lists auto rules that Advanced DNS Protection uses to mitigate DNS cache poisoning on your advanced appliance.

Table H3 DNS Cache Poisoning Rules

Each entry gives the Rule ID and Rule Type, followed by the Rule Name, Description, Enable/Disable Condition, Parameters and Comments.

Rule 100000100 (Auto): EARLY PASS UDP response traffic
  Description: This rule passes UDP DNS response packets (from upstream DNS servers or external DNS primaries) if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Packets per second (default = 30000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a smaller number if your system is serving authoritative DNS. NOTE: If you set the parameter incorrectly, the rule could block legitimate DNS responses from upstream DNS servers, which could cause the DNS server to exceed its quota.

Rule 100000200 (Auto): EARLY PASS TCP response traffic
  Description: This rule passes TCP DNS responses initiated by the appliance.
  Enable/Disable condition: Always enabled
  Parameters: Packets per second (default = 100)
  Comments: Consider raising the Packets per second value if DNSSEC is enabled.

Rule 100000300 (Auto): PASS ACK packets from NIOS initiated connections
  Description: This rule passes TCP ACK packets for DNS or BGP from NIOS initiated connections if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Packets per second (default = 600); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider raising the Packets per second value if DNSSEC is enabled.

DNS Message Type

The following table lists the system and auto rules that are used to mitigate DNS message type attacks on your advanced appliance.

All rules for DNS record types are system rules. By default, they are configured as Pass rules. You can override this and change the rule action to Drop. Note that when you do that, the appliance drops all DNS packets that contain the requested record type.

Table H4 DNS Message Type Rules

Each entry gives the Rule ID and Rule Type, followed by the Rule Name, Description, Enable/Disable Condition, Parameters and Comments.

Rule 100100100 (Auto): EARLY PASS IPv4 UDP Notify messages
  Description: This rule passes IPv4 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.


Rule 100100101 (Auto): EARLY PASS IPv6 UDP Notify messages
  Description: This rule passes IPv6 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

Rule 100100200 (Auto): EARLY PASS IPv4 TCP Notify messages
  Description: This rule passes IPv4 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

Rule 100100201 (Auto): EARLY PASS IPv6 TCP Notify messages
  Description: This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

Rule 100100300 (Auto): EARLY PASS IPv4 UDP Notify messages for DDNS update
  Description: This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if DDNS update is enabled for IPv4 clients
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

Rule 100100350 (Auto): EARLY PASS IPv6 UDP Notify messages for DDNS update
  Description: This rule passes IPv6 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if DDNS update is enabled for IPv6 clients
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

Rule 130100100 (Auto): RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests
  Description: This rule passes IPv4 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130100101 (Auto): RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests
  Description: This rule passes IPv6 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130100200 (Auto): RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests
  Description: This rule passes IPv4 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.


Rule 130100201 (Auto): RATELIMIT PASS IPv6 TCP DNS AXFR zone transfer requests
  Description: This rule passes IPv6 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130100300 (Auto): RATELIMIT PASS IPv4 UDP DNS IXFR zone transfer requests
  Description: This rule passes IPv4 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130100301 (Auto): RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests
  Description: This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130100400 (Auto): RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests
  Description: This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130100401 (Auto): RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests
  Description: This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130200100 (Auto): DROP UDP DNS AXFR zone transfer requests
  Description: This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)

Rule 130200200 (Auto): DROP TCP DNS AXFR zone transfer requests
  Description: This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)

Rule 130200300 (Auto): DROP UDP DNS IXFR zone transfer requests
  Description: This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)

Rule 130200400 (Auto): DROP TCP DNS IXFR zone transfer requests
  Description: This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)


Rule 130500100 (System): DNS A record
  Description: You can configure this rule to pass or drop UDP packets that contain an A record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130500200 (System): DNS AAAA record
  Description: You can configure this rule to pass or drop UDP packets that contain an AAAA record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130500300 (System): DNS CNAME record
  Description: You can configure this rule to pass or drop UDP packets that contain a CNAME record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130500400 (System): DNS DS record
  Description: You can configure this rule to pass or drop UDP packets that contain a DS record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130500500 (System): DNS PTR record
  Description: You can configure this rule to pass or drop UDP packets that contain a PTR record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130500600 (System): DNS NS record
  Description: You can configure this rule to pass or drop UDP packets that contain an NS record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130500700 (System): DNS NSEC record
  Description: You can configure this rule to pass or drop UDP packets that contain an NSEC record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130500800 (System): DNS NSEC3 record
  Description: You can configure this rule to pass or drop UDP packets that contain an NSEC3 record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130500900 (System): DNS NSEC3PARAM record
  Description: You can configure this rule to pass or drop UDP packets that contain an NSEC3PARAM record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130501000 (System): DNS MX record
  Description: You can configure this rule to pass or drop UDP packets that contain an MX record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130501100 (System): DNS SRV record
  Description: You can configure this rule to pass or drop UDP packets that contain an SRV record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130501200 (System): DNS TXT record
  Description: You can configure this rule to pass or drop UDP packets that contain a TXT record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130501300 (System): DNS DNAME record
  Description: You can configure this rule to pass or drop UDP packets that contain a DNAME record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130501400 (System): DNS RRSIG record
  Description: You can configure this rule to pass or drop UDP packets that contain an RRSIG record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130501500 (System): DNS NAPTR record
  Description: You can configure this rule to pass or drop UDP packets that contain a NAPTR record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)


Rule 130501600 (System): DNS DNSKEY record
  Description: You can configure this rule to pass or drop UDP packets that contain a DNSKEY record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130501700 (System): DNS SPF record
  Description: You can configure this rule to pass or drop UDP packets that contain an SPF record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130501800 (System): DNS DHCID record
  Description: You can configure this rule to pass or drop UDP packets that contain a DHCID record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130501900 (System): DNS SOA record
  Description: You can configure this rule to pass or drop UDP packets that contain an SOA record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130502000 (System): DNS SIG record
  Description: You can configure this rule to pass or drop UDP packets that contain a SIG record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130502100 (System): DNS LOC record
  Description: You can configure this rule to pass or drop UDP packets that contain a LOC record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130502200 (System): DNS SSHFP record
  Description: You can configure this rule to pass or drop UDP packets that contain an SSHFP record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130502300 (System): DNS IPSECKEY record
  Description: You can configure this rule to pass or drop UDP packets that contain an IPSECKEY record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130502400 (System): DNS TKEY record
  Description: You can configure this rule to pass or drop UDP packets that contain a TKEY record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130502500 (System): DNS TSIG record
  Description: You can configure this rule to pass or drop UDP packets that contain a TSIG record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130502600 (System): DNS TA record
  Description: You can configure this rule to pass or drop UDP packets that contain a TA record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130502700 (System): DNS DLV record
  Description: You can configure this rule to pass or drop UDP packets that contain a DLV record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130502800 (System): DNS ANY record
  Description: You can configure this rule to pass or drop UDP packets that contain an ANY record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130502900 (System): DNS A record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an A record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule 130503000 (System): DNS AAAA record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain an AAAA record request. The default Action = Pass.
  Enable/Disable condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

Rule ID

Rule

Type

Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 1030

1506 NIOS Administrator Guide (Rev A) NIOS 612

130503100 System DNS CNAMErecord TCP

You can configure this rule to passor drop TCP packets that containCNAME record request Thedefault Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503200 System DNS DS recordTCP

You can configure this rule to passor drop TCP packets that contain

DS record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503300 System DNS PTR recordTCP

You can configure this rule to passor drop TCP packets that containPTR record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503400 System DNS NS recordTCP

You can configure this rule to passor drop TCP packets that containNS record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503500 System DNS NSEC recordTCP

You can configure this rule to passor drop TCP packets that containNSEC record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503600 System DNS NSEC3record TCP

You can configure this rule to passor drop TCP packets that containNSEC3 record request Thedefault Action = Pass

Enabled bydefault

Action (default = Pass)

Events per second (default = 1)

130503700 System DNSNSEC3PARAMrecord TCP

You can configure this rule to passor drop TCP packets that containNSEC3PARAM record request Thedefault Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503800 System DNS MX recordTCP

You can configure this rule to passor drop TCP packets that containMX record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503900 System DNS SRV recordTCP

You can configure this rule to passor drop TCP packets that containSRV record request The default

Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second

(default = 1)

130504000 System DNS TXT recordTCP

You can configure this rule to passor drop TCP packets that containTXT record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130504100 System DNS DNAMErecord TCP

You can configure this rule to passor drop TCP packets that containDNAME record request Thedefault Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130504200 System DNS RRSIG recordTCP

You can configure this rule to passor drop TCP packets that containRRSIG record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130504300 System DNS NAPTR

record TCP

You can configure this rule to pass

or drop TCP packets that containNAPTR record request The defaultAction = Pass

Enabled by

default

Action

(default = Pass)Events per second (default = 1)

130504400 System DNS DNSKEYrecord TCP

You can configure this rule to passor drop TCP packets that containIDNSKEY record request Thedefault Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130504500 System DNS SPF recordTCP

You can configure this rule to passor drop TCP packets that containSPF record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

Rule ID

Rule

Type

Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 1130

DNS Message Type

NIOS 612 NIOS Administrator Guide (Rev A) 1507

130504600 System DNS DHCIDrecord TCP

You can configure this rule to passor drop TCP packets that containDHCID record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130504700 System DNS SOA recordTCP

You can configure this rule to passor drop TCP packets that contain

SOA record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130504800 System DNS SIG recordTCP

You can configure this rule to passor drop TCP packets that containSIG record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130504900 System DNS ROC recordTCP

You can configure this rule to passor drop TCP packets that containROC record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130505000 System DNS SSHFPrecord TCP

You can configure this rule to passor drop TCP packets that containSSHFP record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130505100 System DNS IPSECKEYrecord TCP

You can configure this rule to passor drop TCP packets that containIPSECKEY record request Thedefault Action = Pass

Enabled bydefault

Action (default = Pass)

Events per second (default = 1)

130505200 System DNS TKEY recordTCP

You can configure this rule to passor drop TCP packets that containTKEY record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130505300 System DNS TSIG recordTCP

You can configure this rule to passor drop TCP packets that containTSIG record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130505400 System DNS TA recordTCP

You can configure this rule to passor drop TCP packets that containTA record request The default

Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second

(default = 1)

130505500 System DNS DLV recordTCP

You can configure this rule to passor drop TCP packets that containDLV record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130505600 System DNS ANY recordTCP

You can configure this rule to passor drop TCP packets that containANY record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

Rule ID

Rule

Type

Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 1230

1508 NIOS Administrator Guide (Rev A) NIOS 612

General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

110000100  Auto  EARLY DROP DoS packets with same source and destination IP
    Description: This rule drops any IP packets that contain the same source and destination IP address.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

110000200  Auto  EARLY DROP DoS UDP packets with same source and destination IP
    Description: This rule drops UDP packets that contain the same source and destination IP address.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

110000300  Auto  EARLY DROP DoS TCP packets with same source and destination IP
    Description: This rule drops TCP packets that contain the same source and destination IP address.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

130400300  Auto  DROP IPv6 loopback address spoofing
    Description: This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

130400400  Auto  DROP IPv6 loopback address spoofing
    Description: This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

Reconnaissance

Reconnaissance attacks are attempts to gather information about the network environment before launching a large DDoS or other attack. Techniques include port scanning and probing name servers for their version and author strings (for example, CHAOS-class TXT queries for version.bind and authors.bind). These attacks exhibit abnormal behavior patterns that, if identified, can provide early warning.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) stops the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

110100100  Auto  EARLY DROP DNS named author attempts
    Description: This rule drops UDP DNS packets that contain attempts to find AUTHOR information.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

110100200  Auto  EARLY DROP DNS named version attempts
    Description: This rule drops UDP DNS packets that contain attempts to find VERSION information.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

110100300  Auto  EARLY DROP UDP MALWARE backdoor
    Description: This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of Facebook Messenger. This malware may be spread as a malicious attachment in email messages.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

130300300  Auto  DROP MALWARE trojan downloader
    Description: This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and adware.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

130300400  Auto  DROP MALWARE possible Hiloti
    Description: This rule drops UDP packets that contain the Hiloti trojan, a malicious program that may download potentially malicious files from a remote server and report system information back to the server.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

DNS Protocol Anomalies

DNS protocol anomaly attacks send malformed DNS packets, including unexpected header and payload values, to the targeted server. This can cause the server to stop responding or crash, for example by driving server threads into an infinite loop. These anomalies sometimes take the form of impersonation attacks.

The following table lists the rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

110100400  Auto  EARLY DROP UDP DNS question name too long
    Description: This rule drops UDP DNS packets when the DNS question name is too long (the wire-format limit for a DNS name is 255 octets).
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

110100500  Auto  EARLY DROP UDP DNS label too long
    Description: This rule drops UDP DNS packets when a DNS label in the name being queried is too long (the limit for a DNS label is 63 octets).
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

110100600  Auto  EARLY DROP UDP query invalid question count
    Description: This rule drops UDP DNS packets when the number of entries in the question section is invalid.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

110100700  Auto  EARLY DROP UDP query invalid question class
    Description: This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

110100800  Auto  EARLY DROP UDP query invalid question string
    Description: This rule drops UDP DNS packets that contain an invalid question string.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

110100850  Auto  EARLY UDP drop invalid DNS query with Authority
    Description: This rule drops UDP DNS queries that contain an invalid AUTHORITY entry.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

110100900  Auto  EARLY DROP query multiple questions or non query operation code
    Description: This rule drops UDP DNS packets when multiple questions are being queried at one time or the operation code is not Query.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

130000700  Auto  EARLY DROP TCP non-DNS query
    Description: This rule drops TCP packets whose operation code is not Query.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

130000800  Auto  EARLY DROP TCP query multiple questions
    Description: This rule drops TCP DNS packets when multiple questions are being queried at one time.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

130100500  Auto  DROP UDP DNS invalid IXFR query with zero or more than one Authority
    Description: This rule drops UDP DNS incremental zone transfer (IXFR) requests that contain zero or more than one Authority entry.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

130100600  Auto  DROP TCP DNS invalid IXFR query with zero or more than one Authority
    Description: This rule drops TCP DNS incremental zone transfer (IXFR) requests that contain zero or more than one Authority entry.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

130300200  Auto  DROP TCP invalid DNS query with Authority
    Description: This rule drops TCP DNS queries that contain invalid Authority entries.
    Enable/disable condition: Always enabled
    Parameters: Events per second (default = 1)

Potential DDoS Related Domains

This rule category contains system rules that the appliance uses to blacklist domains that may have been the targets or subjects of NXDOMAIN or DDoS attacks. These rules block all FQDN lookups over UDP for domains that have been observed as targets in DDoS attacks. The rules are enabled by default; you can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
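The checks in Table H8, the per-record-type Action rules in the DNS Message Type tables, and the UDP domain blocklist described under Potential DDoS Related Domains all key on a handful of header and question fields. The following Python script is an added example, not Infoblox code and not a description of how the appliance itself parses packets: it builds constructed DNS queries, parses the header and question section, and reports which of this page's rule IDs a query would trip. Assumptions: question classes other than IN, CH, HS and ANY count as invalid; an unparseable question is mapped to the invalid question string rule; the blocklist domain attacked.example and the rule-to-Action mapping are constructed for the example; only a few of the page's message-type rule IDs are included.

```python
import struct

# Question classes the checker accepts (assumption: IN, CH, HS, ANY).
VALID_CLASSES = {1, 3, 4, 255}
IXFR, ANY = 251, 255
# Rule IDs from the DNS Message Type tables, keyed by (transport, qtype); a subset
# sufficient for the checks below (SOA, TXT over TCP, ANY).
MESSAGE_TYPE_RULES = {
    ("udp", 6): 130501900, ("tcp", 6): 130504700,
    ("tcp", 16): 130504000,
    ("udp", ANY): 130502800, ("tcp", ANY): 130505600,
}
# Constructed stand-in for the Potential DDoS Related Domains ruleset (UDP lookups only).
DDOS_DOMAINS = ("attacked.example",)


def build_query(qname, qtype, qclass=1, qdcount=1, opcode=0, nscount=0):
    """Constructed DNS query: header with the given counts/opcode, then one question."""
    header = struct.pack("!6H", 0x1234, (opcode << 11) | 0x0100, qdcount, 0, nscount, 0)
    labels = [part.encode() for part in qname.split(".") if part]
    name = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + name + struct.pack("!2H", qtype, qclass)


def read_name(data, off):
    """Walk an uncompressed name; returns (labels, offset just past the root label)."""
    labels = []
    while True:
        length = data[off]
        off += 1
        if length == 0:
            return labels, off
        if length >= 0xC0:   # a compression pointer has no place in a question name
            raise ValueError("compression pointer in question")
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length


def check_query(data, transport, actions=None):
    """Return ('pass' | 'drop', reasons) for one query under the rules on this page.
    actions maps a message-type rule ID to its Action ("Pass" or "Drop"); default Pass."""
    udp = transport == "udp"
    actions = actions or {}
    reasons = []

    def trip(reason, udp_rule, tcp_rule=None):
        rule = udp_rule if udp else tcp_rule
        reasons.append(f"{reason}/{rule}" if rule else reason)

    if len(data) < 12:
        return "drop", ["truncated-header"]
    _, flags, qdcount, _, nscount, _ = struct.unpack("!6H", data[:12])
    if (flags >> 11) & 0xF != 0:                    # operation code is not Query
        trip("non-query-opcode", 110100900, 130000700)
    if qdcount != 1:                                # zero or multiple questions
        trip("invalid-question-count", 110100600, 130000800)
        return "drop", reasons
    try:
        labels, off = read_name(data, 12)
        qtype, qclass = struct.unpack("!2H", data[off:off + 4])
    except (IndexError, ValueError, struct.error):  # unparseable question
        trip("invalid-question-string", 110100800)
        return "drop", reasons
    if any(len(label) > 63 for label in labels):    # RFC 1035 label limit
        trip("label-too-long", 110100500)
    if sum(len(label) + 1 for label in labels) + 1 > 255:   # wire-format name limit
        trip("question-name-too-long", 110100400)
    if qclass not in VALID_CLASSES:
        trip("invalid-question-class", 110100700)
    # Authority section: an IXFR query carries exactly one SOA; any other query carries none.
    if qtype == IXFR and nscount != 1:
        trip("ixfr-authority-count", 130100500, 130100600)
    if qtype != IXFR and nscount != 0:
        trip("unexpected-authority", 110100850, 130300200)
    qname = ".".join(labels).lower()
    if udp and any(qname == d or qname.endswith("." + d) for d in DDOS_DOMAINS):
        reasons.append("potential-ddos-domain")
    rule = MESSAGE_TYPE_RULES.get((transport, qtype))
    if rule is not None and actions.get(rule, "Pass") == "Drop":
        reasons.append(f"message-type/{rule}")
    return ("drop" if reasons else "pass"), reasons
```

Feed check_query the DNS payload of a captured packet (everything after the UDP or TCP header, with the two-byte length prefix stripped for TCP) to see which rule would fire before you flip a message-type rule from Pass to Drop. Note that the same ANY query passes with the default Action and is dropped only once rule 130502800 is set to Drop, while the blocklist and the anomaly rules fire regardless of Action because they are auto rules.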

TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks: massive numbers of packets consume network bandwidth and server resources. They exploit the TCP and UDP transport protocols.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

130000100  System  WARN about high rate inbound UDP DNS queries
    Description: This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
    Enable/disable condition: Disabled by default
    Parameters: Packets per second (default = 40); Events per second (default = 1)
    Comments: Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered.
    NOTE: The Packets per second value configured for this rule should be less than that of rule 130000200.

130000200  System  WARN & BLOCK high rate inbound UDP DNS queries
    Description: This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
    Enable/disable condition: Disabled by default
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. This rule may be triggered if its Packets per second value is lower than that of custom rules created using the rate limiting templates.
    NOTE: The Packets per second value for this rule must be higher than that of rule 130000100.

130000300  System  WARN about high rate inbound TCP DNS queries
    Description: This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
    Enable/disable condition: Disabled by default
    Parameters: Packets per second (default = 5); Events per second (default = 1)
    Comments: Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered.
    NOTE: The Packets per second value configured for this rule should be less than that of rule 130000400.

130000400  System  WARN & BLOCK high rate inbound TCP DNS queries
    Description: This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
    Enable/disable condition: Disabled by default
    Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. This rule may be triggered if its Packets per second value is lower than that of custom rules created using the rate limiting templates.
    NOTE: DO NOT enable this rule along with rule 130000300.

DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H10 DNS DDoS Rules

200000001  System  NXDOMAIN rate limiting rule
    Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
    Enable/disable condition: Enabled by default
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.

200000002  System  NXRRSET rate limiting rule
    Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
    Enable/disable condition: Enabled by default
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.
    NOTE: NXRRSET responses are responses that contain no records and no answers but report no error.

200000003  System  SERVFAIL rate limiting rule
    Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
    Enable/disable condition: Enabled by default
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.
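The rules in Tables H9 and H10 share one mechanism: a per-source-IP packet rate is compared against Packets per second, the rule warns when the rate reaches the threshold and blocks the source for Drop interval when the rate exceeds it, and Events per second caps how many log lines the rule emits. The following Python model is an added example (not Infoblox code, and not a description of the appliance's internals): it implements that mechanism over a sliding one-second window and replays constructed traffic through the 130000100/130000200 pair and through rule 200000001. The one-second sliding window, the treatment of Events per second as a per-rule, per-second log budget, and all addresses and timings are assumptions made for the example. The `counts` argument generalizes the model beyond the flood rules: pass `counts=(rcode == 3)` for the NXDOMAIN rule, or `counts=(size > packet_size)` for the Packet size trigger of the anti-tunneling rules.

```python
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass
class RateRule:
    rule_id: int              # NIOS rule ID, used only for the log line
    packets_per_second: int   # the "Packets per second" parameter
    drop_interval: float = 0  # the "Drop interval" parameter (0 for warn-only rules)


@dataclass
class _Source:
    window: deque = field(default_factory=deque)  # timestamps of counted packets, last second
    blocked_until: float = 0.0


class WarnBlockLimiter:
    """Per-source-IP limiter: an optional warn rule (low threshold) paired with a
    warn-and-block rule (high threshold), as in rules 130000100/130000200."""

    def __init__(self, warn, block, events_per_second=1):
        if warn is not None and warn.packets_per_second >= block.packets_per_second:
            raise ValueError("the warn threshold must be below the block threshold")
        self.warn, self.block = warn, block
        self.events_per_second = events_per_second   # log budget per rule per second (assumption)
        self.sources = {}
        self.log = []                                 # (ts, src, rule_id, verdict) actually logged
        self._logged = Counter()                      # (rule_id, whole second) -> events logged

    def _emit(self, ts, src, rule_id, verdict):
        key = (rule_id, int(ts))
        if self._logged[key] < self.events_per_second:
            self._logged[key] += 1
            self.log.append((ts, src, rule_id, verdict))

    def observe(self, src, ts, counts=True):
        """Feed one packet; `counts` says whether it matches the rule's trigger
        (large query, NXDOMAIN response, ...). Returns pass, warn, block or drop."""
        st = self.sources.setdefault(src, _Source())
        if ts < st.blocked_until:
            return "drop"            # inside Drop interval: all traffic from this source is dropped
        if not counts:
            return "pass"
        st.window.append(ts)
        while st.window[0] <= ts - 1.0:
            st.window.popleft()
        rate = len(st.window)
        if rate > self.block.packets_per_second:
            st.blocked_until = ts + self.block.drop_interval
            st.window.clear()
            self._emit(ts, src, self.block.rule_id, "block")
            return "block"
        if rate == self.block.packets_per_second:
            self._emit(ts, src, self.block.rule_id, "warn")
            return "warn"
        if self.warn is not None and rate >= self.warn.packets_per_second:
            self._emit(ts, src, self.warn.rule_id, "warn")
            return "warn"
        return "pass"


def udp_flood_demo():
    """Constructed traffic through the 130000100/130000200 pair at the page defaults
    (40 pps warn, 1000 pps warn & block, 5 s Drop interval)."""
    limiter = WarnBlockLimiter(RateRule(130000100, 40), RateRule(130000200, 1000, 5.0))
    packets = [("10.0.0.5", i * 0.01) for i in range(50)]                  # 50 pps: warnings only
    packets += [("198.51.100.7", 1.0 + i * 0.0005) for i in range(1200)]   # 2000 pps burst
    packets += [("198.51.100.7", 10.0)]                                     # after the Drop interval
    verdicts = Counter(limiter.observe(src, ts) for src, ts in packets)
    return dict(verdicts), limiter.log


def nxdomain_demo():
    """Rule 200000001: only queries that drew NXDOMAIN (rcode 3) count toward the rate,
    but once the source is blocked all of its UDP DNS traffic is dropped."""
    limiter = WarnBlockLimiter(None, RateRule(200000001, 1000, 5.0), events_per_second=2)
    responses = [("10.0.0.9", i * 0.0004, 3 if i % 2 else 0) for i in range(2400)]
    verdicts = Counter(limiter.observe(src, ts, counts=(rcode == 3)) for src, ts, rcode in responses)
    return dict(verdicts), limiter.log
```

In udp_flood_demo the 2000 pps source is blocked on its 1001st packet and the remaining 199 packets of the burst are dropped, but with Events per second = 1 the block itself produces no log line because rule 130000200 already logged its warn in the same second; nxdomain_demo raises the budget to 2 and gets both lines. Whether the appliance applies the budget exactly this way is not stated on the page; the point the model makes is that Events per second throttles logging, not enforcement, which is also why the NAT'd-environment tuning advice in the Comments column targets Packets per second rather than Events per second.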

DNS Tunneling

DNS tunneling attacks tunnel another protocol through DNS on port 53, typically for data exfiltration. Outbound and inbound data is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the rules that are used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

130000500  System  RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
    Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attempts) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. A query counts as large when the DNS packet size exceeds the configured Packet size.
    Enable/disable condition: Disabled by default
    Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.

130000600  Auto  RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
    Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attempts) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. A query counts as large when the DNS packet size exceeds the configured Packet size.
    Enable/disable condition: Disabled by default
    Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.

200000004  System  DNS tunneling rate limiting rule
    Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. A response counts as large when the size of the TXT records in the DNS response exceeds the configured Packet size.
    Enable/disable condition: Enabled by default
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40)
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing: the attacker sets the source address of its DNS queries to the address of the intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification exploit the asymmetry of DNS over UDP (small requests, large responses) and the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address carried as the spoofed source of the original datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Because DNS runs over UDP and does not require a handshake, the protocol can be used to overwhelm a host or a network. A suitably crafted small query sent to any open DNS resolver can produce a single response of several kilobytes or more that is delivered to the unwitting spoofed victim. (Without EDNS0, a UDP response is limited to 512 bytes and larger answers must fall back to TCP; the responses produced in these attacks commonly exceed the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks carrying hundreds of gigabytes of data. Attackers may also


use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate limiting to prevent abuse even while supporting open recursive DNS servers, so issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

130400100  Auto  WARN & DROP DoS DNS possible reflection/amplification attack attempts
    Description: This rule warns if any source IP sends UDP DNS packets that look like possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query type is ANY.
    Enable/disable condition: Enabled by default
    Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders, and VPN concentrators.

130400500  System  RATE LIMIT PASS UDP DNS root requests with additional RRs
    Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic reaches the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable/disable condition: Disabled by default
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

130400600  System  RATE LIMIT PASS UDP DNS root requests
    Description: This rule passes UDP DNS root requests until the traffic reaches the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable/disable condition: Disabled by default
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to secure NTP traffic on your advanced appliance. These rules cover the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H13 NTP Rules

130600100  Auto  RATELIMIT PASS NTP TIME responses
    Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic reaches the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
    Enable/disable condition: Enabled when the NTP client is enabled
    Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

130600120  Auto  DROP NTP TIME responses
    Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
    Enable/disable condition: Enabled when the NTP client is disabled
    Parameters: Events per second (default = 1)

200001001  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks consisting of frequent unauthenticated inbound GET_RESTRICT requests with implementation code 0x02. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
    Enable/disable condition: Enabled when the NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001005  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks consisting of frequent unauthenticated inbound GET_RESTRICT requests with implementation code 0x03. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
    Enable/disable condition: Enabled when the NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001010  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks consisting of frequent unauthenticated inbound PEER_LIST_SUM requests with implementation code 0x02. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
    Enable/disable condition: Enabled when the NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001015  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks consisting of frequent unauthenticated inbound PEER_LIST_SUM requests with implementation code 0x03. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
    Enable/disable condition: Enabled when the NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001020  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks consisting of frequent unauthenticated inbound PEER_LIST requests with implementation code 0x02. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
    Enable/disable condition: Enabled when the NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001025  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks consisting of frequent unauthenticated inbound PEER_LIST requests with implementation code 0x03. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
    Enable/disable condition: Enabled when the NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001050  Auto  RATELIMIT PASS NTPQ IPv4 requests
    Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic reaches the rate limit (Packets per second). It then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
    Enable/disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
    Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic reaches the rate limit (Packets per second). It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable/disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
    Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic reaches the rate limit (Packets per second). It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
    Enable/disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
    Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic reaches the rate limit (Packets per second). It then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
    Enable/disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
    Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic reaches the rate limit (Packets per second). It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable/disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001075 Auto RATELIMIT PASS NTP

private mode IPv6requests

This rule passes UDP NTP

private mode 7 requestsfrom NTP IPv4 ACLs untilthe traffic hits the rate limit( Packets per second ) valueIt then blocks allsubsequent NTP privatemode 7 traffic for a timespecified in Drop interval

Enabled when

NTP IPv6 ACLs aredefined If noACLs are definedand the NTPserver is enabledthe default ACLsare enabled andthis rule isdisabled

Packets per second

(default = 10)Drop interval

(default =60seconds)

Events per second (default = 1)

200001100 Auto DROP NTPQ requestsunexpected

When NTP service isdisabled this rule drops allUDP NTPQ requests

Enabled whenNTP service isdisabled on thismember

Events per second (default=1)

200001105 Auto DROP NTP TIMErequests unexpected

When NTP service isdisabled this rule drops allUDP NTP TIME requests

Enabled whenNTP service isdisabled on thismember

Events per second (default=1)

200001110 Auto DROP NTP privatemode requestsunexpected

When NTP service isdisabled this rule drops allUDP NTP private mode 7requests

Enabled whenNTP service isdisabled on thismember

Events per second (default=1)

200001115 Auto DROP invalid NTPrequests

When NTP service isdisabled this rule drops allinvalid UDP NTP requests

Enabled whenNTP service isdisabled on thismember

Events per second (default=1)


BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

130700100  Auto  DROP BGP header length shorter than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
  Enable/Disable condition: Enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700200  Auto  DROP BGP header length longer than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
  Enable/Disable condition: Enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700300  Auto  DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
  Enable/Disable condition: This rule is enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700400  Auto  DROP BGP invalid type 0
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
  Enable/Disable condition: This rule is enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700500  Auto  DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
  Enable/Disable condition: This rule is enabled when BGP service on this member is configured.
  Parameters: Events per second (default = 1)

130700550  Auto  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
  Description: This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130700650  Auto  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)


130700700  Auto  RATELIMIT PASS BGP allowed with IPv6 peer
  Description: This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130800100  Auto  DROP BGP unexpected
  Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
  Enable/Disable condition: This rule takes effect when BGP service on this member is NOT configured.
  Parameters: Events per second (default = 1)
  Comments: This rule is exclusive with other rules based on whether BGP is configured on the member or not.

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules


130900300  Auto  DROP OSPF unexpected
  Description: This rule drops unexpected OSPF packets.
  Enable/Disable condition: This rule takes effect when OSPF service on this member is NOT configured.
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for all packets on the OSPF service port.

130900400  Auto  RATELIMIT PASS OSPF multicast
  Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: This rule takes effect when OSPF service on this member is configured for IPv4.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100)

130900500  Auto  RATELIMIT PASS OSPF IPv6 multicast
  Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: This rule takes effect when OSPF service on this member is configured for IPv6.
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100)

130900600  Auto  RATELIMIT PASS OSPF
  Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: This rule takes effect when OSPF service on this member is configured.
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)
  Comments: This rule works for both IPv4 and IPv6.


ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

130400200  Auto  DROP ICMP large packets
  Description: This rule drops large ICMP packets (bigger than 800).
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1)

130900100  Auto  RATE LIMIT PASS ICMP Ping
  Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130900200  Auto  RATE LIMIT PASS ICMPv6 Ping
  Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130900700  Auto  RATELIMIT PASS ICMPv6 destination unreachable
  Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100)

130900800  Auto  RATELIMIT PASS ICMPv6 packet too big
  Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100)

130900900  Auto  RATELIMIT PASS ICMPv6 ping responses
  Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130901000  Auto  RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)


130901100  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)


130901900  Auto  RATELIMIT PASS ICMPv6 listener query
  Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
  Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
  Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
  Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902300  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902400  Auto  RATELIMIT PASS ICMPv6 multicast router solicitation
  Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902500  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
  Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)


130902700  Auto  RATELIMIT PASS ICMP router advertisement
  Description: This rule passes ICMP router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
  Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
  Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
  Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
  Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903400  Auto  RATELIMIT ICMP port unreachable
  Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 10); Drop Interval (default = 10 sec); Packets per second (default = 50)


130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
  Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules


100000050  System  EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
  Enable condition: Enabled by default
  Parameters: N/A

140000100  System  DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
  Description: This rule passes all TCP established packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 0)

140000500  System  DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600  System  DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700  System  DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800  System  DROP unexpected protocol
  Description: This rule drops any unexpected protocol packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This is a catch-all rule that drops anything that does not match any other rule in the system.


HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

140000750  Auto  PASS VRRP
  Description: This rule passes packets that go through VRRP for HA support.
  Enable condition: Enabled if HA is configured
  Parameters: N/A

140000760  Auto  PASS IGMP
  Description: This rule passes packets that go through IGMP for HA support.
  Enable condition: Enabled if HA is configured
  Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using a semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using a semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:


  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.

  - Drop interval: Enter the number of seconds for which the appliance drops packets.

  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets for this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

  - Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, for the configured drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

  - Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, for the configured drop interval, when the UDP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.


Overview of Packet Flow

Threat protection rules are designed to work together to provide maximum protection for your environment. This section describes how these rules are applied and how you can tune some of them to suit your system setup and network environment.

Threat protection rules are grouped by rule categories, and most of them have one or more associated rule parameters. Depending on the rule, you may or may not be able to override the default values for the following rule parameters (if applicable):

• Packets per second: The rate limit, or the number of packets per second that the appliance processes before it performs a triggered action such as sending warnings or blocking traffic.

• Drop interval: The time period (in seconds) for which the appliance blocks all traffic from the client, or traffic that matches a certain pattern, beyond the rate limit.

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) stops the appliance from logging events for the rule. Most rules have this parameter, and the default value is 1.

• Packet size: The DNS packet size. If the DNS packet size exceeds a certain value, the corresponding rule is triggered.

All incoming packets are filtered through the enabled rules in the order listed in Table H.1. Note that rules are displayed in the same order in Grid Manager. For more information, see Viewing Threat Protection Rules on page 1352. You cannot change the filtering order of these rules. Incoming packets are screened by the first rule and proceed through the subsequent rules until they reach the last rule on the list, provided that no rule in between drops or passes them based on its matching conditions and rule criteria.

Depending on the rule, the following actions can be taken:

• Rate-limiting and pass (magenta): Based on the configured rate limit, these rules drop incoming packets if the packet rate hits the rate limit. Otherwise, the packets are passed.

• Rate-limiting (blue): Based on the configured rate limit, these rules drop incoming packets if they hit the rate limit. Otherwise, the packets are screened by subsequent rules for further actions.

• Drop (salmon): These rules drop any incoming packets that match specific conditions and rule criteria.

• Pass (green): These rules pass any incoming packets that match specific conditions and rule criteria.

Note: All rate limiting rules, including custom rules, operate on a per source IP basis.
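The packet flow just described (rules applied in a fixed order; rate-limiting and pass versus rate-limiting, which only drops sources over the limit and otherwise falls through; per source IP counting with a drop interval), together with the whitelist and rate-limited IP custom rule templates and the per-record-type Pass/Drop action of the DNS record type rules in the DNS Message Type section, modelled in Python. This is an added example written for this page, not Infoblox's implementation. The chain composition, the rule names, the 192.0.2.10 whitelist entry, the 198.51.100.0/24 rate-limited network, the 203.0.113.5 client and the override of the ANY record rule to Drop are constructed assumptions; 5 packets per second and a 30 second drop interval are the template defaults stated on this page, and the counter is simplified to fixed one-second windows.

```python
# Illustrative model of the ordered rule chain described above (added example,
# not Infoblox code). Rate limits are counted per source IP with a drop interval.
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

QTYPE_A, QTYPE_ANY = 1, 255

@dataclass
class Packet:
    src_ip: str
    proto: str       # "udp" or "tcp"
    ts: float        # arrival time in seconds
    payload: bytes   # DNS message, or b"" for non-DNS traffic

class SourceRateLimiter:
    """Per-source-IP packets-per-second counter that enforces a drop interval."""
    def __init__(self, pps: int, drop_interval: float):
        self.pps, self.drop_interval = pps, drop_interval
        self._window: Dict[str, Tuple[int, int]] = {}  # ip -> (second, count)
        self._blocked_until: Dict[str, float] = {}

    def over_limit(self, ip: str, ts: float) -> bool:
        if ts < self._blocked_until.get(ip, 0.0):
            return True                                   # still inside the drop interval
        start, count = self._window.get(ip, (int(ts), 0))
        count = count + 1 if start == int(ts) else 1      # reset on a new one-second window
        self._window[ip] = (int(ts), count)
        if count > self.pps:
            self._blocked_until[ip] = ts + self.drop_interval
        return count > self.pps

def query_qtype(payload: bytes) -> Optional[int]:
    """QTYPE of the first question of a DNS query; None if malformed or a response."""
    try:
        _, flags, qdcount, _, _, _ = struct.unpack("!6H", payload[:12])
        if flags & 0x8000 or qdcount < 1:
            return None
        pos = 12
        while payload[pos] != 0:                          # walk the question name
            if payload[pos] & 0xC0:
                return None                               # compression pointer: not allowed here
            pos += 1 + payload[pos]
        return struct.unpack("!H", payload[pos + 1:pos + 3])[0]
    except (struct.error, IndexError):
        return None                                       # truncated packet

@dataclass
class Rule:
    name: str
    kind: str        # "pass" | "drop" | "ratelimit_pass" | "ratelimit"
    match: Callable[[Packet], bool]
    limiter: Optional[SourceRateLimiter] = None

    def apply(self, pkt: Packet) -> Optional[str]:
        """Return "PASS" or "DROP", or None to let later rules decide."""
        if not self.match(pkt):
            return None
        if self.kind in ("pass", "drop"):
            return self.kind.upper()
        if self.limiter.over_limit(pkt.src_ip, pkt.ts):
            return "DROP"                                 # rate hit: source blocked
        return "PASS" if self.kind == "ratelimit_pass" else None

def run_chain(rules: List[Rule], pkt: Packet) -> str:
    """Screen a packet through the rules in order; traffic no rule accepts is dropped."""
    return next((v for v in (r.apply(pkt) for r in rules) if v is not None), "DROP")

def build_chain() -> List[Rule]:
    # Constructed chain: whitelist before rate limiting, a rate-limited network using
    # the template defaults on this page (5 pps, 30 second drop interval), and the
    # DNS ANY record rule overridden from Pass to Drop. Documentation addresses only.
    whitelist = {"192.0.2.10"}
    return [
        Rule("WHITELIST IP UDP", "pass", lambda p: p.proto == "udp" and p.src_ip in whitelist),
        Rule("RATELIMITED IP UDP", "ratelimit",
             lambda p: p.proto == "udp" and p.src_ip.startswith("198.51.100."),
             SourceRateLimiter(pps=5, drop_interval=30)),
        Rule("DNS ANY record", "drop", lambda p: query_qtype(p.payload) == QTYPE_ANY),
        Rule("Expected DNS query", "pass", lambda p: query_qtype(p.payload) is not None),
    ]

def dns_query(qname: str, qtype: int) -> bytes:
    """Constructed sample query: standard header, one question, class IN."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)

def demo() -> Dict[str, object]:
    chain, q = build_chain(), dns_query("www.example.", QTYPE_A)
    whitelisted = [run_chain(chain, Packet("192.0.2.10", "udp", 100 + i / 20, q)) for i in range(20)]
    burst = [run_chain(chain, Packet("198.51.100.7", "udp", 200 + i / 10, q)) for i in range(8)]
    return {
        "whitelisted_pass": whitelisted.count("PASS"),  # 20: passed before any rate limit
        "burst_pass": burst.count("PASS"),              # 5: under the limit, fall through to pass
        "burst_drop": burst.count("DROP"),              # 3: over the limit, source blocked
        "during_interval": run_chain(chain, Packet("198.51.100.7", "udp", 215.0, q)),
        "after_interval": run_chain(chain, Packet("198.51.100.7", "udp", 240.0, q)),
        "any_query": run_chain(chain, Packet("203.0.113.5", "udp", 300.0, dns_query("example.", QTYPE_ANY))),
        "malformed": run_chain(chain, Packet("203.0.113.5", "udp", 301.0, q[:20])),
    }
```

Running demo() separates the three behaviours a tuning engineer needs to keep apart: a whitelisted source at 20 packets per second passes untouched because its rule sits before the rate limit; a source sending 8 packets in one second passes its first five and is then blocked for the whole drop interval, so a packet 15 seconds later is still dropped while one after 40 seconds passes again; and the record type rule acts on the QTYPE in the question section, so a malformed query never matches it and falls through to the final drop.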

Table H.1 Flow Order for Threat Protection Rules

Conditions (if any) | Rule Category | Rule Name | Action | Reference
(none) | DNS Cache Poisoning | DNS responses | Rate-limiting and Pass | DNS Cache Poisoning
Configured with external DNS primaries | DNS Message Type | IXFR/AXFR responses | Rate-limiting and Pass | DNS Message Type
Allow DDNS updates | DNS Message Type | DNS Updates | Rate-limiting and Pass | DNS Message Type
(none) | General DDoS | General DDoS | Drop | General DDoS
(none) | Reconnaissance | Reconnaissance | Drop | Reconnaissance
(none) | DNS Malware | DNS Malware | Drop | DNS Malware
(none) | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies
(none) | User-defined Whitelist UDP Packets | User-defined Whitelist UDP Packets | Pass | Custom Rule Templates
(none) | User-defined Whitelist TCP Packets | User-defined Whitelist TCP Packets | Pass | Custom Rule Templates
(none) | User-defined Blacklist UDP Packets | User-defined Blacklist UDP Packets | Drop | Custom Rule Templates
(none) | User-defined Blacklist TCP Packets | User-defined Blacklist TCP Packets | Drop | Custom Rule Templates
(none) | User-defined rate-limiting IP and Network UDP Packets | User-defined rate-limiting IP and Network UDP Packets | Rate-limiting | Custom Rule Templates
(none) | User-defined rate-limiting IP and Network TCP Packets | User-defined rate-limiting IP and Network TCP Packets | Rate-limiting | Custom Rule Templates
(none) | User-defined rate-limiting FQDN | User-defined rate-limiting FQDN | Rate-limiting | Custom Rule Templates
(none) | User-defined Blacklist FQDN | User-defined Blacklist FQDN | Drop | Custom Rule Templates
(none) | Potential DDoS related domains | Potential DDoS related domains | Drop | Potential DDoS Related Domains
(none) | TCP/UDP Floods | High Rate inbound DNS Queries | Rate-limiting | TCP/UDP Flood
(none) | DNS DDoS | NXDomain, NXRRset, ServFail DNS Response | Rate-limiting | DNS DDoS
(none) | DNS Tunneling | DNS Tunneling | Rate-limiting | DNS Tunneling
(none) | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies
Incoming zone transfer is allowed | DNS Message Type | DNS IXFR/AXFR Requests | Rate-limiting and Pass | DNS Message Type
Incoming zone transfer is allowed | DNS Message Type | Invalid DNS IXFR Queries | Drop | DNS Message Type
Incoming zone transfer is not allowed | DNS Message Type | DNS AXFR/IXFR Requests | Drop | DNS Message Type
(none) | DNS Malware | DNS Malware | Drop | DNS Malware
(none) | DNS Amplification and Reflection | DNS Amplification and Reflection | Rate-limiting | DNS Amplification and Reflection
(none) | DNS Message Type | DNS Query Types | Drop/Pass depending on the configured action | DNS Message Type
NTP client is enabled | NTP | NTP Server Responses | Rate-limiting and Pass | NTP
NTP client is disabled | NTP | NTP Client Requests | Drop | NTP
NTP server is enabled | NTP | NTP Vulnerability Rules | Rate-limiting | NTP
NTP server is enabled | NTP | NTP Rate-limiting Rules based on NTP ACL Data | Rate-limiting and Pass | NTP
NTP server is disabled | NTP | Invalid NTP Packets | Drop | NTP
BGP is enabled | BGP | Invalid BGP Packets | Drop | BGP
BGP is enabled | BGP | BGP Packets | Rate-limiting and Pass | BGP
BGP is disabled | BGP | BGP Packets | Drop | BGP
(none) | ICMP | ICMP Pings | Rate-limiting and Pass | ICMP
OSPF is enabled | OSPF | OSPF Packets | Rate-limiting and Pass | OSPF
OSPF is disabled | OSPF | OSPF Packets | Drop | OSPF
(none) | ICMP | ICMPv6 Pings | Rate-limiting and Pass | ICMP
(none) | Default Pass/Drop | Unexpected DNS Packets | Drop | Default Pass/Drop
(none) | Default Pass/Drop | TCP/UDP/ICMP Packets | Drop | Default Pass/Drop
(none) | HA Support | HA Communication Packets | Pass | HA Support
(none) | Default Pass/Drop | Unexpected Packets | Drop | Default Pass/Drop


Tuning Rule Parameters

All threat protection rules contain rule parameters that you may or may not be able to configure. Rule parameters are predefined with default values that generally suit most network environments. However, there are times when you have special setups or configurations in your environment that require special attention. In these cases, you may need to change some of the rule parameters to obtain optimal protection without sacrificing system performance.

Table H.2 lists specific conditions and the corresponding rules that may require tuning when they are enabled. You can view tuning suggestions in the Comments column for each of the following conditions.

Table H.2 Tunable Rules

Conditions | Rule(s) that Require Tuning | Reference
Your appliance is configured as an authoritative DNS server | Rule 100000100 in the DNS Cache Poisoning category | DNS Cache Poisoning Rules
Your DNS server is configured as the secondary server with external primaries and it serves a large number of zones | Rules 100100100 to 100100201 in the DNS Message Type category | DNS Message Type Rules
You have enabled TCP/UDP Flood system rules and your network environment consists of the following: NATed environments, static forwarders, or VPN concentrators | All rules in the TCP/UDP Flood category | TCP/UDP Flood Rules
You have enabled DNS DDoS system rules and your network environment consists of the following: NATed environments, static forwarders, or VPN concentrators | Rules 200000001 to 200000003 in the DNS DDoS category | DNS DDoS Rules
You have enabled DNS Tunneling system rules and your network environment consists of the following: NATed environments, static forwarders, and VPN concentrators | All rules in the DNS Tunneling category | Anti DNS Tunneling Rules
Your DNS server is configured to allow incoming IPv4 and IPv6 zone transfer requests and it serves a large number of zones | Rules 130100100 to 130100401 in the DNS Message Type category | DNS Message Type Rules
You have enabled DNS Amplification and Reflection system rules | All rules in the DNS Amplification and Reflection category | DNS Amplification and Reflection Rules


DNS Cache Poisoning

DNS cache poisoning involves inserting a false address record for an Internet domain into a DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails go to the attacker's address. Cache poisoning attacks such as the "birthday paradox" attack use brute force, flooding DNS responses and queries at the same time in the hope of getting a match on one of the responses and poisoning the cache.

The following table lists the auto rules that Advanced DNS Protection uses to mitigate DNS cache poisoning on your advanced appliance.

Table H.3 DNS Cache Poisoning Rules

Each rule entry gives the Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters and Comments.

Rule 100000100 (Auto): EARLY PASS UDP response traffic
  Description: This rule passes UDP DNS response packets (from upstream DNS servers or external DNS primaries) if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Packets per second (default = 30000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a smaller number if your system is serving authoritative DNS. NOTE: If you set the parameter incorrectly, the rule could block legitimate DNS responses from upstream DNS servers, which could cause the DNS server to exceed its quota.

Rule 100000200 (Auto): EARLY PASS TCP response traffic
  Description: This rule passes TCP DNS responses initiated by the appliance.
  Enable/Disable condition: Always enabled
  Parameters: Packets per second (default = 100)
  Comments: Consider raising the Packets per second value if DNSSEC is enabled.

Rule 100000300 (Auto): PASS ACK packets from NIOS initiated connections
  Description: This rule passes TCP ACK packets for DNS or BGP from NIOS initiated connections if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Packets per second (default = 600); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider raising the Packets per second value if DNSSEC is enabled.

DNS Message Type

The following table lists the system and auto rules that are used to mitigate DNS message type attacks on your advanced appliance.

All rules for DNS record types are system rules. By default, they are configured as Pass rules. You can override this and change the rule action to Drop. Note that when you do so, the appliance drops all DNS packets that contain the requested record type.

Table H.4 DNS Message Type Rules

Each rule entry gives the Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters and Comments.


Rule 100100100 (Auto): EARLY PASS IPv4 UDP Notify messages
  Description: This rule passes IPv4 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.


Rule 100100101 (Auto): EARLY PASS IPv6 UDP Notify messages
  Description: This rule passes IPv6 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

Rule 100100200 (Auto): EARLY PASS IPv4 TCP Notify messages
  Description: This rule passes IPv4 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

Rule 100100201 (Auto): EARLY PASS IPv6 TCP Notify messages
  Description: This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

Rule 100100300 (Auto): EARLY PASS IPv4 UDP Notify messages for DDNS update
  Description: This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if DDNS update is enabled for IPv4 clients
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

Rule 100100350 (Auto): EARLY PASS IPv6 UDP Notify messages for DDNS update
  Description: This rule passes IPv6 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if DDNS update is enabled for IPv6 clients
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

Rule 130100100 (Auto): RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests
  Description: This rule passes IPv4 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130100101 (Auto): RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests
  Description: This rule passes IPv6 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130100200 (Auto): RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests
  Description: This rule passes IPv4 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.


Rule 130100201 (Auto): RATELIMIT PASS IPv6 TCP DNS AXFR zone transfer requests
  Description: This rule passes IPv6 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130100300 (Auto): RATELIMIT PASS IPv4 UDP DNS IXFR zone transfer requests
  Description: This rule passes IPv4 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130100301 (Auto): RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests
  Description: This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130100400 (Auto): RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests
  Description: This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130100401 (Auto): RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests
  Description: This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

Rule 130200100 (Auto): DROP UDP DNS AXFR zone transfer requests
  Description: This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)

Rule 130200200 (Auto): DROP TCP DNS AXFR zone transfer requests
  Description: This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)

Rule 130200300 (Auto): DROP UDP DNS IXFR zone transfer requests
  Description: This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)

Rule 130200400 (Auto): DROP TCP DNS IXFR zone transfer requests
  Description: This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter.
  Enable/Disable condition: Enabled if Infoblox DNS does not allow incoming zone transfer requests
  Parameters: Events per second (default = 1)


130500100 System DNS A record You can configure this rule to passor drop UDP packets that containA record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130500200 System DNS AAAA record You can configure this rule to passor drop UDP packets that contain

AAAA record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130500300 System DNS CNAMErecord

You can configure this rule to passor drop UDP packets that containCNAME record request Thedefault Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130500400 System DNS DS record You can configure this rule to passor drop UDP packets that containDS record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130500500 System DNS PTR record You can configure this rule to passor drop UDP packets that containPTR record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130500600 System DNS NS record You can configure this rule to passor drop UDP packets that containNS record request The defaultAction = Pass

Enabled bydefault

Action (default = Pass)

Events per second (default = 1)

130500700 System DNS NSEC record You can configure this rule to passor drop UDP packets that containNSEC record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130500800 System DNS NSEC3record

You can configure this rule to passor drop UDP packets that containNSEC3 record request Thedefault Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130500900 System DNSNSEC3PARAMrecord

You can configure this rule to passor drop UDP packets that containNSEC3PARAM record request The

default Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second

(default = 1)

130501000 System DNS MX record You can configure this rule to passor drop UDP packets that containMX record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130501100 System DNS SRV record You can configure this rule to passor drop UDP packets that containSRV record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130501200 System DNS TXT record You can configure this rule to passor drop UDP packets that containTXT record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130501300 System DNS DNAME

record

You can configure this rule to pass

or drop UDP packets that containDNAME record request Thedefault Action = Pass

Enabled by

default

Action

(default = Pass)Events per second (default = 1)

130501400 System DNS RRSIG record You can configure this rule to passor drop UDP packets that containRRSIG record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130501500 System DNS NAPTRrecord

You can configure this rule to passor drop UDP packets that containNAPTR record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

Rule ID

Rule

Type

Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 930

DNS Message Type

NIOS 612 NIOS Administrator Guide (Rev A) 1505

130501600 System DNS DNSKEYrecord

You can configure this rule to passor drop UDP packets that containDNSKEY record request Thedefault Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130501700 System DNS SPF record You can configure this rule to passor drop UDP packets that contain

SPF record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130501800 System DNS DHCIDrecord

You can configure this rule to passor drop UDP packets that containDHCID record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130501900 System DNS SOA record You can configure this rule to passor drop UDP packets that containSOA record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130502000 System DNS SIG record You can configure this rule to passor drop UDP packets that containSIG record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130502100 System DNS LOC record You can configure this rule to passor drop UDP packets that containLOC record request The defaultAction = Pass

Enabled bydefault

Action (default = Pass)

Events per second (default = 1)

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130502200 | System | DNS SSHFP record | You can configure this rule to pass or drop UDP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502300 | System | DNS IPSECKEY record | You can configure this rule to pass or drop UDP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502400 | System | DNS TKEY record | You can configure this rule to pass or drop UDP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502500 | System | DNS TSIG record | You can configure this rule to pass or drop UDP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502600 | System | DNS TA record | You can configure this rule to pass or drop UDP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502700 | System | DNS DLV record | You can configure this rule to pass or drop UDP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502800 | System | DNS ANY record | You can configure this rule to pass or drop UDP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502900 | System | DNS A record TCP | You can configure this rule to pass or drop TCP packets that contain A record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503000 | System | DNS AAAA record TCP | You can configure this rule to pass or drop TCP packets that contain AAAA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503100 | System | DNS CNAME record TCP | You can configure this rule to pass or drop TCP packets that contain CNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503200 | System | DNS DS record TCP | You can configure this rule to pass or drop TCP packets that contain DS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503300 | System | DNS PTR record TCP | You can configure this rule to pass or drop TCP packets that contain PTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503400 | System | DNS NS record TCP | You can configure this rule to pass or drop TCP packets that contain NS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503500 | System | DNS NSEC record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503600 | System | DNS NSEC3 record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3 record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503700 | System | DNS NSEC3PARAM record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3PARAM record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503800 | System | DNS MX record TCP | You can configure this rule to pass or drop TCP packets that contain MX record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain SRV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain TXT record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain DNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain RRSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain NAPTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain SPF record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain SOA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain SIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504900 | System | DNS ROC record TCP | You can configure this rule to pass or drop TCP packets that contain ROC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |

General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |
| 130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables logging of events for the rule on the appliance. The default value is 10.

Table H6 Reconnaissance Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1) | |
| 110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1) | |


DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of FaceBook messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) | |
| 130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare. | Always enabled | Events per second (default = 1) | |
| 130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server. | Always enabled | Events per second (default = 1) | |

DNS Protocol Anomalies

DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.

The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) | |
| 110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when the DNS Label in the name being queried is too long. | Always enabled | Events per second (default = 1) | |
| 110100600 | Auto | EARLY DROP UDP query invalid question count | This rule drops UDP DNS packets when the number of entries in the question section is invalid. | Always enabled | Events per second (default = 1) | |
| 110100700 | Auto | EARLY DROP UDP query invalid question class | This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid. | Always enabled | Events per second (default = 1) | |
| 110100800 | Auto | EARLY DROP UDP query invalid question string | This rule drops UDP DNS packets that contain an invalid question string. | Always enabled | Events per second (default = 1) | |
| 110100850 | Auto | EARLY UDP drop invalid DNS query with Authority | This rule drops UDP DNS queries that contain an invalid AUTHORITY entry. | Always enabled | Events per second (default = 1) | |
| 110100900 | Auto | EARLY DROP query multiple questions or non query operation code | This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000700 | Auto | EARLY DROP TCP non-DNS query | This rule drops TCP packets when the operation code is not Query. | Always enabled | Events per second (default = 1) | |
| 130000800 | Auto | EARLY DROP TCP query multiple questions | This rule drops TCP DNS packets when there are multiple questions being queried at one time. | Always enabled | Events per second (default = 1) | |
| 130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority | This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority | This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
| 130300200 | Auto | DROP TCP invalid DNS query with Authority | This rule drops TCP DNS queries that contain invalid Authority entries. | Always enabled | Events per second (default = 1) | |

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.


TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200. |
| 130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100. |
| 130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400. |
| 130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300. |
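The paired warn and warn-and-block rules in Table H9 (130000100 with 130000200 for UDP, 130000300 with 130000400 for TCP) are easiest to reason about as a small simulation: a source is warned about when it reaches the low threshold, warned about again at the high threshold, and blocked for the Drop interval once it exceeds the high threshold. The following is an added example, not Infoblox code; the one-second counting window and once-per-window logging are assumptions, since the page does not describe the appliance's internals.

```python
"""Simulation of the paired WARN / WARN & BLOCK rate rules from Table H9
(130000100 and 130000200 for UDP; 130000300 and 130000400 for TCP).

Added example, not Infoblox code. Assumptions: packets from a source are
counted per one-second window, and each warning is logged once per window
(mirroring Events per second = 1). The constructor enforces the table's NOTE
that the low (warn) threshold must be below the high (block) threshold.
"""
from collections import defaultdict


class PairedRateRules:
    def __init__(self, warn_pps=40, block_pps=1000, drop_interval=5.0):
        # Table NOTE: the Packets per second of 130000100 must be less than that of 130000200.
        if warn_pps >= block_pps:
            raise ValueError("warn threshold must be lower than block threshold")
        self.warn_pps = warn_pps
        self.block_pps = block_pps
        self.drop_interval = drop_interval
        self._count = defaultdict(int)   # packets seen from a source in the current window
        self._window = {}                # start second of the current window per source
        self._blocked_until = {}         # source -> time at which its block expires
        self.events = []                 # (time, source, message) log entries

    def handle(self, src, t):
        """Apply the rules to one inbound DNS packet from src at time t.

        Returns "PASS", "WARN" (packet passed, warning logged) or "DROP".
        """
        until = self._blocked_until.get(src)
        if until is not None:
            if t < until:
                return "DROP"                 # still inside the Drop interval
            del self._blocked_until[src]      # block expired: counting starts over,
            self._count[src] = 0              # even inside the same window
        window = int(t)
        if self._window.get(src) != window:
            self._window[src] = window
            self._count[src] = 0
        self._count[src] += 1
        n = self._count[src]
        if n > self.block_pps:
            # Rate exceeded the high threshold: block the source for Drop interval.
            self._blocked_until[src] = t + self.drop_interval
            self.events.append((t, src, "130000200 block"))
            return "DROP"
        if n == self.block_pps:               # rate equals the high threshold: warn only
            self.events.append((t, src, "130000200 warn"))
            return "WARN"
        if n == self.warn_pps:                # rate reached the low threshold
            self.events.append((t, src, "130000100 warn"))
            return "WARN"
        return "PASS"


def replay(rules, trace):
    """Feed a constructed trace of (time, source) packets in time order and tally verdicts."""
    tally = defaultdict(lambda: {"PASS": 0, "WARN": 0, "DROP": 0})
    for t, src in sorted(trace):
        tally[src][rules.handle(src, t)] += 1
    return dict(tally)


def demo_trace():
    """Constructed trace: one source bursts 12 packets, retries while blocked, then returns."""
    burst = [(i * 0.01, "10.0.0.1") for i in range(12)]
    return burst + [(3.0, "10.0.0.1"), (6.0, "10.0.0.1"), (0.05, "10.0.0.2")]
```

With warn_pps=5, block_pps=10 and a 5-second Drop interval, the bursting source gets two warnings, is dropped from its 11th packet onward, is still dropped at t=3.0, and passes again at t=6.0.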


DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H10 DNS DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers, and NO errors. |
| 200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |


DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification exploits UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, a small query sent to any open DNS resolver can result in a single response containing several kilobytes or more that is sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders, and VPN concentrators. |
| 130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | |
| 130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H13 NTP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | |
| 130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) | |
| 200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2130

BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H.14 BGP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130700100 | Auto | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured. | Events per second (default = 1) | |
| 130700200 | Auto | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured. | Events per second (default = 1) | |
| 130700300 | Auto | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset. | This rule is enabled when BGP service on this member is configured. | Events per second (default = 1) | |
| 130700400 | Auto | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0. | This rule is enabled when BGP service on this member is configured. | Events per second (default = 1) | |
| 130700500 | Auto | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured. | Events per second (default = 1) | |
| 130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers. | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | |
| 130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers. | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | |
| 130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers. | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | |
| 130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers. | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10) | |
| 130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured. | Events per second (default = 1) | This rule is exclusive with other rules, based on whether BGP is configured on the member or not. |

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H.15 OSPF Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured. | Events per second (default = 1) | Default drop rule for all packets on the OSPF service port. |
| 130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4. | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100) | |
| 130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6. | Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100) | |
| 130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured. | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | This rule works for both IPv4 and IPv6. |

ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H.16 ICMP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default = 1) | |
| 130900100 | Auto | RATELIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130900200 | Auto | RATELIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100) | |
| 130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100) | |
| 130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902300 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902400 | Auto | RATELIMIT PASS ICMPv6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902500 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problems if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50) | |
| 130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903400 | Auto | RATELIMIT ICMP port unreachable | This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default = 10); Drop interval (default = 10 sec); Packets per second (default = 50) | |
| 130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50) | |

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H.17 Default Pass/Drop Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | N/A | |
| 140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default = 1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet. |
| 140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default = 1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet. |
| 140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default = 0) | |
| 140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default = 0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default = 0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default = 0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default = 0) | This is a catch-all rule that drops anything that does not match any other rules in the system. |

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2830

1524 NIOS Administrator Guide (Rev A) NIOS 612

HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router RedundancyProtocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support

Table H18 HA Support Rules

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules Notethat when you use a specific rule template to create custom rules the new rules reside in their respective rulecategories For information about custom rules and creating custom rules see Custom Rules on page 1341 andCreating Custom Rules on page 1343

For each rule you create you can define the Events per second value to determine the number of events per secondthat will be logged for the rule You can also define specific rule parameters for custom rules as follows

Note Custom rules do not support IDNs (Internationalized Domain Names) To use IDNs for custom rules you mustfirst convert the IDNs into puny codes You can use the IDN Converter from the Toolbar for the conversion

bull BLACKLIST FQDN lookup TCP Use this rule template to create custom rules for blacklisting DNS queries by FQDNlookups on TCP In the Rule Parameters table complete the following

mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over TCP traffic You can also enter alist of FQDNs using semicolon as the separator

bull BLACKLIST FQDN lookup UDP Use this rule template to create custom rules for blacklisting DNS queries byFQDN lookups on UDP In the Rule Parameters table complete the following

mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over UDP traffic You can also enter alist of FQDNs using semicolon as the separator

bull BLACKLIST IP TCP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP TCP template In the Rule Parameters table complete the following

mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all TCP traffic from the specified Ipv4 and IPv6

addresses and networks will be blocked Enter network addresses in addressCIDR formatbull BLACKLIST IP UDP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6

addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP UDP template In the Rule Parameters table complete the following

mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all UDP traffic from the specified Ipv4 and IPv6addresses and networks will be blocked Enter network addresses in addressCIDR format

bull RATELIMITED FQDN lookup UDP Use this rule template to create custom rules that contains rate limitingrestrictions for blocking DNS queries by FQDN lookups on UDP traffic In the Rule Parameters table completethe following

Rule ID

Rule

Type

Rule Name Description Enable Condition Parameters Comments

140000750 Auto PASS VRRP This rule passes packets thatgo through VRRP for HAsupport

Enabled if HA isconfigured

NA

140000760 Auto PASS IGMP This rule passes packets thatgo through IGMP for HAsupport

Enabled if HA isconfigured

NA

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2930

Custom Rule Templates

NIOS 612 NIOS Administrator Guide (Rev A) 1525

mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this ruleThe default is 5

mdash Drop interval Enter the number of seconds for which the appliance drops packets

mdash Blacklist rate limited FQDN Enter the FQDN that is affected by the rate limit value configured for this ruleThe appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDNexceeds the configured rate limit value

bull RATELIMITED IP TCP Use this rule template to create custom rules that contains rate limiting restrictions forblacklisting IP addresses on TCP If there are certain IP addresses that you want to block before its traffic reachesthe rate limit restrictions you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting templateIn the Rule Parameters table complete the following

— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

— Drop interval: Enter the time interval, in seconds, during which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

— Drop interval: Enter the time interval, in seconds, during which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

— Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

— Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
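The following Python model is an added example written for this page, not Infoblox's implementation. It shows how the parameters named in these templates interact: the WHITELIST and BLACKLIST checks that run before rate limiting, the per-source Packets per second threshold, the Drop interval during which a source that exceeded the threshold is dropped, and the Events per second cap that the auto rules in the tables of this document also carry. The addresses and timings are constructed sample data, and the one-second fixed window is an assumption of the model; the appliance's own counting algorithm is not described on this page.

```python
import ipaddress

# Added example, not Infoblox code. A model of the rate-limiting semantics
# described on this page: WHITELIST/BLACKLIST checks that run before rate
# limiting, a per-source Packets per second threshold, a Drop interval during
# which an offending source is dropped, and an Events per second cap on how
# often the rule reports. The one-second fixed window is an assumption of the
# model; the appliance's own counting algorithm is not described here.


class RateLimitRule:
    """RATELIMITED IP template parameters, with the defaults the page gives."""

    def __init__(self, network, packets_per_second=5, drop_interval=30.0,
                 events_per_second=1):
        self.network = ipaddress.ip_network(network)  # rate limited IP address/network
        self.packets_per_second = packets_per_second
        self.drop_interval = drop_interval            # seconds
        self.events_per_second = events_per_second


class Engine:
    def __init__(self, whitelist, blacklist, rules):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        self.rules = rules
        self.window_start = {}   # (rule index, src) -> start of the current 1 s window
        self.window_count = {}   # (rule index, src) -> packets counted in that window
        self.blocked_until = {}  # (rule index, src) -> end of the drop interval
        self.event_count = {}    # (rule index, whole second) -> events reported
        self.events = []         # (time, src, rule network) for each reported event

    def handle(self, t, src):
        """Return 'PASS' or 'DROP' for a DNS packet from src arriving at time t."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.whitelist):
            return "PASS"   # WHITELIST IP: pass prior to rate limiting
        if any(ip in net for net in self.blacklist):
            return "DROP"   # BLACKLIST IP: drop prior to rate limiting
        for i, rule in enumerate(self.rules):
            if ip not in rule.network:
                continue
            key = (i, src)
            if t < self.blocked_until.get(key, float("-inf")):
                return "DROP"  # still inside the drop interval for this source
            start = self.window_start.get(key)
            if start is None or t - start >= 1.0:
                self.window_start[key] = t   # open a new one-second window
                self.window_count[key] = 0
            self.window_count[key] += 1
            if self.window_count[key] > rule.packets_per_second:
                self.blocked_until[key] = t + rule.drop_interval
                self._report(i, rule, t, src)
                return "DROP"
            return "PASS"
        return "PASS"  # no rate limiting rule covers this source

    def _report(self, i, rule, t, src):
        """Record a rule event unless Events per second is already used up."""
        k = (i, int(t))
        n = self.event_count.get(k, 0)
        if n < rule.events_per_second:
            self.event_count[k] = n + 1
            self.events.append((t, src, str(rule.network)))


def simulate():
    """Run constructed traffic through one rule and return the decisions."""
    engine = Engine(whitelist=["192.0.2.10/32"], blacklist=["192.0.2.66/32"],
                    rules=[RateLimitRule("192.0.2.0/24")])
    out = {}
    # 192.0.2.5 sends seven packets inside one second: five pass, the sixth
    # exceeds Packets per second and starts the drop interval, the seventh is dropped
    out["burst"] = [engine.handle(0.1 * n, "192.0.2.5") for n in range(7)]
    out["during_interval"] = engine.handle(20.0, "192.0.2.5")   # still blocked
    out["after_interval"] = engine.handle(31.0, "192.0.2.5")    # interval over
    out["whitelisted"] = [engine.handle(0.0, "192.0.2.10") for _ in range(20)]
    out["blacklisted"] = engine.handle(0.0, "192.0.2.66")
    out["outside_rule"] = [engine.handle(0.0, "198.51.100.7") for _ in range(20)]
    out["events"] = len(engine.events)   # one event: Events per second is 1
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

Running `simulate()` shows five packets passing, the sixth tripping the limit and being dropped together with everything from that source for the next 30 seconds, whitelisted traffic never being counted, and only one event being reported for the whole burst because Events per second is 1. The practical consequence for tuning is visible in the model: a Packets per second value set below a legitimate source's real rate silences that source for the entire Drop interval, which is why the tables in this document suggest raising the threshold when a triggered rule points at a valid upstream or secondary server.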


Overview of Packet Flow

| Conditions (if any) | Rule Category | Rule Name | Action | Reference |
| | User-defined Blacklist TCP Packets | User-defined Blacklist TCP Packets | Drop | Custom Rule Templates |
| | User-defined ratelimiting IP and Network UDP Packets | User-defined ratelimiting IP and Network UDP Packets | Ratelimiting | Custom Rule Templates |
| | User-defined ratelimiting IP and Network TCP Packets | User-defined ratelimiting IP and Network TCP Packets | Ratelimiting | Custom Rule Templates |
| | User-defined ratelimiting FQDN | User-defined ratelimiting FQDN | Ratelimiting | Custom Rule Templates |
| | User-defined Blacklist FQDN | User-defined Blacklist FQDN | Drop | Custom Rule Templates |
| | Potential DDoS related domains | Potential DDoS related domains | Drop | Potential DDoS Related Domains |
| | TCP/UDP Floods | High Rate inbound DNS Queries | Ratelimiting | TCP/UDP Flood |
| | DNS DDoS | NXDomain, NXRRset, ServFail DNS Response | Ratelimiting | DNS DDoS |
| | DNS Tunneling | DNS Tunneling | Ratelimiting | DNS Tunneling |
| | DNS Protocol Anomalies | DNS Protocol Anomalies | Drop | DNS Protocol Anomalies |
| Incoming zone transfer is allowed | DNS Message Type | DNS IXFR/AXFR Requests | Ratelimiting and Pass | DNS Message Type |
| Incoming zone transfer is allowed | DNS Message Type | Invalid DNS IXFR Queries | Drop | DNS Message Type |
| Incoming zone transfer is not allowed | DNS Message Type | DNS AXFR/IXFR Requests | Drop | DNS Message Type |
| | DNS Malware | DNS Malware | Drop | DNS Malware |
| | DNS Amplification and Reflection | DNS Amplification and Reflection | Ratelimiting | DNS Amplification and Reflection |
| | DNS Message Type | DNS Query Types | Drop/Pass depending on the configured action | DNS Message Type |
| NTP client is enabled | NTP | NTP Server Responses | Ratelimiting and Pass | NTP |
| NTP client is disabled | NTP | NTP Client Requests | Drop | NTP |
| NTP server is enabled | NTP | NTP Vulnerability Rules | Ratelimiting | NTP |
| NTP server is enabled | NTP | NTP Ratelimiting Rules based on NTP ACL Data | Ratelimiting and Pass | NTP |
| NTP server is disabled | NTP | Invalid NTP Packets | Drop | NTP |
| BGP is enabled | BGP | Invalid BGP Packets | Drop | BGP |
| BGP is enabled | BGP | BGP Packets | Ratelimiting and Pass | BGP |
| BGP is disabled | BGP | BGP Packets | Drop | BGP |
| | ICMP | ICMP Pings | Ratelimiting and Pass | ICMP |
| OSPF is enabled | OSPF | OSPF Packets | Ratelimiting and Pass | OSPF |
| OSPF is disabled | OSPF | OSPF Packets | Drop | OSPF |
| | ICMP | ICMPv6 Pings | Ratelimiting and Pass | ICMP |
| | Default Pass/Drop | Unexpected DNS Packets | Drop | Default Pass/Drop |
| | Default Pass/Drop | TCP/UDP/ICMP Packets | Drop | Default Pass/Drop |
| | HA Support | HA Communication Packets | Pass | HA Support |
| | Default Pass/Drop | Unexpected Packets | Drop | Default Pass/Drop |


Tuning Rule Parameters

All threat protection rules contain rule parameters that you may or may not be able to configure. Rule parameters are predefined with default values that generally suit most network environments. However, there are times when you have special setups or configurations in your environment that require special attention. In these cases, you may need to change some of the rule parameters to obtain optimal protection without sacrificing system performance.

Table H2 lists specific conditions and corresponding rules that may require tuning when they are enabled. You can view tuning suggestions in the Comments column for each of the following conditions.

Table H2 Tunable Rules

| Conditions | Rule(s) that Require Tuning | Reference |
| Your appliance is configured as an authoritative DNS server | Rule 100000100 in the DNS Cache Poisoning category | DNS Cache Poisoning Rules |
| Your DNS server is configured as the secondary server with external primaries and it serves a large number of zones | Rules 100100100 to 100100201 in the DNS Message Type category | DNS Message Type Rules |
| You have enabled TCP/UDP Flood system rules and your network environment consists of the following: NATd environments, static forwarders, or VPN concentrators | All rules in the TCP/UDP Flood category | TCP/UDP Flood Rules |
| You have enabled DNS DDoS system rules and your network environment consists of the following: NATd environments, static forwarders, or VPN concentrators | Rules 200000001 to 200000003 in the DNS DDoS category | DNS DDoS Rules |
| You have enabled DNS Tunneling system rules and your network environment consists of the following: NATd environments, static forwarders, and VPN concentrators | All rules in the DNS Tunneling category | Anti DNS Tunneling Rules |
| Your DNS server is configured to allow incoming IPv4 and IPv6 zone transfer requests and it serves a large number of zones | Rules 130100100 to 130100401 in the DNS Message Type category | DNS Message Type Rules |
| You have enabled DNS Amplification and Reflection system rules | All rules in the DNS Amplification and Reflection category | DNS Amplification and Reflection Rules |


DNS Cache Poisoning

DNS cache poisoning involves inserting a false address record for an Internet domain into a DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails will go to the attacker's address. Cache poisoning attacks such as the "birthday paradox" use brute force, flooding DNS responses and queries at the same time, hoping to get a match on one of the responses and poison the cache.

The following table lists auto rules that Advanced DNS Protection uses to mitigate DNS cache poisoning on your advanced appliance.

Table H3 DNS Cache Poisoning Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
| 100000100 | Auto | EARLY PASS UDP response traffic | This rule passes UDP DNS response packets (from upstream DNS servers or external DNS primaries) if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Always enabled | Packets per second (default = 30000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a smaller number if your system is serving authoritative DNS. NOTE: If you set the parameter incorrectly, the rule could block legitimate DNS responses from upstream DNS servers, which could cause the DNS server to exceed its quota. |
| 100000200 | Auto | EARLY PASS TCP response traffic | This rule passes TCP DNS responses initiated by the appliance. | Always enabled | Packets per second (default = 100) | Consider raising the Packets per second value if DNSSEC is enabled. |
| 100000300 | Auto | PASS ACK packets from NIOS initiated connections | This rule passes TCP ACK packets for DNS or BGP from NIOS initiated connections if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Always enabled | Packets per second (default = 600); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider raising the Packets per second value if DNSSEC is enabled. |

DNS Message Type

The following table lists the system and auto rules that are used to mitigate DNS message type attacks on your advanced appliance.

All rules for DNS record types are system rules. By default, they are configured as Pass rules. You can override this and change the rule action to Drop. Note that when you do that, the appliance drops all DNS packets that contain the requested record type.

Table H4 DNS Message Type Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |

| 100100100 | Auto | EARLY PASS IPv4 UDP Notify messages | This rule passes IPv4 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |


| 100100101 | Auto | EARLY PASS IPv6 UDP Notify messages | This rule passes IPv6 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
| 100100200 | Auto | EARLY PASS IPv4 TCP Notify messages | This rule passes IPv4 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
| 100100201 | Auto | EARLY PASS IPv6 TCP Notify messages | This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
| 100100300 | Auto | EARLY PASS IPv4 UDP Notify messages for DDNS update | This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if DDNS update is enabled for IPv4 clients | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | |
| 100100350 | Auto | EARLY PASS IPv6 UDP Notify messages for DDNS update | This rule passes IPv6 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if DDNS update is enabled for IPv6 clients | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | |
| 130100100 | Auto | RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests | This rule passes IPv4 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100101 | Auto | RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests | This rule passes IPv6 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100200 | Auto | RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests | This rule passes IPv4 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |


| 130100201 | Auto | RATELIMIT PASS IPv6 TCP DNS AXFR zone transfer requests | This rule passes IPv6 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100300 | Auto | RATELIMIT PASS IPv4 UDP DNS IXFR zone transfer requests | This rule passes IPv4 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100301 | Auto | RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests | This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100400 | Auto | RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests | This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100401 | Auto | RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests | This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130200100 | Auto | DROP UDP DNS AXFR zone transfer requests | This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| 130200200 | Auto | DROP TCP DNS AXFR zone transfer requests | This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| 130200300 | Auto | DROP UDP DNS IXFR zone transfer requests | This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| 130200400 | Auto | DROP TCP DNS IXFR zone transfer requests | This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |


| 130500100 | System | DNS A record | You can configure this rule to pass or drop UDP packets that contain an A record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500200 | System | DNS AAAA record | You can configure this rule to pass or drop UDP packets that contain an AAAA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500300 | System | DNS CNAME record | You can configure this rule to pass or drop UDP packets that contain a CNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500400 | System | DNS DS record | You can configure this rule to pass or drop UDP packets that contain a DS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500500 | System | DNS PTR record | You can configure this rule to pass or drop UDP packets that contain a PTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500600 | System | DNS NS record | You can configure this rule to pass or drop UDP packets that contain an NS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500700 | System | DNS NSEC record | You can configure this rule to pass or drop UDP packets that contain an NSEC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500800 | System | DNS NSEC3 record | You can configure this rule to pass or drop UDP packets that contain an NSEC3 record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500900 | System | DNS NSEC3PARAM record | You can configure this rule to pass or drop UDP packets that contain an NSEC3PARAM record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501000 | System | DNS MX record | You can configure this rule to pass or drop UDP packets that contain an MX record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501100 | System | DNS SRV record | You can configure this rule to pass or drop UDP packets that contain an SRV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501200 | System | DNS TXT record | You can configure this rule to pass or drop UDP packets that contain a TXT record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501300 | System | DNS DNAME record | You can configure this rule to pass or drop UDP packets that contain a DNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501400 | System | DNS RRSIG record | You can configure this rule to pass or drop UDP packets that contain an RRSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501500 | System | DNS NAPTR record | You can configure this rule to pass or drop UDP packets that contain an NAPTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |


| 130501600 | System | DNS DNSKEY record | You can configure this rule to pass or drop UDP packets that contain a DNSKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501700 | System | DNS SPF record | You can configure this rule to pass or drop UDP packets that contain an SPF record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501800 | System | DNS DHCID record | You can configure this rule to pass or drop UDP packets that contain a DHCID record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501900 | System | DNS SOA record | You can configure this rule to pass or drop UDP packets that contain an SOA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502000 | System | DNS SIG record | You can configure this rule to pass or drop UDP packets that contain a SIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502100 | System | DNS LOC record | You can configure this rule to pass or drop UDP packets that contain a LOC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502200 | System | DNS SSHFP record | You can configure this rule to pass or drop UDP packets that contain an SSHFP record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502300 | System | DNS IPSECKEY record | You can configure this rule to pass or drop UDP packets that contain an IPSECKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502400 | System | DNS TKEY record | You can configure this rule to pass or drop UDP packets that contain a TKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502500 | System | DNS TSIG record | You can configure this rule to pass or drop UDP packets that contain a TSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502600 | System | DNS TA record | You can configure this rule to pass or drop UDP packets that contain a TA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502700 | System | DNS DLV record | You can configure this rule to pass or drop UDP packets that contain a DLV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502800 | System | DNS ANY record | You can configure this rule to pass or drop UDP packets that contain an ANY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502900 | System | DNS A record TCP | You can configure this rule to pass or drop TCP packets that contain an A record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503000 | System | DNS AAAA record TCP | You can configure this rule to pass or drop TCP packets that contain an AAAA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |


| 130503100 | System | DNS CNAME record TCP | You can configure this rule to pass or drop TCP packets that contain a CNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503200 | System | DNS DS record TCP | You can configure this rule to pass or drop TCP packets that contain a DS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503300 | System | DNS PTR record TCP | You can configure this rule to pass or drop TCP packets that contain a PTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503400 | System | DNS NS record TCP | You can configure this rule to pass or drop TCP packets that contain an NS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503500 | System | DNS NSEC record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503600 | System | DNS NSEC3 record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC3 record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503700 | System | DNS NSEC3PARAM record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC3PARAM record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503800 | System | DNS MX record TCP | You can configure this rule to pass or drop TCP packets that contain an MX record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain an SRV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain a TXT record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain a DNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain an RRSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain an NAPTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain a DNSKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain an SPF record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |


| 130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain a DHCID record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain an SOA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain a SIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504900 | System | DNS LOC record TCP | You can configure this rule to pass or drop TCP packets that contain a LOC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain an SSHFP record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain an IPSECKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain a TKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain a TSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain a TA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain a DLV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain an ANY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |


General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

110000100  Auto  EARLY DROP DoS packets with same source and destination IP
  Description: This rule drops any IP packets that contain the same source and destination IP address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110000200  Auto  EARLY DROP DoS UDP packets with same source and destination IP
  Description: This rule drops UDP packets that contain the same source and destination IP address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110000300  Auto  EARLY DROP DoS TCP packets with same source and destination IP
  Description: This rule drops TCP packets that contain the same source and destination IP address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130400300  Auto  DROP IPv6 loopback address spoofing
  Description: This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130400400  Auto  DROP IPv6 loopback address spoofing
  Description: This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

Reconnaissance

Reconnaissance attacks consist of attempts to gather information about the network environment before launching a large DDoS or other type of attack. Techniques include port scanning and probing the DNS server for its version and author strings. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warning.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables event logging for the rule. The default value is 10.

Table H6 Reconnaissance Rules

110100100  Auto  EARLY DROP DNS named author attempts
  Description: This rule drops UDP DNS packets that contain attempts to find AUTHOR information.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100200  Auto  EARLY DROP DNS named version attempts
  Description: This rule drops UDP DNS packets that contain attempts to find VERSION information.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)


DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

110100300  Auto  EARLY DROP UDP MALWARE backdoor
  Description: This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of FaceBook messenger. This malware may be spread as a malicious attachment in email messages.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130300300  Auto  DROP MALWARE trojan downloader
  Description: This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130300400  Auto  DROP MALWARE possible Hiloti
  Description: This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

DNS Protocol Anomalies

DNS protocol anomaly attacks send malformed DNS packets, including unexpected header and payload values, to the targeted server. This can cause the server to stop responding or crash, or leave server threads in an infinite loop. These anomalies sometimes take the form of impersonation attacks.

The following table lists the rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

110100400  Auto  EARLY DROP UDP DNS question name too long
  Description: This rule drops UDP DNS packets when the DNS Question Name is too long.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100500  Auto  EARLY DROP UDP DNS label too long
  Description: This rule drops UDP DNS packets when a DNS label in the name being queried is too long.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100600  Auto  EARLY DROP UDP query invalid question count
  Description: This rule drops UDP DNS packets when the number of entries in the question section is invalid.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100700  Auto  EARLY DROP UDP query invalid question class
  Description: This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100800  Auto  EARLY DROP UDP query invalid question string
  Description: This rule drops UDP DNS packets that contain an invalid question string.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100850  Auto  EARLY UDP drop invalid DNS query with Authority
  Description: This rule drops UDP DNS queries that contain an invalid AUTHORITY entry.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100900  Auto  EARLY DROP query multiple questions or non-query operation code
  Description: This rule drops UDP DNS packets when multiple questions are queried at one time or the operation code is not Query.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130000700  Auto  EARLY DROP TCP non-DNS query
  Description: This rule drops TCP packets when the operation code is not Query.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130000800  Auto  EARLY DROP TCP query multiple questions
  Description: This rule drops TCP DNS packets when multiple questions are queried at one time.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130100500  Auto  DROP UDP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entry.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130100600  Auto  DROP TCP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entry.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130300200  Auto  DROP TCP invalid DNS query with Authority
  Description: This rule drops TCP DNS queries that contain invalid Authority entries.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects of NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
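As an added worked example (not part of the NIOS guide or of the Infoblox rule set), the following Python script applies the question-section checks that the DNS Protocol Anomalies auto rules in Table H8 enforce (question count, operation code, label and name length, question class, and Authority entries in ordinary and IXFR queries) and also flags the CHAOS-class version.bind / authors.bind TXT probes that the Reconnaissance rules in Table H6 drop. The length limits come from RFC 1035; the set of accepted classes, the list of reconnaissance names, and the packet builder used to construct the sample queries are the example's own assumptions, not the appliance's internal logic.

```python
import struct

# RFC 1035 limits: a label is at most 63 octets, a whole name at most 255 octets.
MAX_LABEL = 63
MAX_NAME = 255
# Question classes this example accepts (assumption: IN, CH, HS and ANY).
VALID_CLASSES = {1, 3, 4, 255}
CLASS_CH, QTYPE_TXT, QTYPE_IXFR = 3, 16, 251
# CHAOS TXT names used to fingerprint BIND ("named author/version attempts").
RECON_NAMES = {"version.bind.", "authors.bind.", "hostname.bind.", "id.server."}


def parse_qname(buf, off):
    """Parse an uncompressed name at buf[off:]. Returns (dotted name, next offset)."""
    labels, start = [], off
    while True:
        if off >= len(buf):
            raise ValueError("question name runs past end of packet")
        n = buf[off]
        off += 1
        if n == 0:
            break
        # Question names are never compressed, so any length byte above 63
        # (including 0xC0 pointers) is rejected as "label too long".
        if n > MAX_LABEL:
            raise ValueError("label too long")
        if off + n > len(buf):
            raise ValueError("question name runs past end of packet")
        labels.append(buf[off:off + n].decode("ascii", "replace"))
        off += n
    if off - start > MAX_NAME:
        raise ValueError("question name too long")
    return ".".join(labels) + ".", off


def check_query(pkt):
    """Return a list of findings for one UDP DNS query payload (empty = clean)."""
    if len(pkt) < 12:
        return ["truncated header"]
    _id, flags, qd, _an, ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    findings = []
    opcode = (flags >> 11) & 0xF
    if opcode != 0:
        findings.append("non-query opcode %d" % opcode)
    if qd != 1:
        findings.append("invalid question count %d" % qd)
        return findings          # the question section cannot be parsed reliably
    try:
        qname, off = parse_qname(pkt, 12)
    except ValueError as e:
        findings.append(str(e))
        return findings
    if off + 4 > len(pkt):
        findings.append("question truncated")
        return findings
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    if qclass not in VALID_CLASSES:
        findings.append("invalid question class %d" % qclass)
    if qtype == QTYPE_IXFR:
        if ns != 1:              # IXFR must carry exactly one SOA in AUTHORITY
            findings.append("IXFR with %d authority records" % ns)
    elif ns != 0:
        findings.append("authority section in ordinary query")
    if qclass == CLASS_CH and qtype == QTYPE_TXT and qname.lower() in RECON_NAMES:
        findings.append("reconnaissance probe %s CH TXT" % qname)
    return findings


def build_query(qname, qtype, qclass, opcode=0, qdcount=1, nscount=0):
    """Build a minimal query; used only to construct the sample inputs below."""
    flags = (opcode & 0xF) << 11
    hdr = struct.pack("!HHHHHH", 0x1234, flags, qdcount, 0, nscount, 0)
    body = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return hdr + body + b"\x00" + struct.pack("!HH", qtype, qclass)


if __name__ == "__main__":
    # Constructed sample queries
    samples = {
        "normal A query": build_query("www.example.com.", 1, 1),
        "version.bind probe": build_query("version.bind.", QTYPE_TXT, CLASS_CH),
        "two questions": build_query("www.example.com.", 1, 1, qdcount=2),
        "label too long": build_query("a" * 70 + ".example.com.", 1, 1),
        "IXFR without SOA": build_query("example.com.", QTYPE_IXFR, 1),
    }
    for label, pkt in samples.items():
        print("%-20s %s" % (label, check_query(pkt) or "clean"))
```

Each finding maps to one rule in Table H8 or H6; a production filter would drop on the first finding rather than collect all of them, but collecting them makes the checks easier to verify against a capture.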


TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks that use massive numbers of packets to consume network bandwidth and resources. They exploit the TCP and UDP protocols.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

130000100  System  WARN about high rate inbound UDP DNS queries
  Description: This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 40); Events per second (default = 1)
  Comments: Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.

130000200  System  WARN & BLOCK high rate inbound UDP DNS queries
  Description: This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.

130000300  System  WARN about high rate inbound TCP DNS queries
  Description: This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 5); Events per second (default = 1)
  Comments: Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.

130000400  System  WARN & BLOCK high rate inbound TCP DNS queries
  Description: This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.


DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.

Table H10 DNS DDoS Rules

200000001  System  NXDOMAIN rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

200000002  System  NXRRSET rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators. NOTE: NXRRSET responses are NOERROR responses that carry no records and no answers (the name exists but has no records of the requested type).

200000003  System  SERVFAIL rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.
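The WARN / WARN & BLOCK pairs in Table H9 and the per-response-code rules in Table H10 share one mechanism: count matching events per source IP over a one-second window, alert when the count reaches the Packets per second value, and block the source for Drop interval once that value is exceeded. The following Python model is added here as an illustration and is not the appliance's implementation. It replays constructed traffic through that mechanism twice: a UDP query burst against the 130000100/130000200 defaults (warn at 40, block above 1000 for 5 seconds), and an NXDOMAIN response burst against the 200000001 defaults (1000 per second, 5 seconds), where the block applies to all UDP DNS traffic from the source and not only to the queries that produced NXDOMAIN. The window size, source addresses and timestamps are the example's own assumptions. The same limiter with a different match predicate (query size above Packet size, or QTYPE ANY) models rules 130000500 and 130400100.

```python
from collections import defaultdict, deque


class SourceRateLimiter:
    """Per-source sliding one-second window with a warn threshold, a block
    threshold and a drop interval. With warn_pps == block_pps it behaves like
    a single WARN & BLOCK rule: warn at the limit, block above it."""

    def __init__(self, warn_pps, block_pps, drop_interval):
        self.warn_pps, self.block_pps = warn_pps, block_pps
        self.drop_interval = drop_interval
        self.windows = defaultdict(deque)   # src -> event timestamps in last 1 s
        self.blocked_until = {}             # src -> time when the block expires

    def is_blocked(self, src, ts):
        return self.blocked_until.get(src, 0.0) > ts

    def observe(self, src, ts):
        """Record one matching event; return 'pass', 'warn' or 'drop'."""
        w = self.windows[src]
        w.append(ts)
        while w[0] <= ts - 1.0:          # expire events older than one second
            w.popleft()
        rate = len(w)
        if rate > self.block_pps:
            self.blocked_until[src] = ts + self.drop_interval
            w.clear()                    # start counting afresh after the block
            return "drop"
        if rate >= self.warn_pps:
            return "warn"
        return "pass"


def run(limiter, events):
    """events: (timestamp, source, matches_rule). A blocked source loses all
    of its traffic, matching or not, until the drop interval ends."""
    counts = defaultdict(lambda: {"pass": 0, "warn": 0, "drop": 0})
    for ts, src, matches in events:
        if limiter.is_blocked(src, ts):
            verdict = "drop"
        elif matches:
            verdict = limiter.observe(src, ts)
        else:
            verdict = "pass"
        counts[src][verdict] += 1
    return {src: dict(c) for src, c in counts.items()}


def demo_udp_flood():
    """Rules 130000100 + 130000200 defaults: warn at 40 pps, block above 1000."""
    lim = SourceRateLimiter(warn_pps=40, block_pps=1000, drop_interval=5)
    # Constructed traffic: a modest client and a flooding source
    events = [(i * 0.001, "10.0.0.5", True) for i in range(50)]
    events += [(10.0 + i * 0.0005, "198.51.100.9", True) for i in range(1200)]
    events.append((16.0, "198.51.100.9", True))    # after the 5 s drop interval
    return run(lim, events)


def demo_nxdomain():
    """Rule 200000001 defaults: 1000 NXDOMAIN-triggering queries per second."""
    lim = SourceRateLimiter(warn_pps=1000, block_pps=1000, drop_interval=5)
    NXDOMAIN, NOERROR = 3, 0
    # Constructed responses: 1002 NXDOMAINs in half a second, then normal answers
    responses = [(i * 0.0005, "203.0.113.7", NXDOMAIN) for i in range(1002)]
    responses += [(0.6, "203.0.113.7", NOERROR), (0.7, "203.0.113.7", NOERROR),
                  (0.8, "203.0.113.7", NOERROR), (6.0, "203.0.113.7", NOERROR)]
    return run(lim, [(ts, src, rcode == NXDOMAIN) for ts, src, rcode in responses])


if __name__ == "__main__":
    print(demo_udp_flood())
    print(demo_nxdomain())
```

The NAT and VPN-concentrator caveat in the Comments column follows directly from the per-source key: every client behind one translated address shares a single window, so the defaults are reached by legitimate aggregate load long before any one client misbehaves.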


DNS Tunneling

DNS tunneling attacks tunnel another protocol through DNS (port 53), typically for data exfiltration. Outbound and inbound data is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

130000500  System  RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

130000600  Auto  RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

200000004  System  DNS tunneling rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing: the attacker sets the source address of its DNS queries to the address of the intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification exploit the asymmetry of DNS over UDP (small requests, large responses) and the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address spoofed in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Because DNS runs over UDP and requires no handshake, the protocol can be used to overwhelm a host or a network. A suitably crafted small query to any open DNS resolver can produce a single response of several kilobytes or more that is sent to the unwitting spoofed victim. (Without EDNS0, a UDP response is limited to 512 bytes and larger answers fall back to TCP; with EDNS0 the resolver returns the full response over UDP. The resulting datagram usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers; hence issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

130400100  Auto  WARN & DROP DoS DNS possible reflection/amplification attack attempts
  Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value (approximately 100) for NATed environments, static forwarders and VPN concentrators.

130400500  System  RATE LIMIT PASS UDP DNS root requests with additional RRs
  Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

130400600  System  RATE LIMIT PASS UDP DNS root requests
  Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules

130600100  Auto  RATELIMIT PASS NTP TIME responses
  Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
  Enable/Disable Condition: Enabled when the NTP client is enabled
  Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

130600120  Auto  DROP NTP TIME responses
  Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
  Enable/Disable Condition: Enabled when the NTP client is disabled
  Parameters: Events per second (default = 1)


200001001  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001005  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001010  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001015  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001020  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001025  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001050  Auto  RATELIMIT PASS NTPQ IPv4 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)


200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001075  Auto  RATELIMIT PASS NTP private mode IPv6 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001100  Auto  DROP NTPQ requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001105  Auto  DROP NTP TIME requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001110  Auto  DROP NTP private mode requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001115  Auto  DROP invalid NTP requests
  Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)
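Rules 200001001 through 200001025 key on the fields of NTP private-mode (mode 7) requests: whether the packet is a request or a response, whether the authentication bit is set, the implementation number (0x02 = IMPL_XNTPD_OLD, 0x03 = IMPL_XNTPD) and the request code (GET_RESTRICT, PEER_LIST, PEER_LIST_SUM). The following Python classifier is an added example, not Infoblox code: it decodes those fields from the first four octets of a UDP/123 payload, laid out as in ntpd's ntp_request.h, and separates ordinary NTP TIME packets and ntpq (mode 6) control packets from unauthenticated mode 7 requests that can be abused for amplification. The length thresholds used to call a time or control packet well-formed, the set of request codes treated as amplifiers (which adds MON_GETLIST, the classic monlist request, to the three named in the rules) and the sample packets are the example's own assumptions.

```python
MODE_CONTROL, MODE_PRIVATE = 6, 7
# Implementation and request-code values from ntpd's ntp_request.h
IMPL_NAMES = {0: "IMPL_UNIV", 2: "IMPL_XNTPD_OLD", 3: "IMPL_XNTPD"}
REQ_NAMES = {0: "PEER_LIST", 1: "PEER_LIST_SUM", 2: "PEER_INFO", 3: "PEER_STATS",
             4: "SYS_INFO", 16: "GET_RESTRICT", 20: "MON_GETLIST", 42: "MON_GETLIST_1"}
# Request codes whose replies are far larger than the request (assumption: the
# three named in the rules above plus the two monlist variants).
AMPLIFYING_REQS = {0, 1, 16, 20, 42}
NTP_TIME_LEN = 48      # fixed NTP v1-v4 header, RFC 5905 (assumed minimum here)
NTP_CONTROL_LEN = 12   # mode 6 control header, RFC 1305 appendix B (assumed minimum)


def classify_ntp(pkt):
    """Classify one UDP payload received on port 123. Returns a dict whose
    'verdict' is one of: time, ntpq, private, unauthed-amplifier, invalid."""
    if len(pkt) < 4:
        return {"mode": None, "verdict": "invalid"}
    mode = pkt[0] & 0x07
    version = (pkt[0] >> 3) & 0x07
    if mode != MODE_PRIVATE:
        if 1 <= mode <= 5 and 1 <= version <= 4 and len(pkt) >= NTP_TIME_LEN:
            return {"mode": mode, "version": version, "verdict": "time"}
        if mode == MODE_CONTROL and len(pkt) >= NTP_CONTROL_LEN:
            return {"mode": mode, "version": version, "verdict": "ntpq"}
        return {"mode": mode, "version": version, "verdict": "invalid"}
    # Mode 7 layout: byte0 = R(1) M(1) VN(3) mode(3); byte1 = auth(1) seq(7);
    # byte2 = implementation; byte3 = request code.
    response = bool(pkt[0] & 0x80)
    authed = bool(pkt[1] & 0x80)
    impl, req = pkt[2], pkt[3]
    info = {"mode": 7, "version": version, "response": response,
            "authenticated": authed,
            "impl": impl, "impl_name": IMPL_NAMES.get(impl, "IMPL_%d" % impl),
            "req": req, "req_name": REQ_NAMES.get(req, "REQ_%d" % req)}
    if not response and not authed and impl in (2, 3) and req in AMPLIFYING_REQS:
        info["verdict"] = "unauthed-amplifier"
    else:
        info["verdict"] = "private"
    return info


def mode7_request(impl, req, authed=False, seq=0):
    """Construct a minimal mode 7 request (version 2, padded to 48 bytes)."""
    byte0 = (2 << 3) | MODE_PRIVATE
    byte1 = (0x80 if authed else 0x00) | (seq & 0x7F)
    return bytes([byte0, byte1, impl, req]) + b"\x00" * 44


# Constructed sample packets
CLIENT_TIME_REQUEST = bytes([0x23]) + b"\x00" * 47          # LI=0, VN=4, mode 3
NTPQ_READSTAT = bytes([0x16, 0x01]) + b"\x00" * 10          # VN=2, mode 6
GET_RESTRICT_OLD = mode7_request(0x02, 16)                  # matches rule 200001001
PEER_LIST_SUM_NEW = mode7_request(0x03, 1)                  # matches rule 200001015
AUTHED_GET_RESTRICT = mode7_request(0x03, 16, authed=True)  # authenticated, not flagged

if __name__ == "__main__":
    for name, pkt in [("client time", CLIENT_TIME_REQUEST), ("ntpq", NTPQ_READSTAT),
                      ("GET_RESTRICT impl 2", GET_RESTRICT_OLD),
                      ("PEER_LIST_SUM impl 3", PEER_LIST_SUM_NEW),
                      ("authed GET_RESTRICT", AUTHED_GET_RESTRICT)]:
        print("%-22s %s" % (name, classify_ntp(pkt)["verdict"]))
```

A classifier like this is what sits in front of the per-source rate counter: the rules above apply the Drop Interval only to requests that land in the unauthenticated mode 7 bucket, while NTP TIME and NTPQ traffic is governed by the separate RATELIMIT PASS rules for the IPv4 and IPv6 ACLs.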


BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

130700100  Auto  DROP BGP header length shorter than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is shorter than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700200  Auto  DROP BGP header length longer than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is longer than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700300  Auto  DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700400  Auto  DROP BGP invalid type 0
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700500  Auto  DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700550  Auto  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
  Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10)

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
  Description: This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
  Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10)

130700650  Auto  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
  Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10)

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2230

1518 NIOS Administrator Guide (Rev A) NIOS 612

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF isnot in use

Table H15 OSPF Rules

130700700 Auto RATELIMIT PASS BGPallowed with IPv6 peer

This rule passes TCP BGP routeadvertisement to IPv6 peerswhen BGP is enabled and ifthe packet rate is less than thePackets per second value Ifany source IP sends packetsover this value the appliance

blocks all such traffic from thissource IP for a certain periodof time (specified in Drop

interval )

This rule isenabled whenBGP service onthis member isconfigured withIPv6 peers

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=10)

130800100 Auto DROP BGP unexpected When BGP is enabled this ruledrops unexpected TCP BGPpackets

This rule takeseffect when BGPservice on thismember is NOT configured

Events per second (default=1)

This rule is exclusive withother rules based onwhether BGP is configuredon the member or not

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured. | Events per second (default=1) | Default drop rule for all packets on the OSPF service port. |
| 130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4. | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100) | |
| 130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6. | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100) | |
| 130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured. | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | This rule works for both IPv4 and IPv6. |


ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default=1) | |
| 130900100 | Auto | RATE LIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) | |
| 130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) | |
| 130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |


| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |


| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902300 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902400 | Auto | RATELIMIT PASS ICMPv6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902500 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |


| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problems if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130903400 | Auto | RATELIMIT ICMP port unreachable | This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50) | |


| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | N/A | |
| 140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet. |
| 140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet. |
| 140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default=0) | |
| 140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default=0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default=0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default=0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default=0) | This is a catch-all rule that drops anything that does not match any other rules in the system. |


HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

| Rule ID | Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | N/A | |
| 140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | N/A | |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:

  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:

  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:


  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.

  — Drop interval: Enter the number of seconds for which the appliance drops packets.

  — Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

  — Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

  — Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
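The per-source rate-limit semantics that the rule tables above repeat (a Packets per second threshold, a Drop interval during which everything from the offending source is dropped, an Events per second cap on logging) and the custom-template precedence just described (WHITELIST IP passes and BLACKLIST IP drops before a RATELIMITED IP rule is consulted), as an added Python simulation that is not Infoblox code. The fixed one-second counting window, drop-only logging, rule names, addresses and timings are constructed assumptions.

```python
"""Simulation of Advanced DNS Protection style rule evaluation.

Added illustration, not Infoblox code.  It models the semantics the rule
tables describe: a per-source "Packets per second" threshold, a "Drop
interval" during which every packet from an offending source is dropped,
the "Events per second" cap on logged events per rule, and the custom
template precedence (WHITELIST IP passes and BLACKLIST IP drops before a
RATELIMITED IP rule is consulted).  The fixed one-second counting window,
drop-only logging, rule names, addresses and timings are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from math import floor


@dataclass
class EventLog:
    """Records at most events_per_second entries per rule per wall-clock second."""
    events_per_second: int = 1
    entries: list = field(default_factory=list)
    _seen: dict = field(default_factory=dict)

    def log(self, rule, src, t, action):
        key = (rule, floor(t))
        n = self._seen.get(key, 0)
        if n < self.events_per_second:
            self.entries.append((t, rule, src, action))
        self._seen[key] = n + 1


@dataclass
class RateLimitRule:
    """RATELIMIT PASS semantics: pass while a source stays under the threshold,
    otherwise drop everything from that source for drop_interval seconds."""
    name: str
    packets_per_second: int
    drop_interval: float
    _window_start: dict = field(default_factory=dict)
    _window_count: dict = field(default_factory=dict)
    _blocked_until: dict = field(default_factory=dict)

    def evaluate(self, src, t):
        if self._blocked_until.get(src, -1.0) > t:
            return "DROP"                       # still inside the drop interval
        start = self._window_start.get(src)
        if start is None or t - start >= 1.0:   # open a fresh one-second window
            self._window_start[src] = t
            self._window_count[src] = 0
        self._window_count[src] += 1
        if self._window_count[src] > self.packets_per_second:
            self._blocked_until[src] = t + self.drop_interval
            return "DROP"
        return "PASS"


class RuleEngine:
    """Evaluates WHITELIST IP, then BLACKLIST IP, then the RATELIMITED IP rule."""

    def __init__(self, whitelist, blacklist, ratelimit, log=None):
        self.whitelist = whitelist
        self.blacklist = blacklist
        self.ratelimit = ratelimit
        self.log = log or EventLog()

    def evaluate(self, src, t):
        addr = ip_address(src)
        if any(addr in net for net in self.whitelist):
            return "PASS", "WHITELIST IP"       # passes prior to rate limiting
        if any(addr in net for net in self.blacklist):
            action, rule = "DROP", "BLACKLIST IP"  # drops prior to rate limiting
        else:
            action, rule = self.ratelimit.evaluate(src, t), self.ratelimit.name
        if action == "DROP":                    # only drops are logged (assumption)
            self.log.log(rule, src, t, action)
        return action, rule


def simulate():
    """Replays constructed traffic; returns per-source decisions and the log."""
    engine = RuleEngine(
        whitelist=[ip_network("192.0.2.10/32")],
        blacklist=[ip_network("203.0.113.0/24")],
        # template defaults from the text: 5 packets per second, 30 second drop interval
        ratelimit=RateLimitRule("RATELIMITED IP UDP", 5, 30.0),
    )
    packets = [("198.51.100.7", 0.05 * i) for i in range(8)]        # burst of 8 in 0.35 s
    packets += [("198.51.100.7", 10.0), ("198.51.100.7", 31.0)]     # inside, then after, the drop interval
    packets += [("192.0.2.10", 0.01 * i) for i in range(20)]        # whitelisted burst
    packets += [("203.0.113.44", 0.2)]                              # blacklisted source
    packets.sort(key=lambda p: p[1])                                # stable: per-source order kept
    decisions = {}
    for src, t in packets:
        action, _ = engine.evaluate(src, t)
        decisions.setdefault(src, []).append(action)
    return decisions, engine.log.entries


if __name__ == "__main__":
    for src, actions in simulate()[0].items():
        print(src, " ".join(actions))
```

Running it shows the sixth packet of the burst triggering the block, every later packet from that source dropped until the 30 second interval has elapsed, and only one logged event per rule per second despite several drops.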


Tuning Rule Parameters

All threat protection rules contain rule parameters that you may or may not be able to configure. Rule parameters are predefined with default values that generally suit most network environments. However, there are times when you have special setups or configurations in your environment that require special attention. In these cases, you may need to change some of the rule parameters to obtain optimal protection without sacrificing system performance.

Table H2 lists specific conditions and corresponding rules that may require tuning when they are enabled. You can view tuning suggestions in the Comments column for each of the following conditions.

Table H2 Tunable Rules

| Conditions | Rule(s) that Require Tuning | Reference |
|---|---|---|
| Your appliance is configured as an authoritative DNS server. | Rule 100000100 in the DNS Cache Poisoning category | DNS Cache Poisoning Rules |
| Your DNS server is configured as the secondary server with external primaries and it serves a large number of zones. | Rules 100100100 to 100100201 in the DNS Message Type category | DNS Message Type Rules |
| You have enabled TCP/UDP Flood system rules and your network environment consists of the following: NATd environments, static forwarders, or VPN concentrators. | All rules in the TCP/UDP Flood category | TCP/UDP Flood Rules |
| You have enabled DNS DDoS system rules and your network environment consists of the following: NATd environments, static forwarders, or VPN concentrators. | Rules 200000001 to 200000003 in the DNS DDoS category | DNS DDoS Rules |
| You have enabled DNS Tunneling system rules and your network environment consists of the following: NATd environments, static forwarders, and VPN concentrators. | All rules in the DNS Tunneling category | Anti DNS Tunneling Rules |
| Your DNS server is configured to allow incoming IPv4 and IPv6 zone transfer requests and it serves a large number of zones. | Rules 130100100 to 130100401 in the DNS Message Type category | DNS Message Type Rules |
| You have enabled DNS Amplification and Reflection system rules. | All rules in the DNS Amplification and Reflection category | DNS Amplification and Reflection Rules |


DNS Cache Poisoning

DNS cache poisoning involves inserting a false address record for an Internet domain into a DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails will go to the attacker's address. Cache poisoning attacks such as the "birthday paradox" use brute force, flooding DNS responses and queries at the same time, hoping to get a match on one of the responses and poison the cache.

The following table lists auto rules that Advanced DNS Protection uses to mitigate DNS cache poisoning on your advanced appliance.

Table H3 DNS Cache Poisoning Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 100000100 | Auto | EARLY PASS UDP response traffic | This rule passes UDP DNS response packets (from upstream DNS servers or external DNS primaries) if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Always enabled | Packets per second (default = 30000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a smaller number if your system is serving authoritative DNS. NOTE: If you set the parameter incorrectly, the rule could block legitimate DNS responses from upstream DNS servers, which could cause the DNS server to exceed its quota. |
| 100000200 | Auto | EARLY PASS TCP response traffic | This rule passes TCP DNS responses initiated by the appliance. | Always enabled | Packets per second (default = 100) | Consider raising the Packets per second value if DNSSEC is enabled. |
| 100000300 | Auto | PASS ACK packets from NIOS initiated connections | This rule passes TCP ACK packets for DNS or BGP from NIOS initiated connections if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Always enabled | Packets per second (default = 600); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider raising the Packets per second value if DNSSEC is enabled. |

DNS Message Type

The following table lists the system and auto rules that are used to mitigate DNS message type attacks on your advanced appliance.

All rules for DNS record types are system rules. By default, they are configured as Pass rules. You can override this and change the rule action to Drop. Note that when you do that, the appliance drops all DNS packets that contain the requested record type.

Table H4 DNS Message Type Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|

| 100100100 | Auto | EARLY PASS IPv4 UDP Notify messages | This rule passes IPv4 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
| 100100101 | Auto | EARLY PASS IPv6 UDP Notify messages | This rule passes IPv6 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
| 100100200 | Auto | EARLY PASS IPv4 TCP Notify messages | This rule passes IPv4 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
| 100100201 | Auto | EARLY PASS IPv6 TCP Notify messages | This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
| 100100300 | Auto | EARLY PASS IPv4 UDP Notify messages for DDNS update | This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if DDNS update is enabled for IPv4 clients | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | |
| 100100350 | Auto | EARLY PASS IPv6 UDP Notify messages for DDNS update | This rule passes IPv6 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if DDNS update is enabled for IPv6 clients | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | |
| 130100100 | Auto | RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests | This rule passes IPv4 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100101 | Auto | RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests | This rule passes IPv6 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100200 | Auto | RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests | This rule passes IPv4 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100201 | Auto | RATELIMIT PASS IPv6 TCP DNS AXFR zone transfer requests | This rule passes IPv6 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100300 | Auto | RATELIMIT PASS IPv4 UDP DNS IXFR zone transfer requests | This rule passes IPv4 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100301 | Auto | RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests | This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100400 | Auto | RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests | This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100401 | Auto | RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests | This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130200100 | Auto | DROP UDP DNS AXFR zone transfer requests | This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| 130200200 | Auto | DROP TCP DNS AXFR zone transfer requests | This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| 130200300 | Auto | DROP UDP DNS IXFR zone transfer requests | This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| 130200400 | Auto | DROP TCP DNS IXFR zone transfer requests | This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| 130500100 | System | DNS A record | You can configure this rule to pass or drop UDP packets that contain an A record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500200 | System | DNS AAAA record | You can configure this rule to pass or drop UDP packets that contain an AAAA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500300 | System | DNS CNAME record | You can configure this rule to pass or drop UDP packets that contain a CNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500400 | System | DNS DS record | You can configure this rule to pass or drop UDP packets that contain a DS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500500 | System | DNS PTR record | You can configure this rule to pass or drop UDP packets that contain a PTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500600 | System | DNS NS record | You can configure this rule to pass or drop UDP packets that contain an NS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500700 | System | DNS NSEC record | You can configure this rule to pass or drop UDP packets that contain an NSEC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500800 | System | DNS NSEC3 record | You can configure this rule to pass or drop UDP packets that contain an NSEC3 record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500900 | System | DNS NSEC3PARAM record | You can configure this rule to pass or drop UDP packets that contain an NSEC3PARAM record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501000 | System | DNS MX record | You can configure this rule to pass or drop UDP packets that contain an MX record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501100 | System | DNS SRV record | You can configure this rule to pass or drop UDP packets that contain an SRV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501200 | System | DNS TXT record | You can configure this rule to pass or drop UDP packets that contain a TXT record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501300 | System | DNS DNAME record | You can configure this rule to pass or drop UDP packets that contain a DNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501400 | System | DNS RRSIG record | You can configure this rule to pass or drop UDP packets that contain an RRSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501500 | System | DNS NAPTR record | You can configure this rule to pass or drop UDP packets that contain a NAPTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501600 | System | DNS DNSKEY record | You can configure this rule to pass or drop UDP packets that contain a DNSKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501700 | System | DNS SPF record | You can configure this rule to pass or drop UDP packets that contain an SPF record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501800 | System | DNS DHCID record | You can configure this rule to pass or drop UDP packets that contain a DHCID record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501900 | System | DNS SOA record | You can configure this rule to pass or drop UDP packets that contain an SOA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502000 | System | DNS SIG record | You can configure this rule to pass or drop UDP packets that contain a SIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502100 | System | DNS LOC record | You can configure this rule to pass or drop UDP packets that contain a LOC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502200 | System | DNS SSHFP record | You can configure this rule to pass or drop UDP packets that contain an SSHFP record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502300 | System | DNS IPSECKEY record | You can configure this rule to pass or drop UDP packets that contain an IPSECKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502400 | System | DNS TKEY record | You can configure this rule to pass or drop UDP packets that contain a TKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502500 | System | DNS TSIG record | You can configure this rule to pass or drop UDP packets that contain a TSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502600 | System | DNS TA record | You can configure this rule to pass or drop UDP packets that contain a TA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502700 | System | DNS DLV record | You can configure this rule to pass or drop UDP packets that contain a DLV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502800 | System | DNS ANY record | You can configure this rule to pass or drop UDP packets that contain an ANY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502900 | System | DNS A record TCP | You can configure this rule to pass or drop TCP packets that contain an A record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503000 | System | DNS AAAA record TCP | You can configure this rule to pass or drop TCP packets that contain an AAAA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503100 | System | DNS CNAME record TCP | You can configure this rule to pass or drop TCP packets that contain a CNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503200 | System | DNS DS record TCP | You can configure this rule to pass or drop TCP packets that contain a DS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503300 | System | DNS PTR record TCP | You can configure this rule to pass or drop TCP packets that contain a PTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503400 | System | DNS NS record TCP | You can configure this rule to pass or drop TCP packets that contain an NS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503500 | System | DNS NSEC record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503600 | System | DNS NSEC3 record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC3 record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503700 | System | DNS NSEC3PARAM record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC3PARAM record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503800 | System | DNS MX record TCP | You can configure this rule to pass or drop TCP packets that contain an MX record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain an SRV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain a TXT record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain a DNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain an RRSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain a NAPTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain a DNSKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain an SPF record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain a DHCID record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain an SOA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain a SIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504900 | System | DNS LOC record TCP | You can configure this rule to pass or drop TCP packets that contain a LOC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain an SSHFP record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain an IPSECKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain a TKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain a TSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain a TA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain a DLV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain an ANY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |

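The PASS rules in Tables H3 and H4 above all share one mechanism: a per-source threshold (Packets per second), a penalty window during which every packet from the offending source is dropped (Drop interval), and a cap on log output (Events per second). The following Python model is an added example, not Infoblox code; it assumes the semantics are exactly what the rule descriptions say, uses constructed traffic from two hypothetical upstream resolvers, and reproduces the failure mode the NOTE on rule 100000100 warns about: a legitimate resolver that bursts above the threshold loses all of its responses for the full Drop interval, not only the excess.

```python
from collections import defaultdict


class RateLimitPassRule:
    """Per-source packet-rate gate with a penalty window and throttled logging.

    Semantics are modelled from the rule descriptions on this page and are an
    assumption about behaviour, not the appliance's implementation:
      * packets from a source pass while it sends no more than
        packets_per_second packets in its current one-second window;
      * a source that exceeds the rate has all of its traffic dropped for
        drop_interval_s seconds;
      * the rule logs at most events_per_second events per second.
    Timestamps are integer milliseconds so the arithmetic stays exact.
    """

    WINDOW_MS = 1000

    def __init__(self, name, packets_per_second, drop_interval_s, events_per_second):
        self.name = name
        self.packets_per_second = packets_per_second
        self.drop_interval_ms = drop_interval_s * 1000
        self.events_per_second = events_per_second
        self._window_start = {}              # src -> start (ms) of its current window
        self._window_count = defaultdict(int)
        self._blocked_until = {}             # src -> time (ms) at which its block expires
        self._log_window_start = None
        self._log_count = 0
        self.events = []                     # log lines this rule emitted

    def process(self, ts_ms, src):
        """Decide one packet from src at time ts_ms; returns 'pass' or 'drop'."""
        if ts_ms < self._blocked_until.get(src, -1):
            self._log(ts_ms, f"{src} dropped during Drop interval")
            return "drop"
        start = self._window_start.get(src)
        if start is None or ts_ms - start >= self.WINDOW_MS:
            self._window_start[src] = ts_ms      # open a fresh one-second window
            self._window_count[src] = 0
        self._window_count[src] += 1
        if self._window_count[src] > self.packets_per_second:
            self._blocked_until[src] = ts_ms + self.drop_interval_ms
            self._log(ts_ms, f"{src} exceeded {self.packets_per_second} pps, "
                             f"blocked for {self.drop_interval_ms // 1000} s")
            return "drop"
        return "pass"

    def _log(self, ts_ms, msg):
        # Events per second caps how many log lines this rule emits per second;
        # drops beyond the cap are still enforced, just not logged.
        if self._log_window_start is None or ts_ms - self._log_window_start >= self.WINDOW_MS:
            self._log_window_start = ts_ms
            self._log_count = 0
        if self._log_count < self.events_per_second:
            self._log_count += 1
            self.events.append(f"t={ts_ms / 1000:.2f}s [{self.name}] {msg}")


def run(rule, packets):
    """Feed (ts_ms, src) packets through the rule in time order.

    Returns {src: {"pass": n, "drop": m}} so tuning effects can be compared.
    """
    counts = defaultdict(lambda: {"pass": 0, "drop": 0})
    for ts_ms, src in sorted(packets):
        counts[src][rule.process(ts_ms, src)] += 1
    return {src: dict(c) for src, c in counts.items()}


def constructed_response_traffic():
    """Constructed sample (not captured data): UDP responses from two upstream resolvers.

    resolver-a answers at a steady 5 pps for 20 s. resolver-b returns a burst of
    40 responses within the first 400 ms, then one response per second.
    """
    pkts = [(i * 200, "resolver-a") for i in range(100)]
    pkts += [(i * 10, "resolver-b") for i in range(40)]
    pkts += [(s * 1000, "resolver-b") for s in range(1, 20)]
    return pkts


def demo(packets_per_second=30):
    """Run the constructed traffic through rule 100000100's parameter set.

    The page's default is Packets per second = 30000; 30 is used here so the
    block is visible on a small sample. Drop interval and Events per second
    keep their documented defaults of 10 seconds and 1.
    """
    rule = RateLimitPassRule("100000100 EARLY PASS UDP response traffic",
                             packets_per_second, drop_interval_s=10, events_per_second=1)
    return run(rule, constructed_response_traffic()), rule.events


if __name__ == "__main__":
    counts, events = demo()
    for src, c in sorted(counts.items()):
        print(f"{src}: {c['pass']} passed, {c['drop']} dropped")
    print("\n".join(events))
```

With the threshold at 30, resolver-b's 40-packet burst costs it 10 burst packets plus the next 10 seconds of otherwise normal responses, and Events per second = 1 means only one log line per second records it; raising the threshold to 40 (`demo(40)`) passes everything.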
General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |
| 130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1) | |
| 110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1) | |


DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of Facebook Messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) | |
| 130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare. | Always enabled | Events per second (default = 1) | |
| 130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server. | Always enabled | Events per second (default = 1) | |

DNS Protocol Anomalies

DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.

The following table lists the rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) | |
| 110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when the DNS Label in the name being queried is too long. | Always enabled | Events per second (default = 1) | |
8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 1430

1510 NIOS Administrator Guide (Rev A) NIOS 612

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets orsubjects in NXDOMAIN or DDoS attacks These rules block all FQDN lookups on UDP for domains that have beenobserved to be used as targets in DDoS attacks The rules are enabled by default You can disable them whennecessary

Note that these rules capture currently observed bad domain names that can change on a regular basis Infobloxrecommends that you update to the latest ruleset to capture the most current rules in this category For informationabout how to update to the latest ruleset see Managing Threat Protection Rules on page 1352

110100600 Auto EARLY DROP UDP queryinvalid question count

This rule drops UDP DNSpackets when thenumber of entries in thequestion section isinvalid

Always enabled Events per second (default = 1)

110100700 Auto EARLY DROP UDP query

invalid question class

This rule drops UDP DNS

packets when the RR(resource record) classbeing queried is invalid

Always enabled Events per second

(default = 1)

110100800 Auto EARLY DROP UDP queryinvalid question string

This rule drops UDP DNSpackets that containinvalid question string

Always enabled Events per second (default = 1)

110100850 Auto EARLY UDP drop invalidDNS query with Authority

This rule drops UDP DNSqueries that containinvalid AUTHORITYentry

Always enabled Events per second (default = 1)

110100900 Auto EARLY DROP querymultiple questions or nonquery operation code

This rule drops UDP DNSpackets when there aremultiple questionsbeing queried at onetime or its operationcode is not Query

Always enabled Events per second (default = 1)

130000700 Auto EARLY DROP TCP non-DNSquery

This rule drops TCPpackets when itsoperation code is notQuery

Always enabled Events per second (default = 1)

130000800 Auto EARLY DROP TCP querymultiple questions

This rule drops TCP DNSpackets when there aremultiple questionsbeing queried at onetime

Always enabled Events per second (default = 1)

130100500 Auto DROP UDP DNS invalidIXFR query with zero ormore than one Authority

This rule drops UDP DNSincremental zonetransfer requests thatcontain zero or morethan one Authorityentries

Always enabled Events per second (default = 1)

130100600 Auto DROP TCP DNS invalidIXFR query with zero ormore than one Authority

This rule drops TCP DNSincremental zonetransfer requests thatcontain zero or morethan one Authorityentries

Always enabled Events per second (default = 1)

130300200 Auto DROP TCP invalid DNSquery with Authority

This rule drops TCP DNSqueries that containinvalid Authorityentries

Always enabled Events per second (default = 1)

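The EARLY DROP rules in the DNS Protocol Anomalies table above are all header- and question-section checks that can be made before any lookup is attempted. The following is an added example, not Infoblox code, that applies the same checks to a UDP DNS query in wire format and reports which rule IDs from the table the packet would trip. The numeric limits (255-octet name, 63-octet label) and the set of accepted classes are the RFC 1035 values assumed here for illustration; the test packets are constructed.

```python
"""Added example (not Infoblox code): the early-drop checks that the DNS
Protocol Anomalies rules above describe, applied to a UDP DNS query in wire
format. Rule IDs are the ones in the table; the numeric limits (255-octet
name, 63-octet label, the set of accepted classes) are the RFC 1035 values
assumed for this illustration, and the test packets are constructed."""
import struct

OPCODE_QUERY = 0
QTYPE_IXFR = 251
VALID_QCLASSES = {1, 3, 4, 254, 255}   # IN, CH, HS, NONE, ANY (assumption)
MAX_NAME_OCTETS = 255
MAX_LABEL_OCTETS = 63


def check_udp_query(pkt: bytes) -> list:
    """Return the IDs of the rules this query would trip; [] means it passes.
    Walking stops at the first structural defect, since nothing after a
    malformed question can be trusted."""
    hits = []
    if len(pkt) < 12:
        return ["110100800"]              # no complete header: invalid question string
    _id, flags, qdcount, _an, nscount, _ar = struct.unpack("!HHHHHH", pkt[:12])
    opcode = (flags >> 11) & 0xF
    if qdcount == 0:
        return ["110100600"]              # invalid question count: nothing to parse
    if qdcount > 1 or opcode != OPCODE_QUERY:
        hits.append("110100900")          # multiple questions or non-Query opcode
    pos, name_octets = 12, 0
    while True:                           # walk the labels of the first question name
        if pos >= len(pkt):
            return hits + ["110100800"]   # name never terminated
        ln = pkt[pos]
        if ln == 0:
            pos += 1
            name_octets += 1
            break
        if ln > MAX_LABEL_OCTETS:         # 64..255: oversized label or a compression pointer;
            return hits + ["110100500"]   # neither is legal in a query's question name
        pos += 1 + ln
        name_octets += 1 + ln
    if name_octets > MAX_NAME_OCTETS:
        hits.append("110100400")          # question name too long
    if pos + 4 > len(pkt):
        return hits + ["110100800"]       # QTYPE/QCLASS missing
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    if qclass not in VALID_QCLASSES:
        hits.append("110100700")          # invalid question class
    if qtype == QTYPE_IXFR:
        if nscount != 1:
            hits.append("130100500")      # IXFR must carry exactly one SOA in Authority
    elif nscount != 0:
        hits.append("110100850")          # ordinary query with Authority entries
    return hits


def build_query(labels, qtype=1, qclass=1, opcode=0, qdcount=1, nscount=0) -> bytes:
    """Constructed test input: header + one question. The counts are written
    into the header only; the check reads counts, not trailing sections."""
    flags = (opcode & 0xF) << 11
    header = struct.pack("!HHHHHH", 0x1234, flags, qdcount, 0, nscount, 0)
    name = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)


SAMPLES = {
    "clean": build_query([b"www", b"example", b"com"]),
    "bad_class": build_query([b"example", b"com"], qclass=9),
    "no_question": build_query([b"example", b"com"], qdcount=0),
    "two_questions": build_query([b"example", b"com"], qdcount=2),
    "status_opcode": build_query([b"example", b"com"], opcode=2),
    "long_label": build_query([b"a" * 70, b"com"]),       # length octet 70 > 63
    "long_name": build_query([b"x" * 60] * 5),             # 5 * 61 + 1 = 306 > 255
    "ixfr_no_soa": build_query([b"example", b"com"], qtype=QTYPE_IXFR),
    "authority_in_query": build_query([b"example", b"com"], nscount=1),
    "truncated": build_query([b"example", b"com"])[:-3],   # QCLASS cut off
}


def audit(samples=SAMPLES) -> dict:
    """Run every constructed packet through the checks: name -> rule IDs."""
    return {name: check_udp_query(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, rules in audit().items():
        print(f"{name:20s} {'pass' if not rules else ' '.join(rules)}")
```

The checks are ordered the way a fast path would order them: counts and opcode come straight from the fixed header, the name walk is the only loop, and QTYPE/QCLASS are read only once the name has terminated inside the packet.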

TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200. |
| 130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100. |
| 130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400. |
| 130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300. |

DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.

Table H10 DNS DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. |
| 200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers and NO errors. |
| 200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. |
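Tables H9 and H10 describe one mechanism from two angles: a per-source packet counter with a low "warn" threshold (rule 130000100), a high "block" threshold whose breach drops the source for Drop interval seconds (rule 130000200), and, in Table H10, a counter fed only by queries that produce a particular response code. The following is an added example, not Infoblox code, that models that mechanism so the interaction of the two thresholds and the Drop interval can be seen on constructed traffic. The one-second fixed window, the scaled-down thresholds, the IP addresses and the timestamps are all assumptions; the same two parameters recur in the rate-limit rules of the tables that follow.

```python
"""Added example (not Infoblox code): a per-source rate monitor with the two
tiers described for rules 130000100/130000200 in Table H9 (warn at the low
Packets per second value, block at the high one for Drop interval seconds)
and a match predicate so the same counter can be fed only by queries that
produce a given response code, as the Table H10 rules are. Thresholds, IPs
and timestamps are constructed and far below the appliance defaults."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    ts: float               # seconds
    src: str
    proto: str              # "udp" or "tcp"
    rcode: str = "NOERROR"  # the response this query produces (assumed known)


def thresholds_valid(warn_pps: Optional[int], block_pps: int) -> bool:
    """The NOTE on rules 130000100/130000200: the warn value must be below the block value."""
    return block_pps > 0 and (warn_pps is None or 0 < warn_pps < block_pps)


@dataclass
class RateRule:
    rule_id: str
    warn_pps: Optional[int]             # low threshold; None = no warning tier
    block_pps: int                      # high threshold ("Packets per second")
    drop_interval: float                # seconds a source stays blocked
    match: Callable[[Event], bool]      # which packets the counter sees
    block_scope: Optional[Callable[[Event], bool]] = None  # what is dropped while blocked (default: match)
    blocked_until: Dict[str, float] = field(default_factory=dict)
    window: Dict[str, list] = field(default_factory=lambda: defaultdict(lambda: [None, 0]))

    def __post_init__(self):
        if not thresholds_valid(self.warn_pps, self.block_pps):
            raise ValueError(f"{self.rule_id}: warn threshold must be lower than block threshold")
        if self.block_scope is None:
            self.block_scope = self.match

    def process(self, ev: Event) -> str:
        """Verdict for one packet: PASS, WARN, BLOCK (the packet that crossed the
        line) or DROP (a later packet inside the Drop interval)."""
        until = self.blocked_until.get(ev.src)
        if until is not None and ev.ts < until and self.block_scope(ev):
            return "DROP"
        if not self.match(ev):
            return "PASS"
        start, count = self.window[ev.src]
        if start is None or ev.ts - start >= 1.0:   # fixed one-second window (assumption)
            start, count = ev.ts, 0
        count += 1
        self.window[ev.src] = [start, count]
        if count > self.block_pps:
            self.blocked_until[ev.src] = ev.ts + self.drop_interval
            return "BLOCK"
        if count == self.block_pps or (self.warn_pps is not None and count >= self.warn_pps):
            return "WARN"
        return "PASS"


def run(rule: RateRule, events: List[Event]) -> List[str]:
    return [rule.process(e) for e in sorted(events, key=lambda e: e.ts)]


def summarize(verdicts: List[str]) -> Dict[str, int]:
    return {v: verdicts.count(v) for v in ("PASS", "WARN", "BLOCK", "DROP") if v in verdicts}


def burst(src, n, t0, dt, proto="udp", rcode="NOERROR") -> List[Event]:
    return [Event(t0 + i * dt, src, proto, rcode) for i in range(n)]


# Constructed traffic: one source sends 50 UDP queries in half a second, then
# one more inside and one more after the 5-second Drop interval; a quiet
# source sends three.
FLOOD_EVENTS = (burst("198.51.100.7", 50, 0.0, 0.01)
                + [Event(3.0, "198.51.100.7", "udp"), Event(6.0, "198.51.100.7", "udp")]
                + burst("203.0.113.9", 3, 0.0, 0.1))

# Constructed: four NXDOMAIN-producing queries (limit 3), then a normal UDP query
# from the same source, dropped because the whole source is blocked, and a TCP
# query, which the UDP-only rule never touches.
NXDOMAIN_EVENTS = (burst("192.0.2.5", 4, 10.0, 0.05, rcode="NXDOMAIN")
                   + [Event(10.5, "192.0.2.5", "udp", "NOERROR"),
                      Event(10.6, "192.0.2.5", "tcp", "NXDOMAIN")])


def flood_demo() -> Dict[str, int]:
    rule = RateRule("130000200", warn_pps=40, block_pps=45, drop_interval=5.0,
                    match=lambda e: e.proto == "udp")
    return summarize(run(rule, FLOOD_EVENTS))


def nxdomain_demo() -> Dict[str, int]:
    rule = RateRule("200000001", warn_pps=None, block_pps=3, drop_interval=5.0,
                    match=lambda e: e.proto == "udp" and e.rcode == "NXDOMAIN",
                    block_scope=lambda e: e.proto == "udp")
    return summarize(run(rule, NXDOMAIN_EVENTS))


if __name__ == "__main__":
    print("flood   ", flood_demo())
    print("nxdomain", nxdomain_demo())
```

Two details of the model are worth noting. The flood rule drops only "such traffic" once a source is blocked, so its block scope equals its match predicate; the NXDOMAIN rule blocks all UDP DNS traffic from the source, so its block scope is wider than what its counter sees. And the constructor refuses a warn threshold at or above the block threshold, which is the configuration mistake the NOTE on rules 130000100/130000200 warns about.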

DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. |
| 130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. |
| 200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. |

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification recognizes UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers on the Internet cloud. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that are sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders and VPN concentrators. |
| 130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) |  |
| 130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. |

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|

| 130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) |  |
| 130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) |  |
| 200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |  |
| 200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |  |
| 200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |  |
| 200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |  |
| 200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |  |
| 200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) |  |
| 200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |  |

| 200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |  |
| 200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |  |
| 200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |  |
| 200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |  |
| 200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) |  |
| 200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) |  |
| 200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) |  |
| 200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) |  |
| 200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) |  |
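The NTP rules above key on a few header fields: the NTP mode (3 for client TIME requests, 6 for ntpq control packets, 7 for the private ntpdc protocol), the authentication bit, and, for mode 7, the implementation number (IMPL 0x02/0x03) and request code (GET_RESTRICT, PEER_LIST_SUM, PEER_LIST). The following is an added example, not Infoblox code, that decodes those fields from a UDP/123 payload and maps them to the rule IDs in Table H13 for both the service-enabled and service-disabled cases. The mode 7 header layout and the numeric request codes (PEER_LIST = 0, PEER_LIST_SUM = 1, GET_RESTRICT = 16) are taken from ntpd's ntp_request.h, not from this page; the ACL and rate-limit rules are not modelled, and every packet is constructed.

```python
"""Added example (not Infoblox code): classifying inbound UDP/123 packets the
way the NTP rules in Table H13 describe. Unauthenticated mode 7 GET_RESTRICT,
PEER_LIST_SUM and PEER_LIST requests for implementation numbers 0x02 and 0x03
map to rules 200001001-200001025; with the NTP service off, ntpq (mode 6),
client TIME (mode 3) and mode 7 requests map to the "unexpected" drop rules.
Header layout and request-code numbers come from ntpd's ntp_request.h
(assumption, not from the page); all packets are constructed."""
import struct

REQ_CODES = {0: "PEER_LIST", 1: "PEER_LIST_SUM", 16: "GET_RESTRICT"}   # assumption: ntp_request.h
NTP_DDOS_RULES = {   # (implementation, request code) -> rule ID from Table H13
    (0x02, 16): "200001001", (0x03, 16): "200001005",
    (0x02, 1): "200001010", (0x03, 1): "200001015",
    (0x02, 0): "200001020", (0x03, 0): "200001025",
}


def parse_ntp(pkt: bytes) -> dict:
    """Decode the fields the rules key on. Mode 7 packets carry an 8-octet
    private header: flags/version/mode, auth bit + sequence, implementation,
    request code, err/nitems, mbz/itemsize."""
    if len(pkt) < 8:
        return {"malformed": True}
    b0, b1 = pkt[0], pkt[1]
    info = {"mode": b0 & 0x07, "version": (b0 >> 3) & 0x07, "malformed": False}
    if info["mode"] == 7:
        info.update(response=bool(b0 & 0x80), authed=bool(b1 & 0x80),
                    impl=pkt[2], request=pkt[3])
    return info


def classify_ntp(pkt: bytes, server_enabled: bool = True) -> str:
    """Return the Table H13 rule ID that would act on this packet, or PASS
    (it then goes on to the ACL / rate-limit rules, which are not modelled)."""
    info = parse_ntp(pkt)
    if info["malformed"]:
        return "PASS" if server_enabled else "200001115"   # DROP invalid NTP requests
    mode = info["mode"]
    if not server_enabled:
        if mode == 6:
            return "200001100"            # DROP NTPQ requests unexpected
        if mode == 3:
            return "200001105"            # DROP NTP TIME requests unexpected
        if mode == 7 and not info["response"]:
            return "200001110"            # DROP NTP private mode requests unexpected
        return "PASS"                     # other modes: no Table H13 rule modelled here
    if mode == 7 and not info["response"] and not info["authed"]:
        return NTP_DDOS_RULES.get((info["impl"], info["request"]), "PASS")
    return "PASS"


def mode7_request(impl: int, request: int, authed=False, response=False, seq=0) -> bytes:
    """Constructed private-mode packet: version 2, mode 7, zero item counts, padded data."""
    b0 = (0x80 if response else 0) | (2 << 3) | 7
    b1 = (0x80 if authed else 0) | (seq & 0x7F)
    return bytes([b0, b1, impl & 0xFF, request & 0xFF]) + struct.pack("!HH", 0, 0) + b"\x00" * 40


def client_time_request() -> bytes:
    """Constructed NTPv4 client request: LI=0, VN=4, mode=3, remaining fields zero."""
    return bytes([(4 << 3) | 3]) + b"\x00" * 47


def ntpq_request() -> bytes:
    """Constructed mode 6 control packet: VN=2, mode=6, opcode 1 (READSTAT), zero body."""
    return bytes([(2 << 3) | 6, 0x01]) + b"\x00" * 10


def audit(server_enabled: bool) -> dict:
    """Classify a fixed set of constructed packets under one service state."""
    samples = {
        "get_restrict_0x02": mode7_request(0x02, 16),
        "peer_list_sum_0x03": mode7_request(0x03, 1),
        "peer_list_0x02_authed": mode7_request(0x02, 0, authed=True),
        "get_restrict_response": mode7_request(0x03, 16, response=True),
        "time_client": client_time_request(),
        "ntpq": ntpq_request(),
        "runt": b"\x27",
    }
    return {name: classify_ntp(pkt, server_enabled) for name, pkt in samples.items()}


if __name__ == "__main__":
    for state in (True, False):
        print("NTP service", "enabled" if state else "disabled")
        for name, rule in audit(state).items():
            print(f"  {name:24s} {rule}")
```

The "Un-Authed" qualifier in the rule names is what the auth-bit test implements: an authenticated mode 7 request from a configured peer is left for the ACL rules, only the unauthenticated ones feed the DDoS rules.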

BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130700100 | Auto | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) |  |
| 130700200 | Auto | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) |  |
| 130700300 | Auto | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) |  |
| 130700400 | Auto | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) |  |
| 130700500 | Auto | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) |  |
| 130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) |  |
| 130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) |  |
| 130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) |  |

| 130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) |  |
| 130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured | Events per second (default = 1) | This rule is exclusive with other rules, based on whether BGP is configured on the member or not. |

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|

| 130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured | Events per second (default = 1) | Default drop rule for all packets on the OSPF service port. |
| 130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4 | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100) |  |
| 130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6 | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100) |  |
| 130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | This rule works for both IPv4 and IPv6. |

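Four of the BGP rules in Table H14 (130700100, 130700200, 130700400 and 130700500) are decisions that need nothing beyond the fixed 19-octet BGP message header: the length field against the minimum and maximum the RFC allows, and the type field against the defined range. The following is an added example, not Infoblox code, that makes those four decisions on a message taken from the TCP stream and reports the rule IDs. The limits are the RFC 4271 values (19-octet header, 4096-octet maximum, types 1 to 4) plus ROUTE-REFRESH (type 5) from RFC 2918; the per-type minimum lengths are the RFC 4271 values as well. Rule 130700300 is a TCP-layer check and is not modelled; the test messages are constructed.

```python
"""Added example (not Infoblox code): the header-level checks behind rules
130700100, 130700200, 130700400 and 130700500 in Table H14, applied to a BGP
message read from the TCP stream. Limits come from RFC 4271 (19-octet header,
4096-octet maximum, types 1-4) and RFC 2918 (type 5); rule 130700300 is a
TCP-layer check and is not modelled. Test messages are constructed."""
import struct

BGP_MARKER = b"\xff" * 16          # RFC 4271: the marker is all ones
BGP_MIN_LEN, BGP_MAX_LEN = 19, 4096
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}
TYPE_MIN_LEN = {1: 29, 2: 23, 3: 21, 4: 19, 5: 23}   # per-type minimum message length


def check_bgp_header(msg: bytes) -> list:
    """Return the rule IDs the message header trips; "MARKER" flags a bad
    marker, which Table H14 has no rule for (it is a NOTIFICATION case in
    RFC 4271). [] means the header is acceptable."""
    if len(msg) < BGP_MIN_LEN:
        return ["130700100"]                       # not even a full header on the wire
    marker, length, mtype = msg[:16], struct.unpack("!H", msg[16:18])[0], msg[18]
    hits = []
    if marker != BGP_MARKER:
        hits.append("MARKER")
    if length < TYPE_MIN_LEN.get(mtype, BGP_MIN_LEN):
        hits.append("130700100")                   # header length shorter than spec
    elif length > BGP_MAX_LEN:
        hits.append("130700200")                   # header length longer than spec
    if mtype == 0:
        hits.append("130700400")                   # invalid type 0
    elif mtype > 5:
        hits.append("130700500")                   # invalid type bigger than 5
    return hits


def bgp_message(mtype: int, payload: bytes = b"", length=None) -> bytes:
    """Constructed message with a valid marker; `length` forges the length field."""
    ln = BGP_MIN_LEN + len(payload) if length is None else length
    return BGP_MARKER + struct.pack("!HB", ln, mtype) + payload


SAMPLES = {
    "keepalive": bgp_message(4),
    "open_too_short": bgp_message(1, b"\x04\xfd\xe8\x00\xb4"),  # 24 octets, OPEN needs 29
    "forged_short": bgp_message(4, length=10),
    "forged_long": bgp_message(2, b"\x00\x00\x00\x00", length=5000),
    "type_zero": bgp_message(0),
    "type_nine": bgp_message(9),
    "bad_marker": b"\x00" * 16 + struct.pack("!HB", 19, 4),
    "truncated": bgp_message(4)[:10],
}


def audit(samples=SAMPLES) -> dict:
    """Run every constructed message through the checks: name -> rule IDs."""
    return {name: check_bgp_header(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, hits in audit().items():
        print(f"{name:16s} {'ok' if not hits else ' '.join(hits)}")
```

The length check uses the per-type minimum rather than the bare 19 octets, so an OPEN that is a legal header but too short to hold its mandatory fields is caught by the same "shorter than spec" rule; a reader who only wants the header-level check can replace `TYPE_MIN_LEN.get(mtype, BGP_MIN_LEN)` with `BGP_MIN_LEN`.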

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2330

ICMP

NIOS 612 NIOS Administrator Guide (Rev A) 1519

ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not availableor the remote server cannot be reached Examples of ICMP attacks include ping floods ping-of-death attacks andsmurf attacks

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance

Table H16 ICMP Rules

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

130400200 Auto DROP ICMP largepackets

This rule drops large ICMPpackets (bigger than800)

Always enabled Events per second (default=1)

130900100 Auto RATE LIMIT PASS ICMPPing

This rule passes ICMP pingpackets if the packet rate is lessthan the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130900200 Auto RATE LIMIT PASS ICMPv6Ping

This rule passes ICMPv6 pingpackets if the packet rate is lessthan the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130900700 Auto RATELIMIT PASS ICMPv6destinationunreachable

This rule passes ICMPv6Destination Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=100)

130900800 Auto RATELIMIT PASS ICMPv6packet too big

This rule passes ICMPv6 PacketToo Big messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=100)

130900900 Auto RATELIMIT PASS ICMPv6ping responses

This rule passes ICMPv6 pingresponses if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130901000 Auto RATELIMIT PASS ICMPv6parameter problemerroneous header

This rule passes ICMPv6Erroneous Header messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2430

1520 NIOS Administrator Guide (Rev A) NIOS 612

130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)


130901900 | Auto | RATELIMIT PASS ICMPv6 listener query
  Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902000 | Auto | RATELIMIT PASS ICMPv6 listener report
  Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902100 | Auto | RATELIMIT PASS ICMPv6 listener done
  Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2
  Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902300 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902400 | Auto | RATELIMIT PASS ICMPV6 multicast router solicitation
  Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902500 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902600 | Auto | RATELIMIT PASS ICMP ping responses
  Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)


130902700 | Auto | RATELIMIT PASS ICMP router advertisement
  Description: This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902800 | Auto | RATELIMIT PASS ICMP router solicitation
  Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902900 | Auto | RATELIMIT PASS ICMP time exceeded
  Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903000 | Auto | RATELIMIT PASS ICMP parameter problem
  Description: This rule passes ICMP parameter problems if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable
  Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903400 | Auto | RATELIMIT ICMP port unreachable
  Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50)


130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed
  Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments

100000050 | System | EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
  Enable Condition: Enabled by default
  Parameters: N/A

140000100 | System | DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200 | System | DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400 | System | PASS TCP established packets
  Description: This passes all TCP established packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)

140000500 | System | DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600 | System | DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700 | System | DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800 | System | DROP unexpected protocol
  Description: This rule drops any unexpected protocol packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This is a catch-all rule that drops anything that does not match any other rules in the system.


HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments

140000750 | Auto | PASS VRRP
  Description: This rule passes packets that go through VRRP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

140000760 | Auto | PASS IGMP
  Description: This rule passes packets that go through IGMP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into puny codes. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:


  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
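The behaviour that the RATELIMIT PASS rules in the tables share (counting packets per source against Packets per second, a block that lasts Drop interval, and Events per second as a cap on logging rather than on traffic) and the "prior to rate limiting" ordering of the custom rule templates, modelled in Python as an added example. This is not Infoblox code and not the appliance's algorithm: the fixed one-second counting window, the evaluation order (whitelist, IP blacklist, FQDN blacklist, rate limits, then PASS), exact-match FQDN comparison, the class and function names, and every address and FQDN are assumptions or constructed sample values. The 5 packets per second and 30-second drop interval are the template defaults the page quotes; the punycode conversion implements the IDN requirement from the Note above.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass
class RateLimitRule:
    """A RATELIMIT-style rule with the three parameters the page names. Counting is per key
    (source IP for IP rules, FQDN for FQDN rules) in fixed one-second windows (an assumption)."""
    name: str
    packets_per_second: int
    drop_interval: float           # seconds the key stays blocked after exceeding the rate
    events_per_second: int = 1     # cap on log lines per second for this rule
    log: List[str] = field(default_factory=list)
    _counts: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # key -> (second, packets)
    _blocked_until: Dict[str, float] = field(default_factory=dict)     # key -> unblock time
    _events: Tuple[int, int] = (0, 0)                                  # (second, lines logged)

    def _log(self, now: float, msg: str) -> None:
        sec, n = self._events
        if sec != int(now):
            sec, n = int(now), 0
        if n < self.events_per_second:     # Events per second throttles logging, not traffic
            self.log.append(f"t={now:.1f} {self.name}: {msg}")
            n += 1
        self._events = (sec, n)

    def check(self, key: str, now: float) -> str:
        """Verdict ('PASS' or 'DROP') for one packet attributed to key at time now (seconds)."""
        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                return "DROP"              # still inside the drop interval
            del self._blocked_until[key]   # interval expired; start counting afresh
        sec, n = self._counts.get(key, (int(now), 0))
        if sec != int(now):
            sec, n = int(now), 0
        n += 1
        self._counts[key] = (sec, n)
        if n > self.packets_per_second:
            self._blocked_until[key] = now + self.drop_interval
            self._log(now, f"{key} exceeded {self.packets_per_second} pps, "
                           f"dropping for {self.drop_interval:g} s")
            return "DROP"
        return "PASS"


def normalize_fqdn(name: str) -> str:
    """Lower-case, strip the trailing dot and convert IDN labels to punycode (the Note's requirement)."""
    return name.strip().rstrip(".").encode("idna").decode("ascii").lower()


def parse_fqdn_list(value: str) -> Set[str]:
    """Split the semicolon-separated Blacklisted FQDN field."""
    return {normalize_fqdn(n) for n in value.split(";") if n.strip()}


def in_any(src: str, networks: List[str]) -> bool:
    """Match an IPv4/IPv6 source against address/CIDR entries (mixed versions never match)."""
    addr = ip_address(src)
    return any(addr in ip_network(n, strict=False) for n in networks)


@dataclass
class CustomDnsPolicy:
    """Constructed set of custom rules for one transport (UDP here)."""
    whitelist_ip: List[str]                          # WHITELIST IP UDP: Pass prior to rate limiting
    blacklist_ip: List[str]                          # BLACKLIST IP UDP: Drop prior to rate limiting
    blacklist_fqdn: Set[str]                         # BLACKLIST FQDN lookup UDP
    ratelimited_fqdn: Dict[str, RateLimitRule]       # RATELIMITED FQDN lookup UDP, keyed by FQDN
    ratelimited_ip: List[Tuple[str, RateLimitRule]]  # RATELIMITED IP UDP: (network, rule)

    def evaluate(self, src: str, qname: str, now: float) -> str:
        """Order is an assumption drawn from the template names: 'prior to rate limiting'
        rules first, then the rate limits, then PASS by default."""
        if in_any(src, self.whitelist_ip):
            return "PASS"
        if in_any(src, self.blacklist_ip):
            return "DROP"
        q = normalize_fqdn(qname)
        if q in self.blacklist_fqdn:
            return "DROP"
        rule = self.ratelimited_fqdn.get(q)
        if rule is not None and rule.check(q, now) == "DROP":   # counted per FQDN
            return "DROP"
        for net, rule in self.ratelimited_ip:
            if in_any(src, [net]):
                return rule.check(src, now)                     # counted per source IP
        return "PASS"


def build_policy() -> CustomDnsPolicy:
    """Constructed sample with the template defaults the page quotes (5 pps, 30 s drop interval)."""
    return CustomDnsPolicy(
        whitelist_ip=["192.0.2.0/24"],
        blacklist_ip=["203.0.113.7/32", "2001:db8:bad::/48"],
        blacklist_fqdn=parse_fqdn_list("bad.example; bücher.example"),
        ratelimited_fqdn={"busy.example": RateLimitRule("RATELIMITED FQDN lookup UDP", 5, 30.0)},
        ratelimited_ip=[("198.51.100.0/24", RateLimitRule("RATELIMITED IP UDP", 5, 30.0))],
    )
```

Calling `build_policy().evaluate("198.51.100.9", "busy.example", t)` seven times within one second gives five PASS verdicts and then two DROP verdicts, and the FQDN rule records a single log line because Events per second is 1; the same source is then also refused for any other name once its own per-source count passes 5, and both blocks clear once 30 seconds have elapsed. The two counters illustrate why the page attaches separate Packets per second and Drop interval values to FQDN-keyed and IP-keyed templates.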


DNS Cache Poisoning

DNS cache poisoning involves inserting a false address record for an Internet domain into a DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails will go to the attacker's address. Cache poisoning attacks such as the "birthday paradox" use brute force, flooding DNS responses and queries at the same time, hoping to get a match on one of the responses and poison the cache.

The following table lists auto rules that Advanced DNS Protection uses to mitigate DNS cache poisoning on your advanced appliance.

Table H3 DNS Cache Poisoning Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments

100000100 | Auto | EARLY PASS UDP response traffic
  Description: This rule passes UDP DNS response packets (from upstream DNS servers or external DNS primaries) if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Packets per second (default = 30000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a smaller number if your system is serving authoritative DNS. NOTE: If you set the parameter incorrectly, the rule could block legitimate DNS responses from upstream DNS servers, which could cause the DNS server to exceed its quota.

100000200 | Auto | EARLY PASS TCP response traffic
  Description: This rule passes TCP DNS responses initiated by the appliance.
  Enable/Disable Condition: Always enabled
  Parameters: Packets per second (default = 100)
  Comments: Consider raising the Packets per second value if DNSSEC is enabled.

100000300 | Auto | PASS ACK packets from NIOS initiated connections
  Description: This rule passes TCP ACK packets for DNS or BGP from NIOS initiated connections if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Packets per second (default = 600); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider raising the Packets per second value if DNSSEC is enabled.

DNS Message Type

The following table lists the system and auto rules that are used to mitigate DNS message type attacks on your advanced appliance.

All rules for DNS record types are system rules. By default, they are configured as Pass rules. You can override this and change the rule action to Drop. Note that when you do that, the appliance drops all DNS packets that contain the requested record type.

Table H4 DNS Message Type Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments

100100100 | Auto | EARLY PASS IPv4 UDP Notify messages
  Description: This rule passes IPv4 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.


100100101 | Auto | EARLY PASS IPv6 UDP Notify messages
  Description: This rule passes IPv6 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

100100200 | Auto | EARLY PASS IPv4 TCP Notify messages
  Description: This rule passes IPv4 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

100100201 | Auto | EARLY PASS IPv6 TCP Notify messages
  Description: This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly.

100100300 | Auto | EARLY PASS IPv4 UDP Notify messages for DDNS update
  Description: This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled if DDNS update is enabled for IPv4 clients
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

100100350 | Auto | EARLY PASS IPv6 UDP Notify messages for DDNS update
  Description: This rule passes IPv6 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled if DDNS update is enabled for IPv6 clients
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)

130100100 | Auto | RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests
  Description: This rule passes IPv4 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

130100101 | Auto | RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests
  Description: This rule passes IPv6 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.

130100200 | Auto | RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests
  Description: This rule passes IPv4 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.


130100201 Auto RATELIMIT PASSIPv6 TCP DNSAXFR zonetransfer requests

This rule passes IPv6 TCP DNS fullzone transfer requests if thepacket rate is less than thespecified Packets per second value (default = 100) If anysource IP sends packets over thisvalue the appliance blocks all

such traffic from this source IP fora time specified in Drop interval

Enabled if InfobloxDNS allowsincoming IPv6zone transferrequests

Packets per second (default = 1000)

Drop interval (default= 10 seconds)

Events per second (default = 1)

Consider tuning Packets per

second if Infoblox DNSserves a large number ofzones If this rule istriggered and the source IPaddress indicates a validsecondary server tune the

Packets per second valueaccordingly

130100300 | Auto | RATELIMIT PASS IPv4 UDP DNS IXFR zone transfer requests | This rule passes IPv4 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100301 | Auto | RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests | This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100400 | Auto | RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests | This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100401 | Auto | RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests | This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130200100 | Auto | DROP UDP DNS AXFR zone transfer requests | This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) |
130200200 | Auto | DROP TCP DNS AXFR zone transfer requests | This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) |
130200300 | Auto | DROP UDP DNS IXFR zone transfer requests | This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) |
130200400 | Auto | DROP TCP DNS IXFR zone transfer requests | This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) |


130500100 | System | DNS A record | You can configure this rule to pass or drop UDP packets that contain an A record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500200 | System | DNS AAAA record | You can configure this rule to pass or drop UDP packets that contain an AAAA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500300 | System | DNS CNAME record | You can configure this rule to pass or drop UDP packets that contain a CNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500400 | System | DNS DS record | You can configure this rule to pass or drop UDP packets that contain a DS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500500 | System | DNS PTR record | You can configure this rule to pass or drop UDP packets that contain a PTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500600 | System | DNS NS record | You can configure this rule to pass or drop UDP packets that contain an NS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500700 | System | DNS NSEC record | You can configure this rule to pass or drop UDP packets that contain an NSEC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500800 | System | DNS NSEC3 record | You can configure this rule to pass or drop UDP packets that contain an NSEC3 record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500900 | System | DNS NSEC3PARAM record | You can configure this rule to pass or drop UDP packets that contain an NSEC3PARAM record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501000 | System | DNS MX record | You can configure this rule to pass or drop UDP packets that contain an MX record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501100 | System | DNS SRV record | You can configure this rule to pass or drop UDP packets that contain an SRV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501200 | System | DNS TXT record | You can configure this rule to pass or drop UDP packets that contain a TXT record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501300 | System | DNS DNAME record | You can configure this rule to pass or drop UDP packets that contain a DNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501400 | System | DNS RRSIG record | You can configure this rule to pass or drop UDP packets that contain an RRSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501500 | System | DNS NAPTR record | You can configure this rule to pass or drop UDP packets that contain a NAPTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |


130501600 | System | DNS DNSKEY record | You can configure this rule to pass or drop UDP packets that contain a DNSKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501700 | System | DNS SPF record | You can configure this rule to pass or drop UDP packets that contain an SPF record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501800 | System | DNS DHCID record | You can configure this rule to pass or drop UDP packets that contain a DHCID record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501900 | System | DNS SOA record | You can configure this rule to pass or drop UDP packets that contain an SOA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502000 | System | DNS SIG record | You can configure this rule to pass or drop UDP packets that contain a SIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502100 | System | DNS LOC record | You can configure this rule to pass or drop UDP packets that contain a LOC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502200 | System | DNS SSHFP record | You can configure this rule to pass or drop UDP packets that contain an SSHFP record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502300 | System | DNS IPSECKEY record | You can configure this rule to pass or drop UDP packets that contain an IPSECKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502400 | System | DNS TKEY record | You can configure this rule to pass or drop UDP packets that contain a TKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502500 | System | DNS TSIG record | You can configure this rule to pass or drop UDP packets that contain a TSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502600 | System | DNS TA record | You can configure this rule to pass or drop UDP packets that contain a TA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502700 | System | DNS DLV record | You can configure this rule to pass or drop UDP packets that contain a DLV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502800 | System | DNS ANY record | You can configure this rule to pass or drop UDP packets that contain an ANY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502900 | System | DNS A record TCP | You can configure this rule to pass or drop TCP packets that contain an A record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503000 | System | DNS AAAA record TCP | You can configure this rule to pass or drop TCP packets that contain an AAAA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |


130503100 | System | DNS CNAME record TCP | You can configure this rule to pass or drop TCP packets that contain a CNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503200 | System | DNS DS record TCP | You can configure this rule to pass or drop TCP packets that contain a DS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503300 | System | DNS PTR record TCP | You can configure this rule to pass or drop TCP packets that contain a PTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503400 | System | DNS NS record TCP | You can configure this rule to pass or drop TCP packets that contain an NS record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503500 | System | DNS NSEC record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503600 | System | DNS NSEC3 record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC3 record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503700 | System | DNS NSEC3PARAM record TCP | You can configure this rule to pass or drop TCP packets that contain an NSEC3PARAM record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503800 | System | DNS MX record TCP | You can configure this rule to pass or drop TCP packets that contain an MX record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain an SRV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain a TXT record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain a DNAME record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain an RRSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain a NAPTR record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain a DNSKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain an SPF record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |


130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain a DHCID record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain an SOA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain a SIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504900 | System | DNS LOC record TCP | You can configure this rule to pass or drop TCP packets that contain a LOC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain an SSHFP record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain an IPSECKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain a TKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain a TSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain a TA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain a DLV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain an ANY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |


General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) |
110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) |
110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) |
130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) |
130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) |

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1) |
110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1) |


DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of FaceBook messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) |
130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare. | Always enabled | Events per second (default = 1) |
130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server. | Always enabled | Events per second (default = 1) |

DNS Protocol Anomalies

DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.

The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) |
110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when the DNS Label in the name being queried is too long. | Always enabled | Events per second (default = 1) |
110100600 | Auto | EARLY DROP UDP query invalid question count | This rule drops UDP DNS packets when the number of entries in the question section is invalid. | Always enabled | Events per second (default = 1) |
110100700 | Auto | EARLY DROP UDP query invalid question class | This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid. | Always enabled | Events per second (default = 1) |
110100800 | Auto | EARLY DROP UDP query invalid question string | This rule drops UDP DNS packets that contain an invalid question string. | Always enabled | Events per second (default = 1) |
110100850 | Auto | EARLY UDP drop invalid DNS query with Authority | This rule drops UDP DNS queries that contain an invalid AUTHORITY entry. | Always enabled | Events per second (default = 1) |
110100900 | Auto | EARLY DROP query multiple questions or non query operation code | This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query. | Always enabled | Events per second (default = 1) |
130000700 | Auto | EARLY DROP TCP non-DNS query | This rule drops TCP packets when the operation code is not Query. | Always enabled | Events per second (default = 1) |
130000800 | Auto | EARLY DROP TCP query multiple questions | This rule drops TCP DNS packets when there are multiple questions being queried at one time. | Always enabled | Events per second (default = 1) |
130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority | This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) |
130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority | This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) |
130300200 | Auto | DROP TCP invalid DNS query with Authority | This rule drops TCP DNS queries that contain invalid Authority entries. | Always enabled | Events per second (default = 1) |

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.


TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.
130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.
130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.
130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.
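As an added illustration (not Infoblox code and not taken from this guide), the following Python models the two-tier behaviour of rules 130000100 and 130000200 with their default parameters, including the effect of Events per second on logging. Source addresses and packet timings are constructed; the one-second counting window is an assumption of the model.

```python
"""Two-tier per-source rate limiting in the shape of rules 130000100 (WARN at the
low threshold) and 130000200 (WARN at the high threshold, BLOCK above it for Drop
interval). Constructed example with the guide's default parameters, not Infoblox code."""
from collections import defaultdict
from dataclasses import dataclass

WARN_RULE = 130000100   # WARN about high rate inbound UDP DNS queries
BLOCK_RULE = 130000200  # WARN & BLOCK high rate inbound UDP DNS queries


@dataclass
class Policy:
    warn_pps: int = 40          # rule 130000100 Packets per second (low threshold)
    block_pps: int = 1000       # rule 130000200 Packets per second (high threshold)
    drop_interval: float = 5.0  # rule 130000200 Drop interval, in seconds
    events_per_second: int = 1  # Events per second: log budget per rule

    def __post_init__(self):
        # The guide's NOTE: the low threshold must be below the high one,
        # otherwise the block rule fires before a warning is ever raised.
        if self.warn_pps >= self.block_pps:
            raise ValueError("warn_pps must be lower than block_pps")


@dataclass
class Source:
    second: int = -1            # the one-second window currently being counted
    count: int = 0              # packets seen from this source in that window
    blocked_until: float = 0.0  # end of the current Drop interval, if any


class TwoTierLimiter:
    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.sources = defaultdict(Source)
        self.events = []   # logged (ts, rule_id, src, message) tuples
        self._budget = {}  # rule_id -> [second, events already logged in it]

    def _log(self, ts, rule_id, src, message):
        # Events per second caps log lines, not enforcement: a block whose
        # log line is suppressed still blocks (blocked_until is set regardless).
        sec = int(ts)
        used = self._budget.setdefault(rule_id, [sec, 0])
        if used[0] != sec:
            used[0], used[1] = sec, 0
        if used[1] < self.policy.events_per_second:
            self.events.append((ts, rule_id, src, message))
            used[1] += 1

    def handle(self, ts, src):
        """Return 'pass' or 'drop' for one inbound UDP DNS packet from src."""
        st = self.sources[src]
        if ts < st.blocked_until:
            return "drop"                     # still inside Drop interval
        sec = int(ts)
        if st.second != sec:                  # new one-second window
            st.second, st.count = sec, 0
        st.count += 1
        p = self.policy
        if st.count > p.block_pps:            # rate exceeds the high threshold
            st.blocked_until = ts + p.drop_interval
            self._log(ts, BLOCK_RULE, src, "rate above threshold, blocking source")
            return "drop"
        if st.count == p.block_pps:           # rate equals the high threshold
            self._log(ts, BLOCK_RULE, src, "rate at threshold, warning")
        elif st.count >= p.warn_pps:          # rate at or above the low threshold
            self._log(ts, WARN_RULE, src, "rate at or above low threshold")
        return "pass"


def run(packets):
    """Feed time-ordered (ts, src) pairs through one limiter and summarise."""
    rl = TwoTierLimiter()
    result = {"pass": 0, "drop": 0}
    for ts, src in packets:
        result[rl.handle(ts, src)] += 1
    result["warn_events"] = sum(1 for e in rl.events if e[1] == WARN_RULE)
    result["block_rule_events"] = sum(1 for e in rl.events if e[1] == BLOCK_RULE)
    result["blocked_until"] = {s: st.blocked_until for s, st in rl.sources.items()}
    return result


def constructed_traffic(src, pps_by_second):
    """Constructed traffic: pps_by_second[s] evenly spaced packets during second s."""
    return [(sec + i / n, src) for sec, n in enumerate(pps_by_second) for i in range(n)]


def simulate():
    """Three constructed clients (RFC 5737 addresses) against the default policy."""
    return {
        # 10 pps never reaches the low threshold: no events, nothing dropped.
        "quiet": run(constructed_traffic("192.0.2.10", [10, 10, 10])),
        # 100 pps is warned once per second (Events per second = 1), never blocked.
        "chatty": run(constructed_traffic("192.0.2.20", [100, 100, 100])),
        # 2000 packets in second 0 trip the block; the source stays blocked for
        # 5 s, so its 100 pps in seconds 1-4 and half of second 5 are dropped.
        "flood": run(constructed_traffic("192.0.2.30", [2000] + [100] * 7)),
    }


if __name__ == "__main__":
    for name, r in simulate().items():
        print(name, r)
```

The flood client's block event is itself suppressed by the Events per second budget (the rule already logged its at-threshold warning in the same second), yet the source is still blocked for the full Drop interval.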


DNS DDoS

The following table lists system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H10 DNS DDoS Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.
200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers, and NO errors.
200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.


DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti-DNS Tunneling Rules
Columns: Rule ID, Rule Type, Rule Name; Description; Enable/Disable Condition; Parameters; Comments

130000500  System  RATELIMIT UDP high-rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

130000600  Auto  RATELIMIT TCP high-rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

200000004  System  DNS tunneling rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40)
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification recognizes UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers to the Internet cloud. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that are sent to the unwitting, spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.
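As an added example (not Infoblox code), the following Python models the per-source rate-limit semantics that the Parameters columns of Tables H11 and H12 describe (Packets per second, Drop interval, Packet size, Events per second) for rule 130000500 (large UDP queries) and rule 130400100 ("ANY" queries). It assumes a fixed one-second counting window, which the guide does not specify, and runs constructed traffic, including eight hosts behind a single NAT address, to show why the Comments column suggests raising Packets per second for NAT'd environments.

```python
"""Per-source RATELIMIT model for DNS rules 130000500 and 130400100.

Added example, not Infoblox code. It implements the parameter semantics the
Parameters columns describe (Packets per second, Drop interval, Packet size,
Events per second) using a fixed one-second counting window; that window is
this example's assumption, as the guide does not describe the appliance's
counting algorithm. All traffic below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class DnsPacket:
    ts: float      # arrival time in seconds
    src: str       # source IP as the appliance sees it (one address per NAT)
    proto: str     # "udp" or "tcp"
    qtype: str     # "A", "TXT", "ANY", ...
    size: int      # DNS message size in bytes


@dataclass(frozen=True)
class RateLimitRule:
    rule_id: int
    name: str
    packets_per_second: int
    drop_interval: float                # seconds a source stays blocked
    match: Callable[[DnsPacket], bool]  # which packets the rule counts
    events_per_second: int = 1          # log throttle from the Parameters column


class RateLimitEngine:
    def __init__(self, rules: List[RateLimitRule]):
        self.rules = list(rules)
        self._window = {}         # (rule_id, src) -> [window_start, count]
        self._blocked_until = {}  # (rule_id, src) -> time the block expires
        self._event_budget = {}   # (rule_id, whole second) -> events logged
        self.events = []          # (ts, rule_id, src, message)

    def _log(self, ts, rule, src, message):
        # Events per second caps how many log events a rule emits per second.
        key = (rule.rule_id, int(ts))
        used = self._event_budget.get(key, 0)
        if used < rule.events_per_second:
            self._event_budget[key] = used + 1
            self.events.append((ts, rule.rule_id, src, message))

    def process(self, pkt: DnsPacket) -> str:
        """Return "pass" or "drop" for one packet and update the rule state."""
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            key = (rule.rule_id, pkt.src)
            if pkt.ts < self._blocked_until.get(key, float("-inf")):
                return "drop"             # still inside the Drop interval
            win = self._window.get(key)
            if win is None or pkt.ts - win[0] >= 1.0:
                win = self._window[key] = [pkt.ts, 0]
            win[1] += 1
            if win[1] == rule.packets_per_second:
                self._log(pkt.ts, rule, pkt.src, "rate reached")   # warn, pass
            elif win[1] > rule.packets_per_second:
                self._blocked_until[key] = pkt.ts + rule.drop_interval
                self._log(pkt.ts, rule, pkt.src, "blocked")
                return "drop"
        return "pass"


def dns_rules(any_pps: int = 5, tunnel_pps: int = 100, packet_size: int = 200):
    """Rules 130000500 and 130400100 with the defaults from Tables H11/H12."""
    return [
        RateLimitRule(130000500, "RATELIMIT UDP high-rate inbound large DNS queries",
                      tunnel_pps, 5.0, lambda p: p.proto == "udp" and p.size > packet_size),
        RateLimitRule(130400100, "WARN & DROP possible reflection/amplification",
                      any_pps, 5.0, lambda p: p.proto == "udp" and p.qtype == "ANY"),
    ]


def run(rules, packets):
    """Feed packets in time order; return (passed, dropped, event log)."""
    engine = RateLimitEngine(rules)
    verdicts = [engine.process(p) for p in sorted(packets, key=lambda p: p.ts)]
    return verdicts.count("pass"), verdicts.count("drop"), engine.events


def nat_any_scenario(any_pps: int = 5):
    """Eight hosts behind one NAT address (198.51.100.7, constructed) each send
    one legitimate ANY query per second for three seconds; the appliance sees
    8 packets per second from a single source IP."""
    pkts = [DnsPacket(s + i * 0.1, "198.51.100.7", "udp", "ANY", 60)
            for s in range(3) for i in range(8)]
    return run(dns_rules(any_pps=any_pps), pkts)


def tunnel_scenario():
    """203.0.113.5 (constructed) sends 150 oversized 300-byte UDP queries within
    one second; 203.0.113.6 sends 150 ordinary 60-byte queries in the same second."""
    pkts = [DnsPacket(i / 150, "203.0.113.5", "udp", "TXT", 300) for i in range(150)]
    pkts += [DnsPacket(i / 150, "203.0.113.6", "udp", "A", 60) for i in range(150)]
    return run(dns_rules(), pkts)
```

With the default of 5 packets per second the NAT address is blocked after its sixth ANY query of the first second and stays blocked for the Drop interval; with the value raised to about 100, as the Comments column suggests, the same traffic passes.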

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

Columns: Rule ID, Rule Type, Rule Name; Description; Enable/Disable Condition; Parameters; Comments

130400100  Auto  WARN & DROP DoS/DNS possible reflection/amplification attack attempts
  Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders and VPN concentrators.

130400500  System  RATE LIMIT PASS UDP DNS root requests with additional RRs
  Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

130400600  System  RATE LIMIT PASS UDP DNS root requests
  Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules

Columns: Rule ID, Rule Type, Rule Name; Description; Enable/Disable Condition; Parameters; Comments

130600100  Auto  RATELIMIT PASS NTP TIME responses
  Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
  Enable/Disable Condition: Enabled when the NTP client is enabled
  Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

130600120  Auto  DROP NTP TIME responses
  Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
  Enable/Disable Condition: Enabled when the NTP client is disabled
  Parameters: Events per second (default = 1)


200001001  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001005  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001010  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001015  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001020  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001025  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001050  Auto  RATELIMIT PASS NTPQ IPv4 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)


200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001075  Auto  RATELIMIT PASS NTP private mode IPv6 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001100  Auto  DROP NTPQ requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001105  Auto  DROP NTP TIME requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001110  Auto  DROP NTP private mode requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001115  Auto  DROP invalid NTP requests
  Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

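As an added example that is not part of the guide or the appliance, the following Python decodes the fields the NTP rules above key on: mode 3/4 (NTP TIME), mode 6 (NTPQ) and private mode 7 with its auth bit, implementation number and request code, mapping un-authenticated GET_RESTRICT, PEER_LIST and PEER_LIST_SUM requests with IMPL 0x02 or 0x03 to rules 200001001 through 200001025. The numeric request and implementation codes are those of the ntpd reference implementation (ntp_request.h), all packet bytes are constructed, and the "invalid" criteria (mode 0, version 0 or above 4, a mode 1-5 packet shorter than 48 bytes) are this example's assumption, since the guide does not define what rule 200001115 treats as invalid.

```python
"""Classifier for the NTP packet kinds named in Table H13.

Added example, not Infoblox code. Request and implementation numbers are
those of the ntpd reference implementation (ntp_request.h); the packets
built below are constructed for the demonstration.
"""

# Private-mode (mode 7) request codes and implementation numbers (ntpd).
REQ_PEER_LIST = 0
REQ_PEER_LIST_SUM = 1
REQ_GET_RESTRICT = 16
IMPL_XNTPD_OLD = 0x02
IMPL_XNTPD = 0x03
REQ_NAMES = {REQ_PEER_LIST: "PEER_LIST", REQ_PEER_LIST_SUM: "PEER_LIST_SUM",
             REQ_GET_RESTRICT: "GET_RESTRICT"}

# (request code, implementation) -> DOS rule ID from Table H13
DOS_RULES = {
    (REQ_GET_RESTRICT, IMPL_XNTPD_OLD): 200001001,
    (REQ_GET_RESTRICT, IMPL_XNTPD): 200001005,
    (REQ_PEER_LIST_SUM, IMPL_XNTPD_OLD): 200001010,
    (REQ_PEER_LIST_SUM, IMPL_XNTPD): 200001015,
    (REQ_PEER_LIST, IMPL_XNTPD_OLD): 200001020,
    (REQ_PEER_LIST, IMPL_XNTPD): 200001025,
}
MIN_TIME_PACKET = 48   # fixed header of a mode 1-5 packet (RFC 5905)


def classify_ntp(payload: bytes) -> dict:
    """Decode enough of a UDP/123 payload to name the kind of NTP packet.

    kind: time_request (mode 3), time_response (mode 4), ntpq (mode 6),
    private (mode 7), other (modes 1, 2, 5) or invalid (this example's
    assumption: mode 0, version 0 or above 4, or a truncated mode 1-5 header).
    """
    if len(payload) < 4:
        return {"kind": "invalid", "reason": "shorter than 4 bytes"}
    first = payload[0]
    version = (first >> 3) & 0x07
    mode = first & 0x07
    info = {"mode": mode, "version": version}
    if mode == 7:
        # R(1) M(1) VN(3) Mode(3) | Auth(1) Seq(7) | Implementation | Request
        authenticated = bool(payload[1] & 0x80)
        impl, req = payload[2], payload[3]
        info.update(kind="private", authenticated=authenticated,
                    implementation=impl, request=REQ_NAMES.get(req, f"code {req}"))
        # Only un-authenticated requests match the pattern the DOS rules name.
        if not authenticated and (req, impl) in DOS_RULES:
            info["rule"] = DOS_RULES[(req, impl)]
        return info
    if mode == 6:
        info["kind"] = "ntpq"          # control message, as sent by ntpq
        return info
    if mode == 0 or version == 0 or version > 4:
        info.update(kind="invalid", reason="bad mode or version")
        return info
    if len(payload) < MIN_TIME_PACKET:
        info.update(kind="invalid", reason="truncated time header")
        return info
    info["kind"] = {3: "time_request", 4: "time_response"}.get(mode, "other")
    return info


def build_private_request(impl: int, req: int, authenticated: bool = False) -> bytes:
    """Constructed mode-7 request header (version 2, sequence 1, no data)."""
    first = (2 << 3) | 7                         # R=0, M=0, VN=2, mode 7
    second = (0x80 if authenticated else 0) | 1  # auth bit, sequence number
    return bytes([first, second, impl, req]) + b"\x00" * 4  # err/nitems, mbz/size


def build_time_packet(mode: int = 3, version: int = 4) -> bytes:
    """Constructed 48-byte NTP time packet with all other fields zero."""
    return bytes([(version << 3) | mode]) + b"\x00" * 47
```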

BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.
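As an added example (not Infoblox code), the following Python applies the RFC 4271 message-header checks that rules 130700100, 130700200, 130700400 and 130700500 describe (Length shorter than 19 or longer than 4096 octets, Type 0, Type greater than 5, where types 1-4 come from RFC 4271 and type 5 is ROUTE-REFRESH from RFC 2918) to the BGP messages carried in one TCP payload and reports which rule each message would match. The marker check and the walk across several messages in one segment are this example's additions, the spoofed-reset condition of rule 130700300 is a TCP-layer check not modelled here, and all messages are constructed.

```python
"""BGP message-header validation for the conditions in Table H14.

Added example, not Infoblox code. Header layout and limits follow RFC 4271
(16-octet marker of all ones, 2-octet Length, 1-octet Type); the message
bytes built below are constructed for the demonstration.
"""
import struct

BGP_HEADER_LEN = 19          # marker(16) + length(2) + type(1)
BGP_MAX_LEN = 4096           # RFC 4271 maximum message size
BGP_MARKER = b"\xff" * 16
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE",
             5: "ROUTE-REFRESH"}   # 5 is RFC 2918, hence "type bigger than 5"


def check_bgp_header(header: bytes):
    """Check one message header; return (verdict, rule_id_or_None, detail)."""
    if len(header) < BGP_HEADER_LEN:
        # Not a specification violation but nothing to check either.
        return ("drop", None, f"truncated header: {len(header)} bytes")
    marker, length, msg_type = struct.unpack("!16sHB", header[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        return ("drop", None, "marker is not all ones")
    if length < BGP_HEADER_LEN:
        return ("drop", 130700100, f"Length {length} shorter than {BGP_HEADER_LEN}")
    if length > BGP_MAX_LEN:
        return ("drop", 130700200, f"Length {length} longer than {BGP_MAX_LEN}")
    if msg_type == 0:
        return ("drop", 130700400, "Type 0 is not defined")
    if msg_type > 5:
        return ("drop", 130700500, f"Type {msg_type} greater than 5")
    return ("pass", None, BGP_TYPES[msg_type])


def scan_bgp_stream(payload: bytes):
    """Walk the messages in one TCP payload, stopping at the first drop.
    Returns the list of per-message results in order."""
    results = []
    offset = 0
    while offset < len(payload):
        header = payload[offset:offset + BGP_HEADER_LEN]
        result = check_bgp_header(header)
        results.append(result)
        if result[0] == "drop":
            break
        # Advance by the header's Length field to the next message.
        offset += struct.unpack("!H", header[16:18])[0]
    return results


def build_bgp(msg_type: int, body: bytes = b"", length=None) -> bytes:
    """Constructed BGP message; `length` overrides the Length field so that
    headers violating the specification can be produced for testing."""
    if length is None:
        length = BGP_HEADER_LEN + len(body)
    return BGP_MARKER + struct.pack("!HB", length, msg_type) + body
```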

Table H14 BGP Rules
Columns: Rule ID, Rule Type, Rule Name; Description; Enable/Disable Condition; Parameters; Comments

130700100  AUTO  DROP BGP header length shorter than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700200  AUTO  DROP BGP header length longer than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700300  AUTO  DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain spoofed connection reset.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700400  AUTO  DROP BGP invalid type 0
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700500  AUTO  DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700550  AUTO  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
  Description: This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130700650  AUTO  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)


130700700  Auto  RATELIMIT PASS BGP allowed with IPv6 peer
  Description: This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130800100  Auto  DROP BGP unexpected
  Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
  Enable/Disable Condition: This rule takes effect when BGP service on this member is NOT configured
  Parameters: Events per second (default = 1)
  Comments: This rule is exclusive with other rules based on whether BGP is configured on the member or not.

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

Columns: Rule ID, Rule Type, Rule Name; Description; Enable Condition; Parameters; Comments

130900300  Auto  DROP OSPF unexpected
  Description: This rule drops unexpected OSPF packets.
  Enable Condition: This rule takes effect when OSPF service on this member is NOT configured
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for all packets on the OSPF service port.

130900400  Auto  RATELIMIT PASS OSPF multicast
  Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when OSPF service on this member is configured for IPv4
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100)

130900500  Auto  RATELIMIT PASS OSPF IPv6 multicast
  Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when OSPF service on this member is configured for IPv6
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100)

130900600  Auto  RATELIMIT PASS OSPF
  Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when OSPF service on this member is configured
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)
  Comments: This rule works for both IPv4 and IPv6.


ICMP

ICMP attacks use network devices, such as routers, to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules
Columns: Rule ID, Type, Rule Name; Description; Enable/Disable Condition; Parameters; Comments

130400200  Auto  DROP ICMP large packets
  Description: This rule drops large ICMP packets (bigger than 800).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130900100  Auto  RATE LIMIT PASS ICMP Ping
  Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130900200  Auto  RATE LIMIT PASS ICMPv6 Ping
  Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130900700  Auto  RATELIMIT PASS ICMPv6 destination unreachable
  Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100)

130900800  Auto  RATELIMIT PASS ICMPv6 packet too big
  Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100)

130900900  Auto  RATELIMIT PASS ICMPv6 ping responses
  Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130901000  Auto  RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)


130901100  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)


130901900  Auto  RATELIMIT PASS ICMPv6 listener query
  Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
  Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
  Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
  Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902300  Auto  RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902400  Auto  RATELIMIT PASS ICMPV6 multicast router solicitation
  Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902500  Auto  RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
  Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)


130902700  Auto  RATELIMIT PASS ICMP router advertisement
  Description: This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
  Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
  Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
  Description: This rule passes ICMP parameter problems if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
  Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903400  Auto  RATELIMIT ICMP port unreachable
  Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 10); Drop Interval (default = 10 sec); Packets per second (default = 50)

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2730

Default PassDrop

NIOS 612 NIOS Administrator Guide (Rev A) 1523

Default Pass Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance All rulesare disabled by default

Table H17 Default PassDrop Rules

130903500 Auto RATELIMIT PASS ICMPfragmentation needed

This rule passes ICMPfragmentation needed messagesif the packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP for

a certain period of time(specified in Drop interval )

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

Rule ID

Rule

Type Rule Name Description

Enable

Condition Parameters Comments

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | N/A | |
| 140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet. |
| 140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet. |
| 140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default=0) | |
| 140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default=0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default=0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default=0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default=0) | This is a catch-all rule that drops anything that does not match any other rules in the system. |

HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H.18 HA Support Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | N/A | |
| 140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | N/A | |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST IP TCP: Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP: Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  — Drop interval: Enter the number of seconds for which the appliance drops packets.
  — Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP: Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  — Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP: Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  — Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP: Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP: Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

DNS Message Type (continued)

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 100100101 | Auto | EARLY PASS IPv6 UDP Notify messages | This rule passes IPv6 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
| 100100200 | Auto | EARLY PASS IPv4 TCP Notify messages | This rule passes IPv4 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
| 100100201 | Auto | EARLY PASS IPv6 TCP Notify messages | This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
| 100100300 | Auto | EARLY PASS IPv4 UDP Notify messages for DDNS update | This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if DDNS update is enabled for IPv4 clients | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | |
| 100100350 | Auto | EARLY PASS IPv6 UDP Notify messages for DDNS update | This rule passes IPv6 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all traffic from this source IP for a time specified in Drop interval. | Enabled if DDNS update is enabled for IPv6 clients | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | |
| 130100100 | Auto | RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests | This rule passes IPv4 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100101 | Auto | RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests | This rule passes IPv6 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks subsequent DNS traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100200 | Auto | RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests | This rule passes IPv4 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 130100201 | Auto | RATELIMIT PASS IPv6 TCP DNS AXFR zone transfer requests | This rule passes IPv6 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100300 | Auto | RATELIMIT PASS IPv4 UDP DNS IXFR zone transfer requests | This rule passes IPv4 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100301 | Auto | RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests | This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100400 | Auto | RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests | This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130100401 | Auto | RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests | This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
| 130200100 | Auto | DROP UDP DNS AXFR zone transfer requests | This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| 130200200 | Auto | DROP TCP DNS AXFR zone transfer requests | This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| 130200300 | Auto | DROP UDP DNS IXFR zone transfer requests | This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |
| 130200400 | Auto | DROP TCP DNS IXFR zone transfer requests | This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) | |

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 130500100 | System | DNS A record | You can configure this rule to pass or drop UDP packets that contain A record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500200 | System | DNS AAAA record | You can configure this rule to pass or drop UDP packets that contain AAAA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500300 | System | DNS CNAME record | You can configure this rule to pass or drop UDP packets that contain CNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500400 | System | DNS DS record | You can configure this rule to pass or drop UDP packets that contain DS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500500 | System | DNS PTR record | You can configure this rule to pass or drop UDP packets that contain PTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500600 | System | DNS NS record | You can configure this rule to pass or drop UDP packets that contain NS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500700 | System | DNS NSEC record | You can configure this rule to pass or drop UDP packets that contain NSEC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500800 | System | DNS NSEC3 record | You can configure this rule to pass or drop UDP packets that contain NSEC3 record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130500900 | System | DNS NSEC3PARAM record | You can configure this rule to pass or drop UDP packets that contain NSEC3PARAM record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501000 | System | DNS MX record | You can configure this rule to pass or drop UDP packets that contain MX record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501100 | System | DNS SRV record | You can configure this rule to pass or drop UDP packets that contain SRV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501200 | System | DNS TXT record | You can configure this rule to pass or drop UDP packets that contain TXT record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501300 | System | DNS DNAME record | You can configure this rule to pass or drop UDP packets that contain DNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501400 | System | DNS RRSIG record | You can configure this rule to pass or drop UDP packets that contain RRSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501500 | System | DNS NAPTR record | You can configure this rule to pass or drop UDP packets that contain NAPTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 130501600 | System | DNS DNSKEY record | You can configure this rule to pass or drop UDP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501700 | System | DNS SPF record | You can configure this rule to pass or drop UDP packets that contain SPF record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501800 | System | DNS DHCID record | You can configure this rule to pass or drop UDP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130501900 | System | DNS SOA record | You can configure this rule to pass or drop UDP packets that contain SOA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502000 | System | DNS SIG record | You can configure this rule to pass or drop UDP packets that contain SIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502100 | System | DNS LOC record | You can configure this rule to pass or drop UDP packets that contain LOC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502200 | System | DNS SSHFP record | You can configure this rule to pass or drop UDP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502300 | System | DNS IPSECKEY record | You can configure this rule to pass or drop UDP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502400 | System | DNS TKEY record | You can configure this rule to pass or drop UDP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502500 | System | DNS TSIG record | You can configure this rule to pass or drop UDP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502600 | System | DNS TA record | You can configure this rule to pass or drop UDP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502700 | System | DNS DLV record | You can configure this rule to pass or drop UDP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502800 | System | DNS ANY record | You can configure this rule to pass or drop UDP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130502900 | System | DNS A record TCP | You can configure this rule to pass or drop TCP packets that contain A record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503000 | System | DNS AAAA record TCP | You can configure this rule to pass or drop TCP packets that contain AAAA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |

130503100 System DNS CNAMErecord TCP

You can configure this rule to passor drop TCP packets that containCNAME record request Thedefault Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503200 System DNS DS recordTCP

You can configure this rule to passor drop TCP packets that contain

DS record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503300 System DNS PTR recordTCP

You can configure this rule to passor drop TCP packets that containPTR record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503400 System DNS NS recordTCP

You can configure this rule to passor drop TCP packets that containNS record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503500 System DNS NSEC recordTCP

You can configure this rule to passor drop TCP packets that containNSEC record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503600 System DNS NSEC3record TCP

You can configure this rule to passor drop TCP packets that containNSEC3 record request Thedefault Action = Pass

Enabled bydefault

Action (default = Pass)

Events per second (default = 1)

130503700 System DNSNSEC3PARAMrecord TCP

You can configure this rule to passor drop TCP packets that containNSEC3PARAM record request Thedefault Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503800 System DNS MX recordTCP

You can configure this rule to passor drop TCP packets that containMX record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130503900 System DNS SRV recordTCP

You can configure this rule to passor drop TCP packets that containSRV record request The default

Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second

(default = 1)

130504000 System DNS TXT recordTCP

You can configure this rule to passor drop TCP packets that containTXT record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130504100 System DNS DNAMErecord TCP

You can configure this rule to passor drop TCP packets that containDNAME record request Thedefault Action = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130504200 System DNS RRSIG recordTCP

You can configure this rule to passor drop TCP packets that containRRSIG record request The defaultAction = Pass

Enabled bydefault

Action

(default = Pass)

Events per second (default = 1)

130504300 System DNS NAPTR

record TCP

You can configure this rule to pass

or drop TCP packets that containNAPTR record request The defaultAction = Pass

Enabled by

default

Action

(default = Pass)Events per second (default = 1)

130504400  System  DNS DNSKEY record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain DNSKEY record requests. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130504500  System  DNS SPF record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain SPF record requests. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)


130504600  System  DNS DHCID record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain DHCID record requests. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130504700  System  DNS SOA record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain SOA record requests. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130504800  System  DNS SIG record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain SIG record requests. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130504900  System  DNS ROC record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain ROC record requests. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505000  System  DNS SSHFP record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain SSHFP record requests. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505100  System  DNS IPSECKEY record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain IPSECKEY record requests. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505200  System  DNS TKEY record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain TKEY record requests. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505300  System  DNS TSIG record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain TSIG record requests. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505400  System  DNS TA record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain TA record requests. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505500  System  DNS DLV record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain DLV record requests. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)

130505600  System  DNS ANY record TCP
  Description: You can configure this rule to pass or drop TCP packets that contain ANY record requests. The default Action = Pass.
  Enable/Disable Condition: Enabled by default
  Parameters: Action (default = Pass); Events per second (default = 1)


General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

110000100  Auto  EARLY DROP DoS packets with same source and destination IP
  Description: This rule drops any IP packets that contain the same source and destination IP address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110000200  Auto  EARLY DROP DoS UDP packets with same source and destination IP
  Description: This rule drops UDP packets that contain the same source and destination IP address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110000300  Auto  EARLY DROP DoS TCP packets with same source and destination IP
  Description: This rule drops TCP packets that contain the same source and destination IP address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130400300  Auto  DROP IPv6 loopback address spoofing
  Description: This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130400400  Auto  DROP IPv6 loopback address spoofing
  Description: This rule blocks any IP packets that attempt to forge the IPv6 loopback address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting a value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

110100100  Auto  EARLY DROP DNS named author attempts
  Description: This rule drops UDP DNS packets that contain attempts to find AUTHOR information.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100200  Auto  EARLY DROP DNS named version attempts
  Description: This rule drops UDP DNS packets that contain attempts to find VERSION information.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)


DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information or gain access to your appliance. It can include downloaders, backdoors, trojan horses and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

110100300  Auto  EARLY DROP UDP MALWARE backdoor
  Description: This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of FaceBook messenger. This malware may be spread as a malicious attachment in email messages.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130300300  Auto  DROP MALWARE trojan downloader
  Description: This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130300400  Auto  DROP MALWARE possible Hiloti
  Description: This rule drops UDP packets that contain trojan Hiloti malicious programs that may download potentially malicious files from a remote server and report system information back to the server.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

DNS Protocol Anomalies

DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.

The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

110100400  Auto  EARLY DROP UDP DNS question name too long
  Description: This rule drops UDP DNS packets when the DNS Question Name is too long.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100500  Auto  EARLY DROP UDP DNS label too long
  Description: This rule drops UDP DNS packets when the DNS Label in the name being queried is too long.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)


110100600  Auto  EARLY DROP UDP query invalid question count
  Description: This rule drops UDP DNS packets when the number of entries in the question section is invalid.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100700  Auto  EARLY DROP UDP query invalid question class
  Description: This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100800  Auto  EARLY DROP UDP query invalid question string
  Description: This rule drops UDP DNS packets that contain an invalid question string.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100850  Auto  EARLY UDP drop invalid DNS query with Authority
  Description: This rule drops UDP DNS queries that contain an invalid AUTHORITY entry.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100900  Auto  EARLY DROP query multiple questions or non query operation code
  Description: This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130000700  Auto  EARLY DROP TCP non-DNS query
  Description: This rule drops TCP packets when the operation code is not Query.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130000800  Auto  EARLY DROP TCP query multiple questions
  Description: This rule drops TCP DNS packets when there are multiple questions being queried at one time.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130100500  Auto  DROP UDP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130100600  Auto  DROP TCP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130300200  Auto  DROP TCP invalid DNS query with Authority
  Description: This rule drops TCP DNS queries that contain invalid Authority entries.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names that can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
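The question-section checks behind the Reconnaissance rules in Table H6 (BIND version and author lookups) and the DNS Protocol Anomalies rules in Table H8 (question name too long, label too long, invalid question count, invalid question class, invalid question string, multiple questions or non-Query opcode), as an added example that is not Infoblox code. The length limits are the RFC 1035 ones, the reconnaissance names are the CHAOS-class TXT names that BIND answers (version.bind, authors.bind), and the function names and sample packets are constructed for this example; the Authority-section and IXFR rules are not covered.

```python
"""Sanity checks on the question section of a UDP DNS query, modelled on
the Reconnaissance (Table H6) and DNS Protocol Anomalies (Table H8) rules.
Added example, not Infoblox code; limits from RFC 1035, sample packets
constructed."""
import struct

MAX_NAME = 255                    # RFC 1035: wire length of a name, length octets included
MAX_LABEL = 63                    # RFC 1035: longest ordinary label
OPCODE_QUERY = 0
VALID_CLASSES = {1, 3, 4, 255}    # IN, CH, HS, ANY
CLASS_CH, TYPE_TXT = 3, 16
RECON_NAMES = {b"version.bind": "named_version_attempt",   # rule 110100200
               b"authors.bind": "named_author_attempt"}    # rule 110100100


def parse_question(pkt):
    """Return (findings, (qname, qtype, qclass)); the tuple is None when the
    question cannot be parsed.  Each finding names a rule family from the
    tables above; an empty list means the question passed every check."""
    findings = []
    if len(pkt) < 12:
        return ["header_truncated"], None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    opcode = (flags >> 11) & 0xF
    if opcode != OPCODE_QUERY:
        findings.append("non_query_opcode")           # rule 110100900
    if qdcount != 1:
        findings.append("invalid_question_count")     # rule 110100600 / 110100900
        if qdcount == 0:
            return findings, None
    labels, pos, wire_len = [], 12, 0
    while True:
        if pos >= len(pkt):                           # name runs past the end of the packet
            return findings + ["invalid_question_string"], None
        ll = pkt[pos]
        pos += 1
        if ll == 0:
            wire_len += 1
            break
        if (ll & 0xC0) == 0xC0:
            # A compression pointer in the first name of a message has nothing
            # earlier to point back at, so treat it as an invalid question string.
            return findings + ["invalid_question_string"], None
        if ll > MAX_LABEL:
            # Length octets 64..191 are reserved label types, never a plain label.
            return findings + ["label_too_long"], None   # rule 110100500
        labels.append(pkt[pos:pos + ll])
        pos += ll
        wire_len += 1 + ll
    if wire_len > MAX_NAME:
        findings.append("question_name_too_long")     # rule 110100400
    if pos + 4 > len(pkt):
        return findings + ["invalid_question_string"], None
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    if qclass not in VALID_CLASSES:
        findings.append("invalid_question_class")     # rule 110100700
    qname = b".".join(labels).lower()
    if qclass == CLASS_CH and qtype == TYPE_TXT and qname in RECON_NAMES:
        findings.append(RECON_NAMES[qname])           # Table H6
    return findings, (qname, qtype, qclass)


def build_query(labels, qtype=1, qclass=1, opcode=0, qdcount=1):
    """Constructed UDP DNS query with one question (sample input for tests)."""
    header = struct.pack("!HHHHHH", 0x1234, (opcode << 11) | 0x0100, qdcount, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)


if __name__ == "__main__":
    print(parse_question(build_query([b"example", b"com"])))
    print(parse_question(build_query([b"version", b"bind"], qtype=TYPE_TXT, qclass=CLASS_CH)))
```

The parser stops at the first defect that makes the rest of the name unusable (a bad length octet or a truncated name) and keeps collecting findings otherwise, so one packet can carry both a non-Query opcode and a bad class; the count check is separate from the walk because a query with two questions still has a parsable first one.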


TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit the TCP and UDP protocols.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

130000100  System  WARN about high rate inbound UDP DNS queries
  Description: This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 40); Events per second (default = 1)
  Comments: Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.

130000200  System  WARN & BLOCK high rate inbound UDP DNS queries
  Description: This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.

130000300  System  WARN about high rate inbound TCP DNS queries
  Description: This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 5); Events per second (default = 1)
  Comments: Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.

130000400  System  WARN & BLOCK high rate inbound TCP DNS queries
  Description: This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.


DNS DDoS

The following table lists system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.

Table H10 DNS DDoS Rules

200000001  System  NXDOMAIN rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

200000002  System  NXRRSET rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers and NO errors.

200000003  System  SERVFAIL rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.
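The mechanism that the TCP/UDP Flood rules in Table H9 and the DNS DDoS rules in Table H10 describe, as an added example that is not Infoblox code: a per-source-IP rate that is compared against a warn-only low threshold (rule 130000100, default 40 pps), a warn-then-block high threshold with a Drop interval (rule 130000200, default 1000 pps and 5 seconds), and the same check keyed on the response code a query triggered (rule 200000001, NXDOMAIN). The thresholds are the defaults from the tables; the class and function names, the classify() mapping and the traffic sample are constructed for this example. The DNS Tunneling and DNS Amplification and Reflection rules in the sections that follow use the same limiter with a different predicate (packet size above the configured Packet size, or an ANY query), so no separate example is given for them.

```python
"""Per-source rate limiting with warn and block thresholds and a Drop
interval, as in the TCP/UDP Flood and DNS DDoS rules.  Added example, not
Infoblox code; defaults from the tables, names and traffic constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class RateRule:
    name: str
    packets_per_second: int
    drop_interval: Optional[float] = None   # None: warn only, never block
    events_per_second: int = 1              # logging budget, as in the Parameters column


class SourceRateLimiter:
    """Sliding one-second window per (rule, source IP)."""

    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(deque)       # (rule, src) -> packet times in the last second
        self.blocked_until = {}                 # (rule, src) -> time the Drop interval ends
        self.event_log = []                     # (t, rule, src, "WARN" | "BLOCK")
        self._event_times = defaultdict(deque)  # rule -> times of events already logged

    def _log(self, t, rule, src, kind):
        # Events per second limits what a rule logs, not what it enforces.
        q = self._event_times[rule.name]
        while q and q[0] <= t - 1.0:
            q.popleft()
        if len(q) < rule.events_per_second:
            q.append(t)
            self.event_log.append((t, rule.name, src, kind))

    def observe(self, t, src, matches):
        """Account one packet from src at time t against every rule named in
        `matches`; return "PASS" or "DROP" for that packet."""
        verdict = "PASS"
        for rule in self.rules:
            if rule.name not in matches:
                continue
            key = (rule.name, src)
            if t < self.blocked_until.get(key, -1.0):
                verdict = "DROP"                # still inside the Drop interval
                continue
            win = self.windows[key]
            win.append(t)
            while win and win[0] <= t - 1.0:
                win.popleft()
            rate = len(win)
            if rate < rule.packets_per_second:
                continue
            if rule.drop_interval is None or rate == rule.packets_per_second:
                self._log(t, rule, src, "WARN")    # rate equals the threshold: warn
            else:
                self._log(t, rule, src, "BLOCK")   # rate exceeds it: block for Drop interval
                self.blocked_until[key] = t + rule.drop_interval
                win.clear()
                verdict = "DROP"
        return verdict


WARN_UDP = RateRule("130000100 WARN high rate inbound UDP DNS queries", 40)
BLOCK_UDP = RateRule("130000200 WARN & BLOCK high rate inbound UDP DNS queries", 1000, 5.0)
NXDOMAIN = RateRule("200000001 NXDOMAIN rate limiting rule", 1000, 5.0)


def classify(rcode):
    """Rule names one inbound UDP DNS query counts toward, given the response
    code the server produced for it (constructed mapping)."""
    matches = {WARN_UDP.name, BLOCK_UDP.name}
    if rcode == 3:                              # NXDOMAIN
        matches.add(NXDOMAIN.name)
    return matches


def run_sample():
    """Constructed traffic: 198.51.100.7 sends 1200 queries for names that do
    not exist within 0.6 s; 192.0.2.10 sends five ordinary queries."""
    lim = SourceRateLimiter([WARN_UDP, BLOCK_UDP, NXDOMAIN])
    verdicts = {"PASS": 0, "DROP": 0}
    for i in range(1200):
        verdicts[lim.observe(i / 2000, "198.51.100.7", classify(rcode=3))] += 1
    for i in range(5):
        verdicts[lim.observe(i / 10, "192.0.2.10", classify(rcode=0))] += 1
    after_interval = lim.observe(6.0, "198.51.100.7", classify(rcode=3))  # Drop interval over
    return {
        "verdicts": verdicts,
        "events": [(rule, src, kind) for _, rule, src, kind in lim.event_log],
        "blocked_until": dict(lim.blocked_until),
        "after_interval": after_interval,
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

In the sample the flooding source reaches 40 pps (one WARN from the low-threshold rule), then 1000 pps (a WARN from each high-threshold rule at the threshold) and is blocked from the 1001st packet on; the normal client is never affected because the window is per source. Note one consequence of the default Events per second of 1 in this example: the BLOCK at t = 0.5 s is not logged, because the WARN at t = 0.4995 s already used that rule's one-event budget for the second, so correlating a silent drop with its cause needs either a larger Events per second or a look at the blocked_until state.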


DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

130000500  System  RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

130000600  Auto  RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

200000004  System  DNS tunneling rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size.
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40)
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification recognizes UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers to the Internet cloud. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that are sent to the unwitting, spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

130400100  Auto  WARN & DROP DoS DNS possible reflection/amplification attack attempts
  Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
  Enable/Disable Condition: Enabled by default
  Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders and VPN concentrators.

130400500  System  RATE LIMIT PASS UDP DNS root requests with additional RRs
  Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

130400600  System  RATE LIMIT PASS UDP DNS root requests
  Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable/Disable Condition: Disabled by default
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules


130600100  Auto  RATELIMIT PASS NTP TIME responses
  Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
  Enable/Disable Condition: Enabled when the NTP client is enabled
  Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

130600120  Auto  DROP NTP TIME responses
  Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
  Enable/Disable Condition: Enabled when the NTP client is disabled
  Parameters: Events per second (default = 1)


200001001  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001005  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001010  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001015  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001020  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001025  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP service is enabled on this member
  Parameters: Events per second (default = 1)

200001050  Auto  RATELIMIT PASS NTPQ IPv4 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)


200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001075  Auto  RATELIMIT PASS NTP private mode IPv6 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
  Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001100  Auto  DROP NTPQ requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001105  Auto  DROP NTP TIME requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001110  Auto  DROP NTP private mode requests unexpected
  Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)

200001115  Auto  DROP invalid NTP requests
  Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
  Enable/Disable Condition: Enabled when NTP service is disabled on this member
  Parameters: Events per second (default = 1)
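A classifier for the NTP packet kinds that the rules in Table H13 distinguish, as an added example that is not Infoblox code: client TIME requests (mode 3), TIME responses (mode 4), ntpq control requests (mode 6), private mode 7 requests, and within mode 7 the unauthenticated GET_RESTRICT, PEER_LIST and PEER_LIST_SUM requests with implementation number 0x02 or 0x03 that rules 200001001 through 200001025 name. The header layout and the request-code and implementation values are those of the reference ntpd (ntp_request.h); the rule IDs are taken from the table; the function names and sample packets are constructed, and the "ACLs are defined" conditions of the RATELIMIT PASS rules are simplified to a single server-enabled flag. Counting requests per source to decide what is "frequent" is left out.

```python
"""Classify NTP payloads into the kinds the NTP rules act on and map each
to the rule ID from Table H13 that applies.  Added example, not Infoblox
code; mode 7 header fields per ntpd's ntp_request.h, samples constructed."""

# Mode 7 request codes and implementation numbers from ntpd's ntp_request.h.
REQ_NAMES = {0: "PEER_LIST", 1: "PEER_LIST_SUM", 16: "GET_RESTRICT"}
DDOS_RULES = {                      # (implementation, request code) -> rule ID
    (0x02, 16): "200001001", (0x03, 16): "200001005",
    (0x02, 1): "200001010", (0x03, 1): "200001015",
    (0x02, 0): "200001020", (0x03, 0): "200001025",
}


def _invalid(server_enabled):
    # Rule 200001115 is listed as enabled only while the NTP service is disabled.
    return "invalid", None if server_enabled else "200001115"


def classify_ntp(payload, server_enabled=True, client_enabled=True, ipv6=False):
    """Return (kind, rule_id) for one UDP payload received on the NTP port.
    rule_id is None when no rule in the table covers the packet."""
    if len(payload) < 8:
        return _invalid(server_enabled)
    first = payload[0]
    version, mode = (first >> 3) & 0x7, first & 0x7   # same bit positions in every mode
    if not 1 <= version <= 4 or mode == 0:
        return _invalid(server_enabled)
    if mode in (3, 4) and len(payload) < 48:           # RFC 5905 fixed header
        return _invalid(server_enabled)
    if mode == 3:
        if not server_enabled:
            return "TIME request", "200001105"
        return "TIME request", "200001070" if ipv6 else "200001055"
    if mode == 4:
        return "TIME response", "130600100" if client_enabled else "130600120"
    if mode == 6:
        if not server_enabled:
            return "NTPQ request", "200001100"
        return "NTPQ request", "200001065" if ipv6 else "200001050"
    if mode == 7:
        is_response = bool(first & 0x80)               # R bit
        authed = bool(payload[1] & 0x80)               # A bit, then 7-bit sequence
        impl, req = payload[2], payload[3]             # implementation, request code
        if is_response:
            return "private mode 7 response", None
        if not server_enabled:
            return "private mode 7 request", "200001110"
        if not authed and (impl, req) in DDOS_RULES:
            kind = "un-authed %s request IMPL 0x%02x" % (REQ_NAMES[req], impl)
            return kind, DDOS_RULES[(impl, req)]
        return "private mode 7 request", "200001075" if ipv6 else "200001060"
    return "other NTP mode", None                      # modes 1, 2, 5: symmetric/broadcast


def build_ntp(mode, version=4, response=False, auth=False, impl=0, req=0, length=48):
    """Constructed NTP payload; for mode 7 the 2nd..4th octets carry the auth
    bit, implementation number and request code of the private-mode header."""
    first = (int(response) << 7) | ((version & 0x7) << 3) | (mode & 0x7)
    if mode == 7:
        head = bytes([first, (int(auth) << 7) | 0x01, impl & 0xFF, req & 0xFF])
    else:
        head = bytes([first])
    return head + bytes(max(0, length - len(head)))


if __name__ == "__main__":
    print(classify_ntp(build_ntp(3)))
    print(classify_ntp(build_ntp(7, version=2, impl=2, req=16, length=8)))
    print(classify_ntp(build_ntp(6, length=12), server_enabled=False))
```

Only the first four octets are needed to tell the six DDoS rule variants apart, which is why they can be matched before any rate accounting; the length and version checks come first so that a packet too short to carry those octets is reported as invalid rather than misread.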


BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

130700100  AUTO  DROP BGP header length shorter than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700200  AUTO  DROP BGP header length longer than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
  Enable/Disable Condition: Enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700300  AUTO  DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700400  AUTO  DROP BGP invalid type 0
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700500  AUTO  DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured
  Parameters: Events per second (default = 1)

130700550  AUTO  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
  Description: This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

130700650  AUTO  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
  Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)


130700700 [Auto] RATELIMIT PASS BGP allowed with IPv6 peer
  Description: This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10)

130800100 [Auto] DROP BGP unexpected
  Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
  Enable/Disable condition: This rule takes effect when BGP service on this member is NOT configured.
  Parameters: Events per second (default=1)
  Comments: This rule is exclusive with other rules based on whether BGP is configured on the member or not.

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H.15 OSPF Rules

130900300 [Auto] DROP OSPF unexpected
  Description: This rule drops unexpected OSPF packets.
  Enable/Disable condition: This rule takes effect when OSPF service on this member is NOT configured.
  Parameters: Events per second (default=1)
  Comments: Default drop rule for all packets on the OSPF service port.

130900400 [Auto] RATELIMIT PASS OSPF multicast
  Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: This rule takes effect when OSPF service on this member is configured for IPv4.
  Parameters: Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100)

130900500 [Auto] RATELIMIT PASS OSPF IPv6 multicast
  Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: This rule takes effect when OSPF service on this member is configured for IPv6.
  Parameters: Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100)

130900600 [Auto] RATELIMIT PASS OSPF
  Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: This rule takes effect when OSPF service on this member is configured.
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)
  Comments: This rule works for both IPv4 and IPv6.


ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H.16 ICMP Rules

130400200 [Auto] DROP ICMP large packets
  Description: This rule drops large ICMP packets (bigger than 800).
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1)

130900100 [Auto] RATE LIMIT PASS ICMP Ping
  Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130900200 [Auto] RATE LIMIT PASS ICMPv6 Ping
  Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130900700 [Auto] RATELIMIT PASS ICMPv6 destination unreachable
  Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100)

130900800 [Auto] RATELIMIT PASS ICMPv6 packet too big
  Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100)

130900900 [Auto] RATELIMIT PASS ICMPv6 ping responses
  Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130901000 [Auto] RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)


130901100 [Auto] RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901200 [Auto] RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901300 [Auto] RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901400 [Auto] RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901500 [Auto] RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901600 [Auto] RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901700 [Auto] RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901800 [Auto] RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)


130901900 [Auto] RATELIMIT PASS ICMPv6 listener query
  Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902000 [Auto] RATELIMIT PASS ICMPv6 listener report
  Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902100 [Auto] RATELIMIT PASS ICMPv6 listener done
  Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902200 [Auto] RATELIMIT PASS ICMPv6 listener report v2
  Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902300 [Auto] RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902400 [Auto] RATELIMIT PASS ICMPV6 multicast router solicitation
  Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902500 [Auto] RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902600 [Auto] RATELIMIT PASS ICMP ping responses
  Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)


130902700 [Auto] RATELIMIT PASS ICMP router advertisement
  Description: This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902800 [Auto] RATELIMIT PASS ICMP router solicitation
  Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902900 [Auto] RATELIMIT PASS ICMP time exceeded
  Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903000 [Auto] RATELIMIT PASS ICMP parameter problem
  Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903100 [Auto] RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130903200 [Auto] RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903300 [Auto] RATELIMIT PASS ICMP protocol unreachable
  Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903400 [Auto] RATELIMIT ICMP port unreachable
  Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50)

130903500 [Auto] RATELIMIT PASS ICMP fragmentation needed
  Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H.17 Default Pass/Drop Rules

100000050 [System] EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
  Enable condition: Enabled by default
  Parameters: N/A

140000100 [System] DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200 [System] DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400 [System] PASS TCP established packets
  Description: This rule passes all TCP established packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default=0)

140000500 [System] DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600 [System] DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700 [System] DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800 [System] DROP unexpected protocol
  Description: This rule drops any unexpected protocol packets.
  Enable condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This is a catch-all rule that drops anything that does not match any other rules in the system.


HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H.18 HA Support Rules

140000750 [Auto] PASS VRRP
  Description: This rule passes packets that go through VRRP for HA support.
  Enable condition: Enabled if HA is configured
  Parameters: N/A

140000760 [Auto] PASS IGMP
  Description: This rule passes packets that go through IGMP for HA support.
  Enable condition: Enabled if HA is configured
  Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into puny codes. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:


  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  — Drop interval: Enter the number of seconds for which the appliance drops packets.
  — Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  — Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  — Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
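The RATELIMIT PASS auto rules in the BGP, OSPF and ICMP tables above and the RATELIMITED, BLACKLIST and WHITELIST templates in this section share one mechanism: a per-source packet count checked against Packets per second, a Drop interval during which every packet from an offending source is dropped, and an Events per second cap on how many hits are logged. The following Python model is an added example, not Infoblox code; it assumes the ordering the template names state (whitelist passes and blacklist drops before rate limiting) and additionally assumes the FQDN blacklist is checked before the rate limiter, which the page does not specify. Addresses and names are constructed documentation values.

```python
# Added model of the NIOS rate-limit and custom-rule semantics described on this page.
# Constructed example, not Infoblox's implementation; rule values are the page's defaults.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


def fqdn_to_punycode(name: str) -> str:
    """Custom rules do not accept IDNs: normalise a name to the punycode form the
    page calls 'puny codes'. Python's idna codec leaves ASCII labels unchanged."""
    return name.strip().rstrip(".").lower().encode("idna").decode("ascii")


def parse_fqdn_list(value: str) -> set:
    """The Blacklisted FQDN parameter takes a semicolon-separated list of FQDNs."""
    return {fqdn_to_punycode(n) for n in value.split(";") if n.strip()}


@dataclass
class RateLimiter:
    """RATELIMIT PASS semantics: a source passes while it stays within `pps` packets in
    the current one-second window; once it sends more, it is dropped for `drop_interval`."""
    pps: int
    drop_interval: int
    events_per_second: int = 1
    log: list = field(default_factory=list)
    _window: dict = field(default_factory=dict)         # src -> (second, count)
    _blocked_until: dict = field(default_factory=dict)  # src -> unblock timestamp
    _logged: dict = field(default_factory=lambda: defaultdict(int))  # second -> events

    def _log(self, ts: float, src: str, msg: str) -> None:
        # Events per second caps the number of rule hits logged in any one second.
        sec = int(ts)
        if self._logged[sec] < self.events_per_second:
            self._logged[sec] += 1
            self.log.append((sec, src, msg))

    def process(self, src: str, ts: float) -> str:
        if self._blocked_until.get(src, -1.0) > ts:
            return "DROP"                       # still inside the Drop interval
        sec = int(ts)
        last_sec, count = self._window.get(src, (sec, 0))
        count = count + 1 if last_sec == sec else 1
        self._window[src] = (sec, count)
        if count > self.pps:                    # "sends packets over this value"
            self._blocked_until[src] = ts + self.drop_interval
            self._log(ts, src, f"over {self.pps} pps, dropping for {self.drop_interval}s")
            return "DROP"
        return "PASS"


@dataclass
class CustomRules:
    """Template order implied by their names: WHITELIST IP (pass prior to rate limiting),
    BLACKLIST IP (drop prior to rate limiting), then RATELIMITED IP. Checking the FQDN
    blacklist before the rate limiter is an assumption; the page does not say where it sits."""
    whitelist: list
    blacklist: list
    fqdn_blacklist: set
    limiter: RateLimiter

    def decide(self, src: str, qname: str, ts: float) -> str:
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.whitelist):
            return "PASS"
        if any(ip in net for net in self.blacklist):
            return "DROP"
        if fqdn_to_punycode(qname) in self.fqdn_blacklist:
            return "DROP"
        return self.limiter.process(src, ts)


def simulate_ping_flood() -> dict:
    """Constructed scenario with the ICMP Ping rule defaults from Table H.16 (Packets per
    second=50, Drop interval=10 sec, Events per second=1): 60 pings in the first second."""
    limiter = RateLimiter(pps=50, drop_interval=10, events_per_second=1)
    src = "203.0.113.5"
    verdicts = [limiter.process(src, i / 100) for i in range(60)]
    return {
        "passed": verdicts.count("PASS"),
        "dropped": verdicts.count("DROP"),
        "during_interval": limiter.process(src, 5.0),   # blocked until t=10.5
        "after_interval": limiter.process(src, 10.5),
        "log_lines": len(limiter.log),
    }


def build_custom_rules() -> CustomRules:
    """Constructed rule set using the RATELIMITED IP template defaults
    (Packets per second=5, Drop interval=30 seconds)."""
    return CustomRules(
        whitelist=[ipaddress.ip_network("192.0.2.0/24")],
        blacklist=[ipaddress.ip_network("198.51.100.7/32"), ipaddress.ip_network("2001:db8::/32")],
        fqdn_blacklist=parse_fqdn_list("bücher.example; evil.example;"),
        limiter=RateLimiter(pps=5, drop_interval=30),
    )
```

Running simulate_ping_flood() shows 50 pings passed, 10 dropped, the source still dropped at t=5 and passing again once the 10-second interval has elapsed, with a single log line because Events per second is 1.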

DNS Message Type

130100201 Auto RATELIMIT PASSIPv6 TCP DNSAXFR zonetransfer requests

This rule passes IPv6 TCP DNS fullzone transfer requests if thepacket rate is less than thespecified Packets per second value (default = 100) If anysource IP sends packets over thisvalue the appliance blocks all

such traffic from this source IP fora time specified in Drop interval

Enabled if InfobloxDNS allowsincoming IPv6zone transferrequests

Packets per second (default = 1000)

Drop interval (default= 10 seconds)

Events per second (default = 1)

Consider tuning Packets per

second if Infoblox DNSserves a large number ofzones If this rule istriggered and the source IPaddress indicates a validsecondary server tune the

Packets per second valueaccordingly

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130100300 | Auto | RATELIMIT PASS IPv4 UDP DNS IXFR zone transfer requests | This rule passes IPv4 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100301 | Auto | RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests | This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100400 | Auto | RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests | This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130100401 | Auto | RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests | This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly.
130200100 | Auto | DROP UDP DNS AXFR zone transfer requests | This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) |
130200200 | Auto | DROP TCP DNS AXFR zone transfer requests | This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) |
130200300 | Auto | DROP UDP DNS IXFR zone transfer requests | This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) |
130200400 | Auto | DROP TCP DNS IXFR zone transfer requests | This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests | Events per second (default = 1) |


130500100 | System | DNS A record | You can configure this rule to pass or drop UDP packets that contain A record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500200 | System | DNS AAAA record | You can configure this rule to pass or drop UDP packets that contain AAAA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500300 | System | DNS CNAME record | You can configure this rule to pass or drop UDP packets that contain CNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500400 | System | DNS DS record | You can configure this rule to pass or drop UDP packets that contain DS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500500 | System | DNS PTR record | You can configure this rule to pass or drop UDP packets that contain PTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500600 | System | DNS NS record | You can configure this rule to pass or drop UDP packets that contain NS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500700 | System | DNS NSEC record | You can configure this rule to pass or drop UDP packets that contain NSEC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500800 | System | DNS NSEC3 record | You can configure this rule to pass or drop UDP packets that contain NSEC3 record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500900 | System | DNS NSEC3PARAM record | You can configure this rule to pass or drop UDP packets that contain NSEC3PARAM record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501000 | System | DNS MX record | You can configure this rule to pass or drop UDP packets that contain MX record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501100 | System | DNS SRV record | You can configure this rule to pass or drop UDP packets that contain SRV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501200 | System | DNS TXT record | You can configure this rule to pass or drop UDP packets that contain TXT record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501300 | System | DNS DNAME record | You can configure this rule to pass or drop UDP packets that contain DNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501400 | System | DNS RRSIG record | You can configure this rule to pass or drop UDP packets that contain RRSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501500 | System | DNS NAPTR record | You can configure this rule to pass or drop UDP packets that contain NAPTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |


130501600 | System | DNS DNSKEY record | You can configure this rule to pass or drop UDP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501700 | System | DNS SPF record | You can configure this rule to pass or drop UDP packets that contain SPF record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501800 | System | DNS DHCID record | You can configure this rule to pass or drop UDP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501900 | System | DNS SOA record | You can configure this rule to pass or drop UDP packets that contain SOA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502000 | System | DNS SIG record | You can configure this rule to pass or drop UDP packets that contain SIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502100 | System | DNS LOC record | You can configure this rule to pass or drop UDP packets that contain LOC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502200 | System | DNS SSHFP record | You can configure this rule to pass or drop UDP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502300 | System | DNS IPSECKEY record | You can configure this rule to pass or drop UDP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502400 | System | DNS TKEY record | You can configure this rule to pass or drop UDP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502500 | System | DNS TSIG record | You can configure this rule to pass or drop UDP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502600 | System | DNS TA record | You can configure this rule to pass or drop UDP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502700 | System | DNS DLV record | You can configure this rule to pass or drop UDP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502800 | System | DNS ANY record | You can configure this rule to pass or drop UDP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502900 | System | DNS A record TCP | You can configure this rule to pass or drop TCP packets that contain A record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503000 | System | DNS AAAA record TCP | You can configure this rule to pass or drop TCP packets that contain AAAA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |


130503100 | System | DNS CNAME record TCP | You can configure this rule to pass or drop TCP packets that contain CNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503200 | System | DNS DS record TCP | You can configure this rule to pass or drop TCP packets that contain DS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503300 | System | DNS PTR record TCP | You can configure this rule to pass or drop TCP packets that contain PTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503400 | System | DNS NS record TCP | You can configure this rule to pass or drop TCP packets that contain NS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503500 | System | DNS NSEC record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503600 | System | DNS NSEC3 record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3 record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503700 | System | DNS NSEC3PARAM record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3PARAM record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503800 | System | DNS MX record TCP | You can configure this rule to pass or drop TCP packets that contain MX record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain SRV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain TXT record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain DNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain RRSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain NAPTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain SPF record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |


130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain SOA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain SIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504900 | System | DNS LOC record TCP | You can configure this rule to pass or drop TCP packets that contain LOC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |


General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) |
110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) |
110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) |
130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) |
130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) |

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1) |
110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1) |


DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of FaceBook messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) |
130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare. | Always enabled | Events per second (default = 1) |
130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server. | Always enabled | Events per second (default = 1) |

DNS Protocol Anomalies

DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.

The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) |
110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when a DNS Label in the name being queried is too long. | Always enabled | Events per second (default = 1) |
110100600 | Auto | EARLY DROP UDP query invalid question count | This rule drops UDP DNS packets when the number of entries in the question section is invalid. | Always enabled | Events per second (default = 1) |
110100700 | Auto | EARLY DROP UDP query invalid question class | This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid. | Always enabled | Events per second (default = 1) |
110100800 | Auto | EARLY DROP UDP query invalid question string | This rule drops UDP DNS packets that contain an invalid question string. | Always enabled | Events per second (default = 1) |
110100850 | Auto | EARLY UDP drop invalid DNS query with Authority | This rule drops UDP DNS queries that contain an invalid AUTHORITY entry. | Always enabled | Events per second (default = 1) |
110100900 | Auto | EARLY DROP query multiple questions or non-query operation code | This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query. | Always enabled | Events per second (default = 1) |
130000700 | Auto | EARLY DROP TCP non-DNS query | This rule drops TCP packets when the operation code is not Query. | Always enabled | Events per second (default = 1) |
130000800 | Auto | EARLY DROP TCP query multiple questions | This rule drops TCP DNS packets when there are multiple questions being queried at one time. | Always enabled | Events per second (default = 1) |
130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority | This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) |
130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority | This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) |
130300200 | Auto | DROP TCP invalid DNS query with Authority | This rule drops TCP DNS queries that contain invalid Authority entries. | Always enabled | Events per second (default = 1) |

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
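The checks made by the DNS Protocol Anomalies rules (Table H8) and the per-record-type Action of the DNS Message Type rules, shown together as an added Python example that is not Infoblox code: it parses the question section of a raw DNS query, drops the anomalies the rules describe (bad question count, non-Query opcode, invalid class, over-long label or name, Authority entries where none belong, CHAOS-class version/author probes), and then applies a per-type site policy. The rule IDs in the comments are those of the tables; the `version.bind` and `authors.bind` names are BIND's well-known probe names, and the policy, the reading of "invalid Authority entry" as any Authority entry in a non-IXFR query, and the sample queries are assumptions of this example.

```python
import struct

# Record types named by the DNS Message Type rules, plus IXFR/AXFR for the
# zone transfer rules.  QTYPE numbers are the IANA assignments.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
          24: "SIG", 28: "AAAA", 29: "LOC", 33: "SRV", 35: "NAPTR", 39: "DNAME",
          43: "DS", 44: "SSHFP", 45: "IPSECKEY", 46: "RRSIG", 47: "NSEC",
          48: "DNSKEY", 49: "DHCID", 50: "NSEC3", 51: "NSEC3PARAM", 99: "SPF",
          249: "TKEY", 250: "TSIG", 251: "IXFR", 252: "AXFR", 255: "ANY",
          32768: "TA", 32769: "DLV"}
MAX_LABEL, MAX_NAME = 63, 255                   # RFC 1035 wire-format limits
VALID_CLASSES = {1, 3, 4, 254, 255}             # IN, CH, HS, NONE, ANY
RECON_NAMES = {"version.bind", "authors.bind"}  # BIND's CHAOS-class probe names


def parse_qname(msg, off):
    """Return (labels, offset after the name); raise ValueError on anomalies."""
    labels, wire_len = [], 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if (n & 0xC0) == 0xC0:                  # compression pointer: not valid in a question
            raise ValueError("compression pointer in question name")
        if n > MAX_LABEL:                       # rule 110100500
            raise ValueError("label too long")
        wire_len += n + 1                       # the terminating zero counts too
        if wire_len > MAX_NAME:                 # rule 110100400
            raise ValueError("question name too long")
        if n == 0:
            return labels, off
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n


def inspect_query(msg, policy, proto="udp"):
    """Apply the anomaly checks, then the per-record-type Action from policy.

    policy maps (record type name, proto) -> "pass" or "drop"; unlisted types
    pass, matching the rules' default Action = Pass.  Returns (action, reason).
    """
    if len(msg) < 12:
        return "drop", "truncated header"
    _, flags, qd, _an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        return "drop", "response, not a query"
    if ((flags >> 11) & 0xF) != 0:              # rules 110100900 / 130000700
        return "drop", "opcode is not Query"
    if qd != 1:                                 # rules 110100600 / 110100900 / 130000800
        return "drop", "invalid question count"
    try:
        labels, off = parse_qname(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    except (ValueError, struct.error) as exc:
        return "drop", f"malformed question: {exc}"
    if qclass not in VALID_CLASSES:             # rule 110100700
        return "drop", "invalid question class"
    rtype = QTYPES.get(qtype, str(qtype))
    if rtype == "IXFR":
        if ns != 1:                             # rules 130100500 / 130100600
            return "drop", "IXFR with zero or more than one Authority entry"
    elif ns != 0:                               # rules 110100850 / 130300200 (this example's reading)
        return "drop", "query carries Authority entries"
    if qclass == 3 and ".".join(labels).lower() in RECON_NAMES:
        return "drop", "named version/author probe"   # rules 110100100 / 110100200
    return policy.get((rtype, proto), "pass"), f"{rtype} over {proto}"


def build_query(qname, qtype, qclass=1, opcode=0, qdcount=1, nscount=0):
    """Constructed sample input: a minimal DNS query (header + one question)."""
    flags = (opcode << 11) | 0x0100             # QR = 0, RD = 1
    header = struct.pack("!HHHHHH", 0x1234, flags, qdcount, 0, nscount, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l)
    return header + name + b"\x00" + struct.pack("!HH", qtype, qclass)


# Constructed site policy: drop ANY over UDP (rule 130502800 with Action = Drop).
POLICY = {("ANY", "udp"): "drop"}


def inspect_demo():
    """Run constructed queries through inspect_query; keys name each case."""
    cases = {
        "a_record": (build_query("www.example.com", 1), "udp"),
        "any_udp": (build_query("example.com", 255), "udp"),
        "any_tcp": (build_query("example.com", 255), "tcp"),
        "bad_class": (build_query("example.com", 1, qclass=9), "udp"),
        "two_questions": (build_query("example.com", 1, qdcount=2), "udp"),  # header count only
        "long_label": (build_query("a" * 64 + ".example.com", 1), "udp"),
        "version_probe": (build_query("version.bind", 16, qclass=3), "udp"),
        "ixfr_ok": (build_query("example.com", 251, nscount=1), "tcp"),  # SOA counted, not built
        "ixfr_no_auth": (build_query("example.com", 251), "tcp"),
    }
    return {name: inspect_query(msg, POLICY, proto) for name, (msg, proto) in cases.items()}
```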


TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.
130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.
130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.
130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.


DNS DDoS

The following table lists system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H10 DNS DDoS Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers, and NO errors.
200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
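The two-tier warn/block pair of Table H9 (rules 130000100 and 130000200) and the response-code rate limiting rules of Table H10, modelled as an added Python example that is not Infoblox code: a per-source counter with a low warn threshold, a high block threshold that both warns at the Packets per second value and blocks above it for Drop interval seconds, and Events per second log throttling. How the appliance measures rate is not stated on this page; the 1-second window, the scaled-down thresholds, and the packet traces are assumptions of this example, and the `match` predicate generalizes it to any per-source rule of this shape.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class RateRule:
    """One rate limiting rule, with the parameters named in the tables."""
    rule_id: str
    pps: int                                   # Packets per second threshold
    drop_interval: float = 0.0                 # seconds to block; 0 for a warn-only rule
    events_per_second: int = 1                 # log throttle; 0 disables logging
    match: Callable[[dict], bool] = lambda pkt: True   # which packets count toward the rate


class Limiter:
    """Per-source packet counter in 1-second windows (an assumption of this
    example; the appliance's real measurement window is not documented here)."""

    def __init__(self, block: RateRule, warn: Optional[RateRule] = None):
        if warn is not None and warn.pps >= block.pps:     # the tables' NOTE on the pair
            raise ValueError("warn threshold must be below block threshold")
        self.block, self.warn = block, warn
        self.counts = defaultdict(int)         # (src, window) -> matched packets
        self.blocked_until = {}                # src -> time the Drop interval ends
        self.events = defaultdict(int)         # (rule_id, window) -> events logged
        self.log = []

    def _log(self, rule, window, msg):
        """Events per second: at most that many log lines per rule per window."""
        if self.events[(rule.rule_id, window)] < rule.events_per_second:
            self.events[(rule.rule_id, window)] += 1
            self.log.append(msg)

    def handle(self, pkt):
        """pkt is {'t': seconds, 'src': ip, ...}; returns 'pass' or 'drop'."""
        t, src = pkt["t"], pkt["src"]
        window = int(t)
        if self.blocked_until.get(src, 0.0) > t:
            return "drop"                      # inside Drop interval: all traffic from src
        if not self.block.match(pkt):
            return "pass"                      # does not count toward this rule's rate
        self.counts[(src, window)] += 1
        n = self.counts[(src, window)]
        if n > self.block.pps:                 # rate exceeds the value: block
            self.blocked_until[src] = t + self.block.drop_interval
            self._log(self.block, window, f"{self.block.rule_id} BLOCK {src} {n} pps")
            return "drop"
        if n == self.block.pps:                # rate equals the value: warn only
            self._log(self.block, window, f"{self.block.rule_id} WARN {src} {n} pps")
        elif self.warn is not None and n >= self.warn.pps:
            self._log(self.warn, window, f"{self.warn.rule_id} WARN {src} {n} pps")
        return "pass"


def run_flood_demo():
    """Rules 130000100/130000200 with thresholds scaled down from 40/1000.
    events_per_second=2 on the block rule so its WARN and BLOCK both get logged."""
    lim = Limiter(block=RateRule("130000200", pps=10, drop_interval=5, events_per_second=2),
                  warn=RateRule("130000100", pps=5))
    trace = [{"t": 0.05 * i, "src": "203.0.113.5"} for i in range(12)]   # 12 packets in second 0
    trace += [{"t": 0.7, "src": "198.51.100.7"},      # a quiet source is unaffected
              {"t": 3.0, "src": "203.0.113.5"},       # still inside the 5 s Drop interval
              {"t": 6.0, "src": "203.0.113.5"}]       # interval over: counting restarts
    return [lim.handle(p) for p in trace], lim.log


def run_nxdomain_demo():
    """Rule 200000001 style: only queries that drew NXDOMAIN count, but a block
    drops all UDP DNS traffic from the source, including a later NOERROR query."""
    rule = RateRule("200000001", pps=3, drop_interval=5, events_per_second=2,
                    match=lambda p: p.get("rcode") == "NXDOMAIN")
    lim = Limiter(block=rule)
    trace = [{"t": 0.1 * i, "src": "203.0.113.9", "rcode": "NXDOMAIN"} for i in range(5)]
    trace.append({"t": 0.6, "src": "203.0.113.9", "rcode": "NOERROR"})
    return [lim.handle(p) for p in trace], lim.log


if __name__ == "__main__":
    for demo in (run_flood_demo, run_nxdomain_demo):
        decisions, log = demo()
        print(demo.__name__, decisions, log, sep="\n  ")
```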


DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system and auto rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing changing the source address in their DNS queries to show theaddress of their intended target such as a DNS root server or a top-level domain (TLD) name server operator DNS

reflection and amplification recognizes UDP as an asymmetrical protocol (small requests large responses) and theexistence of open DNS resolvers to the Internet cloud The result is that small DNS queries reflect large UDP datagramresponses to the target address in the original source datagrams Some recent attacks have used this DDoStechnique at a huge scale

Since DNS runs over UDP and does not require a handshake it is possible to use the protocol as a means to lock downa host or a network Designed a specific way sending a small query to any open DNS resolver can result in a singleresponse containing several kilobytes or more that are sent to the unwitting spoofed victim (This type of responsetypically is sent via TCP as UDP does not allow for more than 512 bytes in a response datagram The resulting packetusually exceeds the MTU of the recipientrsquos interfaces resulting in further packet fragmentation and processing) OpenDNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data Attackers may also

Rule ID

Rule

Type

Rule Name Description

EnableDisable

Condition

Parameters Comments

130000500 System RATELIMIT UDP highrate inbound largeDNS queries (antitunneling)

This rule warns If any source IPsends large UDP DNS queries(which could be DNS tunnelingattacks) at a rate equals thePackets per second value If therate exceeds this value it blocksall such traffic from this source IPfor the time in Drop interval

This rule is triggered when theDNS Packet size exceeds theconfigured value

Disabled bydefault

Packets per second (default = 100)

Drop interval (default = 5 seconds)

Events per second (default = 1)

Packet size

(default = 200)

Consider tuning Packets

per second to a highervalue for NATdenvironments staticforwarders and VPNconcentrators

130000600 Auto RATELIMIT TCP highrate inbound largeDNS queries(anti-tunneling)

This rule warns if any source IPsends large TCP DNS queries(which could be DNS tunnelingattacks) at a rate equals thePackets per second value If therate exceeds the value theappliance blocks all such trafficfrom this source IP for the Drop

interval

This rule is triggered when theDNS Packet size exceeds theconfigured value

Disabled bydefault

Packets per second (default = 100)

Drop interval

(default = 5 seconds)

Events per second (default = 1)

Packet size

(default = 200)

Consider tuning Packets

per second to a highervalue for NATdenvironments staticforwarders and VPNconcentrators

200000004 System DNS tunneling ratelimiting rule

This rule warns If any source IPsends inbound UDP DNS queriesthat trigger large TXT responses ata rate equals the Packets per

second value If the rate exceedsthis value it blocks all such t rafficfrom this source IP for the Drop

interval

This rule is triggered when the sizeof the TXT records in the DNSresponses exceeds the configuredDNS Packet size

Enabled bydefault

Packets per second (default = 1000)

Drop interval

(default = 5 seconds)

Events per second (default = 1)

Packet size

(default = 40)

Consider tuning Packets

per second to a highervalue for NATdenvironments static

forwarders and VPNconcentrators

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 1830

1514 NIOS Administrator Guide (Rev A) NIOS 612

use the EDNS0 DNS protocol extension as a means to enable larger DNS responses Many network operatorsparticularly overseas allow open DNS resolvers to run on their networks unwittingly allowing attackers to abusethem Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting openrecursive DNS servers Hence issues of this type usually result from mistakes in configuration
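As an added example (not code from the NIOS guide or from Infoblox), the following Python models the behaviour that the rate-limit rules in these tables describe: a per-source packet count, a warning when the rate reaches Packets per second, a block for Drop interval once it exceeds it, an Events per second cap on log output, and the Packet size trigger that restricts the anti-tunneling rules to large queries. The rule ID, rule name and default values come from Table H11; the one-second sliding window, the reading of Events per second as a log cap, and the traffic are assumptions constructed for the demonstration.

```python
from collections import defaultdict, deque


class RateLimitRule:
    """Per-source rate limit with a drop interval, modelled on the NIOS rule tables.

    Assumed semantics (constructed for illustration, not Infoblox's implementation):
      * packets from each source IP are counted over a sliding one-second window;
      * reaching Packets per second logs a WARN; exceeding it logs a BLOCK and
        drops the source's matching traffic for Drop interval seconds;
      * Events per second caps the number of log events the rule emits per second;
      * Packet size, when set, restricts the rule to packets larger than that size
        (the anti-tunneling trigger).
    """

    def __init__(self, rule_id, name, packets_per_second, drop_interval,
                 events_per_second=1, packet_size=None):
        self.rule_id = rule_id
        self.name = name
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.eps = events_per_second
        self.packet_size = packet_size
        self._window = defaultdict(deque)   # src -> timestamps seen in the last second
        self._blocked_until = {}            # src -> time at which the block expires
        self._events_in_second = defaultdict(int)
        self.events = []                    # (timestamp, src, kind) that were actually logged
        self.suppressed_events = 0          # log events hidden by the Events per second cap

    def applies_to(self, pkt):
        """Packet size filter: the rule ignores packets at or below the threshold."""
        return self.packet_size is None or pkt["size"] > self.packet_size

    def _log(self, ts, src, kind):
        second = int(ts)
        if self._events_in_second[second] >= self.eps:
            self.suppressed_events += 1
            return
        self._events_in_second[second] += 1
        self.events.append((ts, src, kind))

    def process(self, pkt):
        """Return "PASS", "DROP" or "SKIP" (packet does not match the rule)."""
        if not self.applies_to(pkt):
            return "SKIP"
        src, ts = pkt["src"], pkt["ts"]
        until = self._blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "DROP"           # still inside the drop interval
            del self._blocked_until[src]
        window = self._window[src]
        window.append(ts)
        while window[0] <= ts - 1.0:    # expire timestamps older than one second
            window.popleft()
        if len(window) > self.pps:
            self._blocked_until[src] = ts + self.drop_interval
            self._log(ts, src, "BLOCK")
            return "DROP"
        if len(window) == self.pps:
            self._log(ts, src, "WARN")
        return "PASS"


def simulate_anti_tunneling():
    """Run rule 130000500 with its table defaults over constructed traffic.

    Returns a per-source verdict count and the rule object (for its event log).
    """
    rule = RateLimitRule(
        "130000500",
        "RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)",
        packets_per_second=100, drop_interval=5, events_per_second=1, packet_size=200)
    packets = []
    # Constructed: 198.51.100.7 sends 150 large (300-byte) queries in 0.75 s,
    # then one more after the drop interval has expired.
    packets += [{"src": "198.51.100.7", "ts": i * 0.005, "size": 300} for i in range(150)]
    packets.append({"src": "198.51.100.7", "ts": 6.0, "size": 300})
    # Constructed: 198.51.100.8 sends ten ordinary 60-byte queries, which are
    # at or below Packet size and therefore never evaluated by this rule.
    packets += [{"src": "198.51.100.8", "ts": i * 0.01, "size": 60} for i in range(10)]
    packets.sort(key=lambda p: p["ts"])  # feed the rule in time order, as a packet path would
    counts = defaultdict(lambda: defaultdict(int))
    for pkt in packets:
        counts[pkt["src"]][rule.process(pkt)] += 1
    return {src: dict(c) for src, c in counts.items()}, rule


if __name__ == "__main__":
    verdicts, rule = simulate_anti_tunneling()
    print(verdicts)
    print("logged:", rule.events, "suppressed:", rule.suppressed_events)
```

With Events per second left at 1, the BLOCK event lands in the same second as the WARN and is suppressed, which is why a rule that is visibly dropping traffic can show only a single warning in the log.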

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

Rule 130400100 (Auto): WARN & DROP DoS DNS possible reflection/amplification attack attempts
    Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
    Enable/Disable condition: Enabled by default
    Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders and VPN concentrators.

Rule 130400500 (System): RATELIMIT PASS UDP DNS root requests with additional RRs
    Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable/Disable condition: Disabled by default
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

Rule 130400600 (System): RATELIMIT PASS UDP DNS root requests
    Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable/Disable condition: Disabled by default
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules

Rule 130600100 (Auto): RATELIMIT PASS NTP TIME responses
    Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
    Enable/Disable condition: Enabled when the NTP client is enabled
    Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

Rule 130600120 (Auto): DROP NTP TIME responses
    Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
    Enable/Disable condition: Enabled when the NTP client is disabled
    Parameters: Events per second (default = 1)

Rule 200001001 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

Rule 200001005 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

Rule 200001010 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

Rule 200001015 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

Rule 200001020 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

Rule 200001025 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

Rule 200001050 (Auto): RATELIMIT PASS NTPQ IPv4 requests
    Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule 200001055 (Auto): RATELIMIT PASS NTP TIME IPv4 requests
    Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule 200001060 (Auto): RATELIMIT PASS NTP private mode IPv4 requests
    Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule 200001065 (Auto): RATELIMIT PASS NTPQ IPv6 requests
    Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule 200001070 (Auto): RATELIMIT PASS NTP TIME IPv6 requests
    Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule 200001075 (Auto): RATELIMIT PASS NTP private mode IPv6 requests
    Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule 200001100 (Auto): DROP NTPQ requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default = 1)

Rule 200001105 (Auto): DROP NTP TIME requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default = 1)

Rule 200001110 (Auto): DROP NTP private mode requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default = 1)

Rule 200001115 (Auto): DROP invalid NTP requests
    Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default = 1)

BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

Rule 130700100 (Auto): DROP BGP header length shorter than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
    Enable/Disable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

Rule 130700200 (Auto): DROP BGP header length longer than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
    Enable/Disable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

Rule 130700300 (Auto): DROP BGP spoofed connection reset attempts
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

Rule 130700400 (Auto): DROP BGP invalid type 0
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0.
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

Rule 130700500 (Auto): DROP BGP invalid type bigger than 5
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

Rule 130700550 (Auto): RATELIMIT PASS BGP IPv4 peer TCP connection attempts
    Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
    Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

Rule 130700600 (Auto): RATELIMIT PASS BGP allowed with IPv4 peer
    Description: This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
    Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

Rule 130700650 (Auto): RATELIMIT PASS BGP IPv6 peer TCP connection attempts
    Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
    Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

Rule 130700700 (Auto): RATELIMIT PASS BGP allowed with IPv6 peer
    Description: This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
    Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10)

Rule 130800100 (Auto): DROP BGP unexpected
    Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
    Enable/Disable condition: This rule takes effect when BGP service on this member is NOT configured
    Parameters: Events per second (default = 1)
    Comments: This rule is exclusive with other rules based on whether BGP is configured on the member or not.

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

Rule 130900300 (Auto): DROP OSPF unexpected
    Description: This rule drops unexpected OSPF packets.
    Enable condition: This rule takes effect when OSPF service on this member is NOT configured
    Parameters: Events per second (default = 1)
    Comments: Default drop rule for all packets on the OSPF service port.

Rule 130900400 (Auto): RATELIMIT PASS OSPF multicast
    Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: This rule takes effect when OSPF service on this member is configured for IPv4
    Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100)

Rule 130900500 (Auto): RATELIMIT PASS OSPF IPv6 multicast
    Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: This rule takes effect when OSPF service on this member is configured for IPv6
    Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100)

Rule 130900600 (Auto): RATELIMIT PASS OSPF
    Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: This rule takes effect when OSPF service on this member is configured
    Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)
    Comments: This rule works for both IPv4 and IPv6.

ICMP

ICMP attacks use network devices, such as routers, to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

Rule 130400200 (Auto): DROP ICMP large packets
    Description: This rule drops large ICMP packets (bigger than 800).
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1)

Rule 130900100 (Auto): RATELIMIT PASS ICMP Ping
    Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Rule 130900200 (Auto): RATELIMIT PASS ICMPv6 Ping
    Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Rule 130900700 (Auto): RATELIMIT PASS ICMPv6 destination unreachable
    Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100)

Rule 130900800 (Auto): RATELIMIT PASS ICMPv6 packet too big
    Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100)

Rule 130900900 (Auto): RATELIMIT PASS ICMPv6 ping responses
    Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Rule 130901000 (Auto): RATELIMIT PASS ICMPv6 parameter problem erroneous header
    Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Rule 130901100 (Auto): RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
    Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130901200 (Auto): RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
    Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130901300 (Auto): RATELIMIT PASS ICMPv6 router solicitation
    Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130901400 (Auto): RATELIMIT PASS ICMPv6 router advertisement
    Description: This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130901500 (Auto): RATELIMIT PASS ICMPv6 neighbor solicitation
    Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130901600 (Auto): RATELIMIT PASS ICMPv6 neighbor advertisement
    Description: This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130901700 (Auto): RATELIMIT PASS ICMPv6 inverse neighbor solicitation
    Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130901800 (Auto): RATELIMIT PASS ICMPv6 inverse neighbor advertisement
    Description: This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130901900 (Auto): RATELIMIT PASS ICMPv6 listener query
    Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130902000 (Auto): RATELIMIT PASS ICMPv6 listener report
    Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130902100 (Auto): RATELIMIT PASS ICMPv6 listener done
    Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130902200 (Auto): RATELIMIT PASS ICMPv6 listener report v2
    Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130902300 (Auto): RATELIMIT PASS ICMPV6 multicast router advertisement
    Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130902400 (Auto): RATELIMIT PASS ICMPV6 multicast router solicitation
    Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130902500 (Auto): RATELIMIT PASS ICMPV6 multicast router advertisement
    Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130902600 (Auto): RATELIMIT PASS ICMP ping responses
    Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Rule 130902700 (Auto): RATELIMIT PASS ICMP router advertisement
    Description: This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Rule 130902800 (Auto): RATELIMIT PASS ICMP router solicitation
    Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Rule 130902900 (Auto): RATELIMIT PASS ICMP time exceeded
    Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Rule 130903000 (Auto): RATELIMIT PASS ICMP parameter problem
    Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Rule 130903100 (Auto): RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
    Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

Rule 130903200 (Auto): RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
    Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Rule 130903300 (Auto): RATELIMIT PASS ICMP protocol unreachable
    Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Rule 130903400 (Auto): RATELIMIT ICMP port unreachable
    Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 10); Drop Interval (default = 10 sec); Packets per second (default = 50)

Rule 130903500 (Auto): RATELIMIT PASS ICMP fragmentation needed
    Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits option set and marked OK. | Enabled by default | N/A |
140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default = 1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.
140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default = 1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.
140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default = 0) |
140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default = 0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default = 0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default = 0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.
140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default = 0) | This is a catch-all rule that drops anything that does not match any other rules in the system.


HA Support

The following table lists the auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | N/A |
140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | N/A |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:

— Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using a semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:

— Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using a semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

— Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

— Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:


— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.

— Drop interval: Enter the number of seconds for which the appliance drops packets.

— Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

— Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

— Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

— Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

— Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
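The evaluation order the templates above describe (whitelist pass prior to rate limiting, blacklist drop prior to rate limiting, then a per-source Packets per second limit that starts a Drop interval, with Events per second capping what gets logged), as an added Python model that is not Infoblox code; it also folds in the warn-before-block pair of rules 130000100 and 130000200 from the TCP/UDP Flood table as an optional lower warn threshold. The one-second fixed window, the per-rule log cap and the sample addresses are assumptions made here.

```python
"""Model of the custom-rule evaluation order described above (added example; not Infoblox code).

Per packet: WHITELIST IP (pass prior) -> BLACKLIST IP (drop prior) -> RATELIMITED IP -> pass.
A source that exceeds Packets per second is dropped for Drop interval seconds; an optional
lower warn threshold (rule 130000100 / 130000200 style) logs without dropping.
Assumptions: rate is counted in a fixed one-second window, and the Events per second cap is
applied per rule and per second.
"""
import ipaddress
from collections import defaultdict


class EventLog:
    """Log sink that caps entries per rule at Events per second (0 disables logging)."""

    def __init__(self):
        self.entries = []
        self._per_second = defaultdict(int)

    def emit(self, rule, events_per_second, now, message):
        if events_per_second == 0:
            return False
        key = (rule, int(now))
        if self._per_second[key] >= events_per_second:
            return False                                  # cap for this rule/second reached
        self._per_second[key] += 1
        self.entries.append((now, rule, message))
        return True


class RateLimiter:
    """Per-source packet count in a one-second window (assumption); the packet that crosses
    packets_per_second starts a Drop interval for that source."""

    def __init__(self, packets_per_second=5, drop_interval=30.0, warn_pps=None):
        if warn_pps is not None and warn_pps > packets_per_second:
            raise ValueError("warn threshold must not exceed the blocking threshold")
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.warn_pps = warn_pps
        self._counts = defaultdict(int)                   # (src, second) -> packets seen
        self.blocked_until = {}                           # src -> end of its Drop interval

    def check(self, src, now):
        if self.blocked_until.get(src, 0.0) > now:
            return "DROP"                                 # still inside the Drop interval
        key = (src, int(now))
        self._counts[key] += 1
        n = self._counts[key]
        if n > self.pps:
            self.blocked_until[src] = now + self.drop_interval
            return "DROP"                                 # the crossing packet is dropped too
        if self.warn_pps is not None and n >= self.warn_pps:
            return "WARN"                                 # logged, packet still passes
        return "PASS"


class RuleEngine:
    def __init__(self, whitelist, blacklist, limiter, events_per_second=1):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        self.limiter = limiter
        self.eps = events_per_second
        self.log = EventLog()

    def evaluate(self, src, now):
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.whitelist):
            return "PASS"                                 # WHITELIST IP: never rate limited
        if any(ip in net for net in self.blacklist):
            self.log.emit("BLACKLIST IP", self.eps, now, f"{src} dropped prior to rate limiting")
            return "DROP"
        verdict = self.limiter.check(src, now)
        if verdict != "PASS":
            self.log.emit("RATELIMITED IP", self.eps, now, f"{src} {verdict}")
        return "DROP" if verdict == "DROP" else "PASS"


def simulate():
    """Constructed traffic (sample addresses are assumptions): a burst from one source, a
    whitelisted burst and a blacklisted source. Returns per-source verdict counts and the
    number of log entries the Events per second cap let through."""
    engine = RuleEngine(whitelist=["192.0.2.0/24"], blacklist=["203.0.113.5"],
                        limiter=RateLimiter(packets_per_second=5, drop_interval=30.0, warn_pps=4))
    traffic = [("198.51.100.7", t / 10) for t in range(8)]        # 8 packets within second 0
    traffic += [("198.51.100.7", 10.0), ("198.51.100.7", 31.0)]    # inside, then after, the interval
    traffic += [("192.0.2.10", t / 10) for t in range(20)]         # whitelisted burst
    traffic += [("203.0.113.5", t / 10) for t in range(3)]         # blacklisted source
    summary = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for src, now in traffic:
        summary[src][engine.evaluate(src, now)] += 1
    return {src: dict(c) for src, c in summary.items()}, len(engine.log.entries)


if __name__ == "__main__":
    verdicts, logged = simulate()
    for src, counts in verdicts.items():
        print(f"{src:14} {counts}")
    print("log entries after Events per second cap:", logged)
```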


DNS Message Type

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
130500100 | System | DNS A record | You can configure this rule to pass or drop UDP packets that contain A record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500200 | System | DNS AAAA record | You can configure this rule to pass or drop UDP packets that contain AAAA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500300 | System | DNS CNAME record | You can configure this rule to pass or drop UDP packets that contain CNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500400 | System | DNS DS record | You can configure this rule to pass or drop UDP packets that contain DS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500500 | System | DNS PTR record | You can configure this rule to pass or drop UDP packets that contain PTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500600 | System | DNS NS record | You can configure this rule to pass or drop UDP packets that contain NS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500700 | System | DNS NSEC record | You can configure this rule to pass or drop UDP packets that contain NSEC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500800 | System | DNS NSEC3 record | You can configure this rule to pass or drop UDP packets that contain NSEC3 record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130500900 | System | DNS NSEC3PARAM record | You can configure this rule to pass or drop UDP packets that contain NSEC3PARAM record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501000 | System | DNS MX record | You can configure this rule to pass or drop UDP packets that contain MX record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501100 | System | DNS SRV record | You can configure this rule to pass or drop UDP packets that contain SRV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501200 | System | DNS TXT record | You can configure this rule to pass or drop UDP packets that contain TXT record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501300 | System | DNS DNAME record | You can configure this rule to pass or drop UDP packets that contain DNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501400 | System | DNS RRSIG record | You can configure this rule to pass or drop UDP packets that contain RRSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501500 | System | DNS NAPTR record | You can configure this rule to pass or drop UDP packets that contain NAPTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501600 | System | DNS DNSKEY record | You can configure this rule to pass or drop UDP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501700 | System | DNS SPF record | You can configure this rule to pass or drop UDP packets that contain SPF record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501800 | System | DNS DHCID record | You can configure this rule to pass or drop UDP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130501900 | System | DNS SOA record | You can configure this rule to pass or drop UDP packets that contain SOA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502000 | System | DNS SIG record | You can configure this rule to pass or drop UDP packets that contain SIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502100 | System | DNS LOC record | You can configure this rule to pass or drop UDP packets that contain LOC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502200 | System | DNS SSHFP record | You can configure this rule to pass or drop UDP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502300 | System | DNS IPSECKEY record | You can configure this rule to pass or drop UDP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502400 | System | DNS TKEY record | You can configure this rule to pass or drop UDP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502500 | System | DNS TSIG record | You can configure this rule to pass or drop UDP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502600 | System | DNS TA record | You can configure this rule to pass or drop UDP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502700 | System | DNS DLV record | You can configure this rule to pass or drop UDP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502800 | System | DNS ANY record | You can configure this rule to pass or drop UDP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130502900 | System | DNS A record TCP | You can configure this rule to pass or drop TCP packets that contain A record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503000 | System | DNS AAAA record TCP | You can configure this rule to pass or drop TCP packets that contain AAAA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503100 | System | DNS CNAME record TCP | You can configure this rule to pass or drop TCP packets that contain CNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503200 | System | DNS DS record TCP | You can configure this rule to pass or drop TCP packets that contain DS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503300 | System | DNS PTR record TCP | You can configure this rule to pass or drop TCP packets that contain PTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503400 | System | DNS NS record TCP | You can configure this rule to pass or drop TCP packets that contain NS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503500 | System | DNS NSEC record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503600 | System | DNS NSEC3 record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3 record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503700 | System | DNS NSEC3PARAM record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3PARAM record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503800 | System | DNS MX record TCP | You can configure this rule to pass or drop TCP packets that contain MX record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain SRV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain TXT record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain DNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain RRSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain NAPTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain SPF record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain SOA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain SIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504900 | System | DNS LOC record TCP | You can configure this rule to pass or drop TCP packets that contain LOC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |


General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) |
110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) |
110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) |
130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) |
130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) |

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) stops the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1) |
110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1) |


DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver, such as a Microsoft DNS server.

Table H7 DNS Malware Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of Facebook Messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) |
130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and adware. | Always enabled | Events per second (default = 1) |
130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server. | Always enabled | Events per second (default = 1) |

DNS Protocol Anomalies

DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.

The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) |
110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when the DNS label in the name being queried is too long. | Always enabled | Events per second (default = 1) |
110100600 | Auto | EARLY DROP UDP query invalid question count | This rule drops UDP DNS packets when the number of entries in the question section is invalid. | Always enabled | Events per second (default = 1) |
110100700 | Auto | EARLY DROP UDP query invalid question class | This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid. | Always enabled | Events per second (default = 1) |
110100800 | Auto | EARLY DROP UDP query invalid question string | This rule drops UDP DNS packets that contain an invalid question string. | Always enabled | Events per second (default = 1) |
110100850 | Auto | EARLY UDP drop invalid DNS query with Authority | This rule drops UDP DNS queries that contain an invalid AUTHORITY entry. | Always enabled | Events per second (default = 1) |
110100900 | Auto | EARLY DROP query multiple questions or non-query operation code | This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query. | Always enabled | Events per second (default = 1) |
130000700 | Auto | EARLY DROP TCP non-DNS query | This rule drops TCP packets when the operation code is not Query. | Always enabled | Events per second (default = 1) |
130000800 | Auto | EARLY DROP TCP query multiple questions | This rule drops TCP DNS packets when there are multiple questions being queried at one time. | Always enabled | Events per second (default = 1) |
130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority | This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) |
130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority | This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) |
130300200 | Auto | DROP TCP invalid DNS query with Authority | This rule drops TCP DNS queries that contain invalid Authority entries. | Always enabled | Events per second (default = 1) |

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
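The question-section conditions that the DNS Protocol Anomalies rules (Table H8) describe, as an added Python example that is not Infoblox code: it parses a DNS header and the first question and reports which rule conditions a message matches. The rule IDs are the page's UDP rule IDs; the page does not state the exact criteria behind each rule, so the limits used (RFC 1035 label and name lengths, classes IN/CH/HS/ANY, opcode QUERY, exactly one Authority RR for IXFR and none otherwise) and the constructed test messages are assumptions.

```python
"""Checks modelled on the DNS Protocol Anomalies rules of Table H8 (added example; not Infoblox
code). Assumed criteria: RFC 1035 sizes (label <= 63, name <= 255 octets), classes IN/CH/HS/ANY,
opcode QUERY, IXFR = QTYPE 251, exactly one Authority RR for IXFR and none for other queries.
"""
import struct

OPCODE_QUERY = 0
QTYPE_IXFR = 251
VALID_CLASSES = {1, 3, 4, 255}          # IN, CH, HS, ANY (assumption)
MAX_LABEL = 63
MAX_NAME = 255


def build_query(name, qtype=1, qclass=1, opcode=OPCODE_QUERY, qdcount=1, nscount=0, txid=0x1234):
    """Constructed test message: 12-octet header plus one question. Counts and label lengths
    are written exactly as given, so malformed messages can be produced deliberately."""
    flags = ((opcode & 0xF) << 11) | 0x0100                # QR=0 (query), RD=1
    header = struct.pack("!HHHHHH", txid, flags, qdcount, 0, nscount, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)


def check_query(pkt):
    """Return a list of (rule_id, reason) for every Table H8 condition the message matches;
    an empty list means the header and first question look well formed."""
    hits = []
    if len(pkt) < 12:
        return [("110100800", "message shorter than the 12-octet DNS header")]
    _txid, flags, qdcount, _an, nscount, _ar = struct.unpack("!HHHHHH", pkt[:12])
    opcode = (flags >> 11) & 0xF
    if qdcount == 0:
        hits.append(("110100600", "question count is 0"))
    if qdcount > 1:
        hits.append(("110100900", f"{qdcount} questions in one query"))
    if opcode != OPCODE_QUERY:
        hits.append(("110100900", f"opcode {opcode} is not QUERY"))
    if qdcount == 0:
        return hits                                         # nothing further to parse
    # Walk the first question name label by label, checking each length octet.
    off, name_len = 12, 0
    while True:
        if off >= len(pkt):
            hits.append(("110100800", "question name runs past the end of the message"))
            return hits
        ln = pkt[off]
        off += 1
        if ln == 0:
            name_len += 1                                   # root label
            break
        if (ln & 0xC0) == 0xC0:
            hits.append(("110100800", "compression pointer inside the question name"))
            return hits
        if ln > MAX_LABEL:
            hits.append(("110100500", f"label of {ln} octets exceeds {MAX_LABEL}"))
        name_len += 1 + ln
        off += ln
    if name_len > MAX_NAME:
        hits.append(("110100400", f"question name of {name_len} octets exceeds {MAX_NAME}"))
    if off + 4 > len(pkt):
        hits.append(("110100800", "question type/class missing"))
        return hits
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    if qclass not in VALID_CLASSES:
        hits.append(("110100700", f"question class {qclass} is not IN/CH/HS/ANY"))
    if qtype == QTYPE_IXFR:
        if nscount != 1:                                    # IXFR carries exactly one SOA in Authority
            hits.append(("130100500", f"IXFR query with {nscount} Authority entries"))
    elif nscount != 0:
        hits.append(("110100850", f"ordinary query carrying {nscount} Authority entries"))
    return hits


def matched_rules(pkt):
    """Just the rule IDs, in the order the checks fire."""
    return [rule for rule, _ in check_query(pkt)]


if __name__ == "__main__":
    samples = {
        "clean A query": build_query("example.com"),
        "64-octet label": build_query("a" * 64 + ".example"),
        "321-octet name": build_query(".".join(["b" * 63] * 5)),
        "two questions": build_query("example.com", qdcount=2),
        "IXFR without SOA": build_query("example.com", qtype=QTYPE_IXFR),
    }
    for label, pkt in samples.items():
        print(f"{label:18} -> {matched_rules(pkt) or 'no anomaly'}")
```

For the TCP variants of these rules, strip the two-octet length prefix before passing the message to check_query.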


TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks: massive numbers of packets that consume network bandwidth and appliance resources. They exploit the TCP and UDP transport protocols themselves rather than any DNS semantics.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

Columns: Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130000100  System  WARN about high rate inbound UDP DNS queries
  Description: This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 40); Events per second (default = 1).
  Comments: Use this rule together with rule 130000200 to set separate warning and blocking thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second value configured for this rule should be less than that of rule 130000200.

130000200  System  WARN & BLOCK high rate inbound UDP DNS queries
  Description: This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators, where many clients share one source IP. This rule may be triggered if its Packets per second value is lower than that of custom rules created from the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.

130000300  System  WARN about high rate inbound TCP DNS queries
  Description: This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 5); Events per second (default = 1).
  Comments: Use this rule together with rule 130000400 to set separate warning and blocking thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second value configured for this rule should be less than that of rule 130000400.

130000400  System  WARN & BLOCK high rate inbound TCP DNS queries
  Description: This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. This rule may be triggered if its Packets per second value is lower than that of custom rules created from the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.
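The warn/block pairing in Table H9, as an added example that is not part of the Infoblox guide or product: a per-source-IP counter with a low warn-only threshold (rule 130000100 style) and a high block threshold with a Drop interval (rule 130000200 style), run over a constructed packet stream. The thresholds are the documented defaults; the fixed 1-second counting window, the cap on logged events per rule and action, the alert tuple format and the sample source addresses are this example's assumptions.

```python
"""Two-tier per-source rate limiting as described for rules 130000100/130000200.

Added illustration, not Infoblox code.  The thresholds are the documented
defaults; the fixed 1-second counting window, the per-rule-and-action cap on
log events and the alert tuple format are this example's assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class RateRule:
    rule_id: int
    packets_per_second: int      # threshold the per-source rate is compared with
    drop_interval: float = 0.0   # seconds to block the source; 0 = warn-only rule
    events_per_second: int = 1   # cap on log events per second for this rule


@dataclass
class FloodGuard:
    warn: RateRule                # low threshold: warn at >= (130000100 style)
    block: RateRule               # high threshold: warn at ==, block at > (130000200 style)
    counts: dict = field(default_factory=lambda: defaultdict(int))   # (src, second) -> packets
    blocked_until: dict = field(default_factory=dict)                # src -> unblock time
    events: dict = field(default_factory=lambda: defaultdict(int))   # (rule, action, second) -> logged
    log: list = field(default_factory=list)                          # (rule_id, action, src, second)

    def _alert(self, rule, action, src, ts):
        """Log an event unless this rule/action already used its Events per second."""
        key = (rule.rule_id, action, int(ts))
        if self.events[key] < rule.events_per_second:
            self.events[key] += 1
            self.log.append((rule.rule_id, action, src, int(ts)))

    def handle(self, src, ts):
        """Return 'pass' or 'drop' for one inbound packet from src at time ts (seconds)."""
        if self.blocked_until.get(src, 0.0) > ts:
            return "drop"                     # still inside the Drop interval
        key = (src, int(ts))
        self.counts[key] += 1
        rate = self.counts[key]               # packets seen from src in this second
        if rate > self.block.packets_per_second:
            self._alert(self.block, "block", src, ts)
            self.blocked_until[src] = ts + self.block.drop_interval
            return "drop"
        if rate == self.block.packets_per_second:
            self._alert(self.block, "warn", src, ts)
        elif rate >= self.warn.packets_per_second:
            self._alert(self.warn, "warn", src, ts)
        return "pass"


def constructed_stream():
    """Constructed sample traffic as (source IP, timestamp) pairs, not captured data."""
    s = [("198.51.100.7", i / 2000) for i in range(1100)]     # 1100 pps in second 0: crosses 1000
    s += [("10.0.0.5", 1.0 + i / 100) for i in range(60)]      # 60 pps in second 1: warn only
    s += [("198.51.100.7", 3.0 + i / 100) for i in range(10)]  # inside the 5 s Drop interval
    s += [("198.51.100.7", 6.0 + i / 100) for i in range(10)]  # after it expires
    return s


def simulate(stream, warn_pps=40, block_pps=1000, drop_interval=5.0):
    """Run the stream through the guard; return per-source verdict counts and the log."""
    guard = FloodGuard(RateRule(130000100, warn_pps),
                       RateRule(130000200, block_pps, drop_interval))
    verdicts = defaultdict(lambda: {"pass": 0, "drop": 0})
    for src, ts in sorted(stream, key=lambda p: p[1]):   # process in arrival order
        verdicts[src][guard.handle(src, ts)] += 1
    return dict(verdicts), guard.log


if __name__ == "__main__":
    counts, log = simulate(constructed_stream())
    for src, c in counts.items():
        print(src, c)
    for entry in log:
        print(entry)
```

The flooding source passes exactly 1000 packets in its first second, is blocked on the 1001st, stays blocked through second 3 and is admitted again in second 6; the 60 pps source is only warned about. The model also shows why the table recommends a higher Packets per second for NAT'd sites, static forwarders and VPN concentrators: all of their clients share one source address, so the guard sees their aggregate rate, and a block removes DNS service from all of them for the whole Drop interval.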


DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate-limit clients whose queries trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL. A client that exceeds the threshold has all of its UDP DNS traffic dropped for the Drop interval, not only the offending queries, so a shared source address (NAT gateway, forwarder or VPN concentrator) is penalised as a whole.

Table H10 DNS DDoS Rules

Columns: Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

200000001  System  NXDOMAIN rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

200000002  System  NXRRSET rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. NOTE: NXRRSET here means a NOERROR response with an empty answer section: the name exists but has no records of the requested type (also called NODATA).

200000003  System  SERVFAIL rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.
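The early-drop checks of the DNS Protocol Anomalies rules at the top of this page (opcode, question count, question class, Authority section, IXFR) and the response classification that the three DNS DDoS rules above key on, applied to raw DNS messages in one added example. This is the editor's illustration, not Infoblox code: wire-format offsets follow RFC 1035; the verdict strings, the builders that produce the constructed sample messages and the reading of NXRRSET as "NOERROR with an empty answer section" are this example's own.

```python
"""Early-drop and DNS DDoS response classification over raw DNS messages.

Added example, not Infoblox code.  Offsets follow RFC 1035; verdict strings,
the sample-message builders and the NXRRSET interpretation are assumptions.
"""
import struct

OPCODE_QUERY, OPCODE_IQUERY = 0, 1
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
TYPE_A, TYPE_SOA, TYPE_IXFR, CLASS_IN = 1, 6, 251, 1
VALID_CLASSES = {1, 3, 4, 255}                 # IN, CH, HS, ANY (RFC 1035 / RFC 6895)


def encode_name(name):
    """Dotted name -> length-prefixed labels; '' encodes the root."""
    labels = [l.encode("ascii") for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def read_name(msg, off):
    """Return (dotted name, offset after it).  Compression pointers are
    followed only backwards, which defeats pointer loops in malformed packets."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # pointer, RFC 1035 section 4.1.4
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward compression pointer")
            tail = read_name(msg, ptr)[0]
            return ".".join(labels + ([tail] if tail else [])), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n


def parse(msg):
    """Header fields plus the question section; the other sections are only
    counted, which is all the checks below need."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    hdr = {"qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
           "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        questions.append((name, qtype, qclass))
        off += 4
    return hdr, questions


def classify_query(msg):
    """Early-drop verdict for an inbound query (rule IDs from the tables above)."""
    hdr, questions = parse(msg)
    if hdr["opcode"] != OPCODE_QUERY:
        return "DROP non-query opcode"                   # 110100900 (UDP) / 130000700 (TCP)
    if hdr["qdcount"] != 1:
        return "DROP multiple questions"                 # 110100900 (UDP) / 130000800 (TCP)
    _, qtype, qclass = questions[0]
    if qclass not in VALID_CLASSES:
        return "DROP invalid question class"
    if qtype == TYPE_IXFR and hdr["nscount"] != 1:
        return "DROP IXFR without exactly one Authority RR"   # 130100500 / 130100600
    if qtype != TYPE_IXFR and hdr["nscount"] != 0:
        return "DROP query with Authority"               # 110100850 / 130300200
    return "PASS"


def classify_response(msg):
    """Which DNS DDoS counter, if any, an outbound response charges to its client."""
    hdr, _ = parse(msg)
    if hdr["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN"                                # 200000001
    if hdr["rcode"] == RCODE_SERVFAIL:
        return "SERVFAIL"                                # 200000003
    if hdr["rcode"] == RCODE_NOERROR and hdr["ancount"] == 0:
        return "NXRRSET"                                 # 200000002: NOERROR, empty answer
    return "NORMAL"


# --- builders for constructed sample messages (not captured traffic) ----------

def build_query(name, qtype=TYPE_A, qclass=CLASS_IN, opcode=OPCODE_QUERY,
                questions=1, with_soa=False):
    """RD=1 query.  questions>1 repeats the question; with_soa appends one SOA RR
    shell in the Authority section, as an IXFR request does, and sets NSCOUNT=1."""
    flags = (opcode << 11) | 0x0100
    body = (encode_name(name) + struct.pack("!HH", qtype, qclass)) * questions
    if with_soa:
        body += encode_name(name) + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 0, 0)
    return struct.pack("!6H", 0x1234, flags, questions, 0, int(with_soa), 0) + body


def build_response(query, rcode=RCODE_NOERROR, answers=0):
    """Echo the question, set QR and RCODE, add `answers` A records (192.0.2.1)."""
    ident, flags, qd, _, _, _ = struct.unpack_from("!6H", query, 0)
    flags = 0x8000 | (flags & 0x7800) | rcode            # QR=1, keep opcode, set RCODE
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!6H", ident, flags, qd, answers, 0, 0) + query[12:] + rr * answers
```

classify_query stops at the first failing check, in the order the early-drop rules are listed, so a packet with a bad opcode is never parsed any further; classify_response only needs the header, which is why the rate-limit rules above can be applied cheaply on the response path.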


DNS Tunneling

DNS tunneling attacks tunnel another protocol through DNS port 53, typically for data exfiltration. The data is encoded into small chunks that fit into DNS queries (outbound) and DNS responses (inbound), which is why the rules below key on unusually large queries and on large TXT answers.

The following table lists the rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

Columns: Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130000500  System  RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling traffic) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the time in Drop interval. A query counts as large when the DNS packet size exceeds the configured Packet size value.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

130000600  Auto  RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
  Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling traffic) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. A query counts as large when the DNS packet size exceeds the configured Packet size value.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

200000004  System  DNS tunneling rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the Drop interval. A response counts as large when the size of the TXT records in it exceeds the configured Packet size value.
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing: the attacker sets the source address of its DNS queries to the address of the intended target, such as a DNS root server or a top-level domain (TLD) name server operator. Reflection and amplification rely on UDP being an asymmetric protocol (small requests, large responses) and on the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address carried in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, the protocol can be used to lock down a host or a network. Crafted the right way, a small query to an open DNS resolver can produce a single response of several kilobytes or more that is delivered to the unwitting spoofed victim. (Without EDNS0 a UDP response is limited to 512 bytes (RFC 1035); the large responses used for amplification are sent over UDP to a client that advertises a bigger EDNS0 buffer, and such a datagram usually exceeds the MTU of the victim's interface, causing IP fragmentation and extra processing at the receiver.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also


use the EDNS0 extension (RFC 6891), which lets a client advertise a UDP buffer larger than 512 bytes, to obtain larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many operators do provide intelligent rate limiting to prevent abuse even while supporting open recursive DNS servers, so issues of this type usually result from configuration mistakes.
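What the anti-tunneling thresholds in Table H11 above (Packet size 200, taken to be bytes, and Packets per second 100) and the EDNS0 buffer size just mentioned mean in bytes, as an added example that is not part of the original guide. DNS wire sizes follow RFC 1035 and RFC 6891; the base32 encoding of the covert payload, the suffix domain t.example, the use of example.com as the reflected name and the 4096-byte buffer are assumptions.

```python
"""Covert capacity under the anti-tunneling thresholds, and the reflection
ratio EDNS0 makes possible.  Added example, not Infoblox code; DNS sizes per
RFC 1035/6891, base32 payload encoding and the sample names are assumptions."""
import base64

HEADER, QFIXED, OPT_RR = 12, 4, 11     # DNS header; QTYPE+QCLASS; EDNS0 OPT RR with empty RDATA
MAX_LABEL, MAX_NAME = 63, 253          # RFC 1035 limits (MAX_NAME in presentation form)


def encode_name(name):
    """Dotted name -> length-prefixed labels plus the root terminator."""
    labels = [l.encode("ascii") for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def query_size(qname, edns=False):
    """Wire size of a one-question UDP query; rules 130000500/130000600 compare
    this against Packet size and act only when it is exceeded."""
    return HEADER + len(encode_name(qname)) + QFIXED + (OPT_RR if edns else 0)


def tunnel_qname(payload, suffix):
    """The qname a tunnel client would send: base32(payload) split into labels
    of at most 63 characters under an attacker-controlled suffix."""
    text = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    qname = ".".join(labels + [suffix])
    if len(qname) > MAX_NAME:
        raise ValueError("qname exceeds 253 characters")
    return qname


def covert_bytes_per_query(suffix, packet_size=200):
    """Largest payload whose query does not exceed the Packet size threshold."""
    n = 0
    while True:
        try:
            if query_size(tunnel_qname(b"\x00" * (n + 1), suffix)) > packet_size:
                return n
        except ValueError:                     # hit the name-length limit first
            return n
        n += 1


def covert_bytes_per_second(suffix, packet_size=200, pps=100):
    """Throughput available at exactly Packets per second: the rule logs a
    warning at that rate but only blocks once it is exceeded."""
    return covert_bytes_per_query(suffix, packet_size) * pps


def reflection_upper_bound(qname, edns_buffer=None):
    """Bytes reflected per byte sent, at most: a resolver's UDP reply is capped
    at 512 bytes without EDNS0 (RFC 1035) or at the advertised buffer with it
    (RFC 6891).  The real ratio depends on the answer the name returns."""
    edns = edns_buffer is not None
    return (edns_buffer if edns else 512) / query_size(qname, edns)


if __name__ == "__main__":
    print(covert_bytes_per_query("t.example"), "bytes/query at Packet size 200")
    print(covert_bytes_per_second("t.example"), "bytes/s at 100 pps")
    print(round(reflection_upper_bound("example.com"), 1), "x without EDNS0,",
          round(reflection_upper_bound("example.com", 4096), 1), "x with a 4096-byte buffer")
```

With the defaults a tunnel client that keeps every query at or below 200 bytes and its rate at 100 per second still moves about 10 KB/s of raw payload without tripping rule 130000500, so these rules cap rather than eliminate tunneling; lowering Packet size to 100 roughly halves the per-query capacity. On the reflection side the bound jumps from under 20x to over 100x once the query carries an OPT record advertising a 4096-byte buffer, which is the sizing behind the ANY-query rule in Table H12 below.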

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attackson your advanced appliance

Table H12 DNS Amplification and Reflection Rules

Columns: Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130400100  Auto  WARN & DROP DoS DNS possible reflection/amplification attack attempts
  Description: This rule warns if any source IP sends UDP DNS packets that look like a reflection/amplification attack. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query type is "ANY".
  Enable condition: Enabled by default.
  Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders and VPN concentrators.

130400500  System  RATE LIMIT PASS UDP DNS root requests with additional RRs
  Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic reaches the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1).

130400600  System  RATE LIMIT PASS UDP DNS root requests
  Description: This rule passes UDP DNS root requests until the traffic reaches the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
  Enable condition: Disabled by default.
  Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1).
  Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to secure NTP traffic on your advanced appliance. These rules cover the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules

Columns: Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130600100  Auto  RATELIMIT PASS NTP TIME responses
  Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic reaches the Packets per second value. It then blocks all NTP traffic for the Drop interval.
  Enable condition: Enabled when the NTP client is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1).

130600120  Auto  DROP NTP TIME responses
  Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
  Enable condition: Enabled when the NTP client is disabled.
  Parameters: Events per second (default = 1).

200001001  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks using frequent inbound unauthenticated GET_RESTRICT requests (implementation 0x02). It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable condition: Enabled when the NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001005  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks using frequent inbound unauthenticated GET_RESTRICT requests (implementation 0x03). It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable condition: Enabled when the NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001010  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks using frequent inbound unauthenticated PEER_LIST_SUM requests (implementation 0x02). It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable condition: Enabled when the NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001015  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks using frequent inbound unauthenticated PEER_LIST_SUM requests (implementation 0x03). It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable condition: Enabled when the NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001020  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks using frequent inbound unauthenticated PEER_LIST requests (implementation 0x02). It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable condition: Enabled when the NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001025  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
  Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks using frequent inbound unauthenticated PEER_LIST requests (implementation 0x03). It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
  Enable condition: Enabled when the NTP service is enabled on this member.
  Parameters: Events per second (default = 1).

200001050  Auto  RATELIMIT PASS NTPQ IPv4 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic reaches the rate limit (Packets per second value). It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval.
  Enable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic reaches the rate limit (Packets per second value). It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
  Enable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic reaches the rate limit (Packets per second value). It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
  Enable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
  Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic reaches the rate limit (Packets per second value). It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval.
  Enable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
  Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic reaches the rate limit (Packets per second value). It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
  Enable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001075  Auto  RATELIMIT PASS NTP private mode IPv6 requests
  Description: This rule passes UDP NTP private mode 7 requests from NTP IPv6 ACLs until the traffic reaches the rate limit (Packets per second value). It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
  Enable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
  Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001100  Auto  DROP NTPQ requests unexpected
  Description: When the NTP service is disabled, this rule drops all UDP NTPQ requests.
  Enable condition: Enabled when the NTP service is disabled on this member.
  Parameters: Events per second (default = 1).

200001105  Auto  DROP NTP TIME requests unexpected
  Description: When the NTP service is disabled, this rule drops all UDP NTP TIME requests.
  Enable condition: Enabled when the NTP service is disabled on this member.
  Parameters: Events per second (default = 1).

200001110  Auto  DROP NTP private mode requests unexpected
  Description: When the NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
  Enable condition: Enabled when the NTP service is disabled on this member.
  Parameters: Events per second (default = 1).

200001115  Auto  DROP invalid NTP requests
  Description: When the NTP service is disabled, this rule drops all invalid UDP NTP requests.
  Enable condition: Enabled when the NTP service is disabled on this member.
  Parameters: Events per second (default = 1).
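The NTP packet fields the rules in Table H13 key on, as an added example (editor's illustration, not Infoblox code): the mode in the first byte separates TIME requests (mode 3), TIME responses (mode 4), NTPQ control messages (mode 6) and private mode 7, and in mode 7 the authentication bit, implementation number and request code identify the unauthenticated GET_RESTRICT, PEER_LIST_SUM and PEER_LIST requests of rules 200001001 through 200001025. Layouts follow RFC 5905 (modes 3, 4, 6) and ntp_request.h of the reference ntpd (mode 7). The two boolean flags standing in for the member's NTP service and client state, the assumption that ACL membership was checked before this function is called, the verdict strings and the constructed sample packets are this example's own.

```python
"""Classify inbound NTP packets the way the NTP rules above do.

Added example, not Infoblox code.  Layouts per RFC 5905 (modes 3, 4, 6) and
ntp_request.h of the reference ntpd (mode 7).  The server_enabled and
client_enabled flags, the assumption that ACL membership is checked upstream,
and the verdict strings are this example's own.
"""

MODE_CLIENT, MODE_SERVER, MODE_CONTROL, MODE_PRIVATE = 3, 4, 6, 7
IMPL_XNTPD_OLD, IMPL_XNTPD = 0x02, 0x03                          # mode 7 implementation numbers
REQ_PEER_LIST, REQ_PEER_LIST_SUM, REQ_GET_RESTRICT = 0, 1, 16     # mode 7 request codes

# (implementation, request code) -> rule ID of the matching DDoS warn/block rule
DDOS_RULES = {
    (IMPL_XNTPD_OLD, REQ_GET_RESTRICT): 200001001, (IMPL_XNTPD, REQ_GET_RESTRICT): 200001005,
    (IMPL_XNTPD_OLD, REQ_PEER_LIST_SUM): 200001010, (IMPL_XNTPD, REQ_PEER_LIST_SUM): 200001015,
    (IMPL_XNTPD_OLD, REQ_PEER_LIST): 200001020, (IMPL_XNTPD, REQ_PEER_LIST): 200001025,
}
# mode -> (IPv4 rule, IPv6 rule) of the RATELIMIT PASS rules for ACL sources
ACL_RULES = {MODE_CONTROL: (200001050, 200001065), MODE_CLIENT: (200001055, 200001070),
             MODE_PRIVATE: (200001060, 200001075)}
# mode -> rule that drops the request while the NTP service is disabled
UNEXPECTED = {MODE_CONTROL: 200001100, MODE_CLIENT: 200001105, MODE_PRIVATE: 200001110}


def parse_ntp(pkt):
    """Byte 0: LI(2) VN(3) Mode(3).  Mode 7 adds byte 1 = A(1) Seq(7),
    byte 2 = implementation, byte 3 = request code."""
    if len(pkt) < 4:
        raise ValueError("too short for an NTP header")
    info = {"version": (pkt[0] >> 3) & 7, "mode": pkt[0] & 7}
    if info["mode"] == MODE_PRIVATE:
        info.update(authenticated=bool(pkt[1] & 0x80), impl=pkt[2], req=pkt[3])
    return info


def classify_ntp(pkt, server_enabled, client_enabled, ipv6=False):
    """Return (rule ID, action) for one inbound UDP/123 packet, or
    (None, ...) when no rule on this page names the case."""
    try:
        p = parse_ntp(pkt)
    except ValueError:
        if not server_enabled:
            return (200001115, "DROP invalid NTP request")
        return (None, "not covered by the rules above")
    mode = p["mode"]
    if mode == MODE_SERVER:                       # TIME response: governed by the client state
        return (130600100, "RATELIMIT PASS") if client_enabled else (130600120, "DROP")
    if not server_enabled:
        return (UNEXPECTED.get(mode, 200001115), "DROP unexpected or invalid NTP request")
    if mode == MODE_PRIVATE and not p["authenticated"] and (p["impl"], p["req"]) in DDOS_RULES:
        return (DDOS_RULES[(p["impl"], p["req"])], "WARN then BLOCK for Drop interval")
    if mode in ACL_RULES:
        return (ACL_RULES[mode][int(ipv6)], "RATELIMIT PASS")
    return (None, "not covered by the rules above")


# Constructed sample packets (not captures); zero bytes pad to the minimum sizes.
GET_RESTRICT_XNTPD = bytes([0x17, 0x00, IMPL_XNTPD, REQ_GET_RESTRICT]) + bytes(4)    # VN=2, mode 7, A=0
PEER_LIST_SUM_OLD = bytes([0x17, 0x00, IMPL_XNTPD_OLD, REQ_PEER_LIST_SUM]) + bytes(4)
PRIVATE_AUTHED = bytes([0x17, 0x80, IMPL_XNTPD, REQ_GET_RESTRICT]) + bytes(4)       # A bit set
TIME_REQUEST = bytes([0x23]) + bytes(47)        # LI=0, VN=4, mode 3
TIME_RESPONSE = bytes([0x24]) + bytes(47)       # mode 4
NTPQ_READVAR = bytes([0x16, 0x02]) + bytes(10)  # VN=2, mode 6, opcode 2 (READVAR)

if __name__ == "__main__":
    for name, pkt in [("GET_RESTRICT", GET_RESTRICT_XNTPD), ("PEER_LIST_SUM", PEER_LIST_SUM_OLD),
                      ("authed mode 7", PRIVATE_AUTHED), ("TIME request", TIME_REQUEST),
                      ("TIME response", TIME_RESPONSE), ("ntpq", NTPQ_READVAR)]:
        print(name, classify_ntp(pkt, server_enabled=True, client_enabled=True))
```

The same four bytes that make an unauthenticated GET_RESTRICT request suspicious are a normal ntpdc probe when the A bit is set, so the classifier only escalates to the warn/block rules on the unauthenticated form and sends everything else from ACL sources to the per-mode rate-limit rules; with the NTP service disabled every request mode falls through to the matching "unexpected" drop rule.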


BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled. The last rule in the table, 130800100, applies instead when BGP is not configured on the member.

Table H14 BGP Rules

Columns: Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130700100  Auto  DROP BGP header length shorter than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is shorter than the RFC specification allows.
  Enable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700200  Auto  DROP BGP header length longer than spec
  Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is longer than the RFC specification allows.
  Enable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700300  Auto  DROP BGP spoofed connection reset attempts
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
  Enable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700400  Auto  DROP BGP invalid type 0
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
  Enable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700500  Auto  DROP BGP invalid type bigger than 5
  Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
  Enable condition: Enabled when the BGP service on this member is configured.
  Parameters: Events per second (default = 1).

130700550  Auto  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
  Enable condition: Enabled when the BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10).

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
  Description: This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
  Enable condition: Enabled when the BGP service on this member is configured with IPv4 peers.
  Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10).

130700650  Auto  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
  Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
  Enable condition: Enabled when the BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10).

130700700  Auto  RATELIMIT PASS BGP allowed with IPv6 peer
  Description: This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
  Enable condition: Enabled when the BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10).

130800100  Auto  DROP BGP unexpected
  Description: When BGP is not configured on this member, this rule drops all TCP BGP packets, since none are expected.
  Enable condition: This rule takes effect when the BGP service on this member is NOT configured.
  Parameters: Events per second (default = 1).
  Comments: This rule is mutually exclusive with the other BGP rules: which set applies depends on whether BGP is configured on the member.

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance. Rule 130900300 applies when OSPF is not in use on the member; the remaining rules rate-limit OSPF traffic when it is.

Table H15 OSPF Rules

Columns: Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130900300  Auto  DROP OSPF unexpected
  Description: This rule drops unexpected OSPF packets.
  Enable condition: This rule takes effect when the OSPF service on this member is NOT configured.
  Parameters: Events per second (default = 1).
  Comments: Default drop rule for all packets on the OSPF service port.

130900400  Auto  RATELIMIT PASS OSPF multicast
  Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: This rule takes effect when the OSPF service on this member is configured for IPv4.
  Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 100).

130900500  Auto  RATELIMIT PASS OSPF IPv6 multicast
  Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: This rule takes effect when the OSPF service on this member is configured for IPv6.
  Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 100).

130900600  Auto  RATELIMIT PASS OSPF
  Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: This rule takes effect when the OSPF service on this member is configured.
  Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50).
  Comments: This rule works for both IPv4 and IPv6.
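The header checks behind BGP drop rules 130700100 through 130700500 in Table H14 above, applied to a TCP byte stream, as an added example that is not Infoblox code. The limits follow RFC 4271 (a message is 19 to 4096 octets; types 1 to 4) and RFC 2918 (type 5 ROUTE-REFRESH). The marker and per-type minimum-length checks go beyond the page's rules and are labelled as extras in the code, and the sample messages are constructed rather than captured.

```python
"""BGP message header checks behind drop rules 130700100-130700500, applied
to a TCP byte stream.  Added example, not Infoblox code: limits per RFC 4271
and RFC 2918; the marker and per-type minimum checks are extras; the sample
messages are constructed."""
import struct

BGP_MARKER = b"\xff" * 16
BGP_MIN_LEN, BGP_MAX_LEN = 19, 4096                       # RFC 4271 section 4.1
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}
BGP_TYPE_MIN = {1: 29, 2: 23, 3: 21, 4: 19, 5: 23}        # minimum length per message type


def check_bgp_header(hdr):
    """Verdict for one message header (the first 19 octets): the rule ID that
    drops it, 'PASS', or 'MALFORMED' for defects the page's rules do not name."""
    if len(hdr) < BGP_MIN_LEN:
        return "130700100"                                # cannot even hold a header
    length, mtype = struct.unpack_from("!HB", hdr, 16)
    if length < BGP_MIN_LEN:
        return "130700100"                                # header length shorter than spec
    if length > BGP_MAX_LEN:
        return "130700200"                                # header length longer than spec
    if mtype == 0:
        return "130700400"                                # invalid type 0
    if mtype > 5:
        return "130700500"                                # invalid type bigger than 5
    if hdr[:16] != BGP_MARKER or length < BGP_TYPE_MIN[mtype]:
        return "MALFORMED"                                # extra checks, not page rules
    return "PASS"


def split_bgp_stream(data):
    """Walk concatenated BGP messages from a TCP stream; return a list of
    (type name or None, verdict).  Stops at the first rejected header because
    its length field can no longer be trusted to locate the next message."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < BGP_MIN_LEN:
            out.append((None, "INCOMPLETE"))              # partial header, wait for more
            break
        verdict = check_bgp_header(data[off:off + BGP_MIN_LEN])
        if verdict != "PASS":
            out.append((None, verdict))
            break
        length, mtype = struct.unpack_from("!HB", data, off + 16)
        if off + length > len(data):
            out.append((BGP_TYPES[mtype], "INCOMPLETE"))  # body not yet received
            break
        out.append((BGP_TYPES[mtype], "PASS"))
        off += length
    return out


def bgp_message(mtype, payload=b"", length=None):
    """Constructed sample message; length may be forced to a bad value."""
    if length is None:
        length = BGP_MIN_LEN + len(payload)
    return BGP_MARKER + struct.pack("!HB", length, mtype) + payload


# OPEN: version 4, AS 64512, hold time 90 s, BGP identifier 192.0.2.1, no optional parameters
OPEN = bgp_message(1, bytes([4]) + struct.pack("!HH", 64512, 90) + bytes([192, 0, 2, 1, 0]))
KEEPALIVE = bgp_message(4)

if __name__ == "__main__":
    print(split_bgp_stream(OPEN + KEEPALIVE + bgp_message(0)))
    print(split_bgp_stream(KEEPALIVE + OPEN[:20]))
```

Because BGP messages are delimited only by the length field, one bad header desynchronises everything after it; that is why the walker stops rather than skipping, and why the appliance drops the packet outright instead of trying to resynchronise.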


ICMP

ICMP is the protocol that network devices such as routers use to report errors, for example that a requested service is not available or a remote host cannot be reached. ICMP attacks abuse these messages; examples include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

Columns: Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130400200  Auto  DROP ICMP large packets
  Description: This rule drops large ICMP packets (larger than 800 bytes).
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1).

130900100  Auto  RATE LIMIT PASS ICMP Ping
  Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50).

130900200  Auto  RATE LIMIT PASS ICMPv6 Ping
  Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50).

130900700  Auto  RATELIMIT PASS ICMPv6 destination unreachable
  Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 100).

130900800  Auto  RATELIMIT PASS ICMPv6 packet too big
  Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 100).

130900900  Auto  RATELIMIT PASS ICMPv6 ping responses
  Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50).

130901000  Auto  RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: This rule passes ICMPv6 Parameter Problem (Erroneous Header) messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50).


130901100  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: This rule passes ICMPv6 Parameter Problem (Unrecognized Next Header) messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50).

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: This rule passes ICMPv6 Parameter Problem (Unrecognized IPv6 Option) messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50).

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50).

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50).

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50).

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50).

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50).

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
  Enable condition: Always enabled.
  Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50).

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2530

ICMP

NIOS 612 NIOS Administrator Guide (Rev A) 1521

130901900 Auto RATELIMIT PASS ICMPv6listener query

This rule passes ICMPv6 listenerquery messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a

time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902000 Auto RATELIMIT PASS ICMPv6listener report

This rule passes ICMPv6 listenerreport messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902100 Auto RATELIMIT PASS ICMPv6listener done

This rule passes ICMPv6 listenerdone messages if the packet rateis less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval )

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902200 Auto RATELIMIT PASS ICMPv6listener report v2

This rule passes ICMPv6 listenerreport v2 messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902300 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement

This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902400 Auto RATELIMIT PASS ICMPV6multicast routersolicitation

This rule passes ICMPv6multicast router solicitationmessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902500 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement

This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902600 Auto RATELIMIT PASS ICMPping responses This rule passes ICMP pingresponses if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2630

1522 NIOS Administrator Guide (Rev A) NIOS 612

130902700 Auto RATELIMIT PASS ICMProuter advertisement

This rule passes ICMP routeradvertisement if the packet rateis less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a

time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130902800 Auto RATELIMIT PASS ICMProuter solicitation

This rule passes ICMP routersolicitation messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130902900 Auto RATELIMIT PASS ICMPtime exceeded

This rule passes ICMP timeexceeded messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903000 Auto RATELIMIT PASS ICMPparameter problem

This rule passes ICMP parameterproblems if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903100 Auto RATELIMIT PASS ICMPv6hop limit exceeded orICMPv4 networkunreachable

This rule passes ICMPv6 HopLimit Exceeded messages orICMPv4 Network Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a time

specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130903200 Auto RATELIMIT PASS ICMPv6fragment reassemblytime exceeded orICMPv4 hostunreachable

This rule passes ICMPv6fragment reassembly timeexceeded messages or ICMPv4host unreachable messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903300 Auto RATELIMIT PASS ICMPprotocol unreachable

This rule passes ICMP protocolunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks all

such traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903400 Auto RATELIMIT ICMP portunreachable

This rule passes ICMP portunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora certain period of time(specified in Drop interval )

Always enabled Events per second (default=10)

Drop Interval (default=10 sec)

Packets per second (default=50)

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2730

Default PassDrop

NIOS 612 NIOS Administrator Guide (Rev A) 1523

Default Pass Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance All rulesare disabled by default

Table H17 Default PassDrop Rules

130903500 Auto RATELIMIT PASS ICMPfragmentation needed

This rule passes ICMPfragmentation needed messagesif the packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP for

a certain period of time(specified in Drop interval )

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | N/A | 
140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.
140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.
140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default=0) | 
140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default=0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default=0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default=0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.
140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default=0) | This is a catch-all rule that drops anything that does not match any other rules in the system.

HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | N/A | 
140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | N/A | 

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:

  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:

  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:


  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.

  - Drop interval: Enter the number of seconds for which the appliance drops packets.

  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

  - Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

  - Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the UDP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
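The RATELIMIT PASS rules in the ICMP table and the RATELIMITED IP, BLACKLIST IP and WHITELIST IP templates above share one mechanism: count packets per source IP, and once a source exceeds Packets per second, drop everything from it for Drop interval seconds, writing at most Events per second log entries. The following Python model is an added example, not Infoblox code: the class and function names, the one-second counting window, and the choice to check the whitelist before the blacklist are our assumptions (the page says only that both run before rate limiting).

```python
"""Model of the RATELIMIT PASS rules and the custom IP templates on this page.
Added example: not Infoblox code; names and the one-second window are ours."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RateLimitRule:
    """One rate-limit rule with the three parameters the tables list."""
    name: str
    packets_per_second: int = 50   # threshold per source IP
    drop_interval: int = 30        # seconds a source stays blocked
    events_per_second: int = 1     # log entries allowed per second (0 = no logging)
    # per-source state: src -> (window start, packets seen in that window)
    _window: dict = field(default_factory=dict)
    _blocked_until: dict = field(default_factory=dict)   # src -> unblock time
    _logged: dict = field(default_factory=dict)          # second -> entries written
    log: list = field(default_factory=list)

    def _log_event(self, now, msg):
        """Honour Events per second: extra events in the same second are not logged."""
        sec = int(now)
        if self._logged.get(sec, 0) < self.events_per_second:
            self._logged[sec] = self._logged.get(sec, 0) + 1
            self.log.append(msg)

    def evaluate(self, src, now):
        """Return 'PASS' or 'DROP' for one packet from src seen at time now (seconds)."""
        until = self._blocked_until.get(src)
        if until is not None and now < until:
            return 'DROP'                      # still inside Drop interval
        start, count = self._window.get(src, (now, 0))
        if now - start >= 1.0:                 # start a fresh one-second window
            start, count = now, 0
        count += 1
        self._window[src] = (start, count)
        if count > self.packets_per_second:    # over the Packets per second value
            self._blocked_until[src] = now + self.drop_interval
            self._log_event(now, f"{self.name}: {src} over {self.packets_per_second} pps, "
                                 f"dropped for {self.drop_interval}s")
            return 'DROP'
        return 'PASS'


@dataclass
class CustomRuleChain:
    """WHITELIST IP (pass prior to rate limiting), BLACKLIST IP (drop prior to
    rate limiting) and a RATELIMITED IP rule.  Checking the whitelist before the
    blacklist is our assumption; the page only says both run before rate limiting."""
    whitelist: list            # ip_network objects
    blacklist: list
    ratelimit: RateLimitRule

    def evaluate(self, src, now):
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.whitelist):
            return 'PASS'
        if any(ip in net for net in self.blacklist):
            return 'DROP'
        return self.ratelimit.evaluate(src, now)


def simulate(chain, packets):
    """Run (time, src) packets through the chain; return per-source verdict counts."""
    counts = {}
    for t, src in sorted(packets, key=lambda p: p[0]):
        verdict = chain.evaluate(src, t)
        counts.setdefault(src, {'PASS': 0, 'DROP': 0})[verdict] += 1
    return counts


def demo():
    """Constructed traffic (documentation addresses): a chatty source that trips the
    limit, a whitelisted source sending the same burst, and a blacklisted source."""
    chain = CustomRuleChain(
        whitelist=[ipaddress.ip_network('10.0.0.0/24')],
        blacklist=[ipaddress.ip_network('203.0.113.0/24')],
        ratelimit=RateLimitRule('RATELIMITED IP UDP', packets_per_second=5, drop_interval=30))
    packets = [(0.1 * i, '198.51.100.7') for i in range(8)]      # 8 packets in one second
    packets += [(10.0, '198.51.100.7'), (31.0, '198.51.100.7')]  # inside, then after, the drop interval
    packets += [(0.1 * i, '10.0.0.5') for i in range(8)]         # same burst, whitelisted
    packets += [(0.5, '203.0.113.9')]                             # blacklisted
    return simulate(chain, packets), chain.ratelimit.log


if __name__ == '__main__':
    counts, log = demo()
    for src, c in counts.items():
        print(f"{src:15} pass={c['PASS']} drop={c['DROP']}")
    print('\n'.join(log))
```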


DNS Message Type


Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
130501600 | System | DNS DNSKEY record | You can configure this rule to pass or drop UDP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130501700 | System | DNS SPF record | You can configure this rule to pass or drop UDP packets that contain SPF record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130501800 | System | DNS DHCID record | You can configure this rule to pass or drop UDP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130501900 | System | DNS SOA record | You can configure this rule to pass or drop UDP packets that contain SOA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130502000 | System | DNS SIG record | You can configure this rule to pass or drop UDP packets that contain SIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130502100 | System | DNS LOC record | You can configure this rule to pass or drop UDP packets that contain LOC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130502200 | System | DNS SSHFP record | You can configure this rule to pass or drop UDP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130502300 | System | DNS IPSECKEY record | You can configure this rule to pass or drop UDP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130502400 | System | DNS TKEY record | You can configure this rule to pass or drop UDP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130502500 | System | DNS TSIG record | You can configure this rule to pass or drop UDP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130502600 | System | DNS TA record | You can configure this rule to pass or drop UDP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130502700 | System | DNS DLV record | You can configure this rule to pass or drop UDP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130502800 | System | DNS ANY record | You can configure this rule to pass or drop UDP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130502900 | System | DNS A record TCP | You can configure this rule to pass or drop TCP packets that contain A record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130503000 | System | DNS AAAA record TCP | You can configure this rule to pass or drop TCP packets that contain AAAA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130503100 | System | DNS CNAME record TCP | You can configure this rule to pass or drop TCP packets that contain CNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130503200 | System | DNS DS record TCP | You can configure this rule to pass or drop TCP packets that contain DS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130503300 | System | DNS PTR record TCP | You can configure this rule to pass or drop TCP packets that contain PTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130503400 | System | DNS NS record TCP | You can configure this rule to pass or drop TCP packets that contain NS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130503500 | System | DNS NSEC record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130503600 | System | DNS NSEC3 record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3 record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130503700 | System | DNS NSEC3PARAM record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3PARAM record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130503800 | System | DNS MX record TCP | You can configure this rule to pass or drop TCP packets that contain MX record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain SRV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain TXT record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain DNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain RRSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain NAPTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain SPF record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain SOA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain SIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130504900 | System | DNS LOC record TCP | You can configure this rule to pass or drop TCP packets that contain LOC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 
130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | 

General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | 
110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | 
110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | 
130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | 
130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | 

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1) | 
110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1) | 


DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver, such as a Microsoft DNS server.

Table H7 DNS Malware Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of FaceBook messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) | 
130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare. | Always enabled | Events per second (default = 1) | 
130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server. | Always enabled | Events per second (default = 1) | 

DNS Protocol Anomalies

DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.

The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) | 
110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when the DNS label in the name being queried is too long. | Always enabled | Events per second (default = 1) | 

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 1430

1510 NIOS Administrator Guide (Rev A) NIOS 612

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets orsubjects in NXDOMAIN or DDoS attacks These rules block all FQDN lookups on UDP for domains that have beenobserved to be used as targets in DDoS attacks The rules are enabled by default You can disable them whennecessary

Note that these rules capture currently observed bad domain names that can change on a regular basis Infobloxrecommends that you update to the latest ruleset to capture the most current rules in this category For informationabout how to update to the latest ruleset see Managing Threat Protection Rules on page 1352

110100600 Auto EARLY DROP UDP queryinvalid question count

This rule drops UDP DNSpackets when thenumber of entries in thequestion section isinvalid

Always enabled Events per second (default = 1)

110100700 Auto EARLY DROP UDP query

invalid question class

This rule drops UDP DNS

packets when the RR(resource record) classbeing queried is invalid

Always enabled Events per second

(default = 1)

110100800 Auto EARLY DROP UDP queryinvalid question string

This rule drops UDP DNSpackets that containinvalid question string

Always enabled Events per second (default = 1)

110100850 Auto EARLY UDP drop invalidDNS query with Authority

This rule drops UDP DNSqueries that containinvalid AUTHORITYentry

Always enabled Events per second (default = 1)

110100900 Auto EARLY DROP querymultiple questions or nonquery operation code

This rule drops UDP DNSpackets when there aremultiple questionsbeing queried at onetime or its operationcode is not Query

Always enabled Events per second (default = 1)

130000700 Auto EARLY DROP TCP non-DNSquery

This rule drops TCPpackets when itsoperation code is notQuery

Always enabled Events per second (default = 1)

130000800 Auto EARLY DROP TCP querymultiple questions

This rule drops TCP DNSpackets when there aremultiple questionsbeing queried at onetime

Always enabled Events per second (default = 1)

130100500 Auto DROP UDP DNS invalidIXFR query with zero ormore than one Authority

This rule drops UDP DNSincremental zonetransfer requests thatcontain zero or morethan one Authorityentries

Always enabled Events per second (default = 1)

130100600 Auto DROP TCP DNS invalidIXFR query with zero ormore than one Authority

This rule drops TCP DNSincremental zonetransfer requests thatcontain zero or morethan one Authorityentries

Always enabled Events per second (default = 1)

130300200 Auto DROP TCP invalid DNSquery with Authority

This rule drops TCP DNSqueries that containinvalid Authorityentries

Always enabled Events per second (default = 1)

Rule ID

Rule

Type

Rule Name Description

Enable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 1530

TCPUDP Flood

NIOS 612 NIOS Administrator Guide (Rev A) 1511
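The conditions behind the DNS Protocol Anomalies rules (Table H.8) map directly onto fields of the DNS wire format. The Python below is an added example, not Infoblox code: it parses the header and question section of a query and reports which rule conditions, by rule ID, the packet would trip. The set of "valid" question classes, and the reading of "invalid Authority entry" as "NSCOUNT must be 0 for an ordinary query and exactly 1 for an IXFR request", are my assumptions, not the appliance's implementation; the sample queries are constructed.

```python
import struct

# Wire-format limits and values from RFC 1035 (and RFC 1995 for IXFR)
OPCODE_QUERY = 0
QTYPE_IXFR = 251
VALID_QCLASSES = {1, 3, 4, 255}     # IN, CH, HS, ANY: assumed meaning of "valid question class"
MAX_LABEL = 63                      # longest legal label
MAX_NAME = 255                      # longest legal wire-format name


def parse_question_name(msg, offset):
    """Read an uncompressed name starting at 'offset'.

    Returns (labels, offset_after_name, wire_length). A length byte whose two
    high bits are 0b11 is a compression pointer, which a question name in a
    query should never contain; other oversize length bytes are read literally
    so that an over-long label is reported as such rather than hidden."""
    labels = []
    start = offset
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            raise ValueError("compression pointer inside the question name")
        offset += 1
        if length == 0:
            break
        if offset + length > len(msg):
            raise ValueError("label runs past the end of the message")
        labels.append(msg[offset:offset + length])
        offset += length
    return labels, offset, offset - start


def check_dns_query(msg):
    """Return the sorted Table H.8 rule IDs whose condition the query 'msg' meets.

    An empty list means the header and question section look well formed."""
    hits = set()
    if len(msg) < 12:
        return ["110100800"]           # no complete header: nothing usable as a question
    _txid, flags, qdcount, _an, nscount, _ar = struct.unpack("!6H", msg[:12])
    opcode = (flags >> 11) & 0xF
    if qdcount != 1:
        hits.add("110100600")          # invalid question count
    if qdcount > 1 or opcode != OPCODE_QUERY:
        hits.add("110100900")          # multiple questions or a non-Query opcode
    if qdcount == 0:
        return sorted(hits)
    try:
        labels, off, wire_len = parse_question_name(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    except (ValueError, struct.error):
        hits.add("110100800")          # question string cannot be parsed
        return sorted(hits)
    if wire_len > MAX_NAME:
        hits.add("110100400")          # question name too long
    if any(len(label) > MAX_LABEL for label in labels):
        hits.add("110100500")          # label too long
    if qclass not in VALID_QCLASSES:
        hits.add("110100700")          # invalid question class
    # Assumption: an IXFR request carries exactly one Authority record (the SOA);
    # any other query carries none.
    if qtype == QTYPE_IXFR:
        if nscount != 1:
            hits.add("130100500")
    elif nscount != 0:
        hits.add("110100850")
    return sorted(hits)


def build_query(name, qtype=1, qclass=1, opcode=OPCODE_QUERY, qdcount=1,
                nscount=0, raw_labels=None):
    """Construct a UDP DNS query for testing; 'raw_labels' bypasses the normal
    63-byte label limit so the over-long cases can be exercised."""
    flags = (opcode & 0xF) << 11
    header = struct.pack("!6H", 0x1234, flags, qdcount, 0, nscount, 0)
    if raw_labels is None:
        raw_labels = [part.encode() for part in name.split(".") if part]
    wire_name = b"".join(bytes([len(label)]) + label for label in raw_labels) + b"\x00"
    return header + wire_name + struct.pack("!HH", qtype, qclass)
```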

TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H.9 TCP/UDP Flood Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200. |
| 130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100. |
| 130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400. |
| 130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300. |
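The warn/block pairing in Table H.9 (rule 130000100 alerting at a low threshold, rule 130000200 blocking at a high one for Drop interval, with Events per second capping how many alerts a rule emits) can be modelled as a per-source packet counter. The Python below is an added example, not the appliance's implementation; the one-second fixed window, the choice to apply the Events per second cap per rule rather than per source, and the constructed packet timeline are my assumptions. The same limiter, keyed on response code or query size instead of every packet, is the shape of the DNS DDoS and anti-tunneling rules in the later tables.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class RuleConfig:
    rule_id: str
    packets_per_second: int       # threshold ("Packets per second" in the tables)
    drop_interval: float = 0.0    # seconds to block the source; 0 means warn only
    events_per_second: int = 1    # cap on log events this rule emits per second


@dataclass
class SourceState:
    window_start: float = 0.0     # start of the current one-second window
    count: int = 0                # packets seen from this source in the window
    blocked_until: float = 0.0    # time at which a block expires


class FloodGuard:
    """Per-source packet-rate enforcement for a warn rule and a block rule."""

    def __init__(self, warn, block):
        if warn.packets_per_second >= block.packets_per_second:
            raise ValueError("warn threshold must be below block threshold")
        self.warn, self.block = warn, block
        self.sources = defaultdict(SourceState)
        self.events = []               # (time, rule_id, source) log events actually emitted
        self._event_window = {}        # rule_id -> (window_start, events emitted in it)

    def _log(self, now, rule_id, source, cap):
        """Emit a log event unless this rule already hit its Events per second cap."""
        start, emitted = self._event_window.get(rule_id, (now, 0))
        if now - start >= 1.0:
            start, emitted = now, 0
        if emitted < cap:
            self.events.append((now, rule_id, source))
            emitted += 1
        self._event_window[rule_id] = (start, emitted)

    def observe(self, source, now):
        """Return 'drop', 'warn' or 'pass' for one inbound packet from 'source'."""
        st = self.sources[source]
        if now < st.blocked_until:
            return "drop"                      # still inside the Drop interval
        if now - st.window_start >= 1.0:
            st.window_start, st.count = now, 0
        st.count += 1
        if st.count > self.block.packets_per_second:
            st.blocked_until = now + self.block.drop_interval
            self._log(now, self.block.rule_id, source, self.block.events_per_second)
            return "drop"
        if st.count >= self.warn.packets_per_second:
            self._log(now, self.warn.rule_id, source, self.warn.events_per_second)
            return "warn"
        return "pass"


def simulate(timeline, warn_pps=40, block_pps=1000, drop_interval=5.0):
    """Run a packet timeline [(time, source), ...] through the two rules and
    return (verdict counts per source, emitted log events)."""
    guard = FloodGuard(RuleConfig("130000100", warn_pps),
                       RuleConfig("130000200", block_pps, drop_interval))
    verdicts = defaultdict(lambda: {"pass": 0, "warn": 0, "drop": 0})
    for t, src in timeline:
        verdicts[src][guard.observe(src, t)] += 1
    return dict(verdicts), guard.events


def sample_timeline():
    """Constructed traffic: a quiet client, a busy forwarder, and a flood source."""
    tl = [(i * 0.1, "10.0.0.5") for i in range(10)]                # 10 pps: passes
    tl += [(i / 60.0, "10.0.0.7") for i in range(60)]              # 60 pps: warn zone
    tl += [(i / 1200.0, "203.0.113.9") for i in range(1200)]       # 1200 pps: blocked
    tl += [(2.0, "203.0.113.9"), (6.0, "203.0.113.9")]             # during and after the block
    return sorted(tl)
```

In the sample run the busy forwarder's warning is swallowed by the Events per second cap, because the flood source tripped rule 130000100 first within the same second; raising that parameter is what makes both sources visible in the log.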

DNS DDoS

The following table lists system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H.10 DNS DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers, and NO errors. |
| 200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |

DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance.

Table H.11 Anti DNS Tunneling Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
| 200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification exploit the fact that UDP is an asymmetrical protocol (small requests, large responses) and that open DNS resolvers exist on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Crafted in a specific way, a small query sent to any open DNS resolver can result in a single response containing several kilobytes or more being sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H.12 DNS Amplification and Reflection Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders, and VPN concentrators. |
| 130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | |
| 130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H.13 NTP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | |
| 130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) | |
| 200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
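Rules 200001001 through 200001025 in Table H.13 key on three fields of an NTP private-mode (mode 7) request: the mode bits, the authentication bit, and the implementation and request-code bytes. The Python below is an added example, not Infoblox code, showing how inbound datagrams would be classified against those rule IDs for detection purposes. The request-code numbers (PEER_LIST = 0, PEER_LIST_SUM = 1, GET_RESTRICT = 16) and the mode 7 header layout are quoted from ntpd's ntp_request.h as I recall them and are an assumption to verify against your ntpd sources; the sample datagrams are constructed.

```python
NTP_MODE_PRIVATE = 7
RESPONSE_BIT, AUTH_BIT = 0x80, 0x80     # bit 7 of byte 0 and of byte 1 respectively

# Assumption: implementation numbers and request codes as defined in ntpd's ntp_request.h
IMPL_XNTPD_OLD, IMPL_XNTPD = 0x02, 0x03
REQ_NAMES = {0: "PEER_LIST", 1: "PEER_LIST_SUM", 16: "GET_RESTRICT"}

# Table H.13 rule IDs keyed by (request name, implementation number)
RULES = {
    ("GET_RESTRICT", IMPL_XNTPD_OLD): "200001001",
    ("GET_RESTRICT", IMPL_XNTPD): "200001005",
    ("PEER_LIST_SUM", IMPL_XNTPD_OLD): "200001010",
    ("PEER_LIST_SUM", IMPL_XNTPD): "200001015",
    ("PEER_LIST", IMPL_XNTPD_OLD): "200001020",
    ("PEER_LIST", IMPL_XNTPD): "200001025",
}


def classify_ntp(packet):
    """Return (rule_id, explanation) for an inbound NTP datagram.

    rule_id is None when no Table H.13 mode 7 rule applies; the explanation
    says why, which is what an analyst wants when tuning."""
    if len(packet) < 8:
        return None, "too short to carry a mode 7 request header"
    rm_vn_mode, auth_seq, impl, req = packet[:4]
    mode = rm_vn_mode & 0x07
    if mode != NTP_MODE_PRIVATE:
        return None, f"mode {mode} packet, not private mode 7"
    if rm_vn_mode & RESPONSE_BIT:
        return None, "mode 7 response, not a request"
    name = REQ_NAMES.get(req)
    if name is None:
        return None, f"mode 7 request code {req} is not covered by Table H.13"
    if auth_seq & AUTH_BIT:
        return None, f"authenticated {name} request"
    rule = RULES.get((name, impl))
    if rule is None:
        return None, f"un-authed {name} request with implementation 0x{impl:02x}"
    return rule, f"un-authed {name} request, IMPL 0x{impl:02x}"


def summarize(packets):
    """Count how many datagrams in a batch fall under each Table H.13 rule."""
    counts = {}
    for pkt in packets:
        rule, _ = classify_ntp(pkt)
        if rule is not None:
            counts[rule] = counts.get(rule, 0) + 1
    return counts


def build_mode7(request, implementation, authed=False, response=False):
    """Construct a minimal NTP mode 7 datagram: header plus a zero item count."""
    rm_vn_mode = (int(response) << 7) | (2 << 3) | NTP_MODE_PRIVATE    # version 2, mode 7
    auth_seq = int(authed) << 7                                        # sequence number 0
    return bytes([rm_vn_mode, auth_seq, implementation, request]) + bytes(4)


def sample_batch():
    """Constructed mix of ordinary client traffic and mode 7 requests."""
    client_poll = bytes([0x23]) + bytes(47)            # LI 0, version 4, mode 3 client packet
    return ([build_mode7(16, IMPL_XNTPD)] * 3          # GET_RESTRICT, IMPL 0x03
            + [build_mode7(1, IMPL_XNTPD_OLD)]         # PEER_LIST_SUM, IMPL 0x02
            + [build_mode7(16, IMPL_XNTPD, authed=True)]
            + [build_mode7(0, IMPL_XNTPD, response=True)]
            + [client_poll])
```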

BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H.14 BGP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130700100 | Auto | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700200 | Auto | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700300 | Auto | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700400 | Auto | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700500 | Auto | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured | Events per second (default = 1) | This rule is exclusive with other rules based on whether BGP is configured on the member or not. |

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H.15 OSPF Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured | Events per second (default = 1) | Default drop rule for all packets on the OSPF service port. |
| 130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4 | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100) | |
| 130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6 | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100) | |
| 130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | This rule works for both IPv4 and IPv6. |
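Rules 130700100 through 130700500 in Table H.14 above are checks on the fixed 19-byte BGP message header (16-byte marker, 2-byte length, 1-byte type) that RFC 4271 defines. The Python below is an added example, not Infoblox code: it inspects the first BGP message in a TCP payload and returns the rule IDs whose condition the header meets. The per-type minimum lengths are taken from RFC 4271 (and RFC 2918 for ROUTE-REFRESH); the extra "bad-marker" finding is my own addition and corresponds to none of the page's rules; the sample messages are constructed.

```python
import struct

BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19         # marker (16) + length (2) + type (1), RFC 4271 section 4.1
BGP_MAX_LEN = 4096          # largest message RFC 4271 allows
# Minimum total message length per type: OPEN, UPDATE, NOTIFICATION, KEEPALIVE
# (RFC 4271 sections 4.2 to 4.4) and ROUTE-REFRESH (RFC 2918)
BGP_MIN_LEN = {1: 29, 2: 23, 3: 21, 4: 19, 5: 23}
BGP_TYPE_NAMES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}


def check_bgp_header(payload):
    """Return the Table H.14 rule IDs whose condition the first BGP message in
    'payload' satisfies; an empty list means the header is within spec.
    'bad-marker' is an additional finding that is not one of the page's rules."""
    hits = []
    if len(payload) < BGP_HEADER_LEN:
        return ["130700100"]                      # truncated: shorter than the header itself
    marker, length, mtype = struct.unpack("!16sHB", payload[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        hits.append("bad-marker")
    if mtype == 0:
        hits.append("130700400")                  # invalid type 0
    elif mtype > 5:
        hits.append("130700500")                  # invalid type greater than 5
    # The length field counts the whole message, header included, so the spec
    # minimum depends on the type; unknown types fall back to the bare header.
    min_len = BGP_MIN_LEN.get(mtype, BGP_HEADER_LEN)
    if length < min_len:
        hits.append("130700100")                  # shorter than spec
    elif length > BGP_MAX_LEN:
        hits.append("130700200")                  # longer than spec
    elif mtype == 4 and length != BGP_HEADER_LEN:
        hits.append("130700200")                  # KEEPALIVE is exactly the header
    return hits


def describe(payload):
    """Human-readable summary used when reviewing dropped packets."""
    hits = check_bgp_header(payload)
    mtype = payload[18] if len(payload) >= BGP_HEADER_LEN else None
    name = BGP_TYPE_NAMES.get(mtype, f"type {mtype}")
    return f"{name}: {'ok' if not hits else ', '.join(hits)}"


def build_bgp(mtype, body=b"", length=None, marker=BGP_MARKER):
    """Construct a BGP message; 'length' overrides the real size to forge a bad header."""
    if length is None:
        length = BGP_HEADER_LEN + len(body)
    return marker + struct.pack("!HB", length, mtype) + body


def sample_open_body():
    """Constructed OPEN body: version 4, AS 64512, hold time 90, router ID 192.0.2.1, no options."""
    return struct.pack("!BHH4sB", 4, 64512, 90, bytes([192, 0, 2, 1]), 0)
```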

ICMP

ICMP attacks use network devices, such as routers, to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H.16 ICMP Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default = 1) | |
| 130900100 | Auto | RATE LIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100) | |
| 130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100) | |
| 130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |

130901200 Auto RATELIMIT PASS ICMPv6parameter problemunrecognized IPv6option

This rule passes ICMPv6Unrecognized IPv6 Optionmessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901300 Auto RATELIMIT PASS ICMPv6router solicitation

This rule passes ICMPv6 routersolicitation packets if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all such

traffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901400 Auto RATELIMIT PASS ICMPv6router advertisement

This rule passes ICMPv6 routeradvertisement if the packet rateis less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901500 Auto RATELIMIT PASS ICMPv6neighbor solicitation

This rule passes ICMPv6neighbor solicitation packets ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP for

a time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901600 Auto RATELIMIT PASS ICMPv6neighbor advertisement

This rule passes ICMPv6neighbor advertisement if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901700 Auto RATELIMIT PASS ICMPv6inverse neighborsolicitation

This rule passes ICMPv6 inverseneighbor solicitation messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901800 Auto RATELIMIT PASS ICMPv6inverse neighboradvertisement

This rule passes ICMPv6 inverseneighbor advertisement if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2530

ICMP

NIOS 612 NIOS Administrator Guide (Rev A) 1521

130901900 Auto RATELIMIT PASS ICMPv6listener query

This rule passes ICMPv6 listenerquery messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a

time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902000 Auto RATELIMIT PASS ICMPv6listener report

This rule passes ICMPv6 listenerreport messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902100 Auto RATELIMIT PASS ICMPv6listener done

This rule passes ICMPv6 listenerdone messages if the packet rateis less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval )

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902200 Auto RATELIMIT PASS ICMPv6listener report v2

This rule passes ICMPv6 listenerreport v2 messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902300 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement

This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902400 Auto RATELIMIT PASS ICMPV6multicast routersolicitation

This rule passes ICMPv6multicast router solicitationmessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902500 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement

This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902600 Auto RATELIMIT PASS ICMPping responses This rule passes ICMP pingresponses if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2630

1522 NIOS Administrator Guide (Rev A) NIOS 612

130902700 Auto RATELIMIT PASS ICMProuter advertisement

This rule passes ICMP routeradvertisement if the packet rateis less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a

time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130902800 Auto RATELIMIT PASS ICMProuter solicitation

This rule passes ICMP routersolicitation messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130902900 Auto RATELIMIT PASS ICMPtime exceeded

This rule passes ICMP timeexceeded messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903000 Auto RATELIMIT PASS ICMPparameter problem

This rule passes ICMP parameterproblems if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903100 Auto RATELIMIT PASS ICMPv6hop limit exceeded orICMPv4 networkunreachable

This rule passes ICMPv6 HopLimit Exceeded messages orICMPv4 Network Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a time

specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130903200 Auto RATELIMIT PASS ICMPv6fragment reassemblytime exceeded orICMPv4 hostunreachable

This rule passes ICMPv6fragment reassembly timeexceeded messages or ICMPv4host unreachable messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903300 Auto RATELIMIT PASS ICMPprotocol unreachable

This rule passes ICMP protocolunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks all

such traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903400 Auto RATELIMIT ICMP portunreachable

This rule passes ICMP portunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora certain period of time(specified in Drop interval )

Always enabled Events per second (default=10)

Drop Interval (default=10 sec)

Packets per second (default=50)

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2730

Default PassDrop

NIOS 612 NIOS Administrator Guide (Rev A) 1523

Default Pass Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance All rulesare disabled by default

Table H17 Default PassDrop Rules

130903500 Auto RATELIMIT PASS ICMPfragmentation needed

This rule passes ICMPfragmentation needed messagesif the packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP for

a certain period of time(specified in Drop interval )

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | N/A | |
| 140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet. |
| 140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet. |
| 140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default=0) | |
| 140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default=0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default=0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default=0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default=0) | This is a catch-all rule that drops anything that does not match any other rules in the system. |


HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | N/A | |
| 140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | N/A | |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:

— Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:

— Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

— Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

— Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:

— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.

— Drop interval: Enter the number of seconds for which the appliance drops packets.

— Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

— Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

— Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

— Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

— Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
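The per-source rate limiting that the RATELIMIT PASS rules in Table H16 and the RATELIMITED, BLACKLIST and WHITELIST templates above describe (Packets per second, Drop interval, Events per second, with whitelist pass and blacklist drop evaluated before rate limiting), as an added Python model that is not Infoblox code. The class and function names, the treatment of the packet after the Nth one as the trigger, and the sample traffic from documentation prefixes are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network


class RateLimitPassRule:
    """Per-source rate limiter with the parameters the page gives for every
    RATELIMIT PASS rule: Packets per second, Drop interval, Events per second.
    Hypothetical model for illustration, not the appliance's implementation."""

    def __init__(self, name, packets_per_second=50, drop_interval=10.0,
                 events_per_second=1):
        self.name = name
        self.packets_per_second = packets_per_second
        self.drop_interval = drop_interval
        self.events_per_second = events_per_second
        self._window_start = {}          # source -> start of its 1-second window
        self._count = defaultdict(int)   # source -> packets counted in that window
        self._blocked_until = {}         # source -> time the Drop interval ends
        self._log_window = None          # start of the current logging window
        self._logged = 0                 # events logged in that window
        self.log = []                    # (time, source) of rule hits actually logged

    def evaluate(self, src, now):
        """Decide "PASS" or "DROP" for one packet from src seen at time now (s)."""
        until = self._blocked_until.get(src)
        if until is not None:
            if now < until:                 # still inside the Drop interval
                self._log_hit(src, now)
                return "DROP"
            del self._blocked_until[src]    # interval over: the source starts clean
            self._window_start.pop(src, None)
        start = self._window_start.get(src)
        if start is None or now - start >= 1.0:
            self._window_start[src] = now   # open a new one-second window
            self._count[src] = 0
        self._count[src] += 1
        # Assumption: "over this value" means the (N+1)th packet within one
        # second trips the block; the page does not say whether the Nth passes.
        if self._count[src] > self.packets_per_second:
            self._blocked_until[src] = now + self.drop_interval
            self._log_hit(src, now)
            return "DROP"
        return "PASS"

    def _log_hit(self, src, now):
        """Events per second: log at most that many hits per second (0 = none)."""
        if self.events_per_second == 0:
            return
        if self._log_window is None or now - self._log_window >= 1.0:
            self._log_window, self._logged = now, 0
        if self._logged < self.events_per_second:
            self._logged += 1
            self.log.append((now, src))


class Policy:
    """Evaluation order taken from the template descriptions: WHITELIST entries
    pass prior to rate limiting, BLACKLIST entries drop prior to rate limiting,
    and only then does the rate limit rule see the packet."""

    def __init__(self, rule, whitelist=(), blacklist=()):
        self.rule = rule
        self.whitelist = [ip_network(n) for n in whitelist]
        self.blacklist = [ip_network(n) for n in blacklist]

    def evaluate(self, src, now):
        addr = ip_address(src)
        if any(addr in net for net in self.whitelist):
            return "PASS"
        if any(addr in net for net in self.blacklist):
            return "DROP"
        return self.rule.evaluate(src, now)


def simulate(policy, packets):
    """packets: (time, source) pairs in arrival order; returns one decision each."""
    return [policy.evaluate(src, t) for t, src in packets]


def demo():
    """Constructed traffic: a ping flood from 198.51.100.7 against a rule with
    Packets per second=5 and Drop interval=10, plus one whitelisted and one
    blacklisted source (documentation prefixes, not real hosts)."""
    rule = RateLimitPassRule("RATE LIMIT PASS ICMP Ping",
                             packets_per_second=5, drop_interval=10.0)
    policy = Policy(rule, whitelist=["192.0.2.0/24"], blacklist=["203.0.113.0/24"])
    flood = [(i / 10, "198.51.100.7") for i in range(8)]    # 8 packets in 0.7 s
    later = [(5.0, "198.51.100.7"), (11.0, "198.51.100.7")]  # inside, then after
    others = [(0.5, "192.0.2.9"), (0.6, "203.0.113.4")]
    return simulate(policy, flood + later + others), rule.log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)   # 5 PASS, then DROP until the interval expires at 10.5 s
    print(log)         # only the first drop per second is logged
```

With Events per second left at its default of 1, the three drops at 0.5, 0.6 and 0.7 s produce a single log entry, which is the behaviour to keep in mind when counting rule hits in the appliance logs.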


| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130503100 | System | DNS CNAME record TCP | You can configure this rule to pass or drop TCP packets that contain CNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503200 | System | DNS DS record TCP | You can configure this rule to pass or drop TCP packets that contain DS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503300 | System | DNS PTR record TCP | You can configure this rule to pass or drop TCP packets that contain PTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503400 | System | DNS NS record TCP | You can configure this rule to pass or drop TCP packets that contain NS record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503500 | System | DNS NSEC record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503600 | System | DNS NSEC3 record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3 record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503700 | System | DNS NSEC3PARAM record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3PARAM record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503800 | System | DNS MX record TCP | You can configure this rule to pass or drop TCP packets that contain MX record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain SRV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain TXT record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain DNAME record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain RRSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain NAPTR record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain SPF record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain SOA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain SIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130504900 | System | DNS ROC record TCP | You can configure this rule to pass or drop TCP packets that contain ROC record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain TA record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain DLV record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |
| 130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain ANY record requests. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) | |


General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110000100 | Auto | EARLY DROP DoS packets with same source and destination IP | This rule drops any IP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000200 | Auto | EARLY DROP DoS UDP packets with same source and destination IP | This rule drops UDP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 110000300 | Auto | EARLY DROP DoS TCP packets with same source and destination IP | This rule drops TCP packets that contain the same source and destination IP address. | Always enabled | Events per second (default = 1) | |
| 130400300 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |
| 130400400 | Auto | DROP IPv6 loopback address spoofing | This rule blocks any IP packets that attempt to forge the IPv6 loopback address. | Always enabled | Events per second (default = 1) | |

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a large DDoS or other types of attacks. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warnings.

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables the appliance from logging events for the rule. The default value is 10.

Table H6 Reconnaissance Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100100 | Auto | EARLY DROP DNS named author attempts | This rule drops UDP DNS packets that contain attempts to find AUTHOR information. | Always enabled | Events per second (default = 1) | |
| 110100200 | Auto | EARLY DROP DNS named version attempts | This rule drops UDP DNS packets that contain attempts to find VERSION information. | Always enabled | Events per second (default = 1) | |


DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100300 | Auto | EARLY DROP UDP MALWARE backdoor | This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOB.EVL, which poses as an installer of Facebook Messenger. This malware may be spread as a malicious attachment in email messages. | Always enabled | Events per second (default = 1) | |
| 130300300 | Auto | DROP MALWARE trojan downloader | This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and AdWare. | Always enabled | Events per second (default = 1) | |
| 130300400 | Auto | DROP MALWARE possible Hiloti | This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server. | Always enabled | Events per second (default = 1) | |

DNS Protocol Anomalies

DNS protocol anomalies send malformed DNS packets, including unexpected header and payload values, to the targeted server. This causes the server to stop responding or crash, which results in an infinite loop in server threads. These anomalies sometimes take the form of impersonation attacks.

The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) | |
| 110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when the DNS Label in the name being queried is too long. | Always enabled | Events per second (default = 1) | |

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 1430

1510 NIOS Administrator Guide (Rev A) NIOS 612

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets orsubjects in NXDOMAIN or DDoS attacks These rules block all FQDN lookups on UDP for domains that have beenobserved to be used as targets in DDoS attacks The rules are enabled by default You can disable them whennecessary

Note that these rules capture currently observed bad domain names that can change on a regular basis Infobloxrecommends that you update to the latest ruleset to capture the most current rules in this category For informationabout how to update to the latest ruleset see Managing Threat Protection Rules on page 1352

110100600 Auto EARLY DROP UDP queryinvalid question count

This rule drops UDP DNSpackets when thenumber of entries in thequestion section isinvalid

Always enabled Events per second (default = 1)

110100700 Auto EARLY DROP UDP query

invalid question class

This rule drops UDP DNS

packets when the RR(resource record) classbeing queried is invalid

Always enabled Events per second

(default = 1)

110100800 Auto EARLY DROP UDP queryinvalid question string

This rule drops UDP DNSpackets that containinvalid question string

Always enabled Events per second (default = 1)

110100850 Auto EARLY UDP drop invalidDNS query with Authority

This rule drops UDP DNSqueries that containinvalid AUTHORITYentry

Always enabled Events per second (default = 1)

110100900 Auto EARLY DROP querymultiple questions or nonquery operation code

This rule drops UDP DNSpackets when there aremultiple questionsbeing queried at onetime or its operationcode is not Query

Always enabled Events per second (default = 1)

130000700 Auto EARLY DROP TCP non-DNSquery

This rule drops TCPpackets when itsoperation code is notQuery

Always enabled Events per second (default = 1)

130000800 Auto EARLY DROP TCP querymultiple questions

This rule drops TCP DNSpackets when there aremultiple questionsbeing queried at onetime

Always enabled Events per second (default = 1)

130100500 Auto DROP UDP DNS invalidIXFR query with zero ormore than one Authority

This rule drops UDP DNSincremental zonetransfer requests thatcontain zero or morethan one Authorityentries

Always enabled Events per second (default = 1)

130100600 Auto DROP TCP DNS invalidIXFR query with zero ormore than one Authority

This rule drops TCP DNSincremental zonetransfer requests thatcontain zero or morethan one Authorityentries

Always enabled Events per second (default = 1)

130300200 Auto DROP TCP invalid DNSquery with Authority

This rule drops TCP DNSqueries that containinvalid Authorityentries

Always enabled Events per second (default = 1)
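The question-section checks of Table H8 above, together with the version.bind/author.bind probes of Table H6, as an added example. This is editor-written Python, not Infoblox code or any part of the appliance; the mapping of each check to a rule ID is this example's reading of the tables, and build_query and its packets are constructed test input, not captured traffic. The validator looks at one query the way the EARLY DROP rules do: header opcode and question count first, then the RFC 1035 label and name limits, the class, and the Authority-section rule for IXFR (RFC 1995), and it reports which rule would fire.

```python
import struct

# Wire-format constants (RFC 1035 / RFC 1995); the rule IDs in the findings are quoted
# from Tables H6 and H8, and the check-to-rule mapping is this example's reading of them.
OPCODE_QUERY = 0
QTYPE_IXFR, QTYPE_ANY = 251, 255
CLASS_CH = 3
VALID_CLASSES = {1, 3, 4, 255}            # IN, CH, HS, ANY (QCLASS *)
RECON_NAMES = {"version.bind": "110100200 named version attempt",
               "author.bind": "110100100 named author attempt"}


def parse_question_name(pkt, off):
    """Walk the uncompressed name at pkt[off:]; return (name, offset past the root label).
    Raises ValueError whose message is the finding for the anomaly encountered."""
    labels, wire_len = [], 0
    while True:
        if off >= len(pkt):
            raise ValueError("110100800 invalid question string (truncated name)")
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels) or ".", off
        if n >= 0xC0:                      # compression pointer: never valid in a question name
            raise ValueError("110100800 invalid question string (compression pointer)")
        if n > 63:                         # 0x40-0xBF are reserved label types; treated as oversize
            raise ValueError("110100500 label too long")
        wire_len += 1 + n
        if wire_len + 1 > 255:             # +1 for the terminating root label
            raise ValueError("110100400 question name too long")
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n


def check_query(pkt):
    """Return the findings for one DNS query packet; [] means it passed every check."""
    if len(pkt) < 12:
        return ["110100800 invalid question string (short header)"]
    _txid, flags, qdcount, _ancount, nscount, _arcount = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        return []                          # QR=1: a response, outside these query rules
    findings = []
    if (flags >> 11) & 0xF != OPCODE_QUERY:
        findings.append("110100900/130000700 operation code is not Query")
    if qdcount == 0:
        findings.append("110100600 invalid question count")
        return findings
    if qdcount > 1:
        findings.append("110100900/130000800 multiple questions")
    try:
        name, off = parse_question_name(pkt, 12)
        if off + 4 > len(pkt):
            raise ValueError("110100800 invalid question string (missing type/class)")
    except ValueError as exc:
        findings.append(str(exc))
        return findings
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    if qclass not in VALID_CLASSES:
        findings.append("110100700 invalid question class")
    if qtype == QTYPE_IXFR:
        if nscount != 1:                   # RFC 1995: an IXFR query carries exactly one SOA in Authority
            findings.append("130100500/130100600 IXFR query with zero or more than one Authority")
    elif nscount != 0:                     # assumption: Authority entries in any other query are invalid
        findings.append("110100850/130300200 invalid Authority entry in query")
    if qclass == CLASS_CH and name.lower() in RECON_NAMES:
        findings.append(RECON_NAMES[name.lower()])
    if qtype == QTYPE_ANY:                 # the query type rule 130400100 (amplification) keys on
        findings.append("130400100 ANY query (possible reflection/amplification)")
    return findings


def build_query(name, qtype, qclass=1, opcode=0, qdcount=1, nscount=0, txid=0x1234):
    """Assemble a one-question query for testing (constructed input, not captured traffic).
    qdcount and nscount only set the header counts, which is exactly what the count checks see."""
    wire = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".") if label)
    flags = ((opcode & 0xF) << 11) | 0x0100          # QR=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, qdcount, 0, nscount, 0)
    return header + wire + b"\x00" + struct.pack("!HH", qtype, qclass)


if __name__ == "__main__":
    for label, pkt in [("clean", build_query("example.com", 1)),
                       ("version probe", build_query("version.bind", 16, qclass=CLASS_CH)),
                       ("long label", build_query("a" * 64 + ".com", 1)),
                       ("IXFR without SOA", build_query("example.com", QTYPE_IXFR))]:
        print(f"{label}: {check_query(pkt) or 'pass'}")
```

The checks are ordered so that a packet is rejected on the cheapest header field first, which is also why the appliance labels these rules EARLY DROP: nothing past the 12-byte header is parsed for a packet with a bad opcode or question count.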

TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks: massive numbers of TCP or UDP packets that consume network bandwidth and appliance resources.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

130000100 (System): WARN about high rate inbound UDP DNS queries
    Description: Warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
    Enable/Disable condition: Disabled by default.
    Parameters: Packets per second (default = 40); Events per second (default = 1).
    Comments: Use this rule together with rule 130000200 to set separate warning and blocking thresholds. This rule only sends alerts, when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second value configured for this rule should be less than that of rule 130000200.

130000200 (System): WARN & BLOCK high rate inbound UDP DNS queries
    Description: Warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
    Enable/Disable condition: Disabled by default.
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators, where many clients share one source IP. This rule may be triggered if its Packets per second value is lower than the value used in custom rules created from the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.

130000300 (System): WARN about high rate inbound TCP DNS queries
    Description: Warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
    Enable/Disable condition: Disabled by default.
    Parameters: Packets per second (default = 5); Events per second (default = 1).
    Comments: Use this rule together with rule 130000400 to set separate warning and blocking thresholds. This rule only sends alerts, when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second value configured for this rule should be less than that of rule 130000400.

130000400 (System): WARN & BLOCK high rate inbound TCP DNS queries
    Description: Warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
    Enable/Disable condition: Disabled by default.
    Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. This rule may be triggered if its Packets per second value is lower than the value used in custom rules created from the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.

DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate-limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.

Table H10 DNS DDoS Rules

200000001 (System): NXDOMAIN rate limiting rule
    Description: Warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Enabled by default.
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

200000002 (System): NXRRSET rate limiting rule
    Description: Warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Enabled by default.
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. NOTE: NXRRSET here means a response with no error (NOERROR) and no records in the answer section: the name exists but has no records of the requested type.

200000003 (System): SERVFAIL rate limiting rule
    Description: Warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Enabled by default.
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.
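The per-source warn/block mechanism shared by Tables H9 and H10 above (a low warning threshold, a high blocking threshold, a Drop interval during which the source is dropped, and an Events per second cap on logging), as an added example. This is editor-written Python, not Infoblox code; the class, its method names and the event stream are this example's own, and the thresholds are scaled down from the appliance defaults so that the behaviour is visible in a handful of packets. The NXDOMAIN rule is fed only the responses it keys on but, as Table H10 states, it blocks the source's queries.

```python
from collections import Counter, defaultdict, deque


class SourceRateLimiter:
    """Per-source rate limiter modelled on the appliance's WARN / WARN & BLOCK rules.

    Packets from a source are counted over a sliding one-second window. Reaching
    warn_pps raises a warning; exceeding block_pps (when set) blocks the source for
    drop_interval seconds, during which everything from it is dropped. Logging is
    capped at events_per_second, like the rules' Events per second parameter.
    Class, method names and exact semantics are this example's, not the appliance's.
    """

    def __init__(self, warn_pps, block_pps=None, drop_interval=5.0, events_per_second=1):
        self.warn_pps = warn_pps
        self.block_pps = block_pps
        self.drop_interval = drop_interval
        self.events_per_second = events_per_second
        self.windows = defaultdict(deque)   # source -> timestamps seen in the last second
        self.blocked_until = {}             # source -> time at which its block expires
        self.log_times = deque()            # timestamps of log events emitted in the last second

    def is_blocked(self, src, now):
        return self.blocked_until.get(src, 0.0) > now

    def _log(self, now):
        """Apply the Events per second cap; True if this event gets logged."""
        while self.log_times and self.log_times[0] <= now - 1.0:
            self.log_times.popleft()
        if len(self.log_times) >= self.events_per_second:
            return False
        self.log_times.append(now)
        return True

    def observe(self, src, now):
        """Account one packet from src at time now; return (action, logged)."""
        if self.is_blocked(src, now):
            return "drop", False                 # assumption: drops during a block are not re-logged
        window = self.windows[src]
        while window and window[0] <= now - 1.0:
            window.popleft()
        window.append(now)
        count = len(window)
        if self.block_pps is not None and count > self.block_pps:
            self.blocked_until[src] = now + self.drop_interval
            window.clear()
            return "block", self._log(now)
        if count >= self.warn_pps:
            return "warn", self._log(now)
        return "pass", False


# Constructed event stream (not real traffic): (time, source IP, kind, rcode).
EVENTS = (
    [(i * 0.01, "10.0.0.5", "query", None) for i in range(12)]          # 12 queries in 0.11 s
    + [(0.5, "10.0.0.7", "query", None), (0.6, "10.0.0.7", "query", None)]
    + [(1.0 + i * 0.01, "10.0.0.9", "response", "NXDOMAIN") for i in range(4)]
    + [(1.05, "10.0.0.9", "response", "NOERROR"), (1.1, "10.0.0.9", "query", None)]
    + [(6.0, "10.0.0.5", "query", None)]                                 # after the drop interval
)


def run(events, query_rule, nxdomain_rule):
    """Feed the stream through a packet-rate rule (Table H9 style) and an NXDOMAIN
    response-rate rule (Table H10 style); return per-rule counts of each action."""
    counts = {"query": Counter(), "nxdomain": Counter()}
    for now, src, kind, rcode in sorted(events, key=lambda e: e[0]):
        if kind == "query":
            if nxdomain_rule.is_blocked(src, now):        # an NXDOMAIN block drops the source's queries
                counts["query"]["drop"] += 1
                continue
            action, _logged = query_rule.observe(src, now)
            counts["query"][action] += 1
        elif rcode == "NXDOMAIN":                         # only the responses this rule keys on
            action, _logged = nxdomain_rule.observe(src, now)
            counts["nxdomain"][action] += 1
    return {rule: dict(c) for rule, c in counts.items()}


def demo():
    """Demo thresholds are scaled down from the defaults (40/1000 pps) to a few packets."""
    return run(EVENTS,
               SourceRateLimiter(warn_pps=5, block_pps=10, drop_interval=5.0, events_per_second=10),
               SourceRateLimiter(warn_pps=3, block_pps=3, drop_interval=5.0, events_per_second=10))


if __name__ == "__main__":
    print(demo())
```

Because the count is per source IP, a NAT gateway, static forwarder or VPN concentrator that aggregates many clients behind one address reaches the thresholds first; that is the reason every rule in these tables recommends raising Packets per second for such sources.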

DNS Tunneling

DNS tunneling attacks carry another protocol through DNS on port 53, typically for data exfiltration. Outbound and inbound data is encoded into small chunks and fitted into DNS queries and DNS responses, so a tunnel shows up as unusually large queries and large TXT responses.

The following table lists the system rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

130000500 (System): RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
    Description: Warns if any source IP sends large UDP DNS queries (which could be DNS tunneling) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from that source IP for the Drop interval. A query counts as large when the DNS packet size exceeds the configured Packet size.
    Enable/Disable condition: Disabled by default.
    Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200).
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

130000600 (System): RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
    Description: Warns if any source IP sends large TCP DNS queries (which could be DNS tunneling) at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from that source IP for the Drop interval. A query counts as large when the DNS packet size exceeds the configured Packet size.
    Enable/Disable condition: Disabled by default.
    Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200).
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

200000004 (System): DNS tunneling rate limiting rule
    Description: Warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from that source IP for the Drop interval. A response counts as large when the size of the TXT records in it exceeds the configured Packet size.
    Enable/Disable condition: Enabled by default.
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40).
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. Legitimate TXT records such as SPF and DKIM records commonly exceed 40 bytes, so a client that resolves many of them can reach the threshold; tune Packet size and Packets per second for the domains you serve.

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing: the attacker sets the source address of its DNS queries to the address of the intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification exploit the asymmetry of DNS over UDP (small requests, large responses) and the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP responses to the target address carried in the spoofed source of the original datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Because DNS runs over UDP and does not require a handshake, the protocol can be used to overwhelm a host or a network. A small query crafted the right way and sent to an open DNS resolver can produce a single response of several kilobytes or more, delivered to the unwitting spoofed victim. Without EDNS0, a UDP response is limited to 512 bytes and anything larger is truncated and retried over TCP, which defeats reflection; attackers therefore use the EDNS0 DNS protocol extension, which lets a client advertise a much larger UDP payload size, to obtain large responses over UDP. Such responses usually exceed the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing. Open DNS resolvers may allow for launching DDoS attacks carrying hundreds of gigabytes of data. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate limiting to prevent abuse even while supporting open recursive DNS servers; hence, issues of this type usually result from mistakes in configuration.
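How EDNS0 turns the 512-byte UDP ceiling into a large reflected response, as an added example. This is editor-written Python, not Infoblox code; the query builder, the OPT-record parser and the 3,200-byte answer size are constructed for illustration, and the assumption that a truncated reply carries only the header and question is a simplification of real server behaviour. The code builds the same ANY query with and without an OPT record, reads the advertised UDP payload size back out of the wire format the way a server would, and computes what goes on the wire over UDP and the resulting amplification factor.

```python
import struct

OPT_TYPE = 41                  # EDNS0 OPT pseudo-RR (RFC 6891)
DEFAULT_UDP_SIZE = 512         # RFC 1035 ceiling when no OPT record is present


def encode_name(name):
    """Uncompressed wire form of a domain name ('.' encodes as the single root label)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"


def build_query(qname, qtype, edns_bufsize=None):
    """One-question query; with edns_bufsize, append an OPT RR in the Additional section
    (name '.', TYPE 41, CLASS = advertised UDP payload size, TTL 0, no RDATA)."""
    arcount = 1 if edns_bufsize else 0
    pkt = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        pkt += encode_name(".") + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return pkt


def skip_name(pkt, off):
    """Return the offset just past the name at pkt[off:] (a compression pointer is 2 bytes)."""
    while True:
        n = pkt[off]
        if n >= 0xC0:
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n


def advertised_udp_size(query):
    """UDP payload size the client advertises via EDNS0, or 512 if there is no OPT RR."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(query, off) + 4                 # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == OPT_TYPE:
            return max(rclass, DEFAULT_UDP_SIZE)        # RFC 6891: values below 512 count as 512
        off += 10 + rdlength
    return DEFAULT_UDP_SIZE


def udp_response_plan(query, full_response_len):
    """What a standards-following server sends over UDP when the complete answer would be
    full_response_len bytes: (bytes_on_wire, truncated, amplification factor).
    Assumption: a truncated (TC=1) reply carries only the header and the question."""
    limit = advertised_udp_size(query)
    if full_response_len <= limit:
        sent, truncated = full_response_len, False
    else:
        sent, truncated = skip_name(query, 12) + 4, True
    return sent, truncated, round(sent / len(query), 1)


def demo():
    """The same ANY query with and without EDNS0 against a constructed 3,200-byte answer."""
    plain = build_query("example.com", 255)                      # 29 bytes on the wire
    edns = build_query("example.com", 255, edns_bufsize=4096)   # 40 bytes on the wire
    return {"plain": udp_response_plan(plain, 3200), "edns0": udp_response_plan(edns, 3200)}


if __name__ == "__main__":
    print(demo())
```

Without the OPT record the resolver truncates and the victim receives about as many bytes as the attacker sent, so there is no amplification; the 11 extra bytes of an OPT record advertising 4096 let the same 40-byte query reflect the whole 3,200-byte answer, an 80x gain. That is why rule 130400100 below keys on ANY queries and why rule 130400500 singles out root queries that carry additional records.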

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

130400100 (Auto): WARN & DROP DoS DNS possible reflection/amplification attack attempts
    Description: Warns if any source IP sends UDP DNS packets that look like reflection/amplification attempts. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from that source IP for the Drop interval. This rule applies when the query type is ANY.
    Enable/Disable condition: Enabled by default.
    Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders and VPN concentrators.

130400500 (System): RATE LIMIT PASS UDP DNS root requests with additional RRs
    Description: Passes UDP DNS root requests (queries for ".") that carry additional resource records (typically an EDNS0 OPT record) until the traffic reaches the Packets per second value, then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable/Disable condition: Disabled by default.
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1).

130400600 (System): RATE LIMIT PASS UDP DNS root requests
    Description: Passes UDP DNS root requests until the traffic reaches the Packets per second value, then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable/Disable condition: Disabled by default.
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to secure NTP traffic on your advanced appliance. These rules cover the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules


130600100 (Auto): RATELIMIT PASS NTP TIME responses
    Description: When the NTP client is enabled, passes UDP NTP TIME responses until the traffic reaches the Packets per second value, then blocks all NTP traffic for the Drop interval.
    Enable/Disable condition: Enabled when the NTP client is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1).

130600120 (Auto): DROP NTP TIME responses
    Description: Drops all UDP NTP TIME responses when the NTP client is disabled.
    Enable/Disable condition: Enabled when the NTP client is disabled.
    Parameters: Events per second (default = 1).

200001001 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
    Description: When the NTP server is enabled, warns about a possible NTP DDoS made up of frequent unauthenticated mode 7 GET_RESTRICT requests with implementation number 0x02, then blocks the suspicious NTP traffic for the period specified in Drop interval.
    Enable/Disable condition: Enabled when the NTP service is enabled on this member.
    Parameters: Events per second (default = 1).

200001005 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
    Description: When the NTP server is enabled, warns about a possible NTP DDoS made up of frequent unauthenticated mode 7 GET_RESTRICT requests with implementation number 0x03, then blocks the suspicious NTP traffic for the period specified in Drop interval.
    Enable/Disable condition: Enabled when the NTP service is enabled on this member.
    Parameters: Events per second (default = 1).

200001010 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
    Description: When the NTP server is enabled, warns about a possible NTP DDoS made up of frequent unauthenticated mode 7 PEER_LIST_SUM requests with implementation number 0x02, then blocks the suspicious NTP traffic for the period specified in Drop interval.
    Enable/Disable condition: Enabled when the NTP service is enabled on this member.
    Parameters: Events per second (default = 1).

200001015 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
    Description: When the NTP server is enabled, warns about a possible NTP DDoS made up of frequent unauthenticated mode 7 PEER_LIST_SUM requests with implementation number 0x03, then blocks the suspicious NTP traffic for the period specified in Drop interval.
    Enable/Disable condition: Enabled when the NTP service is enabled on this member.
    Parameters: Events per second (default = 1).

200001020 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
    Description: When the NTP server is enabled, warns about a possible NTP DDoS made up of frequent unauthenticated mode 7 PEER_LIST requests with implementation number 0x02, then blocks the suspicious NTP traffic for the period specified in Drop interval.
    Enable/Disable condition: Enabled when the NTP service is enabled on this member.
    Parameters: Events per second (default = 1).

200001025 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
    Description: When the NTP server is enabled, warns about a possible NTP DDoS made up of frequent unauthenticated mode 7 PEER_LIST requests with implementation number 0x03, then blocks the suspicious NTP traffic for the period specified in Drop interval.
    Enable/Disable condition: Enabled when the NTP service is enabled on this member.
    Parameters: Events per second (default = 1).

200001050 (Auto): RATELIMIT PASS NTPQ IPv4 requests
    Description: Passes UDP NTPQ (mode 6 control) requests from sources in the NTP IPv4 ACLs until the traffic reaches the Packets per second value, then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001055 (Auto): RATELIMIT PASS NTP TIME IPv4 requests
    Description: Passes UDP NTP TIME requests from sources in the NTP IPv4 ACLs until the traffic reaches the Packets per second value, then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001060 (Auto): RATELIMIT PASS NTP private mode IPv4 requests
    Description: Passes UDP NTP private mode 7 requests from sources in the NTP IPv4 ACLs until the traffic reaches the Packets per second value, then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001065 (Auto): RATELIMIT PASS NTPQ IPv6 requests
    Description: Passes UDP NTPQ (mode 6 control) requests from sources in the NTP IPv6 ACLs until the traffic reaches the Packets per second value, then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001070 (Auto): RATELIMIT PASS NTP TIME IPv6 requests
    Description: Passes UDP NTP TIME requests from sources in the NTP IPv6 ACLs until the traffic reaches the Packets per second value, then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001075 (Auto): RATELIMIT PASS NTP private mode IPv6 requests
    Description: Passes UDP NTP private mode 7 requests from sources in the NTP IPv6 ACLs until the traffic reaches the Packets per second value, then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001100 (Auto): DROP NTPQ requests unexpected
    Description: Drops all UDP NTPQ requests when the NTP service is disabled.
    Enable/Disable condition: Enabled when the NTP service is disabled on this member.
    Parameters: Events per second (default = 1).

200001105 (Auto): DROP NTP TIME requests unexpected
    Description: Drops all UDP NTP TIME requests when the NTP service is disabled.
    Enable/Disable condition: Enabled when the NTP service is disabled on this member.
    Parameters: Events per second (default = 1).

200001110 (Auto): DROP NTP private mode requests unexpected
    Description: Drops all UDP NTP private mode 7 requests when the NTP service is disabled.
    Enable/Disable condition: Enabled when the NTP service is disabled on this member.
    Parameters: Events per second (default = 1).

200001115 (Auto): DROP invalid NTP requests
    Description: Drops all invalid UDP NTP requests when the NTP service is disabled.
    Enable/Disable condition: Enabled when the NTP service is disabled on this member.
    Parameters: Events per second (default = 1).
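The mode 7 (private) request header that the rules in Table H13 key on, as an added example. This is editor-written Python, not Infoblox code; the field layout and the IMPL and request-code constants are taken from ntpd's ntp_request.h (assumed here, not stated on the page), the mapping of packets to rule IDs is this example's reading of the table, and every packet is a constructed sample rather than a capture. The code decodes the header, checks whether the request is authenticated, and returns the rule that would apply depending on whether the NTP service is enabled on the member.

```python
import struct

# Mode 7 ("private") request layout and constants from ntpd's ntp_request.h (assumed here):
#   byte 0: R(1) M(1) VN(3) Mode(3)     byte 1: Auth(1) Seq(7)
#   byte 2: implementation              byte 3: request code
#   bytes 4-5: Err(4) NumItems(12)      bytes 6-7: MBZ(4) ItemSize(12), then 40 data bytes
MODE_CLIENT, MODE_CONTROL, MODE_PRIVATE = 3, 6, 7
IMPL_XNTPD_OLD, IMPL_XNTPD = 0x02, 0x03
REQ_PEER_LIST, REQ_PEER_LIST_SUM, REQ_GET_RESTRICT, REQ_MON_GETLIST_1 = 0, 1, 16, 42

# (request code, implementation) -> rule ID quoted from Table H13 (mapping is this example's)
UNAUTHED_DDOS_RULES = {
    (REQ_GET_RESTRICT, IMPL_XNTPD_OLD): "200001001", (REQ_GET_RESTRICT, IMPL_XNTPD): "200001005",
    (REQ_PEER_LIST_SUM, IMPL_XNTPD_OLD): "200001010", (REQ_PEER_LIST_SUM, IMPL_XNTPD): "200001015",
    (REQ_PEER_LIST, IMPL_XNTPD_OLD): "200001020", (REQ_PEER_LIST, IMPL_XNTPD): "200001025",
}
UNEXPECTED_RULES = {MODE_CONTROL: "200001100", MODE_CLIENT: "200001105", MODE_PRIVATE: "200001110"}
RATELIMIT_RULES = {MODE_CONTROL: "200001050/200001065",   # NTPQ, IPv4/IPv6 ACL variants
                   MODE_CLIENT: "200001055/200001070",    # NTP TIME requests
                   MODE_PRIVATE: "200001060/200001075"}   # other private mode 7 requests


def parse_mode7(pkt):
    """Decode the 8-byte mode 7 request header into its fields."""
    if len(pkt) < 8:
        raise ValueError("mode 7 header needs 8 bytes")
    b0, b1, impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x7, "mode": b0 & 0x7,
        "authenticated": bool(b1 & 0x80), "sequence": b1 & 0x7F,
        "implementation": impl, "request": req,
        "err": err_nitems >> 12, "nitems": err_nitems & 0xFFF, "itemsize": mbz_itemsize & 0xFFF,
    }


def classify(pkt, ntp_service_enabled):
    """Rule ID (from Table H13) this example would apply to one inbound UDP/123 packet."""
    mode = pkt[0] & 0x7
    if not ntp_service_enabled:
        return UNEXPECTED_RULES.get(mode, "200001115")    # anything else is an invalid request
    if mode == MODE_PRIVATE and len(pkt) >= 8:
        hdr = parse_mode7(pkt)
        if not hdr["response"] and not hdr["authenticated"]:
            rule = UNAUTHED_DDOS_RULES.get((hdr["request"], hdr["implementation"]))
            if rule:
                return rule
    return RATELIMIT_RULES.get(mode, "unclassified")


def mode7_request(impl, req, authenticated=False):
    """Constructed 48-byte mode 7 request (header + 40 zero data bytes), plus a 20-byte MAC
    placeholder when authenticated; version 2 and mode 7 give the familiar 0x17 lead byte."""
    b0 = (2 << 3) | MODE_PRIVATE
    b1 = 0x80 if authenticated else 0x00
    pkt = struct.pack("!BBBBHH", b0, b1, impl, req, 0, 0) + b"\x00" * 40
    return pkt + (b"\x00" * 20 if authenticated else b"")


# Constructed samples, not captured traffic.
SAMPLES = {
    "monlist": mode7_request(IMPL_XNTPD, REQ_MON_GETLIST_1),   # well-known amplification probe
    "get_restrict": mode7_request(IMPL_XNTPD, REQ_GET_RESTRICT),
    "peer_list_old_impl": mode7_request(IMPL_XNTPD_OLD, REQ_PEER_LIST),
    "peer_list_sum_authed": mode7_request(IMPL_XNTPD, REQ_PEER_LIST_SUM, authenticated=True),
    "ntpq": bytes([(2 << 3) | MODE_CONTROL, 0x01]) + b"\x00" * 10,   # mode 6 control header
    "client_time": bytes([(3 << 3) | MODE_CLIENT]) + b"\x00" * 47,   # LI=0 VN=3 mode 3
}


def classify_samples(ntp_service_enabled):
    return {name: classify(pkt, ntp_service_enabled) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("service enabled: ", classify_samples(True))
    print("service disabled:", classify_samples(False))
```

Note that the table names only PEER_LIST, PEER_LIST_SUM and GET_RESTRICT; the monlist request (code 42) is not listed there, so in this example it falls through to the private-mode rate-limit rule, and the authenticated PEER_LIST_SUM sample does too, since the DDoS rules are scoped to unauthenticated requests.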


BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

130700100 (Auto): DROP BGP header length shorter than spec
    Description: When BGP is enabled, drops TCP BGP packets whose message header carries a length shorter than the RFC specification allows (19 octets, the size of the header itself).
    Enable/Disable condition: Enabled when the BGP service on this member is configured.
    Parameters: Events per second (default = 1).

130700200 (Auto): DROP BGP header length longer than spec
    Description: When BGP is enabled, drops TCP BGP packets whose message header carries a length longer than the RFC specification allows (4096 octets).
    Enable/Disable condition: Enabled when the BGP service on this member is configured.
    Parameters: Events per second (default = 1).

130700300 (Auto): DROP BGP spoofed connection reset attempts
    Description: When BGP is enabled, drops TCP BGP packets that contain a spoofed connection reset.
    Enable/Disable condition: Enabled when the BGP service on this member is configured.
    Parameters: Events per second (default = 1).

130700400 (Auto): DROP BGP invalid type 0
    Description: When BGP is enabled, drops TCP BGP packets that contain the invalid message type 0.
    Enable/Disable condition: Enabled when the BGP service on this member is configured.
    Parameters: Events per second (default = 1).

130700500 (Auto): DROP BGP invalid type bigger than 5
    Description: When BGP is enabled, drops TCP BGP packets that contain a message type greater than 5 (the defined types run from 1, OPEN, to 5, ROUTE-REFRESH).
    Enable/Disable condition: Enabled when the BGP service on this member is configured.
    Parameters: Events per second (default = 1).

130700550 (Auto): RATELIMIT PASS BGP IPv4 peer TCP connection attempts
    Description: When BGP is enabled, passes TCP BGP route advertisement connection attempts from IPv4 peers as long as the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
    Enable/Disable condition: Enabled when the BGP service on this member is configured with IPv4 peers.
    Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10).

130700600 (Auto): RATELIMIT PASS BGP allowed with IPv4 peer
    Description: When BGP is enabled, passes TCP BGP route advertisements to IPv4 peers as long as the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
    Enable/Disable condition: Enabled when the BGP service on this member is configured with IPv4 peers.
    Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10).

130700650 (Auto): RATELIMIT PASS BGP IPv6 peer TCP connection attempts
    Description: When BGP is enabled, passes TCP BGP route advertisement connection attempts from IPv6 peers as long as the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
    Enable/Disable condition: Enabled when the BGP service on this member is configured with IPv6 peers.
    Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10).

130700700 (Auto): RATELIMIT PASS BGP allowed with IPv6 peer
    Description: When BGP is enabled, passes TCP BGP route advertisements to IPv6 peers as long as the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the period specified in Drop interval.
    Enable/Disable condition: Enabled when the BGP service on this member is configured with IPv6 peers.
    Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10).

130800100 (Auto): DROP BGP unexpected
    Description: Drops all TCP BGP packets when BGP is not configured on this member, since none are expected.
    Enable/Disable condition: Takes effect when the BGP service on this member is NOT configured.
    Parameters: Events per second (default = 1).
    Comments: This rule and the other BGP rules are mutually exclusive: which of them applies depends on whether BGP is configured on the member.

OSPF

The following table lists the auto rules that protect OSPF on your advanced appliance: a drop rule that applies when OSPF is not in use on the member, and rate-limiting rules that apply when it is configured.

Table H15 OSPF Rules

130900300 (Auto): DROP OSPF unexpected
    Description: Drops unexpected OSPF packets.
    Enable/Disable condition: Takes effect when the OSPF service on this member is NOT configured.
    Parameters: Events per second (default = 1).
    Comments: Default drop rule for all packets on the OSPF service port.

130900400 (Auto): RATELIMIT PASS OSPF multicast
    Description: Passes OSPF IPv4 multicast packets as long as the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Takes effect when the OSPF service on this member is configured for IPv4.
    Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 100).

130900500 (Auto): RATELIMIT PASS OSPF IPv6 multicast
    Description: Passes OSPF IPv6 multicast packets as long as the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Takes effect when the OSPF service on this member is configured for IPv6.
    Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 100).

130900600 (Auto): RATELIMIT PASS OSPF
    Description: Passes OSPF packets as long as the packet rate is below the Packets per second value. If any source IP sends packets above this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Takes effect when the OSPF service on this member is configured.
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50).
    Comments: This rule works for both IPv4 and IPv6.
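The header checks behind rules 130700100, 130700200, 130700400 and 130700500 in Table H14 above, as an added example. This is editor-written Python, not Infoblox code; the marker, length bounds and type numbers come from RFC 4271 (ROUTE-REFRESH from RFC 2918), the per-type minimum lengths and the mapping of each check to a rule ID are this example's interpretation, and bgp_message builds constructed test input. iter_messages shows why the length field deserves its own drop rules: it is what frames consecutive messages on the TCP stream, so one bad length desynchronises every message after it. Spoofed connection resets (130700300) are a TCP-layer check and are not modelled here.

```python
import struct

# RFC 4271 header: 16-octet marker of all ones, 2-octet length (19..4096), 1-octet type.
BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN, BGP_MAX_LEN = 19, 4096
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}
# Smallest legal message per type (RFC 4271 section 4; ROUTE-REFRESH from RFC 2918): this
# example's extension of the "shorter than spec" check beyond the bare 19-octet header.
MIN_LEN = {1: 29, 2: 23, 3: 21, 4: 19, 5: 23}


def check_bgp_header(msg):
    """Validate one message header; return [] or findings tagged with Table H14 rule IDs
    (the mapping of each check to a rule ID is this example's interpretation)."""
    if len(msg) < BGP_HEADER_LEN:
        return ["130700100 header length shorter than spec (truncated header)"]
    marker, length, mtype = msg[:16], struct.unpack("!H", msg[16:18])[0], msg[18]
    findings = []
    if marker != BGP_MARKER:
        findings.append("marker is not all ones")
    if length < BGP_HEADER_LEN:
        findings.append("130700100 header length shorter than spec")
    elif length > BGP_MAX_LEN:
        findings.append("130700200 header length longer than spec")
    elif mtype in MIN_LEN and length < MIN_LEN[mtype]:
        findings.append(f"130700100 header length shorter than spec for {BGP_TYPES[mtype]}")
    elif mtype == 4 and length != BGP_HEADER_LEN:       # a KEEPALIVE is exactly the header
        findings.append("130700200 header length longer than spec for KEEPALIVE")
    if mtype == 0:
        findings.append("130700400 invalid type 0")
    elif mtype > 5:
        findings.append("130700500 invalid type bigger than 5")
    return findings


def iter_messages(stream):
    """Carve consecutive messages out of a TCP byte stream by the declared length, stopping
    at the first header that fails validation (as a drop rule would); returns [(type, findings)]."""
    out, off = [], 0
    while off + BGP_HEADER_LEN <= len(stream):
        length = struct.unpack("!H", stream[off + 16:off + 18])[0]
        msg = stream[off:off + max(length, BGP_HEADER_LEN)]
        findings = check_bgp_header(msg)
        out.append((msg[18], findings))
        if findings:
            break
        off += length
    return out


def bgp_message(mtype, payload=b"", length=None, marker=BGP_MARKER):
    """Constructed test message; length overrides the true length to forge a bad header."""
    length = BGP_HEADER_LEN + len(payload) if length is None else length
    return marker + struct.pack("!H", length) + bytes([mtype]) + payload


if __name__ == "__main__":
    keepalive = bgp_message(4)
    stream = keepalive + bgp_message(3, b"\x06\x00") + bgp_message(0) + keepalive
    for mtype, findings in iter_messages(stream):
        print(BGP_TYPES.get(mtype, mtype), findings or "ok")
```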


ICMP

ICMP attacks abuse the control and error messages that network devices such as routers send, for example when a requested service is not available or a remote host cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default=1) |
130900100 | Auto | RATE LIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) |
130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) |
130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902300 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902400 | Auto | RATELIMIT PASS ICMPV6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902500 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problems if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903400 | Auto | RATELIMIT ICMP port unreachable | This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50) |
130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

Rule ID | Type | Rule Name | Description | Enable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | N/A |
140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.
140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.
140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default=0) |
140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default=0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default=0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default=0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.
140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default=0) | This is a catch-all rule that drops anything that does not match any other rules in the system.

HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

Rule ID | Type | Rule Name | Description | Enable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | N/A |
140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | N/A |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  — Drop interval: Enter the number of seconds for which the appliance drops packets.
  — Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  — Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  — Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
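The following Python script is an added example; it is not Infoblox code and not part of this guide. It models the behaviour that the RATELIMIT PASS rules in the tables above and the RATELIMITED, BLACKLIST and WHITELIST templates describe: a per-source packet count against a Packets per second limit, a Drop interval during which everything from an offending source is dropped, and whitelist/blacklist entries that are consulted before rate limiting. The sliding one-second window, the "more than the limit" test, the RFC 5737 sample addresses and the class and function names are assumptions made for the example; the page does not say how the appliance counts packets.

```python
"""Per-source rate limiting with a drop interval, modelled on the RATELIMIT PASS
rules and the RATELIMITED / BLACKLIST / WHITELIST custom rule templates.

Added example, not Infoblox code.  Assumptions (not stated in the guide):
- "Packets per second" is counted per source IP over a sliding one-second window.
- A source that sends more than the limit is blocked for "Drop interval" seconds;
  every packet from it during that time is dropped, even at a low rate.
- A WHITELIST entry passes the source and a BLACKLIST entry drops it before the
  rate limit is consulted ("pass/drop prior to rate limiting").
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class SourceRateLimiter:
    def __init__(self, packets_per_second=50, drop_interval=10.0,
                 whitelist=(), blacklist=()):
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.whitelist = [ip_network(n) for n in whitelist]
        self.blacklist = [ip_network(n) for n in blacklist]
        self.window = defaultdict(deque)  # src -> timestamps seen in the last second
        self.blocked_until = {}           # src -> time at which its block expires
        self.events = []                  # (time, src, verdict, reason), like a rule log

    @staticmethod
    def _matches(src, networks):
        addr = ip_address(src)
        return any(addr in net for net in networks)

    def _log(self, t, src, verdict, reason):
        self.events.append((t, src, verdict, reason))
        return verdict

    def handle(self, t, src):
        """Return 'PASS' or 'DROP' for one packet from src arriving at time t (seconds)."""
        if self._matches(src, self.whitelist):
            return self._log(t, src, "PASS", "whitelist")
        if self._matches(src, self.blacklist):
            return self._log(t, src, "DROP", "blacklist")

        expires = self.blocked_until.get(src)
        if expires is not None:
            if t < expires:
                return self._log(t, src, "DROP", "drop-interval")
            del self.blocked_until[src]    # block has expired: start counting afresh
            self.window[src].clear()

        recent = self.window[src]
        while recent and t - recent[0] >= 1.0:
            recent.popleft()               # discard timestamps older than one second
        recent.append(t)
        if len(recent) > self.pps:
            self.blocked_until[src] = t + self.drop_interval
            return self._log(t, src, "DROP", "rate-exceeded")
        return self._log(t, src, "PASS", "under-limit")


def simulate():
    """Constructed traffic (RFC 5737 documentation addresses) against a limit of
    5 packets per second and a 10-second drop interval."""
    rl = SourceRateLimiter(packets_per_second=5, drop_interval=10.0,
                           whitelist=["192.0.2.0/24"], blacklist=["198.51.100.7/32"])
    out = {}
    out["blacklisted"] = rl.handle(0.0, "198.51.100.7")
    out["whitelisted"] = [rl.handle(0.01 * i, "192.0.2.10") for i in range(20)]
    # 8 packets in 0.8 s: the first 5 pass, the 6th trips the limit, 7 and 8 are
    # dropped because the source is now inside its drop interval.
    out["burst"] = [rl.handle(0.1 * i, "203.0.113.5") for i in range(8)]
    out["during_block"] = rl.handle(5.0, "203.0.113.5")   # still inside the 10 s block
    out["after_block"] = rl.handle(11.0, "203.0.113.5")   # block expired at 10.5 s
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Run it directly to see the verdicts for the constructed sources; the `events` list is what a rule log would contain and shows how a single burst of six packets turns into ten seconds of drops for that source, which is the trade-off to keep in mind when lowering a Packets per second default.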

DNS Message Type

Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
--- | --- | --- | --- | --- | --- | ---
130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain a DHCID record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain an SOA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain a SIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130504900 | System | DNS ROC record TCP | You can configure this rule to pass or drop TCP packets that contain a ROC record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain an SSHFP record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain an IPSECKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain a TKEY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain a TSIG record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain a TA record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain a DLV record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |
130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain an ANY record request. The default Action = Pass. | Enabled by default | Action (default = Pass); Events per second (default = 1) |

General DDoS

The following table lists the auto rules that are used to mitigate general DDoS attacks on your advanced appliance

Table H5 General DDoS Rules

Reconnaissance

Reconnaissance attacks consist of attempts to get information on the network environment before launching a largeDDoS or other types of attacks Techniques include port scanning and finding versions and authors These attacksexhibit abnormal behavior patterns that if identified can provide early warnings

The following table lists the auto rules that are used to mitigate reconnaissance attacks on your advanced appliance

You can configure the following rule parameter for all rules in this category

bull Events per second The number of events logged per second for the rule Setting a value to 0 (zero) disables theappliance from logging events for the rule The default value is 10

Table H6 Reconnaissance Rules

Rule ID

Rule

Type

Rule Name Description

EnableDisable

Condition

Parameters Comments

110000100 Auto EARLY DROP DoSpackets with samesource and destinationIP

This rule drops any IP packetsthat contain the same sourceand destination IP address

Always enabled Events per second (default = 1)

110000200 Auto EARLY DROP DoS UDPpackets with samesource and destinationIP

This rule drops UDP packetsthat contain the same sourceand destination IP address

Always enabled Events per second (default = 1)

110000300 Auto EARLY DROP DoS TCPpackets with samesource and destinationIP

This rule drops TCP packetsthat contain the same sourceand destination IP address

Always enabled Events per second (default = 1)

130400300 Auto DROP IPv6 loopbackaddress spoofing

This rule blocks any IP packetsthat attempt to forge the IPv6loopback address

Always enabled Events per second (default = 1)

130400400 Auto DROP IPv6 loopbackaddress spoofing

This rule blocks any IP packetsthat attempt to forge the IPv6loopback address

Always enabled Events per second (default = 1)

Rule ID

Rule

Type

Rule Name Description

Enable

Condition

Parameters Comments

110100100 Auto EARLY DROP DNSnamed authorattempts

This rule drops UDP DNSpackets that containattempts to find AUTHOR

information

Alwaysenabled

Events per second (default = 1)

110100200 Auto EARLY DROP DNSnamed versionattempts

This rule drops UDP DNSpackets that containattempts to find VERSIONinformation

Alwaysenabled

Events per second (default = 1)

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 1330

DNS Malware

NIOS 612 NIOS Administrator Guide (Rev A) 1509

DNS Malware

DNS malware is software used to disrupt your DNS service gather sensitive information or gain access to yourappliance It can include downloaders backdoors trojan horses and other malicious software

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to aresolver such as a Microsoft DNS server

Table H7 DNS Malware Rules

DNS Protocol Anomalies

DNS protocol anomalies send malformed DNS packets including unexpected header and payload values to thetargeted server This causes the server to stop responding or crash which results in an infinite loop in server threadsThese anomalies sometimes take the form of impersonation attacks

The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance

Table H8 DNS Protocol Anomalies Rules

Rule ID

Rule

Type

Rule Name Description

Enable

Condition

Parameters Comments

110100300 Auto EARLY DROP UDPMALWARE backdoor

This rule drops UDPpackets that contain thebackdoor malwareBKDR_QUEJOBEVL whichposes as an installer ofFaceBook messenger Thismalware may be spread asa malicious attachment inemail messages

Always enabled Events per second (default = 1)

130300300 Auto DROP MALWAREtrojan downloader

This rule drops UDPpackets that contain thetrojan downloadermalware which downloadsand installs new versionsof malicious programsincluding Trojans andAdWare

Always enabled Events per second (default = 1)

130300400 Auto DROP MALWAREpossible Hiloti

This rule drops UDPpackets that contain trojanHiloti malicious programsthat may downloadpotentially malicious filesfrom a remote server andreport system informationback to the server

Always enabled Events per second (default = 1)

Rule ID

Rule

Type

Rule Name Description

Enable

Condition

Parameters Comments

110100400 Auto EARLY DROP UDP DNSquestion name too long

This rule drops UDP DNSpackets when the DNSQuestion Name is toolong

Always enabled Events per second (default = 1)

110100500 Auto EARLY DROP UDP DNSlabel too long

This rule drops UDP DNSpackets when the DNSLabel in the name beingqueried is too long

Always enabled Events per second (default = 1)

110100600 | Auto | EARLY DROP UDP query invalid question count
    Description: This rule drops UDP DNS packets when the number of entries in the question section is invalid.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1)

110100700 | Auto | EARLY DROP UDP query invalid question class
    Description: This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1)

110100800 | Auto | EARLY DROP UDP query invalid question string
    Description: This rule drops UDP DNS packets that contain an invalid question string.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1)

110100850 | Auto | EARLY UDP drop invalid DNS query with Authority
    Description: This rule drops UDP DNS queries that contain an invalid AUTHORITY entry.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1)

110100900 | Auto | EARLY DROP query multiple questions or non-query operation code
    Description: This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1)

130000700 | Auto | EARLY DROP TCP non-DNS query
    Description: This rule drops TCP packets when the operation code is not Query.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1)

130000800 | Auto | EARLY DROP TCP query multiple questions
    Description: This rule drops TCP DNS packets when there are multiple questions being queried at one time.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1)

130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority
    Description: This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1)

130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority
    Description: This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1)

130300200 | Auto | DROP TCP invalid DNS query with Authority
    Description: This rule drops TCP DNS queries that contain invalid Authority entries.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1)

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
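The question-section checks behind the DNS protocol anomaly rules above (110100400 through 110100900, and the matching TCP rules 130000700 and 130000800), as an added example that is not code from the guide or the appliance: a validator that parses a DNS query's header and first question and reports which rule IDs it would trip. The RFC 1035 limits (63-octet labels, 255-octet names) and the valid class set are assumptions, because the guide does not state the thresholds the appliance uses; build_query only fabricates test input.

```python
import struct
from typing import List

# Assumed thresholds: the guide says "too long" without numbers, so the RFC 1035
# limits are used here. Classes are IN, CH, HS and ANY (RFC 1035 / RFC 6895).
MAX_LABEL_LEN = 63
MAX_NAME_LEN = 255
OPCODE_QUERY = 0
VALID_QCLASSES = {1, 3, 4, 255}

# Rule IDs from the DNS Protocol Anomalies table.
R_NAME_TOO_LONG = "110100400"
R_LABEL_TOO_LONG = "110100500"
R_BAD_QDCOUNT = "110100600"
R_BAD_QCLASS = "110100700"
R_BAD_QSTRING = "110100800"
R_MULTI_OR_NONQUERY = "110100900"


def check_query(packet: bytes) -> List[str]:
    """Return the anomaly rule IDs a UDP DNS query payload would trip ([] = clean).

    Only the header and the first question are inspected, which is all the
    EARLY DROP rules need; a truncated or undecodable question is reported as
    an invalid question string.
    """
    hits: List[str] = []
    if len(packet) < 12:
        return [R_BAD_QSTRING]
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    opcode = (flags >> 11) & 0xF
    if opcode != OPCODE_QUERY or qdcount > 1:
        hits.append(R_MULTI_OR_NONQUERY)
    if qdcount == 0:
        hits.append(R_BAD_QDCOUNT)

    # Walk the QNAME label by label, summing its wire length.
    pos, name_len = 12, 0
    while True:
        if pos >= len(packet):
            hits.append(R_BAD_QSTRING)
            return hits
        label_len = packet[pos]
        pos += 1
        if label_len == 0:
            name_len += 1                     # root label terminator
            break
        if label_len > MAX_LABEL_LEN:
            # A length octet above 63 is never a plain label (RFC 1035 reserves
            # the top two bits), so it is either oversized or a compression
            # pointer, which has nothing to point at in the first question.
            hits.append(R_LABEL_TOO_LONG)
            return hits
        name_len += 1 + label_len
        pos += label_len
    if name_len > MAX_NAME_LEN:
        hits.append(R_NAME_TOO_LONG)

    if pos + 4 > len(packet):
        hits.append(R_BAD_QSTRING)
        return hits
    _qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if qclass not in VALID_QCLASSES:
        hits.append(R_BAD_QCLASS)
    return hits


def build_query(name: str, qtype: int = 1, qclass: int = 1,
                opcode: int = 0, qdcount: int = 1) -> bytes:
    """Constructed test input: a minimal query with one question, no validation."""
    flags = ((opcode & 0xF) << 11) | 0x0100     # RD set, as a stub resolver would
    header = struct.pack("!HHHHHH", 0x1234, flags, qdcount, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)
```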

TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments

130000100 | System | WARN about high rate inbound UDP DNS queries
    Description: This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
    Enable condition: Disabled by default
    Parameters: Packets per second (default = 40); Events per second (default = 1)
    Comments: Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.

130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries
    Description: This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval.
    Enable condition: Disabled by default
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.

130000300 | System | WARN about high rate inbound TCP DNS queries
    Description: This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
    Enable condition: Disabled by default
    Parameters: Packets per second (default = 5); Events per second (default = 1)
    Comments: Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.

130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries
    Description: This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval.
    Enable condition: Disabled by default
    Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.

DNS DDoS

The following table lists system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET, and SERVFAIL.

Table H10 DNS DDoS Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

200000001 | System | NXDOMAIN rate limiting rule
    Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
    Enable condition: Enabled by default
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.

200000002 | System | NXRRSET rate limiting rule
    Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
    Enable condition: Enabled by default
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers, and NO errors.

200000003 | System | SERVFAIL rate limiting rule
    Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this rate, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
    Enable condition: Enabled by default
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.
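The warn/block/drop-interval behaviour shared by the TCP/UDP Flood rules (Table H9) and the DNS DDoS rules (Table H10), as one added example that is not the appliance's code: a per-source rate limiter with the three knobs the tables expose, used once as the paired warn-only/blocking rules 130000100 and 130000200 and once as the per-response-category rules 200000001 through 200000003. The one-second sliding window, the reading of NXRRSET as NOERROR with an empty answer section, and the modelling of Events per second as a log-event cap are assumptions; simulate only generates constructed traffic.

```python
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def classify_response(rcode: int, ancount: int) -> Optional[str]:
    """Map a response header to the category its Table H10 rule keys on.

    NXRRSET is modelled as NOERROR with an empty answer section, following the
    guide's note that such responses carry no records, no answers and no error.
    """
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if rcode == RCODE_SERVFAIL:
        return "SERVFAIL"
    if rcode == RCODE_NOERROR and ancount == 0:
        return "NXRRSET"
    return None


class RateLimitRule:
    """Per-source-IP limiter exposing the three knobs the rule tables use.

    pps            Packets per second: reaching it warns, exceeding it blocks.
    drop_interval  Drop interval in seconds; None models a warn-only rule such
                   as 130000100, which alerts but never blocks.
    events_per_sec Events per second: cap on log events the rule emits.
    The one-second sliding window is an assumption; the guide does not say how
    the appliance measures the rate.
    """

    def __init__(self, rule_id: str, pps: int, drop_interval: Optional[float],
                 events_per_sec: int = 1) -> None:
        self.rule_id = rule_id
        self.pps = pps
        self.drop_interval = drop_interval
        self.events_per_sec = events_per_sec
        self.window: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}
        self.events: List[Tuple[float, str, str]] = []   # (time, source, kind)
        self._budget: Tuple[int, int] = (-1, 0)          # (second, events logged)

    def _log(self, now: float, src: str, kind: str) -> None:
        sec, count = self._budget
        if sec != int(now):
            sec, count = int(now), 0
        if count < self.events_per_sec:            # Events per second cap
            self.events.append((now, src, kind))
            count += 1
        self._budget = (sec, count)

    def observe(self, src: str, now: float) -> str:
        """Return PASS, WARN or DROP for one packet from src seen at time now."""
        if self.blocked_until.get(src, 0.0) > now:
            return "DROP"                          # still inside the Drop interval
        q = self.window[src]
        q.append(now)
        while q[0] <= now - 1.0:                   # keep only the last second
            q.popleft()
        rate = len(q)
        if rate < self.pps:
            return "PASS"
        if self.drop_interval is None or rate == self.pps:
            self._log(now, src, "warn")
            return "WARN"
        self.blocked_until[src] = now + self.drop_interval
        q.clear()                                  # counting restarts after the block
        self._log(now, src, "block")
        return "DROP"


# Table H9 pairing: a warn-only rule at the low threshold and a blocking rule at
# the high one (defaults 40 and 1000 pps, Drop interval 5 s).
UDP_FLOOD_RULES = [RateLimitRule("130000100", pps=40, drop_interval=None),
                   RateLimitRule("130000200", pps=1000, drop_interval=5.0)]

# Table H10: one blocking rule per response category (defaults 1000 pps, 5 s).
RESPONSE_RULES = {cat: RateLimitRule(rid, pps=1000, drop_interval=5.0)
                  for cat, rid in (("NXDOMAIN", "200000001"),
                                   ("NXRRSET", "200000002"),
                                   ("SERVFAIL", "200000003"))}
SEVERITY = {"PASS": 0, "WARN": 1, "DROP": 2}


def inbound_udp_query(src: str, now: float) -> str:
    """Run both flood rules on a query; the most severe verdict wins."""
    return max([r.observe(src, now) for r in UDP_FLOOD_RULES], key=SEVERITY.get)


def outbound_response(src: str, now: float, rcode: int, ancount: int) -> str:
    """Charge a response against its category's rule; other responses pass."""
    cat = classify_response(rcode, ancount)
    return "PASS" if cat is None else RESPONSE_RULES[cat].observe(src, now)


def simulate(verdict_fn, src: str, count: int, spacing: float = 0.01) -> Counter:
    """Constructed traffic: count packets from src, spacing seconds apart."""
    return Counter(verdict_fn(src, i * spacing) for i in range(count))
```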

DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
    Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
    Enable condition: Disabled by default
    Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.

130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
    Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
    Enable condition: Disabled by default
    Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.

200000004 | System | DNS tunneling rate limiting rule
    Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size.
    Enable condition: Enabled by default
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40)
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification recognizes UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers to the Internet cloud. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that are sent to the unwitting, spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts
    Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
    Enable condition: Enabled by default
    Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders, and VPN concentrators.

130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs
    Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable condition: Disabled by default
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

130400600 | System | RATE LIMIT PASS UDP DNS root requests
    Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable condition: Disabled by default
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H13 NTP Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130600100 | Auto | RATELIMIT PASS NTP TIME responses
    Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
    Enable condition: Enabled when the NTP client is enabled
    Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

130600120 | Auto | DROP NTP TIME responses
    Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
    Enable condition: Enabled when the NTP client is disabled
    Parameters: Events per second (default = 1)

200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible "NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03" attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests
    Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
    Enable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests
    Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
    Enable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests
    Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
    Enable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests
    Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
    Enable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests
    Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
    Enable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests
    Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
    Enable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001100 | Auto | DROP NTPQ requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
    Enable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default = 1)

200001105 | Auto | DROP NTP TIME requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
    Enable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default = 1)

200001110 | Auto | DROP NTP private mode requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
    Enable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default = 1)

200001115 | Auto | DROP invalid NTP requests
    Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
    Enable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default = 1)
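How the six "Un-Authed ... IMPL 0x02/0x03" rules in Table H13 (200001001 through 200001025) can be expressed as a packet classifier, as an added example that is not the appliance's code: it decodes the NTP private-mode (mode 7) request header and maps the (request code, implementation) pair to the rule ID, ignoring responses and authenticated requests. The implementation numbers and request codes are the values from ntpd's ntp_request.h, not from the guide; build_mode7_request only fabricates header bytes for the test, and the "frequent" threshold is not modelled because the guide exposes no rate parameter for these rules.

```python
import struct
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

NTP_MODE_PRIVATE = 7
# Values from ntpd's ntp_request.h (known constants, not stated in the guide).
IMPL_XNTPD_OLD, IMPL_XNTPD = 0x02, 0x03
REQ_PEER_LIST, REQ_PEER_LIST_SUM, REQ_GET_RESTRICT = 0, 1, 16

# (request code, implementation) -> rule ID from Table H13.
MODE7_RULES: Dict[Tuple[int, int], str] = {
    (REQ_GET_RESTRICT, IMPL_XNTPD_OLD): "200001001",
    (REQ_GET_RESTRICT, IMPL_XNTPD): "200001005",
    (REQ_PEER_LIST_SUM, IMPL_XNTPD_OLD): "200001010",
    (REQ_PEER_LIST_SUM, IMPL_XNTPD): "200001015",
    (REQ_PEER_LIST, IMPL_XNTPD_OLD): "200001020",
    (REQ_PEER_LIST, IMPL_XNTPD): "200001025",
}


def parse_mode7(packet: bytes) -> Optional[dict]:
    """Decode the 8-byte private-mode request header; None if not mode 7.

    Byte 0: R(1) M(1) VN(3) Mode(3); byte 1: A(1) Seq(7); byte 2: implementation;
    byte 3: request code; bytes 4-7: err/count and mbz/size fields (unused here).
    """
    if len(packet) < 8:
        return None
    rm_vn_mode, auth_seq, impl, reqcode = packet[:4]
    if rm_vn_mode & 0x07 != NTP_MODE_PRIVATE:
        return None
    return {
        "response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),
        "version": (rm_vn_mode >> 3) & 0x07,
        "authenticated": bool(auth_seq & 0x80),
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request_code": reqcode,
    }


def match_rule(packet: bytes) -> Optional[str]:
    """Rule ID an inbound packet maps to, or None.

    Responses and authenticated requests never match: the rules are about
    unauthenticated inbound requests only.
    """
    hdr = parse_mode7(packet)
    if hdr is None or hdr["response"] or hdr["authenticated"]:
        return None
    return MODE7_RULES.get((hdr["request_code"], hdr["implementation"]))


def tally(observations: Iterable[Tuple[str, bytes]]) -> Counter:
    """Count matching packets per (source, rule) so frequent sources stand out."""
    counts: Counter = Counter()
    for src, pkt in observations:
        rule = match_rule(pkt)
        if rule is not None:
            counts[(src, rule)] += 1
    return counts


def build_mode7_request(impl: int, reqcode: int, authenticated: bool = False,
                        response: bool = False, seq: int = 0) -> bytes:
    """Constructed test input: a minimal header, not a full on-the-wire request."""
    rm_vn_mode = (0x80 if response else 0) | (2 << 3) | NTP_MODE_PRIVATE  # VN 2
    auth_seq = (0x80 if authenticated else 0) | (seq & 0x7F)
    return bytes([rm_vn_mode, auth_seq, impl, reqcode]) + struct.pack("!HH", 0, 0)
```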

BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130700100 | Auto | DROP BGP header length shorter than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
    Enable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

130700200 | Auto | DROP BGP header length longer than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
    Enable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

130700300 | Auto | DROP BGP spoofed connection reset attempts
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
    Enable condition: This rule is enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

130700400 | Auto | DROP BGP invalid type 0
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
    Enable condition: This rule is enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

130700500 | Auto | DROP BGP invalid type bigger than 5
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
    Enable condition: This rule is enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts
    Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer
    Description: This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts
    Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer
    Description: This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

130800100 | Auto | DROP BGP unexpected
    Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
    Enable condition: This rule takes effect when BGP service on this member is NOT configured
    Parameters: Events per second (default = 1)
    Comments: This rule is exclusive with other rules based on whether BGP is configured on the member or not.

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments

130900300 | Auto | DROP OSPF unexpected
    Description: This rule drops unexpected OSPF packets.
    Enable condition: This rule takes effect when OSPF service on this member is NOT configured
    Parameters: Events per second (default = 1)
    Comments: Default drop rule for all packets on the OSPF service port.

130900400 | Auto | RATELIMIT PASS OSPF multicast
    Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: This rule takes effect when OSPF service on this member is configured for IPv4
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast
    Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: This rule takes effect when OSPF service on this member is configured for IPv6
    Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

130900600 | Auto | RATELIMIT PASS OSPF
    Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: This rule takes effect when OSPF service on this member is configured
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)
    Comments: This rule works for both IPv4 and IPv6.
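The header sanity checks that the BGP rules 130700100, 130700200, 130700400 and 130700500 in Table H14 above describe, as an added example that is not the appliance's code: a checker that reads the RFC 4271 fixed header (16-octet marker, 2-octet Length, 1-octet Type) and returns the rule ID a message would trip. It goes slightly beyond the table by also applying the per-type minimum lengths from RFC 4271 and RFC 2918 under the "shorter than spec" rule; those limits are taken from the RFCs, not from the guide, and build_bgp_header only fabricates test input.

```python
import struct
from typing import Optional

# RFC 4271 section 4.1: a message is a 16-octet all-ones marker, a 2-octet
# Length covering the whole message (19..4096) and a 1-octet Type. Types 1-4
# are OPEN, UPDATE, NOTIFICATION and KEEPALIVE; 5 is ROUTE-REFRESH (RFC 2918).
BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19
BGP_MAX_MSG_LEN = 4096
BGP_MAX_TYPE = 5
# Smallest legal message per type (header plus mandatory body fields).
MIN_LEN_BY_TYPE = {1: 29, 2: 23, 3: 21, 4: 19, 5: 23}

# Rule IDs from Table H14.
R_LEN_SHORT, R_LEN_LONG = "130700100", "130700200"
R_TYPE_ZERO, R_TYPE_HIGH = "130700400", "130700500"


def check_bgp_header(msg: bytes) -> Optional[str]:
    """Return the Table H14 rule ID a BGP message header would trip, or None.

    Marker validation is not a Table H14 rule and is left to the BGP speaker.
    """
    if len(msg) < BGP_HEADER_LEN:
        return R_LEN_SHORT                   # not even a full header on the wire
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if length < BGP_HEADER_LEN:
        return R_LEN_SHORT
    if length > BGP_MAX_MSG_LEN:
        return R_LEN_LONG
    if msg_type == 0:
        return R_TYPE_ZERO
    if msg_type > BGP_MAX_TYPE:
        return R_TYPE_HIGH
    if length < MIN_LEN_BY_TYPE[msg_type]:   # body too short for its type
        return R_LEN_SHORT
    return None


def build_bgp_header(length: int, msg_type: int) -> bytes:
    """Constructed test input: a bare header carrying the given Length and Type."""
    return BGP_MARKER + struct.pack("!HB", length, msg_type)
```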

ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments

130400200 | Auto | DROP ICMP large packets
    Description: This rule drops large ICMP packets (bigger than 800).
    Enable condition: Always enabled
    Parameters: Events per second (default = 1)

130900100 | Auto | RATE LIMIT PASS ICMP Ping
    Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping
    Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable
    Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100)

130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big
    Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100)

130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses
    Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header
    Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
    Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
    Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation
    Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement
    Description: This rule passes ICMPv6 router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation
    Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement
    Description: This rule passes ICMPv6 neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation
    Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 sec)

Packets per second (default=50)

130901800 Auto RATELIMIT PASS ICMPv6inverse neighboradvertisement

This rule passes ICMPv6 inverseneighbor advertisement if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901900  Auto  RATELIMIT PASS ICMPv6 listener query
  Description: Passes ICMPv6 listener query messages if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
  Description: Passes ICMPv6 listener report messages if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
  Description: Passes ICMPv6 listener done messages if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
  Description: Passes ICMPv6 listener report v2 messages if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902300  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
  Description: Passes ICMPv6 multicast router advertisements if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902400  Auto  RATELIMIT PASS ICMPv6 multicast router solicitation
  Description: Passes ICMPv6 multicast router solicitation messages if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902500  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
  Description: Passes ICMPv6 multicast router advertisements if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
  Description: Passes ICMP ping responses if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130902700  Auto  RATELIMIT PASS ICMP router advertisement
  Description: Passes ICMP router advertisements if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
  Description: Passes ICMP router solicitation messages if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
  Description: Passes ICMP time exceeded messages if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
  Description: Passes ICMP parameter problem messages if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: Passes ICMPv6 Hop Limit Exceeded messages and ICMPv4 Network Unreachable messages if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: Passes ICMPv6 fragment reassembly time exceeded messages and ICMPv4 host unreachable messages if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
  Description: Passes ICMP protocol unreachable messages if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903400  Auto  RATELIMIT ICMP port unreachable
  Description: Passes ICMP port unreachable messages if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 10); Drop Interval (default = 10 sec); Packets per second (default = 50)

130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
  Description: Passes ICMP fragmentation needed messages if the packet rate is below the Packets per second value; a source IP that exceeds it has all such traffic blocked for the Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50)

Default Pass/Drop

The following table lists the system rules that make the default pass or drop decision for packets on your advanced appliance. All rules in this table are enabled by default. Several of them default to an Events per second value of 0, which means they log no events unless you raise that value.

Table H17 Default Pass/Drop Rules

100000050  System  EARLY PASS TCP with flowbits set
  Description: Passes TCP traffic that has the flowbits option set and marked OK.
  Enable/Disable Condition: Enabled by default
  Parameters: N/A

140000100  System  DROP UDP DNS unexpected
  Description: Drops any unexpected UDP DNS packets.
  Enable/Disable Condition: Enabled by default
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
  Description: Drops any unexpected TCP DNS packets.
  Enable/Disable Condition: Enabled by default
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
  Description: Passes all packets that belong to established TCP connections.
  Enable/Disable Condition: Enabled by default
  Parameters: Events per second (default = 0)

140000500  System  DROP TCP unexpected
  Description: Drops any unexpected TCP packets.
  Enable/Disable Condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000600  System  DROP UDP unexpected
  Description: Drops any unexpected UDP packets.
  Enable/Disable Condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000700  System  DROP ICMP unexpected
  Description: Drops any unexpected ICMP packets.
  Enable/Disable Condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This rule drops any ICMP packet. If this rule is triggered, the packet is most likely not intended for services on this member.

140000800  System  DROP unexpected protocol
  Description: Drops packets of any unexpected protocol.
  Enable/Disable Condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This is the catch-all rule that drops anything that does not match any other rule in the system.


HA Support

The following table lists the auto rules that pass Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) packets, which HA (High Availability) pairs depend on.

Table H18 HA Support Rules

140000750  Auto  PASS VRRP
  Description: Passes VRRP packets for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

140000760  Auto  PASS IGMP
  Description: Passes IGMP packets for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

Custom Rule Templates

Advanced DNS Protection provides a small set of custom rule templates from which you can create new custom rules. A custom rule created from a template resides in that template's rule category. For information about custom rules and how to create them, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can set the Events per second value, which determines how many events per second are logged for the rule. You can also define template-specific rule parameters, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use an IDN in a custom rule, first convert it to Punycode; the IDN Converter on the Toolbar performs the conversion.

• BLACKLIST FQDN lookup TCP: Use this template to create custom rules that blacklist DNS queries by FQDN lookup over TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in TCP traffic. You can also enter a list of FQDNs separated by semicolons.

• BLACKLIST FQDN lookup UDP: Use this template to create custom rules that blacklist DNS queries by FQDN lookup over UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in UDP traffic. You can also enter a list of FQDNs separated by semicolons.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this template to create rules that block IPv4 or IPv6 addresses on TCP before the appliance applies any rate limiting rules you have defined with the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address whose packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter networks in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this template to create rules that block IPv4 or IPv6 addresses on UDP before the appliance applies any rate limiting rules you have defined with the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address whose packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter networks in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this template to create custom rules that rate limit DNS queries by FQDN lookup over UDP. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets once the rate limit is exceeded.
  - Blacklist rate limited FQDN: Enter the FQDN to which the rate limit applies. The appliance drops lookups for this FQDN when the rate of UDP DNS lookups for it exceeds the configured limit.

• RATELIMITED IP TCP: Use this template to create custom rules that rate limit, and then blacklist, IP addresses on TCP. To block certain IP addresses before their traffic is measured against the rate limit, create a rule with the BLACKLIST IP TCP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of TCP DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets from the rate limited IP address or network defined in this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit applies. The appliance drops packets from this address for the drop interval when its rate of TCP DNS lookups exceeds the configured limit.

• RATELIMITED IP UDP: Use this template to create custom rules that rate limit, and then blacklist, IP addresses on UDP. To block certain IP addresses before their traffic is measured against the rate limit, create a rule with the BLACKLIST IP UDP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets from the rate limited IP address or network defined in this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit applies. The appliance drops packets from this address for the drop interval when its rate of UDP DNS lookups exceeds the configured limit.

• WHITELIST IP TCP Pass prior to rate limiting: Use this template to create custom rules that allow certain IP addresses on TCP before the appliance applies any rate limiting rules you have defined with the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address whose packets are passed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this template to create custom rules that allow certain IP addresses on UDP before the appliance applies any rate limiting rules you have defined with the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address whose packets are passed before any relevant rate limiting rules take effect.
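The evaluation order these templates imply, as an added worked example in Python (not Infoblox code or configuration): the FQDN blacklist, the IP whitelist ("pass prior to rate limiting") and the IP blacklist ("drop prior to rate limiting") are decided before a query reaches the RATELIMITED rules, matching is per protocol (TCP or UDP), and IDNs have to be supplied as Punycode. The class, method and verdict strings are this example's own; that the FQDN blacklist is checked before the IP lists and that FQDN matching is exact are assumptions the page does not settle; the rules and traffic are constructed from documentation address ranges.

```python
"""Precedence of Advanced DNS Protection custom rule templates (added example)."""
import ipaddress

TEMPLATES = {
    "BLACKLIST FQDN lookup",    # drop queries for listed names
    "WHITELIST IP",             # pass prior to rate limiting
    "BLACKLIST IP",             # drop prior to rate limiting
    "RATELIMITED IP",           # per-address/network rate limit
    "RATELIMITED FQDN lookup",  # per-name rate limit (UDP template on the page)
}


def to_punycode(fqdn: str) -> str:
    """Custom rules do not accept IDNs: convert U-labels to A-labels (xn--...)."""
    return fqdn.strip().rstrip(".").encode("idna").decode("ascii").lower()


class CustomRuleSet:
    def __init__(self):
        self.rules = {}  # (template, proto) -> list of networks or names

    def add(self, template: str, proto: str, value: str) -> None:
        if template not in TEMPLATES or proto not in ("TCP", "UDP"):
            raise ValueError(f"unknown template or protocol: {template!r} {proto!r}")
        if template.endswith("IP"):
            # single address or address/CIDR; strict=False tolerates host bits
            entries = [ipaddress.ip_network(value.strip(), strict=False)]
        else:
            # semicolon-separated FQDN list; IDNs must already be Punycode
            entries = []
            for name in value.split(";"):
                name = name.strip().rstrip(".").lower()
                if not name:
                    continue
                if not name.isascii():
                    raise ValueError(f"IDN not supported; use to_punycode({name!r}) first")
                entries.append(name)
        self.rules.setdefault((template, proto), []).extend(entries)

    def _ip_hit(self, template, proto, ip):
        # ip_network.__contains__ is False across address families
        return any(ip in net for net in self.rules.get((template, proto), ()))

    def _fqdn_hit(self, template, proto, qname):
        return qname in self.rules.get((template, proto), ())

    def evaluate(self, proto: str, src_ip: str, qname: str) -> str:
        """Verdict for one DNS query: DROP, PASS, RATELIMIT or CONTINUE."""
        ip = ipaddress.ip_address(src_ip)
        name = to_punycode(qname)  # wire-format qnames are already A-labels
        if self._fqdn_hit("BLACKLIST FQDN lookup", proto, name):
            return "DROP: BLACKLIST FQDN lookup"
        if self._ip_hit("WHITELIST IP", proto, ip):
            return "PASS: WHITELIST IP (pass prior to rate limiting)"
        if self._ip_hit("BLACKLIST IP", proto, ip):
            return "DROP: BLACKLIST IP (drop prior to rate limiting)"
        if self._ip_hit("RATELIMITED IP", proto, ip):
            return "RATELIMIT: RATELIMITED IP"
        if self._fqdn_hit("RATELIMITED FQDN lookup", proto, name):
            return "RATELIMIT: RATELIMITED FQDN lookup"
        return "CONTINUE: no custom rule matched, system and auto rules apply"


def demo_ruleset() -> CustomRuleSet:
    """Constructed rule set (documentation prefixes, hypothetical roles)."""
    rules = CustomRuleSet()
    rules.add("WHITELIST IP", "UDP", "192.0.2.0/24")          # internal forwarders
    rules.add("BLACKLIST IP", "UDP", "198.51.100.7")           # scanner, UDP only
    rules.add("BLACKLIST IP", "TCP", "2001:db8:bad::/48")
    rules.add("BLACKLIST FQDN lookup", "UDP",
              "evil.example; " + to_punycode("bücher.example"))
    rules.add("RATELIMITED IP", "UDP", "203.0.113.0/24")
    rules.add("RATELIMITED FQDN lookup", "UDP", "cdn.example")
    return rules
```

evaluate() returns RATELIMIT rather than a final pass or drop for packets that reach a RATELIMITED rule, because that decision depends on the per-source rate measured against Packets per second and Drop interval, which this example does not model. The IDN check in add() mirrors the note above: a name containing non-ASCII characters is rejected until it has been converted with to_punycode().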


General DDoS

The following table lists the auto rules that mitigate general DDoS attacks on your advanced appliance.

Table H5 General DDoS Rules

110000100  Auto  EARLY DROP DoS packets with same source and destination IP
  Description: Drops any IP packet whose source and destination IP addresses are the same.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110000200  Auto  EARLY DROP DoS UDP packets with same source and destination IP
  Description: Drops UDP packets whose source and destination IP addresses are the same.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

110000300  Auto  EARLY DROP DoS TCP packets with same source and destination IP
  Description: Drops TCP packets whose source and destination IP addresses are the same.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130400300  Auto  DROP IPv6 loopback address spoofing
  Description: Blocks any IP packet that attempts to forge the IPv6 loopback address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

130400400  Auto  DROP IPv6 loopback address spoofing
  Description: Blocks any IP packet that attempts to forge the IPv6 loopback address.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default = 1)

Reconnaissance

Reconnaissance attacks are attempts to gather information about the network environment before launching a large DDoS or another type of attack. Techniques include port scanning and probing for software versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warning.

The following table lists the auto rules that mitigate reconnaissance attacks on your advanced appliance.

You can configure the following rule parameter for all rules in this category:

• Events per second: The number of events logged per second for the rule. Setting the value to 0 (zero) disables event logging for the rule. The default value is 10.

Table H6 Reconnaissance Rules

110100100  Auto  EARLY DROP DNS named author attempts
  Description: Drops UDP DNS packets that attempt to retrieve AUTHOR information from the name server.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100200  Auto  EARLY DROP DNS named version attempts
  Description: Drops UDP DNS packets that attempt to retrieve VERSION information from the name server.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It includes downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that mitigate DNS malware when the appliance forwards DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

110100300  Auto  EARLY DROP UDP MALWARE backdoor
  Description: Drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of Facebook Messenger. This malware may be spread as a malicious attachment in email messages.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

130300300  Auto  DROP MALWARE trojan downloader
  Description: Drops UDP packets that contain trojan downloader malware, which downloads and installs new versions of malicious programs, including trojans and adware.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

130300400  Auto  DROP MALWARE possible Hiloti
  Description: Drops UDP packets that contain the Hiloti trojan, which may download potentially malicious files from a remote server and report system information back to that server.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

DNS Protocol Anomalies

DNS protocol anomaly attacks send malformed DNS packets, including unexpected header and payload values, to the targeted server. They can cause the server to stop responding or crash, for example by driving server threads into an infinite loop. These anomalies sometimes take the form of impersonation attacks.

The following table lists the rules that mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

110100400  Auto  EARLY DROP UDP DNS question name too long
  Description: Drops UDP DNS packets whose DNS question name is too long.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100500  Auto  EARLY DROP UDP DNS label too long
  Description: Drops UDP DNS packets in which a label of the queried name is too long.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100600  Auto  EARLY DROP UDP query invalid question count
  Description: Drops UDP DNS packets whose number of entries in the question section is invalid.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100700  Auto  EARLY DROP UDP query invalid question class
  Description: Drops UDP DNS packets whose queried RR (resource record) class is invalid.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100800  Auto  EARLY DROP UDP query invalid question string
  Description: Drops UDP DNS packets that contain an invalid question string.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100850  Auto  EARLY UDP drop invalid DNS query with Authority
  Description: Drops UDP DNS queries that contain an invalid AUTHORITY entry.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

110100900  Auto  EARLY DROP query multiple questions or non query operation code
  Description: Drops UDP DNS packets that carry multiple questions at once or whose operation code is not Query.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

130000700  Auto  EARLY DROP TCP non-DNS query
  Description: Drops TCP DNS packets whose operation code is not Query.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

130000800  Auto  EARLY DROP TCP query multiple questions
  Description: Drops TCP DNS packets that carry multiple questions at once.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

130100500  Auto  DROP UDP DNS invalid IXFR query with zero or more than one Authority
  Description: Drops UDP DNS incremental zone transfer (IXFR) requests that contain zero or more than one Authority entry.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

130100600  Auto  DROP TCP DNS invalid IXFR query with zero or more than one Authority
  Description: Drops TCP DNS incremental zone transfer (IXFR) requests that contain zero or more than one Authority entry.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

130300200  Auto  DROP TCP invalid DNS query with Authority
  Description: Drops TCP DNS queries that contain invalid Authority entries.
  Enable Condition: Always enabled
  Parameters: Events per second (default = 1)

Potential DDoS Related Domains

This rule category includes system rules that the appliance uses to blacklist domains that have been the targets or subjects of NXDOMAIN or DDoS attacks. These rules block all FQDN lookups over UDP for domains that have been observed as targets in DDoS attacks. The rules are enabled by default; you can disable them when necessary.

Note that these rules capture currently observed bad domain names, which change regularly. Infoblox recommends updating to the latest ruleset to obtain the most current rules in this category. For information about updating the ruleset, see Managing Threat Protection Rules on page 1352.

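The checks the DNS Protocol Anomalies and Reconnaissance rules above describe, as an added worked example in Python (not Infoblox code): a parser for the DNS header and question section that reports the first anomaly in a UDP query, run over constructed packets for each case. The RFC 1035 limits (63-octet labels, 255-octet names) are standard; which classes the appliance treats as invalid, what it considers an invalid Authority entry, and that the "version" and "author" rules match version.bind and author.bind CHAOS-class queries are assumptions, as are all function names and the sample packets.

```python
"""Anomaly checks for UDP DNS queries, modelled on the rules above (added example)."""
import struct

OPCODE_QUERY = 0
QTYPE_IXFR = 251
VALID_QCLASS = {1, 3, 4, 255}                  # IN, CH, HS, ANY (assumption)
RECON_NAMES = {"version.bind", "author.bind"}  # CHAOS names the version/author rules target (assumption)


def parse_qname(data: bytes, offset: int):
    """Return (qname, offset after the name). A query's QNAME is never compressed."""
    labels, start = [], offset
    while True:
        if offset >= len(data):
            raise ValueError("invalid question string (truncated)")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length > 63:  # also catches 0x40/0x80 label types and 0xC0 pointers
            raise ValueError("label too long")
        if offset + length > len(data):
            raise ValueError("invalid question string (truncated label)")
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if offset - start > 255:
        raise ValueError("question name too long")
    return ".".join(labels).lower(), offset


def check_query(packet: bytes) -> str:
    """'PASS' or 'DROP: <reason>' for one UDP DNS query payload."""
    if len(packet) < 12:
        return "DROP: invalid question string (truncated header)"
    _ident, flags, qdcount, _ancount, nscount, _arcount = struct.unpack("!6H", packet[:12])
    if ((flags >> 11) & 0xF) != OPCODE_QUERY:
        return "DROP: non-query operation code"
    if qdcount == 0:
        return "DROP: invalid question count"
    if qdcount > 1:
        return "DROP: multiple questions"
    try:
        qname, offset = parse_qname(packet, 12)
    except ValueError as exc:
        return f"DROP: {exc}"
    if offset + 4 > len(packet):
        return "DROP: invalid question string (truncated)"
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    if qclass not in VALID_QCLASS:
        return "DROP: invalid question class"
    if qclass == 3 and qname in RECON_NAMES:
        return "DROP: named version/author attempt"
    if qtype == QTYPE_IXFR:
        if nscount != 1:  # an IXFR request carries exactly one SOA in Authority
            return "DROP: IXFR with zero or more than one Authority entry"
    elif nscount != 0:
        return "DROP: query with Authority entries"
    return "PASS"


def build_query(qname, qtype=1, qclass=1, opcode=0, qdcount=1, nscount=0, raw_name=None):
    """Construct a query payload; only the header counts are set, no records are appended."""
    flags = ((opcode & 0xF) << 11) | 0x0100  # RD set
    header = struct.pack("!6H", 0x1234, flags, qdcount, 0, nscount, 0)
    if raw_name is None:
        raw_name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + raw_name + struct.pack("!HH", qtype, qclass)


# Constructed sample packets, one per check
SAMPLES = {
    "normal A query":      build_query("www.example.com"),
    "two questions":       build_query("www.example.com", qdcount=2),
    "zero questions":      build_query("www.example.com", qdcount=0),
    "opcode UPDATE":       build_query("www.example.com", opcode=5),
    "64-octet label":      build_query("", raw_name=b"\x40" + b"a" * 64 + b"\x07example\x03com\x00"),
    "260-octet name":      build_query(".".join(["a" * 63] * 4) + ".ex"),
    "CHAOS version.bind":  build_query("version.bind", qtype=16, qclass=3),
    "CHAOS hostname.bind": build_query("hostname.bind", qtype=16, qclass=3),
    "class 0xFFFE":        build_query("www.example.com", qclass=0xFFFE),
    "IXFR without SOA":    build_query("example.com", qtype=QTYPE_IXFR, nscount=0),
    "IXFR with one SOA":   build_query("example.com", qtype=QTYPE_IXFR, nscount=1),
    "A query with NS=1":   build_query("www.example.com", nscount=1),
}


def run_samples() -> dict:
    return {name: check_query(pkt) for name, pkt in SAMPLES.items()}
```

The "CHAOS hostname.bind" sample passes on purpose: the page lists only VERSION and AUTHOR probes, so the example does not extend the match set beyond what the rules name. The IXFR check is count-based, as the rule descriptions are; a real implementation would also confirm that the single Authority record is an SOA.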

TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks that send massive numbers of TCP or UDP packets to consume network bandwidth and server resources.

The following table lists the system and auto rules that mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

130000100  System  WARN about high rate inbound UDP DNS queries
  Description: Warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable Condition: Disabled by default
  Parameters: Packets per second (default = 40); Events per second (default = 1)
  Comments: Use this rule together with rule 130000200 to set separate warning and blocking thresholds. This rule only raises alerts, when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second value configured for this rule should be less than that of rule 130000200.

130000200  System  WARN & BLOCK high rate inbound UDP DNS queries
  Description: Warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from the source IP for the period specified in Drop interval.
  Enable Condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators, where one source address carries the queries of many clients. This rule may be triggered if its Packets per second value is lower than that of custom rules created from the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that of rule 130000100.

130000300  System  WARN about high rate inbound TCP DNS queries
  Description: Warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable Condition: Disabled by default
  Parameters: Packets per second (default = 5); Events per second (default = 1)
  Comments: Use this rule together with rule 130000400 to set separate warning and blocking thresholds. This rule only raises alerts, when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second value configured for this rule should be less than that of rule 130000400.

130000400  System  WARN & BLOCK high rate inbound TCP DNS queries
  Description: Warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from the source IP for the period specified in Drop interval.
  Enable Condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders, and VPN concentrators. This rule may be triggered if its Packets per second value is lower than that of custom rules created from the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.


DNS DDoS

The following table lists system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate-limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.

Table H10 DNS DDoS Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 200000001 | System | NXDOMAIN rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. |
| 200000002 | System | NXRRSET rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. NOTE: NXRRSET responses include NO records, NO answers and NO errors. |
| 200000003 | System | SERVFAIL rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. |
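The rules above and the TCP flood pair 130000300/130000400 share one parameter model: Packets per second sets the threshold at which a source is warned about, Drop interval is how long the source is blocked once it goes above that threshold, and Events per second caps how many alerts the rule emits per second. The following Python model is an added example written for this page, not Infoblox code; the appliance's implementation is not public, so the fixed one-second sliding window, the demo thresholds (5 and 10 pps instead of the documented defaults of 5 and 1000) and the sample source address are assumptions. It shows why the warn-only rule's threshold must stay below the blocking rule's, and why Events per second changes what you see in the log, not what is enforced.

```python
from collections import Counter, defaultdict, deque


class RateRule:
    """One rate-limiting rule: warn when a source reaches Packets per second,
    block it for Drop interval when it goes above (warn-only if drop_interval is 0)."""

    def __init__(self, rule_id, pps, drop_interval=0.0, eps=1):
        self.rule_id = rule_id
        self.pps = pps                      # Packets per second threshold
        self.drop_interval = drop_interval  # seconds to block; 0 means warn only
        self.eps = eps                      # Events per second: alerts allowed per second
        self.window = defaultdict(deque)    # src -> packet timestamps in the last second
        self.blocked_until = {}             # src -> time the block expires
        self.events = []                    # alerts actually emitted: (ts, rule_id, kind, src)
        self._event_sec, self._event_count = None, 0

    def _log(self, ts, kind, src):
        # Events per second throttles reporting; it never changes what is enforced.
        sec = int(ts)
        if sec != self._event_sec:
            self._event_sec, self._event_count = sec, 0
        if self._event_count < self.eps:
            self.events.append((round(ts, 2), self.rule_id, kind, src))
        self._event_count += 1

    def process(self, ts, src):
        """Classify one packet from src at time ts (seconds, non-decreasing)."""
        until = self.blocked_until.get(src)
        if until is not None and ts < until:
            return "DROP"                   # still inside the Drop interval
        q = self.window[src]
        q.append(ts)
        while ts - q[0] >= 1.0:             # one-second sliding window (assumption)
            q.popleft()
        rate = len(q)
        if rate < self.pps:
            return "PASS"
        if self.drop_interval and rate > self.pps:
            self.blocked_until[src] = ts + self.drop_interval
            self._log(ts, "BLOCK", src)
            return "DROP"
        self._log(ts, "WARN", src)          # rate == pps, or a warn-only rule
        return "WARN"


def simulate(rule, packets):
    """Feed (timestamp, source) pairs through a rule and count the verdicts."""
    return Counter(rule.process(ts, src) for ts, src in packets)


def thresholds_consistent(warn_rule, block_rule):
    """The NOTE on rule 130000300: the warn-only threshold must be below the block threshold."""
    return warn_rule.pps < block_rule.pps


# Constructed traffic: a 12-packet burst inside one second from a single
# source (a TEST-NET-2 address), then one packet at 5 s and one at 11 s.
SRC = "198.51.100.7"
BURST = [(0.01 * i, SRC) for i in range(12)] + [(5.0, SRC), (11.0, SRC)]


def run_demo():
    warn_only = RateRule(130000300, pps=5)                      # warns at >= 5 pps
    warn_block = RateRule(130000400, pps=10, drop_interval=10)  # blocks above 10 pps
    verdicts = {
        "warn_only": simulate(warn_only, BURST),
        "warn_block": simulate(warn_block, BURST),
    }
    return verdicts, warn_only.events, warn_block.events, thresholds_consistent(warn_only, warn_block)


if __name__ == "__main__":
    print(run_demo())
```

In the demo the blocking rule passes nine packets, warns on the tenth (rate equals the threshold), blocks on the eleventh and keeps dropping until the 10-second Drop interval has expired, after which the packet at 11 s passes. Only one event is logged for that rule: the BLOCK at 0.10 s is suppressed because Events per second (1) was already spent on the WARN in the same second, which is the practical reason to raise Events per second when you are tuning thresholds and need to see every transition.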


DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. |
| 130000600 | Auto | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. |
| 200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Enabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. |

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification recognizes UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers to the Internet cloud. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that are sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.
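Both the anti-tunneling rules in Table H11 and the reflection rule described next key on fields of the DNS message itself: the size of a query, the total size of TXT records in a response, whether the query type is ANY, and whether an EDNS0 OPT record advertises a large UDP payload size. The decoder below is an added example written for this page, not Infoblox code; it uses the Packet size defaults from Table H11 (200 bytes for queries, 40 bytes for TXT data) and the sample messages, including the long-label query and the oversized TXT answer, are constructed here. It is a way to check, offline, which of those conditions a captured message would meet.

```python
import struct

QTYPE_TXT, QTYPE_OPT, QTYPE_ANY = 16, 41, 255


def read_name(buf, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                          # bound the pointer chase
        length = buf[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_dns(buf):
    """Summarise the fields the rules look at; raises ValueError on truncation."""
    if len(buf) < 12:
        raise ValueError("short DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off, qname, qtype = 12, "", None
    for _ in range(qd):
        qname, off = read_name(buf, off)
        qtype = struct.unpack("!H", buf[off:off + 2])[0]
        off += 4                                  # QTYPE + QCLASS
    txt_bytes, edns_udp_size = 0, None
    for _ in range(an + ns + ar):
        _name, off = read_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if off + rdlen > len(buf):
            raise ValueError("truncated RR")
        if rtype == QTYPE_TXT:
            txt_bytes += rdlen
        elif rtype == QTYPE_OPT:
            edns_udp_size = rclass                # OPT reuses CLASS as the UDP payload size
        off += rdlen
    return {"size": len(buf), "is_response": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "txt_bytes": txt_bytes, "edns_udp_size": edns_udp_size}


def rule_hits(summary, query_size=200, txt_size=40):
    """Which size/type conditions from Tables H11 and H12 this message meets."""
    hits = []
    if not summary["is_response"] and summary["size"] > query_size:
        hits.append("large-query")                # rules 130000500 / 130000600
    if summary["is_response"] and summary["txt_bytes"] > txt_size:
        hits.append("large-txt-response")         # rule 200000004
    if not summary["is_response"] and summary["qtype"] == QTYPE_ANY:
        hits.append("any-query")                  # rule 130400100
    return hits


# --- constructed sample messages (not captures) -----------------------------
def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"


def build_query(qname, qtype, edns_udp_size=None):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    msg = hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:                             # root-named OPT RR in the additional section
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return msg


def build_txt_response(qname, txt_strings):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(txt_strings), 0, 0)
    msg = hdr + encode_name(qname) + struct.pack("!HH", QTYPE_TXT, 1)
    for s in txt_strings:                         # each answer name is a pointer to offset 12
        rdata = bytes([len(s)]) + s.encode()
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    for m in (build_query("example.com", 1),
              build_query("example.com", QTYPE_ANY, edns_udp_size=4096),
              build_txt_response("example.com", ["x" * 50])):
        s = parse_dns(m)
        print(s["size"], s["qtype"], s["txt_bytes"], rule_hits(s))
```

A 29-byte A query for example.com meets none of the conditions; the same name queried for ANY with a 4096-byte EDNS0 buffer is the shape rule 130400100 is tuned for, and a 51-byte TXT answer crosses the 40-byte default of rule 200000004. Note that the rules rate-limit these conditions rather than dropping on first sight, so a single large TXT answer from a legitimate SPF or DKIM lookup does not trigger a block by itself.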

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders and VPN concentrators. |
| 130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | |
| 130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. |

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second. It then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | |
| 130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default = 1) | |
| 200001001 | Auto | DOS: Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001005 | Auto | DOS: Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001010 | Auto | DOS: Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001015 | Auto | DOS: Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001020 | Auto | DOS: Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001025 | Auto | DOS: Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
| 200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default = 1) | |
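The NTP rules above split traffic three ways (TIME requests and responses, NTPQ control messages, private mode 7 requests) and then apply the service state and the IPv4/IPv6 ACLs before any rate limiting. The classifier below is an added example written for this page, not Infoblox code. The mode bits come from the first byte of every NTP packet; the mode 7 header layout and the implementation and request-code values (IMPL 0x02 and 0x03, and PEER_LIST = 0, PEER_LIST_SUM = 1, GET_RESTRICT = 16) follow ntpd's ntp_request.h. The sample packets, the ACLs (documentation prefixes) and the handling of sources outside the ACLs and of malformed requests while the service is enabled are constructed assumptions, since the page only describes the documented rules.

```python
import ipaddress

MODE7_REQUESTS = {0: "PEER_LIST", 1: "PEER_LIST_SUM", 16: "GET_RESTRICT"}
MODE7_IMPLS = {2: "IMPL 0x02", 3: "IMPL 0x03"}


def classify_ntp(pkt):
    """Label a UDP/123 payload by the mode bits of its first byte."""
    if not pkt:
        return {"kind": "INVALID"}
    mode, version = pkt[0] & 0x07, (pkt[0] >> 3) & 0x07
    if mode in (3, 4):                            # client request / server response
        if len(pkt) < 48:                         # a TIME packet is at least 48 bytes
            return {"kind": "INVALID"}
        return {"kind": "TIME_REQUEST" if mode == 3 else "TIME_RESPONSE", "version": version}
    if mode == 6:                                 # ntpq control messages
        return {"kind": "NTPQ"}
    if mode == 7:                                 # ntpdc private mode
        if len(pkt) < 8:                          # rm_vn_mode, auth_seq, impl, req, nitems, itemsize
            return {"kind": "INVALID"}
        impl, req = pkt[2], pkt[3]
        return {
            "kind": "PRIVATE",
            "response": bool(pkt[0] & 0x80),      # R bit
            "authed": bool(pkt[1] & 0x80),        # A bit: request carries a MAC
            "impl": MODE7_IMPLS.get(impl, f"IMPL {impl:#04x}"),
            "request": MODE7_REQUESTS.get(req, f"REQ {req}"),
        }
    return {"kind": "INVALID"}


def ntp_verdict(src, pkt, server_enabled, client_enabled, acls):
    """Apply the enable conditions of Table H13 to one packet, before rate limiting.

    acls maps "ipv4"/"ipv6" to the networks allowed to query this member.
    """
    info = classify_ntp(pkt)
    if info["kind"] == "TIME_RESPONSE":
        # 130600100 passes responses (rate-limited) while the NTP client is on;
        # 130600120 drops them when it is off.
        return ("PASS" if client_enabled else "DROP"), info
    if not server_enabled:
        return "DROP", info                       # 200001100 / 200001105 / 200001110 / 200001115
    if info["kind"] == "INVALID":
        return "DROP", info                       # assumption: malformed requests are not forwarded
    addr = ipaddress.ip_address(src)
    nets = acls.get("ipv4" if addr.version == 4 else "ipv6", [])
    if not any(addr in ipaddress.ip_network(n) for n in nets):
        return "DROP", info                       # assumption: the page only describes ACL sources
    if info["kind"] == "PRIVATE" and not info["authed"] and info["request"] in MODE7_REQUESTS.values():
        return "ALERT", info                      # 200001001-200001025: warn, then block
    return "PASS", info                           # 200001050-200001075: pass until 10 pps, then block 60 s


# Constructed samples: documentation addresses, zero-filled bodies.
TIME_REQ = bytes([0x23]) + bytes(47)              # LI 0, VN 4, mode 3
TIME_RESP = bytes([0x24]) + bytes(47)             # LI 0, VN 4, mode 4
NTPQ_REQ = bytes([0x16, 0x02]) + bytes(10)        # VN 2, mode 6, opcode 2 (read variables)
MODE7_GET_RESTRICT = bytes([0x17, 0x00, 0x03, 0x10]) + bytes(4)  # VN 2, mode 7, IMPL 0x03, req 16
SHORT_PKT = bytes([0x23]) + bytes(10)             # mode 3 but far too short
ACLS = {"ipv4": ["192.0.2.0/24"], "ipv6": ["2001:db8::/32"]}

if __name__ == "__main__":
    for name, pkt in (("time", TIME_REQ), ("ntpq", NTPQ_REQ), ("mode7", MODE7_GET_RESTRICT)):
        print(name, ntp_verdict("192.0.2.10", pkt, True, False, ACLS))
```

The un-authenticated GET_RESTRICT request from an ACL'd source is the case rule 200001005 warns about; the same TIME request from an address outside the ACL is dropped before the 10 pps / 60 s limiter of rule 200001055 ever sees it, which is why defining the ACLs tightly matters more than the rate parameters for an NTP server that only serves internal clients.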


BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130700100 | Auto | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700200 | Auto | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700300 | Auto | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain spoofed connection resets. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700400 | Auto | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain invalid message type 0. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700500 | Auto | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured | Events per second (default = 1) | |
| 130700550 | Auto | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700650 | Auto | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10) | |
| 130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured | Events per second (default = 1) | This rule is exclusive with other rules based on whether BGP is configured on the member or not. |

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured | Events per second (default = 1) | Default drop rule for all packets on the OSPF service port. |
| 130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4 | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100) | |
| 130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6 | Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 100) | |
| 130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | This rule works for both IPv4 and IPv6. |
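Four of the BGP rules in Table H14 (130700100, 130700200, 130700400 and 130700500) are pure header-format checks against RFC 4271: the 16-byte all-ones marker, a length field that must lie between 19 (a header-only message such as KEEPALIVE) and 4096, and a type field of 1 to 4, plus type 5 for ROUTE-REFRESH from RFC 2918. The validator below is an added example written for this page, not Infoblox code; it walks a TCP payload of back-to-back messages and reports the first violation together with the rule that covers it. The spoofed-reset check of rule 130700300 depends on TCP connection state and is not modelled; the sample messages are constructed.

```python
import struct

MARKER = b"\xff" * 16                  # RFC 4271: 16 octets of all ones
HEADER_LEN, MAX_LEN = 19, 4096         # RFC 4271 minimum and maximum message length
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}


def check_header(hdr):
    """Return (rule_id, reason) for the first violation in a header, or None if clean.

    rule_id is the Table H14 rule covering the condition; None where no listed
    rule applies (truncated header, bad marker).
    """
    if len(hdr) < HEADER_LEN:
        return None, "truncated header (fewer than 19 bytes)"
    length, mtype = struct.unpack("!H", hdr[16:18])[0], hdr[18]
    if hdr[:16] != MARKER:
        return None, "marker is not all ones"
    if length < HEADER_LEN:
        return 130700100, f"length field {length} shorter than the 19-byte header"
    if length > MAX_LEN:
        return 130700200, f"length field {length} longer than the 4096-byte maximum"
    if mtype == 0:
        return 130700400, "invalid message type 0"
    if mtype > 5:
        return 130700500, f"invalid message type {mtype} (greater than 5)"
    return None


def scan_stream(data):
    """Walk a TCP payload of back-to-back BGP messages.

    Returns (messages, findings): messages as (type name, length), findings as
    (offset, rule_id, reason). Scanning stops at the first bad header because
    its length field can no longer be trusted to locate the next message.
    """
    messages, findings, off = [], [], 0
    while off < len(data):
        hdr = data[off:off + HEADER_LEN]
        problem = check_header(hdr)
        if problem:
            findings.append((off, problem[0], problem[1]))
            break
        length, mtype = struct.unpack("!H", hdr[16:18])[0], hdr[18]
        if off + length > len(data):
            findings.append((off, None, "message body truncated"))
            break
        messages.append((TYPES[mtype], length))
        off += length
    return messages, findings


# --- constructed sample messages ---------------------------------------------
def bgp_message(mtype, body=b""):
    """Well-formed message; the length field counts the header too."""
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), mtype) + body


def header_with(length, mtype):
    """Header with caller-chosen length and type fields, for the negative cases."""
    return MARKER + struct.pack("!HB", length, mtype)


if __name__ == "__main__":
    print(scan_stream(bgp_message(4) + bgp_message(1, bytes(10))))
    print(scan_stream(bgp_message(4) + header_with(19, 0)))
```

On a session where a KEEPALIVE is followed by a type-0 header, the scanner reports the KEEPALIVE as clean and a 130700400 finding at offset 19; it deliberately does not try to resynchronise after that, mirroring the rules' approach of dropping the offending packet rather than guessing at the rest of the stream.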


ICMP

ICMP attacks use network devices, such as routers, to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default = 1) | |
| 130900100 | Auto | RATE LIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100) | |
| 130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 100) | |
| 130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902300 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902400 | Auto | RATELIMIT PASS ICMPv6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902500 | Auto | RATELIMIT PASS ICMPv6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 30 sec); Packets per second (default = 50) | |
| 130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default = 1); Drop Interval (default = 10 sec); Packets per second (default = 50) | |
| 130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | | | |

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903100 Auto RATELIMIT PASS ICMPv6hop limit exceeded orICMPv4 networkunreachable

This rule passes ICMPv6 HopLimit Exceeded messages orICMPv4 Network Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a time

specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130903200 Auto RATELIMIT PASS ICMPv6fragment reassemblytime exceeded orICMPv4 hostunreachable

This rule passes ICMPv6fragment reassembly timeexceeded messages or ICMPv4host unreachable messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903300 Auto RATELIMIT PASS ICMPprotocol unreachable

This rule passes ICMP protocolunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks all

such traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903400 Auto RATELIMIT ICMP portunreachable

This rule passes ICMP portunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora certain period of time(specified in Drop interval )

Always enabled Events per second (default=10)

Drop Interval (default=10 sec)

Packets per second (default=50)

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2730

Default PassDrop

NIOS 612 NIOS Administrator Guide (Rev A) 1523

Default Pass Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance All rulesare disabled by default

Table H17 Default PassDrop Rules

130903500 Auto RATELIMIT PASS ICMPfragmentation needed

This rule passes ICMPfragmentation needed messagesif the packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP for

a certain period of time(specified in Drop interval )

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

100000050  System  EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits option set and marked OK.
  Enable/Disable condition: Enabled by default
  Parameters: N/A

140000100  System  DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Enable/Disable condition: Enabled by default
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Enable/Disable condition: Enabled by default
  Parameters: Events per second (default = 1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
  Description: This rule passes all TCP established packets.
  Enable/Disable condition: Enabled by default
  Parameters: Events per second (default = 0)

140000500  System  DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Enable/Disable condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000600  System  DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Enable/Disable condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000700  System  DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Enable/Disable condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This rule drops any ICMP packet. If this rule is triggered, the packet is most likely not intended for services on this member.

140000800  System  DROP unexpected protocol
  Description: This rule drops any unexpected protocol packets.
  Enable/Disable condition: Enabled by default
  Parameters: Events per second (default = 0)
  Comments: This is a catch-all rule that drops anything that does not match any other rule in the system.

HA Support

The following table lists the auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and the Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

140000750  Auto  PASS VRRP
  Description: This rule passes packets that go through VRRP for HA support.
  Enable condition: Enabled if HA is configured
  Parameters: N/A

140000760  Auto  PASS IGMP
  Description: This rule passes packets that go through IGMP for HA support.
  Enable condition: Enabled if HA is configured
  Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs in custom rules, you must first convert the IDNs to punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  — Drop interval: Enter the number of seconds for which the appliance drops packets.
  — Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops DNS lookups for this FQDN when the rate of UDP DNS lookups for it exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups from the IP address or network defined in this rule. The default is 5.
  — Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the TCP traffic of DNS lookups from this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups from the IP address or network defined in this rule. The default is 5.
  — Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the UDP traffic of DNS lookups from this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.
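The template parameters above are free-text lists, and two details matter in practice: IDNs must be supplied as punycode (A-labels), and the WHITELIST and BLACKLIST templates act before any RATELIMITED rule. The following is an added example, not Infoblox code, of how a practitioner might pre-validate such lists and reason about their interaction. It assumes exact FQDN matching (the page does not say whether subdomains are covered) and assumes that a whitelisted source wins over a blacklisted one when both match; the class and function names are invented.

```python
"""Added example (not Infoblox code): normalizing the semicolon-separated FQDN and
address/CIDR lists used by the custom rule templates, and the documented ordering in
which WHITELIST / BLACKLIST rules act before rate limiting. Assumptions: exact FQDN
matching, whitelist evaluated before blacklist, and all names are invented."""
import ipaddress


def normalize_fqdn(name):
    """Lower-case an FQDN, drop the trailing dot and convert IDN labels to A-labels
    (xn--...), the form custom rules require. Python's idna codec does the conversion."""
    name = name.strip().rstrip('.')
    return name.encode('idna').decode('ascii').lower()


def parse_fqdn_list(text):
    """'a.example; Bücher.example;c.test' -> set of normalized FQDNs."""
    return {normalize_fqdn(n) for n in text.split(';') if n.strip()}


def parse_ip_list(text):
    """'198.51.100.0/24;2001:db8::1' -> IPv4/IPv6 networks (a bare host becomes /32 or /128)."""
    return [ipaddress.ip_network(n.strip(), strict=False) for n in text.split(';') if n.strip()]


def ip_matches(src_ip, networks):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


class CustomRuleSet:
    """Custom rules for one transport (the templates come in TCP and UDP variants)."""

    def __init__(self, whitelist_ips='', blacklist_ips='', blacklist_fqdns='',
                 ratelimited_ips='', ratelimited_fqdns=''):
        self.whitelist = parse_ip_list(whitelist_ips)          # WHITELIST IP ... Pass prior to rate limiting
        self.blacklist = parse_ip_list(blacklist_ips)          # BLACKLIST IP ... Drop prior to rate limiting
        self.blocked_names = parse_fqdn_list(blacklist_fqdns)  # BLACKLIST FQDN lookup
        self.ratelimited = parse_ip_list(ratelimited_ips)      # RATELIMITED IP
        self.ratelimited_names = parse_fqdn_list(ratelimited_fqdns)  # RATELIMITED FQDN lookup

    def decide(self, src_ip, qname):
        """Return 'pass', 'drop' or 'ratelimit'. 'ratelimit' means the packet is handed to
        the Packets per second / Drop interval logic, which this example does not model."""
        if ip_matches(src_ip, self.whitelist):
            return 'pass'
        if ip_matches(src_ip, self.blacklist):
            return 'drop'
        qname = normalize_fqdn(qname)
        if qname in self.blocked_names:
            return 'drop'
        if ip_matches(src_ip, self.ratelimited) or qname in self.ratelimited_names:
            return 'ratelimit'
        return 'pass'


if __name__ == '__main__':
    # Constructed sample lists, as an operator would paste them into the Rule Parameters table.
    rules = CustomRuleSet(whitelist_ips='192.0.2.10',
                          blacklist_ips='198.51.100.0/24; 2001:db8::1',
                          blacklist_fqdns='Bücher.example; evil.test.',
                          ratelimited_ips='203.0.113.0/24')
    print(sorted(rules.blocked_names))              # shows the punycode form that the appliance needs
    print(rules.decide('203.0.113.5', 'XN--BCHER-KVA.example.'))
```

Feed the output of `parse_fqdn_list` back into the Blacklisted FQDN field rather than the raw Unicode names, since the appliance does not do the conversion itself.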

DNS Malware

DNS malware is software used to disrupt your DNS service, gather sensitive information, or gain access to your appliance. It can include downloaders, backdoors, trojan horses, and other malicious software.

The following table lists the auto rules that are used to mitigate DNS malware when forwarding DNS requests to a resolver such as a Microsoft DNS server.

Table H7 DNS Malware Rules

110100300  Auto  EARLY DROP UDP MALWARE backdoor
  Description: This rule drops UDP packets that contain the backdoor malware BKDR_QUEJOBEVL, which poses as an installer of Facebook Messenger. This malware may be spread as a malicious attachment in email messages.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

130300300  Auto  DROP MALWARE trojan downloader
  Description: This rule drops UDP packets that contain the trojan downloader malware, which downloads and installs new versions of malicious programs, including Trojans and adware.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

130300400  Auto  DROP MALWARE possible Hiloti
  Description: This rule drops UDP packets that contain trojan Hiloti malicious programs, which may download potentially malicious files from a remote server and report system information back to the server.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

DNS Protocol Anomalies

DNS protocol anomaly attacks send malformed DNS packets, including unexpected header and payload values, to the targeted server. A server that does not validate them can stop responding or crash, for example when a server thread enters an infinite loop while parsing the packet. These anomalies sometimes take the form of impersonation attacks.

The following table lists the rules that are used to mitigate DNS protocol anomalies sent to the appliance.

Table H8 DNS Protocol Anomalies Rules

110100400  Auto  EARLY DROP UDP DNS question name too long
  Description: This rule drops UDP DNS packets when the DNS question name is too long.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

110100500  Auto  EARLY DROP UDP DNS label too long
  Description: This rule drops UDP DNS packets when a DNS label in the name being queried is too long.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

110100600  Auto  EARLY DROP UDP query invalid question count
  Description: This rule drops UDP DNS packets when the number of entries in the question section is invalid.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

110100700  Auto  EARLY DROP UDP query invalid question class
  Description: This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

110100800  Auto  EARLY DROP UDP query invalid question string
  Description: This rule drops UDP DNS packets that contain an invalid question string.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

110100850  Auto  EARLY UDP drop invalid DNS query with Authority
  Description: This rule drops UDP DNS queries that contain an invalid AUTHORITY entry.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

110100900  Auto  EARLY DROP query multiple questions or non-query operation code
  Description: This rule drops UDP DNS packets when multiple questions are queried at one time or the operation code is not Query.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

130000700  Auto  EARLY DROP TCP non-DNS query
  Description: This rule drops TCP packets when the operation code is not Query.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

130000800  Auto  EARLY DROP TCP query multiple questions
  Description: This rule drops TCP DNS packets when multiple questions are queried at one time.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

130100500  Auto  DROP UDP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops UDP DNS incremental zone transfer (IXFR) requests that contain zero or more than one Authority entry.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

130100600  Auto  DROP TCP DNS invalid IXFR query with zero or more than one Authority
  Description: This rule drops TCP DNS incremental zone transfer (IXFR) requests that contain zero or more than one Authority entry.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

130300200  Auto  DROP TCP invalid DNS query with Authority
  Description: This rule drops TCP DNS queries that contain invalid Authority entries.
  Enable condition: Always enabled
  Parameters: Events per second (default = 1)

Potential DDoS Related Domains

This rule category includes system rules that the appliance uses to blacklist domains that may have been the targets or subjects of NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.
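The DNS Protocol Anomalies rules in Table H8 above each correspond to one sanity check on the DNS header or question section. The following is an added example, not Infoblox code, that applies those checks to a raw UDP DNS message so that a practitioner can see what each rule is looking for and forge packets that trigger it. The page does not state the exact limits the appliance uses, so the RFC 1035 limits (63-octet labels, 255-octet names), the accepted class set {IN, CH, HS, ANY}, and the rule that a non-IXFR query carries no Authority records are assumptions; the function names are invented.

```python
"""Added example (not Infoblox code): the checks behind the Table H8 DNS Protocol
Anomalies rules, applied to a raw UDP DNS message. Limits and the accepted class set
are assumptions (RFC 1035 values), not documented appliance behaviour."""
import struct

OPCODE_QUERY = 0
QTYPE_IXFR = 251
VALID_QCLASSES = {1, 3, 4, 255}   # IN, CH, HS, ANY (assumption)


def encode_name(name):
    """Dotted name -> uncompressed wire format. Over-long labels are written as-is so
    that anomalous test packets can be forged."""
    out = bytearray()
    for label in name.rstrip('.').split('.'):
        if not label:
            continue
        raw = label.encode('ascii')
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name, qtype=1, qclass=1, opcode=OPCODE_QUERY, qdcount=1, nscount=0):
    """Forge a DNS query. Section counts are written verbatim with no records behind
    them, which is exactly the malformed shape the anomaly rules look for."""
    flags = (opcode & 0xF) << 11                      # QR=0, RD=0
    header = struct.pack('!HHHHHH', 0x1234, flags, qdcount, 0, nscount, 0)
    return header + encode_name(name) + struct.pack('!HH', qtype, qclass)


def check_query(msg):
    """Return the Table H8 rule names a UDP DNS message would trigger ([] if clean)."""
    hits = []
    if len(msg) < 12:
        return ['invalid question string']            # 110100800: no parsable question
    _ident, flags, qd, _an, ns, _ar = struct.unpack('!HHHHHH', msg[:12])
    if (flags >> 11) & 0xF != OPCODE_QUERY:
        hits.append('non-query operation code')       # 110100900 / 130000700
    if qd == 0:
        hits.append('invalid question count')         # 110100600
    elif qd > 1:
        hits.append('multiple questions')             # 110100900 / 130000800
    pos, name_len = 12, 0
    while True:                                       # walk the first question name
        if pos >= len(msg):
            return hits + ['invalid question string']  # name runs off the end of the packet
        ll = msg[pos]
        if ll == 0:
            pos += 1
            name_len += 1
            break
        if ll & 0xC0 == 0xC0:
            return hits + ['invalid question string']  # compression pointer inside a question
        if ll > 63:
            hits.append('label too long')             # 110100500
        name_len += 1 + ll
        pos += 1 + ll
    if name_len > 255:
        hits.append('question name too long')         # 110100400
    if pos + 4 > len(msg):
        return hits + ['invalid question string']      # QTYPE/QCLASS missing
    qtype, qclass = struct.unpack('!HH', msg[pos:pos + 4])
    if qclass not in VALID_QCLASSES:
        hits.append('invalid question class')         # 110100700
    if qtype == QTYPE_IXFR:
        if ns != 1:                                   # IXFR carries exactly one SOA in Authority
            hits.append('IXFR query with zero or more than one Authority')  # 130100500 / 130100600
    elif ns != 0:
        hits.append('query with Authority')           # 110100850 / 130300200
    return hits


if __name__ == '__main__':
    # Constructed packets: a clean query and one with a 64-octet label.
    print(check_query(build_query('www.example.com')))
    print(check_query(build_query('a' * 64 + '.example.com')))
```

The TCP variants of these rules (130000700, 130000800, 130100600, 130300200) apply the same checks after the two-byte length prefix that TCP DNS uses, so the same function serves once that prefix is stripped.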

TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks that send massive numbers of packets to consume network bandwidth and server resources. They exploit the TCP and UDP transport protocols.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

130000100  System  WARN about high rate inbound UDP DNS queries
  Description: This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable condition: Disabled by default
  Parameters: Packets per second (default = 40); Events per second (default = 1)
  Comments: Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second value configured for this rule should be less than that of rule 130000200.

130000200  System  WARN & BLOCK high rate inbound UDP DNS queries
  Description: This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators. This rule may be triggered if its Packets per second value is lower than that of the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that of rule 130000100.

130000300  System  WARN about high rate inbound TCP DNS queries
  Description: This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
  Enable condition: Disabled by default
  Parameters: Packets per second (default = 5); Events per second (default = 1)
  Comments: Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second value configured for this rule should be less than that of rule 130000400.

130000400  System  WARN & BLOCK high rate inbound TCP DNS queries
  Description: This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the period specified in Drop interval.
  Enable condition: Disabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators. This rule may be triggered if its Packets per second value is lower than that of the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300.

DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.

Table H10 DNS DDoS Rules

200000001  System  NXDOMAIN rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

200000002  System  NXRRSET rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators. NOTE: NXRRSET responses are responses with the NOERROR response code and no records in the answer section (the name exists but has no records of the requested type, also called NODATA).

200000003  System  SERVFAIL rate limiting rule
  Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
  Enable/Disable condition: Enabled by default
  Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
  Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.
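Every rate-limit rule on this page (the ICMP RATELIMIT PASS rows, the TCP/UDP Flood WARN / WARN & BLOCK pairs in Table H9, and the DNS DDoS rules in Table H10) shares one mechanism: a per-source packet rate compared against a Packets per second threshold, a Drop interval during which the offending source is dropped outright, and an Events per second cap on how much the rule logs. The following is an added reference model, not Infoblox code, that makes the three parameters concrete; the one-second sliding window, the 'warn at or above the low threshold, block strictly above the high threshold' reading of the table text, per-rule event throttling, and all class and function names are assumptions for illustration.

```python
"""Added reference model (not Infoblox code) of the per-source rate limiting that the
TCP/UDP Flood and DNS DDoS rules describe: a one-second sliding window per source IP,
a low 'warn' threshold and a high 'block' threshold, a Drop interval during which the
source is dropped outright, and an Events per second cap on log output."""
from collections import defaultdict, deque


class SourceRateLimiter:
    def __init__(self, block_pps, drop_interval, warn_pps=None, events_per_second=1):
        self.block_pps = block_pps            # 'Packets per second' of the WARN & BLOCK rule
        self.warn_pps = block_pps if warn_pps is None else warn_pps  # 'Packets per second' of the WARN rule
        self.drop_interval = drop_interval    # seconds a blocked source stays blocked
        self.events_per_second = events_per_second
        self.windows = defaultdict(deque)     # src -> packet timestamps within the last second
        self.blocked_until = {}               # src -> time at which its block expires
        self.events = []                      # (time, kind, src) log events actually emitted
        self._event_windows = defaultdict(deque)

    def is_blocked(self, now, src):
        """True while src is inside its Drop interval; expired blocks are cleared."""
        until = self.blocked_until.get(src)
        if until is None:
            return False
        if now < until:
            return True
        del self.blocked_until[src]
        return False

    def _log(self, now, kind, src):
        """Emit at most events_per_second log events of each kind; the rest are suppressed."""
        win = self._event_windows[kind]
        while win and now - win[0] >= 1.0:
            win.popleft()
        if len(win) < self.events_per_second:
            win.append(now)
            self.events.append((now, kind, src))

    def observe(self, now, src):
        """Account one packet from src at time now; return 'pass', 'warn' or 'drop'."""
        if self.is_blocked(now, src):
            return 'drop'
        win = self.windows[src]
        win.append(now)
        while now - win[0] >= 1.0:            # keep only the trailing one-second window
            win.popleft()
        rate = len(win)
        if rate > self.block_pps:             # rate EXCEEDS the high threshold: block
            self.blocked_until[src] = now + self.drop_interval
            win.clear()
            self._log(now, 'block', src)
            return 'drop'
        if rate >= self.warn_pps:             # rate reaches the low threshold: warn only
            self._log(now, 'warn', src)
            return 'warn'
        return 'pass'


def simulate_udp_flood(pps, seconds, warn_pps=40, block_pps=1000, drop_interval=5):
    """Rules 130000100 / 130000200 with their defaults: one constructed source sending
    `pps` evenly spaced packets per second. Returns (verdict counts, limiter)."""
    lim = SourceRateLimiter(block_pps, drop_interval, warn_pps=warn_pps)
    counts = {'pass': 0, 'warn': 0, 'drop': 0}
    for i in range(pps * seconds):
        counts[lim.observe(i / pps, '203.0.113.7')] += 1
    return counts, lim


def nxdomain_rule(events, pps=1000, drop_interval=5):
    """Rule 200000001: only queries answered NXDOMAIN count toward the rate, but a
    blocked source loses ALL of its UDP DNS traffic. events: iterable of (time, src, rcode)."""
    lim = SourceRateLimiter(pps, drop_interval)
    verdicts = []
    for now, src, rcode in events:
        if lim.is_blocked(now, src):
            verdicts.append('drop')
        elif rcode == 'NXDOMAIN':
            verdicts.append(lim.observe(now, src))
        else:
            verdicts.append('pass')
    return verdicts


if __name__ == '__main__':
    counts, lim = simulate_udp_flood(pps=1200, seconds=2)
    print(counts, [(round(t, 3), kind) for t, kind, _ in lim.events])
```

With the defaults, a source at 1200 pps is warned about after its 40th packet and blocked for 5 seconds after its 1001st; because Events per second is 1, only one 'warn' and one 'block' event reach the log. Raise Packets per second for NAT gateways, static forwarders and VPN concentrators, as the table comments advise, because the model counts per source address and a whole site appears as one source.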

DNS Tunneling

NIOS 612 NIOS Administrator Guide (Rev A) 1513

DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltrationOutbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNSresponses

The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance

Table H11 Anti DNS Tunneling Rules

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing changing the source address in their DNS queries to show theaddress of their intended target such as a DNS root server or a top-level domain (TLD) name server operator DNS

reflection and amplification recognizes UDP as an asymmetrical protocol (small requests large responses) and theexistence of open DNS resolvers to the Internet cloud The result is that small DNS queries reflect large UDP datagramresponses to the target address in the original source datagrams Some recent attacks have used this DDoStechnique at a huge scale

Since DNS runs over UDP and does not require a handshake it is possible to use the protocol as a means to lock downa host or a network Designed a specific way sending a small query to any open DNS resolver can result in a singleresponse containing several kilobytes or more that are sent to the unwitting spoofed victim (This type of responsetypically is sent via TCP as UDP does not allow for more than 512 bytes in a response datagram The resulting packetusually exceeds the MTU of the recipientrsquos interfaces resulting in further packet fragmentation and processing) OpenDNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data Attackers may also

Rule ID

Rule

Type

Rule Name Description

EnableDisable

Condition

Parameters Comments

130000500 System RATELIMIT UDP highrate inbound largeDNS queries (antitunneling)

This rule warns If any source IPsends large UDP DNS queries(which could be DNS tunnelingattacks) at a rate equals thePackets per second value If therate exceeds this value it blocksall such traffic from this source IPfor the time in Drop interval

This rule is triggered when theDNS Packet size exceeds theconfigured value

Disabled bydefault

Packets per second (default = 100)

Drop interval (default = 5 seconds)

Events per second (default = 1)

Packet size

(default = 200)

Consider tuning Packets

per second to a highervalue for NATdenvironments staticforwarders and VPNconcentrators

130000600 Auto RATELIMIT TCP highrate inbound largeDNS queries(anti-tunneling)

This rule warns if any source IPsends large TCP DNS queries(which could be DNS tunnelingattacks) at a rate equals thePackets per second value If therate exceeds the value theappliance blocks all such trafficfrom this source IP for the Drop

interval

This rule is triggered when theDNS Packet size exceeds theconfigured value

Disabled bydefault

Packets per second (default = 100)

Drop interval

(default = 5 seconds)

Events per second (default = 1)

Packet size

(default = 200)

Consider tuning Packets

per second to a highervalue for NATdenvironments staticforwarders and VPNconcentrators

200000004 System DNS tunneling ratelimiting rule

This rule warns If any source IPsends inbound UDP DNS queriesthat trigger large TXT responses ata rate equals the Packets per

second value If the rate exceedsthis value it blocks all such t rafficfrom this source IP for the Drop

interval

This rule is triggered when the sizeof the TXT records in the DNSresponses exceeds the configuredDNS Packet size

Enabled bydefault

Packets per second (default = 1000)

Drop interval

(default = 5 seconds)

Events per second (default = 1)

Packet size

(default = 40)

Consider tuning Packets

per second to a highervalue for NATdenvironments static

forwarders and VPNconcentrators

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 1830

1514 NIOS Administrator Guide (Rev A) NIOS 612

use the EDNS0 DNS protocol extension as a means to enable larger DNS responses Many network operatorsparticularly overseas allow open DNS resolvers to run on their networks unwittingly allowing attackers to abusethem Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting openrecursive DNS servers Hence issues of this type usually result from mistakes in configuration

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance. Each entry lists the rule ID, rule type, rule name, description, enable/disable condition, parameters (with their default values) and comments.

Table H12 DNS Amplification and Reflection Rules

130400100  Auto  WARN & DROP DoS DNS possible reflection/amplification attack attempts
    Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query type is "ANY".
    Enable/Disable condition: Enabled by default
    Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders and VPN concentrators.

130400500  System  RATE LIMIT PASS UDP DNS root requests with additional RRs
    Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable/Disable condition: Disabled by default
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

130400600  System  RATE LIMIT PASS UDP DNS root requests
    Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable/Disable condition: Disabled by default
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
    Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules

130600100  Auto  RATELIMIT PASS NTP TIME responses
    Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second. It then blocks all NTP traffic for 15 seconds.
    Enable/Disable condition: Enabled when the NTP client is enabled
    Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

130600120  Auto  DROP NTP TIME responses
    Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
    Enable/Disable condition: Enabled when the NTP client is disabled
    Parameters: Events per second (default = 1)


200001001  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks consisting of frequent unauthenticated GET_RESTRICT requests with implementation number 0x02. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001005  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks consisting of frequent unauthenticated GET_RESTRICT requests with implementation number 0x03. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001010  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks consisting of frequent unauthenticated PEER_LIST_SUM requests with implementation number 0x02. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001015  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks consisting of frequent unauthenticated PEER_LIST_SUM requests with implementation number 0x03. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001020  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks consisting of frequent unauthenticated PEER_LIST requests with implementation number 0x02. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001025  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks consisting of frequent unauthenticated PEER_LIST requests with implementation number 0x03. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default = 1)

200001050  Auto  RATELIMIT PASS NTPQ IPv4 requests
    Description: This rule passes UDP NTPQ requests from the NTP IPv4 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)


200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
    Description: This rule passes UDP NTP TIME requests from the NTP IPv4 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
    Description: This rule passes UDP NTP private mode 7 requests from the NTP IPv4 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
    Description: This rule passes UDP NTPQ requests from the NTP IPv6 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
    Description: This rule passes UDP NTP TIME requests from the NTP IPv6 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001075  Auto  RATELIMIT PASS NTP private mode IPv6 requests
    Description: This rule passes UDP NTP private mode 7 requests from the NTP IPv6 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

200001100  Auto  DROP NTPQ requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default = 1)

200001105  Auto  DROP NTP TIME requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default = 1)

200001110  Auto  DROP NTP private mode requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default = 1)

200001115  Auto  DROP invalid NTP requests
    Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default = 1)
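The NTP rules above key on a handful of header fields: mode 6 (the NTPQ control protocol) versus mode 7 (the private, ntpdc protocol), and for mode 7 the implementation number (0x02 or 0x03), the request code (PEER_LIST, PEER_LIST_SUM, GET_RESTRICT) and whether the request is authenticated. The decoder below is an added example, not Infoblox code, showing how those fields are read from a packet and which of rules 200001001 to 200001025 a given request falls under. Field offsets and code values follow ntpd's ntp_request.h; the "frequent" threshold the rules apply is not stated on this page and is not modelled; all sample packets are constructed.

```python
"""Added example (not Infoblox code): decode the NTP header fields that the NTP
rules in Table H13 key on.  Mode 6 is the NTPQ (control) protocol, mode 7 the
private (ntpdc) protocol.  For mode 7 the rules name implementation numbers
0x02 (IMPL_XNTPD_OLD) and 0x03 (IMPL_XNTPD) and request codes PEER_LIST,
PEER_LIST_SUM and GET_RESTRICT sent without authentication.  Offsets and code
values follow ntpd's ntp_request.h; the sample packets are constructed."""

MODE_CONTROL, MODE_PRIVATE = 6, 7
IMPL_NAMES = {0: "IMPL_UNIV", 2: "IMPL_XNTPD_OLD", 3: "IMPL_XNTPD"}
REQ_NAMES = {0: "PEER_LIST", 1: "PEER_LIST_SUM", 16: "GET_RESTRICT", 42: "MON_GETLIST_1"}
# (implementation, request code) -> the Table H13 rule that covers it
RULE_FOR = {(2, 16): "200001001", (3, 16): "200001005",
            (2, 1): "200001010", (3, 1): "200001015",
            (2, 0): "200001020", (3, 0): "200001025"}


def classify(pkt: bytes) -> dict:
    """Return the fields a rule needs: version and mode for every packet; for
    mode 7 also the R (response) and A (authenticated) bits, implementation and
    request code, plus the Table H13 rule ID when it is a watched request."""
    if len(pkt) < 4:
        return {"valid": False, "reason": "shorter than any NTP header"}
    b0 = pkt[0]
    info = {"valid": True, "version": (b0 >> 3) & 0x07, "mode": b0 & 0x07}
    mode = info["mode"]
    if mode == MODE_PRIVATE:
        # mode 7 header: R|M|VN|MODE, A|SEQ, IMPLEMENTATION, REQUEST, err/nitems, mbz/itemsize
        if len(pkt) < 8:
            return {"valid": False, "reason": "mode 7 header needs 8 bytes"}
        a_seq, impl, req = pkt[1], pkt[2], pkt[3]
        info.update(response=bool(b0 & 0x80), authenticated=bool(a_seq & 0x80),
                    sequence=a_seq & 0x7F,
                    implementation=impl, impl_name=IMPL_NAMES.get(impl, f"impl_{impl}"),
                    request=req, request_name=REQ_NAMES.get(req, f"req_{req}"))
        watched = (not info["response"] and not info["authenticated"]
                   and (impl, req) in RULE_FOR)
        info["rule"] = RULE_FOR[(impl, req)] if watched else None
    elif mode == MODE_CONTROL:
        # mode 6 header: LI|VN|MODE, R|E|M|OPCODE, sequence, status, assoc id, offset, count
        if len(pkt) < 12:
            return {"valid": False, "reason": "mode 6 header needs 12 bytes"}
        info.update(response=bool(pkt[1] & 0x80), opcode=pkt[1] & 0x1F)
    elif 1 <= mode <= 5 and len(pkt) >= 48:
        # TIME packets (mode 3 client request, mode 4 server response) are 48 bytes before any MAC
        info["leap"] = b0 >> 6
    else:
        return {"valid": False, "reason": "invalid NTP request"}
    return info


def mode7(impl: int, req: int, authenticated=False, response=False) -> bytes:
    """Constructed 8-byte mode 7 packet (version 2, sequence 0, no data items)."""
    b0 = (0x80 if response else 0) | (2 << 3) | MODE_PRIVATE
    b1 = 0x80 if authenticated else 0
    return bytes([b0, b1, impl, req]) + b"\x00" * 4


def time_request() -> bytes:
    """Constructed 48-byte NTPv4 mode 3 (client) TIME request with zeroed timestamps."""
    return bytes([(4 << 3) | 3]) + b"\x00" * 47


if __name__ == "__main__":
    for label, pkt in [("unauthenticated GET_RESTRICT, IMPL 0x03", mode7(3, 16)),
                       ("authenticated GET_RESTRICT", mode7(3, 16, authenticated=True)),
                       ("monlist (not one of the Table H13 rules)", mode7(3, 42)),
                       ("client TIME request", time_request())]:
        print(f"{label}: {classify(pkt)}")
```

Note that the rules also require the NTP server to be enabled on the member; when it is disabled, rules 200001100 to 200001115 drop these packets outright, so the classification above only matters on members that serve NTP.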


BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

130700100  Auto  DROP BGP header length shorter than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is shorter than the RFC specification.
    Enable/Disable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

130700200  Auto  DROP BGP header length longer than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is longer than the RFC specification.
    Enable/Disable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

130700300  Auto  DROP BGP spoofed connection reset attempts
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
    Enable/Disable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

130700400  Auto  DROP BGP invalid type 0
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
    Enable/Disable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

130700500  Auto  DROP BGP invalid type bigger than 5
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
    Enable/Disable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default = 1)

130700550  Auto  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
    Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Enabled when BGP service on this member is configured with IPv4 peers
    Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10)

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
    Description: This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Enabled when BGP service on this member is configured with IPv4 peers
    Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10)

130700650  Auto  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
    Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Enabled when BGP service on this member is configured with IPv6 peers
    Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10)


130700700  Auto  RATELIMIT PASS BGP allowed with IPv6 peer
    Description: This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Enabled when BGP service on this member is configured with IPv6 peers
    Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10)

130800100  Auto  DROP BGP unexpected
    Description: When BGP is not configured on this member, any TCP BGP packet is unexpected and this rule drops it.
    Enable/Disable condition: This rule takes effect when BGP service on this member is NOT configured
    Parameters: Events per second (default = 1)
    Comments: This rule is exclusive with the other BGP rules: which of them apply depends on whether BGP is configured on the member.

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance. Which rules take effect depends on whether OSPF is configured on the member.

Table H15 OSPF Rules


130900300  Auto  DROP OSPF unexpected
    Description: This rule drops unexpected OSPF packets.
    Enable/Disable condition: This rule takes effect when OSPF service on this member is NOT configured
    Parameters: Events per second (default = 1)
    Comments: Default drop rule for all packets on the OSPF service port.

130900400  Auto  RATELIMIT PASS OSPF multicast
    Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: This rule takes effect when OSPF service on this member is configured for IPv4
    Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 100)

130900500  Auto  RATELIMIT PASS OSPF IPv6 multicast
    Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: This rule takes effect when OSPF service on this member is configured for IPv6
    Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 100)

130900600  Auto  RATELIMIT PASS OSPF
    Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: This rule takes effect when OSPF service on this member is configured
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)
    Comments: This rule works for both IPv4 and IPv6.
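Every RATELIMIT PASS rule in Tables H12 through H15 (and in the ICMP table that follows), as well as the WARN & DROP rule 130400100, is built on the same three parameters: Packets per second, Drop interval and Events per second. The model below is an added example, not Infoblox code, of how those parameters interact. It assumes a fixed one-second counting window per source IP (the appliance's actual counter may be a token bucket or sliding window; that detail is not on this page) and uses constructed traffic to reproduce the tuning note on rule 130400100: hosts behind one NAT address share a single per-source counter, so the default of 5 packets per second blocks nearly all of their queries, while a value of 100 passes them.

```python
"""Added example, not Infoblox code: a model of the RATELIMIT PASS / WARN & DROP
rule family used throughout these tables.  Every such rule counts packets per
source IP; once a source exceeds Packets per second, all further packets from
that source are dropped for Drop interval seconds; Events per second caps how
many log events the rule writes in any one second.
ASSUMPTION: the appliance's real counter may be a token bucket or sliding
window; this model uses a fixed one-second window and millisecond timestamps."""
from collections import defaultdict


class RateLimitRule:
    def __init__(self, rule_id, packets_per_second, drop_interval, events_per_second=1):
        self.rule_id = rule_id
        self.pps = packets_per_second
        self.drop_ms = int(drop_interval * 1000)
        self.eps = events_per_second
        self.window = {}                  # src -> [second, packets seen in that second]
        self.blocked_until = {}           # src -> timestamp (ms) when its drop interval ends
        self.events_in_second = defaultdict(int)
        self.log = []                     # (ts_ms, message) lines actually written

    def _emit(self, ts_ms, msg):
        """Events per second: suppress log lines beyond the cap for this second."""
        sec = ts_ms // 1000
        if self.events_in_second[sec] < self.eps:
            self.events_in_second[sec] += 1
            self.log.append((ts_ms, msg))

    def handle(self, src, ts_ms):
        """Return 'PASS' or 'DROP' for one packet from src at time ts_ms."""
        if ts_ms < self.blocked_until.get(src, -1):
            return "DROP"                           # still inside the drop interval
        sec = ts_ms // 1000
        win = self.window.setdefault(src, [sec, 0])
        if win[0] != sec:
            win[0], win[1] = sec, 0                 # new one-second window
        win[1] += 1
        if win[1] > self.pps:
            self.blocked_until[src] = ts_ms + self.drop_ms
            self._emit(ts_ms, f"rule {self.rule_id}: {src} exceeded {self.pps} pps, "
                              f"dropping for {self.drop_ms // 1000}s")
            return "DROP"
        return "PASS"


def nat_scenario(clients, qps_per_client, pps, drop_interval=5.0, seconds=10):
    """Constructed traffic: `clients` hosts behind one NAT address, each sending
    qps_per_client ANY queries per second, spread evenly across each second.
    Returns (passed, dropped, log_lines) for rule 130400100 at the given pps."""
    rule = RateLimitRule("130400100", pps, drop_interval)
    per_sec = clients * qps_per_client
    passed = dropped = 0
    for s in range(seconds):
        for i in range(per_sec):
            ts_ms = s * 1000 + (i * 1000) // per_sec
            if rule.handle("203.0.113.10", ts_ms) == "PASS":
                passed += 1
            else:
                dropped += 1
    return passed, dropped, len(rule.log)


def burst_scenario(sources, packets_each=6, pps=5):
    """Constructed burst: many distinct sources each exceed pps inside one second.
    Every source gets blocked, but Events per second (default 1) means only one
    log line is written for that second.  Returns (blocked_sources, log_lines)."""
    rule = RateLimitRule("130400100", pps, 5.0)
    for n in range(sources):
        for i in range(packets_each):
            rule.handle(f"198.51.100.{n}", 100 + i)
    return len(rule.blocked_until), len(rule.log)


if __name__ == "__main__":
    print("default pps=5 :", nat_scenario(25, 4, pps=5))    # almost everything dropped
    print("tuned pps=100 :", nat_scenario(25, 4, pps=100))  # everything passes
    print("burst, eps=1  :", burst_scenario(20))            # 20 blocks, 1 log line
```

The second scenario is why Events per second matters operationally: it keeps a flood of distinct sources from turning the rule's own logging into a second denial of service, at the price that the log under-counts how many sources were actually blocked.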


ICMP

ICMP is the protocol that network devices such as routers use to send error messages, for example when a requested service is not available or a remote host cannot be reached. Attackers abuse it in ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

130400200  Auto  DROP ICMP large packets
    Description: This rule drops large ICMP packets (larger than 800 bytes).
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1)

130900100  Auto  RATE LIMIT PASS ICMP Ping
    Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

130900200  Auto  RATE LIMIT PASS ICMPv6 Ping
    Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

130900700  Auto  RATELIMIT PASS ICMPv6 destination unreachable
    Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 100)

130900800  Auto  RATELIMIT PASS ICMPv6 packet too big
    Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 100)

130900900  Auto  RATELIMIT PASS ICMPv6 ping responses
    Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

130901000  Auto  RATELIMIT PASS ICMPv6 parameter problem erroneous header
    Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)


130901100  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
    Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
    Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
    Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
    Description: This rule passes ICMPv6 router advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
    Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
    Description: This rule passes ICMPv6 neighbor advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
    Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
    Description: This rule passes ICMPv6 inverse neighbor advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)


130901900  Auto  RATELIMIT PASS ICMPv6 listener query
    Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
    Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
    Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
    Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130902300  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
    Description: This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130902400  Auto  RATELIMIT PASS ICMPv6 multicast router solicitation
    Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130902500  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
    Description: This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
    Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)


130902700  Auto  RATELIMIT PASS ICMP router advertisement
    Description: This rule passes ICMP router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
    Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
    Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
    Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
    Description: This rule passes ICMPv6 Hop Limit Exceeded messages and ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
    Description: This rule passes ICMPv6 fragment reassembly time exceeded messages and ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
    Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

130903400  Auto  RATELIMIT ICMP port unreachable
    Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 10); Drop interval (default = 10 seconds); Packets per second (default = 50)


130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
    Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All of these rules are enabled by default.

Table H17 Default Pass/Drop Rules

100000050  System  EARLY PASS TCP with flowbits set
    Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
    Enable condition: Enabled by default
    Parameters: N/A

140000100  System  DROP UDP DNS unexpected
    Description: This rule drops any unexpected UDP DNS packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
    Description: This rule drops any unexpected TCP DNS packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
    Description: This rule passes all packets on established TCP connections.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 0)

140000500  System  DROP TCP unexpected
    Description: This rule drops any unexpected TCP packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 0)
    Comments: This rule drops any TCP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000600  System  DROP UDP unexpected
    Description: This rule drops any unexpected UDP packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 0)
    Comments: This rule drops any UDP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000700  System  DROP ICMP unexpected
    Description: This rule drops any unexpected ICMP packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 0)
    Comments: This rule drops any ICMP packet. If this rule is triggered, the packet is most likely not intended for services on this member.

140000800  System  DROP unexpected protocol
    Description: This rule drops packets of any unexpected protocol.
    Enable condition: Enabled by default
    Parameters: Events per second (default = 0)
    Comments: This is a catch-all rule that drops anything that does not match any other rule in the system.


HA Support

The following table lists the auto rules that are used to pass Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) packets, which HA (High Availability) support relies on.

Table H18 HA Support Rules

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs in custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.
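The following is an added example, not Infoblox code, of the matching the BLACKLIST templates in this section describe, including the IDN conversion the note above requires (Python's idna codec produces the same xn-- form as the IDN Converter). It assumes exact matching on the normalised query name and evaluates the IP blacklist before the FQDN blacklist, following the template names ("Drop prior to rate limiting"); the appliance's internal matching order beyond that is not stated on this page. All addresses and names are constructed.

```python
"""Added example, not Infoblox code: parameter parsing and evaluation order for
the custom BLACKLIST templates.  ASSUMPTIONS: FQDN matching is exact on the
normalised query name; IP blacklists are evaluated before FQDN blacklists and
both before any RATELIMITED rule.  Sample values are constructed."""
import ipaddress


def to_punycode(fqdn: str) -> str:
    """Normalise a query name the way the IDN note requires: lower-case, no
    trailing dot, every non-ASCII label converted to its xn-- (Punycode) form."""
    name = fqdn.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def parse_fqdn_list(value: str) -> set:
    """'Blacklisted FQDN' accepts one name or a semicolon-separated list."""
    return {to_punycode(n) for n in value.split(";") if n.strip()}


def parse_ip_list(value: str) -> list:
    """'Blacklisted IP address/network' accepts IPv4/IPv6 addresses or
    address/CIDR networks, semicolon-separated (assumed, as for FQDNs)."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in value.split(";") if n.strip()]


class CustomRules:
    def __init__(self):
        self.ip_blacklist = {"tcp": [], "udp": []}
        self.fqdn_blacklist = {"tcp": set(), "udp": set()}

    def add_blacklist_ip(self, proto, value):      # BLACKLIST IP TCP / UDP templates
        self.ip_blacklist[proto] += parse_ip_list(value)

    def add_blacklist_fqdn(self, proto, value):    # BLACKLIST FQDN lookup TCP / UDP templates
        self.fqdn_blacklist[proto] |= parse_fqdn_list(value)

    def evaluate(self, src_ip, proto, qname=None):
        """Return (verdict, reason) for one packet.  Order: IP blacklist first
        ("Drop prior to rate limiting"), then FQDN blacklist, then fall through
        to whatever RATELIMITED rules are defined."""
        src = ipaddress.ip_address(src_ip)
        if any(src in net for net in self.ip_blacklist[proto]):
            return "DROP", f"BLACKLIST IP {proto.upper()}"
        if qname is not None and to_punycode(qname) in self.fqdn_blacklist[proto]:
            return "DROP", f"BLACKLIST FQDN lookup {proto.upper()}"
        return "PASS", "no blacklist match; RATELIMITED rules evaluate next"


if __name__ == "__main__":
    rules = CustomRules()
    rules.add_blacklist_ip("udp", "203.0.113.0/24; 2001:db8::/32")
    rules.add_blacklist_fqdn("udp", "bücher.example; evil.example")
    print(parse_fqdn_list("bücher.example; evil.example"))
    for src, proto, q in [("203.0.113.9", "udp", "www.example"),
                          ("198.51.100.1", "udp", "BÜCHER.example."),
                          ("198.51.100.1", "tcp", "bücher.example")]:
        print(src, proto, q, "->", rules.evaluate(src, proto, q))
```

Because the UDP and TCP templates are separate, a name or network blacklisted only for UDP still passes over TCP; define both when the intent is to block the source regardless of transport.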

bull BLACKLIST FQDN lookup TCP Use this rule template to create custom rules for blacklisting DNS queries by FQDNlookups on TCP In the Rule Parameters table complete the following

mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over TCP traffic You can also enter alist of FQDNs using semicolon as the separator

bull BLACKLIST FQDN lookup UDP Use this rule template to create custom rules for blacklisting DNS queries byFQDN lookups on UDP In the Rule Parameters table complete the following

mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over UDP traffic You can also enter alist of FQDNs using semicolon as the separator

bull BLACKLIST IP TCP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP TCP template In the Rule Parameters table complete the following

mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all TCP traffic from the specified Ipv4 and IPv6

addresses and networks will be blocked Enter network addresses in addressCIDR formatbull BLACKLIST IP UDP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6

addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP UDP template In the Rule Parameters table complete the following

mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all UDP traffic from the specified Ipv4 and IPv6addresses and networks will be blocked Enter network addresses in addressCIDR format

bull RATELIMITED FQDN lookup UDP Use this rule template to create custom rules that contains rate limitingrestrictions for blocking DNS queries by FQDN lookups on UDP traffic In the Rule Parameters table completethe following

Rule ID

Rule

Type

Rule Name Description Enable Condition Parameters Comments

140000750 Auto PASS VRRP This rule passes packets thatgo through VRRP for HAsupport

Enabled if HA isconfigured

NA

140000760 Auto PASS IGMP This rule passes packets thatgo through IGMP for HAsupport

Enabled if HA isconfigured

NA

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2930

Custom Rule Templates

NIOS 612 NIOS Administrator Guide (Rev A) 1525

mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this ruleThe default is 5

mdash Drop interval Enter the number of seconds for which the appliance drops packets

mdash Blacklist rate limited FQDN Enter the FQDN that is affected by the rate limit value configured for this ruleThe appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDNexceeds the configured rate limit value

bull RATELIMITED IP TCP Use this rule template to create custom rules that contains rate limiting restrictions forblacklisting IP addresses on TCP If there are certain IP addresses that you want to block before its traffic reachesthe rate limit restrictions you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting templateIn the Rule Parameters table complete the following

mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of TCP traffic that consists of DNS lookups for the IP address or networkdefined in this rule The default is 5

mdash Drop interval Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IPaddress or network defined for this rule The default is 30 seconds

mdash Rate limited IP addressnetwork Enter the IP address or network that is affected by the rate limit valueconfigured for this rule The appliance drops the packets sent by this IP address based on the drop intervalwhen the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value

bull RATELIMITED IP UDP Use this rule template to create custom rules that contains rate limiting restrictions forblacklisting IP addresses on UDP If there are certain IP addresses that you want to block before its trafficreaches the rate limit restrictions you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template In the Rule Parameters table complete the following

mdash Packets per second Enter the number of packets per second to define the rate limit for this rule You definethis value to control the rate of UDP traffic that consists of DNS lookups for the IP address or networkdefined in this rule The default is 5

mdash Drop interval Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IPaddress or network defined for this rule The default is 30 seconds

mdash Rate limited IP addressnetwork Enter the IP address or network that is affected by the rate limit valueconfigured for this rule The appliance drops the packets sent by this IP address based on the drop interval

when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit valuebull WHITELIST IP TCP Pass prior to rate limiting Use this rule template to create custom rules for allowing certain IP

addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP TCP template In the Rule Parameters table complete the following

mdash Whitelisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are allowed beforeany relevant rate limiting rules take effect

bull WHITELIST IP UDP Pass prior to rate limiting Use this rule template to create custom rules for allowing certain IPaddresses on UDP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP UDP template In the Rule Parameters table complete the following

mdash Whitelisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are allowed beforeany relevant rate limiting rules take effect
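The BLACKLIST FQDN templates take a semicolon-separated list and, per the note above, accept only punycode names. The following helper, an added example and not Infoblox code, prepares such a parameter value from a mixed list of ASCII and IDN names and checks query names against it; the exact, case-insensitive match in is_blacklisted is an assumption, not documented appliance behaviour.

```python
def to_punycode(fqdn: str) -> str:
    """Convert one FQDN to its IDNA (punycode) form; ASCII names pass through.

    The name is lower-cased and a trailing dot removed first, because the
    built-in 'idna' codec leaves pure-ASCII labels untouched."""
    name = fqdn.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def build_blacklist_parameter(fqdns) -> str:
    """Return the value to paste into the Blacklisted FQDN parameter:
    punycode names, semicolon-separated, empty entries and duplicates dropped."""
    result = []
    for fqdn in fqdns:
        if not fqdn.strip():
            continue
        p = to_punycode(fqdn)
        if p not in result:
            result.append(p)
    return ";".join(result)


def parse_blacklist_parameter(value: str) -> set:
    """Split a stored parameter value back into the set of blacklisted names."""
    return {e.strip().lower() for e in value.split(";") if e.strip()}


def is_blacklisted(query_name: str, blacklist: set) -> bool:
    """Assumed check: the query name, normalised the same way, is listed."""
    return to_punycode(query_name) in blacklist


if __name__ == "__main__":
    # Constructed sample input, not real rule data.
    param = build_blacklist_parameter(["Bücher.example.", "evil.test", " ", "evil.test"])
    print(param)  # xn--bcher-kva.example;evil.test
    names = parse_blacklist_parameter(param)
    print(is_blacklisted("BÜCHER.example", names), is_blacklisted("sub.evil.test", names))
```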


110100600  Auto  EARLY DROP UDP query invalid question count
    Description: This rule drops UDP DNS packets when the number of entries in the question section is invalid.
    Enable Condition: Always enabled.
    Parameters: Events per second (default = 1).

110100700  Auto  EARLY DROP UDP query invalid question class
    Description: This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid.
    Enable Condition: Always enabled.
    Parameters: Events per second (default = 1).

110100800  Auto  EARLY DROP UDP query invalid question string
    Description: This rule drops UDP DNS packets that contain an invalid question string.
    Enable Condition: Always enabled.
    Parameters: Events per second (default = 1).

110100850  Auto  EARLY UDP drop invalid DNS query with Authority
    Description: This rule drops UDP DNS queries that contain an invalid AUTHORITY entry.
    Enable Condition: Always enabled.
    Parameters: Events per second (default = 1).

110100900  Auto  EARLY DROP query multiple questions or non-query operation code
    Description: This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query.
    Enable Condition: Always enabled.
    Parameters: Events per second (default = 1).

130000700  Auto  EARLY DROP TCP non-DNS query
    Description: This rule drops TCP packets when the operation code is not Query.
    Enable Condition: Always enabled.
    Parameters: Events per second (default = 1).

130000800  Auto  EARLY DROP TCP query multiple questions
    Description: This rule drops TCP DNS packets when there are multiple questions being queried at one time.
    Enable Condition: Always enabled.
    Parameters: Events per second (default = 1).

130100500  Auto  DROP UDP DNS invalid IXFR query with zero or more than one Authority
    Description: This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries.
    Enable Condition: Always enabled.
    Parameters: Events per second (default = 1).

130100600  Auto  DROP TCP DNS invalid IXFR query with zero or more than one Authority
    Description: This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries.
    Enable Condition: Always enabled.
    Parameters: Events per second (default = 1).

130300200  Auto  DROP TCP invalid DNS query with Authority
    Description: This rule drops TCP DNS queries that contain invalid Authority entries.
    Enable Condition: Always enabled.
    Parameters: Events per second (default = 1).

Potential DDoS Related Domains

This rule category includes system rules the appliance uses to blacklist domains that may have been the targets or subjects in NXDOMAIN or DDoS attacks. These rules block all FQDN lookups on UDP for domains that have been observed to be used as targets in DDoS attacks. The rules are enabled by default. You can disable them when necessary.

Note that these rules capture currently observed bad domain names, which can change on a regular basis. Infoblox recommends that you update to the latest ruleset to capture the most current rules in this category. For information about how to update to the latest ruleset, see Managing Threat Protection Rules on page 1352.


TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H.9 TCP/UDP Flood Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments.

130000100  System  WARN about high rate inbound UDP DNS queries
    Description: This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value.
    Enable Condition: Disabled by default.
    Parameters: Packets per second (default = 40); Events per second (default = 1).
    Comments: Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered.
    NOTE: The Packets per second configured for this rule should be less than that of rule 130000200.

130000200  System  WARN & BLOCK high rate inbound UDP DNS queries
    Description: This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval.
    Enable Condition: Disabled by default.
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates.
    NOTE: The Packets per second value for this rule must be higher than that for rule 130000100.

130000300  System  WARN about high rate inbound TCP DNS queries
    Description: This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value.
    Enable Condition: Disabled by default.
    Parameters: Packets per second (default = 5); Events per second (default = 1).
    Comments: Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered.
    NOTE: The Packets per second configured for this rule should be less than that of rule 130000400.

130000400  System  WARN & BLOCK high rate inbound TCP DNS queries
    Description: This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval.
    Enable Condition: Disabled by default.
    Parameters: Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates.
    NOTE: DO NOT enable this rule along with rule 130000300.
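The WARN / WARN & BLOCK pairs above share one mechanism: a per-source packet count compared against a low threshold that only alerts and a high threshold that blocks the source for Drop interval seconds, with Events per second capping how many alerts are logged. The simulation below is an added example written for this page, not Infoblox code; it assumes a simple count per source and wall-clock second, and the traffic it replays is constructed to show why the Comments column recommends a higher Packets per second behind NAT.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ThresholdPair:
    """Parameters of a WARN rule (low threshold) and its paired WARN & BLOCK
    rule (high threshold), named as on this page."""
    warn_pps: int                # Packets per second of the WARN rule
    block_pps: int               # Packets per second of the WARN & BLOCK rule
    drop_interval: int           # seconds a source stays blocked once block_pps is exceeded
    events_per_second: int = 1   # Events per second: cap on logged events per rule

    def __post_init__(self) -> None:
        # The page's NOTE: the WARN threshold must be lower than the BLOCK threshold.
        if self.warn_pps >= self.block_pps:
            raise ValueError("WARN Packets per second must be below the BLOCK value")


@dataclass
class SourceState:
    second: int = -1          # the second the current count belongs to
    count: int = 0            # packets seen from this source in that second
    blocked_until: int = -1   # packets are dropped while timestamp < blocked_until


def simulate(pair: ThresholdPair, packets):
    """Replay (timestamp_seconds, source_ip) pairs through the two rules.

    Returns (dropped, events): the number of packets dropped during drop
    intervals and the logged (timestamp, event, source) tuples.  Logging is
    capped at events_per_second per event type and second, which is how the
    Events per second parameter limits alert volume."""
    state = defaultdict(SourceState)
    logged = defaultdict(int)   # (event, second) -> events already logged
    events = []
    dropped = 0

    def log(t: int, event: str, src: str) -> None:
        if logged[(event, t)] < pair.events_per_second:
            logged[(event, t)] += 1
            events.append((t, event, src))

    for t, src in packets:
        s = state[src]
        if t < s.blocked_until:
            dropped += 1               # still inside the Drop interval
            continue
        if s.second != t:              # new second: restart the per-second count
            s.second, s.count = t, 0
        s.count += 1
        if s.count > pair.block_pps:
            # High threshold exceeded: block this source for Drop interval seconds.
            s.blocked_until = t + pair.drop_interval
            dropped += 1
            log(t, "BLOCK", src)
        elif s.count == pair.block_pps:
            log(t, "WARN_HIGH", src)   # WARN & BLOCK rule warns at exactly its value
        elif s.count >= pair.warn_pps:
            log(t, "WARN_LOW", src)    # WARN rule fires at or above its value
    return dropped, events


def demo(block_pps: int = 1000):
    """Constructed traffic (not captured data): a NAT gateway at 192.0.2.10
    forwards 1200 queries in second 0 and 5 per second afterwards, while a
    single client at 198.51.100.7 sends 3 per second.  With the documented
    defaults (40 / 1000 / 5 s) the gateway is blocked for 5 seconds; a higher
    block_pps, as suggested for NATd environments, leaves it unblocked."""
    pair = ThresholdPair(warn_pps=40, block_pps=block_pps, drop_interval=5)
    packets = []
    for t in range(8):
        packets += [(t, "192.0.2.10")] * (1200 if t == 0 else 5)
        packets += [(t, "198.51.100.7")] * 3
    return simulate(pair, packets)


if __name__ == "__main__":
    for bp in (1000, 2000):
        dropped, events = demo(bp)
        print(f"block_pps={bp}: dropped={dropped}, events={events}")
```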


DNS DDoS

The following table lists system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate limit clients that trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.

Table H.10 DNS DDoS Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments.

200000001  System  NXDOMAIN rate limiting rule
    Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Enabled by default.
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

200000002  System  NXRRSET rate limiting rule
    Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Enabled by default.
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.
    NOTE: NXRRSET responses include NO records, NO answers and NO errors.

200000003  System  SERVFAIL rate limiting rule
    Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Enabled by default.
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.


DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance.

Table H.11 Anti DNS Tunneling Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments.

130000500  System  RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
    Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
    Enable/Disable Condition: Disabled by default.
    Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200).
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

130000600  Auto  RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
    Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
    Enable/Disable Condition: Disabled by default.
    Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200).
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

200000004  System  DNS tunneling rate limiting rule
    Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size.
    Enable/Disable Condition: Enabled by default.
    Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40).
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification recognizes UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers to the Internet cloud. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that are sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse, even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H.12 DNS Amplification and Reflection Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments.

130400100  Auto  WARN & DROP DoS DNS possible reflection/amplification attack attempts
    Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
    Enable/Disable Condition: Enabled by default.
    Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value (approximately 100) for NATd environments, static forwarders and VPN concentrators.

130400500  System  RATE LIMIT PASS UDP DNS root requests with additional RRs
    Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable/Disable Condition: Disabled by default.
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1).

130400600  System  RATE LIMIT PASS UDP DNS root requests
    Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
    Enable/Disable Condition: Disabled by default.
    Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1).
    Comments: Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H.13 NTP Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments.

130600100  Auto  RATELIMIT PASS NTP TIME responses
    Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
    Enable/Disable Condition: Enabled when the NTP client is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1).

130600120  Auto  DROP NTP TIME responses
    Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
    Enable/Disable Condition: Enabled when the NTP client is disabled.
    Parameters: Events per second (default = 1).


200001001  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable/Disable Condition: Enabled when NTP service is enabled on this member.
    Parameters: Events per second (default = 1).

200001005  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable/Disable Condition: Enabled when NTP service is enabled on this member.
    Parameters: Events per second (default = 1).

200001010  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable/Disable Condition: Enabled when NTP service is enabled on this member.
    Parameters: Events per second (default = 1).

200001015  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable/Disable Condition: Enabled when NTP service is enabled on this member.
    Parameters: Events per second (default = 1).

200001020  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable/Disable Condition: Enabled when NTP service is enabled on this member.
    Parameters: Events per second (default = 1).

200001025  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
    Enable/Disable Condition: Enabled when NTP service is enabled on this member.
    Parameters: Events per second (default = 1).

200001050  Auto  RATELIMIT PASS NTPQ IPv4 requests
    Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
    Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).


200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
    Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
    Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
    Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
    Enable/Disable Condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
    Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
    Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
    Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
    Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001075  Auto  RATELIMIT PASS NTP private mode IPv6 requests
    Description: This rule passes UDP NTP private mode 7 requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
    Enable/Disable Condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1).

200001100  Auto  DROP NTPQ requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
    Enable/Disable Condition: Enabled when NTP service is disabled on this member.
    Parameters: Events per second (default = 1).

200001105  Auto  DROP NTP TIME requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
    Enable/Disable Condition: Enabled when NTP service is disabled on this member.
    Parameters: Events per second (default = 1).

200001110  Auto  DROP NTP private mode requests unexpected
    Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
    Enable/Disable Condition: Enabled when NTP service is disabled on this member.
    Parameters: Events per second (default = 1).

200001115  Auto  DROP invalid NTP requests
    Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
    Enable/Disable Condition: Enabled when NTP service is disabled on this member.
    Parameters: Events per second (default = 1).


BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H.14 BGP Rules
Columns: Rule ID, Rule Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments.

130700100  Auto  DROP BGP header length shorter than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
    Enable/Disable Condition: Enabled when BGP service on this member is configured.
    Parameters: Events per second (default = 1).

130700200  Auto  DROP BGP header length longer than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
    Enable/Disable Condition: Enabled when BGP service on this member is configured.
    Parameters: Events per second (default = 1).

130700300  Auto  DROP BGP spoofed connection reset attempts
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
    Enable/Disable Condition: This rule is enabled when BGP service on this member is configured.
    Parameters: Events per second (default = 1).

130700400  Auto  DROP BGP invalid type 0
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
    Enable/Disable Condition: This rule is enabled when BGP service on this member is configured.
    Parameters: Events per second (default = 1).

130700500  Auto  DROP BGP invalid type bigger than 5
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
    Enable/Disable Condition: This rule is enabled when BGP service on this member is configured.
    Parameters: Events per second (default = 1).

130700550  Auto  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
    Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers.
    Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10).

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
    Description: This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv4 peers.
    Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10).

130700650  Auto  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
    Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable Condition: This rule is enabled when BGP service on this member is configured with IPv6 peers.
    Parameters: Events per second (default = 1); Drop Interval (default = 60 sec); Packets per second (default = 10).

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2230

1518 NIOS Administrator Guide (Rev A) NIOS 612

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF isnot in use

Table H15 OSPF Rules

130700700 Auto RATELIMIT PASS BGPallowed with IPv6 peer

This rule passes TCP BGP routeadvertisement to IPv6 peerswhen BGP is enabled and ifthe packet rate is less than thePackets per second value Ifany source IP sends packetsover this value the appliance

blocks all such traffic from thissource IP for a certain periodof time (specified in Drop

interval )

This rule isenabled whenBGP service onthis member isconfigured withIPv6 peers

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=10)

130800100 Auto DROP BGP unexpected When BGP is enabled this ruledrops unexpected TCP BGPpackets

This rule takeseffect when BGPservice on thismember is NOT configured

Events per second (default=1)

This rule is exclusive withother rules based onwhether BGP is configuredon the member or not

Rule ID

Rule

Type

Rule Name Description

Enable

Condition

Parameters Comments

130900300 Auto DROP OSPFunexpected

This rule drops unexpectedOSPF packets

This rule takeseffect when OSPFservice on thismember is NOT configured

Events per second (default=1)

Default drop rule for allpackets on the OSPF serviceport

130900400 Auto RATELIMIT PASS OSPFmulticast

This rule passes OSPF IPv4multicast packets if the packetrate is less than the Packets

per second value If anysource IP sends packets overthis value the applianceblocks all such traffic from thissource IP for a time specifiedin Drop interval

This rule takeseffect when OSPFservice on thismember isconfigured forIPv4

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=100)

130900500 Auto RATELIMIT PASS OSPFIPv6 multicast

This rule passes OSPF IPv6multicast packets if the packetrate is less than the Packets

per second value If anysource IP sends packets overthis value the applianceblocks all such traffic from thissource IP for a time specifiedin Drop interval

This rule takeseffect when OSPFservice on thismember isconfigured forIPv6

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=100)

130900600 Auto RATELIMIT PASS OSPF This rule passes OSPF packetsif the packet rate is less thanthe Packets per second valueIf any source IP sends packetsover this value the applianceblocks all such traffic from thissource IP for a time specifiedin Drop interval

This rule takeseffect when OSPFservice on thismember isconfigured

Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

This rule works for both IPv4and IPv6

Rule ID

Rule

Type

Rule Name Description

EnableDisable

Condition

Parameters Comments

ICMP

ICMP attacks use network devices, such as routers, to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default=1) | |
| 130900100 | Auto | RATELIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130900200 | Auto | RATELIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) | |
| 130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) | |
| 130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |

Table H16 ICMP Rules (continued)

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902300 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902400 | Auto | RATELIMIT PASS ICMPV6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902500 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problems if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130903400 | Auto | RATELIMIT ICMP port unreachable | This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50) | |

Table H16 ICMP Rules (continued)

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

| Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | NA | |
| 140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet. |
| 140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet. |
| 140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default=0) | |
| 140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default=0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default=0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default=0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default=0) | This is a catch-all rule that drops anything that does not match any other rules in the system. |

HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | NA | |
| 140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | NA | |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:

— Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:

— Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

— Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

— Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:

— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.

— Drop interval: Enter the number of seconds for which the appliance drops packets.

— Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

— Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

— Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

— Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

— Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

— Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

— Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
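The parameter handling these templates describe (semicolon-separated FQDN lists, punycode for IDNs, address/CIDR networks, and whitelist or blacklist matching before any rate limiting applies), as an added Python example that is not Infoblox code. The template identifiers, the precedence of whitelist over blacklist, exact matching on the normalized query name, and the use of Python's stdlib IDNA codec in place of the GUI's IDN Converter are assumptions; the rule set and queries are constructed.

```python
"""Custom rule template matching: FQDN blacklists, address/CIDR lists and the
pass/drop-prior-to-rate-limiting ordering. Added example, not Infoblox code."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def normalize_fqdn(name: str) -> str:
    """Lower-case, strip the trailing dot and convert IDN labels to punycode.

    Custom rules do not accept IDNs, so 'Bücher.example' has to be entered as
    'xn--bcher-kva.example'. The stdlib IDNA codec stands in for the GUI's IDN
    Converter here (assumption); ASCII names pass through unchanged.
    """
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def parse_fqdn_list(value: str) -> List[str]:
    """Split a 'Blacklisted FQDN' value on semicolons, as the template allows."""
    return [normalize_fqdn(part) for part in value.split(";") if part.strip()]


def parse_network(value: str) -> Network:
    """Parse an 'IP address/network' value: a bare address or address/CIDR."""
    return ipaddress.ip_network(value.strip(), strict=False)


@dataclass
class CustomRule:
    template: str                      # WHITELIST_IP, BLACKLIST_IP or BLACKLIST_FQDN
    proto: str                         # "tcp" or "udp": every template is protocol specific
    networks: List[Network] = field(default_factory=list)
    fqdns: List[str] = field(default_factory=list)


@dataclass
class DnsQuery:
    src_ip: str
    proto: str
    qname: str


def evaluate(rules: List[CustomRule], q: DnsQuery) -> str:
    """Return PASS, DROP or RATELIMIT for one query.

    Ordering assumed here: a 'Pass prior to rate limiting' whitelist match wins,
    then a 'Drop prior to rate limiting' blacklist match; anything else falls
    through to the RATELIMITED templates, signalled as RATELIMIT.
    """
    src = ipaddress.ip_address(q.src_ip)
    qname = normalize_fqdn(q.qname)
    # Only rules created for the query's transport apply (TCP vs UDP templates).
    applicable = [r for r in rules if r.proto == q.proto]
    for r in applicable:
        if r.template == "WHITELIST_IP" and any(src in n for n in r.networks):
            return "PASS"
    for r in applicable:
        # 'in' is False when the address family differs, so v4 and v6 can mix.
        if r.template == "BLACKLIST_IP" and any(src in n for n in r.networks):
            return "DROP"
        if r.template == "BLACKLIST_FQDN" and qname in r.fqdns:
            return "DROP"
    return "RATELIMIT"


# Constructed rule set, as it would be entered in the Rule Parameters tables.
RULES = [
    CustomRule("WHITELIST_IP", "udp", networks=[parse_network("192.0.2.0/24")]),
    CustomRule("BLACKLIST_IP", "udp", networks=[parse_network("198.51.100.7")]),
    CustomRule("BLACKLIST_IP", "udp", networks=[parse_network("2001:db8:bad::/48")]),
    CustomRule("BLACKLIST_FQDN", "udp", fqdns=parse_fqdn_list("bad.example; Bücher.example.")),
]

if __name__ == "__main__":
    for q in [DnsQuery("198.51.100.7", "udp", "www.example"),
              DnsQuery("192.0.2.10", "udp", "bad.example"),
              DnsQuery("203.0.113.5", "udp", "BAD.example."),
              DnsQuery("203.0.113.5", "tcp", "bad.example")]:
        print(f"{q.src_ip:>16} {q.proto} {q.qname:<16} -> {evaluate(RULES, q)}")
```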


TCP/UDP Flood

TCP and UDP flood attacks are volumetric attacks with massive numbers of packets that consume network bandwidth and resources. They exploit TCP and UDP.

The following table lists the system and auto rules that are used to mitigate TCP/UDP floods on your advanced appliance.

Table H9 TCP/UDP Flood Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130000100 | System | WARN about high rate inbound UDP DNS queries | This rule warns about any source IP that sends inbound UDP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 40); Events per second (default = 1) | Use this rule together with rule 130000200 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000200), rule 130000200 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000200. |
| 130000200 | System | WARN & BLOCK high rate inbound UDP DNS queries | This rule warns if any source IP sends inbound UDP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: The Packets per second value for this rule must be higher than that for rule 130000100. |
| 130000300 | System | WARN about high rate inbound TCP DNS queries | This rule warns about any source IP that sends inbound TCP DNS packets at a rate that equals or exceeds the Packets per second value. | Disabled by default | Packets per second (default = 5); Events per second (default = 1) | Use this rule together with rule 130000400 to adjust the warning and blocking rate thresholds. This rule only sends alerts when the packet rate equals or exceeds the low threshold (Packets per second for this rule). When the packet rate reaches or exceeds the high threshold (Packets per second for rule 130000400), rule 130000400 is triggered. NOTE: The Packets per second configured for this rule should be less than that of rule 130000400. |
| 130000400 | System | WARN & BLOCK high rate inbound TCP DNS queries | This rule warns if any source IP sends inbound TCP DNS packets at a rate that equals the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for a period of time specified in Drop interval. | Disabled by default | Packets per second (default = 1000); Drop interval (default = 10 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders and VPN concentrators. This rule may be triggered if Packets per second is lower than that in the custom rules created using the rate limiting templates. NOTE: DO NOT enable this rule along with rule 130000300. |

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 1630

1512 NIOS Administrator Guide (Rev A) NIOS 612

DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate-limit clients whose queries trigger the following DNS responses: NXDOMAIN, NXRRSET and SERVFAIL.

Table H10 DNS DDoS Rules

Rule ID: 200000001
Type: System
Rule name: NXDOMAIN rate limiting rule
Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
Enable/Disable condition: Enabled by default
Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

Rule ID: 200000002
Type: System
Rule name: NXRRSET rate limiting rule
Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
Enable/Disable condition: Enabled by default
Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.
NOTE: NXRRSET responses here are responses with no records in the answer section and no error code (no records, no answers, no error), that is, NODATA responses.

Rule ID: 200000003
Type: System
Rule name: SERVFAIL rate limiting rule
Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from this source IP for the time specified in Drop interval.
Enable/Disable condition: Enabled by default
Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.
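The warn / block / Drop interval behaviour described for the three rules above is the same per-source logic that every RATELIMIT rule in the DNS tunneling, amplification, NTP, BGP, OSPF and ICMP tables that follow relies on. The following is an added example written for this page, not Infoblox code: it counts, per source IP, the responses of one code within a sliding one-second window, warns when the count reaches Packets per second, and drops everything from that source for Drop interval once the count exceeds it; Events per second only throttles how often the rule logs. The traffic is constructed. The second source models a NAT gateway fronting twenty clients at 60 queries per second each, which is exactly the case the Comments column has in mind when it recommends raising Packets per second for NAT'd environments.

```python
from collections import defaultdict, deque

PASS, WARN, DROP = "pass", "warn", "drop"

# Constructed sources (documentation addresses, not taken from any capture).
ATTACKER = "198.51.100.7"   # one host producing NXDOMAIN responses at 2000/s
NAT_GW = "203.0.113.1"      # NAT gateway fronting 20 clients at 60 qps each = 1200/s


class SourceState:
    def __init__(self):
        self.window = deque()              # timestamps counted in the last second
        self.blocked_until = float("-inf")
        self.last_event = float("-inf")


class RateLimitRule:
    """One DNS DDoS rule: Packets per second, Drop interval, Events per second."""

    def __init__(self, rcode, pps=1000, drop_interval=5.0, events_per_second=1.0):
        self.rcode = rcode                 # response code this rule counts
        self.pps = pps
        self.drop_interval = drop_interval
        self.min_event_gap = 1.0 / events_per_second
        self.state = defaultdict(SourceState)
        self.events = []                   # (ts, src, text) the appliance would log

    def _log(self, ts, src, text):
        # Events per second throttles how often the rule logs, not what it blocks.
        st = self.state[src]
        if ts - st.last_event >= self.min_event_gap:
            self.events.append((ts, src, text))
            st.last_event = ts

    def observe(self, ts, src, rcode):
        """Return the verdict for one response from src seen at time ts (seconds)."""
        st = self.state[src]
        if ts < st.blocked_until:
            return DROP                    # all UDP DNS traffic from src is blocked
        if rcode != self.rcode:
            return PASS                    # not counted by this rule
        while st.window and ts - st.window[0] >= 1.0:
            st.window.popleft()            # slide the one-second window
        st.window.append(ts)
        n = len(st.window)
        if n > self.pps:
            st.blocked_until = ts + self.drop_interval
            st.window.clear()
            self._log(ts, src, "rate %d/s exceeds %d; blocking for %gs" % (n, self.pps, self.drop_interval))
            return DROP
        if n == self.pps:
            self._log(ts, src, "rate reached %d/s" % self.pps)
            return WARN
        return PASS


def simulate(events, pps=1000, drop_interval=5.0):
    """Run an NXDOMAIN rule over (ts, src, rcode) events; return per-source verdict counts and the log."""
    rule = RateLimitRule("NXDOMAIN", pps=pps, drop_interval=drop_interval)
    counts = defaultdict(lambda: {PASS: 0, WARN: 0, DROP: 0})
    for ts, src, rcode in sorted(events):
        counts[src][rule.observe(ts, src, rcode)] += 1
    return dict(counts), rule.events


def sample_events():
    """Constructed traffic: 1200 NXDOMAINs from the attacker within 0.6 s plus one more at t = 6 s,
    1200 NXDOMAINs spread over one second from the NAT gateway, and a few NOERROR responses."""
    ev = [(i / 2000.0, ATTACKER, "NXDOMAIN") for i in range(1200)]
    ev.append((6.0, ATTACKER, "NXDOMAIN"))
    ev += [(i / 1200.0, NAT_GW, "NXDOMAIN") for i in range(1200)]
    ev += [(0.25 + i / 10.0, NAT_GW, "NOERROR") for i in range(5)]
    return ev


if __name__ == "__main__":
    for pps in (1000, 2000):
        counts, log = simulate(sample_events(), pps=pps)
        print("Packets per second = %d" % pps)
        for src in (ATTACKER, NAT_GW):
            print("  %-14s %s" % (src, counts[src]))
        for entry in log:
            print("  event:", entry)
```

With the default of 1000 both sources are blocked, although the gateway's clients are each well below the threshold; with Packets per second raised to 2000 the gateway passes while the attacker would still be caught by any threshold below its 2000/s rate.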


DNS Tunneling

DNS tunneling attacks tunnel another protocol through DNS (port 53) for the purpose of data exfiltration. Data in both directions is encoded into small chunks that fit into DNS queries (for example, as labels of the query name) and DNS responses (for example, as TXT record data).

The following table lists the rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules (the rows of this table follow the DNS Amplification and Reflection introduction below)

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing: the attacker sets the source address of its DNS queries to the address of the intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification exploit the asymmetry of DNS over UDP (small requests, large responses) and the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP datagram responses to the target address carried in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Because DNS runs over UDP and does not require a handshake, the protocol can be used to overwhelm a host or a network. Crafted the right way, a small query sent to any open DNS resolver can produce a single response of several kilobytes or more that is delivered to the unwitting spoofed victim. (Without EDNS0, a UDP DNS response is limited to 512 bytes and larger answers are retried over TCP, which cannot be reflected because the spoofed victim never completes the handshake; with EDNS0 the resolver sends the large answer as a UDP datagram, which usually exceeds the MTU of the recipient's interfaces, resulting in fragmentation and additional reassembly processing on the victim.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also

Table H11 Anti DNS Tunneling Rules (continued from the DNS Tunneling section above)

Rule ID: 130000500
Type: System
Rule name: RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. A query counts as large when the DNS packet size exceeds the configured Packet size value.
Enable/Disable condition: Disabled by default
Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200 bytes)
Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

Rule ID: 130000600
Type: Auto
Rule name: RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. A query counts as large when the DNS packet size exceeds the configured Packet size value.
Enable/Disable condition: Disabled by default
Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200 bytes)
Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.

Rule ID: 200000004
Type: System
Rule name: DNS tunneling rate limiting rule
Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. A response counts as large when the size of the TXT records in the DNS response exceeds the configured Packet size value.
Enable/Disable condition: Enabled by default
Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40 bytes)
Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.


use the EDNS0 DNS protocol extension to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate limiting to prevent abuse even while supporting open recursive DNS servers; issues of this type therefore usually result from configuration mistakes.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules (the rows of this table follow the NTP introduction below)

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules cover NTP TIME requests and responses, NTPQ requests and private mode 7 packets, and they honor the NTP IPv4 and IPv6 ACLs (Access Control Lists), named ACLs and "ANY" ACLs configured on the member.

Table H13 NTP Rules (the rows of this table follow Table H12 below)

Table H12 DNS Amplification and Reflection Rules (continued from above)

Rule ID: 130400100
Type: Auto
Rule name: WARN & DROP DoS DNS possible reflection/amplification attack attempts
Description: This rule warns if any source IP sends UDP DNS packets that look like possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query type is "ANY".
Enable/Disable condition: Enabled by default
Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders and VPN concentrators.

Rule ID: 130400500
Type: System
Rule name: RATE LIMIT PASS UDP DNS root requests with additional RRs
Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
Enable/Disable condition: Disabled by default
Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

Rule ID: 130400600
Type: System
Rule name: RATE LIMIT PASS UDP DNS root requests
Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
Enable/Disable condition: Disabled by default
Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators.
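The size and type conditions in Tables H11 and H12 (a query larger than Packet size, TXT record data larger than Packet size, query type ANY, and EDNS0 announcing a large UDP payload) are all checks on the DNS wire format. The following added example, written for this page and not Infoblox code, builds and parses DNS messages to show exactly which bytes those conditions measure. The thresholds 200 and 40 are the documented defaults; the names are constructed; and the mapping from a matched condition to a rule ID assumes the rule looks only at the fields shown here. The rate component of each rule is the same per-source logic as in the DNS DDoS example above and is not repeated.

```python
import struct

QTYPE = {"A": 1, "TXT": 16, "OPT": 41, "ANY": 255}
LARGE_QUERY_BYTES = 200   # Packet size default of rules 130000500 / 130000600
LARGE_TXT_BYTES = 40      # Packet size default of rule 200000004

def encode_name(name):
    """Dotted name -> DNS labels (1-63 bytes each) plus the root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, edns_udp_size=None, msg_id=0x1234):
    """Recursive query; optionally an EDNS0 OPT RR advertising a UDP payload size."""
    msg = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", QTYPE["OPT"], edns_udp_size, 0, 0)
    return msg

def read_name(msg, off):
    """Decode a possibly compressed name; bounded pointer hops defeat pointer loops."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off +=ln
    return ".".join(labels), (end if end is not None else off)

def build_txt_response(query, strings, ttl=300):
    """Answer the query's question with one TXT RR built from the given character-strings."""
    _qname, qend = read_name(query, 12)
    chunks = [s.encode("ascii") for s in strings]
    if any(len(c) > 255 for c in chunks):
        raise ValueError("TXT character-string longer than 255 bytes")
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["TXT"], 1, ttl, len(rdata)) + rdata
    return header + query[12:qend + 4] + answer

def parse_message(msg):
    """Extract what the rules key on: question, EDNS0 payload size, total TXT RDATA bytes."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname, qtype = 12, None, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
    edns_udp_size, txt_bytes = None, 0
    for _ in range(an + ns + ar):
        _name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE["OPT"]:
            edns_udp_size = rclass             # EDNS0 stores the payload size in CLASS
        elif rtype == QTYPE["TXT"]:
            txt_bytes += rdlen
        off += rdlen
    return {"size": len(msg), "qname": qname, "qtype": qtype,
            "edns_udp_size": edns_udp_size, "txt_bytes": txt_bytes}

def matching_rules(msg, is_query):
    """(parsed fields, IDs of the Table H11/H12 rules whose size or type condition is met)."""
    info, hits = parse_message(msg), []
    if is_query and info["size"] > LARGE_QUERY_BYTES:
        hits.append("130000500")       # large UDP query (130000600 is the TCP counterpart)
    if is_query and info["qtype"] == QTYPE["ANY"]:
        hits.append("130400100")       # QTYPE ANY: possible reflection/amplification
    if not is_query and info["txt_bytes"] > LARGE_TXT_BYTES:
        hits.append("200000004")       # large TXT response
    return info, hits

if __name__ == "__main__":
    tunnel_name = ".".join(["a" * 63, "b" * 63, "c" * 63, "t.example.com"])   # constructed
    for label, msg, is_q in [("A query", build_query("www.example.com", "A"), True),
                             ("tunnel-like TXT query", build_query(tunnel_name, "TXT"), True),
                             ("ANY + EDNS0 4096", build_query("example.com", "ANY", 4096), True),
                             ("large TXT answer", build_txt_response(build_query("example.com", "TXT"), ["x" * 45]), False)]:
        print(label, matching_rules(msg, is_q))
```

Two details matter for tuning. A 63-byte label is legal, so a query name made of three such labels is 223 bytes on the wire against a 200-byte default, which is why 130000500 is disabled by default until the size threshold has been checked against real traffic. And the EDNS0 payload size sits in the CLASS field of the OPT record; a 40-byte ANY query advertising 4096 bytes is the shape the amplification text describes.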

Table H13 NTP Rules (continued from above)

Rule ID: 130600100
Type: Auto
Rule name: RATELIMIT PASS NTP TIME responses
Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
Enable/Disable condition: Enabled when the NTP client is enabled
Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

Rule ID: 130600120
Type: Auto
Rule name: DROP NTP TIME responses
Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
Enable/Disable condition: Enabled when the NTP client is disabled
Parameters: Events per second (default = 1)


Rule ID: 200001001
Type: Auto
Rule name: DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks in the form of frequent inbound unauthenticated GET_RESTRICT requests with implementation number 0x02. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
Enable/Disable condition: Enabled when the NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001005
Type: Auto
Rule name: DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks in the form of frequent inbound unauthenticated GET_RESTRICT requests with implementation number 0x03. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
Enable/Disable condition: Enabled when the NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001010
Type: Auto
Rule name: DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks in the form of frequent inbound unauthenticated PEER_LIST_SUM requests with implementation number 0x02. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
Enable/Disable condition: Enabled when the NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001015
Type: Auto
Rule name: DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks in the form of frequent inbound unauthenticated PEER_LIST_SUM requests with implementation number 0x03. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
Enable/Disable condition: Enabled when the NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001020
Type: Auto
Rule name: DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks in the form of frequent inbound unauthenticated PEER_LIST requests with implementation number 0x02. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
Enable/Disable condition: Enabled when the NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001025
Type: Auto
Rule name: DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
Description: When the NTP server is enabled, this rule warns about possible NTP DDoS attacks in the form of frequent inbound unauthenticated PEER_LIST requests with implementation number 0x03. It then blocks suspicious NTP traffic for the time period specified in Drop interval.
Enable/Disable condition: Enabled when the NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001050
Type: Auto
Rule name: RATELIMIT PASS NTPQ IPv4 requests
Description: This rule passes UDP NTPQ requests permitted by the NTP IPv4 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)


Rule ID: 200001055
Type: Auto
Rule name: RATELIMIT PASS NTP TIME IPv4 requests
Description: This rule passes UDP NTP TIME requests permitted by the NTP IPv4 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule ID: 200001060
Type: Auto
Rule name: RATELIMIT PASS NTP private mode IPv4 requests
Description: This rule passes UDP NTP private mode 7 requests permitted by the NTP IPv4 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule ID: 200001065
Type: Auto
Rule name: RATELIMIT PASS NTPQ IPv6 requests
Description: This rule passes UDP NTPQ requests permitted by the NTP IPv6 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule ID: 200001070
Type: Auto
Rule name: RATELIMIT PASS NTP TIME IPv6 requests
Description: This rule passes UDP NTP TIME requests permitted by the NTP IPv6 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule ID: 200001075
Type: Auto
Rule name: RATELIMIT PASS NTP private mode IPv6 requests
Description: This rule passes UDP NTP private mode 7 requests permitted by the NTP IPv6 ACLs until the traffic hits the rate limit (the Packets per second value). It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule ID: 200001100
Type: Auto
Rule name: DROP NTPQ requests unexpected
Description: When the NTP service is disabled, this rule drops all UDP NTPQ requests.
Enable/Disable condition: Enabled when the NTP service is disabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001105
Type: Auto
Rule name: DROP NTP TIME requests unexpected
Description: When the NTP service is disabled, this rule drops all UDP NTP TIME requests.
Enable/Disable condition: Enabled when the NTP service is disabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001110
Type: Auto
Rule name: DROP NTP private mode requests unexpected
Description: When the NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
Enable/Disable condition: Enabled when the NTP service is disabled on this member
Parameters: Events per second (default = 1)

Rule ID: 200001115
Type: Auto
Rule name: DROP invalid NTP requests
Description: When the NTP service is disabled, this rule drops all invalid UDP NTP requests.
Enable/Disable condition: Enabled when the NTP service is disabled on this member
Parameters: Events per second (default = 1)
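The NTP rules above distinguish NTP TIME requests and responses (modes 3 and 4), NTPQ control requests (mode 6) and ntpd private mode 7 requests, and for mode 7 they single out unauthenticated GET_RESTRICT, PEER_LIST_SUM and PEER_LIST requests with implementation numbers 0x02 and 0x03. The following added example, written for this page and not Infoblox code, decodes those fields from a raw UDP/123 payload using the field layout of RFC 5905 for modes 3, 4 and 6 and the reference ntpd's private protocol for mode 7, where the request codes are PEER_LIST = 0, PEER_LIST_SUM = 1 and GET_RESTRICT = 16 and implementation numbers 2 and 3 are IMPL_XNTPD_OLD and IMPL_XNTPD. All packets are constructed; the 48-byte padding of the mode 7 request is an assumption for illustration, and the "frequent" part of each rule (the rate) is not modelled here.

```python
MODE_CLIENT, MODE_SERVER, MODE_CONTROL, MODE_PRIVATE = 3, 4, 6, 7
IMPL_NAMES = {2: "IMPL 0x02", 3: "IMPL 0x03"}                 # IMPL_XNTPD_OLD, IMPL_XNTPD
REQ_NAMES = {0: "PEER_LIST", 1: "PEER_LIST_SUM", 16: "GET_RESTRICT"}
# Table H13 rule for an un-authenticated mode 7 request, keyed by (request code, implementation).
RULE_IDS = {(16, 2): "200001001", (16, 3): "200001005",
            (1, 2): "200001010", (1, 3): "200001015",
            (0, 2): "200001020", (0, 3): "200001025"}


def classify_ntp(pkt):
    """Classify one UDP/123 payload the way the NTP rules do; returns (category, detail dict)."""
    if len(pkt) < 4:
        return "invalid", {"reason": "shorter than any NTP header"}
    first = pkt[0]
    mode, version = first & 0x07, (first >> 3) & 0x07
    if mode == MODE_PRIVATE:
        # ntpd private protocol: byte 0 = R|M|VN|Mode, byte 1 = A|sequence,
        # byte 2 = implementation number, byte 3 = request code.
        detail = {"response": bool(first & 0x80), "authenticated": bool(pkt[1] & 0x80),
                  "impl": pkt[2], "request_code": pkt[3], "rule_id": None}
        if not detail["response"] and not detail["authenticated"]:
            detail["rule_id"] = RULE_IDS.get((pkt[3], pkt[2]))
            if detail["rule_id"]:
                detail["rule_name"] = "Un-Authed %s Requests %s" % (REQ_NAMES[pkt[3]], IMPL_NAMES[pkt[2]])
        return "private_mode7", detail
    if mode == MODE_CONTROL:
        return "ntpq_control", {"version": version}            # what the rules call NTPQ
    if len(pkt) < 48:
        return "invalid", {"reason": "mode %d packet shorter than the 48-byte header" % mode}
    if mode == MODE_CLIENT:
        return "time_request", {"version": version}
    if mode == MODE_SERVER:
        return "time_response", {"version": version}
    return "other", {"mode": mode, "version": version}


def mode7_request(impl, request_code, authenticated=False, response=False):
    """Constructed minimal mode 7 packet (version 2): 8-byte header plus 40 zero data bytes."""
    first = (0x80 if response else 0) | (2 << 3) | MODE_PRIVATE
    return bytes([first, 0x80 if authenticated else 0, impl, request_code]) + bytes(44)


if __name__ == "__main__":
    samples = {"TIME request": bytes([0x23]) + bytes(47),       # LI 0, VN 4, mode 3
               "TIME response": bytes([0x24]) + bytes(47),
               "NTPQ control": bytes([0x16]) + bytes(11),       # VN 2, mode 6
               "GET_RESTRICT impl 3": mode7_request(3, 16),
               "PEER_LIST_SUM impl 2": mode7_request(2, 1),
               "authed GET_RESTRICT": mode7_request(3, 16, authenticated=True)}
    for label, pkt in samples.items():
        print("%-22s %s %s" % (label, *classify_ntp(pkt)))
```

The decisive bits are the low three of the first byte (the mode) and, for mode 7, the response bit (0x80 of byte 0) and the authentication bit (0x80 of byte 1): only an unauthenticated request direction packet with one of the six listed (request code, implementation) pairs maps to a rule, which is what "Un-Authed" in the rule names refers to.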


BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance. All but the last rule take effect when BGP is configured on the member; rule 130800100 takes effect when it is not.

Table H14 BGP Rules

Rule ID: 130700100
Type: Auto
Rule name: DROP BGP header length shorter than spec
Description: When BGP is enabled, this rule drops TCP BGP packets whose message header Length field is shorter than the RFC specification allows.
Enable/Disable condition: Enabled when the BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule ID: 130700200
Type: Auto
Rule name: DROP BGP header length longer than spec
Description: When BGP is enabled, this rule drops TCP BGP packets whose message header Length field is longer than the RFC specification allows.
Enable/Disable condition: Enabled when the BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule ID: 130700300
Type: Auto
Rule name: DROP BGP spoofed connection reset attempts
Description: When BGP is enabled, this rule drops TCP BGP packets that carry spoofed connection resets.
Enable/Disable condition: Enabled when the BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule ID: 130700400
Type: Auto
Rule name: DROP BGP invalid type 0
Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
Enable/Disable condition: Enabled when the BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule ID: 130700500
Type: Auto
Rule name: DROP BGP invalid type bigger than 5
Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
Enable/Disable condition: Enabled when the BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule ID: 130700550
Type: Auto
Rule name: RATELIMIT PASS BGP IPv4 peer TCP connection attempts
Description: This rule passes TCP BGP connection attempts from IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
Enable/Disable condition: Enabled when the BGP service on this member is configured with IPv4 peers
Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10)

Rule ID: 130700600
Type: Auto
Rule name: RATELIMIT PASS BGP allowed with IPv4 peer
Description: This rule passes TCP BGP route advertisements to IPv4 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
Enable/Disable condition: Enabled when the BGP service on this member is configured with IPv4 peers
Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10)

Rule ID: 130700650
Type: Auto
Rule name: RATELIMIT PASS BGP IPv6 peer TCP connection attempts
Description: This rule passes TCP BGP connection attempts from IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
Enable/Disable condition: Enabled when the BGP service on this member is configured with IPv6 peers
Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10)


OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance. Which rules take effect depends on whether the OSPF service is configured on the member: the rate-limiting rules apply when it is, and the default drop rule applies when it is not.

Table H15 OSPF Rules (the rows of this table follow the last two BGP rules below)

Table H14 BGP Rules (continued)

Rule ID: 130700700
Type: Auto
Rule name: RATELIMIT PASS BGP allowed with IPv6 peer
Description: This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the period of time specified in Drop interval.
Enable/Disable condition: Enabled when the BGP service on this member is configured with IPv6 peers
Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 10)

Rule ID: 130800100
Type: Auto
Rule name: DROP BGP unexpected
Description: When BGP is not configured on this member, this rule drops all TCP BGP packets, since none are expected.
Enable/Disable condition: Takes effect when the BGP service on this member is NOT configured
Parameters: Events per second (default = 1)
Comments: This rule is exclusive with the other BGP rules: which of them apply depends on whether BGP is configured on the member or not.
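Rules 130700100 through 130700500 in Table H14 drop BGP messages whose 19-byte header violates the specification. The following added example, written for this page and not Infoblox code, implements those header checks from RFC 4271 and RFC 2918: the 16-byte marker must be all ones, Length must be at least the fixed size of the given message type and at most 4096, and Type must be 1 through 5. The messages are constructed, and the spoofed connection reset check of 130700300 is a TCP-level check outside the BGP header, so it is not shown.

```python
import struct

HEADER_LEN = 19              # 16-byte marker + 2-byte Length + 1-byte Type
MAX_MSG_LEN = 4096
MARKER = b"\xff" * 16
TYPE_NAMES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}
# Smallest legal Length per type: the fixed fields with nothing optional attached.
MIN_LEN_BY_TYPE = {1: 29, 2: 23, 3: 21, 4: 19, 5: 23}


def check_bgp_header(data):
    """Inspect the message at the start of a TCP BGP stream.

    Returns (verdict, rule_id, detail): verdict is 'pass' or 'drop' and rule_id is the
    Table H14 rule that would drop the packet (None when no listed rule applies)."""
    if len(data) < HEADER_LEN:
        return "drop", "130700100", "only %d bytes, header needs %d" % (len(data), HEADER_LEN)
    marker, (length,), mtype = data[:16], struct.unpack("!H", data[16:18]), data[18]
    if marker != MARKER:
        return "drop", None, "marker is not all ones"   # malformed, but not one of the listed rules
    if mtype == 0:
        return "drop", "130700400", "invalid message type 0"
    if mtype > 5:
        return "drop", "130700500", "invalid message type %d (greater than 5)" % mtype
    if length < MIN_LEN_BY_TYPE[mtype]:
        return "drop", "130700100", "Length %d shorter than the %d-byte %s minimum" % (
            length, MIN_LEN_BY_TYPE[mtype], TYPE_NAMES[mtype])
    if length > MAX_MSG_LEN:
        return "drop", "130700200", "Length %d longer than the %d-byte maximum" % (length, MAX_MSG_LEN)
    return "pass", None, "%s, Length %d" % (TYPE_NAMES[mtype], length)


def bgp_message(mtype, body=b"", length=None):
    """Constructed message with a valid marker; Length defaults to the true size."""
    if length is None:
        length = HEADER_LEN + len(body)
    return MARKER + struct.pack("!HB", length, mtype) + body


if __name__ == "__main__":
    samples = [("KEEPALIVE", bgp_message(4)),
               ("OPEN, 29 bytes", bgp_message(1, body=bytes(10))),
               ("OPEN claiming 19 bytes", bgp_message(1)),
               ("KEEPALIVE claiming 18 bytes", bgp_message(4, length=18)),
               ("UPDATE claiming 4097 bytes", bgp_message(2, length=4097)),
               ("type 0", bgp_message(0)),
               ("type 6", bgp_message(6)),
               ("zeroed marker", bytes(19))]
    for label, msg in samples:
        print("%-28s %s" % (label, check_bgp_header(msg)))
```

Type is checked before Length on purpose: the per-type minimum is only meaningful once the type is known to be one of the five defined ones, and a packet that fails both checks is dropped either way.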

Table H15 OSPF Rules (continued from above)

Rule ID: 130900300
Type: Auto
Rule name: DROP OSPF unexpected
Description: This rule drops unexpected OSPF packets.
Enable/Disable condition: Takes effect when the OSPF service on this member is NOT configured
Parameters: Events per second (default = 1)
Comments: Default drop rule for all packets of the OSPF protocol.

Rule ID: 130900400
Type: Auto
Rule name: RATELIMIT PASS OSPF multicast
Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
Enable/Disable condition: Takes effect when the OSPF service on this member is configured for IPv4
Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 100)

Rule ID: 130900500
Type: Auto
Rule name: RATELIMIT PASS OSPF IPv6 multicast
Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
Enable/Disable condition: Takes effect when the OSPF service on this member is configured for IPv6
Parameters: Events per second (default = 1); Drop interval (default = 60 seconds); Packets per second (default = 100)

Rule ID: 130900600
Type: Auto
Rule name: RATELIMIT PASS OSPF
Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval.
Enable/Disable condition: Takes effect when the OSPF service on this member is configured
Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)
Comments: This rule works for both IPv4 and IPv6.


ICMP

ICMP is the protocol that routers and hosts use to send error messages, for example when a requested service is not available or a remote server cannot be reached, and ICMP attacks abuse those messages. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

All RATELIMIT PASS rules in this table work the same way: the rule passes the listed message type while the packet rate is less than the Packets per second value; if any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.

Rule ID: 130400200
Type: Auto
Rule name: DROP ICMP large packets
Description: This rule drops large ICMP packets (larger than 800 bytes).
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1)

Rule ID: 130900100
Type: Auto
Rule name: RATE LIMIT PASS ICMP Ping
Description: Rate-limit-pass rule (see above) for ICMP ping packets.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

Rule ID: 130900200
Type: Auto
Rule name: RATE LIMIT PASS ICMPv6 Ping
Description: Rate-limit-pass rule (see above) for ICMPv6 ping packets.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

Rule ID: 130900700
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 destination unreachable
Description: Rate-limit-pass rule (see above) for ICMPv6 Destination Unreachable messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 100)

Rule ID: 130900800
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 packet too big
Description: Rate-limit-pass rule (see above) for ICMPv6 Packet Too Big messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 100)

Rule ID: 130900900
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 ping responses
Description: Rate-limit-pass rule (see above) for ICMPv6 ping responses.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

Rule ID: 130901000
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 parameter problem erroneous header
Description: Rate-limit-pass rule (see above) for ICMPv6 Parameter Problem (Erroneous Header) messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

Rule ID: 130901100
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
Description: Rate-limit-pass rule (see above) for ICMPv6 Parameter Problem (Unrecognized Next Header) messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130901200
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
Description: Rate-limit-pass rule (see above) for ICMPv6 Parameter Problem (Unrecognized IPv6 Option) messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130901300
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 router solicitation
Description: Rate-limit-pass rule (see above) for ICMPv6 router solicitation packets.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130901400
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 router advertisement
Description: Rate-limit-pass rule (see above) for ICMPv6 router advertisement packets.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130901500
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 neighbor solicitation
Description: Rate-limit-pass rule (see above) for ICMPv6 neighbor solicitation packets.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130901600
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 neighbor advertisement
Description: Rate-limit-pass rule (see above) for ICMPv6 neighbor advertisement packets.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130901700
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 inverse neighbor solicitation
Description: Rate-limit-pass rule (see above) for ICMPv6 inverse neighbor solicitation messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130901800
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 inverse neighbor advertisement
Description: Rate-limit-pass rule (see above) for ICMPv6 inverse neighbor advertisement messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)


Table H16 ICMP Rules (continued)

Each RATELIMIT PASS rule below passes the listed message type while the packet rate is less than the Packets per second value; if any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.

Rule ID: 130901900
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 listener query
Description: Rate-limit-pass rule (see above) for ICMPv6 multicast listener query messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130902000
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 listener report
Description: Rate-limit-pass rule (see above) for ICMPv6 multicast listener report messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130902100
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 listener done
Description: Rate-limit-pass rule (see above) for ICMPv6 multicast listener done messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130902200
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 listener report v2
Description: Rate-limit-pass rule (see above) for ICMPv6 multicast listener report version 2 messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130902300
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 multicast router advertisement
Description: Rate-limit-pass rule (see above) for ICMPv6 multicast router advertisement messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130902400
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 multicast router solicitation
Description: Rate-limit-pass rule (see above) for ICMPv6 multicast router solicitation messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130902500
Type: Auto
Rule name: RATELIMIT PASS ICMPv6 multicast router advertisement
Description: Rate-limit-pass rule (see above) for ICMPv6 multicast router advertisement messages.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 seconds); Packets per second (default = 50)

Rule ID: 130902600
Type: Auto
Rule name: RATELIMIT PASS ICMP ping responses
Description: Rate-limit-pass rule (see above) for ICMP ping responses.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 seconds); Packets per second (default = 50)

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2630

1522 NIOS Administrator Guide (Rev A) NIOS 612

130902700 Auto RATELIMIT PASS ICMProuter advertisement

This rule passes ICMP routeradvertisement if the packet rateis less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a

time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130902800 Auto RATELIMIT PASS ICMProuter solicitation

This rule passes ICMP routersolicitation messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130902900 Auto RATELIMIT PASS ICMPtime exceeded

This rule passes ICMP timeexceeded messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903000 Auto RATELIMIT PASS ICMPparameter problem

This rule passes ICMP parameterproblems if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903100 Auto RATELIMIT PASS ICMPv6hop limit exceeded orICMPv4 networkunreachable

This rule passes ICMPv6 HopLimit Exceeded messages orICMPv4 Network Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a time

specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130903200 Auto RATELIMIT PASS ICMPv6fragment reassemblytime exceeded orICMPv4 hostunreachable

This rule passes ICMPv6fragment reassembly timeexceeded messages or ICMPv4host unreachable messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903300 Auto RATELIMIT PASS ICMPprotocol unreachable

This rule passes ICMP protocolunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks all

such traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903400 Auto RATELIMIT ICMP portunreachable

This rule passes ICMP portunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora certain period of time(specified in Drop interval )

Always enabled Events per second (default=10)

Drop Interval (default=10 sec)

Packets per second (default=50)

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2730

Default PassDrop

NIOS 612 NIOS Administrator Guide (Rev A) 1523

Default Pass Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance All rulesare disabled by default

Table H17 Default PassDrop Rules

130903500 Auto RATELIMIT PASS ICMPfragmentation needed

This rule passes ICMPfragmentation needed messagesif the packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP for

a certain period of time(specified in Drop interval )

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

Rule 100000050 (System): EARLY PASS TCP with flowbits set
    Description: Passes TCP traffic that has the flowbits option set and marked OK.
    Enable/Disable condition: Enabled by default
    Parameters: N/A

Rule 140000100 (System): DROP UDP DNS unexpected
    Description: Drops any unexpected UDP DNS packets.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default=1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS UDP packet.

Rule 140000200 (System): DROP TCP DNS unexpected
    Description: Drops any unexpected TCP DNS packets.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default=1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS TCP packet.

Rule 140000400 (System): PASS TCP established packets
    Description: Passes all packets on established TCP connections.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default=0)

Rule 140000500 (System): DROP TCP unexpected
    Description: Drops any unexpected TCP packets.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This rule drops any TCP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

Rule 140000600 (System): DROP UDP unexpected
    Description: Drops any unexpected UDP packets.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This rule drops any UDP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

Rule 140000700 (System): DROP ICMP unexpected
    Description: Drops any unexpected ICMP packets.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This rule drops any ICMP packet. If this rule is triggered, the packet is most likely not intended for services on this member.

Rule 140000800 (System): DROP unexpected protocol
    Description: Drops packets of any unexpected protocol.
    Enable/Disable condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This is a catch-all rule that drops anything that does not match any other rule in the system.


HA Support

The following table lists the auto rules that pass packets of the Virtual Router Redundancy Protocol (VRRP) and the Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

Rule 140000750 (Auto): PASS VRRP
    Description: Passes VRRP packets for HA support.
    Enable condition: Enabled if HA is configured
    Parameters: N/A

Rule 140000760 (Auto): PASS IGMP
    Description: Passes IGMP packets for HA support.
    Enable condition: Enabled if HA is configured
    Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs in custom rules, you must first convert them to Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  – Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  – Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  – Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  – Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that apply rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:


  – Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups for the FQDN defined in this rule. The default is 5.
  – Drop interval: Enter the number of seconds for which the appliance drops packets.
  – Blacklist rate limited FQDN: Enter the FQDN to which the rate limit configured for this rule applies. The appliance drops UDP DNS lookups for this FQDN when they exceed the configured rate limit.

• RATELIMITED IP TCP: Use this rule template to create custom rules that apply rate limiting restrictions for blacklisting IP addresses on TCP. If there are IP addresses that you want to block before their traffic reaches the rate limit, create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of TCP DNS lookups from the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. The appliance drops the packets sent by this IP address for the drop interval when its TCP DNS lookups exceed the configured rate limit.

• RATELIMITED IP UDP: Use this rule template to create custom rules that apply rate limiting restrictions for blacklisting IP addresses on UDP. If there are IP addresses that you want to block before their traffic reaches the rate limit, create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP DNS lookups from the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. The appliance drops the packets sent by this IP address for the drop interval when its UDP DNS lookups exceed the configured rate limit.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance applies the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.
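The templates above imply an evaluation order: a WHITELIST rule passes a source before any rate limiting, a BLACKLIST rule drops a source before any rate limiting, and only then does a RATELIMITED rule count packets against Packets per second and block the source for the Drop interval, with Events per second capping what is logged. The following Python is an added example written for this page to make that order concrete; it is not Infoblox code. The class and function names, the fixed one-second counting window, and the traffic it feeds in are assumptions (the page does not describe how the appliance counts). The IDN note is handled by converting names to Punycode with Python's idna codec before matching.

```python
"""Added example (not Infoblox code): evaluation order of the custom rule
templates, whitelist -> blacklist -> rate limit, with a per-source limiter."""
import ipaddress
from dataclasses import dataclass, field


def to_alabel(name):
    """Normalise an FQDN to its Punycode (A-label) form, as the IDN note requires.
    Python's idna codec does the conversion: 'münchen.example' -> 'xn--mnchen-3ya.example'."""
    return name.rstrip(".").encode("idna").decode("ascii").lower()


@dataclass
class RateLimitRule:
    """RATELIMITED IP template: Packets per second threshold, Drop interval block.
    Counting uses a fixed one-second window per source (an assumption)."""
    packets_per_second: int
    drop_interval: float
    networks: list
    window_start: dict = field(default_factory=dict)
    window_count: dict = field(default_factory=dict)
    blocked_until: dict = field(default_factory=dict)

    def applies(self, src):
        return any(src in net for net in self.networks)

    def check(self, src, now):
        """Return 'pass' or 'drop' for one packet from src at time now (seconds)."""
        if self.blocked_until.get(src, 0.0) > now:
            return "drop"                       # still inside the Drop interval
        start = self.window_start.get(src)
        if start is None or now - start >= 1.0:
            self.window_start[src] = now        # open a new one-second window
            self.window_count[src] = 0
        self.window_count[src] += 1
        if self.window_count[src] > self.packets_per_second:
            self.blocked_until[src] = now + self.drop_interval
            return "drop"
        return "pass"


class Policy:
    """Ordered evaluation: WHITELIST (pass prior to rate limiting), BLACKLIST IP
    (drop prior to rate limiting), BLACKLIST FQDN, then RATELIMITED IP."""

    def __init__(self, whitelist, blacklist, blacklisted_fqdns, ratelimit,
                 events_per_second=1):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        self.blacklisted_fqdns = {to_alabel(f) for f in blacklisted_fqdns}
        self.ratelimit = ratelimit
        self.events_per_second = events_per_second   # caps logged events per second
        self.events = []
        self._log_window = None
        self._log_count = 0

    def _log(self, now, message):
        if self._log_window is None or now - self._log_window >= 1.0:
            self._log_window, self._log_count = now, 0
        if self._log_count < self.events_per_second:
            self._log_count += 1
            self.events.append((now, message))

    def decide(self, src_ip, qname, now):
        src = ipaddress.ip_address(src_ip)
        if any(src in net for net in self.whitelist):
            return "pass"                       # never reaches the rate limiter
        if any(src in net for net in self.blacklist):
            self._log(now, f"BLACKLIST IP drop {src_ip}")
            return "drop"
        if to_alabel(qname) in self.blacklisted_fqdns:
            self._log(now, f"BLACKLIST FQDN drop {qname} from {src_ip}")
            return "drop"
        if self.ratelimit.applies(src):
            verdict = self.ratelimit.check(src, now)
            if verdict == "drop":
                self._log(now, f"RATELIMIT drop {src_ip}")
            return verdict
        return "pass"


def run_demo():
    """Constructed traffic (not a capture): one source bursts 8 queries in a second."""
    limiter = RateLimitRule(packets_per_second=5, drop_interval=30.0,
                            networks=[ipaddress.ip_network("0.0.0.0/0")])
    policy = Policy(whitelist=["10.0.0.0/8"], blacklist=["198.51.100.0/24"],
                    blacklisted_fqdns=["münchen.example"], ratelimit=limiter)
    burst = [policy.decide("203.0.113.7", "www.example", 100.0 + i * 0.1)
             for i in range(8)]
    later = [policy.decide("203.0.113.7", "www.example", t) for t in (125.0, 131.0)]
    trusted = [policy.decide("10.1.2.3", "www.example", 100.0 + i * 0.1)
               for i in range(8)]
    return {
        "burst": burst,                          # 5 pass, then 3 drop
        "after_drop_interval": later,            # still dropped at 125 s, passes at 131 s
        "whitelisted": trusted,                  # all pass, never counted
        "blacklisted_ip": policy.decide("198.51.100.9", "www.example", 200.0),
        "blacklisted_fqdn": policy.decide("203.0.113.8", "MÜNCHEN.example.", 200.5),
        "events_logged": len(policy.events),     # Events per second = 1 suppresses repeats
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The whitelist test comes first so that a trusted forwarder or VPN concentrator behind NAT is never counted, which is the same tuning concern the rule comments raise about NATed environments.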


DNS DDoS

The following table lists the system rules that are used to mitigate DNS DDoS attacks on your advanced appliance. These rules rate-limit clients that trigger NXDOMAIN, NXRRSET and SERVFAIL responses.

Table H10 DNS DDoS Rules

Rule 200000001 (System): NXDOMAIN rate limiting rule
    Description: Warns if any source IP sends inbound UDP DNS queries that trigger NXDOMAIN responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Enabled by default
    Parameters: Packets per second (default=1000); Drop interval (default=5 seconds); Events per second (default=1)
    Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

Rule 200000002 (System): NXRRSET rate limiting rule
    Description: Warns if any source IP sends inbound UDP DNS queries that trigger NXRRSET responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Enabled by default
    Parameters: Packets per second (default=1000); Drop interval (default=5 seconds); Events per second (default=1)
    Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators. NOTE: NXRRSET responses are NOERROR responses with no records in the answer section (no records, no answers, no error).

Rule 200000003 (System): SERVFAIL rate limiting rule
    Description: Warns if any source IP sends inbound UDP DNS queries that trigger SERVFAIL responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all UDP DNS traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Enabled by default
    Parameters: Packets per second (default=1000); Drop interval (default=5 seconds); Events per second (default=1)
    Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.


DNS Tunneling

DNS tunneling attacks encapsulate another protocol inside DNS traffic on port 53, typically for data exfiltration. Outbound and inbound data is encoded into small chunks and fitted into DNS queries and DNS responses.

The following table lists the system and auto rules used to mitigate DNS tunneling on your advanced appliance.

Table H11 Anti DNS Tunneling Rules

Rule 130000500 (System): RATELIMIT UDP high rate inbound large DNS queries (anti-tunneling)
    Description: Warns if any source IP sends large UDP DNS queries (which could be DNS tunneling) at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval. This rule is triggered when the DNS packet size exceeds the configured Packet size value.
    Enable/Disable condition: Disabled by default
    Parameters: Packets per second (default=100); Drop interval (default=5 seconds); Events per second (default=1); Packet size (default=200)
    Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

Rule 130000600 (Auto): RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling)
    Description: Warns if any source IP sends large TCP DNS queries (which could be DNS tunneling) at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval. This rule is triggered when the DNS packet size exceeds the configured Packet size value.
    Enable/Disable condition: Disabled by default
    Parameters: Packets per second (default=100); Drop interval (default=5 seconds); Events per second (default=1); Packet size (default=200)
    Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

Rule 200000004 (System): DNS tunneling rate limiting rule
    Description: Warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval. This rule is triggered when the size of the TXT records in the DNS response exceeds the configured Packet size value.
    Enable/Disable condition: Enabled by default
    Parameters: Packets per second (default=1000); Drop interval (default=5 seconds); Events per second (default=1); Packet size (default=40)
    Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

DNS Amplification and Reflection

DNS reflection attacks use a form of IP spoofing: the attacker sets the source address of its DNS queries to the address of the intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification exploit the asymmetry of DNS over UDP (small requests, large responses) and the existence of open DNS resolvers on the Internet. The result is that small DNS queries reflect large UDP responses to the target address carried in the spoofed source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Because DNS runs over UDP and requires no handshake, the protocol can be used to lock down a host or a network. A specially crafted small query to any open DNS resolver can produce a single response of several kilobytes or more, sent to the unwitting spoofed victim. (Classic DNS limits a UDP response to 512 bytes; a larger response is truncated and the client must retry over TCP, which an attacker cannot do from a spoofed address. With the EDNS0 extension a resolver will send UDP responses of 4096 bytes or more, and such datagrams usually exceed the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow DDoS attacks containing hundreds of gigabytes of data. Attackers may also

use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate limiting to prevent abuse even while supporting open recursive DNS servers; hence issues of this type usually result from mistakes in configuration.
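The anti-tunneling rules in Table H11 key on the size of a DNS query and on the size of the TXT records in a response, rule 130400100 in the amplification table keys on the ANY query type, and the EDNS0 point above is what lets a UDP response exceed 512 bytes. The following Python is an added example written for this page, not Infoblox code: it builds a DNS query and response on the wire (constructed packets, not captures), extracts the fields those rules inspect, and reports which rule's size or type condition each packet meets. The thresholds are the Packet size defaults from the tables (200 for queries, 40 for TXT data); the rule IDs are quoted from the tables; the function names are assumptions, and the rate part of each rule is not modelled.

```python
"""Added example (not Infoblox code): extract the DNS fields that the
anti-tunneling and reflection/amplification rules inspect."""
import struct

QTYPE_TXT, QTYPE_OPT, QTYPE_ANY = 16, 41, 255
CLASSIC_UDP_LIMIT = 512          # RFC 1035 limit for a UDP response without EDNS0


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in the root label."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split(".") if lbl)
    return out + b"\x00"


def skip_name(buf, off):
    """Advance past a (possibly compressed) name and return the next offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(qname, qtype, edns_udp_size=None):
    """A query with one question; an OPT RR advertises the EDNS0 UDP payload size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext flags, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def txt_rdata(text):
    """TXT RDATA is a sequence of <length><bytes> character-strings (max 255 each)."""
    data = text.encode("ascii")
    assert len(data) <= 255
    return bytes([len(data)]) + data


def build_response(query, answers):
    """Echo the question, set QR, append answers whose owner points back at the qname."""
    txid = struct.unpack_from("!H", query, 0)[0]
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
                    for rtype, rdata in answers)
    return header + query[12:qend] + body


def parse(buf):
    """Pull out the handful of fields the rules care about."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    info = {"size": len(buf), "is_response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200), "qtype": None,
            "edns_udp_size": None, "txt_bytes": 0}
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off)
        info["qtype"] = struct.unpack_from("!H", buf, off)[0]
        off += 4
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == QTYPE_OPT:
            info["edns_udp_size"] = rclass      # OPT stores the UDP size in CLASS
        elif rtype == QTYPE_TXT:
            info["txt_bytes"] += rdlen
        off += rdlen
    return info


def matching_rules(buf, packet_size=200, txt_size=40):
    """Rule IDs from the tables whose size/type condition this packet meets."""
    info = parse(buf)
    hits = []
    if not info["is_response"]:
        if info["qtype"] == QTYPE_ANY:
            hits.append("130400100")            # possible reflection/amplification
        if info["size"] > packet_size:
            hits.append("130000500")            # large inbound DNS query
    elif info["txt_bytes"] > txt_size:
        hits.append("200000004")                # large TXT records in the response
    return hits


def udp_limit(query):
    """Largest UDP response the client asked for: the EDNS0 size, else 512."""
    return parse(query)["edns_udp_size"] or CLASSIC_UDP_LIMIT


def run_demo():
    any_q = build_query("example.com", QTYPE_ANY, edns_udp_size=4096)   # 40 bytes
    plain_q = build_query("example.com", QTYPE_ANY)                      # no OPT
    # six 100-byte TXT answers: a 40-byte query draws a 701-byte response
    resp = build_response(any_q, [(QTYPE_TXT, txt_rdata("A" * 99))] * 6)
    long_q = build_query(".".join(["a" * 50] * 4) + ".example", 1)       # 229 bytes
    return {"any_query_rules": matching_rules(any_q),
            "long_query_rules": matching_rules(long_q),
            "txt_response_rules": matching_rules(resp),
            "response_size": len(resp),
            "factor": len(resp) / len(any_q),
            "fits_without_edns0": len(resp) <= udp_limit(plain_q),
            "fits_with_edns0": len(resp) <= udp_limit(any_q)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The last two results are the EDNS0 point: the same 701-byte answer would be truncated to a 512-byte limit for the plain query, forcing a TCP retry that a spoofed source cannot complete, but fits inside the 4096-byte UDP size the EDNS0 query advertises.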

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attackson your advanced appliance

Table H12 DNS Amplification and Reflection Rules

Rule 130400100 (Auto): WARN & DROP DoS DNS possible reflection/amplification attack attempts
    Description: Warns if any source IP sends UDP DNS packets that could be reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval. Note that this rule applies when the query type is ANY.
    Enable/Disable condition: Enabled by default
    Parameters: Packets per second (default=5); Drop interval (default=5 seconds); Events per second (default=1)
    Comments: Consider tuning Packets per second to a higher value (approximately 100) for NATed environments, static forwarders and VPN concentrators.

Rule 130400500 (System): RATE LIMIT PASS UDP DNS root requests with additional RRs
    Description: Passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the time specified in Drop interval.
    Enable/Disable condition: Disabled by default
    Parameters: Packets per second (default=500); Drop interval (default=5 seconds); Events per second (default=1)

Rule 130400600 (System): RATE LIMIT PASS UDP DNS root requests
    Description: Passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the time specified in Drop interval.
    Enable/Disable condition: Disabled by default
    Parameters: Packets per second (default=500); Drop interval (default=5 seconds); Events per second (default=1)
    Comments: Consider tuning Packets per second to a higher value for NATed environments, static forwarders and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules cover NTP requests and responses, NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13 NTP Rules

Rule 130600100 (Auto): RATELIMIT PASS NTP TIME responses
    Description: When the NTP client is enabled, passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
    Enable/Disable condition: Enabled when the NTP client is enabled
    Parameters: Packets per second (default=10); Drop interval (default=15 seconds); Events per second (default=1)

Rule 130600120 (Auto): DROP NTP TIME responses
    Description: Drops all UDP NTP TIME responses when the NTP client is disabled.
    Enable/Disable condition: Enabled when the NTP client is disabled
    Parameters: Events per second (default=1)


Rule 200001001 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
    Description: When the NTP server is enabled, warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default=1)

Rule 200001005 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
    Description: When the NTP server is enabled, warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default=1)

Rule 200001010 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
    Description: When the NTP server is enabled, warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default=1)

Rule 200001015 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
    Description: When the NTP server is enabled, warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default=1)

Rule 200001020 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
    Description: When the NTP server is enabled, warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default=1)

Rule 200001025 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
    Description: When the NTP server is enabled, warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP service is enabled on this member
    Parameters: Events per second (default=1)

Rule 200001050 (Auto): RATELIMIT PASS NTPQ IPv4 requests
    Description: Passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default=10); Drop interval (default=60 seconds); Events per second (default=1)


Rule 200001055 (Auto): RATELIMIT PASS NTP TIME IPv4 requests
    Description: Passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default=10); Drop interval (default=60 seconds); Events per second (default=1)

Rule 200001060 (Auto): RATELIMIT PASS NTP private mode IPv4 requests
    Description: Passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default=10); Drop interval (default=60 seconds); Events per second (default=1)

Rule 200001065 (Auto): RATELIMIT PASS NTPQ IPv6 requests
    Description: Passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default=10); Drop interval (default=60 seconds); Events per second (default=1)

Rule 200001070 (Auto): RATELIMIT PASS NTP TIME IPv6 requests
    Description: Passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default=10); Drop interval (default=60 seconds); Events per second (default=1)

Rule 200001075 (Auto): RATELIMIT PASS NTP private mode IPv6 requests
    Description: Passes UDP NTP private mode 7 requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default=10); Drop interval (default=60 seconds); Events per second (default=1)

Rule 200001100 (Auto): DROP NTPQ requests unexpected
    Description: When NTP service is disabled, drops all UDP NTPQ requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default=1)

Rule 200001105 (Auto): DROP NTP TIME requests unexpected
    Description: When NTP service is disabled, drops all UDP NTP TIME requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default=1)

Rule 200001110 (Auto): DROP NTP private mode requests unexpected
    Description: When NTP service is disabled, drops all UDP NTP private mode 7 requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default=1)

Rule 200001115 (Auto): DROP invalid NTP requests
    Description: When NTP service is disabled, drops all invalid UDP NTP requests.
    Enable/Disable condition: Enabled when NTP service is disabled on this member
    Parameters: Events per second (default=1)
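The NTP rules in Table H13 are keyed on the NTP mode carried in the low three bits of the first byte of the packet: modes 3 and 4 are TIME requests and responses, mode 6 is the control protocol that ntpq speaks, and mode 7 is the private protocol that ntpdc speaks. A mode 7 header also carries an authenticated bit, an implementation number (the IMPL 0x02 and 0x03 in the rule names) and a request code (PEER_LIST, PEER_LIST_SUM, GET_RESTRICT). The following Python is an added example written for this page, not Infoblox code: it decodes those header fields from constructed packets and maps each packet onto the rule name from the table that would apply. The mode 7 field layout and the request-code and implementation numbers follow the reference ntpd's ntp_request.h; the function names and the packets are assumptions, only the header is decoded, and the rate part of the rules is not modelled.

```python
"""Added example (not Infoblox code): decode the NTP header fields the rules in
Table H13 key on, and map constructed packets to the matching rule names."""

MODE_CLIENT, MODE_SERVER, MODE_CONTROL, MODE_PRIVATE = 3, 4, 6, 7
# Implementation numbers and request codes from ntp_request.h (reference ntpd).
IMPL_NAMES = {0: "IMPL_UNIV", 2: "IMPL_XNTPD_OLD", 3: "IMPL_XNTPD"}
REQ_NAMES = {0: "PEER_LIST", 1: "PEER_LIST_SUM", 16: "GET_RESTRICT",
             20: "MON_GETLIST", 42: "MON_GETLIST_1"}
STANDARD_NTP_LEN = 48                # mode 3/4 packet without a MAC
ABUSED_REQUESTS = ("GET_RESTRICT", "PEER_LIST_SUM", "PEER_LIST")   # named in Table H13


def decode_ntp(pkt):
    """Return the header fields relevant to the rules, or kind='invalid'."""
    if not pkt:
        return {"kind": "invalid"}
    first = pkt[0]
    mode, version = first & 0x07, (first >> 3) & 0x07
    if mode == MODE_PRIVATE:
        # byte 0: R|M|VN|mode, byte 1: A|sequence, byte 2: impl, byte 3: request code,
        # then err/nitems and mbz/size (2 bytes each): 8 bytes minimum
        if len(pkt) < 8:
            return {"kind": "invalid"}
        return {"kind": "private", "version": version,
                "response": bool(first & 0x80), "more": bool(first & 0x40),
                "authenticated": bool(pkt[1] & 0x80), "sequence": pkt[1] & 0x7F,
                "impl": pkt[2], "impl_name": IMPL_NAMES.get(pkt[2], "unknown"),
                "request": pkt[3], "request_name": REQ_NAMES.get(pkt[3], f"REQ_{pkt[3]}")}
    if mode == MODE_CONTROL:
        if len(pkt) < 12:                # control message header is 12 bytes
            return {"kind": "invalid"}
        return {"kind": "ntpq", "version": version,
                "response": bool(pkt[1] & 0x80), "opcode": pkt[1] & 0x1F}
    if mode in (MODE_CLIENT, MODE_SERVER):
        if len(pkt) < STANDARD_NTP_LEN:
            return {"kind": "invalid"}
        return {"kind": "time_request" if mode == MODE_CLIENT else "time_response",
                "version": version}
    return {"kind": "other", "mode": mode, "version": version}


def rule_for(pkt, ntp_server_enabled=True, family="IPv4"):
    """Name the Table H13 rule an inbound packet falls under."""
    info = decode_ntp(pkt)
    kind = info["kind"]
    if kind == "invalid":
        return "DROP invalid NTP requests" if not ntp_server_enabled else "invalid"
    if kind == "private":
        if (not info["response"] and not info["authenticated"]
                and info["impl"] in (2, 3) and info["request_name"] in ABUSED_REQUESTS):
            return (f"DOS Possible NTP DDoS Inbound Frequent Un-Authed "
                    f"{info['request_name']} Requests IMPL 0x{info['impl']:02x}")
        return (f"RATELIMIT PASS NTP private mode {family} requests" if ntp_server_enabled
                else "DROP NTP private mode requests unexpected")
    if kind == "ntpq":
        return (f"RATELIMIT PASS NTPQ {family} requests" if ntp_server_enabled
                else "DROP NTPQ requests unexpected")
    if kind == "time_request":
        return (f"RATELIMIT PASS NTP TIME {family} requests" if ntp_server_enabled
                else "DROP NTP TIME requests unexpected")
    if kind == "time_response":
        return "RATELIMIT PASS NTP TIME responses"
    return "other"


# Constructed packets (not captures). 0x17 = version 2, mode 7; 0x1b = version 3,
# mode 3; 0x16 = version 2, mode 6.
PEER_LIST_SUM = bytes([0x17, 0x00, 0x03, 0x01]) + b"\x00" * 4     # un-authed, IMPL_XNTPD
GET_RESTRICT_OLD = bytes([0x17, 0x00, 0x02, 0x10]) + b"\x00" * 4  # un-authed, IMPL_XNTPD_OLD
AUTHED_PEER_LIST = bytes([0x17, 0x80, 0x03, 0x00]) + b"\x00" * 4  # A bit set
MONLIST = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4           # MON_GETLIST_1
TIME_REQUEST = bytes([0x1B]) + b"\x00" * 47
NTPQ_READVAR = bytes([0x16, 0x02]) + b"\x00" * 10

if __name__ == "__main__":
    for name, pkt in [("PEER_LIST_SUM", PEER_LIST_SUM), ("GET_RESTRICT_OLD", GET_RESTRICT_OLD),
                      ("AUTHED_PEER_LIST", AUTHED_PEER_LIST), ("MONLIST", MONLIST),
                      ("TIME_REQUEST", TIME_REQUEST), ("NTPQ_READVAR", NTPQ_READVAR)]:
        print(f"{name:18} -> {rule_for(pkt)}")
```

Note that the "Un-Authed" qualifier in the rule names matters: the same PEER_LIST request with the authenticated bit set falls through to the ordinary private mode rate limit rather than the DOS rule.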


BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGPis enabled

Table H14 BGP Rules

Rule 130700100 (Auto): DROP BGP header length shorter than spec
    Description: When BGP is enabled, drops TCP BGP packets whose message header length is shorter than the RFC specification.
    Enable/Disable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default=1)

Rule 130700200 (Auto): DROP BGP header length longer than spec
    Description: When BGP is enabled, drops TCP BGP packets whose message header length is longer than the RFC specification.
    Enable/Disable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default=1)

Rule 130700300 (Auto): DROP BGP spoofed connection reset attempts
    Description: When BGP is enabled, drops TCP BGP packets that contain a spoofed connection reset.
    Enable/Disable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default=1)

Rule 130700400 (Auto): DROP BGP invalid type 0
    Description: When BGP is enabled, drops TCP BGP packets that contain the invalid message type 0.
    Enable/Disable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default=1)

Rule 130700500 (Auto): DROP BGP invalid type bigger than 5
    Description: When BGP is enabled, drops TCP BGP packets that contain an invalid message type greater than 5.
    Enable/Disable condition: Enabled when BGP service on this member is configured
    Parameters: Events per second (default=1)

Rule 130700550 (Auto): RATELIMIT PASS BGP IPv4 peer TCP connection attempts
    Description: When BGP is enabled, passes TCP BGP route advertisement connection attempts from IPv4 peers if the packet rate is below the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Enabled when BGP service on this member is configured with IPv4 peers
    Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

Rule 130700600 (Auto): RATELIMIT PASS BGP allowed with IPv4 peer
    Description: When BGP is enabled, passes TCP BGP route advertisements to IPv4 peers if the packet rate is below the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Enabled when BGP service on this member is configured with IPv4 peers
    Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

Rule 130700650 (Auto): RATELIMIT PASS BGP IPv6 peer TCP connection attempts
    Description: When BGP is enabled, passes TCP BGP route advertisement connection attempts from IPv6 peers if the packet rate is below the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from that source IP for the time specified in Drop interval.
    Enable/Disable condition: Enabled when BGP service on this member is configured with IPv6 peers
    Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

130700700  Auto  RATELIMIT PASS BGP allowed with IPv6 peer
  Description: This rule passes TCP BGP route advertisements to IPv6 peers when BGP is enabled and the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: This rule is enabled when the BGP service on this member is configured with IPv6 peers.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

130800100  Auto  DROP BGP unexpected
  Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
  Enable/Disable Condition: This rule takes effect when the BGP service on this member is NOT configured.
  Parameters: Events per second (default=1)
  Comments: This rule is exclusive with other rules, based on whether BGP is configured on the member or not.

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H.15 OSPF Rules

130900300  Auto  DROP OSPF unexpected
  Description: This rule drops unexpected OSPF packets.
  Enable Condition: This rule takes effect when the OSPF service on this member is NOT configured.
  Parameters: Events per second (default=1)
  Comments: Default drop rule for all packets on the OSPF service port.

130900400  Auto  RATELIMIT PASS OSPF multicast
  Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when the OSPF service on this member is configured for IPv4.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=100)

130900500  Auto  RATELIMIT PASS OSPF IPv6 multicast
  Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when the OSPF service on this member is configured for IPv6.
  Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=100)

130900600  Auto  RATELIMIT PASS OSPF
  Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable Condition: This rule takes effect when the OSPF service on this member is configured.
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)
  Comments: This rule works for both IPv4 and IPv6.
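Going back to the BGP rules in Table H.14: the header-level conditions behind rules 130700100, 130700200, 130700400 and 130700500 can be checked on a raw BGP message before any BGP state machine sees it. The following is an added example, not Infoblox code; the limits (a 19-octet fixed header, 19 to 4096 octets per message, message types 1 to 5) come from RFC 4271 and RFC 2918, and the function names, the return values and the constructed sample messages are this example's own.

```python
"""Added example (not Infoblox code): apply the BGP header conditions that rules
130700100/130700200/130700400/130700500 describe to raw BGP messages."""
import struct

BGP_HEADER_LEN = 19      # marker (16) + length (2) + type (1), RFC 4271 section 4.1
BGP_MAX_MSG_LEN = 4096   # maximum message length, RFC 4271 section 4.1
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE",
             5: "ROUTE-REFRESH"}  # 5 is from RFC 2918; anything above is invalid


def check_bgp_header(msg: bytes):
    """Return (rule_id, reason) for the first rule this message header trips,
    or None when the header is within specification.  A message too short to
    hold a full header is treated as the "shorter than spec" case (this
    example's interpretation; the page only names the condition)."""
    if len(msg) < BGP_HEADER_LEN:
        return ("130700100", "only %d octets, a BGP header needs %d"
                % (len(msg), BGP_HEADER_LEN))
    length, mtype = struct.unpack_from("!HB", msg, 16)   # fields after the marker
    if length < BGP_HEADER_LEN:
        return ("130700100", "length field %d is below the %d-octet header"
                % (length, BGP_HEADER_LEN))
    if length > BGP_MAX_MSG_LEN:
        return ("130700200", "length field %d exceeds the %d-octet maximum"
                % (length, BGP_MAX_MSG_LEN))
    if mtype == 0:
        return ("130700400", "message type 0 is not defined")
    if mtype > 5:
        return ("130700500", "message type %d is greater than 5" % mtype)
    return None


def audit_stream(data: bytes):
    """Walk a captured TCP byte stream of back-to-back BGP messages and return
    (offset, rule_id, reason) for every header that trips a rule.  A bad length
    field makes the rest of the stream unparseable, so auditing stops there."""
    findings, off = [], 0
    while off < len(data):
        hit = check_bgp_header(data[off:])
        if hit is not None:
            findings.append((off, hit[0], hit[1]))
            if hit[0] in ("130700100", "130700200"):
                break                       # cannot resynchronise after a bad length
        off += int.from_bytes(data[off + 16:off + 18], "big")
    return findings


def build_bgp_message(mtype: int, payload: bytes = b"", length=None) -> bytes:
    """Constructed test message: all-ones marker, then length and type.  Pass
    `length` to forge a length field that disagrees with the real size."""
    if length is None:
        length = BGP_HEADER_LEN + len(payload)
    return b"\xff" * 16 + struct.pack("!HB", length, mtype) + payload


if __name__ == "__main__":
    stream = (build_bgp_message(4) + build_bgp_message(0)
              + build_bgp_message(4, length=18) + build_bgp_message(4))
    for off, rule, why in audit_stream(stream):
        print("offset %d: rule %s (%s)" % (off, rule, why))
```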

ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H.16 ICMP Rules

130400200  Auto  DROP ICMP large packets
  Description: This rule drops large ICMP packets (bigger than 800).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1)

130900100  Auto  RATE LIMIT PASS ICMP Ping
  Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130900200  Auto  RATE LIMIT PASS ICMPv6 Ping
  Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130900700  Auto  RATELIMIT PASS ICMPv6 destination unreachable
  Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=100)

130900800  Auto  RATELIMIT PASS ICMPv6 packet too big
  Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=100)

130900900  Auto  RATELIMIT PASS ICMPv6 ping responses
  Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130901000  Auto  RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130901100  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130901900  Auto  RATELIMIT PASS ICMPv6 listener query
  Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
  Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
  Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
  Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902300  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902400  Auto  RATELIMIT PASS ICMPv6 multicast router solicitation
  Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902500  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
  Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130902700  Auto  RATELIMIT PASS ICMP router advertisement
  Description: This rule passes ICMP router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
  Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
  Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
  Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
  Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903400  Auto  RATELIMIT ICMP port unreachable
  Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=10); Drop interval (default=10 sec); Packets per second (default=50)

130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
  Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H.17 Default Pass/Drop Rules

100000050  System  EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
  Enable Condition: Enabled by default
  Parameters: N/A

140000100  System  DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
  Description: This rule passes all TCP established packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)

140000500  System  DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600  System  DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700  System  DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800  System  DROP unexpected protocol
  Description: This rule drops any unexpected protocol packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This is a catch-all rule that drops anything that does not match any other rules in the system.


HA Support

The following table lists the auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and the Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H.18 HA Support Rules

140000750  Auto  PASS VRRP
  Description: This rule passes packets that go through VRRP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

140000760  Auto  PASS IGMP
  Description: This rule passes packets that go through IGMP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into puny codes. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  – Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  – Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  – Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  – Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:

  – Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  – Drop interval: Enter the number of seconds for which the appliance drops packets.
  – Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  – Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  – Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  – Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  – Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
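The RATELIMIT PASS rules in the BGP, OSPF and ICMP tables all describe the same mechanism (pass while a source stays under Packets per second, then drop everything from that source for Drop interval, logging at most Events per second), and the custom rule templates above layer whitelist, blacklist and rate limited rules on top of it. The following is one added example, not Infoblox code, that models both: rule names and the template defaults (5 pps, 30 s) are quoted from this page; the one-second counting window, checking the whitelist before the blacklist, exact FQDN matching, keying the FQDN limiter on the query name and the use of Python's idna codec for the puny code conversion are this example's own assumptions.

```python
"""Added example (not Infoblox code): per-key rate limiting with a drop interval
and an Events per second log cap, plus the custom rule evaluation order."""
import ipaddress


class RateLimiter:
    """A key (a source IP, or an FQDN) passes while it stays at or under `pps`
    packets in the current one-second window (assumed window model); the packet
    that exceeds the limit, and everything from that key afterwards, is dropped
    for `drop_interval` seconds.  Drops are logged, at most `events_per_second`
    of them per second (the Events per second parameter)."""

    def __init__(self, pps, drop_interval, events_per_second=1):
        self.pps = pps
        self.drop_interval = drop_interval
        self.events_per_second = events_per_second
        self._window = {}          # key -> (window_start, packets_in_window)
        self._blocked_until = {}   # key -> time at which the drop interval ends
        self._log_sec = (None, 0)  # (second, events already logged in it)
        self.log = []              # (time, key) for every logged drop

    def check(self, key, now):
        until = self._blocked_until.get(key)
        if until is not None and now < until:
            self._log_drop(key, now)
            return "DROP"
        start, n = self._window.get(key, (now, 0))
        if now - start >= 1.0:               # start a new one-second window
            start, n = now, 0
        n += 1
        self._window[key] = (start, n)
        if n > self.pps:
            self._blocked_until[key] = now + self.drop_interval
            self._log_drop(key, now)
            return "DROP"
        return "PASS"

    def _log_drop(self, key, now):
        sec, logged = self._log_sec
        if sec != int(now):
            sec, logged = int(now), 0
        if logged < self.events_per_second:
            self.log.append((now, key))
            logged += 1
        self._log_sec = (sec, logged)


def to_ascii(fqdn):
    """Normalise a query name as the IDN note requires: IDN labels become
    puny code (via Python's idna codec); case and a trailing dot are dropped."""
    return fqdn.rstrip(".").encode("idna").decode("ascii").lower()


class CustomRules:
    """One transport's (TCP or UDP) set of custom rules, evaluated in the order
    the templates imply: WHITELIST IP, BLACKLIST IP, BLACKLIST FQDN lookup,
    RATELIMITED IP, RATELIMITED FQDN lookup."""

    def __init__(self, whitelist_ips=(), blacklist_ips=(), blacklist_fqdns=(),
                 ip_limit=None, fqdn_limits=None):
        # address or address/CIDR strings, as the templates accept them
        self.whitelist = [ipaddress.ip_network(n, strict=False) for n in whitelist_ips]
        self.blacklist = [ipaddress.ip_network(n, strict=False) for n in blacklist_ips]
        # Blacklisted FQDN: the template takes a semicolon-separated list
        self.blacklist_fqdn = {to_ascii(f) for f in blacklist_fqdns}
        # RATELIMITED IP: template defaults are 5 packets per second, 30 s drop interval
        self.ip_limit = RateLimiter(pps=5, drop_interval=30) if ip_limit is None else ip_limit
        # RATELIMITED FQDN lookup: one limiter per rate limited FQDN (default 5 pps)
        self.fqdn_limits = {to_ascii(f): rl for f, rl in (fqdn_limits or {}).items()}

    def evaluate(self, src_ip, qname, now):
        ip = ipaddress.ip_address(src_ip)
        if any(ip in net for net in self.whitelist):   # pass prior to rate limiting
            return "PASS"
        if any(ip in net for net in self.blacklist):   # drop prior to rate limiting
            return "DROP"
        name = to_ascii(qname)
        if name in self.blacklist_fqdn:
            return "DROP"
        if self.ip_limit.check(src_ip, now) == "DROP":
            return "DROP"
        fqdn_limit = self.fqdn_limits.get(name)
        if fqdn_limit is not None and fqdn_limit.check(name, now) == "DROP":
            return "DROP"
        return "PASS"


if __name__ == "__main__":
    # constructed scenario: one source sends six queries within a second
    rules = CustomRules(blacklist_ips=["198.51.100.0/24"])
    for i in range(6):
        print(i + 1, rules.evaluate("192.0.2.10", "www.example", 0.1 * (i + 1)))
```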

DNS Tunneling

DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltrationOutbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNSresponses

The following table lists the system rule used to mitigate DNS tunneling on your advanced appliance

Table H11 Anti DNS Tunneling Rules

DNS Amplification and Reflection

DNS Tunneling Rules (continued)

Rule 130000500 (System): RATELIMIT UDP high-rate inbound large DNS queries (anti-tunneling)
Description: This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the time in Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
Enable/Disable condition: Disabled by default
Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.

Rule 130000600 (Auto): RATELIMIT TCP high-rate inbound large DNS queries (anti-tunneling)
Description: This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate that equals the Packets per second value. If the rate exceeds the value, the appliance blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the DNS Packet size exceeds the configured value.
Enable/Disable condition: Disabled by default
Parameters: Packets per second (default = 100); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 200)
Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.

Rule 200000004 (System): DNS tunneling rate limiting rule
Description: This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate that equals the Packets per second value. If the rate exceeds this value, it blocks all such traffic from this source IP for the Drop interval. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size.
Enable/Disable condition: Enabled by default
Parameters: Packets per second (default = 1000); Drop interval (default = 5 seconds); Events per second (default = 1); Packet size (default = 40)
Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.

DNS reflection attacks use a form of IP spoofing, changing the source address in their DNS queries to show the address of their intended target, such as a DNS root server or a top-level domain (TLD) name server operator. DNS reflection and amplification recognizes UDP as an asymmetrical protocol (small requests, large responses) and the existence of open DNS resolvers to the Internet cloud. The result is that small DNS queries reflect large UDP datagram responses to the target address in the original source datagrams. Some recent attacks have used this DDoS technique at a huge scale.

Since DNS runs over UDP and does not require a handshake, it is possible to use the protocol as a means to lock down a host or a network. Designed a specific way, sending a small query to any open DNS resolver can result in a single response containing several kilobytes or more that are sent to the unwitting spoofed victim. (This type of response typically is sent via TCP, as UDP does not allow for more than 512 bytes in a response datagram. The resulting packet usually exceeds the MTU of the recipient's interfaces, resulting in further packet fragmentation and processing.) Open DNS resolvers may allow for launching DDoS attacks containing hundreds of gigabytes of data. Attackers may also use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.
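The rate-limit rules in this section and in the tables that follow share one mechanism: a source passes until it reaches the Packets per second value, is then dropped for the Drop interval, and the rule logs at most Events per second events. The following Python model of that mechanism is an added example, not Infoblox code; the one-second sliding window, the packet trace (RFC 5737 documentation addresses) and the tuned variant are assumptions, while the defaults are those of rule 130400100 in Table H12.

```python
"""Model of the per-source rate-limit semantics shared by the RATELIMIT and
WARN & DROP rules: a source passes until it hits Packets per second, is then
dropped for Drop interval, and each rule logs at most Events per second events.
Added example, not Infoblox code."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class RateLimitRule:
    rule_id: int
    name: str
    packets_per_second: int   # "Packets per second" parameter
    drop_interval: float      # "Drop interval" parameter, in seconds
    events_per_second: int    # "Events per second" parameter


class SourceRateLimiter:
    """State for one rule. The one-second sliding window per source IP is an assumption."""

    def __init__(self, rule: RateLimitRule):
        self.rule = rule
        self.window = defaultdict(deque)  # src -> timestamps seen in the last second
        self.blocked_until = {}           # src -> time its Drop interval ends
        self.events = []                  # (ts, src, message) actually logged
        self.suppressed_events = 0        # events beyond the Events per second budget
        self._event_times = deque()

    def _log(self, ts, src, message):
        # Events per second: at most N log events per one-second window for this rule,
        # so a flood yields a bounded number of log lines rather than one per packet.
        while self._event_times and self._event_times[0] <= ts - 1.0:
            self._event_times.popleft()
        if len(self._event_times) >= self.rule.events_per_second:
            self.suppressed_events += 1
            return
        self._event_times.append(ts)
        self.events.append((ts, src, message))

    def handle(self, ts: float, src: str) -> str:
        """Return "PASS" or "DROP" for one packet from src at time ts (seconds)."""
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "DROP"            # still inside this source's Drop interval
            del self.blocked_until[src]  # interval over; the source is judged afresh
        seen = self.window[src]
        seen.append(ts)
        while seen and seen[0] <= ts - 1.0:
            seen.popleft()
        if len(seen) > self.rule.packets_per_second:
            self.blocked_until[src] = ts + self.rule.drop_interval
            seen.clear()
            self._log(ts, src, f"rule {self.rule.rule_id} ({self.rule.name}): {src} exceeded "
                               f"{self.rule.packets_per_second} pps, blocked {self.rule.drop_interval} s")
            return "DROP"
        return "PASS"


# Rule 130400100 with its Table H12 defaults (5 pps, 5 s, 1 event/s), and the same
# rule with Packets per second raised to roughly 100 as its Comments column suggests.
REFLECTION_RULE = RateLimitRule(
    130400100, "WARN & DROP DoS DNS possible reflection/amplification attack attempts",
    packets_per_second=5, drop_interval=5.0, events_per_second=1)
REFLECTION_RULE_TUNED = RateLimitRule(
    130400100, REFLECTION_RULE.name, packets_per_second=100, drop_interval=5.0,
    events_per_second=1)

# Constructed trace of (timestamp, source IP) for inbound UDP DNS "ANY" queries:
# 203.0.113.10/.11 stand for NAT gateways fronting many clients, 198.51.100.7 for one host.
TRACE = [
    (0.00, "203.0.113.10"), (0.05, "203.0.113.11"), (0.10, "203.0.113.10"),
    (0.15, "203.0.113.11"), (0.20, "203.0.113.10"), (0.25, "198.51.100.7"),
    (0.25, "203.0.113.11"), (0.30, "203.0.113.10"), (0.35, "203.0.113.11"),
    (0.40, "203.0.113.10"), (0.45, "198.51.100.7"), (0.45, "203.0.113.11"),
    (0.50, "203.0.113.10"), (0.55, "203.0.113.11"), (0.60, "203.0.113.10"),
    (0.70, "203.0.113.10"), (3.00, "203.0.113.10"), (6.50, "203.0.113.10"),
]


def simulate(rule: RateLimitRule, trace) -> dict:
    """Run a trace through one rule and summarise what the operator would see."""
    limiter = SourceRateLimiter(rule)
    verdicts = [limiter.handle(ts, src) for ts, src in sorted(trace)]
    return {
        "pass": verdicts.count("PASS"),
        "drop": verdicts.count("DROP"),
        "events_logged": len(limiter.events),
        "events_suppressed": limiter.suppressed_events,
        "still_blocked": sorted(limiter.blocked_until),
    }


if __name__ == "__main__":
    # With the defaults both NAT gateways are cut off at their sixth query within one
    # second (one logged event, one suppressed); the tuned rule passes the whole trace.
    print("defaults:", simulate(REFLECTION_RULE, TRACE))
    print("tuned:   ", simulate(REFLECTION_RULE_TUNED, TRACE))
```

The single host is never affected, which is the point of the tuning advice: with the default 5 pps a busy NAT gateway looks like an attacker and its users lose DNS for the Drop interval.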

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12 DNS Amplification and Reflection Rules

Rule 130400100 (Auto): WARN & DROP DoS DNS possible reflection/amplification attack attempts
Description: This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY".
Enable/Disable condition: Enabled by default
Parameters: Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders, and VPN concentrators.

Rule 130400500 (System): RATE LIMIT PASS UDP DNS root requests with additional RRs
Description: This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
Enable/Disable condition: Disabled by default
Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)

Rule 130400600 (System): RATE LIMIT PASS UDP DNS root requests
Description: This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval.
Enable/Disable condition: Disabled by default
Parameters: Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1)
Comments: Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders, and VPN concentrators.

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and "ANY" ACLs.

Table H13 NTP Rules

Rule 130600100 (Auto): RATELIMIT PASS NTP TIME responses
Description: When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds.
Enable/Disable condition: Enabled when the NTP client is enabled
Parameters: Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1)

Rule 130600120 (Auto): DROP NTP TIME responses
Description: This rule drops all UDP NTP TIME responses when the NTP client is disabled.
Enable/Disable condition: Enabled when the NTP client is disabled
Parameters: Events per second (default = 1)

Rule 200001001 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
Enable/Disable condition: Enabled when NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule 200001005 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
Enable/Disable condition: Enabled when NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule 200001010 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
Enable/Disable condition: Enabled when NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule 200001015 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
Enable/Disable condition: Enabled when NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule 200001020 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
Enable/Disable condition: Enabled when NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule 200001025 (Auto): DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval.
Enable/Disable condition: Enabled when NTP service is enabled on this member
Parameters: Events per second (default = 1)

Rule 200001050 (Auto): RATELIMIT PASS NTPQ IPv4 requests
Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule 200001055 (Auto): RATELIMIT PASS NTP TIME IPv4 requests
Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule 200001060 (Auto): RATELIMIT PASS NTP private mode IPv4 requests
Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule 200001065 (Auto): RATELIMIT PASS NTPQ IPv6 requests
Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval.
Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule 200001070 (Auto): RATELIMIT PASS NTP TIME IPv6 requests
Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval.
Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule 200001075 (Auto): RATELIMIT PASS NTP private mode IPv6 requests
Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval.
Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
Parameters: Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1)

Rule 200001100 (Auto): DROP NTPQ requests unexpected
Description: When NTP service is disabled, this rule drops all UDP NTPQ requests.
Enable/Disable condition: Enabled when NTP service is disabled on this member
Parameters: Events per second (default = 1)

Rule 200001105 (Auto): DROP NTP TIME requests unexpected
Description: When NTP service is disabled, this rule drops all UDP NTP TIME requests.
Enable/Disable condition: Enabled when NTP service is disabled on this member
Parameters: Events per second (default = 1)

Rule 200001110 (Auto): DROP NTP private mode requests unexpected
Description: When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
Enable/Disable condition: Enabled when NTP service is disabled on this member
Parameters: Events per second (default = 1)

Rule 200001115 (Auto): DROP invalid NTP requests
Description: When NTP service is disabled, this rule drops all invalid UDP NTP requests.
Enable/Disable condition: Enabled when NTP service is disabled on this member
Parameters: Events per second (default = 1)

BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

Rule 130700100 (Auto): DROP BGP header length shorter than spec
Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification.
Enable/Disable condition: Enabled when BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule 130700200 (Auto): DROP BGP header length longer than spec
Description: When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification.
Enable/Disable condition: Enabled when BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule 130700300 (Auto): DROP BGP spoofed connection reset attempts
Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
Enable/Disable condition: This rule is enabled when BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule 130700400 (Auto): DROP BGP invalid type 0
Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
Enable/Disable condition: This rule is enabled when BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule 130700500 (Auto): DROP BGP invalid type bigger than 5
Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
Enable/Disable condition: This rule is enabled when BGP service on this member is configured
Parameters: Events per second (default = 1)

Rule 130700550 (Auto): RATELIMIT PASS BGP IPv4 peer TCP connection attempts
Description: This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

Rule 130700600 (Auto): RATELIMIT PASS BGP allowed with IPv4 peer
Description: This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv4 peers
Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

Rule 130700650 (Auto): RATELIMIT PASS BGP IPv6 peer TCP connection attempts
Description: This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

Rule 130700700 (Auto): RATELIMIT PASS BGP allowed with IPv6 peer
Description: This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Enable/Disable condition: This rule is enabled when BGP service on this member is configured with IPv6 peers
Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 10)

Rule 130800100 (Auto): DROP BGP unexpected
Description: When BGP is enabled, this rule drops unexpected TCP BGP packets.
Enable/Disable condition: This rule takes effect when BGP service on this member is NOT configured
Parameters: Events per second (default = 1)
Comments: This rule is exclusive with the other rules, based on whether BGP is configured on the member or not.

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

Rule 130900300 (Auto): DROP OSPF unexpected
Description: This rule drops unexpected OSPF packets.
Enable condition: This rule takes effect when OSPF service on this member is NOT configured
Parameters: Events per second (default = 1)
Comments: Default drop rule for all packets on the OSPF service port.

Rule 130900400 (Auto): RATELIMIT PASS OSPF multicast
Description: This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable condition: This rule takes effect when OSPF service on this member is configured for IPv4
Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

Rule 130900500 (Auto): RATELIMIT PASS OSPF IPv6 multicast
Description: This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable condition: This rule takes effect when OSPF service on this member is configured for IPv6
Parameters: Events per second (default = 1); Drop interval (default = 60 sec); Packets per second (default = 100)

Rule 130900600 (Auto): RATELIMIT PASS OSPF
Description: This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable condition: This rule takes effect when OSPF service on this member is configured
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)
Comments: This rule works for both IPv4 and IPv6.

ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

Rule 130400200 (Auto): DROP ICMP large packets
Description: This rule drops large ICMP packets (bigger than 800).
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1)

Rule 130900100 (Auto): RATE LIMIT PASS ICMP Ping
Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Rule 130900200 (Auto): RATE LIMIT PASS ICMPv6 Ping
Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Rule 130900700 (Auto): RATELIMIT PASS ICMPv6 destination unreachable
Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100)

Rule 130900800 (Auto): RATELIMIT PASS ICMPv6 packet too big
Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 100)

Rule 130900900 (Auto): RATELIMIT PASS ICMPv6 ping responses
Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Rule 130901000 (Auto): RATELIMIT PASS ICMPv6 parameter problem erroneous header
Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Rule 130901100 (Auto): RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130901200 (Auto): RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130901300 (Auto): RATELIMIT PASS ICMPv6 router solicitation
Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130901400 (Auto): RATELIMIT PASS ICMPv6 router advertisement
Description: This rule passes ICMPv6 router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130901500 (Auto): RATELIMIT PASS ICMPv6 neighbor solicitation
Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130901600 (Auto): RATELIMIT PASS ICMPv6 neighbor advertisement
Description: This rule passes ICMPv6 neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130901700 (Auto): RATELIMIT PASS ICMPv6 inverse neighbor solicitation
Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130901800 (Auto): RATELIMIT PASS ICMPv6 inverse neighbor advertisement
Description: This rule passes ICMPv6 inverse neighbor advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130901900 (Auto): RATELIMIT PASS ICMPv6 listener query
Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130902000 (Auto): RATELIMIT PASS ICMPv6 listener report
Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130902100 (Auto): RATELIMIT PASS ICMPv6 listener done
Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130902200 (Auto): RATELIMIT PASS ICMPv6 listener report v2
Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130902300 (Auto): RATELIMIT PASS ICMPV6 multicast router advertisement
Description: This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130902400 (Auto): RATELIMIT PASS ICMPV6 multicast router solicitation
Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130902500 (Auto): RATELIMIT PASS ICMPV6 multicast router advertisement
Description: This rule passes ICMPv6 multicast router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130902600 (Auto): RATELIMIT PASS ICMP ping responses
Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Rule 130902700 (Auto): RATELIMIT PASS ICMP router advertisement
Description: This rule passes ICMP router advertisements if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Rule 130902800 (Auto): RATELIMIT PASS ICMP router solicitation
Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Rule 130902900 (Auto): RATELIMIT PASS ICMP time exceeded
Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Rule 130903000 (Auto): RATELIMIT PASS ICMP parameter problem
Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Rule 130903100 (Auto): RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 30 sec); Packets per second (default = 50)

Rule 130903200 (Auto): RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Rule 130903300 (Auto): RATELIMIT PASS ICMP protocol unreachable
Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Rule 130903400 (Auto): RATELIMIT ICMP port unreachable
Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 10); Drop interval (default = 10 sec); Packets per second (default = 50)

Rule 130903500 (Auto): RATELIMIT PASS ICMP fragmentation needed
Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
Enable/Disable condition: Always enabled
Parameters: Events per second (default = 1); Drop interval (default = 10 sec); Packets per second (default = 50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | N/A | |
| 140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet. |
| 140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet. |
| 140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default=0) | |
| 140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default=0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default=0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default=0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default=0) | This is a catch-all rule that drops anything that does not match any other rules in the system. |

HA Support

The following table lists the auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and the Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18: HA Support Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | N/A | |
| 140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | N/A | |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs in custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using a semicolon as the separator.
• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using a semicolon as the separator.
• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.
• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:

  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.
• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.
• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
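The evaluation order these templates describe (blacklist drop before rate limiting, whitelist pass before rate limiting, then the per-source Packets per second and Drop interval check, with Events per second throttling only the logging), as an added Python model written for this page; it is not Infoblox code, and the documentation addresses, the one-second counting window and the per-rule log throttle are assumptions of the model, not details the guide states.

```python
import ipaddress
from collections import defaultdict


class RateLimitPass:
    """Model of the RATELIMIT PASS / RATELIMITED IP semantics in these tables:
    a source's packets pass while it stays at or under Packets per second; once it
    sends more than that within one second, everything from that source is dropped
    for Drop interval seconds.  Events per second only throttles how many of those
    drops are logged.  The 1-second counting window is an assumption of this model.
    """

    def __init__(self, packets_per_second=5, drop_interval=30.0, events_per_second=1):
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.eps = events_per_second
        self._count = defaultdict(int)   # (source, 1-second window) -> packets seen
        self._blocked_until = {}         # source -> time at which its block expires
        self._logged = defaultdict(int)  # window -> events already logged in it
        self.log = []                    # (time, source) drop events that were logged

    def evaluate(self, src, now):
        window = int(now)
        if self._blocked_until.get(src, -1.0) > now:
            self._record(src, now, window)          # still inside the Drop interval
            return "DROP"
        self._count[(src, window)] += 1
        if self._count[(src, window)] > self.pps:   # "over this value" starts the block
            self._blocked_until[src] = now + self.drop_interval
            self._record(src, now, window)
            return "DROP"
        return "PASS"

    def _record(self, src, now, window):
        # Events per second: log at most that many events for this rule per second.
        if self._logged[window] < self.eps:
            self._logged[window] += 1
            self.log.append((now, src))


class UdpDnsPolicy:
    """Evaluation order described under Custom Rule Templates for UDP traffic:
    BLACKLIST IP UDP drops before rate limiting, WHITELIST IP UDP passes before
    rate limiting, and the RATELIMITED IP UDP rule decides everything else."""

    def __init__(self, blacklist=(), whitelist=(), rate_rule=None):
        # Entries are hosts or address/CIDR networks, as the templates accept.
        self.blacklist = [ipaddress.ip_network(n, strict=False) for n in blacklist]
        self.whitelist = [ipaddress.ip_network(n, strict=False) for n in whitelist]
        self.rate_rule = rate_rule or RateLimitPass()

    def decide(self, src, now):
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in self.blacklist):
            return "DROP:blacklist"
        if any(addr in net for net in self.whitelist):
            return "PASS:whitelist"
        return self.rate_rule.evaluate(src, now) + ":ratelimit"


def run_trace(policy, trace):
    """Apply the policy to (seconds, source) packets in time order and return the
    verdicts grouped by source."""
    verdicts = defaultdict(list)
    for t, src in sorted(trace):
        verdicts[src].append(policy.decide(src, t))
    return dict(verdicts)


def demo(packets_per_second=5):
    """Constructed traffic using documentation addresses, not real hosts."""
    nat_egress = "198.51.100.7"   # one NAT'd site: many clients behind one source IP
    forwarder = "203.0.113.10"    # static forwarder placed on the whitelist
    attacker = "192.0.2.9"        # lies inside a blacklisted network
    trace = [(i / 10, nat_egress) for i in range(8)]      # 8 lookups within 1 second
    trace += [(10.0, nat_egress), (31.0, nat_egress)]      # during and after the block
    trace += [(i / 20, forwarder) for i in range(20)]      # 20 lookups within 1 second
    trace += [(0.5, attacker)]
    policy = UdpDnsPolicy(blacklist=["192.0.2.0/24"], whitelist=[forwarder],
                          rate_rule=RateLimitPass(packets_per_second, drop_interval=30.0))
    return run_trace(policy, trace), policy.rate_rule.log


if __name__ == "__main__":
    # The default of 5 pps blocks the NAT'd site for 30 s; the ~100 pps the tuning
    # comments suggest for NAT'd environments lets the same burst through.
    for pps in (5, 100):
        results, log = demo(pps)
        print(f"Packets per second = {pps}")
        for src, verdicts in results.items():
            print(f"  {src:<14} {' '.join(verdicts)}")
        print(f"  logged drop events: {log}")
```

Running it shows why the tables recommend a higher Packets per second for NAT'd sites, static forwarders and VPN concentrators: at the default of 5, the sixth lookup in one second from the shared source IP drops it for the whole 30-second interval, and only one log event per second records it.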


use the EDNS0 DNS protocol extension as a means to enable larger DNS responses. Many network operators, particularly overseas, allow open DNS resolvers to run on their networks, unwittingly allowing attackers to abuse them. Many network operators do provide intelligent rate-limiting to prevent abuse even while supporting open recursive DNS servers. Hence, issues of this type usually result from mistakes in configuration.

The following table lists the system and auto rules that are used to mitigate DNS amplification and reflection attacks on your advanced appliance.

Table H12: DNS Amplification and Reflection Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400100 | Auto | WARN & DROP DoS DNS possible reflection/amplification attack attempts | This rule warns if any source IP sends UDP DNS packets that contain possible reflection/amplification attacks. If the rate exceeds the Packets per second value, the appliance blocks all such traffic from this source IP for the Drop interval. Note that this rule applies when the query is "ANY". | Enabled by default | Packets per second (default = 5); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value (approximately 100) for NAT'd environments, static forwarders and VPN concentrators. |
| 130400500 | System | RATE LIMIT PASS UDP DNS root requests with additional RRs | This rule passes UDP DNS root requests that contain additional resource records until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | |
| 130400600 | System | RATE LIMIT PASS UDP DNS root requests | This rule passes UDP DNS root requests until the traffic hits the Packets per second value. It then blocks subsequent UDP DNS root requests for the Drop interval. | Disabled by default | Packets per second (default = 500); Drop interval (default = 5 seconds); Events per second (default = 1) | Consider tuning Packets per second to a higher value for NAT'd environments, static forwarders and VPN concentrators. |

NTP

The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following NTP requests and responses: NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs and "ANY" ACLs.

Table H13: NTP Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when the NTP client is enabled | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | |
| 130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when the NTP client is disabled | Events per second (default=1) | |


| 200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for a time period that is specified in Drop Interval. | Enabled when NTP service is enabled on this member | Events per second (default = 1) | |
| 200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |


| 200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for a time specified in Drop Interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for a time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 60 seconds); Events per second (default = 1) | |
| 200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member | Events per second (default=1) | |
| 200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member | Events per second (default=1) | |
| 200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member | Events per second (default=1) | |
| 200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member | Events per second (default=1) | |


BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14: BGP Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130700100 | AUTO | DROP BGP header length shorter than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is shorter than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default=1) | |
| 130700200 | AUTO | DROP BGP header length longer than spec | When BGP is enabled, this rule drops TCP BGP packets that contain a message header length that is longer than the RFC specification. | Enabled when BGP service on this member is configured | Events per second (default=1) | |
| 130700300 | AUTO | DROP BGP spoofed connection reset attempts | When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset. | This rule is enabled when BGP service on this member is configured | Events per second (default=1) | |
| 130700400 | AUTO | DROP BGP invalid type 0 | When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0. | This rule is enabled when BGP service on this member is configured | Events per second (default=1) | |
| 130700500 | AUTO | DROP BGP invalid type bigger than 5 | When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5. | This rule is enabled when BGP service on this member is configured | Events per second (default=1) | |
| 130700550 | AUTO | RATELIMIT PASS BGP IPv4 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10) | |
| 130700600 | Auto | RATELIMIT PASS BGP allowed with IPv4 peer | This rule passes TCP BGP route advertisement to IPv4 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv4 peers | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10) | |
| 130700650 | AUTO | RATELIMIT PASS BGP IPv6 peer TCP connection attempts | This rule passes TCP BGP route advertisement connection attempts from IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10) | |


| 130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10) | |
| 130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured | Events per second (default=1) | This rule is exclusive with the other BGP rules, based on whether BGP is configured on the member or not. |

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15: OSPF Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured | Events per second (default=1) | Default drop rule for all packets on the OSPF service port. |
| 130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4 | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100) | |
| 130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6 | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100) | |
| 130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | This rule works for both IPv4 and IPv6. |


ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16: ICMP Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | Events per second (default=1) | |
| 130900100 | Auto | RATE LIMIT PASS ICMP Ping | This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping | This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) | |
| 130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100) | |
| 130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |
| 130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |


| 130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | This rule passes ICMPv6 router advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | This rule passes ICMPv6 neighbor advertisement packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |
| 130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | This rule passes ICMPv6 inverse neighbor advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) | |


130901900  Auto  RATELIMIT PASS ICMPv6 listener query
    Description: Passes ICMPv6 listener query messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
    Description: Passes ICMPv6 listener report messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
    Description: Passes ICMPv6 listener done messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
    Description: Passes ICMPv6 listener report v2 messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902300  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
    Description: Passes ICMPv6 multicast router advertisement messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902400  Auto  RATELIMIT PASS ICMPv6 multicast router solicitation
    Description: Passes ICMPv6 multicast router solicitation messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902500  Auto  RATELIMIT PASS ICMPv6 multicast router advertisement
    Description: Passes ICMPv6 multicast router advertisement messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
    Description: Passes ICMP ping responses while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)


130902700  Auto  RATELIMIT PASS ICMP router advertisement
    Description: Passes ICMP router advertisement messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
    Description: Passes ICMP router solicitation messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
    Description: Passes ICMP time exceeded messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
    Description: Passes ICMP parameter problem messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
    Description: Passes ICMPv6 Hop Limit Exceeded messages and ICMPv4 Network Unreachable messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=30 sec); Packets per second (default=50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
    Description: Passes ICMPv6 fragment reassembly time exceeded messages and ICMPv4 host unreachable messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
    Description: Passes ICMP protocol unreachable messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

130903400  Auto  RATELIMIT ICMP port unreachable
    Description: Passes ICMP port unreachable messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=10); Drop interval (default=10 sec); Packets per second (default=50)


130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
    Description: Passes ICMP fragmentation needed messages while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Always enabled
    Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules in this table are enabled by default.

Table H17 Default Pass/Drop Rules

100000050  System  EARLY PASS TCP with flowbits set
    Description: This rule passes TCP traffic that has the flowbits option set and marked OK.
    Enable condition: Enabled by default
    Parameters: N/A

140000100  System  DROP UDP DNS unexpected
    Description: This rule drops any unexpected UDP DNS packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default=1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
    Description: This rule drops any unexpected TCP DNS packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default=1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, the packet is most likely an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
    Description: This rule passes all packets on established TCP connections.
    Enable condition: Enabled by default
    Parameters: Events per second (default=0)

140000500  System  DROP TCP unexpected
    Description: This rule drops any unexpected TCP packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This rule drops any TCP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000600  System  DROP UDP unexpected
    Description: This rule drops any unexpected UDP packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This rule drops any UDP packet on any port. If this rule is triggered, the packet is most likely not intended for services on this member.

140000700  System  DROP ICMP unexpected
    Description: This rule drops any unexpected ICMP packets.
    Enable condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This rule drops any ICMP packet. If this rule is triggered, the packet is most likely not intended for services on this member.

140000800  System  DROP unexpected protocol
    Description: This rule drops packets of any unexpected protocol.
    Enable condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This is a catch-all rule that drops anything that does not match any other rule in the system.


HA Support

The following table lists the auto rules that pass Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) packets for HA (High Availability) support.

Table H18 HA Support Rules

140000750  Auto  PASS VRRP
    Description: This rule passes VRRP packets for HA support.
    Enable condition: Enabled if HA is configured
    Parameters: N/A

140000760  Auto  PASS IGMP
    Description: This rule passes IGMP packets for HA support.
    Enable condition: Enabled if HA is configured
    Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs in custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using a semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using a semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  — Drop interval: Enter the number of seconds for which the appliance drops packets.
  — Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops lookups for this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups from the IP address or network defined in this rule. The default is 5.
  — Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the TCP traffic of DNS lookups from this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups from the IP address or network defined in this rule. The default is 5.
  — Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the UDP traffic of DNS lookups from this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops packets based on the rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets are allowed before any relevant rate limiting rules take effect.
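The following is an added example, not Infoblox code: a small model of how the rule parameters used throughout this guide interact. Packets per second and Drop interval implement the per-source RATELIMIT PASS behaviour that every ICMP, NTP, BGP and OSPF rate-limit row above describes; Events per second only throttles how often a rule is logged and never changes a pass/drop decision; the custom-rule templates are applied in whitelist, blacklist, rate-limit, default order, with FQDNs normalised to punycode because custom rules do not accept IDNs. The matching order, the one-second sliding window and the boundary (the N-th packet passes, the N+1-th trips the block) are assumptions about the appliance, not documented facts, and every address, name and timestamp is constructed.

```python
"""Model of Advanced DNS Protection rule parameters (added example).
Assumptions: rule order whitelist > blacklist > rate limit > default pass,
sliding 1-second window, Packets-per-second-th packet passes, next one
trips the Drop interval.  All traffic is constructed."""
import ipaddress
from collections import defaultdict, deque


def to_punycode(fqdn: str) -> str:
    """Custom rules do not accept IDNs: hold and match names as lowercase
    punycode (A-labels), which is what the IDN Converter produces."""
    return fqdn.rstrip(".").encode("idna").decode("ascii").lower()


class EventLog:
    """'Events per second': at most N log entries per rule per second.
    A suppressed entry does not change the pass/drop decision."""
    def __init__(self, events_per_second: int):
        self.limit, self.count, self.lines = events_per_second, defaultdict(int), []

    def log(self, rule: str, now: float, msg: str) -> None:
        key = (rule, int(now))
        if self.count[key] < self.limit:
            self.count[key] += 1
            self.lines.append(f"{now:.1f} {rule}: {msg}")


class RateLimit:
    """RATELIMIT semantics keyed on a source IP (or an FQDN): more than
    Packets per second inside a sliding 1-second window blocks that key
    for Drop interval seconds."""
    def __init__(self, packets_per_second: int, drop_interval: float):
        self.pps, self.drop_interval = packets_per_second, drop_interval
        self.window, self.blocked_until = defaultdict(deque), {}

    def allow(self, key: str, now: float) -> bool:
        if self.blocked_until.get(key, 0.0) > now:
            return False
        q = self.window[key]
        while q and now - q[0] >= 1.0:      # drop timestamps older than 1 s
            q.popleft()
        q.append(now)
        if len(q) > self.pps:               # pps-th passes, pps+1-th blocks
            self.blocked_until[key] = now + self.drop_interval
            q.clear()
            return False
        return True


class UdpDnsRules:
    """One UDP DNS query through the custom-rule templates of this section.
    Addresses/names are constructed; pps=5 and drop interval=30 are the
    template defaults the guide states."""
    def __init__(self, log: EventLog):
        self.log = log
        self.whitelist = [ipaddress.ip_network("192.0.2.0/24")]        # WHITELIST IP UDP
        self.blacklist_ip = [ipaddress.ip_network("198.51.100.7/32")]  # BLACKLIST IP UDP
        self.blacklist_fqdn = {to_punycode("bücher.example")}          # BLACKLIST FQDN lookup UDP
        self.limited_fqdn = {to_punycode("flood.example")}             # RATELIMITED FQDN lookup UDP
        self.fqdn_limit = RateLimit(packets_per_second=5, drop_interval=30)
        self.limited_net = [ipaddress.ip_network("203.0.113.0/24")]    # RATELIMITED IP UDP
        self.ip_limit = RateLimit(packets_per_second=5, drop_interval=30)

    def decide(self, src: str, qname: str, now: float) -> str:
        ip, name = ipaddress.ip_address(src), to_punycode(qname)
        if any(ip in n for n in self.whitelist):
            return "PASS"                                   # pass prior to rate limiting
        if any(ip in n for n in self.blacklist_ip):
            self.log.log("BLACKLIST IP UDP", now, f"drop {src}")
            return "DROP"                                   # drop prior to rate limiting
        if name in self.blacklist_fqdn:
            self.log.log("BLACKLIST FQDN lookup UDP", now, f"drop {src} {name}")
            return "DROP"
        if name in self.limited_fqdn and not self.fqdn_limit.allow(name, now):
            self.log.log("RATELIMITED FQDN lookup UDP", now, f"drop {src} {name}")
            return "DROP"
        if any(ip in n for n in self.limited_net) and not self.ip_limit.allow(src, now):
            self.log.log("RATELIMITED IP UDP", now, f"drop {src}")
            return "DROP"
        return "PASS"                                       # on to the system DNS rules


def run_scenarios() -> dict:
    """Constructed traffic; returns the decision sequence per scenario."""
    log = EventLog(events_per_second=1)
    rules = UdpDnsRules(log)
    q = rules.decide
    out = {
        # whitelisted source floods but is passed before any rate limit
        "whitelist": [q("192.0.2.10", "a.example", 10.0 + i * 0.05) for i in range(8)],
        "blacklist_ip": q("198.51.100.7", "a.example", 10.0),
        # IDN typed with uppercase and a trailing dot still hits the punycode entry
        "blacklist_idn": q("203.0.113.5", "BÜCHER.example.", 10.0),
        # 7 lookups of the rate-limited name within one second: 5 pass, 2 drop
        "fqdn_limit": [q("203.0.113.9", "flood.example", 20.0 + i * 0.1) for i in range(7)],
        # still blocked 29 s after the trip at 20.5, released at 30 s
        "fqdn_after": [q("203.0.113.9", "flood.example", 49.5), q("203.0.113.9", "flood.example", 50.5)],
        # another source inside the rate-limited network trips the IP limit instead
        "ip_limit": [q("203.0.113.20", "b.example", 30.0 + i * 0.1) for i in range(7)],
    }
    out["log"] = log.lines            # 5 lines: repeated drops in one second are logged once
    return out
```

Note how the two drops at 20.5 and 20.6 produce a single log line because Events per second is 1, while both packets are still dropped; when tuning, raise Events per second to see every hit, and raise Packets per second to let more traffic through.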

NTP

200001001  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
    Enable/Disable condition: Enabled when the NTP service is enabled on this member
    Parameters: Events per second (default=1)

200001005  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
    Enable/Disable condition: Enabled when the NTP service is enabled on this member
    Parameters: Events per second (default=1)

200001010  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
    Enable/Disable condition: Enabled when the NTP service is enabled on this member
    Parameters: Events per second (default=1)

200001015  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
    Enable/Disable condition: Enabled when the NTP service is enabled on this member
    Parameters: Events per second (default=1)

200001020  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
    Enable/Disable condition: Enabled when the NTP service is enabled on this member
    Parameters: Events per second (default=1)

200001025  Auto  DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03
    Description: When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop Interval.
    Enable/Disable condition: Enabled when the NTP service is enabled on this member
    Parameters: Events per second (default=1)

200001050  Auto  RATELIMIT PASS NTPQ IPv4 requests
    Description: This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default=10); Drop interval (default=60 seconds); Events per second (default=1)

200001055  Auto  RATELIMIT PASS NTP TIME IPv4 requests
    Description: This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default=10); Drop interval (default=60 seconds); Events per second (default=1)

200001060  Auto  RATELIMIT PASS NTP private mode IPv4 requests
    Description: This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default=10); Drop interval (default=60 seconds); Events per second (default=1)

200001065  Auto  RATELIMIT PASS NTPQ IPv6 requests
    Description: This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop Interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default=10); Drop interval (default=60 seconds); Events per second (default=1)

200001070  Auto  RATELIMIT PASS NTP TIME IPv6 requests
    Description: This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is enabled.
    Parameters: Packets per second (default=10); Drop interval (default=60 seconds); Events per second (default=1)

200001075  Auto  RATELIMIT PASS NTP private mode IPv6 requests
    Description: This rule passes UDP NTP private mode 7 requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval.
    Enable/Disable condition: Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled and this rule is disabled.
    Parameters: Packets per second (default=10); Drop interval (default=60 seconds); Events per second (default=1)

200001100  Auto  DROP NTPQ requests unexpected
    Description: When the NTP service is disabled, this rule drops all UDP NTPQ requests.
    Enable/Disable condition: Enabled when the NTP service is disabled on this member
    Parameters: Events per second (default=1)

200001105  Auto  DROP NTP TIME requests unexpected
    Description: When the NTP service is disabled, this rule drops all UDP NTP TIME requests.
    Enable/Disable condition: Enabled when the NTP service is disabled on this member
    Parameters: Events per second (default=1)

200001110  Auto  DROP NTP private mode requests unexpected
    Description: When the NTP service is disabled, this rule drops all UDP NTP private mode 7 requests.
    Enable/Disable condition: Enabled when the NTP service is disabled on this member
    Parameters: Events per second (default=1)

200001115  Auto  DROP invalid NTP requests
    Description: When the NTP service is disabled, this rule drops all invalid UDP NTP requests.
    Enable/Disable condition: Enabled when the NTP service is disabled on this member
    Parameters: Events per second (default=1)
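The following is an added example, not Infoblox or ntpd code. It classifies NTP datagrams into the three request classes the NTP rules above distinguish (mode 3 time requests, mode 6 ntpq control requests, mode 7 private requests) and, for mode 7, decodes the authentication bit, implementation and request code so that an unauthenticated GET_RESTRICT, PEER_LIST_SUM or PEER_LIST request against IMPL 0x02 or 0x03, the signatures the DOS rules 200001001 to 200001025 name, can be recognised in a capture. Field layout and the numeric implementation and request codes are taken from the ntpd reference implementation's ntp_request.h and ntp_control.h, not from this guide; rule IDs are the ones in the table above; ACL state (which decides whether a RATELIMIT PASS row is active) is ignored; all sample packets are constructed.

```python
"""NTP datagram classifier for the NTP rule table (added example).
Codes below are from ntpd's ntp_request.h / ntp_control.h, an assumption
outside this guide.  Packets are constructed."""

MODE_CLIENT, MODE_CONTROL, MODE_PRIVATE = 3, 6, 7
IMPL_NAMES = {0x02: "IMPL_XNTPD_OLD", 0x03: "IMPL_XNTPD"}
REQ_NAMES = {0: "PEER_LIST", 1: "PEER_LIST_SUM", 16: "GET_RESTRICT",
             20: "MON_GETLIST", 42: "MON_GETLIST_1"}
# (request, implementation) pairs named by DOS rules 200001001-200001025
DOS_RULES = {("GET_RESTRICT", 0x02): "200001001", ("GET_RESTRICT", 0x03): "200001005",
             ("PEER_LIST_SUM", 0x02): "200001010", ("PEER_LIST_SUM", 0x03): "200001015",
             ("PEER_LIST", 0x02): "200001020", ("PEER_LIST", 0x03): "200001025"}
DROP_WHEN_DISABLED = {"NTPQ": "200001100 DROP NTPQ requests unexpected",
                      "NTP TIME": "200001105 DROP NTP TIME requests unexpected",
                      "NTP private mode": "200001110 DROP NTP private mode requests unexpected"}


def classify(pkt: bytes) -> dict:
    """First byte of every NTP packet: LI(2) VN(3) Mode(3).  Mode 7 then has
    auth|seq, implementation and request bytes (8-byte header); mode 6 has a
    12-byte control header; a mode 3 time request is at least 48 bytes."""
    if not pkt:
        return {"class": "invalid", "reason": "empty datagram"}
    version, mode = (pkt[0] >> 3) & 0x7, pkt[0] & 0x7
    if mode == MODE_PRIVATE:
        if len(pkt) < 8:
            return {"class": "invalid", "reason": "mode 7 header truncated"}
        return {"class": "NTP private mode", "version": version,
                "authenticated": bool(pkt[1] & 0x80),          # auth bit of auth_seq
                "impl": pkt[2], "request": REQ_NAMES.get(pkt[3], f"req_{pkt[3]}")}
    if mode == MODE_CONTROL:
        if len(pkt) < 12:
            return {"class": "invalid", "reason": "mode 6 header truncated"}
        return {"class": "NTPQ", "version": version, "opcode": pkt[1] & 0x1F}
    if mode == MODE_CLIENT:
        if len(pkt) < 48:
            return {"class": "invalid", "reason": "time request shorter than 48 bytes"}
        return {"class": "NTP TIME", "version": version}
    return {"class": "invalid", "reason": f"mode {mode} is not a request class the rules name"}


def rule_for(pkt: bytes, ntp_enabled: bool) -> str:
    """Name the rule from the table above that the datagram matches first."""
    info = classify(pkt)
    cls = info["class"]
    if not ntp_enabled:
        return DROP_WHEN_DISABLED.get(cls, "200001115 DROP invalid NTP requests")
    if cls == "NTP private mode" and not info["authenticated"]:
        rule = DOS_RULES.get((info["request"], info["impl"]))
        if rule:   # the rule fires on frequency; this only shows the signature matched
            return (f"{rule} DOS Possible NTP DDoS Inbound Frequent Un-Authed "
                    f"{info['request']} Requests IMPL 0x{info['impl']:02x}")
    if cls == "invalid":
        return "no NTP rule above matches"
    return f"RATELIMIT PASS {cls} (if the matching ACL rule is enabled)"


# Constructed datagrams: 0x1b = v3 mode 3, 0x16 = v2 mode 6, 0x17 = v2 mode 7
SAMPLES = {
    "time_request": b"\x1b" + b"\x00" * 47,
    "ntpq_readvar": b"\x16\x02" + b"\x00" * 10,
    "monlist_unauth": b"\x17\x00\x03\x2a" + b"\x00" * 4,
    "get_restrict_impl2": b"\x17\x00\x02\x10" + b"\x00" * 4,
    "peer_list_sum_authed": b"\x17\x80\x03\x01" + b"\x00" * 4,
    "truncated": b"\x1b\x00\x00",
}
```

Run `rule_for(SAMPLES["get_restrict_impl2"], ntp_enabled=True)` to see the 200001001 signature; the same datagram with the service disabled is reported under 200001110, since the DROP ... unexpected rules replace the DOS and RATELIMIT rules when NTP is off.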

BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGP is enabled.

Table H14 BGP Rules

130700100  Auto  DROP BGP header length shorter than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is shorter than the RFC specification.
    Enable/Disable condition: Enabled when the BGP service on this member is configured
    Parameters: Events per second (default=1)

130700200  Auto  DROP BGP header length longer than spec
    Description: When BGP is enabled, this rule drops TCP BGP packets whose message header length is longer than the RFC specification.
    Enable/Disable condition: Enabled when the BGP service on this member is configured
    Parameters: Events per second (default=1)

130700300  Auto  DROP BGP spoofed connection reset attempts
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain a spoofed connection reset.
    Enable/Disable condition: Enabled when the BGP service on this member is configured
    Parameters: Events per second (default=1)

130700400  Auto  DROP BGP invalid type 0
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain the invalid message type 0.
    Enable/Disable condition: Enabled when the BGP service on this member is configured
    Parameters: Events per second (default=1)

130700500  Auto  DROP BGP invalid type bigger than 5
    Description: When BGP is enabled, this rule drops TCP BGP packets that contain an invalid message type greater than 5.
    Enable/Disable condition: Enabled when the BGP service on this member is configured
    Parameters: Events per second (default=1)

130700550  Auto  RATELIMIT PASS BGP IPv4 peer TCP connection attempts
    Description: When BGP is enabled, this rule passes TCP BGP route advertisement connection attempts from IPv4 peers while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Enabled when the BGP service on this member is configured with IPv4 peers
    Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

130700600  Auto  RATELIMIT PASS BGP allowed with IPv4 peer
    Description: When BGP is enabled, this rule passes TCP BGP route advertisements to IPv4 peers while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Enabled when the BGP service on this member is configured with IPv4 peers
    Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

130700650  Auto  RATELIMIT PASS BGP IPv6 peer TCP connection attempts
    Description: When BGP is enabled, this rule passes TCP BGP route advertisement connection attempts from IPv6 peers while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Enabled when the BGP service on this member is configured with IPv6 peers
    Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

130700700  Auto  RATELIMIT PASS BGP allowed with IPv6 peer
    Description: When BGP is enabled, this rule passes TCP BGP route advertisements to IPv6 peers while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: Enabled when the BGP service on this member is configured with IPv6 peers
    Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=10)

130800100  Auto  DROP BGP unexpected
    Description: When BGP is not configured on this member, this rule drops all TCP BGP packets.
    Enable/Disable condition: This rule takes effect when the BGP service on this member is NOT configured
    Parameters: Events per second (default=1)
    Comments: This rule is exclusive with the other BGP rules: which set applies depends on whether BGP is configured on the member.

OSPF

The following table lists the auto rules that are used to mitigate OSPF attacks on your advanced appliance. The default drop rule applies when OSPF is not configured on the member; the rate-limit rules apply when it is.

Table H15 OSPF Rules

130900300  Auto  DROP OSPF unexpected
    Description: This rule drops unexpected OSPF packets.
    Enable/Disable condition: This rule takes effect when the OSPF service on this member is NOT configured
    Parameters: Events per second (default=1)
    Comments: Default drop rule for all packets on the OSPF service port.

130900400  Auto  RATELIMIT PASS OSPF multicast
    Description: Passes OSPF IPv4 multicast packets while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: This rule takes effect when the OSPF service on this member is configured for IPv4
    Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=100)

130900500  Auto  RATELIMIT PASS OSPF IPv6 multicast
    Description: Passes OSPF IPv6 multicast packets while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: This rule takes effect when the OSPF service on this member is configured for IPv6
    Parameters: Events per second (default=1); Drop interval (default=60 sec); Packets per second (default=100)

130900600  Auto  RATELIMIT PASS OSPF
    Description: Passes OSPF packets while the rate from a source IP is below the Packets per second value; a source that exceeds it has all such traffic blocked for the time specified in Drop interval.
    Enable/Disable condition: This rule takes effect when the OSPF service on this member is configured
    Parameters: Events per second (default=1); Drop interval (default=10 sec); Packets per second (default=50)
    Comments: This rule works for both IPv4 and IPv6.
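The following is an added example, not Infoblox code: the header checks behind the BGP DROP rules 130700100 to 130700500 in Table H14, written against the RFC 4271 message header (16-octet all-ones marker, 2-octet length that must be between 19 and 4096, 1-octet type; types 1 to 4 come from RFC 4271 and type 5, ROUTE-REFRESH, from RFC 2918), together with a header sanity check for OSPF that tells OSPFv2 (IPv4, RFC 2328, 24-byte header) from OSPFv3 (IPv6, RFC 5340, 16-byte header), the split on which the two OSPF multicast rules in Table H15 are keyed. The OSPF check is added here as a capture-triage aid and is not a behaviour the OSPF rules document; the rule 130700300 spoofed-reset check needs TCP state and is not modelled; all packets are constructed.

```python
"""BGP / OSPF header checks mirroring the DROP rules above (added example).
BGP limits and types are RFC 4271 / RFC 2918; OSPF header sizes are
RFC 2328 (v2) / RFC 5340 (v3).  Packets are constructed."""
import struct

BGP_MARKER = b"\xff" * 16
BGP_MIN_LEN, BGP_MAX_LEN = 19, 4096
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}
OSPF_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
              4: "Link State Update", 5: "Link State Acknowledgment"}
OSPF_HEADER_LEN = {2: 24, 3: 16}    # OSPFv2 runs over IPv4, OSPFv3 over IPv6


def check_bgp(msg: bytes) -> str:
    """Return 'pass (<type>)' or the rule ID/name that would drop the message.
    BGP runs over TCP, so the caller must hand in a reassembled message that
    starts at a header boundary; fewer than 19 bytes is simply incomplete."""
    if len(msg) < BGP_MIN_LEN:
        return "incomplete header (need 19 bytes from the TCP stream)"
    if msg[:16] != BGP_MARKER:
        return "marker not all ones (RFC 4271 6.1; no rule above covers this)"
    length, mtype = struct.unpack("!HB", msg[16:19])
    if length < BGP_MIN_LEN:
        return "130700100 DROP BGP header length shorter than spec"
    if length > BGP_MAX_LEN:
        return "130700200 DROP BGP header length longer than spec"
    if mtype == 0:
        return "130700400 DROP BGP invalid type 0"
    if mtype > 5:
        return "130700500 DROP BGP invalid type bigger than 5"
    return f"pass ({BGP_TYPES[mtype]})"


def check_ospf(pkt: bytes) -> str:
    """Return 'pass (OSPFv<n> <type>)' or the reason the packet is malformed."""
    if len(pkt) < 4:
        return "invalid: shorter than the version/type/length fields"
    version, ptype, length = pkt[0], pkt[1], struct.unpack("!H", pkt[2:4])[0]
    hdr_len = OSPF_HEADER_LEN.get(version)
    if hdr_len is None:
        return f"invalid: OSPF version {version}"
    if ptype not in OSPF_TYPES:
        return f"invalid: OSPF type {ptype}"
    if length < hdr_len or length > len(pkt):
        return f"invalid: packet length {length} outside [{hdr_len}, {len(pkt)}]"
    return f"pass (OSPFv{version} {OSPF_TYPES[ptype]})"


def bgp_message(length: int, mtype: int, marker: bytes = BGP_MARKER) -> bytes:
    """Construct a BGP header whose length/type fields claim the given values
    (the body is omitted: the rules above check the header fields only)."""
    return marker + struct.pack("!HB", length, mtype)


def ospf_packet(version: int, ptype: int, length: int) -> bytes:
    """Construct an OSPF packet with a zero body padded to `length` bytes."""
    return bytes([version, ptype]) + struct.pack("!H", length) + b"\x00" * (length - 4)
```

A quick way to read the output: `check_bgp(bgp_message(4097, 2))` names rule 130700200, `check_bgp(bgp_message(19, 6))` names 130700500, and a valid 19-byte KEEPALIVE returns `pass (KEEPALIVE)`.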

ICMP

ICMP is used by network devices such as routers to send error messages when a requested service is not available or the remote host cannot be reached. Attackers abuse it in ping floods, ping-of-death attacks and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

130400200  Auto  DROP ICMP large packets
    Description: This rule drops large ICMP packets (bigger than 800).
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1)

130900100  Auto  RATE LIMIT PASS ICMP Ping
    Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130900200  Auto  RATE LIMIT PASS ICMPv6 Ping
    Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130900700  Auto  RATE LIMIT PASS ICMPv6 destination unreachable
    Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100)

130900800  Auto  RATE LIMIT PASS ICMPv6 packet too big
    Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100)

130900900  Auto  RATE LIMIT PASS ICMPv6 ping responses
    Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130901000  Auto  RATE LIMIT PASS ICMPv6 parameter problem erroneous header
    Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)


130901100  Auto  RATE LIMIT PASS ICMPv6 parameter problem unrecognized next header
    Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901200  Auto  RATE LIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
    Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901300  Auto  RATE LIMIT PASS ICMPv6 router solicitation
    Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901400  Auto  RATE LIMIT PASS ICMPv6 router advertisement
    Description: This rule passes ICMPv6 router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901500  Auto  RATE LIMIT PASS ICMPv6 neighbor solicitation
    Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901600  Auto  RATE LIMIT PASS ICMPv6 neighbor advertisement
    Description: This rule passes ICMPv6 neighbor advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901700  Auto  RATE LIMIT PASS ICMPv6 inverse neighbor solicitation
    Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901800  Auto  RATE LIMIT PASS ICMPv6 inverse neighbor advertisement
    Description: This rule passes ICMPv6 inverse neighbor advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)


130901900  Auto  RATE LIMIT PASS ICMPv6 listener query
    Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902000  Auto  RATE LIMIT PASS ICMPv6 listener report
    Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902100  Auto  RATE LIMIT PASS ICMPv6 listener done
    Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902200  Auto  RATE LIMIT PASS ICMPv6 listener report v2
    Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902300  Auto  RATE LIMIT PASS ICMPv6 multicast router advertisement
    Description: This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902400  Auto  RATE LIMIT PASS ICMPv6 multicast router solicitation
    Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902500  Auto  RATE LIMIT PASS ICMPv6 multicast router advertisement
    Description: This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902600  Auto  RATE LIMIT PASS ICMP ping responses
    Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)


130902700  Auto  RATE LIMIT PASS ICMP router advertisement
    Description: This rule passes ICMP router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902800  Auto  RATE LIMIT PASS ICMP router solicitation
    Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902900  Auto  RATE LIMIT PASS ICMP time exceeded
    Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903000  Auto  RATE LIMIT PASS ICMP parameter problem
    Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903100  Auto  RATE LIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
    Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130903200  Auto  RATE LIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
    Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903300  Auto  RATE LIMIT PASS ICMP protocol unreachable
    Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903400  Auto  RATE LIMIT ICMP port unreachable
    Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50)


130903500  Auto  RATE LIMIT PASS ICMP fragmentation needed
    Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
    Enable/Disable Condition: Always enabled
    Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

Rule ID  Rule Type  Rule Name  Description  Enable Condition  Parameters  Comments

100000050  System  EARLY PASS TCP with flowbits set
    Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
    Enable Condition: Enabled by default
    Parameters: N/A

140000100  System  DROP UDP DNS unexpected
    Description: This rule drops any unexpected UDP DNS packets.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
    Description: This rule drops any unexpected TCP DNS packets.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=1)
    Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
    Description: This rule passes all TCP established packets.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=0)

140000500  System  DROP TCP unexpected
    Description: This rule drops any unexpected TCP packets.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600  System  DROP UDP unexpected
    Description: This rule drops any unexpected UDP packets.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700  System  DROP ICMP unexpected
    Description: This rule drops any unexpected ICMP packets.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800  System  DROP unexpected protocol
    Description: This rule drops any unexpected protocol packets.
    Enable Condition: Enabled by default
    Parameters: Events per second (default=0)
    Comments: This is a catch-all rule that drops anything that does not match any other rules in the system.


HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

Rule ID  Rule Type  Rule Name  Description  Enable Condition  Parameters  Comments

140000750  Auto  PASS VRRP
    Description: This rule passes packets that go through VRRP for HA support.
    Enable Condition: Enabled if HA is configured
    Parameters: N/A

140000760  Auto  PASS IGMP
    Description: This rule passes packets that go through IGMP for HA support.
    Enable Condition: Enabled if HA is configured
    Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:

  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:

  — Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

  — Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:


  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.

  — Drop interval: Enter the number of seconds for which the appliance drops packets.

  — Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

  — Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:

  — Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.

  — Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.

  — Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:

  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:

  — Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
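The per-source rate-limit behaviour that the RATE LIMIT PASS rules and the RATELIMITED templates describe, together with the "prior to rate limiting" precedence of the WHITELIST and BLACKLIST IP templates, as an added simulation that is not Infoblox code. It models the Packets per second, Drop interval and Events per second parameters; the one-second measurement window, the evaluation order whitelist, then blacklist, then rate limit, and the sample addresses and timestamps are assumptions made for the demo.

```python
"""Simulation of the rate-limit and pass/drop precedence described above.

Added example, not Infoblox code.  Assumptions (not stated on the page):
packet rate is measured per source IP over fixed one-second windows,
WHITELIST and BLACKLIST IP rules are checked before the RATELIMITED IP
rule, and the addresses and timestamps below are constructed for the demo.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network


class RateLimitPassRule:
    """RATE LIMIT PASS semantics: a source passes while it stays within
    Packets per second; once it exceeds that value in a window, everything
    from that source is dropped until Drop interval seconds have elapsed."""

    def __init__(self, name, packets_per_second, drop_interval, events_per_second=1):
        self.name = name
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.events_per_second = events_per_second  # logged events allowed per second
        self._window = {}                           # src -> current one-second window
        self._count = defaultdict(int)              # src -> packets seen in that window
        self._blocked_until = {}                    # src -> time the block expires
        self._log_window = None
        self._logged = 0
        self.log = []                               # throttled event log

    def _emit(self, ts, msg):
        # Events per second: cap how many events this rule logs per second
        if self._log_window != int(ts):
            self._log_window, self._logged = int(ts), 0
        if self._logged < self.events_per_second:
            self._logged += 1
            self.log.append(f"{ts:.2f} {self.name}: {msg}")

    def evaluate(self, src, ts):
        until = self._blocked_until.get(src)
        if until is not None and ts < until:
            return "DROP"                           # still inside Drop interval
        if self._window.get(src) != int(ts):        # a new one-second window started
            self._window[src] = int(ts)
            self._count[src] = 0
        self._count[src] += 1
        if self._count[src] > self.pps:             # over Packets per second
            self._blocked_until[src] = ts + self.drop_interval
            self._emit(ts, f"{src} exceeded {self.pps} pps, dropped for {self.drop_interval}s")
            return "DROP"
        return "PASS"


class Policy:
    """Assumed evaluation order for the custom templates: WHITELIST IP (pass
    prior to rate limiting), BLACKLIST IP (drop prior to rate limiting),
    then the RATELIMITED IP rule."""

    def __init__(self, whitelist, blacklist, rate_rule):
        self.whitelist = [ip_network(n) for n in whitelist]   # address/CIDR entries
        self.blacklist = [ip_network(n) for n in blacklist]
        self.rate_rule = rate_rule

    def evaluate(self, src, ts):
        addr = ip_address(src)
        if any(addr in n for n in self.whitelist):
            return "PASS", "WHITELIST IP"
        if any(addr in n for n in self.blacklist):
            return "DROP", "BLACKLIST IP"
        return self.rate_rule.evaluate(src, ts), self.rate_rule.name


def simulate(policy, packets):
    """packets: iterable of (timestamp, source_ip); returns (ts, src, verdict, rule)."""
    return [(ts, src, *policy.evaluate(src, ts)) for ts, src in packets]


def demo():
    """Constructed traffic: one source bursting past the limit, a whitelisted
    burst, a blacklisted source, then the burst source returning inside and
    after the Drop interval.  Returns (verdict rows, throttled log)."""
    rule = RateLimitPassRule("RATELIMITED IP UDP", packets_per_second=5,
                             drop_interval=30, events_per_second=1)
    policy = Policy(whitelist=["192.0.2.0/24"], blacklist=["198.51.100.0/24"],
                    rate_rule=rule)
    packets = [(i * 0.1, "203.0.113.7") for i in range(8)]   # 8 packets in one second
    packets += [(1.0, "192.0.2.10")] * 20                    # whitelisted burst
    packets += [(1.1, "198.51.100.9")]                       # blacklisted source
    packets += [(20.0, "203.0.113.7"), (31.0, "203.0.113.7")]  # inside / after interval
    return simulate(policy, packets), rule.log


if __name__ == "__main__":
    rows, log = demo()
    for row in rows:
        print(row)
    print(log)
```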


Rule ID

Rule

Type

Rule Name Description

EnableDisable

Condition

Parameters Comments
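Every RATELIMIT PASS rule in the BGP and OSPF tables above is parameterised the same way: a per-source Packets per second threshold, a Drop interval during which a source that crossed the threshold is blocked outright, and an Events per second cap on how many log entries the rule produces. The following Python model is an added example, not Infoblox code. It assumes a one-second sliding window per source, that the packet which takes a source over the threshold is the one that starts the block, and that packets dropped during the block do not extend it (the guide does not spell out the appliance's exact counting). The traffic is constructed, using the 50 pps / 10 sec defaults shown for rule 130900600 and addresses from the 192.0.2.0/24 documentation range.

```python
from collections import defaultdict, deque


class RateLimitPassRule:
    """Model of a RATELIMIT PASS rule (added example, not Infoblox code).

    A source may send up to packets_per_second packets in any one-second
    sliding window; the packet that takes it over that count starts a block,
    and every packet from that source is dropped until drop_interval seconds
    have passed.  Log entries for the rule are capped at events_per_second.
    The sliding window and the "first packet over the count" trigger are
    assumptions; the guide does not describe the appliance's exact counting.
    """

    def __init__(self, name, packets_per_second, drop_interval, events_per_second=1):
        self.name = name
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.eps = events_per_second
        self._window = defaultdict(deque)   # src -> arrival times within the last second
        self._blocked_until = {}            # src -> time at which its drop interval ends
        self._log_times = deque()           # times of log entries emitted in the last second
        self.log = []                       # (time, message) entries that were actually logged

    def _emit(self, t, msg):
        """Log msg unless events_per_second entries were already logged in the last second."""
        while self._log_times and t - self._log_times[0] >= 1.0:
            self._log_times.popleft()
        if len(self._log_times) < self.eps:
            self._log_times.append(t)
            self.log.append((t, msg))

    def handle(self, src, t):
        """Return 'PASS' or 'DROP' for one packet from src arriving at time t (seconds)."""
        until = self._blocked_until.get(src)
        if until is not None:
            if t < until:
                return "DROP"               # still inside the drop interval
            del self._blocked_until[src]    # interval over: the source starts with a clean window
            self._window[src].clear()
        win = self._window[src]
        while win and t - win[0] >= 1.0:    # slide the one-second window forward
            win.popleft()
        win.append(t)
        if len(win) > self.pps:             # rate is no longer below Packets per second
            self._blocked_until[src] = t + self.drop_interval
            self._emit(t, "%s: %s exceeded %d pps, dropping for %ds"
                       % (self.name, src, self.pps, self.drop_interval))
            return "DROP"
        return "PASS"


def simulate(rule, packets):
    """Feed (time, src) packets through rule in time order; return PASS/DROP counts per source."""
    counts = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for t, src in sorted(packets):
        counts[src][rule.handle(src, t)] += 1
    return {src: dict(c) for src, c in counts.items()}


def demo():
    """Constructed traffic (not captured data) against rule 130900600's defaults."""
    rule = RateLimitPassRule("130900600 RATELIMIT PASS OSPF", packets_per_second=50, drop_interval=10)
    packets = [(i / 20, "192.0.2.10") for i in range(20)]      # 20 pps: always passes
    packets += [(i / 80, "192.0.2.20") for i in range(80)]     # 80 pps: the 51st packet trips the rule
    packets += [(5.0, "192.0.2.20"), (12.0, "192.0.2.20")]     # inside and after the 10 s drop interval
    return simulate(rule, packets), rule.log


if __name__ == "__main__":
    counts, log = demo()
    for src, c in counts.items():
        print(src, c)
    for t, msg in log:
        print("%.3f %s" % (t, msg))
```

The model makes the tuning trade-off visible: a source that crosses the threshold is dropped for the whole Drop interval even if it slows down immediately, so lowering Packets per second makes a rule trip sooner, while raising Drop interval lengthens the outage for any legitimate host that shares a source address (for example behind NAT) with an abusive one. The Events per second cap keeps a flood from turning into a log flood, which is why the second source tripping the rule within the same second produces no additional entry.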

ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

Columns: Rule ID, Type, Rule Name, Description, Enable/Disable Condition, Parameters, Comments

130400200  Auto  DROP ICMP large packets
  Description: This rule drops large ICMP packets (bigger than 800).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1)

130900100  Auto  RATE LIMIT PASS ICMP Ping
  Description: This rule passes ICMP ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130900200  Auto  RATE LIMIT PASS ICMPv6 Ping
  Description: This rule passes ICMPv6 ping packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130900700  Auto  RATELIMIT PASS ICMPv6 destination unreachable
  Description: This rule passes ICMPv6 Destination Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100)

130900800  Auto  RATELIMIT PASS ICMPv6 packet too big
  Description: This rule passes ICMPv6 Packet Too Big messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=100)

130900900  Auto  RATELIMIT PASS ICMPv6 ping responses
  Description: This rule passes ICMPv6 ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130901000  Auto  RATELIMIT PASS ICMPv6 parameter problem erroneous header
  Description: This rule passes ICMPv6 Erroneous Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130901100  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized next header
  Description: This rule passes ICMPv6 Unrecognized Next Header messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901200  Auto  RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option
  Description: This rule passes ICMPv6 Unrecognized IPv6 Option messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901300  Auto  RATELIMIT PASS ICMPv6 router solicitation
  Description: This rule passes ICMPv6 router solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901400  Auto  RATELIMIT PASS ICMPv6 router advertisement
  Description: This rule passes ICMPv6 router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901500  Auto  RATELIMIT PASS ICMPv6 neighbor solicitation
  Description: This rule passes ICMPv6 neighbor solicitation packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901600  Auto  RATELIMIT PASS ICMPv6 neighbor advertisement
  Description: This rule passes ICMPv6 neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901700  Auto  RATELIMIT PASS ICMPv6 inverse neighbor solicitation
  Description: This rule passes ICMPv6 inverse neighbor solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901800  Auto  RATELIMIT PASS ICMPv6 inverse neighbor advertisement
  Description: This rule passes ICMPv6 inverse neighbor advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130901900  Auto  RATELIMIT PASS ICMPv6 listener query
  Description: This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902000  Auto  RATELIMIT PASS ICMPv6 listener report
  Description: This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902100  Auto  RATELIMIT PASS ICMPv6 listener done
  Description: This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902200  Auto  RATELIMIT PASS ICMPv6 listener report v2
  Description: This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902300  Auto  RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902400  Auto  RATELIMIT PASS ICMPV6 multicast router solicitation
  Description: This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902500  Auto  RATELIMIT PASS ICMPV6 multicast router advertisement
  Description: This rule passes ICMPv6 multicast router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130902600  Auto  RATELIMIT PASS ICMP ping responses
  Description: This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902700  Auto  RATELIMIT PASS ICMP router advertisement
  Description: This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
  Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
  Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
  Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
  Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903400  Auto  RATELIMIT ICMP port unreachable
  Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50)

130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
  Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments

100000050  System  EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
  Enable Condition: Enabled by default
  Parameters: N/A

140000100  System  DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
  Description: This rule passes all TCP established packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)

140000500  System  DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600  System  DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700  System  DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800  System  DROP unexpected protocol
  Description: This rule drops any unexpected protocol packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This is a catch-all rule that drops anything that does not match any other rules in the system.

HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments

140000750  Auto  PASS VRRP
  Description: This rule passes packets that go through VRRP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

140000760  Auto  PASS IGMP
  Description: This rule passes packets that go through IGMP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into puny codes. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
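The template names encode their precedence: WHITELIST rules pass "prior to rate limiting", BLACKLIST rules drop "prior to rate limiting", and only then do the RATELIMITED templates apply their Packets per second and Drop interval check. The following Python evaluator is an added example, not Infoblox code or the appliance's own matching logic. It assumes that ordering, exact matching of the query name against the Blacklisted FQDN list (whether subdomains of a listed name are covered is not stated above), and the address/CIDR and semicolon-separated formats described for the rule parameters. The rule set and the queries are constructed from documentation address ranges, and the IDN in the FQDN list is converted to punycode in the way the Note above requires.

```python
import ipaddress


def normalize_fqdn(name):
    """Canonical form for comparing a query name with a rule's FQDN parameter:
    surrounding whitespace and trailing dot removed, IDN labels converted to
    punycode (custom rules must hold punycode, not raw IDNs), then lower-cased."""
    return name.strip().rstrip(".").encode("idna").decode("ascii").lower()


def parse_fqdn_list(value):
    """The Blacklisted FQDN parameter takes one FQDN or several separated by semicolons."""
    return {normalize_fqdn(n) for n in value.split(";") if n.strip()}


def parse_network(value):
    """IP parameters take an IPv4/IPv6 address or an address/CIDR network; a bare
    address becomes a single-host network so both forms compare the same way."""
    return ipaddress.ip_network(value.strip(), strict=False)


# Constructed custom rules (template name, transport, rule-parameter value); the
# template names are the ones listed above, the values use documentation ranges.
# The order follows what the template names state: whitelist PASSes and blacklist
# DROPs apply "prior to rate limiting", so RATELIMITED rules are consulted last.
CUSTOM_RULES = [
    ("WHITELIST IP TCP Pass prior to rate limiting", "TCP", "192.0.2.0/24"),
    ("BLACKLIST IP TCP Drop prior to rate limiting", "TCP", "198.51.100.7"),
    ("BLACKLIST IP UDP Drop prior to rate limiting", "UDP", "2001:db8:bad::/48"),
    ("BLACKLIST FQDN lookup UDP", "UDP", "bad.example; Bücher.example."),
    ("RATELIMITED IP TCP", "TCP", "203.0.113.0/24"),
    ("RATELIMITED FQDN lookup UDP", "UDP", "hot.example"),
]


def evaluate(rules, transport, src_ip, qname):
    """Walk the custom rule chain for one DNS query and return (action, template).

    PASS and DROP are final.  RATELIMIT means the query is handed to that rule's
    Packets per second / Drop interval check.  SYSTEM means no custom rule matched
    and the auto and system rules decide.  Exact-match FQDN comparison is an
    assumption; the guide does not say whether subdomains of a listed FQDN match."""
    src = ipaddress.ip_address(src_ip)
    q = normalize_fqdn(qname)
    for template, proto, value in rules:
        if proto != transport:
            continue
        if "FQDN" in template:
            matched = q in parse_fqdn_list(value)
        else:
            matched = src in parse_network(value)   # False when the IP versions differ
        if not matched:
            continue
        if template.startswith("WHITELIST"):
            return "PASS", template
        if template.startswith("BLACKLIST"):
            return "DROP", template
        return "RATELIMIT", template
    return "SYSTEM", None


if __name__ == "__main__":
    # Constructed queries: (transport, source address, query name)
    for query in [("TCP", "192.0.2.5", "bad.example"),
                  ("TCP", "198.51.100.7", "www.example"),
                  ("UDP", "2001:db8:bad::1", "www.example"),
                  ("UDP", "203.0.113.9", "BÜCHER.example."),
                  ("TCP", "203.0.113.9", "www.example"),
                  ("UDP", "203.0.113.9", "www.example")]:
        print(query, "->", evaluate(CUSTOM_RULES, *query))
```

The first query shows why the ordering matters: 192.0.2.5 is whitelisted on TCP, so it passes before any blacklist or rate-limit rule sees it, which is the intended use of a "Pass prior to rate limiting" rule for known-good resolvers but also means a whitelist entry silently exempts that source from every RATELIMITED rule on the same transport. A source that matches no custom rule falls through to the auto and system rules, ending at the DROP unexpected protocol catch-all in Table H17 if nothing else claims it.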

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 3030

Page 21: Threat Protection Rules 6.12

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2130

BGP

NIOS 612 NIOS Administrator Guide (Rev A) 1517

BGP

The following table lists the auto rules that are used to mitigate BGP attacks on your advanced appliance when BGPis enabled

Table H14 BGP Rules

Rule ID

Rule

Type

Rule Name Description

EnableDisable

Condition

Parameters Comments

130700100 AUTO DROP BGP headerlength shorter thanspec

When BGP is enabled this ruledrops TCP BGP packets thatcontain message headerlength that is shorter than theRFC specification

Enabled whenBGP service onthis member isconfigured

Events per second (default=1)

130700200 AUTO DROP BGP headerlength longer than spec

When BGP is enabled this ruledrops TCP BGP packets thatcontain message headerlength that is longer than theRFC specification

Enabled whenBGP service onthis member isconfigured

Events per second (default=1)

130700300 AUTO DROP BGP spoofedconnection reset

attempts

When BGP is enabled this ruledrops TCP BGP packets that

contain spoofed connectionreset

This rule isenabled when

BGP service onthis member isconfigured

Events per second (default=1)

130700400 AUTO DROP BGP invalid type0

When BGP is enabled this ruledrops TCP BGP packets thatcontain invalid message type0

This rule isenabled whenBGP service onthis member isconfigured

Events per second (default=1)

130700500 AUTO DROP BGP invalid typebigger than 5

When BGP is enabled this ruledrops TCP BGP packets thatcontain invalid message typegreater than 5

This rule isenabled whenBGP service onthis member isconfigured

Events per second (default=1)

130700550 AUTO RATELIMIT PASS BGPIPv4 peer TCPconnection attempts

This rule passes TCP BGP routeadvertisement connectionattempts from IPv4 peers

when BGP is enabled and ifthe packet rate is less than thePackets per second value Ifany source IP sends packetsover this value the applianceblocks all such traffic from thissource IP for a certain periodof time (specified in Drop

interval )

This rule isenabled whenBGP service on

this member isconfigured withIPv4 peers

Events per second (default=1)

Drop Interval

(default=60 sec)Packets per second (default=10)

130700600 Auto RATELIMIT PASS BGPallowed with IPv4 peer

This rule passes TCP BGP routeadvertisement to IPv4 peerswhen BGP is enabled and ifthe packet rate is less than thePackets per second value Ifany source IP sends packetsover this value the applianceblocks all such traffic from thissource IP for a certain period

of time (specified in Drop

interval

This rule isenabled whenBGP service onthis member isconfigured withIPv4 peers

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=10)

130700650 AUTO RATELIMIT PASS BGPIPv6 peer TCPconnection attempts

This rule passes TCP BGP routeadvertisement connectionattempts from IPv6 peerswhen BGP is enabled and ifthe packet rate is less than thePackets per second value Ifany source IP sends packetsover this value the applianceblocks all such traffic from thissource IP for a certain periodof time (specified in Drop

interval

This rule isenabled whenBGP service onthis member isconfigured withIPv6 peers

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=10)

BGP Rules (continued)

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130700700 | Auto | RATELIMIT PASS BGP allowed with IPv6 peer | This rule passes TCP BGP route advertisement to IPv6 peers when BGP is enabled and if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | This rule is enabled when BGP service on this member is configured with IPv6 peers. | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=10) | |
| 130800100 | Auto | DROP BGP unexpected | When BGP is enabled, this rule drops unexpected TCP BGP packets. | This rule takes effect when BGP service on this member is NOT configured. | Events per second (default=1) | This rule is exclusive with other rules based on whether BGP is configured on the member or not. |

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF is not in use.

Table H15 OSPF Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130900300 | Auto | DROP OSPF unexpected | This rule drops unexpected OSPF packets. | This rule takes effect when OSPF service on this member is NOT configured. | Events per second (default=1) | Default drop rule for all packets on the OSPF service port. |
| 130900400 | Auto | RATELIMIT PASS OSPF multicast | This rule passes OSPF IPv4 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv4. | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100) | |
| 130900500 | Auto | RATELIMIT PASS OSPF IPv6 multicast | This rule passes OSPF IPv6 multicast packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured for IPv6. | Events per second (default=1); Drop Interval (default=60 sec); Packets per second (default=100) | |
| 130900600 | Auto | RATELIMIT PASS OSPF | This rule passes OSPF packets if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | This rule takes effect when OSPF service on this member is configured. | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | This rule works for both IPv4 and IPv6. |

ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death attacks, and smurf attacks.

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance.

Table H16 ICMP Rules

All rules in this table are always enabled. Each RATELIMIT PASS rule passes the listed packets if the packet rate is less than the Packets per second value; if any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for the time specified in Drop interval. The three parameter columns give the default values of Events per second, Drop Interval, and Packets per second.

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Events per second (default) | Drop Interval (default) | Packets per second (default) |
|---|---|---|---|---|---|---|---|
| 130400200 | Auto | DROP ICMP large packets | This rule drops large ICMP packets (bigger than 800). | Always enabled | 1 | | |
| 130900100 | Auto | RATE LIMIT PASS ICMP Ping | Rate-limited pass for ICMP ping packets. | Always enabled | 1 | 10 sec | 50 |
| 130900200 | Auto | RATE LIMIT PASS ICMPv6 Ping | Rate-limited pass for ICMPv6 ping packets. | Always enabled | 1 | 10 sec | 50 |
| 130900700 | Auto | RATELIMIT PASS ICMPv6 destination unreachable | Rate-limited pass for ICMPv6 Destination Unreachable messages. | Always enabled | 1 | 30 sec | 100 |
| 130900800 | Auto | RATELIMIT PASS ICMPv6 packet too big | Rate-limited pass for ICMPv6 Packet Too Big messages. | Always enabled | 1 | 30 sec | 100 |
| 130900900 | Auto | RATELIMIT PASS ICMPv6 ping responses | Rate-limited pass for ICMPv6 ping responses. | Always enabled | 1 | 10 sec | 50 |
| 130901000 | Auto | RATELIMIT PASS ICMPv6 parameter problem erroneous header | Rate-limited pass for ICMPv6 Erroneous Header messages. | Always enabled | 1 | 10 sec | 50 |
| 130901100 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized next header | Rate-limited pass for ICMPv6 Unrecognized Next Header messages. | Always enabled | 1 | 30 sec | 50 |
| 130901200 | Auto | RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option | Rate-limited pass for ICMPv6 Unrecognized IPv6 Option messages. | Always enabled | 1 | 30 sec | 50 |
| 130901300 | Auto | RATELIMIT PASS ICMPv6 router solicitation | Rate-limited pass for ICMPv6 router solicitation packets. | Always enabled | 1 | 30 sec | 50 |
| 130901400 | Auto | RATELIMIT PASS ICMPv6 router advertisement | Rate-limited pass for ICMPv6 router advertisement. | Always enabled | 1 | 30 sec | 50 |
| 130901500 | Auto | RATELIMIT PASS ICMPv6 neighbor solicitation | Rate-limited pass for ICMPv6 neighbor solicitation packets. | Always enabled | 1 | 30 sec | 50 |
| 130901600 | Auto | RATELIMIT PASS ICMPv6 neighbor advertisement | Rate-limited pass for ICMPv6 neighbor advertisement. | Always enabled | 1 | 30 sec | 50 |
| 130901700 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor solicitation | Rate-limited pass for ICMPv6 inverse neighbor solicitation messages. | Always enabled | 1 | 30 sec | 50 |
| 130901800 | Auto | RATELIMIT PASS ICMPv6 inverse neighbor advertisement | Rate-limited pass for ICMPv6 inverse neighbor advertisement. | Always enabled | 1 | 30 sec | 50 |
| 130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | Rate-limited pass for ICMPv6 listener query messages. | Always enabled | 1 | 30 sec | 50 |
| 130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | Rate-limited pass for ICMPv6 listener report messages. | Always enabled | 1 | 30 sec | 50 |
| 130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | Rate-limited pass for ICMPv6 listener done messages. | Always enabled | 1 | 30 sec | 50 |
| 130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | Rate-limited pass for ICMPv6 listener report v2 messages. | Always enabled | 1 | 30 sec | 50 |
| 130902300 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement | Rate-limited pass for ICMPv6 multicast router advertisement. | Always enabled | 1 | 30 sec | 50 |
| 130902400 | Auto | RATELIMIT PASS ICMPV6 multicast router solicitation | Rate-limited pass for ICMPv6 multicast router solicitation messages. | Always enabled | 1 | 30 sec | 50 |
| 130902500 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement | Rate-limited pass for ICMPv6 multicast router advertisement. | Always enabled | 1 | 30 sec | 50 |
| 130902600 | Auto | RATELIMIT PASS ICMP ping responses | Rate-limited pass for ICMP ping responses. | Always enabled | 1 | 10 sec | 50 |
| 130902700 | Auto | RATELIMIT PASS ICMP router advertisement | Rate-limited pass for ICMP router advertisement. | Always enabled | 1 | 10 sec | 50 |
| 130902800 | Auto | RATELIMIT PASS ICMP router solicitation | Rate-limited pass for ICMP router solicitation messages. | Always enabled | 1 | 10 sec | 50 |
| 130902900 | Auto | RATELIMIT PASS ICMP time exceeded | Rate-limited pass for ICMP time exceeded messages. | Always enabled | 1 | 10 sec | 50 |
| 130903000 | Auto | RATELIMIT PASS ICMP parameter problem | Rate-limited pass for ICMP parameter problems. | Always enabled | 1 | 10 sec | 50 |
| 130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | Rate-limited pass for ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages. | Always enabled | 1 | 30 sec | 50 |
| 130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | Rate-limited pass for ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages. | Always enabled | 1 | 10 sec | 50 |
| 130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | Rate-limited pass for ICMP protocol unreachable messages. | Always enabled | 1 | 10 sec | 50 |
| 130903400 | Auto | RATELIMIT ICMP port unreachable | Rate-limited pass for ICMP port unreachable messages. | Always enabled | 10 | 10 sec | 50 |
| 130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | Rate-limited pass for ICMP fragmentation needed messages. | Always enabled | 1 | 10 sec | 50 |

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

| Rule ID | Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | NA | |
| 140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet. |
| 140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet. |
| 140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default=0) | |
| 140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default=0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default=0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default=0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default=0) | This is a catch-all rule that drops anything that does not match any other rules in the system. |

HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

| Rule ID | Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | NA | |
| 140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | NA | |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address based on the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
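The RATELIMIT PASS rules in the OSPF and ICMP tables and the RATELIMITED IP templates above all describe the same per-source mechanism: a Packets per second threshold, a Drop interval during which an offending source is blocked, and an Events per second cap on logging, with WHITELIST and BLACKLIST IP rules acting "prior to rate limiting". The following Python model is an added example for this page; it is not Infoblox code and not taken from the guide. The class names, the one-second sliding window, the strict "less than" boundary, the whitelist-before-blacklist ordering, and the constructed traffic (RFC 5737 documentation addresses) are all assumptions of the example; the threshold values used (5 packets per second, 30-second drop interval for RATELIMITED IP UDP; 50 and 10 seconds for ICMP Ping) are the defaults the guide lists.

```python
"""Per-source rate limiting with a drop interval, modelled on the RATELIMIT PASS
rules in this appendix and on the BLACKLIST / WHITELIST / RATELIMITED IP custom
rule templates.  Added example, not Infoblox code."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

PASS, DROP = "PASS", "DROP"


class RateLimitRule:
    """Pass a source's packets while its rate is less than packets_per_second;
    once a source reaches that value, drop everything from it for drop_interval
    seconds.  The guide gives the thresholds but not the counting method, so the
    one-second sliding window and the strict 'less than' boundary are assumptions
    of this example."""

    def __init__(self, name, packets_per_second, drop_interval, events_per_second=1):
        self.name = name
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.events_per_second = events_per_second
        self.window = defaultdict(deque)  # src -> timestamps seen in the last second
        self.blocked_until = {}           # src -> time at which its block expires
        self.events = []                  # (t, src) log entries actually emitted
        self._log_times = deque()         # timestamps of emitted entries

    def _log(self, t, src):
        # Events per second caps how many log entries the rule emits per second;
        # it does not change which packets are dropped.
        while self._log_times and t - self._log_times[0] >= 1.0:
            self._log_times.popleft()
        if len(self._log_times) < self.events_per_second:
            self._log_times.append(t)
            self.events.append((t, src))

    def handle(self, t, src):
        """Return PASS or DROP for one packet from src at time t (seconds)."""
        until = self.blocked_until.get(src)
        if until is not None and t < until:
            return DROP                    # still inside the drop interval
        q = self.window[src]
        while q and t - q[0] >= 1.0:
            q.popleft()                    # forget packets older than one second
        q.append(t)
        if len(q) >= self.pps:             # rate is no longer "less than" the limit
            self.blocked_until[src] = t + self.drop_interval
            self._log(t, src)
            return DROP
        return PASS


class CustomPolicy:
    """WHITELIST IP (pass prior to rate limiting) and BLACKLIST IP (drop prior to
    rate limiting) are consulted before the RATELIMITED IP rule.  The guide does
    not say which of the two is checked first; whitelist-first is this example's
    assumption."""

    def __init__(self, whitelist, blacklist, ratelimit_rule):
        self.whitelist = [ip_network(n) for n in whitelist]  # address/CIDR strings
        self.blacklist = [ip_network(n) for n in blacklist]
        self.ratelimit = ratelimit_rule

    def decide(self, t, src):
        addr = ip_address(src)
        if any(addr in n for n in self.whitelist):
            return PASS, "WHITELIST IP"
        if any(addr in n for n in self.blacklist):
            return DROP, "BLACKLIST IP"
        return self.ratelimit.handle(t, src), self.ratelimit.name


def simulate(policy, packets):
    """Run (t, src) packets through the policy; return {(src, verdict): count}."""
    counts = defaultdict(int)
    for t, src in sorted(packets):
        verdict, _rule = policy.decide(t, src)
        counts[(src, verdict)] += 1
    return dict(counts)


def demo():
    """Constructed traffic against the RATELIMITED IP UDP defaults from the guide
    (Packets per second 5, Drop interval 30 seconds)."""
    rl = RateLimitRule("RATELIMITED IP UDP", packets_per_second=5, drop_interval=30)
    policy = CustomPolicy(whitelist=["192.0.2.0/24"],
                          blacklist=["203.0.113.7/32"], ratelimit_rule=rl)
    packets = [(i * 0.1, "198.51.100.9") for i in range(8)]      # burst: 8 pkts in 0.8 s
    packets += [(10.0, "198.51.100.9"), (40.0, "198.51.100.9")]  # retry inside / after block
    packets += [(i * 0.1, "192.0.2.5") for i in range(8)]        # same burst, whitelisted
    packets += [(0.5, "203.0.113.7")]                             # blacklisted source
    return simulate(policy, packets), rl


if __name__ == "__main__":
    counts, rule = demo()
    for key in sorted(counts):
        print(key, counts[key])
    print("log entries emitted:", rule.events)
```

Running `demo()` shows the three behaviours side by side: the unlisted source passes four packets, is blocked on the fifth, stays blocked at 10 s and passes again at 40 s; the whitelisted source sends the same burst and is never counted; the blacklisted source is dropped before the rate limiter sees it. Only one log entry is emitted for the whole burst because the block is recorded once and Events per second throttles further entries.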

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 3030

Page 22: Threat Protection Rules 6.12

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2230

1518 NIOS Administrator Guide (Rev A) NIOS 612

OSPF

The following table lists auto rules that are used to mitigate OSPF attacks on your advanced appliance when OSPF isnot in use

Table H15 OSPF Rules

130700700 Auto RATELIMIT PASS BGPallowed with IPv6 peer

This rule passes TCP BGP routeadvertisement to IPv6 peerswhen BGP is enabled and ifthe packet rate is less than thePackets per second value Ifany source IP sends packetsover this value the appliance

blocks all such traffic from thissource IP for a certain periodof time (specified in Drop

interval )

This rule isenabled whenBGP service onthis member isconfigured withIPv6 peers

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=10)

130800100 Auto DROP BGP unexpected When BGP is enabled this ruledrops unexpected TCP BGPpackets

This rule takeseffect when BGPservice on thismember is NOT configured

Events per second (default=1)

This rule is exclusive withother rules based onwhether BGP is configuredon the member or not

Rule ID

Rule

Type

Rule Name Description

Enable

Condition

Parameters Comments

130900300 Auto DROP OSPFunexpected

This rule drops unexpectedOSPF packets

This rule takeseffect when OSPFservice on thismember is NOT configured

Events per second (default=1)

Default drop rule for allpackets on the OSPF serviceport

130900400 Auto RATELIMIT PASS OSPFmulticast

This rule passes OSPF IPv4multicast packets if the packetrate is less than the Packets

per second value If anysource IP sends packets overthis value the applianceblocks all such traffic from thissource IP for a time specifiedin Drop interval

This rule takeseffect when OSPFservice on thismember isconfigured forIPv4

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=100)

130900500 Auto RATELIMIT PASS OSPFIPv6 multicast

This rule passes OSPF IPv6multicast packets if the packetrate is less than the Packets

per second value If anysource IP sends packets overthis value the applianceblocks all such traffic from thissource IP for a time specifiedin Drop interval

This rule takeseffect when OSPFservice on thismember isconfigured forIPv6

Events per second (default=1)

Drop Interval (default=60 sec)

Packets per second (default=100)

130900600 Auto RATELIMIT PASS OSPF This rule passes OSPF packetsif the packet rate is less thanthe Packets per second valueIf any source IP sends packetsover this value the applianceblocks all such traffic from thissource IP for a time specifiedin Drop interval

This rule takeseffect when OSPFservice on thismember isconfigured

Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

This rule works for both IPv4and IPv6

Rule ID

Rule

Type

Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2330

ICMP

NIOS 612 NIOS Administrator Guide (Rev A) 1519

ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not availableor the remote server cannot be reached Examples of ICMP attacks include ping floods ping-of-death attacks andsmurf attacks

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance

Table H16 ICMP Rules

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

130400200 Auto DROP ICMP largepackets

This rule drops large ICMPpackets (bigger than800)

Always enabled Events per second (default=1)

130900100 Auto RATE LIMIT PASS ICMPPing

This rule passes ICMP pingpackets if the packet rate is lessthan the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130900200 Auto RATE LIMIT PASS ICMPv6Ping

This rule passes ICMPv6 pingpackets if the packet rate is lessthan the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130900700 Auto RATELIMIT PASS ICMPv6destinationunreachable

This rule passes ICMPv6Destination Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=100)

130900800 Auto RATELIMIT PASS ICMPv6packet too big

This rule passes ICMPv6 PacketToo Big messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=100)

130900900 Auto RATELIMIT PASS ICMPv6ping responses

This rule passes ICMPv6 pingresponses if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130901000 Auto RATELIMIT PASS ICMPv6parameter problemerroneous header

This rule passes ICMPv6Erroneous Header messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2430

1520 NIOS Administrator Guide (Rev A) NIOS 612

130901100 Auto, RATELIMIT PASS ICMPv6 parameter problem unrecognized next header. Always enabled. Passes ICMPv6 Parameter Problem (Unrecognized Next Header) messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130901200 Auto, RATELIMIT PASS ICMPv6 parameter problem unrecognized IPv6 option. Always enabled. Passes ICMPv6 Parameter Problem (Unrecognized IPv6 Option) messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130901300 Auto, RATELIMIT PASS ICMPv6 router solicitation. Always enabled. Passes ICMPv6 Router Solicitation packets while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130901400 Auto, RATELIMIT PASS ICMPv6 router advertisement. Always enabled. Passes ICMPv6 Router Advertisement packets while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130901500 Auto, RATELIMIT PASS ICMPv6 neighbor solicitation. Always enabled. Passes ICMPv6 Neighbor Solicitation packets while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130901600 Auto, RATELIMIT PASS ICMPv6 neighbor advertisement. Always enabled. Passes ICMPv6 Neighbor Advertisement packets while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130901700 Auto, RATELIMIT PASS ICMPv6 inverse neighbor solicitation. Always enabled. Passes ICMPv6 Inverse Neighbor Solicitation messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130901800 Auto, RATELIMIT PASS ICMPv6 inverse neighbor advertisement. Always enabled. Passes ICMPv6 Inverse Neighbor Advertisement messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).


130901900 Auto, RATELIMIT PASS ICMPv6 listener query. Always enabled. Passes ICMPv6 Multicast Listener Query (MLD) messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130902000 Auto, RATELIMIT PASS ICMPv6 listener report. Always enabled. Passes ICMPv6 Multicast Listener Report (MLD) messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130902100 Auto, RATELIMIT PASS ICMPv6 listener done. Always enabled. Passes ICMPv6 Multicast Listener Done (MLD) messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130902200 Auto, RATELIMIT PASS ICMPv6 listener report v2. Always enabled. Passes ICMPv6 Multicast Listener Report v2 (MLDv2) messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130902300 Auto, RATELIMIT PASS ICMPv6 multicast router advertisement. Always enabled. Passes ICMPv6 Multicast Router Advertisement messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130902400 Auto, RATELIMIT PASS ICMPv6 multicast router solicitation. Always enabled. Passes ICMPv6 Multicast Router Solicitation messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130902500 Auto, RATELIMIT PASS ICMPv6 multicast router advertisement. Always enabled. Passes ICMPv6 Multicast Router Advertisement messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130902600 Auto, RATELIMIT PASS ICMP ping responses. Always enabled. Passes ICMP ping responses (Echo Reply) while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=10 sec). Events per second (default=1).


130902700 Auto, RATELIMIT PASS ICMP router advertisement. Always enabled. Passes ICMP Router Advertisement messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=10 sec). Events per second (default=1).

130902800 Auto, RATELIMIT PASS ICMP router solicitation. Always enabled. Passes ICMP Router Solicitation messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=10 sec). Events per second (default=1).

130902900 Auto, RATELIMIT PASS ICMP time exceeded. Always enabled. Passes ICMP Time Exceeded messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=10 sec). Events per second (default=1).

130903000 Auto, RATELIMIT PASS ICMP parameter problem. Always enabled. Passes ICMP Parameter Problem messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=10 sec). Events per second (default=1).

130903100 Auto, RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable. Always enabled. Passes ICMPv6 Hop Limit Exceeded messages and ICMPv4 Network Unreachable messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=30 sec). Events per second (default=1).

130903200 Auto, RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable. Always enabled. Passes ICMPv6 Fragment Reassembly Time Exceeded messages and ICMPv4 Host Unreachable messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=10 sec). Events per second (default=1).

130903300 Auto, RATELIMIT PASS ICMP protocol unreachable. Always enabled. Passes ICMP Protocol Unreachable messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=10 sec). Events per second (default=1).

130903400 Auto, RATELIMIT ICMP port unreachable. Always enabled. Passes ICMP Port Unreachable messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=10 sec). Events per second (default=10).


130903500 Auto, RATELIMIT PASS ICMP fragmentation needed. Always enabled. Passes ICMP Fragmentation Needed messages while the rate from a source IP stays below Packets per second (default=50); a source that exceeds it has all such traffic dropped for Drop Interval (default=10 sec). Events per second (default=1).

Default Pass/Drop

The following table lists the system rules that pass or drop packets on your advanced appliance. All of these rules are enabled by default (see the Enable Condition of each row). Note that the catch-all drop rules ship with Events per second set to 0, so they drop silently; raise that value when you need to see in the logs what they are dropping.

Table H17 Default Pass/Drop Rules

Each row gives: Rule ID, Rule Type, Rule Name, Enable Condition, Description, Parameters, Comments.

100000050 System, EARLY PASS TCP with flowbits set. Enabled by default. Passes TCP traffic that has the flowbits option set and marked OK. Parameters: N/A.

140000100 System, DROP UDP DNS unexpected. Enabled by default. Drops any unexpected UDP DNS packets. Events per second (default=1). Comment: default drop rule for the DNS service port; if this rule is triggered, the packet is most likely an invalid DNS UDP packet.

140000200 System, DROP TCP DNS unexpected. Enabled by default. Drops any unexpected TCP DNS packets. Events per second (default=1). Comment: default drop rule for the DNS service port; if this rule is triggered, the packet is most likely an invalid DNS TCP packet.

140000400 System, PASS TCP established packets. Enabled by default. Passes all packets belonging to established TCP connections. Events per second (default=0).

140000500 System, DROP TCP unexpected. Enabled by default. Drops any unexpected TCP packets. Events per second (default=0). Comment: drops any TCP packet on any port; if this rule is triggered, the packet is most likely not intended for services on this member.

140000600 System, DROP UDP unexpected. Enabled by default. Drops any unexpected UDP packets. Events per second (default=0). Comment: drops any UDP packet on any port; if this rule is triggered, the packet is most likely not intended for services on this member.

140000700 System, DROP ICMP unexpected. Enabled by default. Drops any unexpected ICMP packets. Events per second (default=0). Comment: drops any ICMP packet not passed by an earlier rule; if this rule is triggered, the packet is most likely not intended for services on this member.

140000800 System, DROP unexpected protocol. Enabled by default. Drops packets of any unexpected protocol. Events per second (default=0). Comment: catch-all rule that drops anything that does not match any other rule in the system.
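Every RATELIMIT PASS rule in Table H16 above follows one mechanism: count packets of the rule's message type per source IP, pass them while the source stays under Packets per second, and once a source exceeds that value drop everything of that type from it for Drop Interval; Events per second caps how many log entries the rule writes per second, and the 0 default on the Table H17 drop rules means no entries at all. The following Python model is an added example, not Infoblox code, that implements that mechanism as the tables describe it. The one-second fixed counting window, the rule name strings and the traffic (two constructed sources from documentation address ranges) are assumptions; the page does not describe the appliance's actual measurement window.

```python
"""Model of an Advanced DNS Protection RATELIMIT PASS rule (added example, not Infoblox code).

Parameters, named as in the rule tables:
  Packets per second  - per-source rate above which the rule stops passing the message type
  Drop Interval       - seconds an offending source stays blocked once it exceeds the rate
  Events per second   - cap on log events the rule emits per second (0 = silent)

Assumption not stated on the page: the rate is measured per source IP over a fixed
one-second window, and up to Packets per second packets in that window pass.
"""
from collections import defaultdict


class RateLimitPassRule:
    def __init__(self, name, packets_per_second, drop_interval, events_per_second=1):
        self.name = name
        self.packets_per_second = packets_per_second
        self.drop_interval = float(drop_interval)
        self.events_per_second = events_per_second
        self._window = {}         # src -> [window second, packets counted in that second]
        self._blocked_until = {}  # src -> time at which its Drop Interval expires
        self._log_window = [None, 0]  # [second, events logged in that second]
        self.log = []             # (time, message) entries that survived the Events per second cap

    def _emit(self, t, msg):
        """Record a log event unless this second's Events per second budget is spent."""
        sec = int(t)
        if self._log_window[0] != sec:
            self._log_window[:] = [sec, 0]
        if self._log_window[1] < self.events_per_second:
            self._log_window[1] += 1
            self.log.append((round(t, 3), msg))

    def handle(self, t, src):
        """Return "PASS" or "DROP" for one packet of the rule's message type from src at time t."""
        # A source still inside its Drop Interval is dropped whatever its current rate.
        until = self._blocked_until.get(src)
        if until is not None:
            if t < until:
                self._emit(t, f"{self.name}: DROP {src} (blocked until {until:.1f})")
                return "DROP"
            del self._blocked_until[src]
        # Count this packet in the source's current one-second window.
        sec = int(t)
        win = self._window.setdefault(src, [sec, 0])
        if win[0] != sec:
            win[:] = [sec, 0]
        win[1] += 1
        # Exceeding Packets per second starts the Drop Interval for this source.
        if win[1] > self.packets_per_second:
            self._blocked_until[src] = t + self.drop_interval
            self._emit(t, f"{self.name}: {src} exceeded {self.packets_per_second} pps, "
                          f"dropping for {self.drop_interval:g}s")
            return "DROP"
        return "PASS"


def simulate(rule, packets):
    """Feed (time, src) packets to the rule in time order; return per-source PASS/DROP counts."""
    stats = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for t, src in sorted(packets):
        stats[src][rule.handle(t, src)] += 1
    return dict(stats)


def demo():
    """Constructed traffic against rule 130902600 (ICMP ping responses: 50 pps, 10 s, 1 event/s)."""
    packets = []
    # 198.51.100.7 replies at 40 pps for three seconds: always under the limit.
    packets += [(s + i / 40, "198.51.100.7") for s in range(3) for i in range(40)]
    # 203.0.113.9 bursts 120 replies in second 0, then trickles 5 pps through second 12.
    packets += [(i / 120, "203.0.113.9") for i in range(120)]
    packets += [(s + i / 5, "203.0.113.9") for s in range(1, 13) for i in range(5)]
    rule = RateLimitPassRule("RATELIMIT PASS ICMP ping responses",
                             packets_per_second=50, drop_interval=10, events_per_second=1)
    return simulate(rule, packets), rule.log


if __name__ == "__main__":
    stats, log = demo()
    print(stats)       # 203.0.113.9: 50 of the burst pass, 62 pass in total, 118 dropped
    for entry in log:  # 11 entries for 118 drops because Events per second is 1
        print(entry)
```

The burst source is blocked from the 51st packet until 10 seconds later, so its low-rate trickle in seconds 1 through 10 is dropped as well: the Drop Interval, not the current rate, decides once a source has tripped the rule. Setting events_per_second=0 reproduces the silent behaviour of the Table H17 drop rules.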


HA Support

The following table lists the auto rules that pass Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) packets for HA (High Availability) support.

Table H18 HA Support Rules

Each row gives: Rule ID, Rule Type, Rule Name, Enable Condition, Description, Parameters.

140000750 Auto, PASS VRRP. Enabled if HA is configured. Passes VRRP packets for HA support. Parameters: N/A.

140000760 Auto, PASS IGMP. Enabled if HA is configured. Passes IGMP packets for HA support. Parameters: N/A.

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows.

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use an IDN in a custom rule, first convert it to Punycode; the IDN Converter on the Toolbar performs this conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules that blacklist DNS queries by FQDN lookup over TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in TCP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules that blacklist DNS queries by FQDN lookup over UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block in UDP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on TCP before any rate limiting rules you have defined with the RATELIMITED IP TCP template are evaluated. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address whose packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on UDP before any rate limiting rules you have defined with the RATELIMITED IP UDP template are evaluated. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address whose packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that rate limit DNS queries by FQDN lookup over UDP. In the Rule Parameters table, complete the following:


  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP traffic consisting of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets once the rate limit is exceeded.
  - Blacklist rate limited FQDN: Enter the FQDN to which the rate limit applies. When UDP DNS lookups for this FQDN exceed the configured rate limit, the appliance drops them.

• RATELIMITED IP TCP: Use this rule template to create custom rules that rate limit TCP traffic from an IP address or network and drop it once the limit is exceeded. If there are certain IP addresses that you want to block before their traffic reaches the rate limit, create a rule with the BLACKLIST IP TCP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of TCP traffic consisting of DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined in this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit applies. When TCP DNS lookups from this address exceed the configured rate limit, the appliance drops its packets for the drop interval.

• RATELIMITED IP UDP: Use this rule template to create custom rules that rate limit UDP traffic from an IP address or network and drop it once the limit is exceeded. If there are certain IP addresses that you want to block before their traffic reaches the rate limit, create a rule with the BLACKLIST IP UDP Drop prior to rate limiting template instead. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP traffic consisting of DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined in this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network to which the rate limit applies. When UDP DNS lookups from this address exceed the configured rate limit, the appliance drops its packets for the drop interval.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on TCP before any rate limiting rules you have defined with the RATELIMITED IP TCP template are evaluated. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address whose packets are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on UDP before any rate limiting rules you have defined with the RATELIMITED IP UDP template are evaluated. Because UDP involves no handshake, a whitelist entry also exempts any packet whose source address is spoofed to match it, so keep UDP whitelists as narrow as possible. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address whose packets are allowed before any relevant rate limiting rules take effect.
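The template names encode an evaluation order: WHITELIST IP and BLACKLIST IP rules are decided "prior to rate limiting", a BLACKLIST FQDN rule drops a matching query outright, and a RATELIMITED IP rule counts what is left. The following Python model is an added example, not Infoblox code, that puts the UDP variants of these templates together so the ordering can be exercised on constructed queries. It also shows the Punycode conversion the IDN note above requires, using Python's idna codec. The relative order of whitelist before blacklist, exact-match FQDN comparison, the one-second counting window, the omission of the rate-limited rule's Drop interval, the "no custom rule matched" label and all addresses and names are assumptions.

```python
"""Model of custom rules built from the UDP rule templates (added example, not Infoblox code).

Assumed evaluation order: WHITELIST IP UDP (pass prior to rate limiting), BLACKLIST IP UDP
(drop prior to rate limiting), BLACKLIST FQDN lookup UDP, then RATELIMITED IP UDP. Only the
rate check of the RATELIMITED rule is modelled, not its Drop interval.
"""
import ipaddress
from collections import defaultdict


def normalize_fqdn(name):
    """Canonical form for matching: IDNA/Punycode labels, lowercase, no trailing dot.

    This is the conversion the IDN Converter performs for a rule author; a query name
    on the wire is already ASCII, so both sides of the comparison end up in this form."""
    return name.strip().rstrip(".").encode("idna").decode("ascii").lower()


def parse_fqdn_list(value):
    """'Blacklisted FQDN' accepts a semicolon-separated list; return the normalised set."""
    return {normalize_fqdn(part) for part in value.split(";") if part.strip()}


class CustomRulePolicy:
    def __init__(self, whitelist_udp=(), blacklist_udp=(), blacklist_fqdn_udp="", ratelimit_udp=()):
        # address/CIDR strings; a bare address becomes a /32 or /128 network
        self.whitelist = [ipaddress.ip_network(n, strict=False) for n in whitelist_udp]
        self.blacklist = [ipaddress.ip_network(n, strict=False) for n in blacklist_udp]
        self.blocked_names = parse_fqdn_list(blacklist_fqdn_udp)
        # (network, Packets per second) pairs, one per RATELIMITED IP UDP rule
        self.ratelimits = [(ipaddress.ip_network(n, strict=False), pps) for n, pps in ratelimit_udp]
        self._counts = defaultdict(int)  # (network, src, second) -> packets counted

    def evaluate(self, t, src, qname):
        """Return (verdict, rule) for one UDP DNS query from src for qname at time t."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.whitelist):
            return "PASS", "WHITELIST IP UDP Pass prior to rate limiting"
        if any(ip in net for net in self.blacklist):
            return "DROP", "BLACKLIST IP UDP Drop prior to rate limiting"
        if normalize_fqdn(qname) in self.blocked_names:
            return "DROP", "BLACKLIST FQDN lookup UDP"
        for net, pps in self.ratelimits:
            if ip in net:
                key = (str(net), src, int(t))
                self._counts[key] += 1
                if self._counts[key] > pps:
                    return "DROP", "RATELIMITED IP UDP"
        return "PASS", "no custom rule matched"


def demo():
    """Constructed queries: the pre-rate-limit rules decide regardless of the query rate."""
    policy = CustomRulePolicy(
        whitelist_udp=["192.0.2.0/24"],                      # assumed monitoring subnet
        blacklist_udp=["203.0.113.66"],                      # assumed abusive host
        blacklist_fqdn_udp="bücher.example; evil.example.",  # IDN converted to Punycode on entry
        ratelimit_udp=[("198.51.100.0/24", 5)],              # 5 pps per source in that network
    )
    verdicts = []
    verdicts.append(policy.evaluate(0.0, "203.0.113.66", "www.example.com"))         # dropped at any rate
    verdicts.append(policy.evaluate(0.0, "198.51.100.10", "xn--bcher-kva.example"))  # Punycode form matches
    verdicts.append(policy.evaluate(0.0, "198.51.100.10", "EVIL.example"))           # case-insensitive
    verdicts += [policy.evaluate(0.1 * i, "198.51.100.10", "www.example.com") for i in range(7)]  # 5 pass, 2 drop
    verdicts += [policy.evaluate(0.05 * i, "192.0.2.5", "www.example.com") for i in range(20)]    # never limited
    return verdicts


if __name__ == "__main__":
    for verdict, rule in demo():
        print(verdict, "by", rule)
```

The two FQDN-blacklist drops for 198.51.100.10 never reach the rate-limit stage, so they are not counted against its 5 pps budget; the whitelisted 192.0.2.5 sends 20 queries in one second and is never limited, which is exactly why a UDP whitelist should stay narrow.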

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 3030

Page 23: Threat Protection Rules 6.12

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2330

ICMP

NIOS 612 NIOS Administrator Guide (Rev A) 1519

ICMP

ICMP attacks use network devices such as routers to send error messages when a requested service is not availableor the remote server cannot be reached Examples of ICMP attacks include ping floods ping-of-death attacks andsmurf attacks

The following table lists the system and auto rules that are used to mitigate ICMP attacks on your advanced appliance

Table H16 ICMP Rules

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

130400200 Auto DROP ICMP largepackets

This rule drops large ICMPpackets (bigger than800)

Always enabled Events per second (default=1)

130900100 Auto RATE LIMIT PASS ICMPPing

This rule passes ICMP pingpackets if the packet rate is lessthan the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130900200 Auto RATE LIMIT PASS ICMPv6Ping

This rule passes ICMPv6 pingpackets if the packet rate is lessthan the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130900700 Auto RATELIMIT PASS ICMPv6destinationunreachable

This rule passes ICMPv6Destination Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=100)

130900800 Auto RATELIMIT PASS ICMPv6packet too big

This rule passes ICMPv6 PacketToo Big messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=100)

130900900 Auto RATELIMIT PASS ICMPv6ping responses

This rule passes ICMPv6 pingresponses if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130901000 Auto RATELIMIT PASS ICMPv6parameter problemerroneous header

This rule passes ICMPv6Erroneous Header messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2430

1520 NIOS Administrator Guide (Rev A) NIOS 612

130901100 Auto RATELIMIT PASS ICMPv6parameter problemunrecognized nextheader

This rule passes ICMPv6Unrecognized Next Headermessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such traffic

from this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901200 Auto RATELIMIT PASS ICMPv6parameter problemunrecognized IPv6option

This rule passes ICMPv6Unrecognized IPv6 Optionmessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901300 Auto RATELIMIT PASS ICMPv6router solicitation

This rule passes ICMPv6 routersolicitation packets if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all such

traffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901400 Auto RATELIMIT PASS ICMPv6router advertisement

This rule passes ICMPv6 routeradvertisement if the packet rateis less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901500 Auto RATELIMIT PASS ICMPv6neighbor solicitation

This rule passes ICMPv6neighbor solicitation packets ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP for

a time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901600 Auto RATELIMIT PASS ICMPv6neighbor advertisement

This rule passes ICMPv6neighbor advertisement if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901700 Auto RATELIMIT PASS ICMPv6inverse neighborsolicitation

This rule passes ICMPv6 inverseneighbor solicitation messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130901800 Auto RATELIMIT PASS ICMPv6inverse neighboradvertisement

This rule passes ICMPv6 inverseneighbor advertisement if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2530

ICMP

NIOS 612 NIOS Administrator Guide (Rev A) 1521

130901900 Auto RATELIMIT PASS ICMPv6listener query

This rule passes ICMPv6 listenerquery messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a

time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902000 Auto RATELIMIT PASS ICMPv6listener report

This rule passes ICMPv6 listenerreport messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902100 Auto RATELIMIT PASS ICMPv6listener done

This rule passes ICMPv6 listenerdone messages if the packet rateis less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval )

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902200 Auto RATELIMIT PASS ICMPv6listener report v2

This rule passes ICMPv6 listenerreport v2 messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902300 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement

This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902400 Auto RATELIMIT PASS ICMPV6multicast routersolicitation

This rule passes ICMPv6multicast router solicitationmessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902500 Auto RATELIMIT PASS ICMPV6multicast routeradvertisement

This rule passes ICMPv6multicast router advertisement ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130902600 Auto RATELIMIT PASS ICMPping responses This rule passes ICMP pingresponses if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2630

1522 NIOS Administrator Guide (Rev A) NIOS 612

130902700  Auto  RATELIMIT PASS ICMP router advertisement
  Description: This rule passes ICMP router advertisement if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902800  Auto  RATELIMIT PASS ICMP router solicitation
  Description: This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130902900  Auto  RATELIMIT PASS ICMP time exceeded
  Description: This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903000  Auto  RATELIMIT PASS ICMP parameter problem
  Description: This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903100  Auto  RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable
  Description: This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50)

130903200  Auto  RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable
  Description: This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903300  Auto  RATELIMIT PASS ICMP protocol unreachable
  Description: This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval.
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

130903400  Auto  RATELIMIT ICMP port unreachable
  Description: This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50)


130903500  Auto  RATELIMIT PASS ICMP fragmentation needed
  Description: This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval).
  Enable/Disable Condition: Always enabled
  Parameters: Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50)

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H.17 Default Pass/Drop Rules

Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments

100000050  System  EARLY PASS TCP with flowbits set
  Description: This rule passes TCP traffic that has the flowbits options set and marked OK.
  Enable Condition: Enabled by default
  Parameters: N/A

140000100  System  DROP UDP DNS unexpected
  Description: This rule drops any unexpected UDP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.

140000200  System  DROP TCP DNS unexpected
  Description: This rule drops any unexpected TCP DNS packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=1)
  Comments: Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.

140000400  System  PASS TCP established packets
  Description: This rule passes all TCP established packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)

140000500  System  DROP TCP unexpected
  Description: This rule drops any unexpected TCP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000600  System  DROP UDP unexpected
  Description: This rule drops any unexpected UDP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.

140000700  System  DROP ICMP unexpected
  Description: This rule drops any unexpected ICMP packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.

140000800  System  DROP unexpected protocol
  Description: This rule drops any unexpected protocol packets.
  Enable Condition: Enabled by default
  Parameters: Events per second (default=0)
  Comments: This is a catch-all rule that drops anything that does not match any other rules in the system.
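The RATELIMIT PASS auto rules in the ICMP table above (130901100 through 130903500) all describe one mechanism: a source IP's packets pass while its rate stays under Packets per second; once it sends over that value, everything from that source is dropped for Drop interval seconds, and Events per second caps how many log events the rule emits while doing so. The Python simulation below is an added example, not Infoblox code. It assumes that the rate is measured per source IP over a sliding one-second window (the page does not say how the appliance measures it), and the addresses and timings are constructed test traffic run against the defaults of rule 130902600 (RATELIMIT PASS ICMP ping responses).

```python
"""Simulation of a RATELIMIT PASS rule as described in the ICMP rule table.

Added example, not Infoblox code. Assumed interpretation: the packet rate is
counted per source IP over a sliding one-second window; a source that exceeds
Packets per second is dropped until Drop interval seconds have elapsed, then
admitted again with a fresh counter. Events per second only caps how many
log events the rule emits per second; it never changes what is dropped.
"""
from collections import defaultdict, deque


class RateLimitPassRule:
    def __init__(self, name, packets_per_second=50, drop_interval=30, events_per_second=1):
        self.name = name
        self.packets_per_second = packets_per_second
        self.drop_interval = drop_interval
        self.events_per_second = events_per_second
        self.window = defaultdict(deque)   # source -> arrival times within the last second
        self.blocked_until = {}            # source -> time at which its drop interval ends
        self.log = []                      # (time, source, message) events actually emitted
        self._event_times = deque()        # times of emitted events within the last second

    def _emit(self, now, src, message):
        # Events per second: suppress log events beyond the configured number per second.
        while self._event_times and now - self._event_times[0] >= 1.0:
            self._event_times.popleft()
        if len(self._event_times) < self.events_per_second:
            self._event_times.append(now)
            self.log.append((now, src, message))

    def handle(self, now, src):
        """Return "PASS" or "DROP" for one packet from src arriving at time now (seconds)."""
        until = self.blocked_until.get(src)
        if until is not None:
            if now < until:
                return "DROP"                  # still inside Drop interval
            del self.blocked_until[src]        # interval elapsed: source is admitted again
        arrivals = self.window[src]
        while arrivals and now - arrivals[0] >= 1.0:
            arrivals.popleft()                 # slide the one-second window
        arrivals.append(now)
        if len(arrivals) > self.packets_per_second:
            self.blocked_until[src] = now + self.drop_interval
            arrivals.clear()
            self._emit(now, src, f"{self.name}: over {self.packets_per_second} pps, "
                                 f"dropping for {self.drop_interval}s")
            return "DROP"
        return "PASS"


def simulate(rule, packets):
    """Feed (time, source) packets in time order; return {source: (passed, dropped)}."""
    counts = defaultdict(lambda: [0, 0])
    for now, src in sorted(packets):
        counts[src][0 if rule.handle(now, src) == "PASS" else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


def demo():
    """Constructed traffic against the defaults of 130902600, RATELIMIT PASS ICMP ping responses."""
    rule = RateLimitPassRule("RATELIMIT PASS ICMP ping responses",
                             packets_per_second=50, drop_interval=10, events_per_second=1)
    flood = [(i * 0.0025, "198.51.100.7") for i in range(200)]   # 200 replies in half a second
    steady = [(float(i), "192.0.2.10") for i in range(20)]       # one reply per second for 20 s
    return simulate(rule, flood + steady), rule.log


if __name__ == "__main__":
    counts, log = demo()
    print(counts)   # {'198.51.100.7': (50, 150), '192.0.2.10': (20, 0)}
    print(log)      # one event: the flood source crossing 50 pps
```

Running demo() shows what the two parameters do in practice: the flooding source gets exactly its first 50 packets through and is then dropped for the full 10-second Drop interval, the source sending one packet per second is never touched, and only one log event is emitted because Events per second is 1, so tuning Events per second changes log volume, not protection.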


HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H.18 HA Support Rules

Columns: Rule ID, Rule Type, Rule Name, Description, Enable Condition, Parameters, Comments

140000750  Auto  PASS VRRP
  Description: This rule passes packets that go through VRRP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

140000760  Auto  PASS IGMP
  Description: This rule passes packets that go through IGMP for HA support.
  Enable Condition: Enabled if HA is configured
  Parameters: N/A

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:


  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address, based on the drop interval, when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
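The templates above form three tiers: WHITELIST IP passes a source prior to rate limiting, BLACKLIST IP and BLACKLIST FQDN lookup drop prior to rate limiting, and the RATELIMITED templates act on whatever is left. The Python example below is added here and is not Infoblox code; it evaluates a constructed custom rule set in that order so the interaction between the tiers can be checked before rules are deployed. It assumes that the whitelist check runs before the blacklist checks (the page states only that both act before rate limiting), that the IP entries are supplied as a list of address or address/CIDR strings (the page gives a separator only for the FQDN list), that one rule set applies regardless of TCP or UDP transport, and it uses Python's idna codec (IDNA 2003) for the Punycode conversion that the note requires, instead of the IDN Converter in the Toolbar. All addresses and names are constructed documentation values.

```python
"""Evaluation order of the custom rule templates, as an added example (not Infoblox code).

Assumed order: WHITELIST IP (pass prior to rate limiting), then BLACKLIST IP
(drop prior to rate limiting), then BLACKLIST FQDN lookup; anything else is
left to the RATELIMITED rules. IDNs are converted to Punycode with the
standard-library idna codec, since custom rules accept only ASCII names.
"""
import ipaddress


def fqdn_to_punycode(name):
    """Normalize one FQDN the way a custom rule needs it: Punycode (ASCII) and lower case."""
    name = name.strip().rstrip(".")
    return name.encode("idna").decode("ascii").lower()


def parse_fqdn_list(value):
    """Parse the semicolon-separated 'Blacklisted FQDN' parameter into a set of Punycode names."""
    return {fqdn_to_punycode(part) for part in value.split(";") if part.strip()}


def parse_networks(entries):
    """Parse address/CIDR or bare address entries; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in entries]


class CustomRuleSet:
    def __init__(self, whitelist_ip=(), blacklist_ip=(), blacklist_fqdn=""):
        self.whitelist = parse_networks(whitelist_ip)
        self.blacklist = parse_networks(blacklist_ip)
        self.blacklist_fqdn = parse_fqdn_list(blacklist_fqdn)

    def evaluate(self, src_ip, qname=None):
        """Return (verdict, template) for a DNS packet from src_ip querying qname."""
        ip = ipaddress.ip_address(src_ip)
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        if any(ip in net for net in self.whitelist):
            return ("PASS", "WHITELIST IP")       # passes prior to rate limiting
        if any(ip in net for net in self.blacklist):
            return ("DROP", "BLACKLIST IP")       # dropped prior to rate limiting
        if qname is not None and fqdn_to_punycode(qname) in self.blacklist_fqdn:
            return ("DROP", "BLACKLIST FQDN")
        return ("CONTINUE", "RATELIMITED")         # left to the RATELIMITED rules


def demo():
    """Constructed rule set and queries; returns the verdict for each query."""
    rules = CustomRuleSet(
        whitelist_ip=["192.0.2.0/24"],                        # constructed monitoring subnet
        blacklist_ip=["198.51.100.7", "2001:db8:bad::/48"],   # constructed blocked sources
        blacklist_fqdn="evil.example; bücher.example ;Other.Example.",
    )
    queries = [
        ("192.0.2.44", "evil.example"),              # whitelisted source wins over the FQDN list
        ("198.51.100.7", None),                      # blacklisted IPv4 address
        ("2001:db8:bad::1", "good.example"),         # inside the blacklisted IPv6 network
        ("203.0.113.5", "xn--bcher-kva.example"),    # Punycode form of bücher.example
        ("203.0.113.5", "OTHER.example"),            # case-insensitive FQDN match
        ("203.0.113.5", "good.example"),             # nothing matched: rate limiting decides
    ]
    return [rules.evaluate(ip, qname) for ip, qname in queries]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The first query is the case worth noticing when combining templates: a whitelisted source is passed prior to rate limiting even when it asks for a blacklisted FQDN, so whitelist entries should be kept to networks that genuinely need the exemption.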



addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP TCP template In the Rule Parameters table complete the following

mdash Whitelisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are allowed beforeany relevant rate limiting rules take effect

bull WHITELIST IP UDP Pass prior to rate limiting Use this rule template to create custom rules for allowing certain IPaddresses on UDP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP UDP template In the Rule Parameters table complete the following

mdash Whitelisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are allowed beforeany relevant rate limiting rules take effect

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 3030

Page 25: Threat Protection Rules 6.12

8/21/2019 Threat Protection Rules 6.12
http://slidepdf.com/reader/full/threat-protection-rules-612 25/30
NIOS 6.12 NIOS Administrator Guide (Rev. A) 1521

ICMP

Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments
130901900 | Auto | RATELIMIT PASS ICMPv6 listener query | This rule passes ICMPv6 listener query messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902000 | Auto | RATELIMIT PASS ICMPv6 listener report | This rule passes ICMPv6 listener report messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902100 | Auto | RATELIMIT PASS ICMPv6 listener done | This rule passes ICMPv6 listener done messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902200 | Auto | RATELIMIT PASS ICMPv6 listener report v2 | This rule passes ICMPv6 listener report v2 messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902300 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902400 | Auto | RATELIMIT PASS ICMPV6 multicast router solicitation | This rule passes ICMPv6 multicast router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902500 | Auto | RATELIMIT PASS ICMPV6 multicast router advertisement | This rule passes ICMPv6 multicast router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130902600 | Auto | RATELIMIT PASS ICMP ping responses | This rule passes ICMP ping responses if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130902700 | Auto | RATELIMIT PASS ICMP router advertisement | This rule passes ICMP router advertisement messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130902800 | Auto | RATELIMIT PASS ICMP router solicitation | This rule passes ICMP router solicitation messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130902900 | Auto | RATELIMIT PASS ICMP time exceeded | This rule passes ICMP time exceeded messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903000 | Auto | RATELIMIT PASS ICMP parameter problem | This rule passes ICMP parameter problem messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903100 | Auto | RATELIMIT PASS ICMPv6 hop limit exceeded or ICMPv4 network unreachable | This rule passes ICMPv6 Hop Limit Exceeded messages or ICMPv4 Network Unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=30 sec); Packets per second (default=50) |
130903200 | Auto | RATELIMIT PASS ICMPv6 fragment reassembly time exceeded or ICMPv4 host unreachable | This rule passes ICMPv6 fragment reassembly time exceeded messages or ICMPv4 host unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903300 | Auto | RATELIMIT PASS ICMP protocol unreachable | This rule passes ICMP protocol unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a time specified in Drop interval. | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |
130903400 | Auto | RATELIMIT ICMP port unreachable | This rule passes ICMP port unreachable messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=10); Drop Interval (default=10 sec); Packets per second (default=50) |
130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) |

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H.17 Default Pass/Drop Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | N/A |
140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet.
140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet.
140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default=0) |
140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default=0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default=0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member.
140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default=0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member.
140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default=0) | This is a catch-all rule that drops anything that does not match any other rules in the system.

HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H.18 HA Support Rules

Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments
140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | N/A |
140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | N/A |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs in custom rules, you must first convert the IDNs into Punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs using semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the packets for this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the TCP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval in seconds for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the UDP traffic of DNS lookups for this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
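The pass/drop behaviour that the ICMP rate-limit rules and the RATELIMITED, BLACKLIST and WHITELIST IP templates above describe, modelled in Python as an added example; this is not Infoblox code and not part of the guide. The guide does not describe the appliance's counting algorithm, so the model assumes fixed one-second windows per source IP, a block that starts on the first packet pushing a window over the Packets per second value, and a whitelist checked before the blacklist. It also normalizes a semicolon-separated Blacklisted FQDN value to Punycode, as the note on IDNs requires. All addresses and names are constructed documentation values.

```python
"""Model of the pass/drop decision for the rate limiting rules (added example).

Assumptions not stated in the guide: fixed one-second counting windows per
source IP, a block begins on the first packet that pushes a window over the
Packets per second value, and the whitelist is checked before the blacklist.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RateLimitRule:
    packets_per_second: int = 5   # RATELIMITED IP template default
    drop_interval: float = 30.0   # seconds; RATELIMITED IP template default
    events_per_second: int = 1    # log lines written per second for this rule


@dataclass
class RateLimiter:
    rule: RateLimitRule
    whitelist: List[str] = field(default_factory=list)  # WHITELIST IP: pass prior to rate limiting
    blacklist: List[str] = field(default_factory=list)  # BLACKLIST IP: drop prior to rate limiting
    log: List[str] = field(default_factory=list)
    _counts: Dict[str, List[int]] = field(default_factory=dict)      # src -> [second, packets]
    _blocked_until: Dict[str, float] = field(default_factory=dict)  # src -> end of drop interval
    _logged: List[int] = field(default_factory=lambda: [-1, 0])    # [second, events logged]

    @staticmethod
    def _matches(src: str, networks: List[str]) -> bool:
        """True if src falls inside any address or address/CIDR entry of the list."""
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

    def _log(self, ts: float, msg: str) -> None:
        """Write at most events_per_second log lines per wall-clock second."""
        sec = int(ts)
        if self._logged[0] != sec:
            self._logged[:] = [sec, 0]
        if self._logged[1] < self.rule.events_per_second:
            self._logged[1] += 1
            self.log.append(f"{ts:.2f} {msg}")

    def decide(self, ts: float, src: str) -> str:
        """Return 'PASS' or 'DROP' for one packet from src at time ts (seconds)."""
        if self._matches(src, self.whitelist):
            return "PASS"                       # passes before any rate limiting rule
        if self._matches(src, self.blacklist):
            self._log(ts, f"DROP {src}: blacklisted prior to rate limiting")
            return "DROP"
        if ts < self._blocked_until.get(src, -1.0):
            self._log(ts, f"DROP {src}: inside drop interval")
            return "DROP"
        sec = int(ts)
        window = self._counts.setdefault(src, [sec, 0])
        if window[0] != sec:                    # new second, restart the count
            window[:] = [sec, 0]
        window[1] += 1
        if window[1] > self.rule.packets_per_second:
            self._blocked_until[src] = ts + self.rule.drop_interval
            self._log(ts, f"DROP {src}: over {self.rule.packets_per_second} pps, "
                          f"blocked for {self.rule.drop_interval:g}s")
            return "DROP"
        return "PASS"


def normalize_fqdn_list(value: str) -> List[str]:
    """Split a semicolon-separated Blacklisted FQDN value and convert each name
    to its Punycode (A-label) form, since custom rules do not accept IDNs."""
    names = []
    for raw in value.split(";"):
        name = raw.strip().rstrip(".")
        if name:
            names.append(name.encode("idna").decode("ascii").lower())
    return names


def simulate() -> Tuple[List[str], List[str]]:
    """Constructed traffic: a burst source, a whitelisted and a blacklisted address
    (documentation ranges); returns the decisions and the throttled log."""
    limiter = RateLimiter(RateLimitRule(packets_per_second=5, drop_interval=30.0),
                          whitelist=["192.0.2.0/24"], blacklist=["203.0.113.7"])
    decisions = []
    for i in range(8):                          # 8 packets inside second 10: 5 pass, then blocked
        decisions.append(limiter.decide(10.0 + i * 0.05, "198.51.100.9"))
    decisions.append(limiter.decide(12.0, "198.51.100.9"))   # still inside the 30 s drop interval
    decisions.append(limiter.decide(41.0, "198.51.100.9"))   # interval over, counting restarts
    decisions.append(limiter.decide(42.0, "192.0.2.5"))      # whitelisted: passes regardless of rate
    decisions.append(limiter.decide(42.5, "203.0.113.7"))    # blacklisted: dropped before rate limiting
    return decisions, limiter.log


if __name__ == "__main__":
    for line in simulate()[1]:
        print(line)
    print(normalize_fqdn_list("bücher.example; Example.COM."))
```

With Events per second left at 1, the 7th and 8th packets of the burst are dropped but not logged, which is the behaviour to expect when reading the appliance's event log during a flood: the log shows the first drop in each second, not every dropped packet.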

Page 26: Threat Protection Rules 6.12

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2630

1522 NIOS Administrator Guide (Rev A) NIOS 612

130902700 Auto RATELIMIT PASS ICMProuter advertisement

This rule passes ICMP routeradvertisement if the packet rateis less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for a

time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130902800 Auto RATELIMIT PASS ICMProuter solicitation

This rule passes ICMP routersolicitation messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130902900 Auto RATELIMIT PASS ICMPtime exceeded

This rule passes ICMP timeexceeded messages if the packetrate is less than the Packets per

second value If any source IPsends packets over this valuethe appliance blocks all suchtraffic from this source IP for atime specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903000 Auto RATELIMIT PASS ICMPparameter problem

This rule passes ICMP parameterproblems if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a timespecified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903100 Auto RATELIMIT PASS ICMPv6hop limit exceeded orICMPv4 networkunreachable

This rule passes ICMPv6 HopLimit Exceeded messages orICMPv4 Network Unreachablemessages if the packet rate isless than the Packets per second value If any source IP sendspackets over this value theappliance blocks all such trafficfrom this source IP for a time

specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=30 sec)

Packets per second (default=50)

130903200 Auto RATELIMIT PASS ICMPv6fragment reassemblytime exceeded orICMPv4 hostunreachable

This rule passes ICMPv6fragment reassembly timeexceeded messages or ICMPv4host unreachable messages ifthe packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903300 Auto RATELIMIT PASS ICMPprotocol unreachable

This rule passes ICMP protocolunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks all

such traffic from this source IP fora time specified in Drop interval

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

130903400 Auto RATELIMIT ICMP portunreachable

This rule passes ICMP portunreachable messages if thepacket rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP fora certain period of time(specified in Drop interval )

Always enabled Events per second (default=10)

Drop Interval (default=10 sec)

Packets per second (default=50)

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2730

Default PassDrop

NIOS 612 NIOS Administrator Guide (Rev A) 1523

Default Pass Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance All rulesare disabled by default

Table H17 Default PassDrop Rules

130903500 Auto RATELIMIT PASS ICMPfragmentation needed

This rule passes ICMPfragmentation needed messagesif the packet rate is less than thePackets per second value If anysource IP sends packets over thisvalue the appliance blocks allsuch traffic from this source IP for

a certain period of time(specified in Drop interval )

Always enabled Events per second (default=1)

Drop Interval (default=10 sec)

Packets per second (default=50)

Rule ID

Rule

Type Rule Name Description

Enable

Condition Parameters Comments

100000050 System EARLY PASS TCPwith flowbits set

This rule passes TCP trafficthat has the flowbitsoptions set and marked OK

Enabled bydefault

NA

140000100 System DROP UDP DNSunexpected

This rule drops anyunexpected UDP DNSpackets

Enabled bydefault

Events per second (default=1)

Default drop rule for the DNSservice port If this rule istriggered most likely thispacket is an invalid DNS UDPpacket

140000200 System DROP TCP DNSunexpected

This rule drops anyunexpected TCP DNSpackets

Enabled bydefault

Events per second (default=1)

Default drop rule for the DNSservice port If this rule istriggered most likely thispacket is an invalid DNS TCPpacket

140000400 System PASS TCPestablished packets

This passes all TCPestablished packets

Enabled bydefault

Events per second (default=0)

140000500 System DROP TCPunexpected

This rule drops anyunexpected TCP packets

Enabled bydefault

Events per second (default=0)

This rule drops any TCP packeton any port If this rule istriggered most likely thispacket is not intended forservices on this member

140000600 System DROP UDPunexpected

This rule drops anyunexpected UDP packets

Enabled bydefault

Events per second (default=0)

This rule drops any UDP packeton any port If this rule istriggered most likely thispacket is not intended forservices on this member

140000700 System DROP ICMPunexpected

This rule drops anyunexpected ICMP packets

Enabled bydefault

Events per second (default=0)

This rule drops any ICMPpacket If this rule is triggeredmost likely this packet is notintended for services on thismember

140000800 System DROP unexpectedprotocol

This rule drops anyunexpected protocolpackets

Enabled bydefault

Events per second (default=0)

This is a catch all rule thatdrops anything that does notmatch any other rules in thesystem

Rule ID Type Rule Name Description

EnableDisable

Condition

Parameters Comments

8212019 Threat Protection Rules 612

httpslidepdfcomreaderfullthreat-protection-rules-612 2830

1524 NIOS Administrator Guide (Rev A) NIOS 612

HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router RedundancyProtocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support

Table H18 HA Support Rules

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules Notethat when you use a specific rule template to create custom rules the new rules reside in their respective rulecategories For information about custom rules and creating custom rules see Custom Rules on page 1341 andCreating Custom Rules on page 1343

For each rule you create you can define the Events per second value to determine the number of events per secondthat will be logged for the rule You can also define specific rule parameters for custom rules as follows

Note Custom rules do not support IDNs (Internationalized Domain Names) To use IDNs for custom rules you mustfirst convert the IDNs into puny codes You can use the IDN Converter from the Toolbar for the conversion

bull BLACKLIST FQDN lookup TCP Use this rule template to create custom rules for blacklisting DNS queries by FQDNlookups on TCP In the Rule Parameters table complete the following

mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over TCP traffic You can also enter alist of FQDNs using semicolon as the separator

bull BLACKLIST FQDN lookup UDP Use this rule template to create custom rules for blacklisting DNS queries byFQDN lookups on UDP In the Rule Parameters table complete the following

mdash Blacklisted FQDN Enter the FDQN that you want the appliance to block over UDP traffic You can also enter alist of FQDNs using semicolon as the separator

bull BLACKLIST IP TCP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP TCP template In the Rule Parameters table complete the following

mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all TCP traffic from the specified Ipv4 and IPv6

addresses and networks will be blocked Enter network addresses in addressCIDR formatbull BLACKLIST IP UDP Drop prior to rate limiting Use this rule template to create rules for blocking IPv4 or IPv6

addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined usingthe RATELIMITED IP UDP template In the Rule Parameters table complete the following

mdash Blacklisted IP addressnetwork Enter the IPv4 or IPv6 address from which packets sent are dropped beforeany relevant rate limiting rules take effect Note that all UDP traffic from the specified Ipv4 and IPv6addresses and networks will be blocked Enter network addresses in addressCIDR format



Continuation of the ICMP rules table from the preceding page (its last row, rule ID 130903500, is carried over onto this page):

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 130903500 | Auto | RATELIMIT PASS ICMP fragmentation needed | This rule passes ICMP fragmentation needed messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time (specified in Drop interval). | Always enabled | Events per second (default=1); Drop Interval (default=10 sec); Packets per second (default=50) | |

Default Pass/Drop

The following table lists the system rules that are used to pass or drop packets on your advanced appliance. All rules are disabled by default.

Table H17 Default Pass/Drop Rules

| Rule ID | Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 100000050 | System | EARLY PASS TCP with flowbits set | This rule passes TCP traffic that has the flowbits options set and marked OK. | Enabled by default | N/A | |
| 140000100 | System | DROP UDP DNS unexpected | This rule drops any unexpected UDP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS UDP packet. |
| 140000200 | System | DROP TCP DNS unexpected | This rule drops any unexpected TCP DNS packets. | Enabled by default | Events per second (default=1) | Default drop rule for the DNS service port. If this rule is triggered, most likely this packet is an invalid DNS TCP packet. |
| 140000400 | System | PASS TCP established packets | This rule passes all TCP established packets. | Enabled by default | Events per second (default=0) | |
| 140000500 | System | DROP TCP unexpected | This rule drops any unexpected TCP packets. | Enabled by default | Events per second (default=0) | This rule drops any TCP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000600 | System | DROP UDP unexpected | This rule drops any unexpected UDP packets. | Enabled by default | Events per second (default=0) | This rule drops any UDP packet on any port. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000700 | System | DROP ICMP unexpected | This rule drops any unexpected ICMP packets. | Enabled by default | Events per second (default=0) | This rule drops any ICMP packet. If this rule is triggered, most likely this packet is not intended for services on this member. |
| 140000800 | System | DROP unexpected protocol | This rule drops any unexpected protocol packets. | Enabled by default | Events per second (default=0) | This is a catch-all rule that drops anything that does not match any other rules in the system. |


HA Support

The following table lists auto rules that are used to pass packets that go through the Virtual Router Redundancy Protocol (VRRP) and Internet Group Management Protocol (IGMP) for HA (High Availability) support.

Table H18 HA Support Rules

| Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
|---|---|---|---|---|---|---|
| 140000750 | Auto | PASS VRRP | This rule passes packets that go through VRRP for HA support. | Enabled if HA is configured | N/A | |
| 140000760 | Auto | PASS IGMP | This rule passes packets that go through IGMP for HA support. | Enabled if HA is configured | N/A | |

Custom Rule Templates

Advanced DNS Protection supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, see Custom Rules on page 1341 and Creating Custom Rules on page 1343.

For each rule you create, you can define the Events per second value to determine the number of events per second that will be logged for the rule. You can also define specific rule parameters for custom rules, as follows:

Note: Custom rules do not support IDNs (Internationalized Domain Names). To use IDNs for custom rules, you must first convert the IDNs into punycode. You can use the IDN Converter from the Toolbar for the conversion.

• BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on TCP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over TCP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.

• BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules for blacklisting DNS queries by FQDN lookups on UDP. In the Rule Parameters table, complete the following:
  - Blacklisted FQDN: Enter the FQDN that you want the appliance to block over UDP traffic. You can also enter a list of FQDNs, using a semicolon as the separator.

• BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules for blocking IPv4 or IPv6 addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Blacklisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks will be blocked. Enter network addresses in address/CIDR format.

• RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blocking DNS queries by FQDN lookups on UDP traffic. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups for the FQDN defined in this rule. The default is 5.
  - Drop interval: Enter the number of seconds for which the appliance drops packets.
  - Blacklist rate limited FQDN: Enter the FQDN that is affected by the rate limit value configured for this rule. The appliance drops the DNS lookups for this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit value.

• RATELIMITED IP TCP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of TCP traffic that consists of DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, during which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the TCP traffic of DNS lookups from this IP address exceeds the configured rate limit value.

• RATELIMITED IP UDP: Use this rule template to create custom rules that contain rate limiting restrictions for blacklisting IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic reaches the rate limit restrictions, you can create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
  - Packets per second: Enter the number of packets per second to define the rate limit for this rule. You define this value to control the rate of UDP traffic that consists of DNS lookups from the IP address or network defined in this rule. The default is 5.
  - Drop interval: Enter the time interval, in seconds, during which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
  - Rate limited IP address/network: Enter the IP address or network that is affected by the rate limit value configured for this rule. The appliance drops the packets sent by this IP address for the drop interval when the UDP traffic of DNS lookups from this IP address exceeds the configured rate limit value.

• WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on TCP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.

• WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules for allowing certain IP addresses on UDP before the appliance drops the packets based on rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
  - Whitelisted IP address/network: Enter the IPv4 or IPv6 address from which packets sent are allowed before any relevant rate limiting rules take effect.
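To make the interaction between these templates and the default pass/drop rules of Table H17 concrete, here is an added Python model (example code written for this page, not Infoblox's implementation): a per-key rate limiter with the Packets per second and Drop interval semantics described above, whitelist and blacklist checks that run before it, semicolon-separated FQDN lists normalised to punycode as the note requires, and a final fall-through to the default rules. The evaluation order (whitelist before blacklist, FQDN rules before IP rate limits), the packet dictionary layout, the verdict strings and the sample traffic are assumptions of the example; the template names, the default values (5 packets per second, 30-second drop interval) and the rule IDs in the verdicts come from the text. The sample lowers the limit to 2 packets per second so the rule trips within a few packets.

```python
import ipaddress
from collections import defaultdict

def to_punycode(name):
    # Custom rules do not accept IDNs: normalise to the punycode (A-label) form first.
    return name.strip().rstrip(".").lower().encode("idna").decode("ascii")

def parse_fqdn_list(value):
    # "Blacklisted FQDN" takes one or more names separated by semicolons.
    return {to_punycode(n) for n in value.split(";") if n.strip()}

class RateLimiter:
    """Per key (source IP or FQDN): more than `pps` packets within one second starts a
    drop lasting `drop_interval` seconds (page defaults: 5 and 30)."""

    def __init__(self, pps=5, drop_interval=30):
        self.pps, self.drop_interval = pps, drop_interval
        self.recent = defaultdict(list)  # key -> timestamps seen in the last second
        self.blocked_until = {}          # key -> time at which its drop interval ends

    def allow(self, key, now):
        if self.blocked_until.get(key, -1.0) > now:
            return False                 # still inside the drop interval
        stamps = [t for t in self.recent[key] if now - t < 1.0] + [now]
        self.recent[key] = stamps
        if len(stamps) > self.pps:
            self.blocked_until[key] = now + self.drop_interval
            return False
        return True

def _matches(table, proto, ip):
    # table is {"tcp": [networks], "udp": [networks]}, mirroring the separate templates
    return any(ipaddress.ip_address(ip) in net for net in table.get(proto, []))

class DnsPolicy:
    """Assumed order: whitelist, blacklist, FQDN blacklist, FQDN rate limit, IP rate limit, defaults."""

    def __init__(self, whitelist, blacklist, ratelimited, blacklisted_fqdns="",
                 ratelimited_fqdns="", pps=5, drop_interval=30):
        nets = lambda tbl: {p: [ipaddress.ip_network(n, strict=False) for n in ns]
                            for p, ns in tbl.items()}          # address/CIDR strings
        self.whitelist, self.blacklist = nets(whitelist), nets(blacklist)
        self.ratelimited = nets(ratelimited)
        self.blacklisted_fqdns = parse_fqdn_list(blacklisted_fqdns)
        self.ratelimited_fqdns = parse_fqdn_list(ratelimited_fqdns)
        self.ip_limiter = RateLimiter(pps, drop_interval)
        self.fqdn_limiter = RateLimiter(pps, drop_interval)

    def decide(self, pkt, now):
        src, proto = pkt["src"], pkt["proto"]
        is_dns = proto in ("tcp", "udp") and pkt.get("dport") == 53
        qname = to_punycode(pkt["qname"]) if pkt.get("qname") else None
        if _matches(self.whitelist, proto, src):
            return "PASS whitelisted IP"          # WHITELIST IP: pass prior to rate limiting
        if _matches(self.blacklist, proto, src):
            return "DROP blacklisted IP"          # BLACKLIST IP: drop prior to rate limiting
        if qname in self.blacklisted_fqdns:
            return "DROP blacklisted FQDN"        # BLACKLIST FQDN lookup
        if (proto == "udp" and qname in self.ratelimited_fqdns
                and not self.fqdn_limiter.allow(qname, now)):
            return "DROP rate-limited FQDN"       # RATELIMITED FQDN lookup UDP
        if (is_dns and _matches(self.ratelimited, proto, src)
                and not self.ip_limiter.allow(src, now)):
            return "DROP rate-limited IP"         # RATELIMITED IP TCP / UDP
        if is_dns:
            return "PASS to DNS service"          # assumption: a valid query reaches the resolver
        if proto == "tcp" and pkt.get("established"):
            return "PASS TCP established [140000400]"
        if proto in ("tcp", "udp", "icmp"):
            return "DROP %s unexpected" % proto.upper()   # [140000500/600/700]
        return "DROP unexpected protocol [140000800]"     # catch-all

def q(t, src, qname):
    # Constructed UDP DNS query for the sample run (not captured traffic).
    return t, {"src": src, "proto": "udp", "dport": 53, "qname": qname}

CONSTRUCTED_TRAFFIC = [
    q(0.0, "10.1.1.1", "bad.example"),       # whitelisted source wins over the FQDN rule
    q(0.0, "198.51.100.7", "www.example"),   # blacklisted source is dropped first
    q(0.1, "192.0.2.10", "bücher.example"),  # IDN query matches the punycode rule
    q(1.0, "192.0.2.10", "www.example"),     # pps=2: first two pass, next two are dropped
    q(1.2, "192.0.2.10", "www.example"),
    q(1.4, "192.0.2.10", "www.example"),
    q(1.6, "192.0.2.10", "www.example"),
    q(5.0, "203.0.113.5", "busy.example"),   # per-FQDN limit counts across sources
    q(5.1, "203.0.113.6", "busy.example"),
    q(5.2, "203.0.113.7", "busy.example"),
    (6.0, {"src": "203.0.113.9", "proto": "gre"}),   # nothing matches: catch-all drop
    q(31.5, "192.0.2.10", "www.example"),    # the 30 s drop interval has elapsed
]

def run_sample():
    policy = DnsPolicy(whitelist={"tcp": ["10.0.0.0/8"], "udp": ["10.0.0.0/8"]},
                       blacklist={"udp": ["198.51.100.0/24"]},
                       ratelimited={"udp": ["192.0.2.0/24"]},
                       blacklisted_fqdns="bad.example; bücher.example",
                       ratelimited_fqdns="busy.example", pps=2, drop_interval=30)
    return [policy.decide(pkt, t) for t, pkt in CONSTRUCTED_TRAFFIC]
```

Two details of the model follow the text rather than a generic firewall: the rate-limited IP rule only counts sources inside the configured address/network, so 203.0.113.x is never rate limited even though it sends faster than the limit, and a source that has tripped the limit stays dropped for the whole drop interval regardless of its later rate, which is why the packet at 1.6 s is dropped and the one at 31.5 s passes.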



