NetFort Tips & Tricks - Monitoring suspicious DNS traffic on your network

  • Updated 6 years ago
A LANGuardian customer recently contacted us with an interesting use case. Their network had just suffered a DDoS attack that flooded it with DNS traffic, and the customer asked if LANGuardian could help identify when DNS traffic levels are increasing. The customer knew the IP addresses of all known-good DNS servers on the network. Using LANGuardian traffic reports, the customer was able to craft a custom report that lists all machines generating more than 10MB of DNS traffic in one hour.

DDoS attacks are a favored method of disrupting websites: the attacker sends large amounts of data in the hope of overwhelming servers so that websites stop responding to requests.

The network administrator has now set up a report for DNS traffic and, after creating an alert on the report, will in future be notified when DNS traffic levels are increasing. The steps to create the report and alert were as follows:

  1. Click on Reports in the LANGuardian menu bar.

  2. In the IP Activity section, click on More>>. LANGuardian displays the advanced IP Activity reports.

  3. Click on IP Activity :: Systems generating more than 2GB of bandwidth. Enter 53 (DNS) in the Server Port field and exclude the IP addresses for all known DNS servers in the IP/Subnet field, then click View.

  4. When LANGuardian displays the report, click More Actions on the report menu bar and select Save Report.

  5. Enter a name and description for the report, then click Save. The new report will be listed in the Custom Reports section.

  6. Click More Actions on the report menu and select Report Syntax. The default 2GB value will probably look something like this: 2000000000. Change the default value to 10485760 (10MB) and select Save.

  7. To trigger the alert, change the Generate Alerts settings for the report on the report wizard page to "alert".

And, of course, please contact us any time if you have any questions about monitoring DNS traffic on your network or indeed any other aspect of network monitoring with LANGuardian.

Aisling Brennan, Official Rep


Posted 6 years ago
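
The logic of the report built in steps 3 to 7 above, as an added Python example that is not LANGuardian code and not part of the original post. It assumes flow records exported as (start time, client IP, server IP, server port, bytes) tuples, fixed clock-hour buckets, and that the exclusion list removes the known DNS servers themselves from the results; all addresses and records are constructed.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

DNS_PORT = 53
THRESHOLD_BYTES = 10485760  # the 10MB value entered in step 6

# Assumption: the known-good DNS servers excluded in step 3.
KNOWN_DNS = ["10.0.0.53/32"]

# Constructed sample flows: (start time, client IP, server IP, server port, bytes).
SAMPLE_FLOWS = [
    ("2024-01-01T10:05:00", "10.0.0.53", "192.0.2.1", 53, 50_000_000),    # known DNS server
    ("2024-01-01T10:10:00", "10.0.1.20", "10.0.0.53", 53, 6_000_000),
    ("2024-01-01T10:40:00", "10.0.1.20", "10.0.0.53", 53, 5_000_000),     # 11,000,000 in the hour
    ("2024-01-01T10:15:00", "10.0.1.21", "10.0.0.53", 53, 10_485_760),    # exactly at threshold
    ("2024-01-01T10:20:00", "10.0.1.22", "192.0.2.80", 443, 900_000_000), # large, but not DNS
    ("2024-01-01T10:50:00", "10.0.1.23", "10.0.0.53", 53, 6_000_000),     # burst split across
    ("2024-01-01T11:10:00", "10.0.1.23", "10.0.0.53", 53, 6_000_000),     # two hour buckets
]


def heavy_dns_clients(flows, known_dns, threshold=THRESHOLD_BYTES):
    """Return sorted (hour, client, bytes) rows for clients over the hourly threshold."""
    excluded = [ip_network(net) for net in known_dns]
    totals = defaultdict(int)
    for start, client, _server, port, nbytes in flows:
        if port != DNS_PORT:
            continue  # Server Port filter: DNS only
        if any(ip_address(client) in net for net in excluded):
            continue  # known-good DNS servers are expected to be heavy talkers
        hour = datetime.fromisoformat(start).replace(minute=0, second=0, microsecond=0)
        totals[(hour, client)] += nbytes
    # "More than" the threshold: a host sitting exactly on it is not reported.
    return sorted(
        (hour.isoformat(), client, total)
        for (hour, client), total in totals.items()
        if total > threshold
    )


if __name__ == "__main__":
    for hour, client, total in heavy_dns_clients(SAMPLE_FLOWS, KNOWN_DNS):
        print(f"ALERT {hour} {client} sent {total} bytes of DNS traffic")
```

The 10.0.1.23 records show a limit of fixed hourly buckets: 12,000,000 bytes sent within 20 minutes go unreported because they straddle the hour boundary.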
