Intrusion Detection and Prevention / Re: Port 53 flood on IPS
« on: February 15, 2018, 04:00:41 pm »
What I ended up doing was allow port 53 through IPS and then use a floating firewall rule to block them. That way I don't flood the logs. I used pftop to identify the traffic and saw that it was outbound traffic to port 53 as well as inbound, which is a normal transaction for DNS queries.
Here is a pic of what I saw. The 68.105 IPs are the legitimate DNS from the ISP. The 208.76 is not.
Also, here is the floating rule I used for DNS.