
3535 - Creating Custom ADP Rules in NIOS

This lab requires a lab environment with Advanced DNS Protection capability!
Please ensure that you have deployed the NIOS Lab Environment (with Advanced DNS Protection) before starting.

Scenario

Your organization has recently tuned ADP to fit its needs, and you are tasked with creating three new custom rules to complement the recently tuned ADP rules and categories. First, you are asked to create a custom rule to allow the IP Address 203.0.113.254 of an important customer. The organization has a legal obligation to provide a 24/7 service, and the traffic from this customer cannot be blocked or rate limited. However, after you do this, you notice this same IP address is sending a lot of traffic, and you want to reduce the amount of QPS it can send to 100 before it is rate-limited. Finally, the security team finds that the IP Address has been compromised and identifies it as trying to attack the organization. You must now put in a custom Denylist (Blacklist) rule to stop traffic from the IP Address 203.0.113.254.

In this lab, you will create three different types of custom ADP rules for each of these scenarios.

Estimate Completion Time

  • 25 to 35 Minutes

Credentials

Description        Username   Password   URL or IP
Grid Manager UI    admin      infoblox   https://10.100.0.100/
Jump-Desktop       training   infoblox
Support-Server     training   infoblox

Course References

  • 3034: Advanced DNS Protection Tuning in NIOS

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.


Tasks

  • Task 1: Verifying the lab state

  • Task 2: Creating a Custom Allowlist (Whitelist) Rule

  • Task 3: Creating a Custom Rate Limiting Rule

  • Task 4: Creating a Custom Denylist (Blacklist) Rule


Task 1: Verifying the lab state

Before starting this lab, you must verify the Grid member extibns.techblue.net (nios-4) is part of the Grid and has the correct license. When ADP licenses are loaded correctly, they appear as Threat Protection in the user interface.

If the license is missing, load the license file available in the jump-desktop file system at Shared Drive/licenses/ADP.lic.

Task 2: Creating a Custom Allowlist (Whitelist) Rule

Create a custom Allowlist rule to allow traffic from the IP Address 203.0.113.254.

In this scenario, 203.0.113.254 is the IP Address of an important customer; traffic from this customer cannot be blocked or rate limited.

Use queryperf and bmon on Support-Server to test your configuration by sending 1000 QPS to extibns.techblue.net.

Once this Task is completed, disable the rule and republish.

Task 3: Creating a Custom Rate Limiting Rule

Create a custom Rate Limited rule to control traffic from the IP Address 203.0.113.254.

In this scenario, 203.0.113.254 is sending us a lot of traffic, and we want to reduce the amount of QPS it can send to 100 before it is rate-limited.

Use the following parameters for the rule:

  • For Log Severity select Critical

  • For Packets per second specify a value of 100

  • For Drop interval specify a value of 5

  • For Events per second specify a value of 1

  • Use 203.0.113.254 as the IP address

  • For Rate algorithm select Rate_Limiting

  • Use queryperf and bmon on Support-Server to test your configuration. Send a rate below the threshold first, then a higher rate, to verify that the rule works.

Once this Task is completed, disable the rule and republish.

Task 4: Creating a Custom Denylist (Blacklist) Rule

In this scenario, the IP Address 203.0.113.254 has been identified as trying to attack us. Create a custom Denylist rule to block traffic from the IP Address 203.0.113.254.

Use queryperf on Support-Server and the NIOS syslog to test your configuration.


Solutions:

Task 1 Solution: Verifying the lab state

Verify that extibns.techblue.net has all the required licenses:

  1. Navigate to Grid → Licenses, and check which licenses are applied to extibns.techblue.net.

  2. If ADP licenses are missing, click the + button and add the license file. The license file should be under Shared Drive/licenses/ named ADP.lic. Click Save License(s) to apply the selected file.

  3. Before you continue, make sure the ADP licenses appear in the Grid's license list.


Task 2 Solution: Creating a Custom Allowlist (Whitelist) Rule

In this task, you create a custom Allowlist rule to allow traffic from the IP Address 203.0.113.254.

This is the IP Address of an important customer. The organization has a legal obligation to provide a 24/7 service, and the traffic from this customer cannot be blocked or rate limited.

You need to create an ALLOWLIST PASS UDP IP rule to allow UDP traffic from IP Address 203.0.113.254.

  1. Navigate to Data Management → Security → Threat Protection Rules.

  2. Click on the link for the 20231220-12 ruleset.

  3. Click the plus (+) symbol to add a custom rule.

  4. Choose the Allowlist WHITELIST PASS UDP IP prior to rate limiting from the drop-down template list.

  5. Click Next to configure the rule parameters.

  6. Enter the IP Address 203.0.113.254, then Save and Close.

  7. Publish the rule when prompted.


It may take up to 1 minute for the ruleset to be reloaded. You can see the reload status in the NIOS syslog.

Now, let’s test the rule:

  1. Log in to the support-server virtual machine (training/infoblox).

  2. Open a terminal and type the command bmon. Expand the terminal window to see the colored chart below.

  3. Press the down arrow key on your keyboard to select the eth2 interface.

  4. Open another terminal window, and type the command queryperf.

  5. Enter 1000 for the QPS to use. This value is double the threshold set in the tuned default rules and would be blocked without the Allowlist rule.

  6. The bmon tool should show a static line of RX (receive) traffic, receiving around 1000 pps, which verifies our configuration is working.


Now, for our lab exercise, we need to disable the Allowlist Custom Rule on the NIOS UI:

  1. Navigate to Data Management → Security → Threat Protection Rules.

  2. Click on the link for the 20231220-12 ruleset.

  3. Use the Quick Filter to show All Custom Rules.

  4. Click the hamburger icon next to the custom ALLOWLIST PASS UDP IP prior to rate limiting rule for 203.0.113.254.

  5. Click Disable.

  6. The rule should now show it is disabled.

  7. Publish the changes when prompted.

Please ensure the rule is disabled before continuing.

Task 3 Solution: Creating a Custom Rate Limiting Rule

In this scenario, 203.0.113.254 is sending us a lot of traffic, and we want to reduce the amount of QPS it can send to 100 before it is rate-limited. In this task, you create a custom Rate Limited rule to control traffic from the IP Address 203.0.113.254.

Create a RATE LIMITED UDP IP rule to limit the UDP traffic.

  1. Navigate to Data Management → Security → Threat Protection Rules.

  2. Click on the link for the 20231220-12 ruleset.

  3. Click the plus (+) symbol to add a custom rule.

  4. Choose RATE LIMITED UDP IP from the drop-down template list.

  5. Click Next to configure the rule parameters.

  6. Use the following parameters for the rule:

    1. For Log Severity select Critical.

    2. For Packets per second specify a value of 100.

    3. For Drop interval specify a value of 5.

    4. For Events per second specify a value of 1.

    5. For Rate limited IP address/network specify a value of 203.0.113.254.

    6. For Rate algorithm select Rate_Limiting then Save & Close.

  7. Publish the rule when prompted.


It may take up to 1 minute for the ruleset to be reloaded. You can see the reload status in syslog.

Like before, we should test the rule:

  1. Log in to Support-Server (training/infoblox).

  2. Open the bmon tool on a terminal and expand the window to see the graph below.

  3. Press the down arrow key on your keyboard to select the eth2 interface.

  4. Open a terminal window, and type the command queryperf.

  5. Use 50 QPS. This value is half our rate-limiting threshold, so it shouldn’t trigger the rule. The bmon tool should show RX traffic around 50 pps.

  6. Now, let’s send 200 QPS. This is higher than the allowed custom rule value but lower than the global alert value configured in rule 130000100.

  7. This time, the bmon tool shows continuous spikes of queries, then drops for 5-second intervals.

  8. Check the NIOS Grid syslog to view the rate-limiting rule being applied.

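To make the interaction of the three rule parameters concrete, the following is an added Python model; it is not Infoblox code and not part of the lab. The exact ADP algorithm is not documented on this page, so the semantics below are assumptions chosen to reproduce what bmon shows in the test above: a source that exceeds Packets per second within one second has the excess dropped and is then dropped entirely for Drop interval further seconds, and at most Events per second log events are written per second while drops occur.

```python
"""Simplified model of the RATE LIMITED UDP IP parameters used in Task 3.

Added illustration, not Infoblox code. The per-second bucketing, the
"drop the next N full seconds" behaviour and the log-event cap are
assumptions made to match the observed spike-then-5-second-drop pattern.
"""
from dataclasses import dataclass


@dataclass
class RateLimitRule:
    packets_per_second: int = 100  # lab value: threshold before limiting
    drop_interval: int = 5         # lab value: seconds of dropping once tripped
    events_per_second: int = 1     # lab value: cap on log events per second


def simulate(rule: RateLimitRule, qps: int, seconds: int) -> dict:
    """Send a constant `qps` stream for `seconds` seconds through `rule`.

    Returns the per-second pass counts (roughly what bmon's RX graph shows
    for the member) plus totals of passed packets, dropped packets and
    syslog events.
    """
    drop_until = 0          # first second that is no longer force-dropped
    passed_per_second = []
    passed = dropped = events = 0

    for s in range(seconds):
        if s < drop_until:
            # Inside a drop interval: everything from this source is dropped.
            ok, bad = 0, qps
        else:
            ok = min(qps, rule.packets_per_second)
            bad = qps - ok
            if bad:
                # Threshold exceeded: drop the next drop_interval full seconds.
                drop_until = s + 1 + rule.drop_interval
        passed += ok
        dropped += bad
        # Log events are capped so a flood does not also flood syslog.
        if bad:
            events += min(rule.events_per_second, bad)
        passed_per_second.append(ok)

    return {"passed_per_second": passed_per_second, "passed": passed,
            "dropped": dropped, "events": events}


if __name__ == "__main__":
    rule = RateLimitRule()
    for qps in (50, 200):
        r = simulate(rule, qps, 20)
        print(f"{qps} QPS: passed={r['passed']} dropped={r['dropped']} "
              f"events={r['events']}")
        print("  per-second RX:", r["passed_per_second"])
```

At 50 QPS nothing is dropped and no events are logged; at 200 QPS the model passes 100 queries, then drops everything for five seconds, and repeats, which is the spike-and-gap shape seen in bmon. The Events per second cap is why syslog shows one line per second of limiting rather than one per dropped query.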

Again, we must disable the Rate Limiting Custom Rule for our lab exercise.

  1. Navigate to Data Management → Security → Threat Protection Rules.

  2. Click on the link for the 20231220-12 ruleset.

  3. Use the Quick Filter to show All Custom Rules.

  4. Click the hamburger icon next to the custom RATE LIMITED UDP IP rule for 203.0.113.254.

  5. Click Disable. The rule should now show it is disabled.

  6. Publish the changes when prompted.

Please ensure the rule is disabled before continuing.

Task 4 Solution: Creating a Custom Denylist (Blacklist) Rule

The IP Address 203.0.113.254 has been identified as trying to attack us. In this task, you create a custom Denylist rule to block traffic from the IP Address 203.0.113.254.

  1. You create a DENYLIST DROP UDP IP prior to rate limiting rule to ensure UDP traffic from the IP Address 203.0.113.254 is blocked.

  2. Navigate to Data Management → Security → Threat Protection Rules.

  3. Click on the link for the 20231220-12 ruleset.

  4. Click the plus (+) symbol to add a custom rule.

  5. Choose the Denylist BLACKLIST DROP UDP IP prior to rate limiting from the drop-down template list.

  6. Click Next to configure the rule parameters.

  7. Set the Severity Level to Critical.

  8. Enter the IP Address 203.0.113.254, then Save and Close.

  9. Publish the rule when prompted.


It may take up to 1 minute for the ruleset to be reloaded. You can see the reload status in the NIOS syslog.

Now, we can test this Denylist rule on a simulated attack:

  1. Log in to support-server (training/infoblox).

  2. Open the bmon tool in a terminal and expand the window to see the graph below.

  3. Press the down arrow key on your keyboard to select the eth2 interface.

  4. Open a terminal window, and type the command queryperf.

  5. Use 100 QPS. This value is arbitrary, but we set it to 100 to have time to check NIOS syslogs while the attack is happening.

  6. View syslog to see the effect of the denylist rule. All UDP requests to port 53 are dropped.
