disabling email worm requests at the gateway

disabling email worm requests at the gateway

Postby tmpease » Sep 01 06 6:16 am

A particular client is generating dozens of DNS MX requests per minute. I suspect that a new email worm is to blame. (Since we don't use filtering on the gateway, we're to blame for getting the worm in the first place.)

How do I use wingate to refuse DNS MX requests from one IP address?

If that can't be done, how do I use wingate to disable all DNS requests from one IP address? (I tried adding an advanced DNS Service policy, but couldn't get it to work.)

If that can't be done, how do I use wingate to disable all requests from one IP address? (I tried "Black Hole IP" from the activity window, but couldn't get it to work.)

Are there other worm service requests, besides DNS, that need to be blocked at the gateway?

Note: we do not use ENS or the wingate email server.
tmpease
Posts: 20
Joined: Aug 20 04 5:01 am
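The symptom described above (one client firing dozens of MX lookups a minute) can be picked out of a DNS query log before any policy is changed. This is an added example, not code from the thread or from WinGate: it assumes a constructed log line format (timestamp, client IP, query type, queried name), not WinGate's actual history format, and flags any client whose MX lookups exceed a per-minute threshold within a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (assumption, not WinGate's history format):
# "YYYY-MM-DD HH:MM:SS <client-ip> <qtype> <name>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def _constructed_log():
    """Constructed sample: one host makes 15 MX lookups in 28 seconds, another behaves normally."""
    base = datetime(2006, 9, 1, 6, 10, 0)
    lines = []
    for i in range(15):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 192.168.0.182 MX mailhost{i}.example.test")
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} 192.168.0.50 A www.example.test")
    lines.append(f"{base + timedelta(seconds=20):%Y-%m-%d %H:%M:%S} 192.168.0.50 MX example.test")
    lines.append("malformed line that the parser must skip")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Return (timestamp, client_ip, qtype, name) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3).upper(), m.group(4)


def noisy_mx_clients(lines, threshold=12, window=timedelta(minutes=1)):
    """Map client IP -> peak number of MX lookups seen inside any `window`, for clients at or above `threshold`."""
    entries = sorted(p for p in map(parse_line, lines) if p is not None and p[2] == "MX")
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    peak = defaultdict(int)
    for ts, client, _, _ in entries:
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:  # drop lookups that fell out of the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(noisy_mx_clients(SAMPLE_LOG))  # prints {'192.168.0.182': 15}
```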

Re: disabling email worm requests at the gateway

Postby Nev » Sep 01 06 3:36 pm

Hi,

From memory you could create a rule in the Advanced properties for Everyone in the System Policies along the lines of:

Not client number equals 10.10.x.xxx [or whatever your infected pc's subnet is].

Next, apply the policy that the user must be at least assumed to the services you want to limit, e.g. DNS, WWW, POP3 etc.

Let me know if it works. ;-)
--
Nev.
Nev
WinGate Guru
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

This seems to disable all DNS queries from a client, but

Postby tmpease » Sep 06 06 5:29 am

To disable DNS queries (but enable WWW Service) for the person at 192.168.0.182,

I added the system advanced policy for Everyone
NOT met if client IP number = 192.168.0.182
user may be assumed

Under DNS Service policy, I changed the policy for Everyone to
NOT met if client IP number = 192.168.0.182
user may be assumed
system policies may be used instead.

Under WWW Service policy, I changed the policy for Everyone to
met if client IP number = 192.168.0.182
user may be assumed
system policies may be used instead.
The only problem I have now is that there's a LOT of http traffic from 192.168.0.182 for the same few small gif files that should be cached on the gateway. The CPU Usage for Wingate.exe is ten times (20%) normal (2%).
Thanks for your help
--Tim
tmpease
Posts: 20
Joined: Aug 20 04 5:01 am

Postby adrien » Sep 06 06 10:59 am

Hi

I think you can ban specifically MX records in the DNS server as well, since these show up in the session description, and you can ban based on session description, e.g.

not session description contains "MX lookup", or similar - check the history for the DNS lookups to see the exact description.

Also, best not to exclude people from system policies if you only really want to block them from DNS. Instead you could have something like

System policies
Everyone with no restrictions

DNS server policy 1
Everyone
location included *, excluded 192.168.0.182

DNS server policy 2
Everyone
location included 192.168.0.182
Advanced: not session description contains "MX lookup"

System policies are ignored

WWW Proxy policies
System policies may be granted instead

Adrien
adrien
Qbik Staff
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland