Unifi Intrusion Prevention Flagging


txz28

New member
Dec 14, 2025
Texas
I run a Unifi network system utilizing their intrusion prevention system (IPS) at home. This is their free intrusion system, not the paid one from Cloudflare. Since getting DNSBenchmark v2, I have had a couple of instances of incoming data getting flagged by Unifi's IPS. You can see what is getting flagged in the screenshots below. The DNS server in question, 200.56.224.11, still gave reasonable results.
[Screenshot: 1766104613892.png]
[Screenshot: 1766104895050.png]

The program still runs since I had the Unifi firewall set to notify and not notify and block. I tried a test and put the Unifi firewall to notify and block. As one would expect, Unifi blocked that IP address and it was no longer responsive and was logged as Threat Detected and Blocked. (I would like to test it with the paid Cloudflare Unifi service but do not have that currently.)

I also find it curious that not all DNS servers are flagged, only a small subset. You can see the addresses that were flagged. It is not consistent. 1.1.1.1 was flagged on the first scan, but did not get flagged in subsequent scans.
[Screenshot: 1766105598478.png]


I bring all of this up for one reason, so @Steve can be aware that others may see similar issues with some of the advanced cybersecurity stuff in the market. For me, the ONLY time I have seen the Unifi IPS flag anything has been when I run DNSBenchmark and am comfortable with the tool. However others may have other results.

Attachment: 1766104700794.png
It would be interesting to see what specifically they don't like about a simple DNS query. Clearly it must be something weird about their detection as there is no way that Steve is making requests for malware URLs, so unless it's the case that some servers respond with them, it must be that this software has a broken heuristic.
 
My hunch would be the randomly generated subdomain/domain names used to test uncached DNS and .com root server connectivity may seem like botnet queries looking for pseudo-randomly generated botnet C&C domains (.com domains are one of the cheapest to purchase). Back then (years ago) when I ran DNSBv1 in my university network, the perimeter DPI firewall would block it.

EDIT: Resource for further reading - https://cert.pl/en/posts/2012/01/zeus-p2pdga-variant-mapping-out-and-understanding-the-threat/
 
200.56.224.11 pings for me

> ping 200.56.224.11
Pinging 200.56.224.11 with 32 bytes of data:
Reply from 200.56.224.11: bytes=32 time=50ms TTL=50
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 49ms, Maximum = 54ms, Average = 50ms

> nslookup 200.56.224.11
Server: y.ns.gin.ntt.net
Address: 2001:418:3ff::1:53
Name: ns.marcatel.com.mx
Address: 200.56.224.11

But DNSBench says no DNS response:

200. 56.224. 11 | DNS queries are not answered at this IP.
---<-------->---+-------+-------+-------+-------+-------+
ns.marcatel.com.mx
COORDINADORA DE CARRIERS, S.A. DE C.V., MX

Free GRC IDServe says:

Initiating server query ...
Looking up the domain name for IP: 200.56.224.11
The domain name for the IP address is: ns.marcatel.com.mx
Connecting to the server on standard HTTP port: 80
No response was received from the machine and port at that IP.
The machine may be offline or the connection port may be stealthed.
Query complete.

( @Steve, should IDServe be upgraded to HTTPS queries, or even add DNS queries? )

- - - - -

Regarding any watching and filtering, some of us have tried spreading out DNSBench queries a bit farther apart from each other using the menu [ Benchmark Speed ], which defaults to 20 msec and can be increased to 9999 msec, which equals 9.999 seconds.

If that 'calms' down the 'demand' that DNSBench puts on the watching filter, then that may be a way to see how each system behaves - DNSBench, the watching filter, and DNS resolvers.

If expanding the inter-query delay provides complete success, great.

If that provides improved success, but not complete success, we have ways to 'calm' down DNSBench query spacing even more - let us know how as much as 9999 msec inter-query delay works for you.

I'm just shotgunning, guessing here, but inter-query delay is what I've played with, so I'm curious how inter-query spacing works for others.

Thanks.

[Screenshot: 1766153913829.png]
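As an added illustration (not code from this thread, from Unifi, or from GRC's tool) of the two ideas raised above: that an IPS may key on the random-looking labels a benchmark uses for its uncached-resolution tests, and that stretching the inter-query delay changes only the burst rate. It assumes a constructed query log, a made-up client address and thresholds of my own; nothing here describes Unifi's actual heuristic.

```python
import math
import random
from collections import defaultdict

def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(qname: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Crude DGA-style heuristic: a long, high-entropy leftmost label."""
    label = qname.strip(".").split(".")[0]
    return len(label) >= min_len and label_entropy(label) >= min_entropy

def build_log(spacing_s: float, n: int = 25, seed: int = 1) -> list:
    """Constructed log of (time_s, client, qname): one ordinary lookup followed
    by n random-label queries spaced spacing_s apart, imitating a benchmark run."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    log = [(0.0, "192.168.1.20", "www.example.com")]   # client address is made up
    for i in range(n):
        label = "".join(rng.choice(alphabet) for _ in range(14))
        log.append((0.5 + i * spacing_s, "192.168.1.20", f"{label}.example.com"))
    return log

def flag_clients(log, window_s=1.0, max_qps=20, max_random=5) -> dict:
    """Return {client: set(reasons)} for two heuristics a simple IPS might use:
    a query burst (more than max_qps queries inside any window_s window) and
    more than max_random random-looking names from the same client."""
    per_client = defaultdict(list)
    for t, client, qname in log:
        per_client[client].append((t, qname))
    flags = {}
    for client, events in per_client.items():
        events.sort()
        reasons = set()
        times = [t for t, _ in events]
        for i, t in enumerate(times):
            j = i
            while j < len(times) and times[j] - t <= window_s:
                j += 1
            if j - i > max_qps:
                reasons.add("burst")
        if sum(looks_random(q) for _, q in events) > max_random:
            reasons.add("random-names")
        if reasons:
            flags[client] = reasons
    return flags
```

With the default 20 msec spacing both heuristics fire; at 9999 msec only the name-based one does, which is the case where raising the inter-query delay would give improved but not complete success.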