Forum Discussion

Deep_287674's avatar
Deep_287674
Icon for Nimbostratus rankNimbostratus
Oct 06, 2016

iRule for DNS Flood protection

Hi Team, We have implemented new F5 AFM/ASM DDOS boxes. We need to create iRule to protect DNS flood from some range of IP but we need to whitelistdnsdomain.

 

when DNS_REQUEST {set fqdn [DNS::question name]

 

if { !([class match $fqdn contains whitelistdomains]) }

 

{log local0. "-------[DNS::question name] Dropped-----" drop } }

 

Will this work.

 

  • You can apply a similar logic

     

    https://devcentral.f5.com/codeshare/http-request-throttle-version-101-and-above

     

  • Migara_61430's avatar
    Migara_61430
    Historic F5 Account

    This logic will drop all the DNS queries belongs to a FQDN, unless that FQDN is in your whitelist. If that's what you want to do, yes, this will work.

     

    If you want some sort of rate limiting then you will have to implement a logic with a counter and drop packets based on requests per second.

     

  • Not sure I get the context.

     

    Most DNS DDoS attacks are reflected, so you receive answers, not questions.

     

    I cynically suspect well configured DNS server will handle floods of requests faster than F5 iRules, I know back in the days of 486 PCs we you could saturate the wire (only 100Mbps back then) before you got performance issues with DNS servers.

     

    There are also cheap/free suppliers of authoritative DNS services with AnyCast and other DDoS protections.

     

    You are seeing floods of queries, but not for your own domains? If it is malicious they'll switch to using your domains.

     

  • Migara, yes we have whitelisted those domains. And we want to achieve this . For your comment If you want some sort of rate limiting then you will have to implement a logic with a counter and drop packets based on requests per second. How can we achieve this . Just we want an Idea

     

  • Migara_61430's avatar
    Migara_61430
    Historic F5 Account

    You can apply a similar logic

     

    https://devcentral.f5.com/codeshare/http-request-throttle-version-101-and-above

     

  • Simon : You are seeing floods of queries, but not for your own domains? If it is malicious they'll switch to using your domains.

     

    I think with this point I agree that's why we are whitelisting only our domains rather than blacklisting other domains.

     

  • Do we have to create Wildcard server 0.0.0.0 0.0.0.0 wth sevice port 53 also to apply this rule.