DNS Flood Protection v1
Problem this snippet solves:
This iRule illustrates how to provide flood protection per source IP address. It gives a basic idea of how to protect against a DNS flood on a per-source-IP basis. The "maxquery" is the number of queries allowed per second. The "holdtime" is the period for which a bad client will be blocked. CMP-aware versions of this rule are available at DNS Flood Protection v2 and DNS Flood Protection v3.
Code :
when RULE_INIT {
    # Tunables and shared state for the per-source-IP DNS rate limiter
    # implemented in CLIENT_DATA. Everything lives in global variables,
    # which is why this version is described as not CMP-aware.

    # Queries a single source may send within one one-second bucket
    # before it is blocked.
    set ::maxquery 100

    # Seconds a blocked source stays in ::blacklist before it is released.
    set ::holdtime 600

    # Per-source counters, keyed as usertable(time,<ip>) / usertable(freq,<ip>).
    array set ::usertable [list]

    # Blocked sources, keyed by IP; the value is the time the block started.
    array set ::blacklist [list]
}
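when CLIENT_DATA {
    # Per-source-IP query-rate limiter for DNS.
    #
    # State (all global, created in RULE_INIT):
    #   ::usertable(time,<ip>) -- the one-second bucket currently being counted
    #   ::usertable(freq,<ip>) -- queries seen from <ip> within that bucket
    #   ::blacklist(<ip>)      -- time at which <ip> was blocked
    #
    # Behaviour: a source whose query count within a single second exceeds
    # ::maxquery is dropped and placed in ::blacklist for ::holdtime seconds;
    # everything else is forwarded to the "dnsserver" pool.
    #
    # NOTE(review): ::usertable entries are created for every source IP and
    # only ever overwritten, never removed, so the table grows with the number
    # of distinct sources seen. Because this is keyed on the remote address
    # of what is typically UDP traffic, the key space is under the sender's
    # control, and so is the set of addresses that can be pushed into
    # ::blacklist. A whitelist for known-good resolvers and a bound on table
    # size are worth considering before relying on this in production.
    # As the page notes, this version is not CMP-aware (global variables).
    set srcip [IP::remote_addr]
    # log "src=$srcip"
    set currtime [clock seconds]
    # log "currtime=$currtime"

    # 1. Blocked sources: keep dropping until ::holdtime seconds have elapsed,
    #    then release the block and fall through to normal counting.
    if { [info exists ::blacklist($srcip)] } {
        if { ($currtime - $::blacklist($srcip)) < $::holdtime } {
            drop
            log "drop $srcip"
            return
        }
        unset ::blacklist($srcip)
        log "remove $srcip from blacklist"
    }

    # 2. Count queries within the current one-second bucket for this source.
    if { [info exists ::usertable(time,$srcip)] && $currtime == $::usertable(time,$srcip) } {
        incr ::usertable(freq,$srcip)
        # NOTE: this logs on every query after the first one in a given
        # second, so log volume scales with the flood itself.
        log "$srcip^$::usertable(time,$srcip)^$::usertable(freq,$srcip)"
        if { $::usertable(freq,$srcip) > $::maxquery } {
            log "new blacklist member <$srcip> with $::usertable(freq,$srcip) times"
            set ::blacklist($srcip) $currtime
            # Drop the counters; they are recreated on the first query after release.
            unset ::usertable(freq,$srcip)
            unset ::usertable(time,$srcip)
            drop
            return
        }
    } else {
        # First query from this source in this second: start a new bucket.
        # Buckets from earlier seconds are overwritten here, not counted.
        set ::usertable(freq,$srcip) 1
        set ::usertable(time,$srcip) $currtime
        # log "new member <$srcip><$currtime>"
    }

    pool dnsserver
}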
Version 1.0 — CodeCentral_194