DNS Flood Protection v2
Problem this snippet solves:
Same concept as the previous version, but it uses session variables instead of an array. Minor changes: all global variables are removed, in the hope that this makes it CMP compatible. DNS Flood Protection v3 for v10.1+ is also available.
Code :
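```tcl
when CLIENT_ACCEPTED {
    # Maximum queries allowed per source IP within one second
    set maxquery 2
    # Number of seconds a source IP stays blocked after exceeding the limit
    set holdtime 10
}

when CLIENT_DATA {
    set srcip [IP::client_addr]
    set c [clock seconds]

    # A "b<second><ip>" entry means this source is blocked during this second
    if { [session lookup uie "b$c$srcip"] != "" } {
        #log local0. "drop [IP::client_addr]"
        UDP::drop
        return
    }

    # "u<second><ip>" holds the query count for this source in this second
    set f [session lookup uie "u$c$srcip"]
    if { $f != "" } {
        incr f
        if { $f > $maxquery } {
            #log local0. "$srcip: $f times"
            # Add one block entry per second for the next $holdtime seconds;
            # each entry's timeout is just long enough to outlive its second
            for { set i 2 } { $i < [expr {$holdtime + 2}] } { incr i } {
                session add uie "b$c$srcip" b $i
                incr c
            }
            #log local0. "drop [IP::client_addr]"
            UDP::drop
            return
        } else {
            session add uie "u$c$srcip" $f 2
        }
    } else {
        # First query from this source in this second
        session add uie "u$c$srcip" 1 2
    }
}
```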
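An offline model of the iRule's counter and hold-down logic, added here as an example (it is not part of the original snippet and not F5 code). The `SessionTable` class, the function names and the sample addresses are assumptions made for illustration, and an entry's timeout is treated as fixed from the moment it is added.

```python
MAXQUERY = 2    # iRule's maxquery: queries allowed per source IP per second
HOLDTIME = 10   # iRule's holdtime: seconds a source stays blocked

class SessionTable:
    """Stand-in for the 'session ... uie' table: key -> (value, expiry time)."""
    def __init__(self):
        self.rows = {}

    def lookup(self, key, now):
        value, expires = self.rows.get(key, (None, 0))
        return value if expires > now else None

    def add(self, key, value, timeout, now):
        # Assumption: an entry lives exactly `timeout` seconds after it is added.
        self.rows[key] = (value, now + timeout)

def handle_query(table, srcip, now):
    """Mirror CLIENT_DATA: return 'pass' or 'drop' for one datagram at time `now`."""
    c = int(now)
    if table.lookup(f"b{c}{srcip}", now) is not None:
        return "drop"                       # source is inside a hold-down second
    f = table.lookup(f"u{c}{srcip}", now)
    if f is None:
        table.add(f"u{c}{srcip}", 1, 2, now)
        return "pass"
    f += 1
    if f > MAXQUERY:
        # One block key per second, covering seconds c .. c+HOLDTIME-1.
        for i in range(2, HOLDTIME + 2):
            table.add(f"b{c}{srcip}", "b", i, now)
            c += 1
        return "drop"
    table.add(f"u{c}{srcip}", f, 2, now)
    return "pass"

def replay(events):
    """Run constructed (time, source_ip) events through a fresh table."""
    table = SessionTable()
    return [handle_query(table, ip, t) for t, ip in events]

# Constructed traffic: one source bursts at t=100, another stays under the limit.
BURST = [(100, "192.0.2.10")] * 4 + [(t, "192.0.2.10") for t in (101, 109, 110)]
QUIET = [(100, "198.51.100.7"), (101, "198.51.100.7")]

if __name__ == "__main__":
    for (t, ip), verdict in zip(sorted(BURST + QUIET), replay(sorted(BURST + QUIET))):
        print(t, ip, verdict)
```

In this model, queries dropped during the hold-down are not counted, so a source that keeps flooding gets `maxquery` queries through once every `holdtime` seconds.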
Published Mar 17, 2015
Version 1.0
Nat_Thirasuttakorn
Employee
Joined September 25, 2004