DNS Flood Protection v2

Problem this snippet solves:

Same concept as the previous version, but it uses session variables instead of an array. Minor changes: all global variables are removed, in the hope that the rule is CMP compatible. DNS Flood Protection v3 for v10.1+ is also available.

Code:

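when CLIENT_ACCEPTED {
    # Queries allowed per source IP per second before blocking starts
    set maxquery 2
    # Number of seconds a source stays blocked once it exceeds maxquery
    set holdtime 10
}
when CLIENT_DATA {
    set srcip [IP::client_addr]
    set c [clock seconds]
    # Drop immediately if a block entry exists for this source in this second
    if { [session lookup uie "b$c$srcip"] != "" } {
        #log local0. "drop [IP::client_addr]"
        UDP::drop
        return
    }
    # Per-source query counter for the current second
    set f [session lookup uie "u$c$srcip"]
    if { $f != "" } {
        incr f
        if { $f > $maxquery } {
            #log local0. "$srcip: $f times"
            # Add one block entry per second for the next holdtime seconds;
            # each timeout is long enough to cover its own second
            for { set i 2 } { $i < [expr {$holdtime + 2}] } { incr i } {
                session add uie "b$c$srcip" b $i
                incr c
            }
            #log local0. "drop [IP::client_addr]"
            UDP::drop
            return
        } else {
            # Store the updated count with a 2-second timeout
            session add uie "u$c$srcip" $f 2
        }
    } else {
        # First query from this source in this second
        session add uie "u$c$srcip" 1 2
    }
}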
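To see what the rule's per-second counter and hold-down do to traffic, the following added example (a Python model, not part of the original snippet and not F5 code) replays constructed queries through the same logic. The session table is modeled as a dictionary with absolute expiry times, which is an assumption, and the class name, function names and sample addresses are hypothetical.

```python
# Added model of the iRule's logic; not F5 code. The BIG-IP session table is
# assumed to behave like a dict whose entries vanish after their timeout.
class SessionTable:
    def __init__(self):
        self.entries = {}  # key -> (value, absolute expiry time)

    def add(self, key, value, timeout, now):
        self.entries[key] = (value, now + timeout)

    def lookup(self, key, now):
        value, expiry = self.entries.get(key, ("", 0))
        if now >= expiry:
            self.entries.pop(key, None)
            return ""
        return value

def handle_query(table, srcip, now, maxquery=2, holdtime=10):
    """Return True if the query is passed, False if the rule would drop it."""
    c = int(now)
    if table.lookup(f"b{c}{srcip}", now) != "":
        return False                      # source is inside its hold-down window
    count = table.lookup(f"u{c}{srcip}", now)
    if count == "":
        table.add(f"u{c}{srcip}", 1, 2, now)
        return True
    count += 1
    if count > maxquery:
        # One block key per second for the next `holdtime` seconds,
        # each with a timeout long enough to outlive its own second.
        for i in range(2, holdtime + 2):
            table.add(f"b{c}{srcip}", "b", i, now)
            c += 1
        return False
    table.add(f"u{c}{srcip}", count, 2, now)
    return True

def replay(queries, **limits):
    """queries: list of (time_in_seconds, source_ip); returns passed count per source."""
    table, passed = SessionTable(), {}
    for now, srcip in sorted(queries):
        passed[srcip] = passed.get(srcip, 0) + handle_query(table, srcip, now, **limits)
    return passed

# Constructed traffic: one source at 5 queries/s for 12 s, one at 1 query/s.
FLOOD = [(s + k / 5, "192.0.2.10") for s in range(12) for k in range(5)]
QUIET = [(s + 0.5, "198.51.100.7") for s in range(12)]
```

With the rule's values (maxquery 2, holdtime 10), `replay(FLOOD + QUIET)` lets 4 of the flooding source's 60 queries through and all 12 from the quiet source.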
Published Mar 17, 2015
Version 1.0