
DNS Query ID Zero Blocking

Problem this snippet solves:

This short iRule drops one kind of malformed DNS request that is commonly seen in DNS attacks: a query whose query ID is zero.

Code :

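when RULE_INIT {
    # Logging switches: set to 1 to log that class of request, 0 to stay silent.
    set static::zero_log_accepted_requests 0
    set static::zero_log_dropped_requests 0
    set static::zero_log_malformed_requests 0
}

when CLIENT_ACCEPTED {
    # The DNS query ID is the first 16 bits of the UDP payload (big-endian).
    # binary scan returns 0 when the payload is too short to hold it.
    if {![binary scan [UDP::payload] S qid]} {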
        if { $static::zero_log_malformed_requests==1 } {
            log local0. "malformed request. dropped. [IP::remote_addr] -> [IP::local_addr]"
        }
        UDP::drop
    } else {
        # Drop any request whose query ID is zero.
        if {$qid == 0} {
            if { $static::zero_log_dropped_requests==1 } {
                log local0. "zero qid detected. dropped. [IP::remote_addr] -> [IP::local_addr]"
            }
            UDP::drop
        } else {
            if { $static::zero_log_accepted_requests==1 } {
                log local0. "query accepted. [IP::remote_addr] -> [IP::local_addr]"
            }
        }
    }
}
Published Mar 17, 2015
Version 1.0
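
To review what the iRule above has been dropping, the sketch below tallies its three log messages per client. It is an added example, not part of the original snippet; it assumes the logging flags in RULE_INIT are set to 1, and the syslog prefix, rule name and addresses in the sample lines are constructed.

```python
import re
from collections import Counter

# The three messages the iRule logs, mapped to a short verdict name.
VERDICTS = {
    "malformed request. dropped.": "malformed",
    "zero qid detected. dropped.": "zero_qid",
    "query accepted.": "accepted",
}
# Message text followed by "[IP::remote_addr] -> [IP::local_addr]".
LINE_RE = re.compile(
    r"(malformed request\. dropped\.|zero qid detected\. dropped\.|query accepted\.)"
    r" (\S+) -> (\S+)\s*$"
)

def tally(lines):
    """Return (verdict totals, drop counts keyed by (client, verdict))."""
    totals, drops = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not one of the iRule's messages
        verdict = VERDICTS[m.group(1)]
        totals[verdict] += 1
        if verdict != "accepted":
            drops[(m.group(2), verdict)] += 1
    return totals, drops

def noisy_clients(lines, threshold):
    """Clients with at least `threshold` dropped requests, busiest first."""
    per_client = Counter()
    for (client, _verdict), n in tally(lines)[1].items():
        per_client[client] += n
    return [(c, n) for c, n in per_client.most_common() if n >= threshold]

# Constructed sample lines; the prefix layout and rule name are assumptions.
P = "Mar 17 10:00:01 bigip1 info tmm[1]: Rule /Common/qid_zero <CLIENT_ACCEPTED>: "
SAMPLE = [
    P + "zero qid detected. dropped. 192.0.2.10 -> 198.51.100.53",
    P + "zero qid detected. dropped. 192.0.2.10 -> 198.51.100.53",
    P + "malformed request. dropped. 192.0.2.10 -> 198.51.100.53",
    P + "zero qid detected. dropped. 192.0.2.77 -> 198.51.100.53",
    P + "query accepted. 203.0.113.5 -> 198.51.100.53",
    "Mar 17 10:00:06 bigip1 notice mcpd[2]: unrelated message",
]

if __name__ == "__main__":
    print(dict(tally(SAMPLE)[0]))
    print(noisy_clients(SAMPLE, threshold=2))
```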