DNS Tunnel Mitigation v1

Problem this snippet solves:

(Solution from Pedro Haoa)

Because some people attempt DNS tunneling to pass data frames inside DNS records out to the Internet, and because there is little information about it around here, I'm going to share some basic code for DNS Tunnel Mitigation on the BIG-IPs. This iRule puts some overhead on your CPU, so test it with caution.

The idea is to improve this code (I'm looking for less overhead) here on DevCentral and to build a better base solution for the most common techniques. You can use the DNS Protocol Security, DNS Anti-DDoS and IP Intelligence features to get the most comprehensive solution.

Remember that there are a lot of DNS tunneling utilities with a wide range of capabilities and options, so this is only one of many ways to mitigate some of the attacks.

How to use this snippet:

LTM + DNS services license

Code :

# DNS Tunnel Mitigation v1.1
# This iRule inspects every DNS query, looking for common traces of a tunnel over the DNS protocol.
# The primary mechanism is lists (white and black).
# The secondary mechanism is counting the number of identical DNS queries from a specific IP address to a specific domain.
# by Pedro Haoa
# RULE_INIT only sets the shared (static) tunables. Per-query state must live in local
# variables: writing static:: variables from a request event is not CMP-safe and races
# between TMMs, and DNS::question name is not available outside a DNS event.
when RULE_INIT {
    # Maximum number of identical DNS queries (same client IP, same second-level domain) per 60 seconds
    set static::max_identical_queries 60
}

when DNS_REQUEST {
    set attack 0
    # Second-level domain of the query, e.g. "example.com" for "a.b.example.com"
    set DomBlack [domain [DNS::question name] 2]
    set IP [IP::remote_addr]
    # Session table key: one counter per client IP and domain
    set key "$IP-$DomBlack"
    #log local2. "Query from $IP"
    if { [class match $DomBlack equals blacklist] } {
        #log local2. "Domain $DomBlack blocked"
        set attack 1
    } elseif { [table lookup $key] != "" } {
        #log local2.alert "Yellow alert: identical queries from $IP."
        set count [table incr $key]
        #log local2.alert "The number of identical queries from $IP is $count"
        if { $count > $static::max_identical_queries } {
            #log local2.alert "Red alert: too many identical queries from $IP"
            set attack 1
        }
    } else {
        # Create the table entry for this IP-domain pair; each entry expires 60 seconds after creation
        log local2.alert "First query from $IP, $key"
        table set $key 1 indefinite 60
    }
    if { $attack } {
        # Mitigation action: drop the query. Replace with another action (e.g. a DNS::answer) if preferred.
        DNS::drop
    }
}
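To exercise the counting logic without a BIG-IP, the following added example (written for this page, not code from the original post) re-implements the iRule's decision in plain Python: the `domain name 2` reduction to a second-level domain, the `blacklist` data group, the per "IP-domain" session-table counter, the threshold of 60 and the 60-second entry lifetime. The client addresses, the `tun.example.net` and `badtunnel.example` domains and the replayed query timestamps are all constructed sample data.

```python
"""Offline simulation of the iRule's per-client, per-domain query counting.

Constructed example, not part of the original DevCentral post: it mirrors
the iRule's logic so the threshold and the 60-second table lifetime can be
tested without a BIG-IP.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

MAX_IDENTICAL_QUERIES = 60   # same threshold as the iRule's static variable
TABLE_LIFETIME = 60.0        # seconds; the iRule's "table set ... indefinite 60"


def domain(name: str, depth: int) -> str:
    """Mimic the iRule 'domain' command: keep only the last <depth> labels."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


@dataclass
class Entry:
    count: int
    expires_at: float   # absolute lifetime from creation, like the BIG-IP table entry


class TunnelDetector:
    """Replays the iRule decision for one query at a time."""

    def __init__(self, blacklist: Iterable[str],
                 max_queries: int = MAX_IDENTICAL_QUERIES,
                 lifetime: float = TABLE_LIFETIME) -> None:
        self.blacklist = {domain(d, 2) for d in blacklist}   # the 'blacklist' data group
        self.max_queries = max_queries
        self.lifetime = lifetime
        self.table: Dict[str, Entry] = {}                    # the session table

    def check(self, now: float, client_ip: str, qname: str) -> str:
        base = domain(qname, 2)
        if base in self.blacklist:
            return "drop:blacklist"
        key = f"{client_ip}-{base}"                           # "$IP-$domain"
        entry = self.table.get(key)
        if entry is not None and now >= entry.expires_at:
            del self.table[key]                               # lifetime expired
            entry = None
        if entry is None:
            self.table[key] = Entry(1, now + self.lifetime)   # table set $key 1 indefinite 60
            return "allow:first"
        entry.count += 1                                      # table incr $key
        if entry.count > self.max_queries:
            return "drop:threshold"
        return "allow"


def build_sample_traffic() -> List[Tuple[float, str, str]]:
    """Constructed (timestamp, client, qname) events, not captured data."""
    events = []
    # Tunnel-like client: 70 distinct hostnames under one domain within 10 seconds
    for i in range(70):
        events.append((i * 0.14, "10.0.0.5", f"{i:04x}{'a' * 20}.tun.example.net"))
    # Same client, one more query after the 60-second lifetime has elapsed
    events.append((61.0, "10.0.0.5", "zzzz.tun.example.net"))
    # Ordinary client: a few queries to different domains
    events += [(1.0, "10.0.0.9", "www.example.com"),
               (2.0, "10.0.0.9", "mail.example.org"),
               (3.0, "10.0.0.9", "cdn.example.com")]
    # A query for a blacklisted domain
    events.append((4.0, "10.0.0.9", "data.badtunnel.example"))
    return sorted(events)


def run_demo() -> Counter:
    """Replay the sample traffic and count the verdicts."""
    detector = TunnelDetector(blacklist=["badtunnel.example"])
    verdicts: Counter = Counter()
    for ts, ip, qname in build_sample_traffic():
        verdicts[detector.check(ts, ip, qname)] += 1
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

Two properties of the iRule show up clearly in the replay. The counter keys on the second-level domain, not the full query name, so a tunnel that rotates hostnames under one registered domain is still counted, but so is an ordinary client that hammers one popular domain (or a forwarding resolver or NAT gateway, whose single source address aggregates every client behind it). And the entry lifetime is absolute from creation rather than sliding, so after 60 seconds the count silently restarts at 1 even if the burst never stopped.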

Tested this on version:

No Version Found
Published Jun 19, 2019
Version 1.0
