
Simple GTM Domain Generation Algorithm dynamic blacklist

Problem this snippet solves:

Simple GTM DGA dynamic blacklist used to reduce load on backend DNS servers. It counts NXDOMAIN responses per domain in the session table and, once a domain reaches the threshold within the timeout window, drops further questions for that domain before they reach the backend. This iRule should be applied to a GTM listener.

Here is a list of all the configurable options:

  • static::debug - enable/disable verbose logging to /var/log/ltm
  • static::timeout - seconds a domain stays in the table; refreshed on every NXDOMAIN hit and on every dropped question
  • static::threshold - number of NXDOMAIN responses for a domain before its questions are dropped

You need to set timeout and threshold according to your needs before enabling this iRule.

Code:

when RULE_INIT {
    # 1 = verbose logging to /var/log/ltm, 0 = silent
    set static::debug       0
    # seconds a domain stays in the table (refreshed on every hit)
    set static::timeout     60
    # NXDOMAIN responses within the timeout window before questions are dropped
    set static::threshold   10
}

when DNS_REQUEST {
    # Key the table on the last two labels of the question name.
    # Single-label names do not match; leave them alone.
    if { ![regexp {([-A-Za-z0-9]+\.[-A-Za-z0-9]+)$} [DNS::question name] domain] } {
        return
    }
    # table lookup returns an empty string for an unknown key
    set count [table lookup ddbl_$domain]
    if { $count eq "" } { set count 0 }

    if { $count >= $static::threshold } {
        if { $static::debug } { log local0. "\[DDBL\] Dropping question [DNS::question name], $domain is on dynamic dns blacklist" }
        # Keep the entry alive while the domain is still being queried
        table timeout ddbl_$domain $static::timeout
        DNS::drop
    }
}

when DNS_RESPONSE {
    # $domain was set in DNS_REQUEST for this query; skip names that did not match
    if { ![info exists domain] } { return }
    if { [DNS::ptype] == "NXDOMAIN" } {
        set count [table incr ddbl_$domain]
        table timeout ddbl_$domain $static::timeout
        if { $static::debug } { log local0. "\[DDBL\] NXDOMAIN HIT [DNS::question name], hitcount is $count, threshold is $static::threshold" }
    }
}
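The following Python model is added here as an example; it is not part of the iRule and not F5 code. It replays a stream of (timestamp, question name, backend rcode) events through the same logic the iRule uses, a table keyed on the last two labels, an NXDOMAIN counter with a sliding timeout, and a drop once the counter reaches the threshold, so that candidate threshold and timeout values can be tried against a sample of real query logs before the rule is enabled. The names, timestamps and rcodes in SAMPLE_EVENTS are constructed. Replaying also makes two tuning points visible: once a domain is listed, every question for it is dropped, including legitimate ones, and the two-label key collapses names under registry suffixes such as co.uk to the suffix itself.

```python
import re

# Defaults mirror the iRule's static:: variables
THRESHOLD = 10   # NXDOMAIN hits before a domain's questions are dropped
TIMEOUT = 60     # seconds a table entry lives; refreshed on every hit or drop

# Same extraction as the iRule: the last two labels of the question name
DOMAIN_RE = re.compile(r"([-A-Za-z0-9]+\.[-A-Za-z0-9]+)$")


def extract_domain(qname):
    """Return the table key the iRule would use, or None for single-label names."""
    m = DOMAIN_RE.search(qname)
    return m.group(1) if m else None


class DgaBlacklist:
    """Offline model of the session-table logic in the iRule above."""

    def __init__(self, threshold=THRESHOLD, timeout=TIMEOUT):
        self.threshold = threshold
        self.timeout = timeout
        self.table = {}  # domain -> [nxdomain_count, expiry_timestamp]

    def _live_entry(self, domain, now):
        """Emulate table expiry: forget entries whose timeout has passed."""
        entry = self.table.get(domain)
        if entry is not None and entry[1] <= now:
            del self.table[domain]
            return None
        return entry

    def on_request(self, qname, now):
        """DNS_REQUEST: return (forward_to_backend, domain_key)."""
        domain = extract_domain(qname)
        if domain is None:
            return True, None
        entry = self._live_entry(domain, now)
        if entry is not None and entry[0] >= self.threshold:
            entry[1] = now + self.timeout  # 'table timeout' on the drop path
            return False, domain
        return True, domain

    def on_response(self, domain, rcode, now):
        """DNS_RESPONSE: count NXDOMAIN answers and refresh the entry's timeout."""
        if domain is None or rcode != "NXDOMAIN":
            return
        entry = self._live_entry(domain, now)
        if entry is None:
            entry = self.table[domain] = [0, 0]
        entry[0] += 1                    # 'table incr'
        entry[1] = now + self.timeout    # 'table timeout'


def replay(events, threshold=THRESHOLD, timeout=TIMEOUT):
    """Run (timestamp, qname, backend_rcode) events through the model.

    backend_rcode is what the backend would have answered; it is only consulted
    when the question is actually forwarded, as in the real data path.
    """
    bl = DgaBlacklist(threshold, timeout)
    forwarded, dropped = 0, []
    for ts, qname, rcode in events:
        forward, domain = bl.on_request(qname, ts)
        if forward:
            forwarded += 1
            bl.on_response(domain, rcode, ts)
        else:
            dropped.append(qname)
    return {"forwarded": forwarded, "dropped": len(dropped), "dropped_names": dropped}


# Constructed sample: twelve NXDOMAIN lookups under one parent domain in twelve
# seconds, one legitimate lookup, then a late lookup after the timeout expired.
SAMPLE_EVENTS = (
    [(t, "host%d.dga-sample.test" % t, "NXDOMAIN") for t in range(12)]
    + [(12, "www.legit-sample.test", "NOERROR"),
       (200, "host99.dga-sample.test", "NXDOMAIN")]
)

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

With the defaults, the first ten lookups under dga-sample.test reach the backend and fill the counter, the eleventh and twelfth are dropped, the legitimate lookup is unaffected, and the lookup at t=200 is forwarded again because the entry expired at t=71. Lowering the threshold to 5 moves the cut-off to the sixth lookup; raising the timeout keeps a busy domain listed for as long as it keeps being queried, since each drop refreshes the entry.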

Tested this on version: 11.6
Published Jul 21, 2015
Version 1.0