on 17-Mar-2015 13:03
Problem this snippet solves:
This iRule, only a few lines of code, prevents one kind of malformed DNS request that is usually seen in DNS attacks: a query ID of zero.
Code :
when RULE_INIT {
    # Logging switches: set to 1 to log the corresponding outcome
    set static::zero_log_accepted_requests 0
    set static::zero_log_dropped_requests 0
    set static::zero_log_malformed_requests 0
}

when CLIENT_ACCEPTED {
    # Read the first two bytes of the UDP payload (the DNS query ID) as a 16-bit integer
    if {![binary scan [UDP::payload] S qid]} {
        # Fewer than two bytes of payload: there is no query ID to read
        if { $static::zero_log_malformed_requests==1 } {
            log local0. "malformed request. dropped. [IP::remote_addr] -> [IP::local_addr]"
        }
        UDP::drop
    } else {
        if {$qid == 0} {
            # Query ID of zero: drop the datagram
            if { $static::zero_log_dropped_requests==1 } {
                log local0. "zero qid detected. dropped. [IP::remote_addr] -> [IP::local_addr]"
            }
            UDP::drop
        } else {
            if { $static::zero_log_accepted_requests==1 } {
                log local0. "query accepted. [IP::remote_addr] -> [IP::local_addr]"
            }
        }
    }
}
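The iRule's three outcomes can be checked offline in plain tclsh before the rule is attached to a virtual server. This is an added example, not part of the original snippet; `classify_qid`, `make_query` and the sample payloads are hypothetical names and constructed data.

```tcl
# Offline harness (plain tclsh, no BIG-IP): the iRule's decision as a proc.
# classify_qid is a hypothetical helper name, not an iRule command.
proc classify_qid {payload} {
    # binary scan returns the number of conversions performed; "S" needs
    # two bytes, so an empty or 1-byte datagram yields 0.
    if {![binary scan $payload S qid]} {
        return malformed
    }
    # "S" is a signed 16-bit big-endian read: IDs 0x8000-0xFFFF come back
    # negative, which still compares unequal to 0, so only ID 0 is dropped.
    if {$qid == 0} {
        return zero_qid
    }
    return accepted
}

# Constructed DNS query for example.com, type A, class IN, with a chosen ID.
proc make_query {id} {
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    set msg [binary format SSSSSS $id 0x0100 1 0 0 0]
    foreach label {example com} {
        append msg [binary format ca* [string length $label] $label]
    }
    # Root label terminator, QTYPE=A, QCLASS=IN
    append msg [binary format cSS 0 1 1]
    return $msg
}

# Constructed sample payloads covering each branch of the rule.
set samples [list \
    "empty datagram"   "" \
    "one byte only"    [binary format c 0x12] \
    "query, id 0"      [make_query 0] \
    "query, id 0x1a2b" [make_query 0x1a2b] \
    "query, id 0x8001" [make_query 0x8001] \
    "two zero bytes"   [binary format S 0]]

foreach {name payload} $samples {
    puts [format "%-18s -> %s" $name [classify_qid $payload]]
}
```

The last sample shows that the check looks only at the first two bytes: a two-byte payload of zeros is classified as a zero query ID rather than as malformed, because nothing past the ID is validated.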