Simple GTM Domain Generation Algorithm dynamic blacklist

Problem this snippet solves:

Simple GTM DGA dynamic blacklist used to reduce load on backend DNS servers. This iRule should be applied to GTM listener.

Here are a list of all the configurable options:

  • static::debug - enable/disable verbose logging to /var/log/ltm
  • static::timeout - blacklist timeout
  • static::threshold - threshold to enable dns blacklisting of a domain

You need to set timeout and threshold according to your needs before enabling this irule.

Code :

when RULE_INIT {
    set static::debug       0
    set static::timeout     60
    set static::threshold   10
}

when DNS_REQUEST {
    regexp {([-A-Z,a-z,0-9]+.[-A-Z,a-z,0-9]+)$} [DNS::question name] domain
    set count [table lookup ddbl_$domain]

    if { $count >= $static::threshold} {
        if { $static::debug } { log local0. "\[DDBL\] Dropping question [DNS::question name], $domain is on dynamic dns blacklist" }
        table timeout ddbl_$domain $static::timeout
        DNS::drop
    }
}

when DNS_RESPONSE {
    if { [DNS::ptype] == "NXDOMAIN" } {
        set count [ table incr ddbl_$domain ]
        table timeout ddbl_$domain $static::timeout
        if { $static::debug } { log local0. "\[DDBL\] NXDOMAIN HIT [DNS::question name], hitcount is $count, threshold is $static::threshold" }
    }
}

Tested this on version:

11.6
Published Jul 21, 2015
Version 1.0

Was this article helpful?

No CommentsBe the first to comment