on 21-Jul-2015 06:05
Problem this snippet solves:
Simple GTM DGA (domain generation algorithm) dynamic blacklist used to reduce load on backend DNS servers. This iRule should be applied to a GTM listener.
Here is a list of all the configurable options:
You need to set the timeout and threshold according to your needs before enabling this iRule.
Code :
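when RULE_INIT {
    # Set to 1 to log drops and NXDOMAIN hits to local0
    set static::debug 0
    # Idle timeout, in seconds, of a per-domain counter entry
    set static::timeout 60
    # Number of NXDOMAIN responses after which a domain is blacklisted
    set static::threshold 10
}

when DNS_REQUEST {
    # Key on the last two labels of the queried name, lower-cased so that
    # mixed-case queries for the same domain share one counter.
    if { ![regexp {([-A-Za-z0-9]+\.[-A-Za-z0-9]+)$} [string tolower [DNS::question name]] domain] } {
        # No two-label suffix to track; clear any key left by an earlier query
        unset -nocomplain domain
        return
    }
    set count [table lookup ddbl_$domain]
    if { $count >= $static::threshold } {
        if { $static::debug } {
            log local0. "\[DDBL\] Dropping question [DNS::question name], $domain is on dynamic dns blacklist"
        }
        # Keep the entry alive while queries for the domain keep arriving
        table timeout ddbl_$domain $static::timeout
        DNS::drop
    }
}

when DNS_RESPONSE {
    # Count only responses whose question produced a key in DNS_REQUEST
    if { [info exists domain] && [DNS::ptype] == "NXDOMAIN" } {
        set count [table incr ddbl_$domain]
        table timeout ddbl_$domain $static::timeout
        if { $static::debug } {
            log local0. "\[DDBL\] NXDOMAIN HIT [DNS::question name], hitcount is $count, threshold is $static::threshold"
        }
    }
}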
Tested this on version:
11.6
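To try timeout and threshold values before enabling the iRule, the counter logic can be replayed offline. The following Python model is an added example, not part of the original snippet: `DdblModel`, `replay` and the sample names are hypothetical, the traffic is constructed, and it assumes that a lookup refreshes an entry's idle timer, as `table lookup` does without `-notouch`.

```python
import re

# Same two-label key as the iRule's regexp (dot escaped, name lower-cased).
KEY_RE = re.compile(r"([-A-Za-z0-9]+\.[-A-Za-z0-9]+)$")

class DdblModel:
    """Offline model of the iRule's per-domain counter (hypothetical name)."""

    def __init__(self, threshold=10, timeout=60):
        self.threshold, self.timeout = threshold, timeout
        self.table = {}  # key -> (nxdomain_count, expiry_time)

    def _lookup(self, key, now):
        count, expires = self.table.get(key, (0, 0))
        if now >= expires:  # idle timeout passed, entry is gone
            self.table.pop(key, None)
            return 0
        # Assumption: a lookup refreshes the idle timer, like `table lookup`
        # without -notouch.
        self.table[key] = (count, now + self.timeout)
        return count

    def query(self, now, name, nxdomain):
        """Replay one query; returns 'drop', 'nxdomain' or 'answer'."""
        m = KEY_RE.search(name.lower())
        if m:
            key = m.group(1)
            count = self._lookup(key, now)
            if count >= self.threshold:
                return "drop"  # the backend never sees this query
            if nxdomain:
                self.table[key] = (count + 1, now + self.timeout)
        return "nxdomain" if nxdomain else "answer"

def replay(events, threshold, timeout):
    """events: (time_s, qname, backend_says_nxdomain) tuples in time order."""
    model = DdblModel(threshold, timeout)
    return [model.query(t, name, nx) for t, name, nx in events]

# Constructed sample traffic (not captured data).
BURST = [(0, "q1.dga-test.example", True), (1, "q2.dga-test.example", True),
         (2, "q3.dga-test.example", True), (3, "www.dga-test.example", False),
         (62, "www.dga-test.example", False), (200, "www.dga-test.example", False)]
SHARED_SUFFIX = [(0, "x1.foo.co.uk", True), (1, "x2.bar.co.uk", True),
                 (2, "x3.baz.co.uk", True), (3, "www.shop.co.uk", False)]

if __name__ == "__main__":
    print(replay(BURST, threshold=3, timeout=60))
    print(replay(SHARED_SUFFIX, threshold=3, timeout=60))
```

The second sample shows that names under a shared two-label suffix such as `co.uk` feed one counter, so resolvable names under that suffix are dropped once the threshold is reached.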