
Problem this snippet solves:

This iRule illustrates how to provide flood protection per source IP address, as a basic idea for protecting a DNS virtual server against query floods. "maxquery" is the number of queries allowed from one source IP within a single clock second; a client that exceeds it is blacklisted and its queries are dropped for "holdtime" seconds, after which it is allowed again and its count starts over. The rule runs once per flow, so on a UDP DNS virtual server enable Datagram LB on the UDP profile so that each datagram is treated as its own flow and is counted.

Two limitations to be aware of. The counters are held in global (::) variables, which is not CMP-compatible; CMP-aware versions of this rule are available at DNS Flood Protection v2 and DNS Flood Protection v3. And the window is a fixed clock second rather than a sliding one, so a source that stays at or below maxquery in every second is never blocked, while the per-source entries in usertable are only removed when a source is blacklisted, so the table grows with the number of distinct clients seen.

Code :

when RULE_INIT {
  # queries allowed from one source IP within a single clock second
  set ::maxquery 100
  # seconds a source stays blocked after exceeding maxquery
  set ::holdtime 600
  # usertable(time,<ip>) is the second being counted, usertable(freq,<ip>) the count in it
  array set ::usertable { }
  # blacklist(<ip>) is the second at which the source was blocked
  array set ::blacklist { }
}
# Per-flow handler. For UDP, enable Datagram LB on the UDP profile so that every
# datagram is its own flow and is counted here.
when CLIENT_ACCEPTED {
  set srcip [IP::remote_addr]
#  log "src=$srcip"
  set currtime [clock seconds]
#  log "currtime=$currtime"
  if { [ info exists ::blacklist($srcip) ] } {
    if { $::holdtime > [expr ${currtime} - $::blacklist($srcip) ] } {
      # still inside holdtime: discard the query and stop processing this flow
      log "drop $srcip"
      drop
      return
    } else {
      unset ::blacklist($srcip)
      log "remove $srcip from blacklist"
    }
  }
  if { [ info exists ::usertable(time,$srcip)] and $currtime == $::usertable(time,$srcip) } {
    incr ::usertable(freq,$srcip)
    log "$srcip^$::usertable(time,$srcip)^$::usertable(freq,$srcip)"
    if { $::usertable(freq,$srcip) > $::maxquery } {
      # over the limit: blacklist the source, forget its count and drop this query
      log "new blacklist member <$srcip> with $::usertable(freq,$srcip) times"
      set ::blacklist($srcip) $currtime
      unset ::usertable(freq,$srcip)
      unset ::usertable(time,$srcip)
      drop
      return
    }
  } else {
    # first query from this source in the current second: start a new count
    set ::usertable(freq,$srcip) 1
    set ::usertable(time,$srcip) $currtime
#    log "new member <$srcip><$currtime>"
  }
  pool dnsserver
}
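The following is an added example, not code from the original snippet: a Python model of the same per-source algorithm (fixed one-second window, blacklist with hold time), replayed over constructed query streams so its behaviour can be checked off the box. The class and scenario names, the addresses and the timestamps are all made up for the illustration; the decision logic mirrors the iRule step for step.

```python
# Added model of the DNS flood iRule (not the iRule itself). Class, function
# names, addresses and timestamps below are constructed for the illustration.
from dataclasses import dataclass, field


@dataclass
class FloodGuard:
    """Same state as the iRule: ::maxquery, ::holdtime, ::usertable, ::blacklist."""
    maxquery: int = 100          # queries allowed per source within one clock second
    holdtime: int = 600          # seconds a blocked source stays blocked
    usertable: dict = field(default_factory=dict)  # src -> (second, count)
    blacklist: dict = field(default_factory=dict)  # src -> second it was blocked

    def query(self, srcip: str, now: int) -> str:
        """Decide one query from srcip arriving at integer time now: 'pass' or 'drop'."""
        if srcip in self.blacklist:
            if now - self.blacklist[srcip] < self.holdtime:  # still inside holdtime
                return "drop"
            del self.blacklist[srcip]                           # hold expired, allow again
        second, count = self.usertable.get(srcip, (None, 0))
        if second == now:
            count += 1
            if count > self.maxquery:                           # over the limit: block
                self.blacklist[srcip] = now
                del self.usertable[srcip]
                return "drop"
            self.usertable[srcip] = (now, count)
        else:                                                   # new second: count restarts at 1
            self.usertable[srcip] = (now, 1)
        return "pass"


def scenario_burst():
    """150 queries in one second: 100 pass, the rest drop; the block lasts exactly holdtime."""
    g = FloodGuard()
    results = [g.query("203.0.113.10", 1000) for _ in range(150)]
    still_blocked = g.query("203.0.113.10", 1000 + g.holdtime - 1)
    released = g.query("203.0.113.10", 1000 + g.holdtime)
    return results.count("pass"), results.count("drop"), still_blocked, released


def scenario_under_threshold():
    """Exactly maxquery per second for five consecutive seconds is never blocked,
    even though the two halves on either side of a second boundary are 200 queries
    within one wall-clock second."""
    g = FloodGuard()
    results = [g.query("198.51.100.7", 2000 + sec)
               for sec in range(5) for _ in range(g.maxquery)]
    return results.count("pass"), "198.51.100.7" in g.blacklist


def scenario_table_growth():
    """One query each from 1000 distinct sources leaves 1000 entries in usertable:
    nothing evicts a source that is never blacklisted."""
    g = FloodGuard()
    for i in range(1000):
        g.query(f"10.0.{i // 256}.{i % 256}", 3000 + i)
    return len(g.usertable)


if __name__ == "__main__":
    print("burst:", scenario_burst())
    print("under threshold:", scenario_under_threshold())
    print("usertable entries:", scenario_table_growth())
```

The burst scenario shows the intended behaviour; the other two make the two limitations concrete: a source pacing itself at the limit is never blocked by a fixed-second window, and the per-source table only shrinks when a source is blacklisted.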
Last update: 17-Mar-2015 13:04