JRahm
Community Manager

Problem this snippet solves:

(Solution from Pedro Haoa)


Because some people attempt DNS tunneling to pass data frames inside DNS records out to the Internet, and there is little information about it around here, I'm going to share some basic code for DNS tunnel mitigation on the BIG-IP. This iRule puts some overhead on your CPU, so test it with caution.

The idea is to improve this code here in DevCentral (I'm looking for less overhead) and to build a better base solution for the most common techniques. You can combine it with the DNS Protocol Security, DNS Anti-DDoS and IP Intelligence features to get the most comprehensive solution.

Remember that there are many DNS tunneling utilities with a wide range of capabilities and options, so this is only one of many ways to mitigate some of these attacks.

How to use this snippet:

LTM + AFM + DNS Services


BIG-IP AFM (Protocol Security)


In Security ›› Protocol Security : Security Profiles : DNS ››


Create a new security profile and exclude obsolete record types such as MD, MF, MAILA, NULL, HINFO, SPF, etc. Then apply it to the DNS profile associated with your listener.


BIG-IP DNS (LTM Data Groups and iRule)


Creating DNS Tunnel Query type Data Group


create ltm data-group internal TunnelType records replace-all-with { CNAME { } } type string
modify ltm data-group internal TunnelType records add { TXT { } }
modify ltm data-group internal TunnelType records add { SRV { } }
modify ltm data-group internal TunnelType records add { KEY { } }


Creating Whitelist Data Group


create ltm data-group internal Dominios_Lista_Blanca records replace-all-with { facebook.com { data facebook.com } } type string
modify ltm data-group internal Dominios_Lista_Blanca records add { instagram.com { data instagram.com } }
modify ltm data-group internal Dominios_Lista_Blanca records add { fbcdn.net { data fbcdn.net } }
modify ltm data-group internal Dominios_Lista_Blanca records add { google.com { data google.com } }
modify ltm data-group internal Dominios_Lista_Blanca records add { googleapis.com { data googleapis.com } }


Creating Blacklist Data Group


create ltm data-group internal Dominios_Lista_Negra records replace-all-with { dnstunnel.de { data dnstunnel.de } } type string
modify ltm data-group internal Dominios_Lista_Negra records add { cutheatergroup.cn { data cutheatergroup.cn } }
modify ltm data-group internal Dominios_Lista_Negra records add { demodomain.cz { data demodomain.cz } }
modify ltm data-group internal Dominios_Lista_Negra records add { buo.cc { data buo.cc } }
modify ltm data-group internal Dominios_Lista_Negra records add { pdk.lcn.cc { data pdk.lcn.cc } }


Code:

when RULE_INIT {
    # Max DNS queries during the detection period per source IP / destination domain
    set static::maxq 180
    # Detection & blocking period (seconds)
    set static::btime 60
}
when DNS_REQUEST {
    set srcip [IP::remote_addr]
    set qtype [DNS::question type]
    # Keep only the last 4 labels of the queried name,
    # e.g. "host.sub.corp.example.com" -> "sub.corp.example.com"
    set DomOrigen [domain [DNS::question name] 4]
    # Per-client, per-domain counter key
    set key "$srcip:$DomOrigen"
    # Inspect only record types commonly abused for tunneling (TunnelType data group)
    # and only messages larger than the classic 512-byte UDP DNS limit
    if { [class match $qtype equals TunnelType] and [DNS::len] > 512 } {
        if { [class match $DomOrigen ends_with Dominios_Lista_Blanca] } {
            # Whitelisted domain: let it through
            return
        } elseif { [class match $DomOrigen ends_with Dominios_Lista_Negra] } {
            # Known tunnel domain: drop outright
            DNS::drop
            return
        } elseif { [table lookup $key] ne "" } {
            # Existing counter: increment, and drop once the threshold is exceeded
            set count [table incr $key]
            if { $count > $static::maxq } {
                DNS::drop
                return
            }
        } else {
            # First sighting in this window: start a counter that lives btime seconds
            table add $key 1 indef $static::btime
        }
    }
}
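To test the rule's thresholds and data-group contents without a BIG-IP, here is an added Python model of the same decision logic (example code written for this page, not the iRule itself or anything from the original post). It reproduces the `domain ... 4` keying, the TunnelType and 512-byte filters, the whitelist/blacklist suffix matches and the per-key counter with a `btime` lifetime; the copies of the data groups, the sample queries, and the `TunnelDetector`, `replay` and `first_drop_index` names are constructed for the example.

```python
"""Offline model of the DNS-tunnel iRule's decision logic (added example, not the page's code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Constructed copies of the page's data groups.
TUNNEL_TYPES = {"CNAME", "TXT", "SRV", "KEY"}                     # TunnelType
WHITELIST = ("facebook.com", "instagram.com", "fbcdn.net",
             "google.com", "googleapis.com")                       # Dominios_Lista_Blanca
BLACKLIST = ("dnstunnel.de", "cutheatergroup.cn", "demodomain.cz",
             "buo.cc", "pdk.lcn.cc")                               # Dominios_Lista_Negra

MAXQ = 180   # static::maxq
BTIME = 60   # static::btime (seconds)


def last_labels(name: str, n: int) -> str:
    """Equivalent of the iRule `domain <name> <n>` command: keep only the last n labels."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-n:])


def ends_with_any(domain: str, suffixes: Iterable[str]) -> bool:
    """`class match $x ends_with <datagroup>`: a plain string suffix match, as in the iRule."""
    return any(domain.endswith(s) for s in suffixes)


@dataclass
class TunnelDetector:
    maxq: int = MAXQ
    btime: int = BTIME
    # key -> (count, expiry); models `table add $key 1 indef $static::btime`
    table: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def decide(self, src_ip: str, qname: str, qtype: str, msg_len: int, now: float) -> str:
        """Return 'allow' or 'drop' for one query, following the iRule's branch order."""
        dom = last_labels(qname, 4)
        key = f"{src_ip}:{dom}"
        # Only tunnel-prone record types above the classic 512-byte UDP DNS limit are inspected
        if qtype not in TUNNEL_TYPES or msg_len <= 512:
            return "allow"
        if ends_with_any(dom, WHITELIST):
            return "allow"
        if ends_with_any(dom, BLACKLIST):
            return "drop"
        entry = self.table.get(key)
        if entry is not None and entry[1] > now:
            count = entry[0] + 1                       # table incr $key
            self.table[key] = (count, entry[1])
            return "drop" if count > self.maxq else "allow"
        # First sighting, or the previous window expired: new counter living btime seconds
        self.table[key] = (1, now + self.btime)
        return "allow"


# Constructed sample queries: (source IP, name, type, DNS message length)
SAMPLE: List[Tuple[str, str, str, int]] = [
    ("10.0.0.5", "a1.long.payload.t.dnstunnel.de", "TXT", 600),     # blacklisted suffix
    ("10.0.0.5", "x.y.sub.google.com", "TXT", 700),                 # whitelisted suffix
    ("10.0.0.5", "chunk.data.exfil.example.net", "A", 800),         # not a TunnelType
    ("10.0.0.7", "c0ffee.deadbeef.chunk.example.net", "TXT", 640),  # first sighting
    ("10.0.0.7", "small.example.net", "TXT", 100),                  # under 512 bytes
]


def replay(detector: TunnelDetector, records, start: float = 0.0) -> List[str]:
    """Feed records through the detector one second apart and collect the verdicts."""
    return [detector.decide(ip, name, qtype, ln, start + i)
            for i, (ip, name, qtype, ln) in enumerate(records)]


def first_drop_index(detector: TunnelDetector, src_ip: str, base_domain: str,
                     n: int, interval: float = 1.0) -> int:
    """Send n large TXT queries with changing hostnames under base_domain, one every
    `interval` seconds; return the index of the first dropped query, or -1 if none."""
    for i in range(n):
        verdict = detector.decide(src_ip, f"h{i}.data.chunk.{base_domain}", "TXT", 640, i * interval)
        if verdict == "drop":
            return i
    return -1


if __name__ == "__main__":
    print(replay(TunnelDetector(), SAMPLE))
    # At 1 query/s the 60 s window never reaches 180 queries; at 4 queries/s it does
    print(first_drop_index(TunnelDetector(), "10.0.0.5", "example.net", 200))
    print(first_drop_index(TunnelDetector(), "10.0.0.5", "example.net", 300, interval=0.25))
```

Two things the model makes visible that the rule alone does not: because the table entry has a fixed lifetime of btime seconds and a limit of maxq, a client has to sustain more than maxq/btime large tunnel-type queries per second (3 per second with the defaults) to the same 4-label domain before anything is dropped; and because the iRule's `ends_with` is a plain string suffix match, a name such as evilgoogle.com also satisfies the google.com whitelist entry, so anchoring the comparison on a label boundary (a leading dot, or an exact match) is the tighter form.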

Tested this on version:

No Version Found
Comments
Hoang_Hung
Altostratus

Thanks

But I don't understand why "[DNS::len] > 512" and "domain [DNS::question name] 4".

Please explain, help me.

Thanks

Hung Hoang

JRahm
Community Manager

I didn't write the rule, so I can only speculate. But they are using the domain command to take only the last 4 sections of a dotted FQDN and include them with the source IP as a key in the table memory for counting queries. I am not sure about the len check, whether it is meant as a control for traffic that is actually legitimate tunnel traffic but too much of it, or whether anything less than that size would be illegitimate.

Hoang_Hung
Altostratus

Thanks Jason

Do you know of a tool to use to simulate a tunneling attack via F5?

Version history
Last update:
18-Jun-2019 22:38