DNS Flood Protection v2

Problem this snippet solves:

Same concept as the previous version, but per-source state is kept in the session table instead of in an array. Minor changes: all global variables were removed with the intent of making the rule CMP (Clustered Multiprocessing) compatible; the author did not confirm this. DNS Flood Protection v3, for v10.1+, is also available.

Code:

when CLIENT_ACCEPTED {
    # Per-flow tunables. They are plain flow-scoped variables rather than globals;
    # the author's stated intent is to keep the rule CMP compatible (not verified here).
    # holdtime: how many seconds a source stays blocked once it trips the limit.
    set holdtime 10
    # maxquery: datagrams allowed from one source address within a single clock
    # second before that source is blocked (enforced in CLIENT_DATA).
    set maxquery 2
}
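when CLIENT_DATA {
    # Per-datagram rate limiter keyed on (source address, current clock second).
    # State lives in the session table: "u<sec><ip>" holds the running count for
    # that second, "b<sec><ip>" is a block marker for that second. Reads
    # $maxquery and $holdtime, which CLIENT_ACCEPTED sets for the flow.
    #
    # Caveats for anyone deploying this:
    #  - This is UDP, so the source address is unauthenticated. A spoofed burst of
    #    maxquery+1 datagrams gets any address blocked for holdtime seconds,
    #    including legitimate resolvers or forwarders; exempt known-good sources
    #    before relying on it.
    #  - The key is the bare source IP, so every client behind one NAT address
    #    shares a single budget and is blocked together.
    #  - Buckets are fixed clock seconds: a burst straddling a second boundary can
    #    pass up to 2*maxquery datagrams before the limit trips.
    #  - Offending datagrams are silently discarded (UDP::drop); nothing is logged
    #    unless the commented log lines are enabled.
    set srcip [IP::client_addr]
    set c [clock second]

    # A block marker for the current second means this source tripped the limit
    # within the last $holdtime seconds: discard without touching the counters.
    if { [session lookup uie "b$c$srcip"] != "" } {
        #log local0. "drop [IP::client_addr]"
        UDP::drop
        return
    }

    # Running count of datagrams from this source in the current second.
    set f [session lookup uie "u$c$srcip"]
    if { $f == "" } {
        # First datagram this second; a 2 s timeout is enough to outlive the second.
        session add uie "u$c$srcip" 1 2
        return
    }

    incr f
    if { $f <= $maxquery } {
        # Still within budget: store the new count under the same key.
        session add uie "u$c$srcip" $f 2
        return
    }

    #log local0. "$srcip: $f times"
    # Over budget: lay down one block marker per second for the next $holdtime
    # seconds. The marker for second c+k gets a timeout of k+2 seconds, so it is
    # still present when that second arrives and expires shortly afterwards.
    # expr is braced so the arithmetic is evaluated once without a second
    # substitution pass; the original unbraced form was fine here only because
    # the operands are numeric, but braced expr is the safe idiom.
    for { set k 0 } { $k < $holdtime } { incr k } {
        session add uie "b[expr {$c + $k}]$srcip" b [expr {$k + 2}]
    }
    #log local0. "drop [IP::client_addr]"
    UDP::drop
    return
}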
Published Mar 17, 2015
Version 1.0

