Forum Discussion

Mike_Bird
Jan 23, 2009

GTM iRule to prevent DNS reflector DoS attacks

We recently became aware of the issue of DNS servers being used in forged-packet reflector attacks. In short, botnets forge a DNS recursive query, usually requesting "." (all records). The forged source address is a site someone wants to attack. In our case we deny recursive lookups, but we still send the deny packet to the forged address.
For general discussion: is there a way to use an iRule to expose the forgery and, if found, drop the packet with no reply?
Another option might be to drop all denied requests, but that is not proper behavior, particularly when it is a valid request.
Still another: since we deny lookups to "." anyway, we could drop those specific requests. It still suffers from the same issue as above, namely valid requests.
By the way, consider this my vote for a GTM specific forum.
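Added example (not part of the original post, and not an F5 iRule): a small Python model of the third option above, i.e. the decision a non-recursive server can make per query. It parses the DNS header and question from the wire format, drops a recursive query for "." silently, answers REFUSED for other recursive queries, and also builds the REFUSED reply so the reflection ratio can be measured. The sample packets, constants and function names are constructed for this example; the policy thresholds (RD set plus a "." QNAME) are an assumption that mirrors the post, not a recommendation for every zone. Note what it cannot do: over UDP there is no way to tell a forged source address from a real one, which is exactly the valid-request problem the post raises.

```python
"""Model of a non-recursive DNS server's drop/refuse decision for possible
reflector traffic.  Example code written for this thread; it is not an iRule
and does not model GTM.  All packets below are constructed, not captured."""
import struct

QTYPE_A = 1
QTYPE_ANY = 255
QCLASS_IN = 1
RCODE_REFUSED = 5


def encode_name(name):
    """Wire-encode a domain name; the root "." is a single zero byte."""
    name = name.rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label length")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, rd=True, txid=0x1234):
    """Standard query (QR=0, opcode 0) with one question and no EDNS OPT record."""
    flags = 0x0100 if rd else 0x0000          # bit 8 of the flags word is RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(pkt):
    """Parse the 12-byte header and the first question; raise ValueError on
    malformed input (a server should drop that silently too, never reflect it)."""
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        ln = pkt[pos]
        if ln == 0:
            pos += 1
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question")  # not legal here
        if pos + 1 + ln > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & 0x0100),
        "qname": ".".join(labels) + "." if labels else ".",
        "qtype": qtype,
        "qclass": qclass,
        "question_end": pos + 4,
    }


def decide(pkt, recursion_allowed=False):
    """Return "drop", "refused" or "answer" for one incoming query.
    Policy as in the post: recursion is denied; a recursive query for "." is the
    reflector signature and gets no reply at all; any other recursive query still
    gets REFUSED because it may be legitimate and the source cannot be verified."""
    try:
        q = parse_query(pkt)
    except ValueError:
        return "drop"                       # malformed: never reflect garbage
    if q["qr"] or q["opcode"] != 0:
        return "drop"                       # a reply or non-query aimed at a server
    if not recursion_allowed and q["rd"] and q["qname"] == ".":
        return "drop"
    return "refused" if q["rd"] and not recursion_allowed else "answer"


def build_refused(query_pkt):
    """The REFUSED reply the server would otherwise send: same ID, QR=1, RD
    copied, RA=0, RCODE=5, question echoed, no answer/authority/additional."""
    q = parse_query(query_pkt)
    flags = 0x8000 | (0x0100 if q["rd"] else 0) | RCODE_REFUSED
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0)
    return header + query_pkt[12:q["question_end"]]


def amplification(query_pkt):
    """Bytes delivered to the spoofed victim per byte the attacker sent."""
    return len(build_refused(query_pkt)) / len(query_pkt)


# Constructed sample traffic.
FORGED_ROOT_ANY = build_query(".", QTYPE_ANY, rd=True)
LEGIT_RECURSIVE = build_query("example.com", QTYPE_A, rd=True)
LEGIT_AUTH = build_query("example.com", QTYPE_A, rd=False)

if __name__ == "__main__":
    for label, pkt in [("forged root ANY", FORGED_ROOT_ANY),
                       ("recursive example.com A", LEGIT_RECURSIVE),
                       ("non-recursive example.com A", LEGIT_AUTH)]:
        print(f"{label}: {decide(pkt)}; REFUSED reply ratio {amplification(pkt):.2f}")
```

The ratio printed for the REFUSED case is 1.0: the reply only echoes the question, so a server that refuses recursion is a reflector but not an amplifier. Dropping the "." queries removes even that reflection for the pattern the post describes, at the cost the post already notes, since a real client asking the same thing gets no reply either.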