Options
DNS NXDOMAIN Attack Aflex
![[Deleted User]](https://wc.vanillicon.com/v2/cba2703155a3bc920a1333c9390b9de8.svg)
in aFleX
All, this may be used as a template to protect against DNS NXDOMAIN attacks. The aFlex will dynamically build a table of FQDNs based on observed DNS replies that are 'NXDOMAIN'. Entries are stored for an hour (3600 seconds). Subsequent requests for these FQDNs are blocked.
when RULE_INIT {
set ::holdtime 3600
}
when DNS_RESPONSE {
set repcode [DNS::header rcode]
set name [DNS::question name]
if {$repcode equals "NXDOMAIN"} {
if { [table lookup "blacklist" $name] == ""} {
table add "blacklist" $name "blocked" $::holdtime
log local0.3 "Table entry created"
return
}
if { [table lookup "blacklist" $name] != ""} {
log local0.3 "A subsequent response for $name was observed within the timeout"
return
}
}
}
when DNS_REQUEST {
set req [DNS::question name]
if { [table lookup "blacklist" $req] == ""} {
log local0.3 "Request $req permitted."
return
}
if { [table lookup "blacklist" $req] != ""} {
log local0.3 "Request $req denied."
drop
return
}
}
when RULE_INIT {
set ::holdtime 3600
}
when DNS_RESPONSE {
set repcode [DNS::header rcode]
set name [DNS::question name]
if {$repcode equals "NXDOMAIN"} {
if { [table lookup "blacklist" $name] == ""} {
table add "blacklist" $name "blocked" $::holdtime
log local0.3 "Table entry created"
return
}
if { [table lookup "blacklist" $name] != ""} {
log local0.3 "A subsequent response for $name was observed within the timeout"
return
}
}
}
when DNS_REQUEST {
set req [DNS::question name]
if { [table lookup "blacklist" $req] == ""} {
log local0.3 "Request $req permitted."
return
}
if { [table lookup "blacklist" $req] != ""} {
log local0.3 "Request $req denied."
drop
return
}
}
Tagged:
0