DNS NXDOMAIN Attack Aflex

All, this may be used as a template to protect against DNS NXDOMAIN attacks. The aFlex will dynamically build a table of FQDNs based on observed DNS replies that are 'NXDOMAIN'. Entries are stored for an hour (3600 seconds). Subsequent requests for these FQDNs are blocked.

when RULE_INIT {
    # How long (in seconds) a name stays blocked after an NXDOMAIN reply is seen
    set ::holdtime 3600
}

when DNS_RESPONSE {
    set repcode [DNS::header rcode]
    set name [DNS::question name]
    # Only NXDOMAIN replies populate the table; every other rcode is ignored
    if { $repcode equals "NXDOMAIN" } {
        if { [table lookup "blacklist" $name] == "" } {
            # First NXDOMAIN for this name: record it for ::holdtime seconds
            table add "blacklist" $name "blocked" $::holdtime
            log local0.3 "Table entry created for $name"
        } else {
            # Entry already present; it is not re-added or extended here
            log local0.3 "A subsequent response for $name was observed within the timeout"
        }
    }
}

when DNS_REQUEST {
    set req [DNS::question name]
    if { [table lookup "blacklist" $req] == "" } {
        log local0.3 "Request $req permitted."
    } else {
        # The name returned NXDOMAIN within the hold time: drop the query unanswered
        log local0.3 "Request $req denied."
        drop
    }
}
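To see how the blocklist above behaves over time without a load balancer, here is an offline model of the same request/response logic. This is an added example, not code from the original post or from A10: the aFlex `table` command is replaced by a dict keyed on name with an absolute expiry time, the clock is injected so the replay is deterministic, and names are case-folded and stripped of a trailing dot (an assumption; the aFlex above keys the table on the exact question name as received).

```python
"""Offline model of the NXDOMAIN blocklist aFlex (added example, not A10 code).

The A10 `table` command is replaced by a plain dict with per-entry expiry
timestamps so the DNS_REQUEST/DNS_RESPONSE logic can be exercised anywhere.
Times are passed in explicitly so the replay is deterministic.
"""
from dataclasses import dataclass, field

HOLDTIME = 3600  # seconds, matches ::holdtime in the aFlex


def _key(name: str) -> str:
    """Normalise a DNS name for table lookup (assumption: case-insensitive, no trailing dot)."""
    return name.lower().rstrip(".")


@dataclass
class NxdomainBlocklist:
    holdtime: int = HOLDTIME
    # name -> absolute expiry time in seconds; stands in for the aFlex table
    _table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def _lookup(self, name: str, now: float) -> bool:
        """Return True if the name is blocklisted and unexpired; purge expired entries."""
        key = _key(name)
        expiry = self._table.get(key)
        if expiry is None:
            return False
        if expiry <= now:
            del self._table[key]
            return False
        return True

    def on_response(self, name: str, rcode: str, now: float) -> None:
        """DNS_RESPONSE handler: record the name when the server answered NXDOMAIN."""
        if rcode != "NXDOMAIN":
            return
        key = _key(name)
        if not self._lookup(key, now):
            self._table[key] = now + self.holdtime
            self.log.append(f"Table entry created for {key}")
        else:
            self.log.append(f"A subsequent response for {key} was observed within the timeout")

    def on_request(self, name: str, now: float) -> str:
        """DNS_REQUEST handler: 'drop' if the name is blocklisted, else 'permit'."""
        if self._lookup(name, now):
            self.log.append(f"Request {name} denied.")
            return "drop"
        self.log.append(f"Request {name} permitted.")
        return "permit"

    def size(self) -> int:
        """Number of live entries in the table."""
        return len(self._table)


def demo() -> dict:
    """Replay a constructed sequence of queries and replies against the model."""
    bl = NxdomainBlocklist()
    t = 0.0
    results = {}
    # Legitimate name: NOERROR reply, never enters the table
    results["www_first"] = bl.on_request("www.example.com", t)
    bl.on_response("www.example.com", "NOERROR", t)
    results["www_second"] = bl.on_request("www.example.com", t + 1)
    # Nonexistent name: first query passes, reply is NXDOMAIN, repeat is dropped
    results["bogus_first"] = bl.on_request("bogus.example.com", t + 2)
    bl.on_response("bogus.example.com", "NXDOMAIN", t + 2)
    results["bogus_repeat"] = bl.on_request("BOGUS.example.com.", t + 3)
    # Constructed random-subdomain flood: every distinct label costs one table entry
    for i in range(1000):
        bl.on_response(f"r{i}.example.com", "NXDOMAIN", t + 10)
    results["table_size_after_flood"] = bl.size()
    # Once the hold time has elapsed the original name is queried normally again
    results["bogus_after_expiry"] = bl.on_request("bogus.example.com", t + 2 + HOLDTIME)
    results["table_size_after_expiry"] = bl.size()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The replay shows the two properties worth checking before deploying the template: a name is only dropped after its own NXDOMAIN has been observed (the first query always reaches the server), and the table carries one entry per distinct name for the full hold time, so a flood of unique random labels grows it one entry per label.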