Open rygl opened 8 years ago
We have seen renewed interest in that feature lately. It is already possible to use dnsdist to detect and block PRSD attacks, with specific Lua scripts leveraging the ring buffers and dynamic blocks. Guidance and support for writing these scripts can be provided as part of our commercial solutions which include access to professional services.
Hi. In order to make this piece of software even more amazing, I would like to ask if the existing dynamic blocks feature can be extended in the following way:
Let's have nasty clients that are sending pseudo-random sub-domain queries like an A query for wtqtghwd.www.001my.com at a rate of 1000 qps. These are responded to with either NXDOMAIN or SERVFAIL. I would like to have an option to drop all such requests as soon as the response rate goes over a configured threshold:
addDynDomainBlocks(exceedServFailResponseRate(500, 10), "Domain blocked - Exceeded response rate", 90,2)
addDynDomainBlocks(exceedNxDomainResponseRate(200, 30), "Domain blocked - Exceeded response rate", 90,3)
The rules above would block all requests to the domain 001my.com (2nd level sub-domain) if there are more than 500 responses/s over the past 10s, and also the requests to the domain www.001my.com (3rd level sub-domain) if the number of responses crosses 200 over the past 30s.
The existing implementation of dynamic blocks with the exceedServFails/exceedNXDOMAINs condition does not suit here too well because of the way those pseudo-random sub-domain attacks work. Usually the clients are sending just 1-5 qps of "bad" queries and the power of such an attack is in the number of such clients.
Thanks Ales
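The detection the request above asks for, written as a stand-alone Python model so the per-domain versus per-client difference can be seen on sample traffic. This is an added example, not dnsdist code or anything from the PowerDNS project: the class and function names (WindowRateRule, apply_rules, prsd_traffic, compare), the client address range and the generated query names are all constructed here, and the thresholds are the ones from the two proposed rules (500/s over 10s on SERVFAIL at the 2nd level, 200/s over 30s on NXDOMAIN at the 3rd level). A sliding window per key counts responses with the matching RCODE; the only thing that changes between "what exists today" and "what is requested" is the key the counter is attached to.

```python
"""Sliding-window NXDOMAIN/SERVFAIL rate rules keyed by a domain suffix versus
by client address.  Stand-alone model of the detection logic, not dnsdist
code; rule and function names and the sample traffic are constructed here."""
from collections import defaultdict, deque

# DNS RCODE values (RFC 1035)
SERVFAIL = 2
NXDOMAIN = 3


def suffix(qname, labels):
    """Return the last `labels` labels of qname, e.g. labels=2 -> '001my.com'."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


class WindowRateRule:
    """Fires for a key once more than rate*seconds responses with `rcode` have
    been seen for that key within the last `seconds` seconds.  key_fn decides
    what is counted together: a domain suffix (what the issue asks for) or the
    client address (how per-client dynamic blocks count today)."""

    def __init__(self, rcode, rate, seconds, key_fn, reason):
        self.rcode, self.rate, self.seconds = rcode, rate, seconds
        self.key_fn, self.reason = key_fn, reason
        self.events = defaultdict(deque)  # key -> timestamps still in window

    def observe(self, ts, client, qname, rcode):
        """Return (key, reason) when the threshold is crossed, else None."""
        if rcode != self.rcode:
            return None
        key = self.key_fn(client, qname)
        window = self.events[key]
        window.append(ts)
        while window and window[0] <= ts - self.seconds:  # expire old events
            window.popleft()
        if len(window) > self.rate * self.seconds:
            return key, self.reason
        return None


def apply_rules(responses, rules):
    """Run time-ordered (ts, client, qname, rcode) responses through the rules;
    return {key: reason} for every key that crossed a threshold."""
    blocked = {}
    for ts, client, qname, rcode in responses:
        for rule in rules:
            hit = rule.observe(ts, client, qname, rcode)
            if hit and hit[0] not in blocked:
                blocked[hit[0]] = hit[1]
    return blocked


def prsd_traffic(clients=400, qps=2, seconds=10, zone="www.001my.com"):
    """Constructed PRSD attack: many clients, each sending only `qps`
    queries/s for random-looking labels under `zone`; every answer is
    NXDOMAIN.  Aggregate rate here is clients*qps = 800 responses/s."""
    responses = []
    n = 0
    for tick in range(seconds * qps):
        ts = tick / qps
        for c in range(clients):
            n += 1
            client = f"10.0.{c // 256}.{c % 256}"        # constructed source
            responses.append((ts, client, f"q{n:06x}.{zone}", NXDOMAIN))
    return responses


def compare():
    """Same traffic, two keyings.  Per-client thresholds never fire because
    each client stays at 2 qps; the per-suffix NXDOMAIN rule at the 3rd
    level crosses 200/s*30s = 6000 responses and blocks www.001my.com."""
    traffic = prsd_traffic()
    per_client = [
        WindowRateRule(NXDOMAIN, 500, 10, lambda c, q: c, "client NXDOMAIN rate"),
    ]
    per_domain = [
        WindowRateRule(SERVFAIL, 500, 10, lambda c, q: suffix(q, 2),
                       "Domain blocked - Exceeded response rate"),
        WindowRateRule(NXDOMAIN, 200, 30, lambda c, q: suffix(q, 3),
                       "Domain blocked - Exceeded response rate"),
    ]
    return apply_rules(traffic, per_client), apply_rules(traffic, per_domain)


if __name__ == "__main__":
    client_blocks, domain_blocks = compare()
    print("per-client blocks:", client_blocks)
    print("per-domain blocks:", domain_blocks)
```

The per-client rule in compare() is deliberately given the same 500/s threshold as the proposed domain rule to make the point of the post concrete: 400 clients at 2 qps each never get anywhere near it individually, while the suffix counter sees the full 800/s. In a real deployment the block decision would also need a cap on how many suffixes may be in the blocked set and an exemption for the operator's own zones, neither of which this model attempts.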