Is there a way to use DNSBLs for service protection without going through the overhead of a complete Trafficscript rule containing DNS-Lookups and everything else? Or (question @riverbed staff) would you expect that using such a rule on EVERY request would be ok, performancewise? I wouldn't do it with trafficscript alone, because a solid implementation would at least have to maintain some sort of local lookup cache in order to work nicely, not to mention other DNS lookup optimizations that would be necessary.
BTW: a quick logfile check revealed that the average ratio of Requests per IP per day is about 85, with about 80.000 distinct IPv4 source IPs per day. So in our case, that would make up for 7 million dns lookups per day (if uncached).
We have to jump through many hoops to protect our sites from all kinds of bots and attacks - most of them not being really dangerous but mostly stupid, misconfigured or misbehaving bots and simple hacker tools just walking through our URL space and consuming our resources. Without Blacklist filters for source IPs and user Agents we would have to use substantial parts (at times up to 20%) of our resources just to serve content to them. So currently we maintain our own blacklist in a trafficscript rule which is a List of about 50 /24 IPv4 networks. The list is changing every now and then with new addresses coming in and old ones being deleted. This is not the most effective way to do it, and certainly it will not scale to work with IPv6 in the future so using a BL would be a good thing ...
Any ideas on this? Plans to implement DNSBLs? Having protection classes with BL support would be the logical place to put them.
Solved! Go to Solution.
It's fairly straightforward to configure as a request rule in TrafficScript. I've documented the process here: Checking IP addresses against a DNS blacklist with Stingray Traffic Manager.
Stingray will cache the DNS responses locally, so performance should be good and you won't overload your DNS server with duplicate queries.
Hope that this helps
Thanks Owen for your fast and comprehensive reply. I wasn't aware of the local DNS cache, so this might be worth a try. On the technical side, I will comment on your solution in the context of the article you wrote.
Thanks and best regards,