What is DNS Flood Detector?
DNS Flood Detector was developed to detect abusive usage levels on high-traffic nameservers and to enable quick response when someone is using your nameserver to facilitate spam. DNS Flood Detector is distributed under the GNU General Public License (see the included LICENSE file for details).
How does it work?
DNS Flood Detector uses libpcap (in non-promiscuous mode) to monitor incoming DNS queries to a nameserver, so it is meant to run on the nameserver host itself. The tool may be run in one of two modes, either daemon mode or "bindsnap" mode. In daemon mode, the tool alarms via syslog when a source exceeds the configured query rate. In bindsnap mode, the user gets near-real-time per-source statistics to aid in more detailed troubleshooting. By default, it counts DNS queries directed to any address in the same network as the primary IP address on the interface being watched; the -A, -M, and -Q options can be used to modify this behaviour.
As of version 1.2, DNS Flood Detector can also send source IP request data to a network-based collector as JSON (the -s, -z and -p options). This lets you gather near-real-time information about who is using your DNS servers, and from where. I've included a sample application called dns_flood_collector.pl, which you can use to receive and report these data. The output of this program can easily be fed into a graphing tool such as CAIDA's plot-latlong.
Usage: ./dns_flood_detector [OPTION]
  -i IFNAME     specify interface to listen on
  -t N          alarm at >N queries per second
  -a N          reset alarm after N seconds
  -w N          calculate stats every N seconds
  -x N          create N buckets
  -m N          mark total query rate every N seconds
  -A addr       filter for specific address
  -M mask       netmask for filter (in conjunction with -A)
  -Q            don't filter by local interface address
  -b            run in foreground in bindsnap mode
  -d            run in background in daemon mode
  -D            dump DNS packets (implies -b)
  -v            verbose output - use again for more verbosity
  -s            send source IP stats to collector as JSON
  -z N.N.N.N    address to send stats to (default 127.0.0.1)
  -p N          UDP port to send stats to (default 2000)
  -h            display this usage information

Sample Output:

dopacki:~$ sudo ./dns_flood_detector -v -v -b -t10
[15:14:56] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:14:56] source [10.0.24.2] - 0 qps tcp : 15 qps udp [15 qps A]
[15:15:06] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:15:06] source [10.0.24.2] - 0 qps tcp : 15 qps udp [14 qps A]
[15:15:16] source [192.168.1.45] - 0 qps tcp : 23 qps udp [7 qps A] [15 qps PTR]
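To make the detection logic concrete, here is an added example (my own Python, not the project's C code or its Perl collector) that does in miniature what the tool does: it parses raw DNS query payloads, ignores responses and traffic not addressed to the watched network (the -A/-M default), counts queries per source over a fixed window (-w), renders the window in the bindsnap line format shown above, flags sources above a per-second threshold (-t), and emits the per-source stats as JSON (-s). libpcap capture is replaced by constructed packets so it runs offline; the watched network 192.0.2.0/24, the source addresses, the query mix and the JSON layout are all assumptions for this example and are not the tool's real schema.

```python
"""Minimal per-source DNS query-rate monitor (added example, not the tool)."""
import ipaddress
import json
import struct
from collections import Counter, defaultdict

# RR type codes we label by name; anything else is reported by number.
QTYPE_NAMES = {1: "A", 12: "PTR", 28: "AAAA"}


def build_query(name, qtype, txid=0x1234):
    """Construct a minimal DNS query (header + one question, RD set).
    Only used to fabricate sample traffic; a real deployment reads from pcap."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_query(payload):
    """Return (qname, qtype) for a standard DNS query carrying one question,
    or None for responses, truncated data, or compressed/malformed names."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount != 1:          # QR=1 is a response: ignore
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        ln = payload[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0 or pos + ln > len(payload):  # pointer or overrun: malformed
            return None
        labels.append(payload[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype


class FloodDetector:
    """Counts queries per source over a fixed window (like -w) and flags
    sources whose rate exceeds a threshold (like -t)."""

    def __init__(self, watch_net, window=10, threshold=10):
        self.watch_net = ipaddress.ip_network(watch_net)   # like -A/-M
        self.window = window
        self.threshold = threshold
        self.counts = defaultdict(Counter)   # src -> {"udp": n, "tcp": n, "A": n, ...}

    def observe(self, src, dst, proto, payload):
        """Account one packet; returns True if it was counted as a query."""
        if ipaddress.ip_address(dst) not in self.watch_net:
            return False
        parsed = parse_query(payload)
        if parsed is None:
            return False
        _qname, qtype = parsed
        self.counts[src][proto] += 1
        self.counts[src][QTYPE_NAMES.get(qtype, str(qtype))] += 1
        return True

    def rates(self):
        """Per-source integer qps for the window: {src: {key: qps}}."""
        return {src: {k: v // self.window for k, v in c.items()}
                for src, c in self.counts.items()}

    def alarms(self):
        """Sources whose total qps (tcp + udp) exceeds the threshold."""
        return sorted(src for src, r in self.rates().items()
                      if r.get("tcp", 0) + r.get("udp", 0) > self.threshold)

    def bindsnap_lines(self, ts):
        """Render the window in the tool's bindsnap output format."""
        lines = []
        for src, r in sorted(self.rates().items()):
            types = "".join(f" [{v} qps {k}]" for k, v in sorted(r.items())
                            if k not in ("tcp", "udp") and v)
            lines.append(f"[{ts}] source [{src}] - {r.get('tcp', 0)} qps tcp : "
                         f"{r.get('udp', 0)} qps udp{types}")
        return lines

    def stats_json(self):
        """Per-source stats as JSON. This layout is an assumption for the
        example; the real tool's schema is defined by its own source code."""
        return json.dumps({"window": self.window, "sources": self.rates()}, sort_keys=True)


def sample_window():
    """Constructed traffic for one 10-second window (not captured data)."""
    det = FloodDetector("192.0.2.0/24", window=10, threshold=10)
    ns = "192.0.2.53"
    pkts = [("192.168.1.45", ns, "udp", build_query("www.example.com", 1))] * 80
    pkts += [("192.168.1.45", ns, "udp", build_query("1.2.0.192.in-addr.arpa", 12))] * 160
    pkts += [("10.0.24.2", ns, "udp", build_query("mail.example.net", 1))] * 150
    pkts += [("10.0.0.9", ns, "udp", build_query("example.org", 28))] * 30
    # A query to an address outside the watched network and a response (QR=1)
    # are both ignored, just as the tool's default filter and libpcap filter would.
    pkts.append(("10.0.0.9", "198.51.100.1", "udp", build_query("example.org", 1)))
    response = bytearray(build_query("example.org", 1))
    response[2] |= 0x80
    pkts.append(("10.0.0.9", ns, "udp", bytes(response)))
    for p in pkts:
        det.observe(*p)
    return det


if __name__ == "__main__":
    det = sample_window()
    for line in det.bindsnap_lines("15:14:56"):
        print(line)
    print("alarm:", det.alarms())
    print(det.stats_json())
```

With the constructed window, 192.168.1.45 renders exactly as the first sample line above (24 qps udp, 8 A, 16 PTR) and both it and 10.0.24.2 trip the -t10 threshold, while 10.0.0.9 stays at 3 qps. Note that integer qps over a window means short bursts below one window's worth of traffic are averaged away; the real tool's -x bucket option exists for finer granularity than this example offers.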
Where do I get it?
Right here, of course!
Download current version (1.20) of dnsflood.tgz
Thanks to Larry Long for the RPM and SRPM packages (1.08 at the moment).
What if I have questions?
You can e-mail me at firstname.lastname@example.org
Want to know more about me?
Dennis's resume (PDF)
Links to other projects of mine
Trust Informations - security metrics service
Let's Talk About Risk [Paper - 2007]
Business Case for Information Assurance Investment [Causal Loop Diagram - 2006]
Security Metrics: Building Business Unit Scorecards [Paper - 2005]
Exploring Anonymous Networking: MIT's Tor Project [Paper - 2004]
IP Flood Detector v1.0 (detect TCP, UDP and ICMP packet floods)
Echoart v0.1 (ASCII art over ICMP)
Netmatrix v0.2 (network monitoring)
Disconnect.cgi (Cisco RAS management)