What is DNS Flood Detector?
DNS Flood Detector was developed to detect abusive usage levels on high-traffic nameservers and to enable a quick response in halting the use of one's nameserver to facilitate spam.

How does it work?
DNS Flood Detector uses libpcap (in non-promiscuous mode) to monitor incoming DNS queries to a nameserver. The tool may be run in one of two modes, either daemon mode or "bindsnap" mode. In daemon mode, the tool alarms via syslog. In bindsnap mode, the user gets near-real-time per-source usage statistics to aid in more detailed troubleshooting.

Why was it written?
I wrote DNS Flood Detector because the fifty or so public recursive nameservers I am responsible for were being abused by both customers and non-customers. DNS Flood Detector allows for prompt action when anomalous conditions are detected. Thank you Jim and Erik for your patches and troubleshooting; you have helped make DNS Flood Detector a more useful tool for the Internet community!

What do I need to use it?
You need libpcap and a little bit of patience. I have currently tested DNS Flood Detector on Linux, OSX, BSDI, Solaris 9, and FreeBSD. Will it run under Windows {95,98,ME,NT,2000,XP}? Maybe. I haven't tried. If it doesn't, feel free to submit a fix.

What does it look like?
Usage: ./dns_flood_detector [OPTION]
  -i ifname   specify interface to listen on (default lets pcap pick)
  -t n        alarm when more than n queries per second are observed (default 40)
  -a n        wait for n seconds before alarming again on same source (default 90)
  -w n        calculate statistics every n seconds (default 10)
  -x n        use n buckets (default 50)
  -m n        mark overall query rate every n seconds (default disabled)
  -A addr     filter for specific address
  -M mask     netmask for filter (in conjunction with -A)
  -Q          monitor any addresses (default is to filter only for
              primary addresses on chosen interface)
  -b          run in foreground in "bindsnap" mode
  -d          run in background in "daemon" mode
  -D          dump dns packets (implies -b)
  -v          detailed information (use twice for more detail)
  -h          usage info
Sample Output:
dopacki:~$ sudo ./dns_flood_detector -v -v -b -t10
[15:14:56] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:14:56] source [10.0.24.2] - 0 qps tcp : 15 qps udp [15 qps A]
[15:15:06] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:15:06] source [10.0.24.2] - 0 qps tcp : 15 qps udp [14 qps A]
[15:15:16] source [192.168.1.45] - 0 qps tcp : 23 qps udp [7 qps A] [15 qps PTR]
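The per-source rate accounting that the description and the -t/-a/-w options above imply, as an added Python example that is not part of DNS Flood Detector's own C code. It counts queries per source over a -w sized window, renders them in the bindsnap layout of the sample output, and alarms once a source exceeds the -t threshold while suppressing repeat alarms for -a seconds; the query list, addresses and timestamps are constructed for the example.

```python
from collections import defaultdict
from math import inf

def burst(t0, src, per_sec, seconds, qtypes):
    """Constructed UDP queries at a steady rate: (timestamp, source, transport, qtype)."""
    return [(t0 + i / per_sec, src, "udp", qtypes[i % len(qtypes)])
            for i in range(per_sec * seconds)]

# Constructed sample traffic (addresses and times are made up): one host at
# 24 qps for two consecutive 10 s windows, another at a harmless 5 qps.
SAMPLE_QUERIES = (burst(1000, "192.168.1.45", 24, 10, ["A", "PTR", "PTR"])
                  + burst(1010, "192.168.1.45", 24, 10, ["A", "PTR", "PTR"])
                  + burst(1000, "10.0.24.2", 5, 10, ["A"]))

def window_stats(queries, start, window_len):
    """Per-source qps inside [start, start+window_len), the figure -w reports."""
    raw = defaultdict(lambda: {"tcp": 0, "udp": 0, "types": defaultdict(int)})
    for ts, src, proto, qtype in queries:
        if start <= ts < start + window_len:
            raw[src][proto] += 1
            raw[src]["types"][qtype] += 1
    return {src: {"tcp": c["tcp"] / window_len, "udp": c["udp"] / window_len,
                  "types": {q: n / window_len for q, n in c["types"].items()}}
            for src, c in raw.items()}

def format_line(clock, src, st):
    """Render one bindsnap-style line in the layout of the sample output."""
    types = "".join(f" [{v:g} qps {q}]" for q, v in sorted(st["types"].items()))
    return f"[{clock}] source [{src}] - {st['tcp']:g} qps tcp : {st['udp']:g} qps udp{types}"

def detect_floods(queries, threshold=40, realarm=90, window_len=10):
    """Walk the capture in -w sized windows and return (time, source, qps) alarms
    for sources above -t qps, staying quiet about a source for -a seconds."""
    if not queries:
        return []
    start, last = min(q[0] for q in queries), max(q[0] for q in queries)
    alarms, last_alarm = [], {}
    while start <= last:
        for src, st in window_stats(queries, start, window_len).items():
            qps = st["tcp"] + st["udp"]
            if qps > threshold and start - last_alarm.get(src, -inf) >= realarm:
                alarms.append((start, src, qps))
                last_alarm[src] = start
        start += window_len
    return alarms

if __name__ == "__main__":
    for src, st in window_stats(SAMPLE_QUERIES, 1000, 10).items():
        print(format_line("15:14:56", src, st))
    for when, src, qps in detect_floods(SAMPLE_QUERIES, threshold=10):
        print(f"ALARM t={when:g}: {src} at {qps:g} qps")
```

With the default -a of 90 s the second 24 qps window for 192.168.1.45 is reported in the stats but raises no second alarm; passing realarm=0 shows the alarm on every window instead.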
Where do I get it?
Right here, of course! Download the current version (1.12) of dnsflood.tgz. Thanks to Larry Long for the RPM and SRPM packages (1.08 at the moment).

What if I have questions?
You can e-mail me at dopacki@adotout.com

Want to know more about me?
Dennis's resume (PDF)

Links to other projects of mine
Trust Informations - security metrics service
Let's Talk About Risk [Paper - 2007]
Business Case for Information Assurance Investment [Causal Loop Diagram - 2006]
Security Metrics: Building Business Unit Scorecards [Paper - 2005]
Exploring Anonymous Networking: MIT's Tor Project [Paper - 2004]
IP Flood Detector v1.0 (detect TCP, UDP and ICMP packet floods)
Echoart v0.1 (ASCII art over ICMP)
Netmatrix v0.2 (network monitoring)
Disconnect.cgi (Cisco RAS management)