DNS Flood Detector 1.10
by Dennis Opacki
dopacki@adotout.com



What is DNS Flood Detector?
DNS Flood Detector was developed to detect abusive usage levels on high traffic nameservers and to enable quick response in halting the use of one's nameserver to facilitate spam.


How does it work?
DNS Flood Detector uses libpcap to monitor the DNS queries arriving at a nameserver. The capture runs in non-promiscuous mode, so the tool only sees traffic addressed to the host it runs on; it is meant to run on the nameserver itself rather than on a separate monitoring box. The tool may be run in one of two modes, either daemon mode or "bindsnap" mode. In daemon mode, the tool runs in the background and raises an alarm via syslog when a source exceeds the configured query rate. In bindsnap mode, it runs in the foreground and prints near-real-time per-source usage statistics to aid in more detailed troubleshooting.


Why was it written?
I wrote DNS Flood Detector because the fifty or so public recursive nameservers I am responsible for were being abused by both customers and non-customers. DNS Flood Detector allows for prompt action when anomalous conditions are detected.


What do I need to use it?
You need libpcap and a little bit of patience. I have currently tested DNS Flood Detector on Linux, OSX, BSDI, Solaris 9, and FreeBSD.


Will it run under Windows {95,98,ME,NT,2000,XP}?
Maybe. I haven't tried. If it doesn't, feel free to submit a fix.


What does it look like?
Usage: ./dns_flood_detector [OPTION]

-i IFNAME              specify interface to listen on
-t N                   alarm at >N queries per second
-a N                   reset alarm after N seconds
-w N                   calculate stats every N seconds
-x N                   create N buckets
-m N                   mark total stats every N seconds
-b                     run in foreground in bindsnap mode
-d                     run in background in daemon mode
-v                     verbose output - use again for more verbosity
-h                     display this usage information

Sample Output:

dopacki:~$ sudo ./dns_flood_detector -v -v -b -t10
[15:14:56] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR] 
[15:14:56] source [10.0.24.2] - 0 qps tcp : 15 qps udp [15 qps A] 
[15:15:06] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR] 
[15:15:06] source [10.0.24.2] - 0 qps tcp : 15 qps udp [14 qps A] 
[15:15:16] source [192.168.1.45] - 0 qps tcp : 23 qps udp [7 qps A] [15 qps PTR] 
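The per-source rate accounting behind the output above, written as an added example for this page (it is not dns_flood_detector's own code): it parses the header and first question of constructed DNS query packets, tallies queries per source per stats window (the -w interval), emits one bindsnap-style line per source, and raises an alarm when a source exceeds the threshold (-t), holding further alarms for that source until the reset interval (-a) has elapsed. The packet records, the RFC 5737 documentation addresses, and the reading of -a as a per-source re-alarm delay are assumptions made for the example; in the real tool the packets come from libpcap and the alarm goes to syslog.

```python
# Added example for this page, not dns_flood_detector's own code: per-source DNS
# query-rate accounting with a threshold alarm and hold-down, fed from constructed packets.
import struct
from collections import defaultdict

QTYPE_NAMES = {1: "A", 12: "PTR", 15: "MX", 28: "AAAA"}


def parse_question(payload):
    """Return (qname, qtype) of a DNS query, or None for responses/malformed data."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:      # QR bit set: a response, not a query
        return None
    labels, off = [], 12
    while off < len(payload) and payload[off] != 0:
        length = payload[off]
        off += 1
        if length & 0xC0 or off + length > len(payload):   # no compression in a question
            return None
        labels.append(payload[off:off + length].decode("ascii", "replace"))
        off += length
    if off + 5 > len(payload):              # need the root byte plus QTYPE and QCLASS
        return None
    return ".".join(labels), struct.unpack("!H", payload[off + 1:off + 3])[0]


def build_query(qname, qtype, flags=0x0100):
    """Build a minimal DNS packet; used only to construct the sample capture."""
    name = b"".join(bytes([len(x)]) + x.encode("ascii") for x in qname.split("."))
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


class FloodDetector:
    """Counts queries per source per stats window; alarms above a qps threshold."""

    def __init__(self, threshold_qps, window_secs, hold_down_secs):
        self.threshold = threshold_qps     # -t N: alarm at >N queries per second
        self.window = window_secs          # -w N: calculate stats every N seconds
        self.hold_down = hold_down_secs    # -a N: read here as a per-source re-alarm delay (assumption)
        self.counts = defaultdict(lambda: defaultdict(int))   # src -> counter name -> n
        self.window_start, self.muted_until = None, {}
        self.reports, self.alarms = [], []

    def feed(self, ts, src, proto, payload):
        """Account one captured packet (ts in whole seconds, proto 'udp' or 'tcp')."""
        if self.window_start is None:
            self.window_start = ts
        while ts - self.window_start >= self.window:
            self.close_window()
        parsed = parse_question(payload)
        if parsed is not None:             # responses and junk are not counted
            self.counts[src][proto] += 1
            self.counts[src]["type:" + QTYPE_NAMES.get(parsed[1], str(parsed[1]))] += 1

    def close_window(self):
        """Emit one bindsnap-style line per source, alarm if over threshold, reset counters."""
        now = self.window_start + self.window
        for src in sorted(self.counts):
            c = self.counts[src]
            tcp, udp = c.get("tcp", 0) / self.window, c.get("udp", 0) / self.window
            types = " ".join(f"[{n / self.window:.0f} qps {k[5:]}]"
                             for k, n in sorted(c.items()) if k.startswith("type:"))
            self.reports.append(
                f"[{now}] source [{src}] - {tcp:.0f} qps tcp : {udp:.0f} qps udp {types}")
            if tcp + udp > self.threshold and now >= self.muted_until.get(src, 0):
                self.alarms.append((now, src, tcp + udp))
                self.muted_until[src] = now + self.hold_down
        self.counts.clear()
        self.window_start = now


def sample_capture():
    """Constructed 40 s capture (RFC 5737 addresses): 192.0.2.45 at 24 qps, 198.51.100.2 at 5 qps."""
    a_q, ptr_q = build_query("www.example.com", 1), build_query("45.2.0.192.in-addr.arpa", 12)
    b_q, resp = build_query("mail.example.net", 1), build_query("mail.example.net", 1, 0x8180)
    pkts = []
    for ts in range(40):
        pkts += [(ts, "192.0.2.45", "udp", a_q)] * 8 + [(ts, "192.0.2.45", "udp", ptr_q)] * 16
        pkts += [(ts, "198.51.100.2", "tcp", b_q)] + [(ts, "198.51.100.2", "udp", b_q)] * 4
        if ts == 5:                        # a stray response: parsed, rejected, not counted
            pkts.append((ts, "198.51.100.2", "udp", resp))
    return pkts


def run(threshold=10, window=10, hold_down=30):
    """Replay the sample capture; returns (report lines, alarms as (time, src, qps))."""
    det = FloodDetector(threshold, window, hold_down)
    for ts, src, proto, payload in sample_capture():
        det.feed(ts, src, proto, payload)
    det.close_window()                     # flush the final window
    return det.reports, det.alarms


if __name__ == "__main__":
    reports, alarms = run()
    print("\n".join(reports + [f"[{t}] ALARM source [{s}] at {q:.0f} qps" for t, s, q in alarms]))
```

With the defaults (-t 10, -w 10, -a 30) the replay reports both sources every 10 seconds, alarms on 192.0.2.45 at the close of the first window, stays quiet for the next two windows while the hold-down is in force, and alarms again once it expires; 198.51.100.2 never crosses the threshold. The hold-down matters in practice because a real flood exceeds the threshold in every window, and without it the syslog channel would carry one alarm per window per source.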


Where do I get it?

Right here, of course!
Download current version (1.10) of dnsflood.tgz

Thanks to Larry Long for the RPM and SRPM packages (1.08 at the moment).



What if I have questions?
You can e-mail me at dopacki@adotout.com

Want to know more about me?
Dennis's resume

Links to other projects of mine
Echoart v0.1 (ASCII art over ICMP)
Netmatrix v0.2 (network monitoring)
Disconnect.cgi (Cisco RAS management)