[dns-operations] DoS with amplification: yet another funny Unix script

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Sep 5 14:51:12 UTC 2012

A friend sent me the script he uses against DNS DoS attacks by
reflection+amplification. I reject any responsibility for it but I
found it cute and geeky :-)

It uses tcpdump + typical Unix tools to automatically detect IP
addresses used in such attacks and block them (not something I

tcpdump -t -s 0 -n -c 200 src port 53 and greater 1400 2> /dev/null \
| awk '/RRSIG/ && /DNSKEY/ && /Type51/' \
| sed -e 's/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\.[0-9]*/\1/g' -e 's/:[0-9]*\*-.*//' \
| sort \
| uniq -c \
| awk '$1 > 40 {print $5}' \
| while read i
do
        echo "$i"
        pfctl -t flood -T add "$i" 2>/dev/null
done

pfctl is a BSD-specific command which controls the firewall. The table
"flood" is configured:

table <flood> persist
block in quick on $if from <flood> to $if

Porting to IPv6 is left as an exercise.

It runs on an old FreeBSD, hence the Type51 instead of NSEC3PARAM.
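
Added example, not part of the original post or of the script it quotes: the counting step rewritten so that one filter handles both IPv4 and IPv6 lines (the sed expression above only matches dotted-quad addresses), and so that only address-shaped strings are ever passed on to the firewall command. The function names are hypothetical and the capture lines are constructed, modelled on `tcpdump -t -n` output.

```shell
#!/bin/sh
# flood_candidates MIN
# Reads `tcpdump -t -n` lines on stdin and prints each destination address
# that received more than MIN matching responses. It works for both "IP" and
# "IP6" lines because the port is always the last dot-separated part of
# the "addr.port:" field.
flood_candidates() {
    awk -v min="$1" '
        ($1 == "IP" || $1 == "IP6") && $3 == ">" &&
        /RRSIG/ && /DNSKEY/ && /Type51|NSEC3PARAM/ {
            dst = $4
            sub(/:$/, "", dst)           # colon tcpdump appends to the dst
            sub(/\.[0-9]+$/, "", dst)    # trailing .port
            # Only address characters may reach the firewall command.
            if (dst ~ /^[0-9A-Fa-f:.]+$/) count[dst]++
        }
        END { for (a in count) if (count[a] > min + 0) print a }
    ' | LC_ALL=C sort
}

# Constructed sample: 45 large responses to one IPv4 and one IPv6
# destination, plus a single response to a third destination.
sample_capture() {
    i=0
    while [ "$i" -lt 45 ]; do
        echo "IP 192.0.2.53.53 > 203.0.113.7.$((40000 + i)): $((1000 + i))*- 4/0/1 DNSKEY, DNSKEY, RRSIG, Type51 (1460)"
        echo "IP6 2001:db8::53.53 > 2001:db8:1::7.$((40000 + i)): $((1000 + i))*- 4/0/1 DNSKEY, DNSKEY, RRSIG, NSEC3PARAM (1460)"
        i=$((i + 1))
    done
    echo "IP 192.0.2.53.53 > 198.51.100.9.5353: 7*- 4/0/1 DNSKEY, RRSIG, Type51 (1460)"
}

# On the real system the output would feed the same table as above:
#   ... | flood_candidates 40 | while read -r a; do pfctl -t flood -T add "$a"; done
sample_capture | flood_candidates 40
```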
