[dns-operations] DoS with amplification: yet another funny Unix script
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Sep 5 14:51:12 UTC 2012
A friend sent me the script he uses against DNS DoS attacks by
reflection+amplification. I reject any responsibility for it but I
found it cute and geeky :-)
It uses tcpdump + typical Unix tools to automatically detect IP
addresses used in such attacks and block them (not something I
endorse).
# Capture 200 answers leaving port 53 that are bigger than 1400 bytes
# (the large DNSSEC responses an amplification attack asks for).
tcpdump -t -s 0 -n -c 200 src port 53 and greater 1400 2> /dev/null |
    # Keep only the answers carrying DNSKEY, RRSIG and NSEC3PARAM (Type51).
    awk '/RRSIG/ && /DNSKEY/ && /Type51/' |
    # Drop the port from every "a.b.c.d.port", then everything from the
    # query ID and flags ("12345*-") onwards, leaving "IP src > dst"
    # (the space after the colon is optional so the match does not
    # depend on the exact tcpdump output format).
    sed -e 's/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\.[0-9]*/\1/g' -e 's/: *[0-9]*\*-.*//' |
    # Count answers per destination; in "count IP src > dst" field 5 is
    # the destination, i.e. the spoofed victim when the count is high.
    sort | uniq -c |
    awk '$1 > 40 {print $5}' |
    while read -r i
    do
        echo "$i"
        # Put the address in the pf table <flood>.
        pfctl -t flood -T add "$i" 2>/dev/null
    done
pfctl is a BSD-specific command which controls the firewall. The table
"flood" is configured:
table <flood> persist
block in quick on $if from <flood> to $if
Porting to IPv6 is left as an exercise.
It runs on an old FreeBSD, hence the Type51 instead of NSEC3PARAM.
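The same detection, as an added example that is not the script from the post and not the friend's code: it keeps the filter and the "more than 40 of 200 answers to one destination" threshold, but does the address parsing in awk on the "src > dst:" fields instead of sed on dotted quads, so it also handles the IPv6 case the post leaves as an exercise, and it matches both "Type51" (old tcpdump) and "NSEC3PARAM" (newer tcpdump). The capture it runs on is constructed inline (documentation addresses 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32); the threshold argument, the PF_APPLY switch and the function names are assumptions made for this example, not anything from the original.

```shell
#!/bin/sh
# Added example, not the original post's script. Everything below the
# tcpdump-format sample is an assumption made for illustration.

# Constructed sample of "tcpdump -t -n" output from an authoritative server
# answering ANY with large DNSSEC responses. 203.0.113.9 (IPv4) and
# 2001:db8::9 (IPv6) are spoofed victims "receiving" 45 answers each;
# 198.51.100.5 is a legitimate validating resolver that asked three times.
make_sample() {
    i=0
    while [ "$i" -lt 45 ]; do
        printf 'IP 192.0.2.53.53 > 203.0.113.9.%d: %d*- 9/0/0 DNSKEY, RRSIG, Type51 (2000)\n' $((1024 + i)) $((1000 + i))
        printf 'IP6 2001:db8::53.53 > 2001:db8::9.%d: %d*- 9/0/0 DNSKEY, RRSIG, Type51 (2000)\n' $((2048 + i)) $((3000 + i))
        i=$((i + 1))
    done
    j=0
    while [ "$j" -lt 3 ]; do
        printf 'IP 192.0.2.53.53 > 198.51.100.5.%d: %d*- 9/0/0 DNSKEY, RRSIG, Type51 (2000)\n' $((53000 + j)) $((4000 + j))
        j=$((j + 1))
    done
    # A big answer that is not the DNSSEC ANY pattern; the filter ignores it.
    printf 'IP 192.0.2.53.53 > 203.0.113.9.5555: 7*- 1/0/0 TXT[|domain] (1500)\n'
}

# Print every destination that received more than $1 (default 40) of the
# captured large DNSSEC answers, i.e. the spoofed victim addresses.
# Field 4 of "IP src > dst: id flags ..." is the destination with its port,
# for IPv4 ("203.0.113.9.4242:") and IPv6 ("2001:db8::9.2048:") alike.
flood_candidates() {
    awk -v t="${1:-40}" '
        /RRSIG/ && /DNSKEY/ && /Type51|NSEC3PARAM/ {
            dst = $4
            sub(/:$/, "", dst)         # drop the trailing colon
            sub(/\.[0-9]+$/, "", dst)  # drop the UDP port, leaving the address
            n[dst]++
        }
        END { for (d in n) if (n[d] > t) print d }
    ' | LC_ALL=C sort
}

# Feed the candidates to pf. By default this only prints what it would do;
# set PF_APPLY=1 on a pf host to really add the addresses to the <flood> table.
add_to_flood_table() {
    while read -r ip; do
        if [ "${PF_APPLY:-0}" = 1 ]; then
            pfctl -t flood -T add "$ip" 2>/dev/null
        else
            printf 'would run: pfctl -t flood -T add %s\n' "$ip"
        fi
    done
}

# Stand-alone dry run on the constructed capture. For real use replace
# make_sample with: tcpdump -t -s 0 -n -c 200 src port 53 and greater 1400 2>/dev/null
make_sample | flood_candidates 40 | add_to_flood_table
```

Counting per destination in awk instead of sort|uniq -c also means the threshold can be passed in, which matters because 40 of 200 packets is only meaningful for the capture size and traffic level of the box it was tuned on.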