[dns-operations] DoS with amplification: yet another funny Unix script

Mathieu Arnold mat at mat.cc
Mon Sep 10 09:19:37 UTC 2012

+--On 10 septembre 2012 10:21:30 +0200 "Marco Davids (SIDN)"
<marco.davids at sidn.nl> wrote:
| On 09/05/12 16:51, Stephane Bortzmeyer wrote:
|> A friend sent me the script he uses against DNS DoS attacks by
|> reflection+amplification. I reject any responsibility for it but I
|> found it cute and geeky :-)
| It is.

I did not know of any tool that could do this; tcpdump (and no, Stéphane,
it's FreeBSD 8.3, so not old at all, though the shipped tcpdump (4.0)
may be a bit old) seemed the "right" choice :-)

I also have a daily "/sbin/pfctl -t flood -T expire 86400" to tidy up a bit.

Right now, the table has about 23k entries. The good thing is that "they"
only use 2 of my 4 name servers, so collateral would still be able to
resolve the domains we serve.

| 'DNS flood detector' also is a nice tool that may come in handy sooner
| or later (available as a package under Debian/Ubuntu):
| http://www.adotout.com/

I'll have a look, see if it's in the FreeBSD's ports tree.

Mathieu Arnold
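An added example, not the script from the thread, of the detect-and-block flow the message describes: a POSIX shell function that counts DNS queries per source address in tcpdump output and emits the pfctl commands for the "flood" table, including the daily expire. The sample capture lines, the threshold, the capture filter and the pf.conf rule are assumptions; only the table name and the expire command come from the message.

```shell
#!/bin/sh
# Added example, not the script from the thread. Reads tcpdump-style DNS
# query lines, counts queries per source address and lists the sources that
# exceed a threshold, in the form a cron job would feed to the pf table
# "flood" mentioned above (pfctl -t flood -T add ...). Remember that the
# sources of a reflection attack are the spoofed victims, so the daily
# "pfctl -t flood -T expire 86400" is what limits the collateral damage.

# Constructed sample capture in the tcpdump 4.x "IP src.port > dst.port:" form.
SAMPLE_CAPTURE='09:19:37.000001 IP 192.0.2.10.53211 > 198.51.100.1.53: 1+ ANY? example.net. (29)
09:19:37.000002 IP 192.0.2.10.53211 > 198.51.100.1.53: 2+ ANY? example.net. (29)
09:19:37.000003 IP 192.0.2.10.53211 > 198.51.100.1.53: 3+ ANY? example.net. (29)
09:19:37.000004 IP 203.0.113.5.40001 > 198.51.100.1.53: 4+ A? www.example.net. (33)
09:19:37.000005 IP6 2001:db8::1.5000 > 2001:db8::53.53: 5+ ANY? example.net. (29)
09:19:37.000006 IP6 2001:db8::1.5000 > 2001:db8::53.53: 6+ ANY? example.net. (29)'

# flood_sources LIMIT  (capture on stdin)
# Prints "count address" for every source with at least LIMIT queries.
flood_sources() {
  awk -v limit="$1" '
    $2 == "IP" || $2 == "IP6" {
      src = $3
      sub(/\.[0-9]+$/, "", src)        # strip the source port, v4 or v6
      count[src]++
    }
    END {
      for (ip in count)
        if (count[ip] >= limit) print count[ip], ip
    }' | sort -rn
}

# flood_block_commands LIMIT  (capture on stdin)
# Prints, rather than runs, the pfctl commands so the example stays offline.
# The table is assumed to be referenced by a pf.conf rule such as
#   block in quick proto udp from <flood> to any port 53
flood_block_commands() {
  flood_sources "$1" | while read -r n ip; do
    printf '/sbin/pfctl -t flood -T add %s    # %s queries\n' "$ip" "$n"
  done
  # the daily tidy-up from the message above
  printf '/sbin/pfctl -t flood -T expire 86400\n'
}

# Stand-alone run on the sample; a live run would pipe in
#   tcpdump -nn -l udp dst port 53      (assumed capture filter)
printf '%s\n' "$SAMPLE_CAPTURE" | flood_block_commands 3
```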

