[dns-operations] DoS with amplification: yet another funny Unix script
Laurent Frigault
lolo at troll.free.org
Mon Sep 10 14:41:11 UTC 2012
On Wed, Sep 05, 2012 at 04:51:12PM +0200, Stephane Bortzmeyer wrote:
> A friend sent me the script he uses against DNS DoS attacks by
> reflection+amplification. I reject any responsibility for it but I
> found it cute and geeky :-)
>
> It uses tcpdump + typical Unix tools to automatically detect IP
> addresses used in such attacks and block them (not something I
> endorse).
>
> tcpdump -t -s 0 -n -c 200 src port 53 and greater 1400 2> /dev/null \
> | awk '/RRSIG/ && /DNSKEY/ && /Type51/' \
> | sed -e 's/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\.[0-9]*/\1/g' -e 's/:[0-9]*\*-.*//' \
> | sort \
> | uniq -c \
> | awk '$1 > 40 {print $5}' \
> | while read i
> do
> echo $i
> pfctl -t flood -T add $i 2>/dev/null
> done
Instead of working on the DNS answer, I am trying a modified version,
based on the query, on one of my DNS servers:
#!/bin/sh
# Expire table entries older than a day, so a block is not permanent.
/sbin/pfctl -t floodDNS -T expire 86400 2>/dev/null
# Sample 5000 incoming queries, keep only the ANY ones, extract the source
# IPv4 address, and add every source that sent more than 100 of them to the
# pf table used by the filtering rule.
/usr/sbin/tcpdump -tnp -s0 -c 5000 dst port 53 2>/dev/null \
| /usr/bin/egrep '^IP .* ANY\? ' \
| /usr/bin/sed -e 's/^IP \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\.[0-9]* >.*/\1/g' \
| /usr/bin/sort \
| /usr/bin/uniq -c \
| /usr/bin/awk '$1 > 100 {print $2}' \
| while read -r i
do
    echo "$i"
    /sbin/pfctl -t floodDNS -T add "$i" 2>/dev/null
done
--
Laurent Frigault | Free.org
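The query-side detector from the message above, as an added example that is not part of the original post: the grep/sed/sort/uniq/awk stage is factored into a function that reads tcpdump text on standard input, so it can be exercised offline against constructed sample lines before being wired to a live capture and to pfctl. It assumes the `tcpdump -tn` line format `IP a.b.c.d.port > w.x.y.z.53: ...` (IPv4 only, as in the original); the threshold is a parameter rather than the fixed 100, and the sample lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not the list post's own script). Assumes tcpdump -tn output
# lines of the form "IP a.b.c.d.port > w.x.y.z.53: id+ ANY? name. (len)".

# Print the IPv4 sources that sent more than $1 (default 100) ANY queries in
# whatever tcpdump text is supplied on stdin.
flood_sources() {
    threshold="${1:-100}"
    grep -E '^IP .* ANY\? ' \
    | sed -e 's/^IP \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\.[0-9]* >.*/\1/' \
    | sort \
    | uniq -c \
    | awk -v t="$threshold" '$1 > t {print $2}'
}

# Constructed sample (not a real capture): one source repeats an ANY query
# for a DNSSEC-signed zone, a legitimate resolver asks for an A record and
# sends a single ANY query.
SAMPLE_LINES='IP 203.0.113.7.53124 > 192.0.2.1.53: 4711+ ANY? example.org. (29)
IP 203.0.113.7.53124 > 192.0.2.1.53: 4711+ ANY? example.org. (29)
IP 203.0.113.7.53124 > 192.0.2.1.53: 4711+ ANY? example.org. (29)
IP 198.51.100.9.41023 > 192.0.2.1.53: 1234+ A? www.example.org. (33)
IP 198.51.100.9.41024 > 192.0.2.1.53: 1235+ ANY? example.org. (29)'

# Run the detector over the sample with a low threshold of 2: only the
# repeating source 203.0.113.7 should trip it.
detect_sample() {
    printf '%s\n' "$SAMPLE_LINES" | flood_sources 2
}

# Live use on a pf host would be the original pipeline with the function
# spliced in (left as a comment so the example runs without root or pf):
#   tcpdump -tnp -s0 -c 5000 dst port 53 2>/dev/null | flood_sources 100 \
#   | while read -r i; do pfctl -t floodDNS -T add "$i"; done
detect_sample
```

Testing the stage that decides what gets blocked against a canned capture is worth the few minutes: the 5000-packet sample size and the per-sample threshold are the whole false-positive story, and with threshold 0 the same sample also flags the legitimate resolver, which is the caveat with blocking on ANY counts alone.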