[dns-operations] DoS with amplification: yet another funny Unix script

Paul Vixie paul at redbarn.org
Mon Sep 10 17:48:40 UTC 2012


On 9/10/2012 2:41 PM, Laurent Frigault wrote:
> On Wed, Sep 05, 2012 at 04:51:12PM +0200, Stephane Bortzmeyer wrote:
>> A friend sent me the script he uses against DNS DoS attacks by
>> reflection+amplification. I reject any responsibility for it but I
>> found it cute and geeky :-)

it is cute, geeky, and dangerously oversimplistic.

>> It uses tcpdump + typical Unix tools to automatically detect IP
>> addresses used in such attacks and block them (not something I
>> endorse).
>>
>> tcpdump -t -s 0 -n -c 200 src port 53 and greater 1400 2> /dev/null \
>> | awk '/RRSIG/ && /DNSKEY/ && /Type51/' \
>> | sed -e 's/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\.[0-9]*/\1/g' -e 's/:[0-9]*\*-.*//' \
>> | sort \
>> | uniq -c \
>> | awk '$1 > 40 {print $5}' \
>> | while read i
>> do
>>         echo $i
>>         pfctl -t flood -T add $i 2>/dev/null
>> done

this has the three obvious flaws of all packet-based answers to dns ddos
filtering: it can be fooled by fragmentation, it is hard-wired to a
specific (and easily varied) attack pattern, and it blocks all responses
to the source even those not part of the attack.

> Instead of working on the DNS answer, I try a modified version based on
> the query on one of my DNS servers :
>
> #!/bin/sh
>
> /sbin/pfctl -t floodDNS -T expire 86400  2>/dev/null
>
> /usr/sbin/tcpdump -tnp -s0 -c 5000 dst port 53 2>/dev/null \
> | /usr/bin/egrep '^IP .* ANY\? ' \
> | /usr/bin/sed -e 's/^IP \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\.[0-9]* >.*/\1/g' \
> | /usr/bin/sort \
> | /usr/bin/uniq -c \
> | /usr/bin/awk '$1 > 100 {print $2}' \
> | while read i
> do
>         echo $i
>         /sbin/pfctl -t floodDNS -T add $i 2>/dev/null
> done

please don't do, or promulgate, this. ddos filtering in order to do more
good than harm has to be based on the attack's answer, not on its query.
see also the three flaws identified above, which also apply here. (so,
your approach has four, adding one.)

vernon schryver and i explain this in the technical note at
<http://www.redbarn.org/dns/ratelimits/>.

paul
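As an added illustration of the answer-based approach argued for above (example code for this thread, not the implementation in the redbarn technical note and not one of the scripts quoted here): a toy limiter that keys on the client's /24 plus the content of the response, so the repeated amplified answer is throttled while other answers to the same netblock still go out. The sample traffic is constructed, and the limit of 5 identical responses per second is an arbitrary assumption.

```python
from collections import defaultdict, deque
import ipaddress


def response_key(client_ip, qname, qtype, rcode):
    """Identity of an outgoing response: the client's /24 plus what the
    answer is. Different answers to the same client get different keys,
    so limiting the repeated amplified one leaves the others alone."""
    net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
    return (str(net), qname.lower().rstrip("."), qtype, rcode)


class ResponseRateLimiter:
    """Sliding-window limiter on identical responses per client netblock."""

    def __init__(self, limit=5, window=1.0):
        self.limit = limit      # identical responses allowed per window (assumed)
        self.window = window    # window length in seconds
        self.history = defaultdict(deque)  # key -> timestamps of sends

    def decide(self, client_ip, qname, qtype, rcode, now):
        """Return 'send' or 'drop' for one response the server is about
        to emit at time `now` (seconds)."""
        key = response_key(client_ip, qname, qtype, rcode)
        sent = self.history[key]
        while sent and now - sent[0] >= self.window:
            sent.popleft()          # forget sends outside the window
        if len(sent) >= self.limit:
            return "drop"
        sent.append(now)
        return "send"


# Constructed sample: 20 responses to spoofed ANY queries, 50 ms apart,
# plus two ordinary A lookups from a neighbour in the same /24 meanwhile.
SAMPLE = (
    [(0.05 * i, "192.0.2.7", "example.", "ANY", "NOERROR") for i in range(20)]
    + [(0.31, "192.0.2.9", "www.example.", "A", "NOERROR"),
       (0.72, "192.0.2.9", "mail.example.", "A", "NOERROR")]
)


def run(sample, limit=5):
    """Feed responses through the limiter in time order and collect the
    decision sequence per (client, qname, qtype)."""
    rrl = ResponseRateLimiter(limit=limit)
    decisions = {}
    for now, client, qname, qtype, rcode in sorted(sample):
        verdict = rrl.decide(client, qname, qtype, rcode, now)
        decisions.setdefault((client, qname, qtype), []).append(verdict)
    return decisions
```

Compare with the quoted scripts, which add the whole source address to a pf table: here only the repeated identical answer is dropped, and the neighbour's unrelated lookups from the same /24 are still answered.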
