[dns-operations] PCAP based detector of malicious DNS traffic

bert hubert bert.hubert at netherlabs.nl
Fri Jun 27 07:00:04 UTC 2014


In addition to Nick Urbanik's work, which is log file based, we've also
provided some tooling to detect the originators and domains in the recent
flood of malicious DNS traffic based on PCAP files.

From our mailing list post to pdns-users yesterday:

"Secondly, the botnet mitigation code in Recursor 3.6.0 is holding up well,
but we still see A Lot of malicious DNS traffic.  To determine exactly which
users are attacking your recursor with such traffic, we've enhanced
'dnsscope' (one of our DNS analysis tools) with the --servfail-tree option. 
This option generates a per-domain suffix list of IP addresses sending
servfail-generating traffic.

A provisional document for how to benefit from --servfail-tree and use it to
configure bulk IP blocking based on ipset can be found on:


This also includes links on where to download binary packages of dnsscope.
Note by the way that the instructions are not PowerDNS specific, and will
also help you protect other nameservers."

The output of the tool is, like Nick's work, a list of domain names and
additionally the set of IP addresses sending traffic to those domains.


On Fri, Jun 27, 2014 at 12:25:43PM +1000, Nick Urbanik wrote:
> On 20/06/14 16:07 +1000, Nick Urbanik wrote:
> >Our DNS caches are subject to a massive load of queries which resulted
> >initially in SERVFAIL.  The pattern is a parent DNS domain, with
> >queries for tens of thousands of apparently randomly generated
> >subdomains all initially resulting in SERVFAIL.
> >
> >I have written code to analyse the query-errors log to detect these
> >patterns and blackhole the entire domain automatically.  I can tidy
> >the code up and make it freely available if there is sufficient
> >interest.
> The code is now available at http://nicku.org/software/#dns-malware-blocker
> Feedback welcome.
> -- 
> Nick Urbanik http://nicku.org 808-71011 nick.urbanik at optusnet.com.au
> GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24  ID: BB9D2C24
> I disclaim, therefore I am.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
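As an added illustration, not code from either poster's tool, here is a Python sketch of the log-side detection both messages describe: queries are grouped by parent suffix, a suffix with many distinct names that (almost) all end in SERVFAIL is flagged, and the client IPs that sent them are emitted in a form `ipset restore` can load. The "client qname rcode" log format, the thresholds and the set name are assumptions; the sample lines are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed sample lines in the shape "client_ip qname rcode"; the random-looking
# labels under victim.example mimic the flood described in the thread.
def _pseudo_random_label(i):
    return "x%03d%s" % (i, hashlib.sha256(str(i).encode()).hexdigest()[:6])

SAMPLE_LINES = (
    ["192.0.2.%d %s.victim.example. SERVFAIL" % (10 + i % 5, _pseudo_random_label(i))
     for i in range(60)]
    + ["198.51.100.7 www.example.net. NOERROR"] * 20
    + ["198.51.100.8 mail.example.net. SERVFAIL"]
)

def parent_suffix(qname, keep=2):
    """Return the trailing `keep` labels of qname: the zone the random names hang under."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-keep:])

def servfail_tree(lines, min_names=50, min_ratio=0.9):
    """Aggregate per parent suffix; flag suffixes carrying many distinct names that
    (almost) all end in SERVFAIL, and list the client IPs that sent them."""
    stats = defaultdict(lambda: {"names": set(), "total": 0, "servfail": 0, "clients": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on a partial log
        client, qname, rcode = parts
        s = stats[parent_suffix(qname)]
        s["names"].add(qname.rstrip(".").lower())
        s["total"] += 1
        if rcode == "SERVFAIL":
            s["servfail"] += 1
            s["clients"].add(client)
    report = {}
    for suffix, s in stats.items():
        ratio = s["servfail"] / s["total"]
        if len(s["names"]) >= min_names and ratio >= min_ratio:
            report[suffix] = {"distinct_names": len(s["names"]),
                              "servfail_ratio": round(ratio, 2),
                              "clients": sorted(s["clients"])}
    return report

def ipset_restore_lines(report, setname="dns-flooders"):
    """Render the flagged client IPs as 'add' lines consumable by `ipset restore`."""
    ips = sorted({ip for entry in report.values() for ip in entry["clients"]})
    return ["add %s %s" % (setname, ip) for ip in ips]
```

The legitimate example.net traffic, including its single SERVFAIL, stays below both thresholds, so only the flooded suffix and its five sending addresses are reported.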
