[dns-operations] PCAP based detector of malicious DNS traffic
sthaug at nethelp.no
sthaug at nethelp.no
Fri Jun 27 08:40:13 UTC 2014
> In addition to Nick Urbanik's work, which is log file based, we've also
> provided some tooling to detect the originators and domains in the recent
> flood of malicious DNS traffic based on PCAP files.
>
> >>From our mailing list post to pdns-users yesterday:
>
> "Secondly, the botnet mitigation code in Recursor 3.6.0 is holding up well,
> but we still see A Lot of malicious DNS traffic. To determine exactly which
> users are attacking your recursor with such traffic, we've enhanced
> 'dnsscope' (one of our DNS analysis tools) with the --servfail-tree option.
> This option generates a per-domain suffix list of IP addresses sending
> servfail-generating traffic.
>
> A provisional document for how to benefit from --servfail-tree and use it to
> configure bulk IP blocking based on ipset can be found on:
>
> https://gist.github.com/ahupowerdns/53c9ec191f9b32803392
>
> This also includes links on where to download binary packages of dnsscope.
> Note by the way that the instructions are not PowerDNS specific, and will
> also help you protect other nameservers."
>
> The output of the tool is, like Nick's work, a list of domain names and
> additionally the set of IP addresses sending traffic to those domains.
Is dnsscope available for other OSes, e.g. FreeBSD?
Steinar Haug, AS 2116
More information about the dns-operations
mailing list