DNS Flood Detector 1.2
Dennis Opacki
dopacki@adotout.com


What is DNS Flood Detector?

DNS Flood Detector was developed to detect abusive usage levels on high
traffic nameservers and to enable quick response to the use of one's
nameserver to facilitate spam. DNS Flood Detector is distributed under the
GNU General Public License (see included LICENSE file for details).

How does it work?

DNS Flood Detector uses libpcap (in non-promiscuous mode) to monitor
incoming DNS queries to a nameserver. The tool may be run in one of two
modes, either daemon mode or "bindsnap" mode. In daemon mode, the tool
will alarm via syslog. In bindsnap mode, the user is able to get
near-real-time stats on usage to aid in more detailed troubleshooting.
By default, it will count DNS queries directed to any address in the same
network as the primary IP address on the interface being watched; the -A,
-M, and -Q options can be used to modify this behaviour.

As of version 1.2, DNS Flood Detector can send source IP request
data to a network-based collector as JSON. This lets you gather near
real-time information about who is using your DNS servers, and from
where. I've included a sample application called dns_flood_collector.pl,
which you can use to receive and report these data. The output of this
program can be easily fed into a graphing tool, such as CAIDA's
plot-latlong:

http://www.caida.org/tools/visualization/plot-latlong/

How do I build it?

Execute ./configure.pl to select the appropriate make target. Then simply
type "make".

Why was it written?

I wrote DNS Flood Detector because the fifty or so public recursive 
nameservers I am responsible for were being abused by both customers and 
non-customers. DNS Flood Detector allows for prompt action when anomalous 
conditions are detected. 

What do I need to use it?

You need libpcap and a little bit of patience.

What platforms does it work on?

Linux, BSDI, FreeBSD, Mac OS X, Solaris

Will it run under Windows {95,98,NT,2000,XP,2003,2008 or Win7}?

Maybe. I haven't tried. If it doesn't, feel free to submit a fix. 

What does it look like?

Usage: ./dns_flood_detector [OPTION]

-i IFNAME              specify interface to listen on
-t N                   alarm at >N queries per second
-a N                   reset alarm after N seconds
-w N                   calculate stats every N seconds
-x N                   create N buckets
-m N                   mark total query rate every N seconds
-A addr                filter for specific address
-M mask                netmask for filter (in conjunction with -A)
-Q                     don't filter by local interface address
-b                     run in foreground in bindsnap mode
-d                     run in background in daemon mode
-D                     dump DNS packets (implies -b)
-v                     verbose output - use again for more verbosity
-s                     send source IP stats to collector as JSON
-z N.N.N.N             address to send stats to (default 226.1.1.2)
-p N                   UDP port to send stats to (default 2000)
-h                     display this usage information

Sample Output:

dopacki:~$ sudo ./dns_flood_detector -v -v -b -t10
[15:14:56] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR] 
[15:14:56] source [10.0.24.2] - 0 qps tcp : 15 qps udp [15 qps A] 
[15:15:06] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR] 
[15:15:06] source [10.0.24.2] - 0 qps tcp : 15 qps udp [14 qps A] 
[15:15:16] source [192.168.1.45] - 0 qps tcp : 23 qps udp [7 qps A] [15 qps PTR] 
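Because the bindsnap output is line-oriented, it is easy to feed into other tooling. The following is an added example, not part of DNS Flood Detector, that parses those lines and flags sources whose peak (tcp + udp) query rate exceeds a threshold, mirroring the -t N semantics; the sample lines are the ones from the output above, and the threshold value is an assumption.

```python
import re
from collections import defaultdict

# One bindsnap line, as shown in the sample output above:
# [HH:MM:SS] source [IP] - N qps tcp : N qps udp [N qps TYPE] ...
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}:\d{2}:\d{2})\] source \[(?P<src>[^\]]+)\] - "
    r"(?P<tcp>\d+) qps tcp : (?P<udp>\d+) qps udp(?P<types>.*)$"
)
# Per-record-type breakdown, e.g. "[8 qps A]" or "[16 qps PTR]"
TYPE_RE = re.compile(r"\[(\d+) qps ([A-Z0-9]+)\]")


def parse_line(line):
    """Parse one bindsnap line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "tcp": int(m.group("tcp")),
        "udp": int(m.group("udp")),
        "types": {t: int(n) for n, t in TYPE_RE.findall(m.group("types"))},
    }
    rec["total"] = rec["tcp"] + rec["udp"]
    return rec


def offenders(lines, threshold):
    """Return {src: peak_total_qps} for sources whose peak rate exceeded
    threshold (same rule as -t N: alarm at >N queries per second)."""
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not bindsnap stats
        peak[rec["src"]] = max(peak[rec["src"]], rec["total"])
    return {src: q for src, q in peak.items() if q > threshold}


# Sample lines copied from the README's sample output
SAMPLE = """\
[15:14:56] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:14:56] source [10.0.24.2] - 0 qps tcp : 15 qps udp [15 qps A]
[15:15:06] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:15:06] source [10.0.24.2] - 0 qps tcp : 15 qps udp [14 qps A]
[15:15:16] source [192.168.1.45] - 0 qps tcp : 23 qps udp [7 qps A] [15 qps PTR]
"""

if __name__ == "__main__":
    for src, qps in sorted(offenders(SAMPLE.splitlines(), 20).items()):
        print(f"ALERT {src} peaked at {qps} qps")  # assumed threshold of 20
```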

What if I have questions?

You can e-mail me at dopacki@adotout.com