Commit 63b4b0fa authored by waja's avatar waja
Browse files

Imported Upstream version 1.20

parent 912e105e
DNS FLood Detector 1.12
DNS FLood Detector 1.2
Dennis Opacki
......@@ -21,6 +21,16 @@ By default, it will count dns queries directed to any address in the same
network as the primary IP address on the interface being watched; the -A,
-M, and -Q options can be used to modify this behaviour.
As of version 1.2, DNS Flood Detector can now send source IP request
data to a network-based collector as JSON. This lets you gather near
real-time information about who is using your DNS servers, and from
where. I've included a sample application called,
which you can use to receive and report these data. The output of this
program can be easily fed into a graphing tool, such as Caida's
How do I build it?
Execute ./ to select the appropriate make target. Then simply
......@@ -41,7 +51,7 @@ What platforms does it work on?
Linux, BSDI, FreeBSD, Mac OSX, Solaris
Will it run under Windows {95,98,NT,2000,XP}?
Will it run under Windows {95,98,NT,2000,XP,2003,2008 or Win7}?
Maybe. I haven't tried. If it doesn't, feel free to submit a fix.
......@@ -62,6 +72,9 @@ Usage: ./dns_flood_detector [OPTION]
-d run in background in daemon mode
-D dump dns packets (implies -b)
-v verbose output - use again for more verbosity
-s send source IP stats to collector as JSON
-z N.N.N.N address to send stats to (default
-p N UDP port to send stats to (default 2000)
-h display this usage information
Sample Output:
use strict;
use threads;
use threads::shared;
use Sys::Syslog;
use Data::Dumper;
use Getopt::Long;
use POSIX;
use IO::Socket::Multicast;
use JSON;
# Native Maxmind library -
# requires:
use Geo::IP;
# set these to the same port and multicast (or unicast) address as the detector
use constant GROUP => '';
use constant PORT => '2000';
my %ipc_source :shared;
my %ipc_customer :shared;
my $time_to_die :shared = 0;
my $debug;
my $foreground=0;
# determines how often you want to aggregage and write-out stats dumps
my $interval = 60;
# you can get the binary format GeoLiteCity.dat from Maxmind
my $gi = Geo::IP->open("/usr/local/GeoLiteCity.dat",GEOIP_MEMORY_CACHE | GEOIP_CHECK_CACHE);
# adjust this to the path where you want to keep the
sub PATH {'/tmp/'}
"debug" => \$debug,
"foreground" => \$foreground,
"interval=s" => \$interval,
sub main() {
# daemonize unless running in foreground
unless ($foreground){
# prepare data acquisition thread
while (! $time_to_die ) {
# record time started to help evenly space runs
my $start_run = time();
my $next_run = $start_run + $interval;
# de-serialize latest copy of source address structure
# execute this in a isolated scope so that lock goes out of scope
my $source_distance;
# lock data structure to prevent other thread from updating it
# open coordinates file for graph generation
open(CRDS, ">".PATH."/coords.txt.tmp");
# calculate great circle distance between each source IP and local POP
foreach my $key (keys %ipc_source) {
eval {
my $r = $gi->record_by_addr($key);
# write raw entry to coordinates file
print CRDS $key.",".$ipc_source{$key}.",".$r->latitude.",".$r->longitude."\n";
if ($@) {
print CRDS $key.",".$ipc_source{$key}.",0,0\n";
# close coordinate file
close CRDS;
system("mv ".PATH."/coords.txt.tmp ".PATH."/coords.txt");
# clean out structure for next sample period
%ipc_source = ();
# sleep to make the interval
while((my $time_left = ($next_run - time())) > 0) {
# fetch data from UDP multicast
sub get_data() {
# set up our multicast listener
# note: this will receive unicast fine too
my $sock = IO::Socket::Multicast->new(LocalPort=>PORT,ReuseAddr=>1);
$sock->mcast_add(GROUP) || die "Couldn't set group: $!\n";
while ( ! $time_to_die ) {
my $data;
next unless $sock->recv($data,1500);
# decode JSON
eval {
my $obj = decode_json $data;
print Dumper $obj;
foreach my $ip (keys %{$obj->{data}}) {
my $count = $obj->{data}->{$ip};
# done!
# daemonize application
sub daemonize {
chdir '/' or die "Can't chdir to /: $!";
open STDIN, '/dev/null' or die "Can't read /dev/null: $!";
open STDOUT, '>/dev/null';
# fork and exit parent
my $pid = fork();
exit if $pid;
die "Couldn't fork: $!" unless defined ($pid);
POSIX::setsid() || die ("$0 can't start a new session: $!");
open STDERR, '>&STDOUT' or die "Can't dup stdout: $!";
# signal handlers
$SIG{KILL} = \&handler;
sub handler {
$time_to_die = 1;
This diff is collapsed.
......@@ -30,6 +30,13 @@
#define NS_MAXDNAME 1025
#define MAXSYSLOG 192
#define MAXMESSAGE 1200
#define MAXDATALET 64
#define MAXHEAD 300
#define MAX_TIME_LEN 20
#define DEFAULT_PORT 2000
#define DEFAULT_IP ""
#define HOST_NAME_MAX 254
// evil Solaris hack
#ifdef __sun__
......@@ -41,10 +48,12 @@ typedef uint32_t u_int32_t;
// prototypes
void handle_IP(u_char *args,const struct pcap_pkthdr* pkthdr,const u_char* packet);
int calculate_averages();
int saddr_stats(int sock, struct sockaddr_in addr, char *hostname);
int scour_bucket(int i);
int find_bucket(struct in_addr *ip_src);
int daemonize(void);
int malloc_fail(char * var, int size);
int microsleep(unsigned int usec);
// data structures
struct my_dns {
CFLAGS+=-Wall -O -g -I/usr/local/include -I/usr/include
LDLIBS=-L/usr/local/lib -lpcap -lpthread -lm
LDLIBS=-lpcap -lpthread -lm
all: dns_flood_detector
strip dns_flood_detector
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment