Commit bbd2ffd6 authored by waja's avatar waja

Load /tmp/tmp.kfssgS9918/dns-flood-detector-1.12 into

debian/dns-flood-detector/branches/upstream/current.
parent 9ec21234
DNS FLood Detector 1.10
DNS FLood Detector 1.12
Dennis Opacki
dopacki@adotout.com
......@@ -17,6 +17,9 @@ incoming dns queries to a nameserver. The tool may be run in one of two
modes, either daemon mode or "bindsnap" mode. In daemon mode, the tool
will alarm via syslog. In bindsnap mode, the user is able to get
near-real-time stats on usage to aid in more detailed troubleshooting.
By default, it will count dns queries directed to any address in the same
network as the primary IP address on the interface being watched; the -A,
-M, and -Q options can be used to modify this behaviour.
How do I build it?
......@@ -52,22 +55,23 @@ Usage: ./dns_flood_detector [OPTION]
-w N calculate stats every N seconds
-x N create N buckets
-m N mark total query rate every N seconds
-A addr filter for specific address
-M mask netmask for filter (in conjunction with -A)
-Q don't filter by local interface address
-b run in foreground in bindsnap mode
-d run in background in daemon mode
-D dump dns packets (implies -b)
-v verbose output - use again for more verbosity
-h display this usage information
Sample Output:
dopacki:~$ sudo ./dns_flood_detector -v -v -b -t10
[15:14:56] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16
qps PTR]
[15:14:56] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:14:56] source [10.0.24.2] - 0 qps tcp : 15 qps udp [15 qps A]
[15:15:06] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16
qps PTR]
[15:15:06] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:15:06] source [10.0.24.2] - 0 qps tcp : 15 qps udp [14 qps A]
[15:15:16] source [192.168.1.45] - 0 qps tcp : 23 qps udp [7 qps A] [15
qps PTR]
[15:15:16] source [192.168.1.45] - 0 qps tcp : 23 qps udp [7 qps A] [15 qps PTR]
What if I have questions?
......
This diff is collapsed.
......@@ -29,7 +29,7 @@
#define ETHER_HDRLEN 14
#endif
#define NS_MAXDNAME 1025
#define MAXSYSLOG 128
#define MAXSYSLOG 192
// evil Solaris hack
#ifdef __sun__
......@@ -40,7 +40,12 @@ typedef uint32_t u_int32_t;
// prototypes
void handle_IP(u_char *args,const struct pcap_pkthdr* pkthdr,const u_char* packet);
int calculate_averages();
int scour_bucket(int i);
int find_bucket(struct in_addr *ip_src);
int daemonize(void);
int malloc_fail(char * var, int size);
// data structures
struct my_dns {
u_int16_t dns_id; /* query identification number */
......@@ -53,7 +58,7 @@ struct my_dns {
};
struct bucket {
char * ip_addr;
struct in_addr ip_addr;
unsigned int tcp_count;
unsigned int udp_count;
unsigned int qps;
......
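Review bot: In the prototype list, `int malloc_fail(char * var, int size);` carries an allocation size as a signed `int` and takes a non-const name string; `int malloc_fail(const char *var, size_t size);` would keep a large request from being reported as a negative or truncated number and would accept string literals cleanly. In the same list, `int calculate_averages();` leaves the parameter list unspecified in C, so calls are not checked; `int calculate_averages(void);` would match `daemonize(void)`. The definitions are in dns_flood_detector.c, whose diff is not shown on this page, so they would need the matching change. For the `MAXSYSLOG` change from 128 to 192, assuming it sizes a message buffer filled with per-source statistics, a comment such as `/* syslog message buffer size; every write into it must be bounded by this value */` would record the constraint that a larger constant alone does not enforce.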
......@@ -7,5 +7,7 @@ clean:
rm -rf dns_flood_detector *.o *~
install:
cp dns_flood_detector /usr/local/sbin/
distclean: clean
rm Makefile
dns_flood_detector: dns_flood_detector.c
......@@ -7,5 +7,7 @@ clean:
rm -rf dns_flood_detector *.o *~
install:
cp dns_flood_detector /usr/local/sbin/
distclean: clean
rm Makefile
dns_flood_detector: dns_flood_detector.c
CFLAGS=-O -D_BSD_SOURCE -g
CFLAGS=-Wall -O -D_BSD_SOURCE -g
LDLIBS=-lpcap -lpthread -lm
all: dns_flood_detector
......@@ -7,5 +7,7 @@ clean:
rm -rf dns_flood_detector *.o *~
install:
cp dns_flood_detector /usr/local/sbin/
distclean: clean
rm Makefile
dns_flood_detector: dns_flood_detector.c
CFLAGS+=-O -g -I/usr/local/include -I/usr/include
CFLAGS+=-Wall -O -g -I/usr/local/include -I/usr/include
LDLIBS=-L/usr/local/lib -lpcap -lpthread -lm
all: dns_flood_detector
......@@ -7,5 +7,7 @@ clean:
rm -rf dns_flood_detector *.o *~
install:
cp dns_flood_detector /usr/local/sbin/
distclean: clean
rm Makefile
dns_flood_detector: dns_flood_detector.c
......@@ -7,5 +7,7 @@ clean:
rm -rf dns_flood_detector *.o *~
install:
cp dns_flood_detector /usr/local/sbin/
distclean: clean
rm Makefile
dns_flood_detector: dns_flood_detector.c