A friend sent me the script he uses against DNS DoS attacks by reflection+amplification. I reject any responsibility for it but I found it cute and geeky :-)
It uses tcpdump + typical Unix tools to automatically detect IP addresses used in such attacks and block them (not something I endorse).

    # Capture 200 large (> 1400 bytes) packets with source port 53, keep the replies
    # that carry DNSSEC material (RRSIG, DNSKEY and Type51 = NSEC3PARAM), strip the
    # ports and the DNS message ID, count identical "src > dst" pairs, and add every
    # destination seen more than 40 times (the spoofed source of the queries) to the
    # pf table "flood".
    tcpdump -t -s 0 -n -c 200 src port 53 and greater 1400 2> /dev/null \
      | awk '/RRSIG/ && /DNSKEY/ && /Type51/' \
      | sed -e 's/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\.[0-9]*/\1/g' -e 's/:[0-9]*\*-.*//' \
      | sort \
      | uniq -c \
      | awk '$1 > 40 {print $5}' \
      | while read i
        do
            echo $i
            pfctl -t flood -T add $i 2>/dev/null
        done

pfctl is a BSD-specific command which controls the firewall. The table "flood" is configured:

    table <flood> persist
    block in quick on $if from <flood> to $if

Porting to IPv6 is left as an exercise. It runs on an old FreeBSD, hence the Type51 instead of NSEC3PARAM.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
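The detection half of the pipeline above, reimplemented as an added example (not the poster's script) so it can be run offline against constructed tcpdump-style lines; it also handles the IPv6 case the post leaves as an exercise, by splitting each endpoint on its last dot rather than with a dotted-quad regex. The sample lines, the threshold parameter and the function names are assumptions; blocking stays a separate pfctl step.

```python
import re
from collections import Counter

# Constructed "tcpdump -t -n" style lines (not real captures); the reply body is
# abbreviated to the record names the original awk filter looks for.
SAMPLE_LINES = """\
IP 192.0.2.10.53 > 198.51.100.7.4444: 1*- 9/0/1 DNSKEY, RRSIG, Type51 (1502)
IP 192.0.2.10.53 > 198.51.100.7.4444: 2*- 9/0/1 DNSKEY, RRSIG, Type51 (1502)
IP 192.0.2.10.53 > 198.51.100.7.4444: 3*- 9/0/1 DNSKEY, RRSIG, Type51 (1502)
IP 192.0.2.10.53 > 203.0.113.5.33333: 4*- 9/0/1 DNSKEY, RRSIG, Type51 (1502)
IP 192.0.2.10.53 > 203.0.113.9.5353: 5*- 2/0/0 A 203.0.113.1 (1410)
IP6 2001:db8::10.53 > 2001:db8:1::7.4444: 6*- 9/0/1 DNSKEY, RRSIG, Type51 (1502)
IP6 2001:db8::10.53 > 2001:db8:1::7.4444: 7*- 9/0/1 DNSKEY, RRSIG, Type51 (1502)
"""

# An endpoint is "<address>.<port>"; greedy \S+ followed by \.(\d+) binds the
# last dot to the port, so IPv4 and IPv6 addresses are both handled.
LINE_RE = re.compile(r"^IP6? (\S+)\.(\d+) > (\S+)\.(\d+): ")

# Same markers as the original awk filter (Type51 = NSEC3PARAM on old tcpdump).
KEYWORDS = ("RRSIG", "DNSKEY", "Type51")


def suspect_destinations(lines, threshold):
    """Count large DNSSEC-looking replies per destination address (the spoofed
    source of the queries) and return, sorted, those seen more than threshold times."""
    counts = Counter()
    for line in lines:
        if not all(k in line for k in KEYWORDS):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        _src, _sport, dst, _dport = m.groups()
        counts[dst] += 1
    return sorted(dst for dst, n in counts.items() if n > threshold)


def block_commands(addresses, table="flood"):
    """Build the pfctl argv for each address, mirroring the post's loop; the caller
    decides whether to execute them (e.g. with subprocess.run)."""
    return [["pfctl", "-t", table, "-T", "add", a] for a in addresses]


if __name__ == "__main__":
    for argv in block_commands(suspect_destinations(SAMPLE_LINES.splitlines(), 2)):
        print(" ".join(argv))
```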