DNS Amplification – detection script
Lately the DDoS amplification attack method has become very popular because it is simple to deploy and can reach a great attack power. If you run a DNS server for your clients, it is a good idea to make it available only to them (an acl of trusted networks). The script below detects a DNS attack running through your network and informs you about it quickly.
— cut here —
#!/bin/sh
# dnssyf - report the busiest DNS clients and the zone they are querying
cd /scripts/dnsflood/ || exit 1
cat /dev/null > dnssyf_mailbody
echo "DNS AMPLIFICATION" >> dnssyf_mailbody
echo " " >> dnssyf_mailbody
# Remote address of every socket on port 53 (":53 " so that 5353 and PIDs containing 53 do not match),
# IPv6 wildcard entries dropped, counted per address; the three busiest go to dnssyf_tmp, ascending.
# The original pipeline had an empty "grep -v" here, which cannot run; it is left out.
netstat -tupan | grep ':53 ' | awk '{ print $5 }' | grep -v ':::*' | sed -e 's/:53//g' | sort | uniq -c | sort -k1n | tail -n 3 > dnssyf_tmp
while read -r l
do
  ip=`echo $l | awk '{print $2}'`
  polaczenia=`echo $l | awk '{print $1}'`   # polaczenia = number of connections
  netname=`whois $ip | grep -m 1 -i netname`
  echo "IP address: $ip Connections: $polaczenia Netname: $netname" >> dnssyf_mailbody
done < dnssyf_tmp
echo " " >> dnssyf_mailbody
awk '{ if ($1 >= 70) print "Problematic hosts: "$2 }' dnssyf_tmp >> dnssyf_mailbody
echo " " >> dnssyf_mailbody
# After the loop $ip is the busiest source: capture ten of its queries and keep the queried name
tcpdump -n -l -p -c 10 -i INTERFACE host $ip | awk '{ print $9 }' > dnssyf_domains
# domena = domain: the last two labels of each queried name, deduplicated
domena=`sed -e 's/\./ /g' dnssyf_domains | awk '{print $(NF-1)"."$NF}' | sort | uniq`
echo "Domain used for attack: *"$domena >> dnssyf_mailbody
# grep is case-sensitive, so match the "Problematic hosts" line actually written above
grep -q "Problematic hosts" dnssyf_mailbody && mail -s "DNS Amplification - Warning - `hostname`" NOC@DOMENA.LTD < dnssyf_mailbody
rm dnssyf_tmp
rm dnssyf_domains
— cut here —
Put the script at /scripts/dnsflood and add these entries to the crontab:
*/10 * * * * /scripts/dnsflood/dnssyf >/dev/null 2>&1
*/5 * * * * killall dnssyf >/dev/null 2>&1
When an attack occurs you should see an email like this in your mailbox (the IP addresses are blanked in the sample):
DNS AMPLIFICATION
IP address: Connections: 72 Netname: NetName: CLOUDFLARENET
IP address: Connections: 156 Netname: NetName: CLOUDFLARENET
IP address: Connections: 404 Netname: netname: CHINANET-ZJ-WZ
Problematic hosts:
Problematic hosts:
Problematic hosts:
Domain used for attack: *amcbet.com
Reacting to the attack:
Blocking the domain (drops outgoing UDP packets to port 53 whose payload contains $DOMAIN):
iptables -I OUTPUT -p udp --dport 53 -m string --string $DOMAIN --algo bm -j DROP
Checking whether the number of connections drops:
netstat -tupan | grep 53 | wc -l
You can also try to find the problematic domain on your own (INTERFEJS_NASLUCHUJACY is the interface you listen on):
tcpdump -n -l -p -i $INTERFEJS_NASLUCHUJACY port 53
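The detection steps of the script above (count port-53 sockets per remote address, flag sources over the 70-connection threshold, extract the queried zone from tcpdump output) as shell functions fed with constructed netstat and tcpdump lines, so the logic can be checked offline. This is an added example, not the post's script; the function names and the sample data are assumptions, and count_sources strips any remote port rather than only ":53".

```shell
#!/bin/sh
# Added example, not the script from the post: the detection steps of dnssyf
# (count port-53 sockets per remote address, flag sources over a threshold,
# pull the queried zone out of tcpdump output) as functions fed with constructed
# input, so the logic can be checked offline. Function names are assumptions.

# Constructed "netstat -tupan" output: one noisy client (75 sockets), one quiet
# client, an mDNS socket on 5353 (must not match) and an IPv6 listener (filtered).
make_netstat_sample() {
    i=0
    while [ "$i" -lt 75 ]; do
        printf 'udp  0  0 10.0.0.1:53  203.0.113.7:%d  ESTABLISHED 1234/named\n' $((40000 + i))
        i=$((i + 1))
    done
    printf 'udp  0  0 10.0.0.1:53  198.51.100.9:5353  ESTABLISHED 1234/named\n'
    printf 'udp  0  0 10.0.0.1:5353  198.51.100.9:5353  ESTABLISHED 5678/avahi\n'
    printf 'udp6 0  0 :::53  :::*  1234/named\n'
}

# Stdin: netstat lines. Stdout: "<count> <remote ip>" ascending, like dnssyf_tmp.
# Generalises the post's sed (which strips only ":53"): any remote port is dropped.
count_sources() {
    grep ':53 ' | awk '{ print $5 }' | grep -v '::' \
        | sed -e 's/:[0-9]*$//' | sort | uniq -c | sort -k1n
}

# Stdin: count_sources output. Stdout: addresses with at least $1 sockets (default 70).
problematic_hosts() {
    awk -v limit="${1:-70}" '$1 + 0 >= limit + 0 { print $2 }'
}

# Stdin: "tcpdump -n ... port 53" lines. Stdout: last two labels of each queried
# name, deduplicated, as in the dnssyf_domains step.
attack_domain() {
    awk '{ print $9 }' | sed -e 's/\./ /g' \
        | awk 'NF >= 2 { print $(NF-1) "." $NF }' | sort | uniq
}

# Constructed tcpdump lines; ANY queries for one zone are typical of amplification.
TCPDUMP_SAMPLE='10:00:01.000000 IP 203.0.113.7.40000 > 10.0.0.1.53: 1+ [1au] ANY? example.net. (40)
10:00:01.000100 IP 203.0.113.7.40001 > 10.0.0.1.53: 2+ [1au] ANY? example.net. (40)
10:00:01.000200 IP 203.0.113.7.40002 > 10.0.0.1.53: 3+ [1au] ANY? www.example.net. (44)'

# Prints "203.0.113.7" then "example.net"
make_netstat_sample | count_sources | problematic_hosts 70
printf '%s\n' "$TCPDUMP_SAMPLE" | attack_domain
```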