DNS Amplification – detection script

Lately the DNS amplification method of DDoS attack has become very popular because it is simple to deploy and can deliver great attack power. If you run a DNS server for your clients, it is a good idea to make it available only to them (an ACL of trusted networks). This script detects a DNS attack that runs through your network and informs you about it quickly.

— cut here —

#!/bin/bash

LANG=C
PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

cd /scripts/dnsflood/ || exit 1

# Start a fresh mail body
cat /dev/null > dnssyf_mailbody
echo "DNS AMPLIFICATION" >> dnssyf_mailbody
echo " " >> dnssyf_mailbody
# Three remote addresses with the most connections to port 53 (busiest last)
netstat -tupan | grep 53 | awk '{ print $5 }' | grep -v 0.0.0.0 | grep -v ':::*' | sed -e 's/:53//g' | sort | uniq -c | sort -k1n | tail -n 3 > dnssyf_tmp
while read l
do
ip=`echo $l | awk '{print $2}'`
polaczenia=`echo $l | awk '{print $1}'`   # connection count
netname=`whois $ip | grep -m 1 -i netname`
echo "IP address: $ip Connections: $polaczenia Netname: $netname" >> dnssyf_mailbody
done < dnssyf_tmp
echo " " >> dnssyf_mailbody
# Hosts with 70 or more connections are reported as problematic
awk '{ if ($1 >=70) print "Problematic hosts: "$2 }' dnssyf_tmp >> dnssyf_mailbody
echo " " >> dnssyf_mailbody
# $ip still holds the last (busiest) host from the loop; capture 10 of its packets
tcpdump -n -l -p -c 10 -i INTERFACE host $ip | awk '{ print $9 }' > dnssyf_domains
domena=`sed -e 's/\./ /g' dnssyf_domains | awk '{print $(NF-1)"."$NF}' | sort | uniq`
echo "Domain used for attack: *"$domena >> dnssyf_mailbody
# Case-insensitive match: the body says "Problematic hosts"
grep -i "problematic" dnssyf_mailbody && mail -s "DNS Amplification – Warning – `hostname`" NOC@DOMENA.LTD < dnssyf_mailbody
rm dnssyf_tmp
rm dnssyf_domains

— cut here —

Put the script at /scripts/dnsflood/dnssyf and add it to the crontab:

*/10 * * * * /scripts/dnsflood/dnssyf >/dev/null 2>&1
*/5 * * * * killall dnssyf >/dev/null 2>&1

When an attack occurs you should receive an email like this in your mailbox:

DNS AMPLIFICATION
 
IP address: 173.245.59.133  Connections: 72  Netname: NetName:        CLOUDFLARENET
IP address: 173.245.58.118  Connections: 156  Netname: NetName:        CLOUDFLARENET
IP address: 61.164.144.24  Connections: 404  Netname: netname:        CHINANET-ZJ-WZ
 
Problematic hosts: 173.245.59.133
Problematic hosts: 173.245.58.118
Problematic hosts: 61.164.144.24
 
Domain used for attack: *amcbet.com
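The detection logic of the script above, as an added Python example that is not part of the original post: it counts connections per remote address, flags hosts at or above the script's threshold of 70, and extracts the queried names from tcpdump lines for the busiest host. It differs from the shell pipeline in two deliberate ways: it selects rows by local port exactly 53 (so an unrelated connection on port 50053 is not counted), and it finds the query name by the "TYPE? name." pattern instead of the ninth whitespace field, which shifts when tcpdump omits the EDNS "[1au]" token. All sample netstat and tcpdump lines, addresses and the threshold default are constructed for the example.

```python
import re
from collections import Counter

# Matches data rows of `netstat -tupan`: proto, Recv-Q, Send-Q, local, foreign
NETSTAT_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)")
# Source address of a tcpdump DNS line: "IP 198.51.100.7.40001 > ..."
SRC_RE = re.compile(r" IP (\S+)\.(\d+) > ")
# Query type and name at the end of a tcpdump DNS query line: "ANY? amcbet.com. (39)"
QUERY_RE = re.compile(r" (\S+)\? (\S+) \(\d+\)$")


def count_dns_peers(netstat_text):
    """Count connections per remote host whose local port is exactly 53."""
    peers = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        local, remote = m.group(2), m.group(3)
        _, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        if lport != "53" or rport == "*":
            continue  # not the resolver socket, or a listening socket
        peers[rhost] += 1
    return peers


def top_peers(peers, n=3):
    """Busiest n remote hosts, like `sort | uniq -c | sort -k1n | tail -n 3`."""
    return peers.most_common(n)


def problematic_hosts(peers, threshold=70):
    """Hosts the script would list as 'Problematic hosts' (>= threshold)."""
    return sorted(ip for ip, count in peers.items() if count >= threshold)


def queried_names(tcpdump_text, src_ip=None):
    """Names queried in tcpdump output, optionally only from one source host."""
    names = []
    for line in tcpdump_text.splitlines():
        src = SRC_RE.search(line)
        query = QUERY_RE.search(line)
        if not src or not query:
            continue  # responses and non-DNS lines carry no "TYPE?" token
        if src_ip is not None and src.group(1) != src_ip:
            continue
        names.append(query.group(2).rstrip("."))
    return names


def base_domain(name):
    """Last two labels, mirroring the script's awk '$(NF-1)"."$NF'."""
    return ".".join(name.split(".")[-2:])


def attack_domains(tcpdump_text, src_ip=None):
    return sorted({base_domain(n) for n in queried_names(tcpdump_text, src_ip)})


def make_sample_netstat():
    """Constructed `netstat -tupan` output: 75 queries from one host, 3 from another."""
    header = ("Active Internet connections (servers and established)\n"
              "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name\n")
    rows = [
        "udp        0      0 0.0.0.0:53              0.0.0.0:*                           1234/named",
        "udp6       0      0 :::53                   :::*                                1234/named",
        # an ssh session whose remote port happens to contain "53"
        "tcp        0      0 192.0.2.10:22           203.0.113.9:50053       ESTABLISHED 999/sshd",
    ]
    rows += [f"udp        0      0 192.0.2.10:53           198.51.100.7:{40000 + i}      ESTABLISHED 1234/named"
             for i in range(75)]
    rows += [f"udp        0      0 192.0.2.10:53           203.0.113.5:{41000 + i}       ESTABLISHED 1234/named"
             for i in range(3)]
    return header + "\n".join(rows) + "\n"


# Constructed tcpdump lines: two queries with and without "[1au]", one response, one other host
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 198.51.100.7.40001 > 192.0.2.10.53: 4711+ [1au] ANY? amcbet.com. (39)
12:00:01.000002 IP 198.51.100.7.40002 > 192.0.2.10.53: 4712+ ANY? www.amcbet.com. (32)
12:00:01.000003 IP 192.0.2.10.53 > 198.51.100.7.40001: 4711 12/0/1 A 203.0.113.77 (140)
12:00:01.000004 IP 203.0.113.5.41000 > 192.0.2.10.53: 9+ A? example.net. (29)
"""

if __name__ == "__main__":
    peers = count_dns_peers(make_sample_netstat())
    for ip, count in top_peers(peers):
        print(f"IP address: {ip} Connections: {count}")
    for ip in problematic_hosts(peers):
        print(f"Problematic hosts: {ip}")
    busiest = top_peers(peers, 1)[0][0]
    print("Domain used for attack: *" + " ".join(attack_domains(SAMPLE_TCPDUMP, busiest)))
```

Run stand-alone it prints the same three-part report the script mails; in production the two sample builders would be replaced by the real `netstat -tupan` and `tcpdump` output.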

Reacting to an attack:

Blocking the domain:

iptables -I OUTPUT -p udp --dport 53 -m string --string $DOMAIN --algo bm -j DROP
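A check worth making before relying on the rule above, as an added Python example that is not part of the original post: in DNS wire format a name is sent as length-prefixed labels, so the bytes "amcbet.com" with a literal dot never appear in a query packet, and a plain `--string` match on the dotted name will not fire. The functions below encode a name the way it travels on the wire, build a constructed query packet to show the difference, and render the pattern in the `|xx|` notation that the iptables string match accepts via `--hex-string` (that option and notation are documented in iptables-extensions; add `--icase` if you want the match to be case-insensitive, as DNS names are). The domain, transaction id and packet contents are constructed for the example.

```python
import struct


def dns_wire_name(domain):
    """Encode a domain as DNS wire-format labels: <len><label>... terminated by 0x00."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        encoded = label.encode("ascii")
        if not 0 < len(encoded) < 64:
            raise ValueError(f"invalid DNS label: {label!r}")
        out.append(len(encoded))
        out += encoded
    out.append(0)
    return bytes(out)


def iptables_hex_string(domain):
    """Wire-format name in the |xx| mixed notation of `iptables -m string --hex-string`."""
    parts = [f"|{len(label):02x}|{label}" for label in domain.strip(".").split(".")]
    return "".join(parts) + "|00|"


def build_query(domain, qtype=255, txid=0x1234):
    """Constructed DNS query packet: 12-byte header, question name, QTYPE, QCLASS IN.
    qtype 255 is ANY, the type typically abused for amplification."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + dns_wire_name(domain) + struct.pack("!HH", qtype, 1)


def literal_matches(domain, packet):
    """What `--string "amcbet.com"` tests: is the dotted ASCII name a substring?"""
    return domain.encode("ascii") in packet


def wire_matches(domain, packet):
    """What `--hex-string "|06|amcbet|03|com|00|"` tests: is the wire-format name present?"""
    return dns_wire_name(domain) in packet


if __name__ == "__main__":
    name = "amcbet.com"  # constructed example domain
    pkt = build_query(name)
    print("packet:", pkt.hex())
    print("literal match:", literal_matches(name, pkt))  # False
    print("wire match:   ", wire_matches(name, pkt))     # True
    print("iptables -I OUTPUT -p udp --dport 53 -m string --algo bm --icase "
          f"--hex-string '{iptables_hex_string(name)}' -j DROP")
```

The trailing `|00|` anchors the pattern to the end of the name, so a rule for amcbet.com does not also drop queries for amcbet.com.example; drop it if you want the rule to cover every subdomain the way the script's "*amcbet.com" report implies.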

Checking whether the number of connections drops:

netstat -tupan | grep 53 | wc -l

You can also try to find the problematic domain yourself:

tcpdump -n -l -p -i $INTERFEJS_NASLUCHUJACY port 53
