vampire: Add special hook for DNS badness.

There's a DDOS attack which works by sending DNS servers bogus requests
with spoofed source addresses.  The servers' error reports end up
bombarding the victim.

The `logtrawl' program maintains an ipset listing the known victim IP
addresses based on the DNS server's logs; here, we /drop/ matching
packets -- otherwise the ICMP fallout would do just as well as the DNS
errors at clobbering the victim.  Fortunately this isn't very evil,
since DNS over UDP is unreliable anyway.

It may be that `logtrawl' grows up to do more of this stuff later.

diff --git a/Makefile b/Makefile
index 3780854..12c685f 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,8 @@
 MAIN_M4_SOURCES                 =
 HOSTS                   =
 
+SCRIPTS                         =
+
 default: all
 .PHONY: default
 

diff --git a/local.mk b/local.mk
index c413cdb..8294782 100644 (file)
--- a/local.mk
+++ b/local.mk
@@ -7,6 +7,8 @@ HOSTS                   += vampire
 
 ROOT                    = become root
 
+SCRIPTS                        += logtrawl
+
 ## Installation.
 install: all
        firewall_script=./`hostname`.sh && \
@@ -15,4 +17,12 @@ install: all
        $(ROOT) ./$$firewall_script
        for i in $(HOSTS); do \
          $(ROOT) scp $$i.sh $$i:/etc/init.d/firewall; \
+         for j in $(SCRIPTS); do \
+           $(ROOT) ssh $$i <$$j " \
+               cd /usr/local/sbin && \
+               rm -f $$j.new && \
+               cat >$$j.new && \
+               chmod 755 $$j.new && \
+               mv $$j.new $$j"; \
+         done; \
        done

diff --git a/logtrawl b/logtrawl
new file mode 100755 (executable)
index 0000000..8153acc
--- /dev/null
+++ b/logtrawl
@@ -0,0 +1,27 @@
+#! /bin/bash
+
+set -e
+
+## DNS DDOS victims.
+dns_victims=$(
+  sed -n '
+    /^.*named.*client \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\)#.*:.*view inet.*NS\/IN.*denied.*$/ s//\1/p
+  ' /var/log/daemon.log |
+  sort -u |
+  while read addr; do
+    if ! ipset -qT ddos-evil-dns "$addr"; then
+      echo "$addr"
+    fi
+  done
+)
+case "$dns_victims" in
+  "") ;;
+  *)
+    echo 'DNS DDOS victim addresses:'
+    ipset -N ddos-evil-dns iphash >/dev/null 2>&1 || :
+    for addr in $dns_victims; do
+      echo "  $addr"
+      ipset -A ddos-evil-dns "$addr" || :
+    done
+    ;;
+esac

diff --git a/vampire.m4 b/vampire.m4
index 13e37bd..3a389ca 100644 (file)
--- a/vampire.m4
+++ b/vampire.m4
@@ -37,6 +37,12 @@ m4_divert(-1)
 ### vampire-specific rules.
 
 m4_divert(82)m4_dnl
+## Repelling evil DDos attack.
+run ipset -N ddos-evil-dns iphash 2>/dev/null || :
+run iptables -A inbound -j DROP \
+       -m set --set ddos-evil-dns src \
+       -p udp --destination-port $port_dns
+
 ## Externally visible services.
 allowservices inbound tcp \
        finger ident \