From: Mark Wooding Date: Thu, 4 Jun 2009 14:55:44 +0000 (+0100) Subject: vampire: Add special hook for DNS badness. X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/83610d8aa07970a77bcb27f0cffe9db38b09cc1d?hp=d6dd88f5fe5213e6d5bdf944791e331edf283426 vampire: Add special hook for DNS badness. There's a DDOS attack which works by sending DNS servers bogus requests with spoofed source addresses. The servers' error reports end up bombarding the victim. The `logtrawl' program maintains an ipset listing the known victim IP addresses based on the DNS server's logs; here, we /drop/ matching packets -- otherwise the ICMP fallout would do just as well as the DNS errors at clobbering the victim. Fortunately this isn't very evil, since DNS over UDP is unreliable anyway. It may be that `logtrawl' grows up to do more of this stuff later.
---
diff --git a/Makefile b/Makefile
index 3780854..12c685f 100644
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,8 @@ MAIN_M4_SOURCES =
 HOSTS =
+SCRIPTS =
+
 default: all
 .PHONY: default
diff --git a/local.mk b/local.mk
index c413cdb..8294782 100644
--- a/local.mk
+++ b/local.mk
@@ -7,6 +7,8 @@ HOSTS += vampire
 ROOT = become root
+SCRIPTS += logtrawl
+
 ## Installation.
 install: all
 firewall_script=./`hostname`.sh && \
@@ -15,4 +17,12 @@ install: all
 $(ROOT) ./$$firewall_script
 for i in $(HOSTS); do \
 $(ROOT) scp $$i.sh $$i:/etc/init.d/firewall; \
+ for j in $(SCRIPTS); do \
+ $(ROOT) ssh $$i <$$j " \
+ cd /usr/local/sbin && \
+ rm -f $$j.new && \
+ cat >$$j.new && \
+ chmod 755 $$j.new && \
+ mv $$j.new $$j"; \
+ done; \
 done
diff --git a/logtrawl b/logtrawl
new file mode 100755
index 0000000..8153acc
--- /dev/null
+++ b/logtrawl
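Review bot: In the second local.mk hunk a failing `scp` or `ssh` for one host does not fail `make install`: the `for i` loop's exit status is that of its last command, so a partially updated firewall or logtrawl script on some host is reported as success (the `install` rule itself starts outside this hunk). Appending `|| exit 1` to the scp line and to the ssh command, `$(ROOT) scp $$i.sh $$i:/etc/init.d/firewall || exit 1; \` and `mv $$j.new $$j" || exit 1; \`, stops the recipe at the first host that could not be updated. The staged write through `$$j.new` followed by `mv` is sound: the installed script is never observed half-written, and `rm -f` beforehand keeps a stale `.new` from being reused.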
@@ -0,0 +1,27 @@
+#! /bin/bash
+
+set -e
+
+## DNS DDOS victims.
+dns_victims=$(
+ sed -n '
+ /^.*named.*client \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\)#.*:.*view inet.*NS\/IN.*denied.*$/ s//\1/p
+ ' /var/log/daemon.log |
+ sort -u |
+ while read addr; do
+ if ! ipset -qT ddos-evil-dns "$addr"; then
+ echo "$addr"
+ fi
+ done
+)
+case "$dns_victims" in
+ "") ;;
+ *)
+ echo 'DNS DDOS victim addresses:'
+ ipset -N ddos-evil-dns iphash >/dev/null 2>&1 || :
+ for addr in $dns_victims; do
+ echo " $addr"
+ ipset -A ddos-evil-dns "$addr" || :
+ done
+ ;;
+esac
diff --git a/vampire.m4 b/vampire.m4
index 13e37bd..3a389ca 100644
--- a/vampire.m4
+++ b/vampire.m4
@@ -37,6 +37,12 @@ m4_divert(-1)
 ### vampire-specific rules.
 m4_divert(82)m4_dnl
+## Repelling evil DDos attack.
+run ipset -N ddos-evil-dns iphash 2>/dev/null || :
+run iptables -A inbound -j DROP \
+ -m set --set ddos-evil-dns src \
+ -p udp --destination-port $port_dns
+
 ## Externally visible services.
 allowservices inbound tcp \
 finger ident \
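Review bot: Addresses put into `ddos-evil-dns` by the `ipset -A` loop are never removed, and the address that gets an entry there is precisely the one the attacker spoofed, so every address seen as a denied-query client loses UDP DNS on this host indefinitely and the set only ever grows; a periodic reset (`ipset -F ddos-evil-dns` from cron, or recording when each address was last seen so stale entries can be dropped) would bound both the collateral damage and the set size. The greedy `^.*named.*client \(...\)#` in the sed script captures the last `client N.N.N.N#` occurrence on a line, so if the logged query name can ever contain such text it would be taken instead of the real client; anchoring the match to the daemon's syslog tag, e.g. `named\[[0-9]*\]: client \(...\)#`, is safer — confirm against the actual daemon.log format before changing it. `ipset -A ddos-evil-dns "$addr" || :` also hides a failed add (for example a full set), leaving no trace other than the address's absence; `|| echo "ipset: could not add $addr" >&2` keeps the script's exit status while recording the failure.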
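Review bot: `run ipset -N ddos-evil-dns iphash 2>/dev/null || :` silences every failure of set creation, not only the expected "set already exists" case, so a missing ipset tool or kernel module is first noticed when the following `iptables -A ... -m set` line fails with a less obvious message, or not at all if `run` ignores errors (how `run` treats failures is outside this hunk). A comment stating the intent, `## The set normally exists already (logtrawl creates and fills it); an absent ipset surfaces as a failure of the iptables rule below.`, keeps the next reader from treating the `|| :` as a mistake, and `run ipset -N ddos-evil-dns iphash 2>/dev/null || ipset -L ddos-evil-dns >/dev/null` turns the genuinely-missing case into a clear error at the point of cause. The comment line also has the typo `DDos`, which should read `DDoS`.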