From 83610d8aa07970a77bcb27f0cffe9db38b09cc1d Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Thu, 4 Jun 2009 15:55:44 +0100 Subject: [PATCH] vampire: Add special hook for DNS badness. There's a DDOS attack which works by sending DNS servers bogus requests with spoofed source addresses. The servers' error reports end up bombarding the victim. The `logtrawl' program maintains an ipset listing the known victim IP addresses based on the DNS server's logs; here, we /drop/ matching packets -- otherwise the ICMP fallout would do just as well as the DNS errors at clobbering the victim. Fortunately this isn't very evil, since DNS over UDP is unreliable anyway. It may be that `logtrawl' grows up to do more of this stuff later. --- Makefile | 2 ++ local.mk | 10 ++++++++++ logtrawl | 27 +++++++++++++++++++++++++++ vampire.m4 | 6 ++++++ 4 files changed, 45 insertions(+) create mode 100755 logtrawl diff --git a/Makefile b/Makefile index 3780854..12c685f 100644 --- a/Makefile +++ b/Makefile @@ -3,6 +3,8 @@ MAIN_M4_SOURCES = HOSTS = +SCRIPTS = + default: all .PHONY: default diff --git a/local.mk b/local.mk index c413cdb..8294782 100644 --- a/local.mk +++ b/local.mk @@ -7,6 +7,8 @@ HOSTS += vampire ROOT = become root +SCRIPTS += logtrawl + ## Installation. install: all firewall_script=./`hostname`.sh && \ @@ -15,4 +17,12 @@ install: all $(ROOT) ./$$firewall_script for i in $(HOSTS); do \ $(ROOT) scp $$i.sh $$i:/etc/init.d/firewall; \ + for j in $(SCRIPTS); do \ + $(ROOT) ssh $$i <$$j " \ + cd /usr/local/sbin && \ + rm -f $$j.new && \ + cat >$$j.new && \ + chmod 755 $$j.new && \ + mv $$j.new $$j"; \ + done; \ done diff --git a/logtrawl b/logtrawl new file mode 100755 index 0000000..8153acc --- /dev/null +++ b/logtrawl 
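Review bot: A failed push of a script to one host is masked, because the new inner loop terminates the `$(ROOT) ssh $$i <$$j "…"` command with `;` and a shell `for` loop only reports the status of its last iteration, so `make install` can succeed after `logtrawl` silently failed to land on an earlier host (the pre-existing `scp` line has the same shape, but the new loop repeats the pattern). The remote `rm -f`/`cat`/`chmod`/`mv` chain itself is sound: the script is written to `$$j.new` and renamed into place, so a dropped connection cannot leave a truncated `logtrawl` in `/usr/local/sbin`. I would end the ssh command with `mv $$j.new $$j" || exit 1; \` so the recipe stops at the first host that fails. The `install` recipe starts above this hunk.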
@@ -0,0 +1,27 @@ +#! /bin/bash + +set -e + +## DNS DDOS victims. +dns_victims=$( + sed -n ' + /^.*named.*client \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\)#.*:.*view inet.*NS\/IN.*denied.*$/ s//\1/p + ' /var/log/daemon.log | + sort -u | + while read addr; do + if ! ipset -qT ddos-evil-dns "$addr"; then + echo "$addr" + fi + done +) +case "$dns_victims" in + "") ;; + *) + echo 'DNS DDOS victim addresses:' + ipset -N ddos-evil-dns iphash >/dev/null 2>&1 || : + for addr in $dns_victims; do + echo " $addr" + ipset -A ddos-evil-dns "$addr" || : + done + ;; +esac diff --git a/vampire.m4 b/vampire.m4 index 13e37bd..3a389ca 100644 --- a/vampire.m4 +++ b/vampire.m4 @@ -37,6 +37,12 @@ m4_divert(-1) ### vampire-specific rules. m4_divert(82)m4_dnl +## Repelling evil DDos attack. +run ipset -N ddos-evil-dns iphash 2>/dev/null || : +run iptables -A inbound -j DROP \ + -m set --set ddos-evil-dns src \ + -p udp --destination-port $port_dns + ## Externally visible services. allowservices inbound tcp \ finger ident \ -- 2.11.0
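Review bot: An unreadable or missing `/var/log/daemon.log` makes the script exit quietly with nothing to add, because `set -e` only sees the status of the last command in the `sed | sort -u | while` pipeline, which is the `while` loop's and not `sed`'s; as the file is `#! /bin/bash`, `set -e -o pipefail` at the top would turn that into a visible failure. Separately, membership in `ddos-evil-dns` is permanent and is driven purely by log lines whose source address is, per the commit description, spoofable: a single matching `denied` line puts any address into the drop set for every UDP query to this server, and nothing here ages entries out or flushes the set, so an address stays blackholed until reboot and is then re-added from the same log lines. Whether that hurts a client the `inet` view would otherwise answer depends on named's ACLs, which I cannot see from here; at minimum the header comment should state it, e.g. `## Addresses are never removed: the set only grows until flushed by hand (ipset -F ddos-evil-dns) or reboot.`, and a match threshold or periodic flush is worth considering. Nothing in the patch schedules this script (no cron entry in the diffstat), so presumably that is configured out of band.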
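Review bot: `run ipset -N ddos-evil-dns iphash 2>/dev/null || :` swallows every failure of set creation, not just "set already exists", so a missing ipset binary or kernel module is only noticed if the following `iptables … -m set --set ddos-evil-dns` fails and `run` (defined outside this hunk) does not itself ignore errors. A tighter form is `run ipset -N ddos-evil-dns iphash 2>/dev/null || ipset -L ddos-evil-dns >/dev/null 2>&1`, which still requires the set to exist when creation fails. The DROP is also order-sensitive: it is appended to `inbound` ahead of the `allowservices` rules that follow (that block continues past the hunk) and must stay before whichever rule accepts UDP to `$port_dns`; matching UDP only is presumably deliberate because TCP queries cannot be source-spoofed. Both points deserve a comment above `run iptables`, e.g. `## Must precede the allowservices rule that accepts udp/$port_dns; UDP only, since TCP sources cannot be spoofed.`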