From 9ba1a9a672bcdd992477ec9a0388afe954775c62 Mon Sep 17 00:00:00 2001
From: Jan Wagner
Date: Wed, 4 Jul 2007 19:35:53 +0000
Subject: [PATCH] drop handling of upstream code

---
 LICENSE | 281 ---------
 README | 78 ---
 configure.pl | 19 -
 debian/changelog | 41 --
 debian/compat | 1 -
 debian/control | 23 -
 debian/copyright | 30 -
 debian/default | 7 -
 debian/dns-flood-detector.8 | 70 ---
 debian/docs | 1 -
 debian/init.d | 64 --
 debian/patches/00list | 1 -
 debian/patches/01_fix_prototyp.dpatch | 17 -
 debian/rules | 70 ---
 debian/watch | 2 -
 dns_flood_detector.c | 870 --------------------------
 dns_flood_detector.h | 70 ---
 dnsflood | 36 --
 makefiles/Makefile-BSDI | 13 -
 makefiles/Makefile-FreeBSD | 13 -
 makefiles/Makefile-Linux | 13 -
 makefiles/Makefile-OSX | 13 -
 makefiles/Makefile-Solaris | 13 -
 23 files changed, 1746 deletions(-)
 delete mode 100644 LICENSE
 delete mode 100644 README
 delete mode 100755 configure.pl
 delete mode 100644 debian/changelog
 delete mode 100644 debian/compat
 delete mode 100644 debian/control
 delete mode 100644 debian/copyright
 delete mode 100644 debian/default
 delete mode 100644 debian/dns-flood-detector.8
 delete mode 100644 debian/docs
 delete mode 100644 debian/init.d
 delete mode 100644 debian/patches/00list
 delete mode 100755 debian/patches/01_fix_prototyp.dpatch
 delete mode 100755 debian/rules
 delete mode 100644 debian/watch
 delete mode 100644 dns_flood_detector.c
 delete mode 100644 dns_flood_detector.h
 delete mode 100755 dnsflood
 delete mode 100644 makefiles/Makefile-BSDI
 delete mode 100644 makefiles/Makefile-FreeBSD
 delete mode 100644 makefiles/Makefile-Linux
 delete mode 100644 makefiles/Makefile-OSX
 delete mode 100644 makefiles/Makefile-Solaris

diff --git a/LICENSE b/LICENSE
deleted file mode 100644
index 69e1d93..0000000
--- a/LICENSE
+++ /dev/null
@@ -1,281 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - diff --git a/README b/README deleted file mode 100644 index afa0ab9..0000000 --- a/README +++ /dev/null 
@@ -1,78 +0,0 @@ -DNS FLood Detector 1.12 -Dennis Opacki -dopacki@adotout.com - - -What is DNS Flood Detector? - -DNS Flood Detector was developed to detect abusive usage levels on high -traffic nameservers and to enable quick response to the use of one's -nameserver to facilitate spam. DNS Flood Detector is distributed under the -Gnu Public License (see included LICENSE file for details). - -How does it work? - -DNS Flood Detector uses libpcap (in non-promiscuous mode) to monitor -incoming dns queries to a nameserver. The tool may be run in one of two -modes, either daemon mode or "bindsnap" mode. In daemon mode, the tool -will alarm via syslog. In bindsnap mode, the user is able to get -near-real-time stats on usage to aid in more detailed troubleshooting. -By default, it will count dns queries directed to any address in the same -network as the primary IP address on the interface being watched; the -A, --M, and -Q options can be used to modify this behaviour. - -How do I build it? - -Execute ./configure.pl to select the appropriate make target. Then simply -type "make". - -Why was it written? - -I wrote DNS Flood Detector because the fifty or so public recursive -nameservers I am responsible for were being abused by both customers and -non-customers. DNS Flood Detector allows for prompt action when anomalous -conditions are detected. - -What do I need to use it? - -You need libpcap and a little bit of patience. - -What platforms does it work on? - -Linux, BSDI, FreeBSD, Mac OSX, Solaris - -Will it run under Windows {95,98,NT,2000,XP}? - -Maybe. I haven't tried. If it doesn't, feel free to submit a fix. - -What does it look like? 
- -Usage: ./dns_flood_detector [OPTION] - --i IFNAME specify interface to listen on --t N alarm at >N queries per second --a N reset alarm after N seconds --w N calculate stats every N seconds --x N create N buckets --m N mark total query rate every N seconds --A addr filter for specific address --M mask netmask for filter (in conjunction with -A) --Q don't filter by local interface address --b run in foreground in bindsnap mode --d run in background in daemon mode --D dump dns packets (implies -b) --v verbose output - use again for more verbosity --h display this usage information - -Sample Output: - -dopacki:~$ sudo ./dns_flood_detector -v -v -b -t10 -[15:14:56] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR] -[15:14:56] source [10.0.24.2] - 0 qps tcp : 15 qps udp [15 qps A] -[15:15:06] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR] -[15:15:06] source [10.0.24.2] - 0 qps tcp : 15 qps udp [14 qps A] -[15:15:16] source [192.168.1.45] - 0 qps tcp : 23 qps udp [7 qps A] [15 qps PTR] - -What if I have questions? - -You can e-mail me at dopacki@adotout.com diff --git a/configure.pl b/configure.pl deleted file mode 100755 index 66648ba..0000000 --- a/configure.pl +++ /dev/null 
@@ -1,19 +0,0 @@ -#!/usr/bin/perl - -use strict; - -my $os = shift; - -# get target listings -opendir(MAKE_TARGETS,'./makefiles'); -my @targets = grep { /Makefile/ && -f './makefiles/'.$_ && s/^Makefile-// } readdir(MAKE_TARGETS); -closedir(MAKE_TARGETS); - -# display usage -unless ($os && grep{/$os/}@targets) {print< Wed, 04 Jul 2007 12:29:06 +0200 - -dns-flood-detector (1.12-1) unstable; urgency=medium - - * New upstream release - * modified fix_prototyp patch for upstream - - -- Jan Wagner Thu, 23 Nov 2006 13:35:11 +0100 - -dns-flood-detector (1.10-4) unstable; urgency=low - - * included fix_prototyp patch provided by "dann frazier " - (Closes: #399283). - * build depend to dpatch - - -- Jan Wagner Sun, 19 Nov 2006 10:18:55 +0100 - -dns-flood-detector (1.10-3) unstable; urgency=low - - * using killall in init script to get daemon stopped - * same for prerm - - -- Jan Wagner Thu, 9 Nov 2006 20:49:10 +0100 - -dns-flood-detector (1.10-2) unstable; urgency=low - - * fixed typo in initscript - - -- Jan Wagner Sat, 4 Nov 2006 21:46:03 +0100 - -dns-flood-detector (1.10-1) unstable; urgency=low - - * Initial release (Closes: #396618). - - -- Jan Wagner Fri, 3 Nov 2006 12:39:42 +0100 diff --git a/debian/compat b/debian/compat deleted file mode 100644 index 7ed6ff8..0000000 --- a/debian/compat +++ /dev/null @@ -1 +0,0 @@ -5 diff --git a/debian/control b/debian/control deleted file mode 100644 index 175e510..0000000 --- a/debian/control +++ /dev/null 
@@ -1,23 +0,0 @@ -Source: dns-flood-detector -Section: net -Priority: optional -Maintainer: Jan Wagner -Build-Depends: debhelper (>= 5), dpatch, libpcap0.8-dev -Standards-Version: 3.7.2 - -Package: dns-flood-detector -Architecture: any -Depends: ${shlibs:Depends} -Description: detect abusive usage levels on high traffic nameservers - This package provides the dns-flood-detector daemon. - . - It was developed to detect abusive usage levels on high traffic nameservers - and to enable quick response in halting the use of one's nameserver to - facilitate spam. - It uses libpcap (in non-promiscuous mode) to monitor incoming dns queries to a - nameserver. The tool may be run in one of two modes, either daemon mode or - "bindsnap" mode. In daemon mode, the tool will alarm via syslog. In bindsnap - mode, the user is able to get near-real-time stats on usage to aid in more - detailed troubleshooting. - . - Homepage: diff --git a/debian/copyright b/debian/copyright deleted file mode 100644 index 18c16a3..0000000 --- a/debian/copyright +++ /dev/null 
@@ -1,30 +0,0 @@ -This package was debianized by Jan Wagner on -Fri, 3 Nov 2006 12:39:42 +0100. - -It was downloaded from - -Upstream Author: Dennis Opacki - -Copyright: (C) 2003 Dennis Opacki - -License: - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - -On Debian systems, the complete text of the GNU General Public License -can be found in /usr/share/common-licenses/GPL file. - -The Debian packaging is (C) 2006, 2007 Jan Wagner and -is licensed under the GPL, see `/usr/share/common-licenses/GPL'. diff --git a/debian/default b/debian/default deleted file mode 100644 index 977f5d7..0000000 --- a/debian/default +++ /dev/null @@ -1,7 +0,0 @@ -# Defaults for dns-flood-detector initscript -# sourced by /etc/init.d/dns-flood-detector -# installed at /etc/default/dns-flood-detector by the maintainer scripts - -# options that are passed to the Daemon. -# here: daemon mode, be more verbose, alarm at > 5/s, stats every 3 secs -DAEMON_OPTS="-d -v -v -t5 -w3" diff --git a/debian/dns-flood-detector.8 b/debian/dns-flood-detector.8 deleted file mode 100644 index e7a9cad..0000000 --- a/debian/dns-flood-detector.8 +++ /dev/null 
@@ -1,70 +0,0 @@ -.TH DNS-FLOOD-DETECTOR 8 "2006-11-03" "1.10" "dns flood detection tool" - -.SH NAME -DNS-FLOOD-DETECTOR \- dns flood detection and alert tool - -.SH SYNOPSIS -.B dns-flood-detector -.RB [\| \-b \||\| \-d \|] -.RB [\| \-v \|] -.RB [\| \-h \|] -.RB [\| \-i -.IR device \|] -.RB [\| -t -.IR n \|] -.RB [\| -a -.IR n \|] -.RB [\| -w -.IR n \|] -.RB [\| -x -.IR n \|] -.RB [\| -m -.IR n \|] - -.SH DESCRIPTION -.B DNS Flood Detector -was developed to detect abusive usage levels on high traffic nameservers and to -enable quick response to the use of one's nameserver to facilitate spam. - -.SH OPTIONS -.B -.TP -.B \-b -run in foreground in bindsnap mode -.TP -.B \-d -run in background in daemon mode -.TP -.B \-v -verbose output \- use again for more verbosity -.TP -.B \-h -display help -.TP -.B \-i device -specify device name to listen on -.TP -.B \-t n -alarm at >n queries per second -.TP -.B \-a n -reset alarm after n seconds -.TP -.B \-w n -calculate stats every n seconds -.TP -.B \-x n -create n buckets -.TP -.B \-m n -report overall stats every n seconds - -.SH SEE ALSO -.B Website - - -.SH AUTHOR -DNS-FLOOD-DETECTOR was written by Dennis Opacki . -.PP -This manual page was written by Jan Wagner , -for the Debian project (but may be used by others). diff --git a/debian/docs b/debian/docs deleted file mode 100644 index e845566..0000000 --- a/debian/docs +++ /dev/null @@ -1 +0,0 @@ -README diff --git a/debian/init.d b/debian/init.d deleted file mode 100644 index 4feeaee..0000000 --- a/debian/init.d +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/bin/sh -# Written by Miquel van Smoorenburg . -# Modified for Debian -# by Ian Murdock . -# -# Version: @(#)skeleton 1.9 26-Feb-2001 miquels@cistron.nl -# /etc/init.d/dns-flood-detector: v1 2006/11/03 Jan Wagner - -### BEGIN INIT INFO -# Provides: dns-flood-detector -# Required-Start: $local_fs $network $remote_fs $syslog -# Required-Stop: $local_fs $network $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: start and stop the dns-flood-detector daemon -# Description: detect abusive usage levels on high traffic nameservers -### END INIT INFO - -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -DAEMON=/usr/bin/dns-flood-detector -NAME=dns-flood-detector -DESC=dns-flood-detector - -test -x $DAEMON || exit 0 - -# Include dns-flood-detector defaults if available -if [ -f /etc/default/dns-flood-detector ] ; then - . /etc/default/dns-flood-detector -fi - -set -e - -case "$1" in - start) - echo -n "Starting $DESC: " - start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \ - --exec $DAEMON -- $DAEMON_OPTS - ps aux | grep $DAEMON | head -1 | awk '{ print $2 }' > /var/run/$NAME.pid - echo "$NAME." - ;; - stop) - echo -n "Stopping $DESC: " - start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid \ - --exec $DAEMON - echo "$NAME." - ;; - restart|force-reload) - echo -n "Restarting $DESC: " - start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid \ - --exec $DAEMON - start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \ - --exec $DAEMON -- $DAEMON_OPTS - ps aux | grep $DAEMON | head -1 | awk '{ print $2 }' > /var/run/$NAME.pid - echo "$NAME." - ;; - *) - N=/etc/init.d/$NAME - # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $N {start|stop|restart|force-reload}" >&2 - exit 1 - ;; -esac - -exit 0 diff --git a/debian/patches/00list b/debian/patches/00list deleted file mode 100644 index 3220968..0000000 
--- a/debian/patches/00list +++ /dev/null @@ -1 +0,0 @@ -01_fix_prototyp.dpatch diff --git a/debian/patches/01_fix_prototyp.dpatch b/debian/patches/01_fix_prototyp.dpatch deleted file mode 100755 index d6b7390..0000000 --- a/debian/patches/01_fix_prototyp.dpatch +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh /usr/share/dpatch/dpatch-run -## 01_fix_prototyp.dpatch by dann frazier -## -## DP: fix missing function prototype definition - -@DPATCH@ - ---- dns-flood-detector-1.10/dns_flood_detector.c~ 2003-12-29 20:53:38.000000000 -0700 -+++ dns-flood-detector-1.10/dns_flood_detector.c 2006-11-18 17:38:47.000000000 -0700 -@@ -79,6 +79,7 @@ - #include - #include - #include -+#include - #include - #include - #include diff --git a/debian/rules b/debian/rules deleted file mode 100755 index 8ead083..0000000 --- a/debian/rules +++ /dev/null 
@@ -1,70 +0,0 @@ -#!/usr/bin/make -f -# written by Jan Wagner -# -# Uncomment this to turn on verbose mode. -#export DH_VERBOSE=1 - -include /usr/share/dpatch/dpatch.make - -CFLAGS += -D_BSD_SOURCE -Wall -g -LDLIBS += -lpcap -lpthread -lm - -ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 -else - CFLAGS += -O2 -endif - -build: build-stamp -build-stamp: patch-stamp - dh_testdir - # Add here commands to compile the package. - $(CC) $(CFLAGS) dns_flood_detector.c $(LDLIBS) -o dns_flood_detector - - touch $@ - -clean: unpatch - dh_testdir - dh_testroot - rm -f build-stamp - - # Add here commands to clean up after the build process. - rm -rf dns_flood_detector *.o *~ - - dh_clean - -install: build - dh_testdir - dh_testroot - dh_clean -k - dh_installdirs - - # Add here commands to install the package into debian/dns-flood-detector. - install -D -m 0755 dns_flood_detector debian/dns-flood-detector/usr/bin/dns-flood-detector - install -D -m 0644 debian/default debian/dns-flood-detector/etc/default/dns-flood-detector - install -D -m 0755 debian/init.d debian/dns-flood-detector/etc/init.d/dns-flood-detector - -# Build architecture-independent files here. -binary-indep: build install -# We have nothing to do by default. - -# Build architecture-dependent files here. -binary-arch: build install - dh_testdir - dh_testroot - dh_installchangelogs - dh_installdocs - dh_installman debian/dns-flood-detector.8 - dh_installinit -- defaults 40 - dh_link - dh_strip - dh_compress - dh_fixperms - dh_shlibdeps - dh_installdeb - dh_gencontrol - dh_md5sums - dh_builddeb - -binary: binary-indep binary-arch -.PHONY: build clean binary-indep binary-arch binary install diff --git a/debian/watch b/debian/watch deleted file mode 100644 index 76ed60b..0000000 --- a/debian/watch +++ /dev/null @@ -1,2 +0,0 @@ -version=3 -http://www.adotout.com/dnsflood-(.*)\.tgz diff --git a/dns_flood_detector.c b/dns_flood_detector.c deleted file mode 100644 index b474ad2..0000000 
--- a/dns_flood_detector.c
+++ /dev/null
@@ -1,870 +0,0 @@ -/******************************************************************************** - - Program: dns_flood_detector.c - Author: Dennis Opacki - Date: Tue Mar 18 16:46:53 EST 2003 - Purpose: Monitor DNS servers for abusive usage levels - and alarm to syslog - - compile with: - gcc -o dns_flood_detector -lpcap -lpthread -lm dns_flood_detector.c - - command-line options: - - -i ifname specify interface to listen on (default lets pcap pick) - -t n alarm when more than n queries per second are observed - (default 40) - -a n wait for n seconds before alarming again on same source - (default 90) - -w n calculate statistics every n seconds - (default 10) - -x n use n buckets - (default 50) - -m n mark overall query rate every n seconds - (default disabled) - -A addr filter for specific address - -M mask netmask for filter (in conjunction with -A) - -Q monitor any addresses (default is to filter only for - primary addresses on chosen interface) - -b run in foreground in "bindsnap" mode - -d run in background in "daemon" mode - -D dump dns packets (implies -b) - -v detailed information (use twice for more detail) - -h usage info - - Copyright (C) 2003 Dennis Opacki - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. 
- - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - --- new in v1.05 --- - 8/18/2003 - FreeBSD target - Jim Westfall - 8/18/2003 - Moved to getopt(3) for compatibility - 8/19/2003 - Added OSX/BSDI make targets - - Added ability to specify inteface - - - --- new in v1.06 --- - 8/20/2003 - Added Solaris9 make target - - 8/26/2003 - Fixed tcp qdcount bug - - - --- new in v1.07 --- - 8/27/2003 - Fixed alarm reset bug - - 8/28/2003 - Added malloc_fail function - - 8/28/2003 - Added mutex thread locking - - 8/30/2003 - Fixed wierd qtype segfault - - - - --- new in v1.08 --- - 9/02/2003 - Added -v -v output in daemon mode - - - --- new in v1.09 --- - 10/19/2003 - Added stdout flushing to bindsnap mode - - 10/19/2003 - Changed logging priority to LOG_NOTICE - - 10/19/2003 - Fixed low traffic verbose logging bugs - - - --- new in v1.10 --- - 10/22/2003 - Added 'mark status' option via '-m' - - 10/23/2003 - Code cleanup in verbose syslogging - - - --- new in v1.11 --- - 06/14/2005 - added A6, AAAA, ANY qtypes - - examine all packets with >= 1 qdcount - - stop processing packet if invalid dns char - - fix tcp parsing - - add option_D to dump packets - - - --- new in v1.12 --- - 03/03/2006 - added address filtering options - - fix segfault using argv[0] after getopt - - fix rounding from float/int conversions, use unsigned more consistently - - clean up to work with -Wall - - show fractional qps rates for totals - - store addresses raw, instead of as text (speedup/reduce memory usage) - - fix crash on long syslog messages - - -********************************************************************************/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#ifdef __bsdi__ -#include -#else -#ifdef __sun__ -#include -#else -#include -#endif -#endif -#include 
-#include -#include -#include -#include -#include -#include -#include -#include "dns_flood_detector.h" - -// global variables and their defaults -pthread_mutex_t stats_lock; -struct bucket **bb; -int option_t = 60; -int option_a = 90; -int option_w = 10; -int option_x = 50; -int option_m = 0; -int option_b = 0; -int option_d = 0; -int option_D = 0; -int option_v = 0; -int option_h = 0; -int option_Q = 0; -int option_A = 0; -int option_M = 0; -int totals = 0; -char VERSION[] = "1.12"; - -// 255.255.255.255 is invalid as a src IP address; we'll use it to mark empty buckets -#define BCAST 0xffFFffFF - -// this is our statistics thread -void *run_stats () { - while (1) { - - // check statistical stuff - pthread_mutex_lock(&stats_lock); - calculate_averages(); - pthread_mutex_unlock(&stats_lock); - - sleep (option_w); - } -} - -// calculate the running average within each bucket -int calculate_averages() { - u_int i,j,delta,cursize,qps; - int newsize; - float qpsf; - char st_time[10]; - time_t now = time(0); - u_int types[] = {1,2,5,6,12,15,28,38,252,255,0}; - char *target; - char *names[] = {"A","NS","CNAME","SOA","PTR","MX","AAAA","A6","AXFR","ANY",""}; - struct tm *raw_time = localtime(&now); - snprintf(st_time, 9, "%02d:%02d:%02d",raw_time->tm_hour,raw_time->tm_min,raw_time->tm_sec); - - for (i=0; iip_addr.s_addr != BCAST) { - delta = now - bb[i]->first_packet; - - // let's try to avoid a divide-by-zero, shall we? - if (delta > 1 ) { - - // round our average and save it in the bucket - bb[i]->qps = (u_int)ceil( (bb[i]->tcp_count + bb[i]->udp_count) / (float)delta); - - // handle threshold crossing - if ( bb[i]->qps > option_t ) { - - - // display detail to either syslog or stdout - if ( option_b ) { - if ( ! 
option_v ) { - printf("[%s] source [%s] - %u qps\n",st_time,inet_ntoa(bb[i]->ip_addr),bb[i]->qps); - fflush(stdout); - } - else { - printf("[%s] source [%s] - %u qps tcp : %u qps udp ",st_time,inet_ntoa(bb[i]->ip_addr), - (u_int)ceil( ((float)bb[i]->tcp_count/delta)), - (u_int)ceil( ((float)bb[i]->udp_count/delta)) - ); - if ( option_v >1 ) { - for (j=0;types[j];j++) { - qps = (u_int)ceil((float)bb[i]->qstats[types[j]]/delta); - if (qps){ - printf("[%u qps %s] ",qps,names[j]); - } - } - } - printf("\n"); - fflush(stdout); - } - } - else { - // if running in background, use alarm reset timer - if ((now-bb[i]->alarm_set)>option_a) { - - // display appropriate level of detail via syslog - if ( ! option_v ) { - syslog(LOG_NOTICE,"source [%s] - %u qps\n",inet_ntoa(bb[i]->ip_addr),bb[i]->qps); - } - else if (option_v > 1) { - target = (char *)malloc(sizeof(char)*MAXSYSLOG); - newsize = MAXSYSLOG; - cursize = snprintf(target,newsize,"source [%s] - %u tcp qps : %u udp qps ",inet_ntoa(bb[i]->ip_addr), - (u_int)ceil( ((float)bb[i]->tcp_count/delta)), - (u_int)ceil( ((float)bb[i]->udp_count/delta)) - ); - newsize-=cursize; - - for (j=0;types[j];j++ ) { - qps = (u_int)ceil(((float)bb[i]->qstats[types[j]]/delta)); - if ( ( qps > 0) && ( newsize > 1 ) ) { - cursize = snprintf(target+(MAXSYSLOG-newsize),newsize,"[%u qps %s] ",qps,names[j]); - newsize-=cursize; - } - } - if (newsize <= 0 ) { - target[MAXSYSLOG-1]='\0'; - } - syslog(LOG_NOTICE,"%s",target); - free(target); - } - else { - syslog(LOG_NOTICE,"source [%s] - %u tcp qps - %u udp qps\n",inet_ntoa(bb[i]->ip_addr), - (u_int)ceil( ((float)bb[i]->tcp_count/delta)), - (u_int)ceil( ((float)bb[i]->udp_count/delta)) - ); - } - - // reset alarm - bb[i]->alarm_set = now; - } - } - } - } - } - } - - // 'mark stats' if required and it is time - delta = (u_int)(now - bb[totals]->first_packet); - if ( (option_m > 0)&&(delta > 1)&&(delta >= option_m) ) { - - // handle bindsnap mode - if (option_b) { - printf("[%s] totals - %3.2f qps tcp 
: %3.2f qps udp ",st_time, ((float)bb[totals]->tcp_count/delta),((float)bb[totals]->udp_count/delta)); - if (option_v) { - for (j=0;types[j];j++) { - qpsf = ((float)bb[totals]->qstats[types[j]]/delta); - if (qpsf > 0){ - printf("[%3.2f qps %s] ",qpsf,names[j]); - } - } - } - printf("\n"); - fflush(stdout); - } - else { - // agonizing high verbosity code - if (option_v) { - target = (char *)malloc(sizeof(char)*MAXSYSLOG); - newsize = MAXSYSLOG; - cursize = snprintf(target,newsize,"[totals] - %3.2f tcp qps : %3.2f udp qps ", - ((float)bb[totals]->tcp_count/delta), - ((float)bb[totals]->udp_count/delta) - ); - newsize-=cursize; - - for (j=0;types[j];j++ ) { - qpsf = ((float)bb[totals]->qstats[types[j]]/delta); - if ( ( qpsf > 0) && ( newsize > 1 ) ) { - cursize = snprintf(target+(MAXSYSLOG-newsize),newsize,"[%3.2f qps %s] ",qpsf,names[j]); - newsize-=cursize; - } - } - if (newsize <= 0 ) { - target[MAXSYSLOG-1]='\0'; - } - syslog(LOG_NOTICE,"%s",target); - free(target); - } - else { - syslog(LOG_NOTICE,"[totals] - %3.2f tcp qps : %3.2f udp qps\n", - ((float)bb[totals]->tcp_count/delta), - ((float)bb[totals]->udp_count/delta) - ); - } - } - scour_bucket(totals); - } - - return 1; -} - -int valid_dns_char(char c) { - - if((c >= '0' && c <= '9') - || (c >= 'a' && c <= 'z') - || (c >= 'A' && c <= 'Z') - || (c == '-') - || (c == '_')) // is valid for SRV records. 
- return 1; - - return 0; -} -// purge and initialize all buckets -void init_buckets() { - u_int i; - - // create bucket brigade (final bucket is for totals) - pthread_mutex_lock(&stats_lock); - if ( ( bb = malloc( sizeof(struct bucket *) * (option_x+1)) ) == NULL ) malloc_fail("bb", sizeof(struct bucket *) * (option_x+1)); - for (i=0; i <=option_x; i++ ) { - if ( ( bb[i] = (struct bucket *)malloc( sizeof(struct bucket) ) ) == NULL) malloc_fail("bb[i]", sizeof(struct bucket) ); - scour_bucket(i); - } - pthread_mutex_unlock(&stats_lock); -} - -// clean out a bucket while avoiding obvious memory leak -int scour_bucket( int i ) { - int j; - - bb[i]->ip_addr.s_addr=BCAST; - bb[i]->tcp_count=0; - bb[i]->udp_count=0; - bb[i]->qps=0; - bb[i]->first_packet=time(0); - bb[i]->last_packet=(time_t)0; - bb[i]->alarm_set=(time_t)0; - - for (j=0;j<256;j++) { - bb[i]->qstats[j]=0; - } - return 1; -} - -// add a packet to a bucket -int add_to_bucket ( struct in_addr *ip_src, int ip_proto, int num_queries, u_int8_t qtype) { - int bucket = 0; - - // get the bucket to put packet in - pthread_mutex_lock(&stats_lock); - bucket = find_bucket(ip_src); - - // set bucket fields - bb[bucket]->last_packet = time(0); - if (ip_proto == 6 ) { - bb[bucket]->tcp_count+=num_queries; - bb[totals]->tcp_count+=num_queries; - } - else { - bb[bucket]->udp_count+=num_queries; - bb[totals]->udp_count+=num_queries; - } - - bb[bucket]->qstats[qtype]+=num_queries; - bb[totals]->qstats[qtype]+=num_queries; - pthread_mutex_unlock(&stats_lock); - - return 1; -} - -// figure out where to put this packet -int find_bucket(struct in_addr *ip_src) { - int i, bucket=0; - time_t oldest=0; - - // look for an existing bucket for this IP - for (i=0; i< option_x; i++ ){ - // ip field of bucket seems to match the ip we are checking - if (bb[i]->ip_addr.s_addr == ip_src->s_addr) { - return i; - } - } - - // look for unused buckets - for (i=0; i< option_x; i++ ) { - - // found an unused one - clean it, init it, and return it 
- if ( bb[i]->ip_addr.s_addr == BCAST ) { - scour_bucket(i); - bb[i]->ip_addr.s_addr = ip_src->s_addr; - return i; - } - - // find the most stagnant bucket in case we need it - // avoids another loop through the buckets - // TODO - should we autoflush buckets after some idle time, - // or after alarming? fixes the case where - // alarms are unlikely to reappear even if a client - // resumes flooding if there isn't bucket contention - // churning them out and resetting the timer for the rate - // calculation... - if ( ( bb[i]->last_packet != 0 ) && ((oldest==0)||( bb[i]->last_packet < oldest))) { - oldest = bb[i]->last_packet; - bucket = i; - } - } - - // use the most stagnant bucket since all are in use - // clean it, init it, and return it - scour_bucket(bucket); - bb[i]->ip_addr.s_addr = ip_src->s_addr; - - return bucket; -} - -// handle all packets we throw at it -void handle_IP(u_char *args, const struct pcap_pkthdr* pkthdr,const u_char* packet){ - const struct ip* ip; - const struct my_dns *dns; - const struct tcphdr *tcp; - const struct udphdr *udp; - u_int length = pkthdr->len; - u_int caplen = pkthdr->caplen; - u_int hlen,off,version; - unsigned char dname[NS_MAXDNAME]=""; - struct in_addr ip_src; - unsigned char *data; - u_int len,dpos; - u_int8_t qtype,tlen; - - // skip the ethernet header - length -= sizeof(struct ether_header); - - // make sure packet is a valid length - if (length < sizeof(struct ip)) { - return; - } - - // snap off the ip portion - ip = (struct ip*)(packet + sizeof(struct ether_header)); - - // get utility params for sanity checking - len = ntohs(ip->ip_len); - hlen = ip->ip_hl; - version = ip->ip_v; - - // let's not do ipv6 just yet - if(version != 4) { - return; - } - - // make sure we have a sane header length - if(hlen < 5 ) { - return; - } - - // do we have the everything we are supposed to? 
- if(length < len) { - return; - } - - // make sure we are only processing the first fragment - off = ntohs(ip->ip_off); - if((off & 0x1fff) == 0 ) { - - // get the source ip - ip_src.s_addr = ip->ip_src.s_addr; - - // process udp packets - if ( ip->ip_p == 17 ) { - udp = (struct udphdr *) ( (char *) packet + sizeof(struct ether_header)+ sizeof (struct ip) ); - - // try to make sure it is safe to cast packet into dns structure - if ( (sizeof(struct my_dns)+sizeof(struct ether_header)+sizeof(struct ip)+sizeof(struct udphdr)) >= caplen ) { - return; - } - else { - // populate dns header - dns = (struct my_dns *) ( (char *) packet + sizeof(struct ether_header) + sizeof (struct ip) + sizeof (struct udphdr) ); - data = (char *) packet +sizeof(struct ether_header) + sizeof (struct ip) + sizeof (struct udphdr) + sizeof(struct my_dns); - } - } - - // process tcp packets - else if ( ip->ip_p == 6 ) { - tcp = (struct tcphdr *) ( (char *) packet + sizeof(struct ether_header)+ sizeof (struct ip) ); - - // ignore packets without push flag set - if (! tcp->th_flags & TH_PUSH) return; - - // try to make sure it is safe to cast packet into dns structure - if ( (sizeof(struct my_dns)+sizeof(struct ether_header)+sizeof(struct ip)+(tcp->th_off * sizeof(u_int32_t)) + sizeof(u_int16_t)) >= caplen ) { - return; - } - else { - // populate dns header - // tcp dns lookups also include a 16bit length field = dns header + data. - dns = (struct my_dns *) ( (char *) packet + sizeof(struct ether_header)+ sizeof (struct ip) + (tcp->th_off * sizeof(u_int32_t) + sizeof(u_int16_t))); - data = (char *) packet + sizeof(struct ether_header) + sizeof (struct ip) + (tcp->th_off * sizeof(u_int32_t)) + sizeof(struct my_dns) + sizeof(u_int16_t); - } - } - - // hmm.. not tcp, not udp.. move on. 
- else { - return; - } - - // we only want queries, not responses - if ( dns->dns_flags1 & 0x80 ) { - return; - } - - // ignore packets with no questions - if (ntohs(dns->dns_qdcount) == 0) { - return; - } - - // get the domain name and query type - tlen=dpos=0; - for (;(*data)&&((void *)data<((void *)packet+caplen-1)); data++) { - if (!tlen) tlen=*data; - for (;(tlen&&((void *)data<((void *)packet+caplen-1)));tlen--){ - data++; - // bail on an invalid dns char - if(!valid_dns_char(*data)) { - return; - } - if (dposip_p == 17 ? "udp" : "tcp"), qtype, dname); - } - - // add packet to bucket array - if (ntohs(dns->dns_qdcount)&&qtype) { - add_to_bucket( &ip_src, ip->ip_p, 1, qtype ); - } - } - return; -} - -// main logic -// some pcap code borrowed from http://www.cet.nau.edu/~mc8/Socket/Tutorials/section1.html -int main(int argc,char **argv){ - char *dev = NULL; - pthread_t thread; - char errbuf[PCAP_ERRBUF_SIZE]; - pcap_t* descr; - struct bpf_program fp; /* hold compiled program */ - bpf_u_int32 maskp=0; /* subnet mask */ - bpf_u_int32 netp=0; /* ip */ - char *filter = NULL; - char *dst_addr = NULL; - char *dst_mask = NULL; - struct sigaction sa; - struct in_addr addr,tmpaddr; - u_int f_size; - char *args = NULL; - char *name = NULL; - u_int c = 0; - - if ( ( name = (char *)strdup(argv[0]) ) == NULL) malloc_fail("name", strlen(argv[0]) ); - // loop through command line options and get options - while(1) { - c = getopt(argc, argv,"i:t:a:w:x:m:A:M:QbdDvh"); - - if (c==-1) break; - switch(c) { - case 0: - break; - case 'i': - if (optarg) { - if ( ( dev = (char *)strdup(optarg) ) == NULL) malloc_fail("dev", strlen(optarg) ); - } - break; - case 't': - if (optarg) { - if ( abs (atoi(optarg)) > 0) { - option_t = abs( atoi(optarg)); - } - } - break; - case 'a': - if (optarg) { - if ( abs (atoi(optarg)) > 10) { - option_a = abs( atoi(optarg)); - } - } - break; - case 'w': - if (optarg) { - if ( abs (atoi(optarg)) > 1) { - option_w = abs( atoi(optarg)); - } - } - break; - 
case 'x': - if (optarg) { - if ( abs (atoi(optarg)) > 10) { - option_x = abs( atoi(optarg)); - } - } - break; - case 'm': - if (optarg) { - if ( abs (atoi(optarg)) > 0) { - option_m = abs( atoi(optarg)); - } - } - break; - case 'M': - if (optarg && (dst_mask == NULL) ) { - if ( inet_aton(optarg, &tmpaddr) ) { - if ( ( dst_mask = (char *)strdup(optarg) ) == NULL) malloc_fail("filter mask", strlen(optarg) ); - option_M=1; - } else { - fprintf(stderr,"Invalid filter mask \"%s\"\n",optarg); - option_h = 1; - } - } - break; - case 'A': - if (optarg && (dst_addr == NULL) ) { - if ( inet_aton(optarg, &tmpaddr) ) { - if ( ( dst_addr = (char *)strdup(optarg) ) == NULL) malloc_fail("dest filter", strlen(optarg) ); - option_A=1; - } else { - fprintf(stderr,"Invalid filter address \"%s\"\n",optarg); - option_h = 1; - } - } - break; - case 'Q': - option_Q = 1; - break; - case 'b': - option_b = 1; - break; - case 'd': - option_d = 1; - break; - case 'D': - option_D = 1; - break; - case 'v': - option_v++; - break; - case 'h': - option_h = 1; - default: - break; - } - } - - // display usage info if needed - if (optindN queries per second\n"); - fprintf(stderr,"-a N reset alarm after N seconds\n"); - fprintf(stderr,"-w N calculate stats every N seconds\n"); - fprintf(stderr,"-x N create N buckets\n"); - fprintf(stderr,"-m N report overall stats every N seconds\n"); - fprintf(stderr,"-A addr filter for specific address\n"); - fprintf(stderr,"-M mask netmask for filter (in conjunction with -A)\n"); - fprintf(stderr,"-Q don't filter by local interface address\n"); - fprintf(stderr,"-b run in foreground in bindsnap mode\n"); - fprintf(stderr,"-d run in background in daemon mode\n"); - fprintf(stderr,"-D dump dns packets (implies -b)\n"); - fprintf(stderr,"-v verbose output - use again for more verbosity\n"); - fprintf(stderr,"-h display this usage information\n"); - exit(1); - } - - // if dumping packets, force option_b and disable option_d - if( option_D ) { - if( ! 
option_b ) - option_b = 1; - - if( option_d ) - option_d = 0; - - } - - if ( ( option_Q ) && ( option_A ) ) { - fprintf(stderr,"%s couldn't start\n",name); - fprintf(stderr,"You can't specify both -A (address filter) and -Q (no filter)\n"); - exit(1); - } - if ( ( ! option_d ) && ( ! option_b ) ) { - fprintf(stderr,"%s couldn't start\n",name); - fprintf(stderr,"You must specify either -d (daemon) or -b (bindsnap)\n"); - exit(1); - } - free(name); - // set up for daemonized operation unless running in bindsnap mode - if ( ! option_b ) { - openlog("dns_flood_detector",LOG_PID|LOG_CONS,LOG_DAEMON); - syslog(LOG_NOTICE,"dns_flood_detector starting"); - - // daemonize unless running in bindsnap mode - daemonize(); - - // set up signal handlers - sa.sa_handler=exit; - sa.sa_flags=0; - if(sigaction(SIGTERM,&sa,NULL)) { - syslog(LOG_ERR,"Unable to set signal handler: %s. Exiting.", - strerror(errno)); - } - } - - // find a valid device to open - if(dev == NULL && ( (dev=pcap_lookupdev(errbuf)) == NULL ) ){ - fprintf(stderr,"unable to bind to valid device\n"); - exit(1); - } - - /* restrict to queries to primary local address? */ - if (option_Q) { - f_size = strlen("port 53 "); - if ( ( filter = (char *) malloc ( f_size+1) ) == NULL ) malloc_fail( "filter", f_size+1 ); - snprintf( filter, f_size, "port 53"); - } else { - if (! 
option_A) { - // get network address and netmask for device - pcap_lookupnet(dev,&netp,&maskp,errbuf); - - // set up filter with local network - addr.s_addr = (unsigned long int)netp; - if ( ( dst_addr = (char *)malloc( strlen((char *)inet_ntoa(addr))+1) ) == NULL ) malloc_fail("dest_addr", strlen((char *)inet_ntoa(addr))+1 ); - strncpy(dst_addr,(char*)inet_ntoa(addr),strlen((char *)inet_ntoa(addr))); - dst_addr[strlen((char *)inet_ntoa(addr))]='\0'; - - addr.s_addr = (unsigned long int)maskp; - if (!option_M) { - if ( ( dst_mask = (char *)malloc( strlen((char *)inet_ntoa(addr))+1) ) == NULL ) malloc_fail("dest_mask", strlen((char *)inet_ntoa(addr))+1 ); - strncpy(dst_mask,(char*)inet_ntoa(addr),strlen((char *)inet_ntoa(addr))); - dst_mask[strlen((char *)inet_ntoa(addr))]='\0'; - } - } else { - // we're using an address from -A - if (!option_M) { - // if no mask was specified, then use just a host mask - if ( ( dst_mask = (char *)malloc(16) ) == NULL ) malloc_fail("dest_mask", 16); - strncpy(dst_mask,"255.255.255.255",15); - } - } - - f_size = strlen("port 53 and dst net mask ")+ strlen(dst_mask)+ strlen(dst_addr); - if ( ( filter = (char *) malloc ( f_size+1) ) == NULL ) malloc_fail( "filter", f_size+1 ); - snprintf( filter, f_size, "port 53 and dst net %s mask %s", dst_addr, dst_mask); - - free (dst_mask); - free (dst_addr); - } - - if ( option_b && option_v ) { - printf("using filter \"%s\" on dev %s\n", filter, dev); - } - // open device for reading only local traffic - descr = pcap_open_live(dev,1500,0,1,errbuf); - if(descr == NULL) { - fprintf(stderr,"unable to open device %s\n",dev); - exit(1); - } - - // compile filter - if(pcap_compile(descr,&fp,filter,0,netp) == -1) { - fprintf(stderr,"error compiling filter: %s\n",pcap_geterr(descr)); - exit(1); - } - - // set filter - if(pcap_setfilter(descr,&fp) == -1){ - fprintf(stderr,"error setting filter: %s\n",pcap_geterr(descr)); - exit(1); - } - - // initialize buckets and mark overall stats bucket - 
init_buckets(); - totals = option_x; - - // create mutex lock - if (pthread_mutex_init(&stats_lock, NULL) < 0) { - exit(1); - } - - // launch watcher thread - if (pthread_create (&thread, NULL, run_stats, (void *)0)) { - exit(1); - } - - // main pcap loop - pcap_loop(descr,-1,handle_IP,args); - - // done - closelog(); - return 0; -} - -// daemonize the process -int daemonize(void) { - pid_t pid; - int fd; - - fd=open("/dev/null",O_RDWR); - if(fd<0) { - syslog(LOG_ERR,"Failed to open /dev/null: %s. Exiting.",strerror(errno)); - exit(1); - } - - dup2(fd,0); - dup2(fd,1); - dup2(fd,2); - - if((pid=fork())<0) { - syslog(LOG_ERR,"Fork failed: %s. Exiting.",strerror(errno)); - exit(1); - } - else if (pid!=0) { - exit(0); - } - - setsid(); - chdir("/"); - umask(0); - return 0; -} - -int malloc_fail( char * var, int size ) { - // print error to stderr if running in bindsnap mode - if (option_b) { - fprintf(stderr, "our OS wouldn't let me malloc %d bytes for a new %s. giving up", size, var); - } - else { - syslog(LOG_ERR, "our OS wouldn't let me malloc %d bytes for a new %s. giving up", size, var); - } - exit(1); -} diff --git a/dns_flood_detector.h b/dns_flood_detector.h deleted file mode 100644 index 13b7745..0000000 --- a/dns_flood_detector.h +++ /dev/null 
@@ -1,70 +0,0 @@ -/****************************************************************************** - - Program: dns_flood_detector.h - Author: Dennis Opacki - Date: Tue Mar 18 16:46:53 EST 2003 - Purpose: Monitor DNS servers for abusive usage levels - and alarm to syslog - - Copyright (C) 2003 Dennis Opacki - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -*******************************************************************************/ - -// definitions -#ifndef ETHER_HDRLEN -#define ETHER_HDRLEN 14 -#endif -#define NS_MAXDNAME 1025 -#define MAXSYSLOG 192 - -// evil Solaris hack -#ifdef __sun__ -typedef uint8_t u_int8_t; -typedef uint16_t u_int16_t; -typedef uint32_t u_int32_t; -#endif - -// prototypes -void handle_IP(u_char *args,const struct pcap_pkthdr* pkthdr,const u_char* packet); -int calculate_averages(); -int scour_bucket(int i); -int find_bucket(struct in_addr *ip_src); -int daemonize(void); -int malloc_fail(char * var, int size); - -// data structures -struct my_dns { - u_int16_t dns_id; /* query identification number */ - u_int8_t dns_flags1; /* first byte of flags */ - u_int8_t dns_flags2; /* second byte of flags */ - u_int16_t dns_qdcount; /* number of question entries */ - u_int16_t dns_ancount; /* number of answer entries */ - u_int16_t dns_nscount; /* number of authority entries */ - u_int16_t dns_arcount; /* 
number of resource entries */ -}; - -struct bucket { - struct in_addr ip_addr; - unsigned int tcp_count; - unsigned int udp_count; - unsigned int qps; - int qstats[256]; - time_t first_packet; - time_t last_packet; - time_t alarm_set; -}; - diff --git a/dnsflood b/dnsflood deleted file mode 100755 index ebb7584..0000000 --- a/dnsflood +++ /dev/null @@ -1,36 +0,0 @@ -#! /bin/sh - -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin - -test -f /usr/local/sbin/dns_flood_detector || exit 0 - -case "$1" in - start) - echo -n "Starting DNS flood detector: dns_flood_detector" - start-stop-daemon --start --quiet --exec /usr/local/sbin/dns_flood_detector -- -d - echo "." - ;; - stop) - echo -n "Stopping DNS flood detector: dns_flood_detector" - start-stop-daemon --stop --quiet --exec /usr/local/sbin/dns_flood_detector - killall dns_flood_detector - echo "." - ;; - restart|force-reload) - echo -n "Restarting DNS flood detector: dns_flood_detector... " - start-stop-daemon --stop --quiet --exec /usr/local/sbin/dns_flood_detector - sleep 2 - start-stop-daemon --stop --quiet --exec /usr/local/sbin/dns_flood_detector - sleep 4 - killall dns_flood_detector - sleep 2 - start-stop-daemon --start --quiet --exec /usr/local/sbin/dns_flood_detector -- -d - echo "done." - ;; - *) - echo "Usage: /etc/init.d/dnsflood {start|stop|restart|force-reload}" - exit 1 - ;; -esac - -exit 0 diff --git a/makefiles/Makefile-BSDI b/makefiles/Makefile-BSDI deleted file mode 100644 index 2d8c119..0000000 --- a/makefiles/Makefile-BSDI +++ /dev/null @@ -1,13 +0,0 @@ -CFLAGS+=-O -g -LDLIBS=-lpcap -pthread -lm - -all: dns_flood_detector - strip dns_flood_detector -clean: - rm -rf dns_flood_detector *.o *~ -install: - cp dns_flood_detector /usr/local/sbin/ -distclean: clean - rm Makefile - -dns_flood_detector: dns_flood_detector.c diff --git a/makefiles/Makefile-FreeBSD b/makefiles/Makefile-FreeBSD deleted file mode 100644 index 2d8c119..0000000 --- a/makefiles/Makefile-FreeBSD +++ /dev/null 
@@ -1,13 +0,0 @@ -CFLAGS+=-O -g -LDLIBS=-lpcap -pthread -lm - -all: dns_flood_detector - strip dns_flood_detector -clean: - rm -rf dns_flood_detector *.o *~ -install: - cp dns_flood_detector /usr/local/sbin/ -distclean: clean - rm Makefile - -dns_flood_detector: dns_flood_detector.c diff --git a/makefiles/Makefile-Linux b/makefiles/Makefile-Linux deleted file mode 100644 index 30831a3..0000000 --- a/makefiles/Makefile-Linux +++ /dev/null @@ -1,13 +0,0 @@ -CFLAGS=-Wall -O -D_BSD_SOURCE -g -LDLIBS=-lpcap -lpthread -lm - -all: dns_flood_detector - strip dns_flood_detector -clean: - rm -rf dns_flood_detector *.o *~ -install: - cp dns_flood_detector /usr/local/sbin/ -distclean: clean - rm Makefile - -dns_flood_detector: dns_flood_detector.c diff --git a/makefiles/Makefile-OSX b/makefiles/Makefile-OSX deleted file mode 100644 index b72c947..0000000 --- a/makefiles/Makefile-OSX +++ /dev/null @@ -1,13 +0,0 @@ -CFLAGS+=-Wall -O -g -I/usr/local/include -I/usr/include -LDLIBS=-L/usr/local/lib -lpcap -lpthread -lm - -all: dns_flood_detector - strip dns_flood_detector -clean: - rm -rf dns_flood_detector *.o *~ -install: - cp dns_flood_detector /usr/local/sbin/ -distclean: clean - rm Makefile - -dns_flood_detector: dns_flood_detector.c diff --git a/makefiles/Makefile-Solaris b/makefiles/Makefile-Solaris deleted file mode 100644 index 777eefa..0000000 --- a/makefiles/Makefile-Solaris +++ /dev/null @@ -1,13 +0,0 @@ -CFLAGS+=-O -g -I/usr/local/include -I/usr/include -LDLIBS=-L/usr/local/lib -L/usr/lib -lpcap -lpthread -lm -lsocket -lnsl - -all: dns_flood_detector - strip dns_flood_detector -clean: - rm -rf dns_flood_detector *.o *~ -install: - cp dns_flood_detector /usr/local/sbin/ -distclean: clean - rm Makefile - -dns_flood_detector: dns_flood_detector.c