commit 9ec21234321258c285149e345663f796c0422298 Author: Jan Wagner Date: Sat Nov 4 19:54:02 2006 +0000 make daniel happy diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..69e1d93 --- /dev/null +++ b/LICENSE @@ -0,0 +1,281 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + diff --git a/README b/README new file mode 100644 index 0000000..17217d1 --- /dev/null +++ b/README @@ -0,0 +1,74 @@ +DNS FLood Detector 1.10 +Dennis Opacki +dopacki@adotout.com + + +What is DNS Flood Detector? + +DNS Flood Detector was developed to detect abusive usage levels on high +traffic nameservers and to enable quick response to the use of one's +nameserver to facilitate spam. DNS Flood Detector is distributed under the +Gnu Public License (see included LICENSE file for details). + +How does it work? + +DNS Flood Detector uses libpcap (in non-promiscuous mode) to monitor +incoming dns queries to a nameserver. The tool may be run in one of two +modes, either daemon mode or "bindsnap" mode. In daemon mode, the tool +will alarm via syslog. In bindsnap mode, the user is able to get +near-real-time stats on usage to aid in more detailed troubleshooting. + +How do I build it? + +Execute ./configure.pl to select the appropriate make target. Then simply +type "make". + +Why was it written? + +I wrote DNS Flood Detector because the fifty or so public recursive +nameservers I am responsible for were being abused by both customers and +non-customers. DNS Flood Detector allows for prompt action when anomalous +conditions are detected. + +What do I need to use it? + +You need libpcap and a little bit of patience. + +What platforms does it work on? + +Linux, BSDI, FreeBSD, Mac OSX, Solaris + +Will it run under Windows {95,98,NT,2000,XP}? + +Maybe. I haven't tried. If it doesn't, feel free to submit a fix. + +What does it look like? + +Usage: ./dns_flood_detector [OPTION] + +-i IFNAME specify interface to listen on +-t N alarm at >N queries per second +-a N reset alarm after N seconds +-w N calculate stats every N seconds +-x N create N buckets +-m N mark total query rate every N seconds +-b run in foreground in bindsnap mode +-d run in background in daemon mode +-v verbose output - use again for more verbosity +-h display this usage information + +Sample Output: + +dopacki:~$ sudo ./dns_flood_detector -v -v -b -t10 +[15:14:56] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 +qps PTR] +[15:14:56] source [10.0.24.2] - 0 qps tcp : 15 qps udp [15 qps A] +[15:15:06] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 +qps PTR] +[15:15:06] source [10.0.24.2] - 0 qps tcp : 15 qps udp [14 qps A] +[15:15:16] source [192.168.1.45] - 0 qps tcp : 23 qps udp [7 qps A] [15 +qps PTR] + +What if I have questions? + +You can e-mail me at dopacki@adotout.com diff --git a/configure.pl b/configure.pl new file mode 100755 index 0000000..66648ba --- /dev/null +++ b/configure.pl @@ -0,0 +1,19 @@ +#!/usr/bin/perl + +use strict; + +my $os = shift; + +# get target listings +opendir(MAKE_TARGETS,'./makefiles'); +my @targets = grep { /Makefile/ && -f './makefiles/'.$_ && s/^Makefile-// } readdir(MAKE_TARGETS); +closedir(MAKE_TARGETS); + +# display usage +unless ($os && grep{/$os/}@targets) {print< + Date: Tue Mar 18 16:46:53 EST 2003 + Purpose: Monitor DNS servers for abusive usage levels + and alarm to syslog + + compile with: + gcc -o dns_flood_detector -lpcap -lpthread -lm dns_flood_detector.c + + command-line options: + + -i ifname specify interface to listen on (default lets pcap pick) + -t n alarm when more than n queries per second are observed + (default 40) + -a n wait for n seconds before alarming again on same source + (default 90) + -w n calculate statistics every n seconds + (default 10) + -x n use n buckets + (default 50) + -m n mark overall query rate every n seconds + (default disabled) + -b run in foreground in "bindsnap" mode + -d run in background in "daemon" mode + -v detailed information (use twice for more detail) + -h usage info + + Copyright (C) 2003 Dennis Opacki + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + --- new in v1.05 --- + 8/18/2003 - FreeBSD target - Jim Westfall + 8/18/2003 - Moved to getopt(3) for compatibility + 8/19/2003 - Added OSX/BSDI make targets - + Added ability to specify inteface - + + --- new in v1.06 --- + 8/20/2003 - Added Solaris9 make target - + 8/26/2003 - Fixed tcp qdcount bug - + + --- new in v1.07 --- + 8/27/2003 - Fixed alarm reset bug - + 8/28/2003 - Added malloc_fail function - + 8/28/2003 - Added mutex thread locking - + 8/30/2003 - Fixed wierd qtype segfault - + + + --- new in v1.08 --- + 9/02/2003 - Added -v -v output in daemon mode - + + --- new in v1.09 --- + 10/19/2003 - Added stdout flushing to bindsnap mode - + 10/19/2003 - Changed logging priority to LOG_NOTICE - + 10/19/2003 - Fixed low traffic verbose logging bugs - + + --- new in v1.10 --- + 10/22/2003 - Added 'mark status' option via '-m' - + 10/23/2003 - Code cleanup in verbose syslogging - + +********************************************************************************/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef __bsdi__ +#include +#else +#ifdef __sun__ +#include +#else +#include +#endif +#endif +#include +#include +#include +#include +#include +#include +#include "dns_flood_detector.h" + +// global variables and their defaults +pthread_mutex_t stats_lock; +struct bucket **bb; +int option_t = 60; +int option_a = 90; +int option_w = 10; +int option_x = 50; +int option_m = 0; +int option_b = 0; +int option_d = 0; +int option_v = 0; +int option_h = 0; +int totals = 0; +char VERSION[] = "1.10"; + +// this is our statistics thread +void *run_stats () { + while (1) { + + // check statistical stuff + pthread_mutex_lock(&stats_lock); + calculate_averages(); + pthread_mutex_unlock(&stats_lock); + + sleep (option_w); + } +} + +// calculate the running average within each bucket +int calculate_averages() { + u_int i,j,delta,cursize,newsize,qps; + char st_time[10]; + time_t now = time(0); + u_int types[] = {1,2,5,6,12,15,252,0}; + u_char *type; + u_char *target; + char *names[] = {"A","NS","CNAME","SOA","PTR","MX","AXFR",""}; + struct tm *raw_time = localtime(&now); + snprintf(st_time, 9, "%02d:%02d:%02d",raw_time->tm_hour,raw_time->tm_min,raw_time->tm_sec); + + for (i=0; iip_addr != NULL ) { + delta = now - bb[i]->first_packet; + + // let's try to avoid a divide-by-zero, shall we? + if (delta > 1 ) { + + // round our average and save it in the bucket + bb[i]->qps = (int)ceil( (float)((((float)bb[i]->tcp_count) + bb[i]->udp_count) / delta)); + + // handle threshold crossing + if ( bb[i]->qps > option_t ) { + + + // display detail to either syslog or stdout + if ( option_b ) { + if ( ! option_v ) { + printf("[%s] source [%s] - %d qps\n",st_time,bb[i]->ip_addr,bb[i]->qps); + fflush(stdout); + } + else { + printf("[%s] source [%s] - %d qps tcp : %d qps udp ",st_time,bb[i]->ip_addr, + (int)ceil( (float)(bb[i]->tcp_count/delta)), + (int)ceil( (float)(bb[i]->udp_count/delta)) + ); + if ( option_v >1 ) { + for (j=0;types[j];j++) { + if ((int)ceil((float)(bb[i]->qstats[types[j]]/delta))){ + printf("[%d qps %s] ",(int)ceil((float)(bb[i]->qstats[types[j]]/delta)),names[j]); + } + } + } + printf("\n"); + fflush(stdout); + } + } + else { + // if running in background, use alarm reset timer + if ((now-bb[i]->alarm_set)>option_a) { + + // display appropriate level of detail via syslog + if ( ! option_v ) { + syslog(LOG_NOTICE,"source [%s] - %d qps\n",bb[i]->ip_addr,bb[i]->qps); + } + else if (option_v > 1) { + target = (char *)malloc(sizeof(char)*MAXSYSLOG); + newsize = MAXSYSLOG; + cursize = snprintf(target,newsize,"source [%s] - %d tcp qps : %d udp qps ",bb[i]->ip_addr, + (int)ceil( (float)(bb[i]->tcp_count/delta)), + (int)ceil( (float)(bb[i]->udp_count/delta)) + ); + newsize-=cursize; + + for (j=0;types[j];j++ ) { + qps = (u_int)ceil((float)(bb[i]->qstats[types[j]]/delta)); + if ( ( qps > 0) && ( newsize > 1 ) ) { + cursize = snprintf(target+(MAXSYSLOG-newsize),newsize,"[%d qps %s] ",qps,names[j]); + newsize-=cursize; + } + } + if (newsize <= 0 ) { + target[MAXSYSLOG-1]='\0'; + } + syslog(LOG_NOTICE,"%s",target); + free(target); + } + else { + syslog(LOG_NOTICE,"source [%s] - %d tcp qps - %d udp qps\n",bb[i]->ip_addr, + (int)ceil( (float)(bb[i]->tcp_count/delta)), + (int)ceil( (float)(bb[i]->udp_count/delta)) + ); + } + + // reset alarm + bb[i]->alarm_set = now; + } + } + } + } + } + } + + // 'mark stats' if required and it is time + delta = now - bb[totals]->first_packet; + if ( (option_m > 0)&&(delta > 1)&&(delta >= option_m) ) { + + // handle bindsnap mode + if (option_b) { + printf("[%s] totals - %d qps tcp : %d qps udp ",st_time,(int)ceil( (float)(bb[totals]->tcp_count/delta)),(int)ceil( (float)(bb[totals]->udp_count/delta))); + if (option_v) { + for (j=0;types[j];j++) { + qps = (u_int)ceil((float)(bb[totals]->qstats[types[j]]/delta)); + if (qps){ + printf("[%d qps %s] ",qps,names[j]); + } + } + } + printf("\n"); + fflush(stdout); + } + else { + // agonizing high verbosity code + if (option_v) { + target = (char *)malloc(sizeof(char)*MAXSYSLOG); + newsize = MAXSYSLOG; + cursize = snprintf(target,newsize,"[totals] - %d tcp qps : %d udp qps ", + (int)ceil( (float)(bb[totals]->tcp_count/delta)), + (int)ceil( (float)(bb[totals]->udp_count/delta)) + ); + newsize-=cursize; + + for (j=0;types[j];j++ ) { + qps = (u_int)ceil((float)(bb[totals]->qstats[types[j]]/delta)); + if ( ( qps > 0) && ( newsize > 1 ) ) { + cursize = snprintf(target+(MAXSYSLOG-newsize),newsize,"[%d qps %s] ",qps,names[j]); + newsize-=cursize; + } + } + if (newsize <= 0 ) { + target[MAXSYSLOG-1]='\0'; + } + syslog(LOG_NOTICE,"%s",target); + free(target); + } + else { + syslog(LOG_NOTICE,"[totals] - %d tcp qps : %d udp qps\n", + (int)ceil( (float)(bb[totals]->tcp_count/delta)), + (int)ceil( (float)(bb[totals]->udp_count/delta)) + ); + } + } + scour_bucket(totals); + } + + return 1; +} + +// purge and initialize all buckets +void init_buckets() { + u_int i; + + // create bucket brigade (final bucket is for totals) + pthread_mutex_lock(&stats_lock); + if ( ( bb = malloc( sizeof(struct bucket *) * (option_x+1)) ) == NULL ) malloc_fail("bb", sizeof(struct bucket *) * (option_x+1)); + for (i=0; i <=option_x; i++ ) { + if ( ( bb[i] = (struct bucket *)malloc( sizeof(struct bucket) ) ) == NULL) malloc_fail("bb[i]", sizeof(struct bucket) ); + bb[i]->ip_addr=NULL; + scour_bucket(i); + } + pthread_mutex_unlock(&stats_lock); +} + +// clean out a bucket while avoiding obvious memory leak +int scour_bucket( int i ) { + int j; + + if ( bb[i]->ip_addr != NULL ) { + free ( bb[i]->ip_addr ); + } + bb[i]->ip_addr=NULL; + bb[i]->tcp_count=0; + bb[i]->udp_count=0; + bb[i]->qps=0; + bb[i]->first_packet=time(0); + bb[i]->last_packet=(time_t)0; + bb[i]->alarm_set=(time_t)0; + + for (j=0;j<256;j++) { + bb[i]->qstats[j]=0; + } + return 1; +} + +// add a packet to a bucket +int add_to_bucket ( char * ip_src, int ip_proto, int num_queries, u_int8_t qtype) { + int bucket = 0; + + // get the bucket to put packet in + pthread_mutex_lock(&stats_lock); + bucket = find_bucket(ip_src); + + // set bucket fields + bb[bucket]->last_packet = time(0); + if (ip_proto == 6 ) { + bb[bucket]->tcp_count+=num_queries; + bb[totals]->tcp_count+=num_queries; + } + else { + bb[bucket]->udp_count+=num_queries; + bb[totals]->udp_count+=num_queries; + } + + bb[bucket]->qstats[qtype]+=num_queries; + bb[totals]->qstats[qtype]+=num_queries; + pthread_mutex_unlock(&stats_lock); + + return 1; +} + +// figure out where to put this packet +int find_bucket(char *ip_src) { + int i, bucket=0; + time_t oldest=0; + + // look for an existing bucket for this IP + for (i=0; i< option_x; i++ ){ + // ip field of bucket is not null and seems to match the ip we are checking + if ((bb[i]->ip_addr != NULL)&&(strncmp(bb[i]->ip_addr, ip_src, strlen(bb[i]->ip_addr))==0)) { + return i; + } + } + + // look for unused buckets + for (i=0; i< option_x; i++ ) { + + // found an unused one - clean it, init it, and return it + if ( bb[i]->ip_addr == NULL ) { + scour_bucket(i); + if ( ( bb[i]->ip_addr = (char *)strdup(ip_src) ) == NULL) malloc_fail("bb[i]->ip_addr", strlen(ip_src) ); + return i; + } + + // find the most stagnant bucket in case we need it + // avoids another loop through the buckets + if ( ( bb[i]->last_packet != 0 ) && ((oldest==0)||( bb[i]->last_packet < oldest))) { + oldest = bb[i]->last_packet; + bucket = i; + } + } + + // use the most stagnant bucket since all are in use + // clean it, init it, and return it + scour_bucket(bucket); + if ( ( bb[bucket]->ip_addr = (char *)strdup(ip_src) ) == NULL) malloc_fail("bb[bucket]->ip_addr", strlen(ip_src) ); + + return bucket; +} + +// handle all packets we throw at it +void handle_IP(u_char *args, const struct pcap_pkthdr* pkthdr,const u_char* packet){ + const struct ip* ip; + const struct my_dns *dns; + const struct tcphdr *tcp; + const struct udphdr *udp; + u_int length = pkthdr->len; + u_int caplen = pkthdr->caplen; + u_int hlen,off,version; + unsigned char dname[NS_MAXDNAME]=""; + char *ip_src; + unsigned char *data; + u_int i,len,dpos; + u_int8_t qtype,qclass,tlen; + + // skip the ethernet header + length -= sizeof(struct ether_header); + + // make sure packet is a valid length + if (length < sizeof(struct ip)) { + return; + } + + // snap off the ip portion + ip = (struct ip*)(packet + sizeof(struct ether_header)); + + // get utility params for sanity checking + len = ntohs(ip->ip_len); + hlen = ip->ip_hl; + version = ip->ip_v; + + // let's not do ipv6 just yet + if(version != 4) { + return; + } + + // make sure we have a sane header length + if(hlen < 5 ) { + return; + } + + // do we have the everything we are supposed to? + if(length < len) { + return; + } + + // make sure we are only processing the first fragment + off = ntohs(ip->ip_off); + if((off & 0x1fff) == 0 ) { + + // get the source ip as a string (probably more efficient to use decimal) + ip_src = (char *)inet_ntoa(ip->ip_src); + + // process udp packets + if ( ip->ip_p == 17 ) { + udp = (struct udphdr *) ( (char *) packet + sizeof(struct ether_header)+ sizeof (struct ip) ); + + // try to make sure it is safe to cast packet into dns structure + if ( (sizeof(struct my_dns)+sizeof(struct ether_header)+sizeof(struct ip)+sizeof(struct udphdr)) >= caplen ) { + return; + } + else { + // populate dns header + dns = (struct my_dns *) ( (char *) packet + sizeof(struct ether_header) + sizeof (struct ip) + sizeof (struct udphdr) ); + data = (char *) packet +sizeof(struct ether_header) + sizeof (struct ip) + sizeof (struct udphdr) + sizeof(struct my_dns); + } + } + + // process tcp packets + else if ( ip->ip_p == 6 ) { + tcp = (struct tcphdr *) ( (char *) packet + sizeof(struct ether_header)+ sizeof (struct ip) ); + + // ignore packets without push flag set + if (! tcp->th_flags & TH_PUSH) return; + + // try to make sure it is safe to cast packet into dns structure + if ( (sizeof(struct my_dns)+sizeof(struct ether_header)+sizeof(struct ip)+(tcp->th_off * sizeof(u_int32_t))) >= caplen ) { + return; + } + else { + // populate dns header + dns = (struct my_dns *) ( (char *) packet + sizeof(struct ether_header)+ sizeof (struct ip) + (tcp->th_off * sizeof(u_int32_t))); + data = (char *) packet + sizeof(struct ether_header) + sizeof (struct ip) + (tcp->th_off * sizeof(u_int32_t)) + sizeof(struct my_dns); + } + } + + // hmm.. not tcp, not udp.. move on. + else { + return; + } + + // we only want queries, not responses + if ( dns->dns_flags1 & 0x80 ) { + return; + } + + // ignore seemingly bogus queries with multiple flags set + if ((ntohs(dns->dns_qdcount)>0)+(ntohs(dns->dns_ancount)>0)+(ntohs(dns->dns_nscount)>0)+(ntohs(dns->dns_arcount)>0)>1 ) { + return; + } + + // get the domain name and query type + tlen=dpos=0; + for (;(*data)&&((void *)data<((void *)packet+caplen-1)); data++) { + if (!tlen) tlen=*data; + for (;(tlen&&((void *)data<((void *)packet+caplen-1)));tlen--){ + data++; + if (dposdns_qdcount)&&qtype) { + add_to_bucket( ip_src, ip->ip_p, 1, qtype ); + } + } + return; +} + +// main logic +// some pcap code borrowed from http://www.cet.nau.edu/~mc8/Socket/Tutorials/section1.html +int main(int argc,char **argv){ + char *dev = NULL; + pthread_t thread; + char errbuf[PCAP_ERRBUF_SIZE]; + pcap_t* descr; + struct bpf_program fp; /* hold compiled program */ + bpf_u_int32 maskp=0; /* subnet mask */ + bpf_u_int32 netp=0; /* ip */ + char *filter = NULL; + char *dst_addr = NULL; + char *dst_mask = NULL; + struct sigaction sa; + struct in_addr addr; + u_int f_size; + char *args = NULL; + u_int c = 0; + + // loop through command line options and get options + while(1) { + int option_index = 0; + c = getopt(argc, argv,"i:t:a:w:x:m:bdvh"); + + if (c==-1) break; + switch(c) { + case 0: + break; + case 'i': + if (optarg) { + if ( ( dev = (char *)strdup(optarg) ) == NULL) malloc_fail("dev", strlen(optarg) ); + } + break; + case 't': + if (optarg) { + if ( abs (atoi(optarg)) > 0) { + option_t = abs( atoi(optarg)); + } + } + break; + case 'a': + if (optarg) { + if ( abs (atoi(optarg)) > 10) { + option_a = abs( atoi(optarg)); + } + } + break; + case 'w': + if (optarg) { + if ( abs (atoi(optarg)) > 1) { + option_w = abs( atoi(optarg)); + } + } + break; + case 'x': + if (optarg) { + if ( abs (atoi(optarg)) > 10) { + option_x = abs( atoi(optarg)); + } + } + break; + case 'm': + if (optarg) { + if ( abs (atoi(optarg)) > 0) { + option_m = abs( atoi(optarg)); + } + } + break; + case 'b': + option_b = 1; + break; + case 'd': + option_d = 1; + break; + case 'v': + option_v++; + break; + case 'h': + option_h = 1; + default: + break; + } + } + + // display usage info if needed + if (optindN queries per second\n"); + fprintf(stderr,"-a N reset alarm after N seconds\n"); + fprintf(stderr,"-w N calculate stats every N seconds\n"); + fprintf(stderr,"-x N create N buckets\n"); + fprintf(stderr,"-m N report overall stats every N seconds\n"); + fprintf(stderr,"-b run in foreground in bindsnap mode\n"); + fprintf(stderr,"-d run in background in daemon mode\n"); + fprintf(stderr,"-v verbose output - use again for more verbosity\n"); + fprintf(stderr,"-h display this usage information\n"); + exit(1); + } + + if ( ( ! option_d ) && ( ! option_b ) ) { + fprintf(stderr,"%s couldn't start\n",argv[0]); + fprintf(stderr,"You must specify either either -d (daemon) or -b (bindsnap)\n"); + exit(1); + } + // set up for daemonized operation unless running in bindsnap mode + if ( ! option_b ) { + openlog("dns_flood_detector",LOG_PID|LOG_CONS,LOG_DAEMON); + syslog(LOG_NOTICE,"dns_flood_detector starting"); + + // daemonize unless running in bindsnap mode + daemonize(); + + // set up signal handlers + sa.sa_handler=exit; + sa.sa_flags=0; + if(sigaction(SIGTERM,&sa,NULL)) { + syslog(LOG_ERR,"Unable to set signal handler: %s. Exiting.", + strerror(errno)); + } + } + + // find a valid device to open + if(dev == NULL && ( (dev=pcap_lookupdev(errbuf)) == NULL ) ){ + fprintf(stderr,"unable to bind to valid device\n"); + exit(1); + } + + // get network address and netmask for device + pcap_lookupnet(dev,&netp,&maskp,errbuf); + + // set up filter with local network + addr.s_addr = (unsigned long int)netp; + if ( ( dst_addr = (char *)malloc( strlen((char *)inet_ntoa(addr))+1) ) == NULL ) malloc_fail("dest_addr", strlen((char *)inet_ntoa(addr))+1 ); + strncpy(dst_addr,(char*)inet_ntoa(addr),strlen((char *)inet_ntoa(addr))); + dst_addr[strlen((char *)inet_ntoa(addr))]='\0'; + + addr.s_addr = (unsigned long int)maskp; + if ( ( dst_mask = (char *)malloc( strlen((char *)inet_ntoa(addr))+1) ) == NULL ) malloc_fail("dest_mask", strlen((char *)inet_ntoa(addr))+1 ); + strncpy(dst_mask,(char*)inet_ntoa(addr),strlen((char *)inet_ntoa(addr))); + dst_mask[strlen((char *)inet_ntoa(addr))]='\0'; + + f_size = strlen("port 53 and dst net mask ")+ strlen(dst_mask)+ strlen(dst_addr); + if ( ( filter = (char *) malloc ( f_size+1) ) == NULL ) malloc_fail( "filter", f_size+1 ); + snprintf( filter, f_size, "port 53 and dst net %s mask %s", dst_addr, dst_mask); + + free (dst_mask); + free (dst_addr); + + // open device for reading only local traffic + descr = pcap_open_live(dev,1500,0,1,errbuf); + if(descr == NULL) { + fprintf(stderr,"unable to open device %s\n",dev); + exit(1); + } + + // compile filter + if(pcap_compile(descr,&fp,filter,0,netp) == -1) { + exit(1); + } + + // set filter + if(pcap_setfilter(descr,&fp) == -1){ + exit(1); + } + + // initialize buckets and mark overall stats bucket + init_buckets(); + totals = option_x; + + // create mutex lock + if (pthread_mutex_init(&stats_lock, NULL) < 0) { + exit(1); + } + + // launch watcher thread + if (pthread_create (&thread, NULL, run_stats, (void *)0)) { + exit(1); + } + + // main pcap loop + pcap_loop(descr,-1,handle_IP,args); + + // done + closelog(); + return 0; +} + +// daemonize the process +int daemonize(void) { + pid_t pid; + int fd; + + fd=open("/dev/null",O_RDWR); + if(fd<0) { + syslog(LOG_ERR,"Failed to open /dev/null: %s. Exiting.",strerror(errno)); + exit(1); + } + + dup2(fd,0); + dup2(fd,1); + dup2(fd,2); + + if((pid=fork())<0) { + syslog(LOG_ERR,"Fork failed: %s. Exiting.",strerror(errno)); + exit(1); + } + else if (pid!=0) { + exit(0); + } + + setsid(); + chdir("/"); + umask(0); + return 0; +} + +int malloc_fail( char * var, int size ) { + // print error to stderr if running in bindsnap mode + if (option_b) { + fprintf(stderr, "our OS wouldn't let me malloc %d bytes for a new %s. giving up", size, var); + } + else { + syslog(LOG_ERR, "our OS wouldn't let me malloc %d bytes for a new %s. giving up", size, var); + } + exit(1); +} diff --git a/dns_flood_detector.h b/dns_flood_detector.h new file mode 100644 index 0000000..b968305 --- /dev/null +++ b/dns_flood_detector.h @@ -0,0 +1,65 @@ +/****************************************************************************** + + Program: dns_flood_detector.h + Author: Dennis Opacki + Date: Tue Mar 18 16:46:53 EST 2003 + Purpose: Monitor DNS servers for abusive usage levels + and alarm to syslog + + Copyright (C) 2003 Dennis Opacki + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*******************************************************************************/ + +// definitions +#ifndef ETHER_HDRLEN +#define ETHER_HDRLEN 14 +#endif +#define NS_MAXDNAME 1025 +#define MAXSYSLOG 128 + +// evil Solaris hack +#ifdef __sun__ +typedef uint8_t u_int8_t; +typedef uint16_t u_int16_t; +typedef uint32_t u_int32_t; +#endif + +// prototypes +void handle_IP(u_char *args,const struct pcap_pkthdr* pkthdr,const u_char* packet); + +// data structures +struct my_dns { + u_int16_t dns_id; /* query identification number */ + u_int8_t dns_flags1; /* first byte of flags */ + u_int8_t dns_flags2; /* second byte of flags */ + u_int16_t dns_qdcount; /* number of question entries */ + u_int16_t dns_ancount; /* number of answer entries */ + u_int16_t dns_nscount; /* number of authority entries */ + u_int16_t dns_arcount; /* number of resource entries */ +}; + +struct bucket { + char * ip_addr; + unsigned int tcp_count; + unsigned int udp_count; + unsigned int qps; + int qstats[256]; + time_t first_packet; + time_t last_packet; + time_t alarm_set; +}; + diff --git a/dnsflood b/dnsflood new file mode 100755 index 0000000..ebb7584 --- /dev/null +++ b/dnsflood @@ -0,0 +1,36 @@ +#! /bin/sh + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +test -f /usr/local/sbin/dns_flood_detector || exit 0 + +case "$1" in + start) + echo -n "Starting DNS flood detector: dns_flood_detector" + start-stop-daemon --start --quiet --exec /usr/local/sbin/dns_flood_detector -- -d + echo "." + ;; + stop) + echo -n "Stopping DNS flood detector: dns_flood_detector" + start-stop-daemon --stop --quiet --exec /usr/local/sbin/dns_flood_detector + killall dns_flood_detector + echo "." + ;; + restart|force-reload) + echo -n "Restarting DNS flood detector: dns_flood_detector... " + start-stop-daemon --stop --quiet --exec /usr/local/sbin/dns_flood_detector + sleep 2 + start-stop-daemon --stop --quiet --exec /usr/local/sbin/dns_flood_detector + sleep 4 + killall dns_flood_detector + sleep 2 + start-stop-daemon --start --quiet --exec /usr/local/sbin/dns_flood_detector -- -d + echo "done." + ;; + *) + echo "Usage: /etc/init.d/dnsflood {start|stop|restart|force-reload}" + exit 1 + ;; +esac + +exit 0 diff --git a/makefiles/Makefile-BSDI b/makefiles/Makefile-BSDI new file mode 100644 index 0000000..c21e536 --- /dev/null +++ b/makefiles/Makefile-BSDI @@ -0,0 +1,11 @@ +CFLAGS+=-O -g +LDLIBS=-lpcap -pthread -lm + +all: dns_flood_detector + strip dns_flood_detector +clean: + rm -rf dns_flood_detector *.o *~ +install: + cp dns_flood_detector /usr/local/sbin/ + +dns_flood_detector: dns_flood_detector.c diff --git a/makefiles/Makefile-FreeBSD b/makefiles/Makefile-FreeBSD new file mode 100644 index 0000000..c21e536 --- /dev/null +++ b/makefiles/Makefile-FreeBSD @@ -0,0 +1,11 @@ +CFLAGS+=-O -g +LDLIBS=-lpcap -pthread -lm + +all: dns_flood_detector + strip dns_flood_detector +clean: + rm -rf dns_flood_detector *.o *~ +install: + cp dns_flood_detector /usr/local/sbin/ + +dns_flood_detector: dns_flood_detector.c diff --git a/makefiles/Makefile-Linux b/makefiles/Makefile-Linux new file mode 100644 index 0000000..d4b3300 --- /dev/null +++ b/makefiles/Makefile-Linux @@ -0,0 +1,11 @@ +CFLAGS=-O -D_BSD_SOURCE -g +LDLIBS=-lpcap -lpthread -lm + +all: dns_flood_detector + strip dns_flood_detector +clean: + rm -rf dns_flood_detector *.o *~ +install: + cp dns_flood_detector /usr/local/sbin/ + +dns_flood_detector: dns_flood_detector.c diff --git a/makefiles/Makefile-OSX b/makefiles/Makefile-OSX new file mode 100644 index 0000000..009e06f --- /dev/null +++ b/makefiles/Makefile-OSX @@ -0,0 +1,11 @@ +CFLAGS+=-O -g -I/usr/local/include -I/usr/include +LDLIBS=-L/usr/local/lib -lpcap -lpthread -lm + +all: dns_flood_detector + strip dns_flood_detector +clean: + rm -rf dns_flood_detector *.o *~ +install: + cp dns_flood_detector /usr/local/sbin/ + +dns_flood_detector: dns_flood_detector.c diff --git a/makefiles/Makefile-Solaris b/makefiles/Makefile-Solaris new file mode 100644 index 0000000..9c8c9ec --- /dev/null +++ b/makefiles/Makefile-Solaris @@ -0,0 +1,11 @@ +CFLAGS+=-O -g -I/usr/local/include -I/usr/include +LDLIBS=-L/usr/local/lib -L/usr/lib -lpcap -lpthread -lm -lsocket -lnsl + +all: dns_flood_detector + strip dns_flood_detector +clean: + rm -rf dns_flood_detector *.o *~ +install: + cp dns_flood_detector /usr/local/sbin/ + +dns_flood_detector: dns_flood_detector.c