.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: daily
+      time: "04:00"
+    reviewers:
+      - "waja"
+    pull-request-branch-name:
+      separator: "-"
+    open-pull-requests-limit: 10

.github/workflows/packaging_test.yml

@@ -0,0 +1,36 @@
+name: Packaging Test
+
+on:
+  push:
+    branches:
+      - $default-branch
+      - development
+      - master
+  # Run tests for any PRs
+  pull_request:
+
+env:
+  SOURCE_DIR: ./
+  ARTIFACTS_DIR: debian/build/release/
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      env:
+        DEBIAN_FRONTEND: "noninteractive"
+    - name: Remove github artefacts
+      run: |
+        rm -rf .github*
+    - name: Adjust distibution in changelog file
+      run: |
+        sed -i '0,/restricted/s//stable/' debian/changelog
+    - name: Build Debian package
+      uses: dawidd6/action-debian-package@v1.5.0
+      with:
+        artifacts_directory: debian/build/release/
+        os_distribution: testing
+    - name: Debug
+      run: |
+        ls -la

.github/workflows/release.yml

@@ -0,0 +1,71 @@
+on:
+  push:
+    # Sequence of patterns matched against refs/tags
+    tags:
+      - 'debian/*' # Push events to matching debian/*, i.e. debian/1.0-2, debian/20.15.10, debian/23.20020326
+
+name: Release Process
+
+env:
+  SOURCE_DIR: ./
+  ARTIFACTS_DIR: debian/build/release/
+
+jobs:
+  create-release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    outputs:
+      release-id: ${{ steps.create_release.outputs.id }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Install needed packages
+        run: |
+          if [ $(dpkg -l | grep -c dpkg-dev) -ne 1 ]; then sudo apt-get update && sudo apt-get install -y dpkg-dev; fi
+      - name: Gather changelog
+        run: |
+          ls -la
+          dpkg-parsechangelog | tail -n +9 > debian.changelog
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
+          body_path: debian.changelog
+          draft: false
+          prerelease: false
+
+  build:
+    name: Build and upload packages
+    needs: create-release
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      env:
+        DEBIAN_FRONTEND: "noninteractive"
+    - name: Remove github artefacts
+      run: |
+        rm -rf .github*
+    - name: Adjust distibution in changelog file
+      run: |
+        sed -i '0,/restricted/s//stable/' debian/changelog
+    - name: Build Debian package
+      uses: dawidd6/action-debian-package@v1.5.0
+      with:
+        artifacts_directory: debian/build/release/
+        os_distribution: testing
+#    - name: Build Debian package
+#      uses: pi-top/action-debian-package@v0.2.0
+#      with:
+#        artifacts_directory: debian/build/release/
+#        target_architectures: "amd64,i386"
+    - name: Upload the artifacts
+      uses: skx/github-action-publish-binaries@release-2.0
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        releaseId: ${{ needs.create-release.outputs.release-id }}
+        args: debian/build/release/*

.travis.yml

@@ -0,0 +1,32 @@
+dist: xenial
+sudo: required
+
+env:
+  - TRAVIS_DEBIAN_DISTRIBUTION=unstable TRAVIS_DEBIAN_MIRROR="http://httpredir.debian.org/debian/" TRAVIS_DEBIAN_SECURITY_UPDATES=false
+  - TRAVIS_DEBIAN_DISTRIBUTION=testing  TRAVIS_DEBIAN_MIRROR="http://httpredir.debian.org/debian/"
+  - TRAVIS_DEBIAN_DISTRIBUTION=stable   TRAVIS_DEBIAN_MIRROR="http://httpredir.debian.org/debian/"
+
+services:
+  - docker
+
+before_script:
+  # fetch all tags (not done due travis cloning with depth=50)
+  - git fetch --tags
+
+script:
+  # build the debian package
+  - wget -O- http://travis.debian.net/script.sh | sh -
+
+after_script:
+  # run lintian after build
+  - sudo add-apt-repository -y ppa:waja/trusty-backports
+  - sudo apt-get update -qq
+  - sudo apt-get install -qq --no-install-recommends lintian
+  - lintian --info --display-info --display-experimental --pedantic --show-overrides ../*.deb && lintian --info --display-info --display-experimental --pedantic --show-overrides ../*.dsc
+
+#notifications:
+#  email: false
+
+branches:
+  except:
+    - /^debian\/\d/

README

@@ -1,4 +1,4 @@
-DNS FLood Detector 1.12
+DNS FLood Detector 1.2
 Dennis Opacki
 dopacki@adotout.com
 
@@ -21,6 +21,16 @@ By default, it will count dns queries directed to any address in the same
 network as the primary IP address on the interface being watched; the -A,
 -M, and -Q options can be used to modify this behaviour.
 
+As of version 1.2, DNS Flood Detector can now send source IP request
+data to a network-based collector as JSON. This lets you gather near
+real-time information about who is using your DNS servers, and from
+where. I've included a sample application called dns_flood_collector.pl,
+which you can use to receive and report these data. The output of this
+program can be easily fed into a graphing tool, such as Caida's 
+plot-latlong:
+
+http://www.caida.org/tools/visualization/plot-latlong/
+
 How do I build it?
 
 Execute ./configure.pl to select the appropriate make target. Then simply
@@ -41,7 +51,7 @@ What platforms does it work on?
 
 Linux, BSDI, FreeBSD, Mac OSX, Solaris
 
-Will it run under Windows {95,98,NT,2000,XP}?  
+Will it run under Windows {95,98,NT,2000,XP,2003,2008 or Win7}?  
 
 Maybe. I haven't tried. If it doesn't, feel free to submit a fix. 
 
@@ -62,6 +72,9 @@ Usage: ./dns_flood_detector [OPTION]
 -d                     run in background in daemon mode
 -D	               dump dns packets (implies -b)
 -v                     verbose output - use again for more verbosity
+-s                     send source IP stats to collector as JSON
+-z N.N.N.N             address to send stats to (default 226.1.1.2)
+-p N                   UDP port to send stats to (default 2000)
 -h                     display this usage information
 
 Sample Output:

debian/.gitlab-ci.yml

@@ -0,0 +1,14 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'unstable'
+ SALSA_CI_DISABLE_APTLY: 0
+ SALSA_CI_DISABLE_AUTOPKGTEST: 1
+ SALSA_CI_DISABLE_BLHC: 0
+ SALSA_CI_DISABLE_LINTIAN: 0
+ SALSA_CI_DISABLE_PIUPARTS: 1
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_BUILD_PACKAGE_ALL: 0
+ SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 0

debian/changelog

@@ -0,0 +1,182 @@
+dns-flood-detector (1.20-8) UNRELEASED; urgency=medium
+
+  * 
+
+ -- Jan Wagner <waja@cyconet.org>  Mon, 23 Jan 2023 12:11:35 +0000
+
+dns-flood-detector (1.20-7) unstable; urgency=medium
+
+  [ Jan Wagner ]
+  * [34a5705] Use secure copyright file specification URI.
+  * [812b668] Remove overrides for lintian tags that are no longer supported.
+  * [1da11e5] Update watch file format version to 4.
+  * [bd99c1c] d/source/options: Adding .github to diff ignore
+  * [ab52f4a] Bump debhelper from old 12 to 13.
+  * [2d78c7e] Bump Standards-Version to 4.6.2
+  * [14e7160] Drop lsb-base, sysvinit-utils is essential
+  * [dcdc452] Set Rules-Requires-Root: no.
+  * [353f35e] Adding unitfile
+
+ -- Jan Wagner <waja@cyconet.org>  Mon, 23 Jan 2023 11:34:04 +0000
+
+dns-flood-detector (1.20-6) unstable; urgency=medium
+
+  [ Jan Wagner ]
+  * [9f76895] Adding d/.gitlab-ci.yml
+  * [2fdc34f] Bump Standards-Version to 4.5.1.0, no changes needed
+
+  [ Helmut Grohne ]
+  * [9db1d5f] Fix FTCBFS: Let dpkg's buildtools.mk supply $(CC).
+    (Closes: #949599)
+
+  [ Jan Wagner ]
+  * [88f1ad9] Adding Github CI
+  * [17a80e0] d/control: Raise compat level to 12
+
+ -- Jan Wagner <waja@cyconet.org>  Wed, 06 Jan 2021 21:33:15 +0100
+
+dns-flood-detector (1.20-5) unstable; urgency=medium
+
+  * [d1ee939] travis-ci: Use xenial image
+  * [187c4cb] d/control: Bump Standards-Version to 4.3.0, no changes needed
+  * [0f96e5a] d/rules: don't touch opmimisations cflags directly
+
+ -- Jan Wagner <waja@cyconet.org>  Thu, 24 Jan 2019 10:45:28 +0100
+
+dns-flood-detector (1.20-4) unstable; urgency=medium
+
+  * [0ff1167] d/control: Depend on lsb-base
+  * [51a32a6] d/changelog: Fixing typo
+  * [2d36138] travis-ci: Make use of travis.d.n
+
+ -- Jan Wagner <waja@cyconet.org>  Mon, 05 Dec 2016 14:13:55 +0100
+
+dns-flood-detector (1.20-3) unstable; urgency=medium
+
+  * [e388f86] travis-ci: don't install build-deps manual
+  * [5035fb3] travis-ci: build package with dpkg-buildpackage
+  * [1b42314] Refresh patches/fix_prototyp
+  * [e7cde7c] debian/control: reformating with warp-and-sort
+  * [fec98e0] travis-ci: grab actual used upstream version
+  * [118ec9c] travis-ci: Adding required arguments for trusty
+  * [aeab465] travis-ci: automatically install dependencies
+  * [9144fb8] d/control: Remove hardening-wrapper from Build-Depends
+    (Closes: #836622)
+  * [5b0f4ee] d/control: Bump Standards-Version to 3.9.8, no changes needed
+
+ -- Jan Wagner <waja@cyconet.org>  Sat, 10 Sep 2016 14:08:46 +0200
+
+dns-flood-detector (1.20-2) unstable; urgency=medium
+
+  * [278015a] Update Vcs-headers to selfhosted VCS
+  * [09a0485] Bump Standards-Version to 3.9.6, no changes needed
+
+ -- Jan Wagner <waja@cyconet.org>  Sun, 12 Oct 2014 20:56:29 +0200
+
+dns-flood-detector (1.20-1) unstable; urgency=low
+
+  * New upstream release
+  * Enable Hardening
+    - build-dep on hardening-wrapper
+  * [a454efe] Source init functions in init script
+  * [39f0420] Updating standards version to 3.9.4, no changes needed
+  * [a6c1551] Include dns_flood_collector.pl as example
+  * [b7b35b2] Update Vcs-headers
+  * [8260b99] Updating standards version to 3.9.5, no changes needed
+  * [7bffbb7] Add travis-ci config
+  * [1b8697f] Reorder and comment .travis.yml
+  * [a63e27c] Add lintian checks after build to .travis.yml
+  * [738c15d] Update VCS-* fields to current canonical URIs
+  * [ccc5dba] Update to recent copyright format
+  * [f383018] Adjust debian/rules to make hardening efficient
+  * [1438e9d] Provide lintian override for missing upstream changelog
+
+ -- Jan Wagner <waja@cyconet.org>  Sun, 02 Mar 2014 19:49:52 +0100
+
+dns-flood-detector (1.12-7) unstable; urgency=low
+
+  * Add trailing trunk/ at Vcs-Svn-field
+  * Updating standards version to 3.9.3, no changes needed
+  * Switch over to packaging format 3.0 (quit) (closes: #664409)
+  * Remove build-dependency of dpatch
+  * Use dh_prep instead of dh_clean -k
+  * Add build-arch and build-indep targets to debian/rules
+
+ -- Jan Wagner <waja@cyconet.org>  Thu, 29 Mar 2012 18:26:14 +0200
+
+dns-flood-detector (1.12-6) unstable; urgency=low
+
+  * Add "Copyright" to all copyrights in debian/copyright
+  * Updating standards version to 3.8.4
+    - Add README.source
+  * Migrate Vcs-Fields over to scm.uncompleted.org
+  * Add 1.0 to debian/source/format
+  * Add ${misc:Depends} to dependencies
+
+ -- Jan Wagner <waja@cyconet.org>  Wed, 10 Mar 2010 00:07:06 +0100
+
+dns-flood-detector (1.12-5) unstable; urgency=low
+
+  * Updating standards version to 3.8.2, no changes needed
+  * remove absolute path of pidof from preinst
+
+ -- Jan Wagner <waja@cyconet.org>  Sun, 26 Jul 2009 00:31:45 +0200
+
+dns-flood-detector (1.12-4) unstable; urgency=low
+
+  * Updating standards version to 3.8.0, no changes needed
+  * implement machine-interpretable copyright file
+
+ -- Jan Wagner <waja@cyconet.org>  Sun, 20 Jul 2008 12:53:51 +0200
+
+dns-flood-detector (1.12-3) unstable; urgency=low
+
+  * added Vcs- fields, moved Homepage into source header's field
+  * bump standards version to 3.7.3 (no changes needed)
+  * change copyright of packaging to 2008 in debian/copyright
+  * get rid of 'ps aux' in init script and preinst, using pidof instead
+
+ -- Jan Wagner <waja@cyconet.org>  Mon, 14 Apr 2008 22:39:46 +0200
+
+dns-flood-detector (1.12-2) unstable; urgency=low
+
+  * some cosmetic fixes to init script
+  * make start-stop-daemon working instead of using kill (Closes: #431676).
+  * providing upgrade path via preinst
+  * drop own maintainers scripts and make again use of debhelper
+
+ -- Jan Wagner <waja@cyconet.org>  Wed, 04 Jul 2007 12:29:06 +0200
+
+dns-flood-detector (1.12-1) unstable; urgency=medium
+
+  * New upstream release
+  * modified fix_prototyp patch for upstream
+
+ -- Jan Wagner <waja@cyconet.org>  Thu, 23 Nov 2006 13:35:11 +0100
+
+dns-flood-detector (1.10-4) unstable; urgency=low
+
+  * included fix_prototyp patch provided by "dann frazier <dannf@debian.org>"
+    (Closes: #399283).
+  * build depend to dpatch
+
+ -- Jan Wagner <waja@cyconet.org>  Sun, 19 Nov 2006 10:18:55 +0100
+
+dns-flood-detector (1.10-3) unstable; urgency=low
+
+  * using killall in init script to get daemon stopped
+  * same for prerm
+
+ -- Jan Wagner <waja@cyconet.org>  Thu,  9 Nov 2006 20:49:10 +0100
+
+dns-flood-detector (1.10-2) unstable; urgency=low
+
+  * fixed typo in initscript
+
+ -- Jan Wagner <waja@cyconet.org>  Sat,  4 Nov 2006 21:46:03 +0100
+
+dns-flood-detector (1.10-1) unstable; urgency=low
+
+  * Initial release (Closes: #396618).
+
+ -- Jan Wagner <waja@cyconet.org>  Fri,  3 Nov 2006 12:39:42 +0100

debian/control

@@ -0,0 +1,25 @@
+Source: dns-flood-detector
+Section: net
+Priority: optional
+Maintainer: Jan Wagner <waja@cyconet.org>
+Build-Depends: debhelper-compat (= 13), libpcap0.8-dev
+Homepage: http://www.adotout.com/
+Vcs-Browser: https://gitlab.uncompleted.org/debian/dns-flood-detector
+Vcs-Git: https://gitlab.uncompleted.org/debian/dns-flood-detector.git
+Standards-Version: 4.6.2
+Rules-Requires-Root: no
+
+Package: dns-flood-detector
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: detect abusive usage levels on high traffic nameservers
+ This package provides the dns-flood-detector daemon.
+ .
+ It was developed to detect abusive usage levels on high traffic nameservers
+ and to enable quick response in halting the use of one's nameserver to
+ facilitate spam.
+ It uses libpcap (in non-promiscuous mode) to monitor incoming dns queries to a
+ nameserver. The tool may be run in one of two modes, either daemon mode or
+ "bindsnap" mode. In daemon mode, the tool will alarm via syslog. In bindsnap
+ mode, the user is able to get near-real-time stats on usage to aid in more
+ detailed troubleshooting.

debian/copyright

@@ -0,0 +1,30 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: DNS Flood Detector
+Upstream-Contact: Dennis Opacki <dopacki@adotout.com>
+Source: http://www.adotout.com/
+
+Files: *
+Copyright: Copyright (C) 2003 Dennis Opacki <dopacki@adotout.com>
+License: GPL-2+
+
+Files: debian/*
+Copyright: Copyright (C) 2006, 2008 Jan Wagner <waja@cyconet.org>
+License: GPL-2+
+
+License: GPL-2+
+        This program is free software; you can redistribute it and/or modify
+        it under the terms of the GNU General Public License as published by
+        the Free Software Foundation; either version 2 of the License, or
+        (at your option) any later version.
+        .
+        This program is distributed in the hope that it will be useful,
+        but WITHOUT ANY WARRANTY; without even the implied warranty of
+        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+        GNU General Public License for more details.
+        .
+        You should have received a copy of the GNU General Public License
+        along with this program; if not, write to the Free Software
+        Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+        .
+ On Debian systems, the complete text of the GNU General Public License can be
+ found in /usr/share/common-licenses/GPL-2 file.

debian/default

@@ -0,0 +1,7 @@
+# Defaults for dns-flood-detector initscript
+# sourced by /etc/init.d/dns-flood-detector
+# installed at /etc/default/dns-flood-detector by the maintainer scripts
+
+# options that are passed to the Daemon.
+# here: daemon mode, be more verbose, alarm at > 5/s, stats every 3 secs
+DAEMON_OPTS="-d -v -v -t5 -w3"

debian/dns-flood-detector.8

@@ -0,0 +1,70 @@
+.TH DNS-FLOOD-DETECTOR 8 "2006-11-03" "1.10" "dns flood detection tool"
+
+.SH NAME
+DNS-FLOOD-DETECTOR \- dns flood detection and alert tool
+
+.SH SYNOPSIS
+.B dns-flood-detector
+.RB [\| \-b \||\| \-d \|]
+.RB [\| \-v \|]
+.RB [\| \-h \|]
+.RB [\| \-i
+.IR device \|]
+.RB [\| -t
+.IR n \|]
+.RB [\| -a
+.IR n \|]
+.RB [\| -w
+.IR n \|]
+.RB [\| -x
+.IR n \|]
+.RB [\| -m
+.IR n \|]
+
+.SH DESCRIPTION
+.B DNS Flood Detector
+was developed to detect abusive usage levels on high traffic nameservers and to
+enable quick response to the use of one's nameserver to facilitate spam.
+
+.SH OPTIONS
+.B
+.TP
+.B \-b
+run in foreground in bindsnap mode
+.TP
+.B \-d
+run in background in daemon mode
+.TP
+.B \-v
+verbose output \- use again for more verbosity
+.TP
+.B \-h
+display help
+.TP
+.B \-i device
+specify device name to listen on
+.TP
+.B \-t n
+alarm at >n queries per second
+.TP
+.B \-a n
+reset alarm after n seconds
+.TP
+.B \-w n
+calculate stats every n seconds
+.TP
+.B \-x n
+create n buckets
+.TP
+.B \-m n
+report overall stats every n seconds
+
+.SH SEE ALSO
+.B Website
+<http://www.adotout.com/>
+
+.SH AUTHOR
+DNS-FLOOD-DETECTOR was written by Dennis Opacki <dopacki@adotout.com>.
+.PP
+This manual page was written by Jan Wagner <waja@cyconet.org>,
+for the Debian project (but may be used by others).

debian/docs

@@ -0,0 +1 @@
+README

debian/examples

@@ -0,0 +1 @@
+dns_flood_collector.pl

debian/init.d

@@ -0,0 +1,66 @@
+#!/bin/sh
+#		Written by Miquel van Smoorenburg <miquels@cistron.nl>.
+#		Modified for Debian
+#		by Ian Murdock <imurdock@gnu.ai.mit.edu>.
+#
+# Version:	@(#)skeleton  1.9  26-Feb-2001  miquels@cistron.nl
+# /etc/init.d/dns-flood-detector: v1 2006/11/03 Jan Wagner <waja@cyconet.org>
+
+### BEGIN INIT INFO
+# Provides: dns-flood-detector
+# Required-Start: $local_fs $network $remote_fs $syslog
+# Required-Stop: $local_fs $network $remote_fs $syslog
+# Default-Start:  2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop the dns-flood-detector daemon
+# Description:  detect abusive usage levels on high traffic nameservers
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/bin/dns-flood-detector
+NAME=dns-flood-detector
+DESC=dns-flood-detector
+
+test -x $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+# Include dns-flood-detector defaults if available
+if [ -f /etc/default/dns-flood-detector ] ; then
+	. /etc/default/dns-flood-detector
+fi
+
+set -e
+
+case "$1" in
+  start)
+	echo -n "Starting $DESC: "
+	start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \
+		--exec $DAEMON -- $DAEMON_OPTS
+	/bin/pidof $DAEMON > /var/run/$NAME.pid
+	echo "$NAME."
+	;;
+  stop)
+	echo -n "Stopping $DESC: "
+	start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid \
+		--exec $DAEMON
+	echo "$NAME."
+	;;
+  restart|force-reload)
+	echo -n "Restarting $DESC: "
+	start-stop-daemon --stop --quiet --pidfile \
+		/var/run/$NAME.pid --exec $DAEMON
+	start-stop-daemon --start --quiet --pidfile \
+		/var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS
+	/bin/pidof $DAEMON > /var/run/$NAME.pid
+	echo "$NAME."
+	;;
+  *)
+	N=/etc/init.d/$NAME
+	# echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
+	echo "Usage: $N {start|stop|restart|force-reload}" >&2
+	exit 1
+	;;
+esac
+
+exit 0

debian/patches/fix_prototyp

@@ -0,0 +1,13 @@
+From: dann frazier <dannf@debian.org>
+Subject: fix missing function prototype definition
+
+--- a/dns_flood_detector.c
++++ b/dns_flood_detector.c
+@@ -107,6 +107,7 @@
+ #include <stdlib.h>
+ #include <fcntl.h>
+ #include <errno.h>
++#include <sys/socket.h>
+ #include <netinet/in_systm.h>
+ #include <netinet/in.h>
+ #include <netinet/ip.h>

debian/patches/series

@@ -0,0 +1 @@
+fix_prototyp

debian/preinst

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+# generate correct pid file, for versions where was non or incorrect
+if [ "$1" = "upgrade" ] && [ "$2" ] && dpkg --compare-versions "$2" <= "1.12-1"; then
+	pidof dns-flood-detector > /var/run/dns-flood-detector.pid
+fi
+#DEBHELPER#

debian/rules

@@ -0,0 +1,76 @@
+#!/usr/bin/make -f
+# written by Jan Wagner <waja@cyconet.org>
+#
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+include /usr/share/dpkg/buildtools.mk
+
+# hardening
+export DEB_BUILD_HARDENING=1
+CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
+CFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
+CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS)
+LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)
+
+CFLAGS += -D_BSD_SOURCE -Wall -g
+LDLIBS += -lpcap -lpthread -lm
+
+build: build-arch build-indep
+build-arch: build-stamp
+build-indep: build-stamp
+build-stamp:
+	dh_testdir
+	# Add here commands to compile the package.
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) dns_flood_detector.c $(LDLIBS) -o dns_flood_detector
+
+	touch $@
+
+clean:
+	dh_testdir
+	dh_testroot
+	rm -f build-stamp
+
+	# Add here commands to clean up after the build process.
+	rm -rf dns_flood_detector *.o *~
+
+	dh_clean
+
+install: build
+	dh_testdir
+	dh_testroot
+	dh_prep
+	dh_installdirs
+
+	# Add here commands to install the package into debian/dns-flood-detector.
+	install -D -m 0755 dns_flood_detector debian/dns-flood-detector/usr/bin/dns-flood-detector
+	install -D -m 0644 debian/default debian/dns-flood-detector/etc/default/dns-flood-detector
+	install -D -m 0755 debian/init.d debian/dns-flood-detector/etc/init.d/dns-flood-detector
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+	dh_testdir
+	dh_testroot
+	dh_installchangelogs
+	dh_installdocs
+	dh_installman debian/dns-flood-detector.8
+	dh_installexamples
+	dh_installinit -- defaults 40
+	dh_installsystemd --no-enable
+	dh_lintian
+	dh_link
+	dh_strip
+	dh_compress
+	dh_fixperms
+	dh_shlibdeps
+	dh_installdeb
+	dh_gencontrol
+	dh_md5sums
+	dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install

debian/service

@@ -0,0 +1,14 @@
+[Unit]
+Description=dns-flood-detector daemon
+
+[Service]
+Environment=PIDFILE=/var/run/dns-flood-detector.pid
+EnvironmentFile=-/etc/default/dns-flood-detector
+ExecStart=/usr/sbin/dns-flood-detector $DAEMON_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+Type=notify
+
+[Install]
+WantedBy=multi-user.target

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/source/options

@@ -0,0 +1 @@
+extend-diff-ignore = '(^|/)(\.travis\.yml|\.git|\.github|\.gitgnore|config\.sub|config\.guess)'

debian/watch

@@ -0,0 +1,2 @@
+version=4
+http://www.adotout.com dnsflood-(.*)\.tgz

dns_flood_collector.pl

@@ -0,0 +1,157 @@
+#!/usr/bin/perl
+
+use strict;
+use threads;
+use threads::shared;
+use Sys::Syslog;
+use Data::Dumper;
+use Getopt::Long;
+use POSIX;
+use IO::Socket::Multicast;
+use JSON;
+
+# Native Maxmind library - http://www.maxmind.com/download/geoip/api/perl/
+# requires: http://www.maxmind.com/app/c
+use Geo::IP;
+
+# set these to the same port and multicast (or unicast) address as the detector
+use constant GROUP => '226.1.1.2';
+use constant PORT  => '2000';
+
+my %ipc_source :shared;
+my %ipc_customer :shared;
+my $time_to_die :shared = 0;
+my $debug;
+my $foreground=0;
+
+# determines how often you want to aggregage and write-out stats dumps
+my $interval = 60;
+
+# you can get the binary format GeoLiteCity.dat from Maxmind
+# http://www.maxmind.com/app/geolitecity
+my $gi = Geo::IP->open("/usr/local/GeoLiteCity.dat",GEOIP_MEMORY_CACHE | GEOIP_CHECK_CACHE);
+
+# adjust this to the path where you want to keep the 
+sub PATH {'/tmp/'}
+
+$|=1;
+
+GetOptions(
+  "debug" => \$debug,
+  "foreground" => \$foreground,
+  "interval=s" => \$interval,
+);
+
+
+main();
+exit();
+
+sub main() {
+
+  # daemonize unless running in foreground
+  unless ($foreground){
+    daemonize();
+  }
+
+  # prepare data acquisition thread
+  threads->new(\&get_data);
+
+  while (! $time_to_die ) {
+
+    # record time started to help evenly space runs
+    my $start_run = time();
+    my $next_run = $start_run + $interval;
+
+    # de-serialize latest copy of source address structure
+    # execute this in a isolated scope so that lock goes out of scope
+    {
+      my $source_distance;
+
+      # lock data structure to prevent other thread from updating it
+      lock(%ipc_source); 
+
+      # open coordinates file for graph generation
+      open(CRDS, ">".PATH."/coords.txt.tmp");
+
+      # calculate great circle distance between each source IP and local POP
+      foreach my $key (keys %ipc_source) { 
+
+        eval {
+        my $r = $gi->record_by_addr($key);
+
+        # write raw entry to coordinates file             
+        print CRDS $key.",".$ipc_source{$key}.",".$r->latitude.",".$r->longitude."\n";
+        };
+        if ($@) {
+          print CRDS $key.",".$ipc_source{$key}.",0,0\n";
+        }
+      }
+
+      # close coordinate file
+      close CRDS;
+      system("mv ".PATH."/coords.txt.tmp ".PATH."/coords.txt");
+
+      # clean out structure for next sample period
+      %ipc_source = ();
+    }
+
+    # sleep to make the interval
+    while((my $time_left = ($next_run - time())) > 0) {
+      sleep($time_left);
+    }
+  }
+  threads->join();
+  return;
+}
+
+# fetch data from UDP multicast
+sub get_data() {
+
+  # set up our multicast listener
+  # note: this will receive unicast fine too
+  my $sock = IO::Socket::Multicast->new(LocalPort=>PORT,ReuseAddr=>1);
+  $sock->mcast_add(GROUP) || die "Couldn't set group: $!\n";
+
+
+  while (  ! $time_to_die  ) {
+    my $data;
+    next unless $sock->recv($data,1500);
+
+    # decode JSON
+    eval {
+      my $obj = decode_json $data;
+      print Dumper $obj;
+      foreach my $ip (keys %{$obj->{data}}) {
+        my $count = $obj->{data}->{$ip};
+        lock(%ipc_source);
+        $ipc_source{$ip}+=$count;
+      }
+    };
+
+  }
+
+  # done!
+  threads->exit();
+}
+
+# daemonize application
+sub daemonize {
+
+  chdir '/' or die "Can't chdir to /: $!";
+  open STDIN, '/dev/null' or die "Can't read /dev/null: $!";
+  open STDOUT, '>/dev/null';
+
+  # fork and exit parent
+  my $pid = fork();
+  exit if $pid;
+  die "Couldn't fork: $!" unless defined ($pid);
+  POSIX::setsid() || die ("$0 can't start a new session: $!");        
+  open STDERR, '>&STDOUT' or die "Can't dup stdout: $!";
+  
+  # signal handlers
+  $SIG{KILL} = \&handler;
+}
+
+sub handler {
+  $time_to_die = 1;
+}

dns_flood_detector.h

@@ -30,6 +30,13 @@
 #endif
 #define NS_MAXDNAME 1025
 #define MAXSYSLOG 192
+#define MAXMESSAGE 1200
+#define MAXDATALET 64
+#define MAXHEAD 300
+#define MAX_TIME_LEN 20
+#define DEFAULT_PORT 2000
+#define DEFAULT_IP "226.1.1.2"
+#define HOST_NAME_MAX 254
 
 // evil Solaris hack
 #ifdef __sun__
@@ -41,10 +48,12 @@ typedef uint32_t u_int32_t;
 // prototypes
 void handle_IP(u_char *args,const struct pcap_pkthdr* pkthdr,const u_char* packet);
 int calculate_averages();
+int saddr_stats(int sock, struct sockaddr_in addr, char *hostname);
 int scour_bucket(int i);
 int find_bucket(struct in_addr *ip_src);
 int daemonize(void);
 int malloc_fail(char * var, int size);
+int microsleep(unsigned int usec);
 
 // data structures
 struct my_dns {

makefiles/Makefile-OSX

@@ -1,5 +1,5 @@
 CFLAGS+=-Wall -O -g -I/usr/local/include -I/usr/include
-LDLIBS=-L/usr/local/lib -lpcap -lpthread -lm
+LDLIBS=-lpcap -lpthread -lm
 
 all: dns_flood_detector
 	strip dns_flood_detector