about dnstop
I am looking for ways to identify domain names that are used for DNS DDoS attacks like the one below.
Src IP : spoofed IPs
FQDN : <random string>.www.foo.com
QPS per FQDN: very few
22:45:36.162809 IP 192.168.30.136.42344 > 192.168.30.254.53: 21282 A? a774.www.foo.com. (34)
22:45:36.231295 IP 192.168.30.136.57178 > 192.168.30.254.53: 22703 A? a775.www.foo.com. (34)
22:45:36.303128 IP 192.168.30.136.21903 > 192.168.30.254.53: 34912 A? a776.www.foo.com. (34)
22:45:36.367110 IP 192.168.30.136.33021 > 192.168.30.254.53: 10937 A? a777.www.foo.com. (34)
22:45:36.431912 IP 192.168.30.136.64286 > 192.168.30.254.53: 28269 A? a778.www.foo.com. (34)
I think we could relatively easily notice the attack by monitoring the number of nxdomain, servfail or recursive-clients, but it sometimes takes time to identify the domains to block the attack.
I think that dnstop's "-l" option would help identify domain names being used for the attack.
# apt-get install dnstop
# dnstop eth0 -l 4
-l option (from the dnstop man page)
-l level
Keep counts on names up to level domain name levels. For example, with -l 2 (the default), dnstop will keep two tables: one with top-level domain names, and another with second-level domain names. Increasing the level provides more details, but also requires more memory and CPU.
-l 4
With -l 4, the query count of each FQDN is very small:
Query Name Count %
---------------- --------- ------
a590.www.foo.com 2 1.5
a589.www.foo.com 2 1.5
a588.www.foo.com 2 1.5
a587.www.foo.com 2 1.5
a586.www.foo.com 2 1.5
a585.www.foo.com 2 1.5
a584.www.foo.com 2 1.5
a583.www.foo.com 2 1.5
a582.www.foo.com 2 1.5
a581.www.foo.com 2 1.5
-l 3
With -l 3, www.foo.com accounts for 100% of the queries, so <random>.www.foo.com is being used for the DDoS:
Query Name Count %
----------- --------- ------
www.foo.com 990 100.0
dnstop can also output statistics from a pcap file:
# dnstop -l 4 a.cap
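The same level-based aggregation that dnstop -l performs can be reproduced on a tcpdump capture to spot a random-subdomain pattern automatically: many distinct children under one parent name, each queried only once or twice. This is an added example, not part of the original post or of dnstop; the sample lines are constructed in the post's tcpdump format, and the thresholds (min_children, max_avg_per_child) are assumed starting points, not values from dnstop.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the tcpdump format shown in the post (not real traffic):
# five random labels under www.foo.com plus normal queries for www.example.net.
SAMPLE = """\
22:45:36.162809 IP 192.168.30.136.42344 > 192.168.30.254.53: 21282 A? a774.www.foo.com. (34)
22:45:36.231295 IP 192.168.30.136.57178 > 192.168.30.254.53: 22703 A? a775.www.foo.com. (34)
22:45:36.303128 IP 192.168.30.136.21903 > 192.168.30.254.53: 34912 A? a776.www.foo.com. (34)
22:45:36.367110 IP 192.168.30.136.33021 > 192.168.30.254.53: 10937 A? a777.www.foo.com. (34)
22:45:36.431912 IP 192.168.30.136.64286 > 192.168.30.254.53: 28269 A? a778.www.foo.com. (34)
22:45:36.500000 IP 192.168.30.10.50001 > 192.168.30.254.53: 11111 A? www.example.net. (33)
22:45:36.600000 IP 192.168.30.10.50002 > 192.168.30.254.53: 22222 AAAA? www.example.net. (33)
"""

# tcpdump prints "<id>[+] <qtype>? <qname>. (<len>)" at the end of a query line.
QUERY_RE = re.compile(r"\s(\w+)\?\s(\S+)\s\(\d+\)\s*$")


def parse_qname(line):
    """Return the queried name (lowercase, no trailing dot), or None for non-query lines."""
    m = QUERY_RE.search(line)
    return m.group(2).lower().rstrip(".") if m else None


def truncate_to_level(name, level):
    """Keep only the last `level` labels, which is what dnstop -l <level> tabulates."""
    return ".".join(name.split(".")[-level:])


def count_by_level(lines, level):
    """Query counts per name truncated to `level` labels (a dnstop -l table)."""
    counts = Counter()
    for line in lines:
        name = parse_qname(line)
        if name:
            counts[truncate_to_level(name, level)] += 1
    return counts


def find_random_subdomain_targets(lines, parent_level=3, min_children=4, max_avg_per_child=2.0):
    """Flag parents (at `parent_level` labels) with many distinct, rarely repeated children."""
    children = defaultdict(Counter)
    for line in lines:
        name = parse_qname(line)
        if name and name.count(".") + 1 > parent_level:  # only names deeper than the parent
            children[truncate_to_level(name, parent_level)][name] += 1
    suspects = {}
    for parent, ctr in children.items():
        distinct, total = len(ctr), sum(ctr.values())
        if distinct >= min_children and total / distinct <= max_avg_per_child:
            suspects[parent] = {"distinct": distinct, "total": total}
    return suspects
```

Feed it the output of `tcpdump -n -r a.cap udp port 53` instead of SAMPLE to run it over a real capture; the flagged parent is the name to rate-limit or drop at the resolver.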