There's a DDOS attack which works by sending DNS servers bogus requests
with spoofed source addresses. The servers' error reports end up
bombarding the victim.
The `logtrawl' program maintains an ipset listing the known victim IP
addresses based on the DNS server's logs; here, we /drop/ matching
packets -- otherwise the ICMP fallout would do just as well as the DNS
errors at clobbering the victim. Fortunately this isn't very evil,
since DNS over UDP is unreliable anyway.
It may be that `logtrawl' grows up to do more of this stuff later.
MAIN_M4_SOURCES =
HOSTS =
MAIN_M4_SOURCES =
HOSTS =
default: all
.PHONY: default
default: all
.PHONY: default
## Installation.
install: all
firewall_script=./`hostname`.sh && \
## Installation.
install: all
firewall_script=./`hostname`.sh && \
$(ROOT) ./$$firewall_script
for i in $(HOSTS); do \
$(ROOT) scp $$i.sh $$i:/etc/init.d/firewall; \
$(ROOT) ./$$firewall_script
for i in $(HOSTS); do \
$(ROOT) scp $$i.sh $$i:/etc/init.d/firewall; \
+ for j in $(SCRIPTS); do \
+ $(ROOT) ssh $$i <$$j " \
+ cd /usr/local/sbin && \
+ rm -f $$j.new && \
+ cat >$$j.new && \
+ chmod 755 $$j.new && \
+ mv $$j.new $$j"; \
+ done; \
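--- /dev/null
+++ b/logtrawl
@@ -0,0 +1,27 @@
+#! /bin/bash
+
+set -e
+
+## DNS DDOS victims.
+dns_victims=$(
+ sed -n '
+ /^.*named.*client \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\)#.*:.*view inet.*NS\/IN.*denied.*$/ s//\1/p
+ ' /var/log/daemon.log |
+ sort -u |
+ while read addr; do
+ if ! ipset -qT ddos-evil-dns "$addr"; then
+ echo "$addr"
+ fi
+ done
+)
+case "$dns_victims" in
+ "") ;;
+ *)
+ echo 'DNS DDOS victim addresses:'
+ ipset -N ddos-evil-dns iphash >/dev/null 2>&1 || :
+ for addr in $dns_victims; do
+ echo " $addr"
+ ipset -A ddos-evil-dns "$addr" || :
+ done
+ ;;
+esac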
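Review bot: The `|| :` on the `ipset -A ddos-evil-dns "$addr"` line masks every failure of the add (ipset binary missing, kernel module not loaded, wrong set type), so despite `set -e` the script exits 0 having applied no protection, and its output does not distinguish that from success. Since the `ipset -qT` filter in the pipeline already drops addresses that are members, a duplicate-add error is not expected there, so the guard can go: `ipset -A ddos-evil-dns "$addr"`, keeping `|| :` only on the `-N` line where "set already exists" is the normal case. Worth a comment above `dns_victims=$(` as well: entries are only ever added, never aged out, so an address that was spoofed once stays dropped until the set is flushed (`ipset -F ddos-evil-dns`), and the `sed` pattern deserves a one-line note naming the named query-denied log message it is keyed to, since it is the only thing that decides who gets blocked.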
### vampire-specific rules.
m4_divert(82)m4_dnl
### vampire-specific rules.
m4_divert(82)m4_dnl
+## Repelling evil DDos attack.
+run ipset -N ddos-evil-dns iphash 2>/dev/null || :
+run iptables -A inbound -j DROP \
+ -m set --set ddos-evil-dns src \
+ -p udp --destination-port $port_dns
+
## Externally visible services.
allowservices inbound tcp \
finger ident \
## Externally visible services.
allowservices inbound tcp \
finger ident \