Re: [opennic-discuss] Killed an IP due to excessive usage

  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Killed an IP due to excessive usage
  • Date: Wed, 29 Dec 2010 20:54:39 -0700
  • List-archive: <http://lists.darkdna.net/pipermail/discuss>
  • List-id: <discuss.lists.opennicproject.org>

On 12/29/2010 06:00 PM, Barnaby Astles wrote:
Would it be possible to have a look at your script? It could have multiple uses.

Sure, no problem. This relies on you having a logging option for security in BIND. In my case, that info is logged in /var/log/named/filter. The BLOCK variable simply points to where the script can store a file containing the blocked IPs and what time their block expires. If you do not run this script as root, simply touch the file with the proper user rights.

I have made some refinements to the script this evening. It now looks only at the lines which have been added to the log since the last iteration of the script (and that is now running once every second). It also is more critical of what is being blocked -- a single IP has to be pushing this particular query at least 10 times per second before they are blocked. That should be sufficient to ensure there are no false positives.


#!/bin/bash
# Watches the BIND security log for the "isc.org IN ANY" amplification query
# and drops, for 10 minutes, any client sending it at least 10 times per second.

BLOCK="/etc/ddos.block"            # one "expiry_epoch IP" entry per line
LOGFILE="/var/log/named/filter"    # BIND security category log
NAME="DNS_Filter"                  # syslog tag used by logger
PATTERN="query: isc.org IN ANY +ED"
LAST="-n100"                       # first pass: last 100 lines; afterwards: bytes appended since last pass

while true ; do
    # The client field is $6 in this log format ("date time category: severity: client IP#port:").
    # awk's program must be in single quotes: in double quotes the shell expands $6 to nothing
    # and awk prints the whole line.
    FILTER=$(tail $LAST "$LOGFILE" | grep -F "$PATTERN" | awk '{ print $6 }' | cut -d'#' -f1 | sort -u)
    now=$(date "+%s")

    for IP in $FILTER ; do
        # Skip addresses that are already blocked (-w stops 10.0.0.1 matching 10.0.0.12).
        if ! grep -qFw -- "$IP" "$BLOCK" 2>/dev/null ; then
            COUNT=$(tail $LAST "$LOGFILE" | grep -F "$PATTERN" | grep -cFw -- "$IP")
            if [ "$COUNT" -ge 10 ] ; then
                iptables -A INPUT -s "$IP" -j DROP
                END=$((now + 600))
                echo "$END $IP" >> "$BLOCK"
                logger -t "$NAME" "Blocked $IP"
            fi
        fi
    done

    # Expire blocks whose timeout has passed.
    if [ -f "$BLOCK" ] ; then
        while read -r timeout IP ; do
            if [ "$timeout" -lt "$now" ] ; then
                iptables -D INPUT -s "$IP" -j DROP 2>/dev/null
                sed "/ $IP\$/d" "$BLOCK" > /tmp/ddos.block
                mv /tmp/ddos.block "$BLOCK"
                logger -t "$NAME" "Removed $IP"
            fi
        done < "$BLOCK"
    fi

    # Next pass reads only what is appended after the current end of file.
    # tail -c +N starts at byte N (1-based), so the first new byte is size+1.
    LAST="-c+$(( $(stat -c%s "$LOGFILE") + 1 ))"
    sleep 1
done
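The detection logic of the script above, re-implemented in Python as an added example so it can be checked against constructed log lines (this is not code from the original post or from the OpenNIC project). It assumes BIND is logging with print-time, print-category and print-severity, so the client address is the token after "client"; the sample lines, the 10-per-second threshold and the 600-second block lifetime are constructed to mirror the script.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original post) in the layout BIND writes
# with print-time, print-category and print-severity: "date time category: severity: client IP#port: query: ..."
SAMPLE_LOG = [
    "29-Dec-2010 20:54:39.001 security: info: client 203.0.113.7#4444: query: isc.org IN ANY +ED",
] * 10 + [
    "29-Dec-2010 20:54:39.200 security: info: client 198.51.100.2#5353: query: isc.org IN ANY +ED",
    "29-Dec-2010 20:54:39.300 security: info: client 198.51.100.2#5353: query: example.net IN A +E",
]

PATTERN = "query: isc.org IN ANY +ED"
CLIENT_RE = re.compile(r"\bclient (\S+)#\d+:")


def client_ip(line):
    """Return the client address from a BIND log line, or None if absent."""
    m = CLIENT_RE.search(line)
    return m.group(1) if m else None


def offenders(lines, pattern=PATTERN, threshold=10):
    """Addresses that sent `pattern` at least `threshold` times in this batch of lines.
    Same idea as the grep/awk/wc -l pipeline, but the address is parsed out, so a
    substring match such as 10.0.0.1 against 10.0.0.12 cannot inflate the count."""
    counts = Counter(client_ip(l) for l in lines if pattern in l)
    counts.pop(None, None)
    return {ip for ip, n in counts.items() if n >= threshold}


class BlockList:
    """Tracks blocked addresses and their expiry, like the /etc/ddos.block file."""

    def __init__(self, ttl=600):
        self.ttl = ttl
        self.expiry = {}          # ip -> epoch second at which the block lapses

    def process(self, lines, now):
        """Block new offenders, expire old blocks; return (newly_blocked, expired)."""
        new = offenders(lines) - set(self.expiry)
        for ip in new:
            self.expiry[ip] = now + self.ttl   # where the script runs: iptables -A INPUT -s IP -j DROP
        expired = {ip for ip, t in self.expiry.items() if t < now}
        for ip in expired:
            del self.expiry[ip]                # where the script runs: iptables -D INPUT -s IP -j DROP
        return new, expired
```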
