DNS Flood Detector was developed to detect abusive usage levels on high-traffic nameservers and to enable a quick response to, among other things, the use of one's nameserver to facilitate spam.
DNS Flood Detector uses libpcap (in non-promiscuous mode) to monitor incoming DNS queries to a nameserver, so it sees only traffic delivered to the host it runs on; run it on the nameserver itself. The tool may be run in one of two modes, daemon mode or "bindsnap" mode. In daemon mode, DNS Flood Detector alarms via syslog when a source exceeds the configured query rate.
In bindsnap mode, the user gets near-real-time per-source statistics in the foreground to aid in more detailed troubleshooting.
Usage: ./dns_flood_detector [OPTION]
-i ifname specify interface to listen on (default lets pcap pick)
-t n alarm when more than n queries per second are observed
-a n wait for n seconds before alarming again on same source
-w n calculate statistics every n seconds
-x n use n buckets
-m n mark overall query rate every n seconds
-A addr filter for specific address
-M mask netmask for filter (in conjunction with -A)
-Q monitor any addresses (default is to filter only for primary addresses on chosen interface)
-b run in foreground in "bindsnap" mode
-d run in background in "daemon" mode
-D dump dns packets (implies -b)
-v detailed information (use twice for more detail)
-h usage info
dopacki:~$ sudo ./dns_flood_detector -v -v -b -t10
[15:14:56] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:14:56] source [10.0.24.2] - 0 qps tcp : 15 qps udp [15 qps A]
[15:15:06] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:15:06] source [10.0.24.2] - 0 qps tcp : 15 qps udp [14 qps A]
[15:15:16] source [192.168.1.45] - 0 qps tcp : 23 qps udp [7 qps A] [15 qps PTR]
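The following is an added illustration of the detection logic behind the -t, -a, -w, -A and -M options, not the tool's own C source: queries are counted per source in fixed windows, a fractional rate is computed at the end of each window, a source whose rate exceeds the threshold raises an alarm, and repeat alarms for that source are suppressed for the holdoff period. The query records are constructed inline (a real deployment would obtain them from libpcap), and the names FloodMonitor, run and make_sample_queries are this example's own. The statistics lines are formatted like the bindsnap output above.

```python
"""Per-source DNS query-rate monitor with threshold (-t), re-alarm holdoff (-a),
statistics window (-w) and optional address filter (-A/-M). Illustrative
Python written for this page; not the dns_flood_detector C source."""
from collections import defaultdict
import ipaddress


class FloodMonitor:
    """Count queries per source in fixed windows and alarm when a source's
    rate exceeds threshold_qps, at most once per holdoff seconds per source."""

    def __init__(self, threshold_qps, holdoff, window, filter_net=None):
        self.threshold = threshold_qps
        self.holdoff = holdoff
        self.window = window
        self.filter_net = filter_net          # ipaddress network, or None (like -Q)
        self.window_start = None
        self.counts = defaultdict(lambda: defaultdict(int))  # src -> key -> count
        self.last_alarm = {}                  # src -> end time of the window that alarmed
        self.stats = []                       # bindsnap-style per-window lines
        self.alarms = []                      # (time, src, qps) alarms that fired

    def observe(self, ts, src, proto, qtype):
        """Feed one query; timestamps must be non-decreasing."""
        if self.filter_net is not None and ipaddress.ip_address(src) not in self.filter_net:
            return
        if self.window_start is None:
            self.window_start = ts
        # Close every window that ended before this query arrived (gaps included).
        while ts >= self.window_start + self.window:
            self._flush()
        c = self.counts[src]
        c[proto] += 1
        c["type:" + qtype] += 1

    def finish(self):
        """Flush the partial window at end of input and return (stats, alarms)."""
        if self.window_start is not None and self.counts:
            self._flush()
        return self.stats, self.alarms

    def _flush(self):
        end = self.window_start + self.window
        for src, c in sorted(self.counts.items()):
            tcp = c["tcp"] / self.window      # fractional qps, as in the current release
            udp = c["udp"] / self.window
            types = " ".join("[%g qps %s]" % (n / self.window, k[5:])
                             for k, n in sorted(c.items()) if k.startswith("type:"))
            self.stats.append("[%g] source [%s] - %g qps tcp : %g qps udp %s"
                              % (end, src, tcp, udp, types))
            total = tcp + udp
            if total > self.threshold:
                last = self.last_alarm.get(src)
                if last is None or end - last >= self.holdoff:   # -a holdoff
                    self.alarms.append((end, src, total))
                    self.last_alarm[src] = end
        self.counts.clear()
        self.window_start = end


def make_sample_queries(seconds=30):
    """Constructed traffic: one source at 24 qps (8 A + 16 PTR), another at 5 qps."""
    q = []
    for t in range(seconds):
        for i in range(24):
            q.append((100.0 + t + i / 24, "192.168.1.45", "udp", "A" if i < 8 else "PTR"))
        for i in range(5):
            q.append((100.0 + t + i / 5, "10.0.24.2", "udp", "A"))
    return sorted(q)


def run(queries, threshold=10, holdoff=15, window=10, filter_addr=None, filter_mask=None):
    """Equivalent of: -t threshold -a holdoff -w window [-A filter_addr -M filter_mask]."""
    net = None
    if filter_addr is not None:
        net = ipaddress.ip_network("%s/%s" % (filter_addr, filter_mask or "255.255.255.255"),
                                   strict=False)
    mon = FloodMonitor(threshold, holdoff, window, net)
    for ts, src, proto, qtype in queries:
        mon.observe(ts, src, proto, qtype)
    return mon.finish()


if __name__ == "__main__":
    stats, alarms = run(make_sample_queries())
    print("\n".join(stats))
    for end, src, qps in alarms:
        print("ALARM [%g] source [%s] %g qps exceeds threshold" % (end, src, qps))
```

With the defaults above (threshold 10, holdoff 15, window 10) the 24 qps source alarms at the end of the first window, is silent for the second window because only 10 seconds have passed since its last alarm, and alarms again at the end of the third; the 5 qps source never alarms. Passing filter_addr="192.168.1.0" and filter_mask="255.255.255.0" drops the 10.0.24.2 source from the statistics entirely, mirroring -A/-M.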
What's New in This Release:
· Address filtering options are now available, as are fractional query rates for better precision.
· This update also fixes several crashes and segfaults that affected overall reliability.