@ahupowerdns
Last active September 17, 2021 02:57
Filtering botnets that try to use your resolver as a packet amplifier
If you notice that some of your users are sending you queries for weirdly named domains
(sdfhsdfkh.www.7xinggua.com. for example), and that those queries in turn are contributing
to a denial of service attack against the "nameservers" behind those weirdly named domains, this page
may be for you. The instructions are for Linux, but other operating systems offer
similar ways to filter traffic.
PowerDNS Recursor 3.6.0 out of the box comes with settings that try to limit this attack,
but there is only so much we can do. A better way is to block or deflect traffic from those
sending the queries.
Note that this procedure is NOT PowerDNS specific, but does use a PowerDNS tool (dnsscope).
There are two ways to do it - one is to block queries for the offending domains. The other
is to block or change queries from the offending IP addresses.
To collect data, run tcpdump for a while:
# tcpdump -i any -c 100000 -s 0 -w traffic udp and port 53
Then feed traffic to the latest version of dnsscope (as found through
https://autotest.powerdns.com/job/auth-git-semistatic-deb-amd64/ and
https://autotest.powerdns.com/job/auth-git-semistatic-rpm-amd64/):
$ dnsscope --rd=1 --servfail-tree traffic > results
Then browse the resulting file. If you egrep it for '^source: ', you get
a list of the currently offending domain names and IP addresses.
*Check carefully that this list does not include legitimate, non-suspicious domains.*
To block the offending domain names, try:
# iptables -I INPUT -p udp --dport 53 -m string --algo bm --hex-string \
"|03|www|08|7xinggua|03|com|00|" -j DROP -m comment --comment "drop *.www.7xinggua.com"
Note that the pattern is the DNS wire format of the name: each dot in the domain name is
replaced by the length (in hex) of the label that follows it, and the name is terminated
with |00|. Also note that currently active botnets change domain names a lot!
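As an added example (not part of the gist), this Python helper builds the --hex-string pattern for any name suffix, checks the RFC 1035 label and name length limits, and shows what the string match really tests: whether the suffix's wire bytes occur inside the query's wire-encoded name. The names other than www.7xinggua.com are constructed.

```python
import re

# Labels seen in hostnames: letters, digits, hyphen, underscore.
_LABEL_OK = re.compile(r"^[A-Za-z0-9_-]+$")


def wire_labels(name):
    """Split a domain name into labels, enforcing the RFC 1035 size limits."""
    name = name.rstrip(".")             # a trailing dot is the root; it becomes |00|
    if not name:
        raise ValueError("empty name")
    labels = name.split(".")
    for label in labels:
        if not _LABEL_OK.match(label):
            raise ValueError("bad label: %r" % label)
        if len(label) > 63:             # a label is at most 63 octets
            raise ValueError("label too long: %r" % label)
    if sum(len(l) + 1 for l in labels) + 1 > 255:   # whole wire name is at most 255 octets
        raise ValueError("name too long")
    return [l.encode("ascii") for l in labels]


def wire_name(name):
    """Wire format: each label prefixed by its length byte, terminated by 0x00."""
    return b"".join(bytes([len(l)]) + l for l in wire_labels(name)) + b"\x00"


def hex_string(name):
    """The same bytes in iptables --hex-string syntax, e.g. |03|www|08|7xinggua|03|com|00|."""
    return "".join("|%02x|%s" % (len(l), l.decode()) for l in wire_labels(name)) + "|00|"


def iptables_rule(name):
    """The INPUT rule from the gist, with the pattern generated for `name`."""
    return ('iptables -I INPUT -p udp --dport 53 -m string --algo bm --hex-string "%s" '
            '-j DROP -m comment --comment "drop *.%s"' % (hex_string(name), name.rstrip(".")))


def suffix_matches(qname, suffix):
    """What the string match tests: is the suffix's wire pattern a substring of the
    query's wire name? The terminating 0x00 keeps the match anchored at the end."""
    return wire_name(suffix) in wire_name(qname)


if __name__ == "__main__":
    for n in ("www.7xinggua.com.", "sdfhsdfkh.www.7xinggua.com"):
        print(n, "->", hex_string(n))
    print(iptables_rule("www.7xinggua.com"))
```

The pattern is byte-exact, so a query for WWW.7XINGGUA.COM slips past it; the string match's --icase option makes the comparison case-insensitive if you see mixed-case names in the capture.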
To block the whole set of offending IP addresses, install the ipset package. Then:
# ipset create botnet hash:ip
# iptables -I INPUT -m set --match-set botnet src -j DROP
# for a in $(egrep '^source: ' results | cut -f2 | sort -u)
do
ipset add botnet $a
done
To update, use 'ipset flush botnet', then repeat the dnsscope run and the loop above.
For more information about ipset, please see:
http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/