-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathdns_servfail_attack_mitigator.conf
135 lines (107 loc) · 5.65 KB
/
dns_servfail_attack_mitigator.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
#: Title : dns_servfail_attack_mitigator.conf
#: : (c) 2014, Charles Jennings, released under GPLv2
#: Date Created: Mar 13, 2014
#: Last Edit : Jun 02, 2014
#: Author : Charles Jennings
#: : ( cejennings_cr {@} yahoo.com )
#: Version : 0.3.1 (20140602)
#: Description : This script will take a snapshot of the last
# SERVFAIL errors logged by BIND named as defined by
# certain limits below. The script will then evaluate
# all the different IP addresses making queries and
# the domains that are being queried and, based on
# weighting rules below, will make a determination if
# a domain should be blocked with iptables. By
# default this script will alert only, but the script
# can be enabled to automatically block domains found
# to be under attack.
# During non-attack periods, if configured to auto-
# block, the script will check for expired rules,
# based on the configured timeframe, and remove rules.
#####################################################################
### Customization Area Below ###
#####################################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!! !!!!!
#!!!!! On evaluation of a domain that needs to be blocked, !!!!!
#!!!!! !!!!!
#!!!!! Report Only or Mitigate and perform actual block. !!!!!
#!!!!! !!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
## - For mitigation to take place, report_only_flag MUST be set to 0
## - AND mitigate_attack MUST be set to 1. If report_only_flag is
## - anything but 0 and mitigate_attack anything but 1, active
## - mitigation WILL NOT occur. If mitigation is active, reporting
## - via email will still occur.
let report_only_flag=1 # 1=Yes, 0=No
let mitigate_attack=0 # 1=Yes, 0=No
let summarize_report=1 # 1=Yes, 0=No
## - email configuration:
email_subject_report_only="`hostname` under DNS SERVFAIL attack - Report Only - No Mitigation actions taken"
email_subject_mitigated="`hostname` under DNS SERVFAIL attack - Mitigation has occured"
email_subject_rule_cleanup="`hostname` DNS SERVFAIL attack - iptables Rule Cleanup has occured"
## - - Separate email addresses with comma
email_destination="[email protected],[email protected]"
## - Provide the log file location where ISC BIND logs SERVFAIL
## - notifications. (BIND > v9.7.0a1)
## - - You MUST provide both the current file and the most recent
## - - rotated file.
## - - Your named.conf configuration for this log file MUST have the
## - - following settings in the "channel xxx {};" config for the
## - - "category query-errors {};" config:
## - - (Note specifically the number of versions must be greater or
## - - equal to 2 with sufficient size to get the max_records below
## - - and each entry needs to be logged with a timestamp.)
##
## - - file "/path/to/file/filename.ext" versions 2 size 20m;
## - - print-time yes;
##
named_debug_log_file=/chroot/named/logs/dns_limiting.log
named_debug_log_file0=/chroot/named/logs/dns_limiting.log.0
## - Define specifics about reading the above mentioned log files.
## - - Depending on server speed and number of logged entries, the
## - - max_records should be tuned such that reading and evaluation
## - - of the log files leaves approximately 2 minutes of idle time
## - - beforethe next cron job rotation begins. If the server is not
## - - under attack, specify the max_time in seconds to read from the
## - - log files.
let max_records=15000
let max_time=300
## - - Next define the location of key elements in the log file
## - - (columns in log file are read as space delimited).
## - - - (Confirm that the date is in column 1 and the time is in
## - - - column 2.)
let column_of_ip_addr=7
let column_of_fqdn=12
#let column_of_fqdn=14
## - Define the values that will trigger a response from the script.
## - - Queries per minute from any one IP considered "Heavy"
## - - If any IP gets this rate, it will be given the weight of "3"
let ip_qpm_heavy_rate=60
## - - Queries per minute from any one IP considered "Midweight"
## - - If any IP gets this rate, it will be given the weight of "2"
let ip_qpm_midweight_rate=40
## - - Queries per minute from any one IP considered "Light"
## - - If any IP gets this rate, it will be given the weight of "1"
let ip_qpm_light_rate=20
## - This multiplier flags a domain to be evaluated at "Light Weight"
## - - A domain will be flagged for evaluation if the number of hits
## - - is equal to or greater than this number multiplied by
## - - ip_qpm_light_rate in a 60 second timeframe. (calculated out
## - - if less than 60 seconds are captured)
let min_mal_ip_per_domain=5
## - This multiplier flags a domain to be blocked at "Heavy Weight"
## - - This value causes a domain to be triggered for blocking as a
## - - multiplier of the "Heavy Weight". (In other words, this value
## - - times 3 - or this number of Heavy Weighted IPs would cause a
## - - block)
let block_trigger_value=15
## - Define the iptables chain to append the rule to use for blocking
## - domains.
iptables_chain="INPUT"
## - Define how long before blocking rule is removed (in hours)
let block_removal=48
## End ##