Sunday, January 21, 2018

Detecting DNS flood using dns-flood-detector

First install dns-flood-detector (Debian/Ubuntu package shown here):
# apt-get install dns-flood-detector

What usually makes you look is a kernel warning in dmesg such as:
[1309426.142779] TCP: request_sock_TCP: Possible SYN flooding on port 53. Sending cookies.  Check SNMP counters.

That message comes from the kernel's TCP stack, not from dns-flood-detector: it tells you port 53 is being hammered, but not by whom. dns-flood-detector runs as a daemon and logs the per-source query rates to syslog/journal, which is what you need to find the senders.

To see where it comes from, check the daemon's status; the journal lines at the end are the interesting part:
# /etc/init.d/dns-flood-detector status
* dns-flood-detector.service - LSB: start and stop the dns-flood-detector daemon
   Loaded: loaded (/etc/init.d/dns-flood-detector; generated; vendor preset: enabled)
   Active: active (running) since Fri 2018-01-05 14:25:46 WIB; 2 weeks 1 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/dns-flood-detector.service
           `-475 /usr/bin/dns-flood-detector -d -v -v -t5 -w3
Jan 20 18:09:20 mars dns_flood_detector[475]: source [66.220.156.144] - 3 tc…AA]
Jan 20 18:09:23 mars dns_flood_detector[475]: source [173.252.90.118] - 3 tc…AA]
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Hint: Some lines were ellipsized, use -l to show in full.

or

# service dns-flood-detector status
* dns-flood-detector.service - LSB: start and stop the dns-flood-detector daemon
   Loaded: loaded (/etc/init.d/dns-flood-detector; generated; vendor preset: enabled)
   Active: active (running) since Fri 2018-01-05 14:25:46 WIB; 2 weeks 1 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/dns-flood-detector.service
           `-475 /usr/bin/dns-flood-detector -d -v -v -t5 -w3
Jan 20 18:09:20 mars dns_flood_detector[475]: source [66.220.156.144] - 3 tcp qps : 3 udp qps [1 qps A] [5 qps AAAA]
Jan 20 18:09:23 mars dns_flood_detector[475]: source [173.252.90.118] - 3 tcp qps : 3 udp qps [1 qps A] [5 qps AAAA]
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Each "source" line gives the sending address, its TCP and UDP query rates, and the breakdown per record type. The daemon here runs with -t5, so it reports sources that exceed 5 queries per second.

Let's find out who they are:
# whois 66.220.156.144
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=66.220.156.144?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange:       66.220.144.0 - 66.220.159.255
CIDR:           66.220.144.0/20
NetName:        TFBNET3
NetHandle:      NET-66-220-144-0-1
Parent:         NET66 (NET-66-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS32934
Organization:   Facebook, Inc. (THEFA-3)
RegDate:        2009-02-13
Updated:        2012-02-24
Ref:            https://whois.arin.net/rest/net/NET-66-220-144-0-1
...

and
# whois 173.252.90.118
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=173.252.90.118?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange:       173.252.64.0 - 173.252.127.255
CIDR:           173.252.64.0/18
NetName:        FACEBOOK-INC
NetHandle:      NET-173-252-64-0-1
Parent:         NET173 (NET-173-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS32934
Organization:   Facebook, Inc. (THEFA-3)
RegDate:        2011-02-28
Updated:        2012-02-24
Ref:            https://whois.arin.net/rest/net/NET-173-252-64-0-1

Oops, they are Facebook, Inc. :D

Let's block them. This assumes the mynetrules set already exists and an iptables rule drops traffic that matches it; the iptables -L check at the end confirms the rule is in place:
# ipset add mynetrules 66.220.156.144
# ipset add mynetrules 173.252.90.118
# iptables -L | grep mynetrules
DROP       all  --  anywhere             anywhere             match-set mynetrules src

Keep in mind what is being dropped: both records show OriginAS AS32934, Facebook's own network, so once these are blocked Facebook can no longer resolve any zone this server is authoritative for (link previews for those domains, for instance, stop working), and 6 queries per second from a single source is a rate a name server handles comfortably. Decide whether that trade-off is acceptable before blocking.

When several sources from the same /24 (class C) show up, you can block the whole network at once. For example:
Jan 21 10:11:31 mars dns_flood_detector[475]: source [173.252.124.119] - 3 t…AA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173.252.124.125] - 3 t…AA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173.252.124.126] - 3 t…AA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173.252.124.123] - 3 t…AA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173.252.124.124] - 3 t…AA]

Just check one of them:
# whois 173.252.124.124
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=173.252.124.124?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange:       173.252.64.0 - 173.252.127.255
CIDR:           173.252.64.0/18
NetName:        FACEBOOK-INC
NetHandle:      NET-173-252-64-0-1
Parent:         NET173 (NET-173-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS32934
Organization:   Facebook, Inc. (THEFA-3)
RegDate:        2011-02-28
Updated:        2012-02-24
Ref:            https://whois.arin.net/rest/net/NET-173-252-64-0-1

Let's block the whole /24:
# ipset add mynetrules 173.252.124.0/24

Note that the registry record lists the allocation as 173.252.64.0/18, so the /24 only covers the hosts seen so far; if more addresses from that range turn up, the /18 is the block the whois record actually describes.
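The steps above (read the daemon's journal lines, pick out the offending sources, collapse a cluster of hosts into their /24, feed them to ipset) can be scripted. The following is an added example written for this page, not code from the original post or from the dns-flood-detector project. The journal lines it parses are constructed to match the format shown above, the threshold of 5 qps mirrors the -t5 the daemon runs with, the "three hosts per /24" rule is an assumed policy, and the set name mynetrules is the one the post uses. It prints the ipset commands for review instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: take dns_flood_detector journal
# lines, keep the sources at or above a rate threshold, collapse sources that
# share a /24 into one network entry, and print the matching "ipset add"
# commands for review instead of running them.

# Constructed sample journal output (same shape as the post's lines).
SAMPLE_LOG='Jan 20 18:09:20 mars dns_flood_detector[475]: source [66.220.156.144] - 3 tcp qps : 3 udp qps [1 qps A] [5 qps AAAA]
Jan 20 18:09:23 mars dns_flood_detector[475]: source [173.252.90.118] - 3 tcp qps : 3 udp qps [1 qps A] [5 qps AAAA]
Jan 21 10:11:31 mars dns_flood_detector[475]: source [173.252.124.119] - 3 tcp qps : 3 udp qps [1 qps A] [5 qps AAAA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173.252.124.125] - 3 tcp qps : 3 udp qps [1 qps A] [5 qps AAAA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173.252.124.126] - 3 tcp qps : 3 udp qps [1 qps A] [5 qps AAAA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173.252.124.123] - 3 tcp qps : 3 udp qps [1 qps A] [5 qps AAAA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173.252.124.124] - 3 tcp qps : 3 udp qps [1 qps A] [5 qps AAAA]
Jan 21 10:11:40 mars dns_flood_detector[475]: source [192.0.2.10] - 0 tcp qps : 1 udp qps [1 qps A] [0 qps AAAA]'

# flood_sources MIN_QPS   (journal text on stdin)
# Prints "IP total_qps" for every "source [...]" line whose tcp+udp rate is at
# least MIN_QPS. A source reported several times is printed once, with the
# highest rate seen. Other journal lines (warnings, hints) are ignored.
flood_sources() {
    awk -v min="$1" '
        /dns_flood_detector\[[0-9]+\]: source \[/ {
            ip = $0
            sub(/.*source \[/, "", ip)
            sub(/\].*/, "", ip)
            tcp = 0; udp = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "tcp" && $(i + 1) == "qps") tcp = $(i - 1)
                if ($i == "udp" && $(i + 1) == "qps") udp = $(i - 1)
            }
            total = tcp + udp
            if (total >= min && (!(ip in seen) || total > seen[ip])) seen[ip] = total
        }
        END { for (ip in seen) print ip, seen[ip] }
    ' | sort
}

# collapse_networks MIN_HOSTS   ("IP qps" lines on stdin)
# Groups the hosts by /24. A /24 holding at least MIN_HOSTS offending hosts is
# printed once as "a.b.c.0/24"; otherwise each host is printed on its own.
collapse_networks() {
    awk -v min="$1" '
        {
            split($1, o, ".")
            net = o[1] "." o[2] "." o[3] ".0/24"
            count[net]++
            hosts[net] = hosts[net] " " $1
        }
        END {
            for (net in count) {
                if (count[net] >= min) {
                    print net
                } else {
                    n = split(hosts[net], h, " ")
                    for (i = 1; i <= n; i++) print h[i]
                }
            }
        }
    ' | sort
}

# ipset_commands SETNAME   (one address or network per line on stdin)
# Prints the "ipset add" line for each entry so it can be reviewed first.
ipset_commands() {
    while read -r entry; do
        if [ -n "$entry" ]; then
            printf 'ipset add %s %s\n' "$1" "$entry"
        fi
    done
}

# Everything at 5 qps or more (the -t5 the post's daemon runs with), with any
# /24 holding three or more offenders collapsed (assumed policy), as commands
# for the post's "mynetrules" set.
build_block_list() {
    printf '%s\n' "$SAMPLE_LOG" | flood_sources 5 | collapse_networks 3 | ipset_commands mynetrules
}

build_block_list
```

On a real box, feed `journalctl -u dns-flood-detector` into flood_sources instead of SAMPLE_LOG, read the printed commands, and only then pipe them to sh. The set must exist and be referenced by an iptables rule as in the post, and for the /24 entry to be stored as a single element it needs a set type that holds networks (hash:net); a hash:ip set expands a /24 into 256 individual members.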
