I recently discovered that our nameservers have been flooded with queries for "ripe.net" for the past two months. Detection was very easy: our provider billed us for "extended traffic" for the first time in years.
Well – 400 queries per second will produce traffic.
I tried to use fail2ban for this but failed, because injecting the drop rule into iptables ended in an error. After a couple of hours and several attempts I wrote a small script instead of wasting more time with fail2ban.
It is called from root's crontab every minute and does its job very well. Because our nameservers run in a virtual machine that is restarted every day, the DROP rules only live in the running kernel and are gone after each reboot, so there is no functionality to remove an IP from the blocklist; feel free to extend the script with it.
Please keep in mind that the source address of a UDP query can be spoofed, so you may lock out the wrong IP. A query for ripe.net IN ANY with EDNS returns a large response, which is exactly what a reflection attack wants: the spoofed source is usually the real victim, and that address is what ends up in the DROP list. Dropping it at least stops your server from reflecting traffic at the victim, but it also blocks every legitimate query from that host, so check the blocklist before you trust it.
#!/bin/bash
# sudo crontab -e
# */1 * * * * /home/dns1/dnswatch
#
# 27,97.2012 logfile shortening
# 24.08.2012 creation
# (C) 2012 20/1 Informationssysteme GmbH
# Freeware as long as the originating author is mentioned.

querylog=/var/log/bind9/query.log   # the BIND query log
querylog_search=20                  # how many lines from the end should be searched?
logfile=/var/log/dnswatch.log       # logfile of this script
logfile_keep=50                     # keep how many lines?
iptables=/sbin/iptables             # "iptables" command
iptablessave=/sbin/iptables-save    # "iptables-save" command

# logfile shortening: keep only the last $logfile_keep lines
if [ -e "$logfile" ]; then
    tempfile=$(mktemp)
    tail -n "$logfile_keep" "$logfile" > "$tempfile"
    mv "$tempfile" "$logfile"
fi

# check the query log for "view public: query: ripe.net IN ANY +ED" and drop
# every client address found; with print-time enabled the address is the
# fourth space-separated field and ends at the "#" before the source port, e.g.
# "24-Aug-2012 10:15:01.123 client 192.0.2.1#53412: view public: query: ripe.net IN ANY +ED (...)"
tail -q -n "$querylog_search" "$querylog" | while read -r line; do
    if echo "$line" | grep -qF "view public: query: ripe.net IN ANY +ED"; then
        ipaddr=$(echo "$line" | cut -d "#" -f 1 | cut -d " " -f 4)   # get the client IP from the log line
        # not in iptables already? drop anything from the IP
        if ! "$iptablessave" | grep -q -e "-A INPUT -s $ipaddr/32 -j DROP"; then
            "$iptables" -A INPUT -s "$ipaddr/32" -j DROP
            echo "$(date) Dropped $ipaddr"
            echo "$(date) Dropped $ipaddr" >> "$logfile"
        fi
    fi
done
# end
By the way: you need BIND's query log for this. Edit /etc/bind/named.conf.options and add:
logging {
    channel query.log {
        file "/var/log/bind9/query.log" versions 2 size 20m;
        print-time yes;
        severity debug 3;
    };
    category queries { query.log; };
};

Assigning a channel to the queries category is what turns query logging on. The print-time yes matters for the script: it puts the timestamp in front of "client", which is why the client address is the fourth field that cut -d " " -f 4 extracts; without it the field position changes. The directory /var/log/bind9 must exist and be writable by the user named runs as, otherwise nothing is logged and the script never finds anything.
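The script above blocks an address after a single matching query, which, combined with spoofable UDP sources, makes it easy to lock out an innocent host. The following is an added example, not the dnswatch script from the article and not code from 20/1 Informationssysteme: it scans the same log format (print-time enabled, view "public", the same "ripe.net IN ANY +ED" pattern), but only reports sources that repeat the query at least a chosen number of times in the scanned window, validates the extracted address before it is interpolated into an iptables command, and uses iptables -C to detect an existing rule instead of grepping iptables-save. The log lines, the threshold and the DRY_RUN variable are constructed for this example.

```bash
#!/bin/bash
# Added example (not the original dnswatch script): threshold-based blocking
# of "ripe.net IN ANY" sources with address validation. Runs offline; the log
# lines below are constructed sample data in the format produced by the
# logging stanza from the article (print-time yes, view named "public").
SAMPLE_LOG='24-Aug-2012 10:15:01.123 client 192.0.2.10#53412: view public: query: ripe.net IN ANY +ED (198.51.100.1)
24-Aug-2012 10:15:01.130 client 192.0.2.10#53412: view public: query: ripe.net IN ANY +ED (198.51.100.1)
24-Aug-2012 10:15:01.141 client 192.0.2.10#53412: view public: query: ripe.net IN ANY +ED (198.51.100.1)
24-Aug-2012 10:15:01.150 client 203.0.113.7#1234: view public: query: ripe.net IN ANY +ED (198.51.100.1)
24-Aug-2012 10:15:01.160 client 198.51.100.23#40001: view public: query: www.example.com IN A +E (198.51.100.1)
24-Aug-2012 10:15:01.170 client 192.0.2.10#53412: view public: query: ripe.net IN ANY +ED (198.51.100.1)'

# offenders THRESHOLD: read query-log lines on stdin and print, one per line
# and sorted, every client address that issued the attack query at least
# THRESHOLD times. The address is the text between "client " and "#".
offenders() {
    local threshold="$1"
    grep -F 'view public: query: ripe.net IN ANY +ED' \
    | sed -n 's/^.* client \([0-9.]*\)#[0-9]*: .*$/\1/p' \
    | sort | uniq -c \
    | awk -v t="$threshold" '$1 >= t { print $2 }' \
    | sort
}

# valid_ipv4 ADDR: strict dotted-quad check. The address is interpolated
# into an iptables command line, so anything that is not four in-range
# octets is refused rather than passed on.
valid_ipv4() {
    local o
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# block_rules THRESHOLD: for every offender, add one DROP rule unless an
# identical rule already exists (iptables -C returns 0 if it does). With
# DRY_RUN set, the commands are printed instead of executed.
block_rules() {
    local threshold="$1" ip
    offenders "$threshold" | while read -r ip; do
        if ! valid_ipv4 "$ip"; then
            echo "skipping malformed address: $ip" >&2
            continue
        fi
        if [ -n "${DRY_RUN:-}" ]; then
            echo "iptables -A INPUT -s $ip/32 -j DROP"
        elif ! iptables -C INPUT -s "$ip/32" -j DROP 2>/dev/null; then
            iptables -A INPUT -s "$ip/32" -j DROP
            echo "$(date) Dropped $ip"
        fi
    done
}

# Usage on the sample data: only the source with four hits crosses a
# threshold of 3; the one-off query from 203.0.113.7 is left alone.
printf '%s\n' "$SAMPLE_LOG" | DRY_RUN=1 block_rules 3
```

In production the sample data is replaced by `tail -n "$querylog_search" "$querylog" | block_rules 3` from cron, and the threshold should be set from what a real flood looks like in your own log (the article saw about 400 queries per second, so even a low threshold separates it from a stray lookup). A spoofed victim address that appears hundreds of times will still be blocked; the threshold only protects hosts that sent one or two queries.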