ahupowerdns/botnetservfail

## botnetservfail
If you note that some of your users are sending you queries to weirdly named domains
(sdfhsdfkh.www.7xinggua.com. for example), and that those queries in turn are contributing
to a denial of service attack to "nameservers" behind those weirdly named domains, this page
may be for you. The instructions are for Linux, but other operating systems will offer
similar ways to filter traffic.

PowerDNS Recursor 3.6.0 out of the box comes with settings that try to limit this attack,
but there is only so much we can do. A better way is to block or deflect traffic from those
sending the queries.

Note that this procedure is NOT PowerDNS specific, but does use a PowerDNS tool (dnsscope).

There are two ways to do it - one is to block queries for the offending domains. The other
is to block or change queries from the offending IP addresses.

To collect data, run tcpdump for a while:

    # tcpdump -i any -c 100000 -s 0 -w traffic udp and port 53

Then feed traffic to the latest version of dnsscope (as found through
https://autotest.powerdns.com/job/auth-git-semistatic-deb-amd64/ and
https://autotest.powerdns.com/job/auth-git-semistatic-rpm-amd64/):

    $ dnsscope --rd=1 --servfail-tree traffic > results

And browse the resulting file. If you egrep this with '^source: ', you get
a list of currently offending domain names and IP addresses.
*Check carefully that this is not including non-suspicious domains*

To block the offending domains names, try:

    # iptables -I INPUT -p udp --dport 53 -m string --algo bm --hex-string \
      "|03|www|08|7xinggua|03|com|00|" -j DROP -m comment --comment "drop *.www.7xinggua.com"

Note that for this to work, replace the dots in the domain name by the length of the label
that follows them, terminating with |00|. Also note that currently active botnets change domain
names a lot!

To block the whole set of offending IP addresses, install the ipset package. Then:

    # ipset create botnet hash:ip
    # iptables -I INPUT -m set --match-set botnet src -j DROP
    # for a in $(egrep '^source: ' results | cut -f2 | sort -u)
      do
          ipset add botnet $a
      one

To update, use 'ipset flush botnet', and then repeat dnsscope and the last line above.

For more information about ipset, please see:
    http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/
	If you note that some of your users are sending you queries to weirdly named domains
	(sdfhsdfkh.www.7xinggua.com. for example), and that those queries in turn are contributing
	to a denial of service attack to "nameservers" behind those weirdly named domains, this page
	may be for you. The instructions are for Linux, but other operating systems will offer
	similar ways to filter traffic.

	PowerDNS Recursor 3.6.0 out of the box comes with settings that try to limit this attack,
	but there is only so much we can do. A better way is to block or deflect traffic from those
	sending the queries.

	Note that this procedure is NOT PowerDNS specific, but does use a PowerDNS tool (dnsscope).

	There are two ways to do it - one is to block queries for the offending domains. The other
	is to block or change queries from the offending IP addresses.

	To collect data, run tcpdump for a while:

	# tcpdump -i any -c 100000 -s 0 -w traffic udp and port 53

	Then feed traffic to the latest version of dnsscope (as found through
	https://autotest.powerdns.com/job/auth-git-semistatic-deb-amd64/ and
	https://autotest.powerdns.com/job/auth-git-semistatic-rpm-amd64/):

	$ dnsscope --rd=1 --servfail-tree traffic > results

	And browse the resulting file. If you egrep this with '^source: ', you get
	a list of currently offending domain names and IP addresses.
	Check carefully that this is not including non-suspicious domains

	To block the offending domains names, try:

	# iptables -I INPUT -p udp --dport 53 -m string --algo bm --hex-string \
	"\|03\|www\|08\|7xinggua\|03\|com\|00\|" -j DROP -m comment --comment "drop *.www.7xinggua.com"

	Note that for this to work, replace the dots in the domain name by the length of the label
	that follows them, terminating with \|00\|. Also note that currently active botnets change domain
	names a lot!

	To block the whole set of offending IP addresses, install the ipset package. Then:

	# ipset create botnet hash:ip
	# iptables -I INPUT -m set --match-set botnet src -j DROP
	# for a in $(egrep '^source: ' results \| cut -f2 \| sort -u)
	do
	ipset add botnet $a
	one

	To update, use 'ipset flush botnet', and then repeat dnsscope and the last line above.

	For more information about ipset, please see:
	http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/