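#!/bin/bash
# ddos.sh - by Jeff Taylor
#
# Watches a BIND query log for one specific abusive query (the "isc.org IN ANY"
# amplification pattern) and temporarily DROPs the source addresses that send
# it repeatedly.  Active blocks are persisted in $BLOCKFILE as
# "<expiry-epoch-seconds> <ip>" lines and are removed once $TIMER seconds have
# passed.  Everything it feeds to iptables comes from the log file, i.e. from
# packets an attacker chose to send, so addresses are validated before use.
#
# Must run as root (it edits iptables).  Uses GNU tail/stat/date options.

set -u

## Where to store the block file (full path required)
BLOCKFILE="/etc/ddos.block"
## Prefix for the temporary file used while rewriting the block file (full path
## required).  A random suffix is appended with mktemp so nobody can pre-create
## it; putting it on the same filesystem as $BLOCKFILE makes the swap atomic.
TEMPFILE="/tmp/ddos.tmp"
## Which file does your DNS service log query info in (full path required)
LOGFILE="/var/log/named/filter"
## Name of the iptables chain (Default is "INPUT")
CHAIN="INPUT"
## A string to identify this program's actions in syslog
NAME="DNS_Filter"
## Time (in seconds) to keep an IP address blocked (Default is 600)
TIMER=600
## Network device which receives DNS queries
NETDEV="eth0"
## Source port that the queries are coming in on
SPORT=25345
## Offending query string being sent to DNS (matched as a fixed string, not a regex)
QUERY="$SPORT: view net: query: isc.org IN ANY +ED"
## How many offending queries from one address within a single pass before it
## is blocked (Default is 10)
THRESHOLD=10
##----- Do not edit beyond this point -----##

#######################################
# Abort unless running as root; iptables needs it and would otherwise fail
# on every pass while the script keeps logging "Blocked".
#######################################
require_root() {
  if (( EUID != 0 )); then
    printf '%s: must be run as root (iptables)\n' "${0##*/}" >&2
    exit 1
  fi
}

#######################################
# True if $1 is a dotted-quad IPv4 address with every octet in 0-255.
# Log text is attacker-influenced; only addresses passing this check are
# ever placed on an iptables command line or written to the block file.
#######################################
is_ipv4() {
  local ip=$1 octet
  [[ "$ip" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so "08"/"09" are not parsed as (invalid) octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Apply iptables operation $1 (-I to add, -D to remove) for the rule that
# drops DNS traffic from $2.  One helper so add and delete always build the
# identical rule.  -I (insert at the top of the chain) instead of -A: an
# appended DROP would never fire if an earlier rule already ACCEPTs the port.
#######################################
fw_rule() {
  iptables "$1" "$CHAIN" -i "$NETDEV" -s "$2" -p udp --sport "$SPORT" -j DROP
}

#######################################
# True if $1 already has an entry in $BLOCKFILE.  Compares the address field
# exactly; a plain grep would treat the dots as wildcards and let 10.0.0.1
# match 10.0.0.10.
#######################################
is_blocked() {
  awk -v ip="$1" '$2 == ip { found = 1; exit } END { exit !found }' "$BLOCKFILE"
}

#######################################
# Count offending queries per source address in the log window given as $2
# and block every address reaching $THRESHOLD that is not blocked already.
# Arguments: $1 - current epoch seconds, $2 - newly read log text
# Globals:   QUERY, THRESHOLD, TIMER, BLOCKFILE, NAME (read); BLOCKFILE (appended)
# Field 6 of a BIND query-log line is "client-ip#port:"; the port is split off.
#######################################
block_offenders() {
  local now=$1 window=$2 ip
  while read -r ip; do
    is_ipv4 "$ip" || continue          # never hand unvalidated log text to iptables
    is_blocked "$ip" && continue
    if fw_rule -I "$ip"; then
      # Record the block only once the rule is really in place; otherwise a
      # failed iptables call would silently protect the attacker for $TIMER s.
      printf '%s %s\n' "$((now + TIMER))" "$ip" >> "$BLOCKFILE"
      logger -t "$NAME" "Blocked $ip"
    else
      logger -t "$NAME" "Failed to block $ip (iptables error)"
    fi
  done < <(printf '%s\n' "$window" | grep -F -- "$QUERY" | awk -v min="$THRESHOLD" '
      { split($6, addr, "#"); hits[addr[1]]++ }
      END { for (ip in hits) if (hits[ip] >= min) print ip }')
}

#######################################
# Drop every expired entry from $BLOCKFILE in one rewrite, then remove the
# matching iptables rules.  The file is rewritten first so that if the rewrite
# fails the rule stays in place and the entry is retried on the next pass.
# Lines that do not parse as "<epoch> <ipv4>" are kept untouched.
# Arguments: $1 - current epoch seconds
# Globals:   BLOCKFILE, TEMPFILE, NAME (read); BLOCKFILE (rewritten)
#######################################
expire_blocks() {
  local now=$1 line timeout ip tmp
  local -a expired=() keep=()
  [[ -f "$BLOCKFILE" ]] || return 0
  while IFS= read -r line || [[ -n "$line" ]]; do
    read -r timeout ip <<<"$line"
    if [[ "$timeout" =~ ^[0-9]+$ ]] && is_ipv4 "$ip" && (( timeout < now )); then
      expired+=("$ip")
    else
      keep+=("$line")
    fi
  done < "$BLOCKFILE"
  (( ${#expired[@]} > 0 )) || return 0

  # mktemp (O_EXCL, random name) rather than a fixed /tmp path: this runs as
  # root, and a predictable name in a world-writable directory invites a
  # symlink to be planted and overwritten.
  tmp=$(mktemp "${TEMPFILE}.XXXXXX") || {
    logger -t "$NAME" "mktemp failed; leaving expired blocks in place"
    return 1
  }
  : > "$tmp"
  if (( ${#keep[@]} > 0 )); then
    printf '%s\n' "${keep[@]}" >> "$tmp"
  fi
  if ! mv -f -- "$tmp" "$BLOCKFILE"; then
    rm -f -- "$tmp"
    logger -t "$NAME" "could not rewrite $BLOCKFILE; leaving expired blocks in place"
    return 1
  fi
  for ip in "${expired[@]}"; do
    # The rule may already be gone (e.g. after a reboot with a persisted block
    # file), so a failed delete is expected and not reported.
    fw_rule -D "$ip" 2>/dev/null
    logger -t "$NAME" "Removed $ip"
  done
  return 0
}

#######################################
# Poll loop.  The first pass examines the last 100 log lines; each later pass
# reads from the byte offset captured *before* the previous read, so lines
# written while a pass was running are not skipped.  A log that shrank
# (rotation/truncation) is re-read from the start.  A line that is still
# being written when a pass reads it may be seen again on the next pass.
#######################################
main() {
  local now size window offset=-1
  require_root
  [[ -f "$BLOCKFILE" ]] || : > "$BLOCKFILE"
  while true; do
    size=$(stat -c %s -- "$LOGFILE" 2>/dev/null) || size=0
    if (( offset < 0 )); then
      window=$(tail -n 100 -- "$LOGFILE" 2>/dev/null)
    else
      (( size < offset )) && offset=0          # log rotated or truncated
      window=$(tail -c "+$((offset + 1))" -- "$LOGFILE" 2>/dev/null)
    fi
    offset=$size
    now=$(date +%s)
    block_offenders "$now" "$window"
    expire_blocks "$now"
    sleep 1
  done
}

main "$@"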