DNS Flood Detector 1.12

DNS Flood Detector was developed to detect abusive usage levels on high traffic nameservers and to enable quick response in halting (among other things) the use of ones nameserver to facilitate spam.
DNS Flood Detector uses libpcap (in non-promiscuous mode) to monitor incoming dns queries to a nameserver. The tool may be run in one of two modes, either daemon mode or "bindsnap" mode. In daemon mode, DNS Flood Detector will alarm via syslog.
In bindsnap mode, the user is able to get near-real-time stats on usage to aid in more detailed troubleshooting.
Usage: ./dns_flood_detector [OPTION]
-i ifname specify interface to listen on (default lets pcap pick)
-t n alarm when more than n queries per second are observed
(default 40)
-a n wait for n seconds before alarming again on same source
(default 90)
-w n calculate statistics every n seconds
(default 10)
-x n use n buckets
(default 50)
-m n mark overall query rate every n seconds
(default disabled)
-A addr filter for specific address
-M mask netmask for filter (in conjunction with -A)
-Q monitor any addresses (default is to filter only for
primary addresses on chosen interface)
-b run in foreground in "bindsnap" mode
-d run in background in "daemon" mode
-D dump dns packets (implies -b)
-v detailed information (use twice for more detail)
-h usage info
Sample Output:
dopacki:~$ sudo ./dns_flood_detector -v -v -b -t10
[15:14:56] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:14:56] source [10.0.24.2] - 0 qps tcp : 15 qps udp [15 qps A]
[15:15:06] source [192.168.1.45] - 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:15:06] source [10.0.24.2] - 0 qps tcp : 15 qps udp [14 qps A]
[15:15:16] source [192.168.1.45] - 0 qps tcp : 23 qps udp [7 qps A] [15 qps PTR]
Enhancements:
- Address filtering options are now available, as are fractional query rates for better precision.
- This update also fixes several crashes and segfaults that affected overall reliability.