the-binary Commands 12

the-binary - Command 12 - Initiate DNS query flood

Purpose:

This command causes the agent to initiate a DNS query flood aimed at a specific DNS server. By using a non-random source IP it is also possible to flood a specific target with DNS responses at the same time.

Format:

A handler sends the following command to initiate a DNS query flood (xxx = don't care):

2	xxx	xxx	12
destination ip
source ip
count	sourcPortHi	sourcePortLo	nameFlag
name...
padding for a minimum packet size of 201 bytes including the IP header

NOTE: the shaded bytes must be encoded prior to transmission to the agent.

Parameters:

destination IP:: The IP address of the DNS server that is to be flooded. This field is in network byte order. If nameFlag is non-zero, this field will be ignored. See description of nameFlag and name parameters below.
source IP:: The source IP to be spoofed. All DNS responses will be sent to this host. If 0.0.0.0 is specified, a random source address will be generated for each DNS query. This field is in network byte order.
count: int range 0-255: This parameter's purpose is to set the time between calls to gethostbyname when a DNS server is being targeted by name rather than IP. A lookup is performed following every 40000 * count packets. A count of zero is equivalent to a count of 1. HOWEVER, as with commands 4 and 9, the author's improper nesting of loops prevents this parameter from having any useful effect.
sourcPortHi/sourcePortLo:: The spoofed source port from which the DNS request appears to originate. If both of these are zero, then the source port is randomized for every request.
nameFlag: boolean

If non-zero, ignore the destination IP and instead do a gethostbyname lookup on the hostname specified in the name parameter. If a name lookup fails, the flood process will sleep for 10 minutes before attempting another lookup. The flood process will loop indefinitely until a successful lookup occurs at which point the process will commence flooding the named host. Unlike the use of this parameter command 10, it is unlikely that the host name will ever be rechecked. because of poor programming on the part of the author.
name: char*: Useful only if nameFlag is non-zero. This parameter contains the null terminated host name of the host to be targeted by this flood.

Action:

The agent sends no response to this message. It simply initiates a DNS query flooding service aimed at the destination IP/name as specified by the nameFlag parameter. The behavior of this flooding process is described below.

The binary contains 9 canned DNS queries (".com", ".net", ".de", ".edu", ".org", "usc.edu", ".es", ".gr", ".ie"). The algorithm for this service is specified below

   repeat forever
      for each of the query types
         send a query to the target DNS server

Generated DNS query packets display the following attributes:

randomized source IP if the supplied source IP is 0.0.0.0
randomized source port if both sourcePortHi and sourcePortLo are zero.
randomized ip ttl in the range 120 - 249
randomized ip id in the range 0x0000 - 0xFE00 (last two digits always zero)
The queries on "de", "es", "gr", and "ie" are all malformed because the author failed to change the string lengths in the query field. When these queries are sent the target DNS server will respond to the spoofed source with a DNS format error response