the-binary - Command 12 - Initiate DNS query flood
Purpose:
This command causes the agent to initiate a DNS query flood aimed at a
specific DNS server. By using a non-random source IP it is also possible
to flood a specific target with DNS responses at the same time.
Format:
A handler sends the following command to initiate a DNS query flood
(xxx = don't care):
2 | xxx | xxx | 12 | destination ip | source ip | count | sourcPortHi |
sourcePortLo | nameFlag | name... | padding for a minimum packet size
of 201 bytes including the IP header |
NOTE: the shaded bytes must be encoded prior to transmission to the agent.
Parameters:
- destination IP:
  The IP address of the DNS server that is to be flooded. This field is in
  network byte order. If nameFlag is non-zero, this field will be ignored.
  See the description of the nameFlag and name parameters below.

- source IP:
  The source IP to be spoofed. All DNS responses will be sent to this
  host. If 0.0.0.0 is specified, a random source address will be generated
  for each DNS query. This field is in network byte order.

- count: int range 0-255
  This parameter's purpose is to set the time between calls to gethostbyname
  when a DNS server is being targeted by name rather than by IP. A lookup
  is performed following every 40000 * count packets. A count of zero
  is equivalent to a count of 1. HOWEVER, as with commands 4 and 9, the author's
  improper nesting of loops prevents this parameter from having any useful
  effect.

- sourcPortHi/sourcePortLo:
  The spoofed source port from which the DNS request appears to originate.
  If both of these are zero, then the source port is randomized for every
  request.

- nameFlag: boolean
  If non-zero, ignore the destination IP and instead do a gethostbyname lookup
  on the hostname specified in the name parameter. If a name lookup
  fails, the flood process will sleep for 10 minutes before attempting another
  lookup. The flood process will loop indefinitely until a successful
  lookup occurs, at which point the process will commence flooding the named
  host. Unlike the use of this parameter in command 10, it is unlikely
  that the host name will ever be rechecked, because of poor programming
  on the part of the author.

- name: char*
  Useful only if nameFlag is non-zero. This parameter contains the
  null-terminated host name of the host to be targeted by this flood.
Action:
The agent sends no response to this message. It simply initiates
a DNS query flooding service aimed at the destination IP/name as specified
by the nameFlag parameter. The behavior of this flooding process
is described below.
The binary contains 9 canned DNS queries (".com", ".net", ".de", ".edu",
".org", "usc.edu", ".es", ".gr", ".ie"). The algorithm for this service
is specified below:
    repeat forever
        for each of the query types
            send a query to the target DNS server
Generated DNS query packets display the following attributes:
- randomized source IP if the supplied source IP is 0.0.0.0
- randomized source port if both sourcePortHi and sourcePortLo are zero
- randomized IP TTL in the range 120 - 249
- randomized IP ID in the range 0x0000 - 0xFE00 (last two hex digits always zero)

The queries on "de", "es", "gr", and "ie" are all malformed because the
author failed to change the string lengths in the query field. When
these queries are sent, the target DNS server will respond to the spoofed
source with a DNS format error response.
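The two observable traits of this flood described above (the IP header ranges and the
malformed question section that draws a format error) can be checked on captured
packets. The following Python is an added example written for this analysis; it is not
code from the binary. The DNS samples it checks are constructed here: the layout of the
malformed "de" query (length byte left at 3 while the name shrank to two bytes) is an
assumption about how the author's mistake looks on the wire, not a byte copy of the
binary's canned query.

```python
import struct

# Bytes allowed in a hostname label (letters, digits, hyphen).
HOSTNAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")


def parse_question(payload):
    """Parse the single question of a DNS message in wire format.

    Returns (name, qtype, qclass), or raises ValueError when the question
    section is malformed (bad label length, non-hostname bytes inside a
    label, wrong number of trailing bytes). A malformed question is what
    makes the targeted server answer with a format error.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    labels = []
    i = 12
    while True:
        if i >= len(payload):
            raise ValueError("name not terminated")
        length = payload[i]
        i += 1
        if length == 0:
            break
        if length > 63 or i + length > len(payload):
            raise ValueError("bad label length %d at offset %d" % (length, i - 1))
        label = payload[i:i + length]
        if any(chr(b) not in HOSTNAME_CHARS for b in label):
            raise ValueError("non-hostname byte in label %r" % label)
        labels.append(label.decode("ascii"))
        i += length
    trailing = len(payload) - i
    if trailing != 4:
        raise ValueError("question must end with QTYPE/QCLASS, %d trailing bytes" % trailing)
    qtype, qclass = struct.unpack("!HH", payload[i:i + 4])
    return ".".join(labels), qtype, qclass


def build_query(txid, name, qtype=1, qclass=1):
    """Build a well-formed single-question query; used here only to make samples."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    return msg + b"\x00" + struct.pack("!HH", qtype, qclass)


def ip_header_matches_flood(ttl, ip_id):
    """True when the IP header shows both traits of the generated packets:
    TTL in 120..249 and an IP ID in 0x0000..0xFE00 whose low byte is zero."""
    return 120 <= ttl <= 249 and (ip_id & 0x00FF) == 0 and ip_id <= 0xFE00


def classify(ttl, ip_id, payload):
    """Combine the header heuristic and the question check into one verdict."""
    try:
        name, _, _ = parse_question(payload)
        malformed = False
    except ValueError:
        name, malformed = None, True
    if malformed and ip_header_matches_flood(ttl, ip_id):
        return "flood-like: malformed question with matching IP header traits"
    if malformed:
        return "malformed question (server will answer FORMERR)"
    if ip_header_matches_flood(ttl, ip_id):
        return "header traits only (weak signal); query for %s" % name
    return "normal: query for %s" % name


# Constructed samples (not captures). GOOD is a proper query for "com".
# BAD keeps the header of a query but carries the assumed broken question:
# a label length of 3 followed by "de" and the terminator, so the label
# swallows the NUL byte.
GOOD = build_query(0x1234, "com")
BAD = build_query(0x1234, "de")[:12] + b"\x03de\x00" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    for ttl, ip_id, pkt in [(64, 0x1234, GOOD), (200, 0x4500, GOOD), (200, 0x4500, BAD)]:
        print(ttl, hex(ip_id), classify(ttl, ip_id, pkt))
```

The header check on its own is a weak signal, since legitimate stacks also produce
TTLs in that range; it is the combination with a malformed question from a source
that never sent anything else that is worth alerting on.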