the-binary - Commands 4/9 - Initiate DNS response flood
Purpose:
This command causes the agent to initiate a DNS response flood.
Format:
A handler sends the following commands to initiate a DNS response flood
(xxx = don't care):
Format for command 4:
2 | xxx | xxx | 4 | source ip | sourcePortHi | sourcePortLo | nameFlag | name... | padding for a minimum packet size of 201 bytes including the IP header |
Format for command 9:
2 | xxx | xxx | 9 | source ip | count | sourcePortHi | sourcePortLo | nameFlag | name... | padding for a minimum packet size of 201 bytes including the IP header |
NOTE: the shaded bytes must be encoded prior to transmission to the agent.
Commands 4 and 9 differ only in the inclusion of a 'count' parameter
in command 11. This parameter is described below.
Parameters:
- source IP:
  The ip of the host to be targeted by the DNS flood. This is in network
  byte order and is ignored if nameFlag is non-zero. See the description
  of nameFlag/name below. DNS responses will be directed at this host
  because it appears to the DNS server as the originator of the DNS query.
- sourcePortHi/sourcePortLo:
  The source port from which the DNS request appears to originate. If
  both of these are zero, then the source port is randomized for every request.
- count: int range 0-255
  For command 4 this value is set to zero. The user sets this parameter
  for command 9 attacks. This parameter is effectively useless in this
  particular attack, as the author of the tool has nested some loops in such
  a way that it is highly improbable that it will ever have any effect.
  This parameter was probably intended to provide the same functionality
  as the count parameter described in command 10.
- nameFlag: boolean
  If non-zero, ignore the source IP and instead do a gethostbyname lookup
  on the hostname specified in the name parameter. If a name lookup
  fails, the flood process will sleep for 10 minutes before attempting another
  lookup. The flood process will loop indefinitely until a successful
  lookup occurs, at which point the process will commence flooding the named
  host. Unlike the use of this parameter in command 10, it is unlikely
  that the host name will ever be rechecked, because of poor programming
  on the part of the author.
- name: char*
  Useful only if nameFlag is non-zero. This parameter contains the
  null-terminated host name of the host to be targeted by this flood.
Action:
The agent sends no response to this message. It simply initiates
a DNS query/response flooding service aimed at the source IP/name as specified
by the nameFlag parameter. The behavior of this flooding process
is described below.
The binary contains a list of 11,444 DNS servers and 9 canned DNS queries
(".com", ".net", ".de", ".edu", ".org", "usc.edu", ".es", ".gr", ".ie").
Other than the very first pass, the basic logic is:
    repeat forever
        for each of the query types
            send a query to each of the 11444 DNS servers in turn,
            i.e. 11444 "edu" queries will be sent before moving on to "org" queries
A specific agent will revisit a specific DNS server once every 11444 packets.
Generated DNS query packets display the following attributes:
- randomized source port if both sourcePortHi and sourcePortLo are zero.
- randomized ip ttl in the range 120 - 249
- randomized ip id in the range 0x0000 - 0xFE00 (last two hex digits always zero)
- The queries on "de", "es", "gr", and "ie" are all malformed because the
  author failed to change the string lengths in the query field. When
  these queries are sent, DNS servers will respond to the target host with
  a DNS format error response.
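Seen from a DNS server operator's side, the packet attributes above can be combined into a simple triage heuristic over incoming queries. The following is an added example, not code from the original analysis or from the tool itself; the per-packet tuple layout, the sample values and the threshold are constructed assumptions.

```python
# Added example (not part of the original write-up): score incoming DNS query
# metadata against the fingerprint described above and report spoofed source
# addresses whose queries all carry every attribute. Field layout is assumed.
from collections import Counter

# The nine canned query names listed in the analysis, normalised to labels.
CANNED_QUERIES = {"com", "net", "de", "edu", "org", "usc.edu", "es", "gr", "ie"}


def matches_fingerprint(ttl, ip_id, qname):
    """Return the attributes of one query that match the agent's pattern."""
    hits = []
    if 120 <= ttl <= 249:                      # randomised TTL range
        hits.append("ttl")
    if 0 <= ip_id <= 0xFE00 and ip_id & 0xFF == 0:   # low byte of IP id is zero
        hits.append("ip_id")
    if qname.strip(".").lower() in CANNED_QUERIES:   # one of the canned names
        hits.append("qname")
    return hits


def suspicious_sources(packets, min_packets=3):
    """Group queries by (spoofed) source IP and flag a source only when it has
    sent at least min_packets queries and every one of them matched fully.
    A single matching packet is weak evidence; the sustained run is the signal."""
    seen = Counter()
    full = Counter()
    for src, ttl, ip_id, qname in packets:
        seen[src] += 1
        if len(matches_fingerprint(ttl, ip_id, qname)) == 3:
            full[src] += 1
    return sorted(s for s, n in seen.items() if n >= min_packets and full[s] == n)


# Constructed sample input: (source ip as seen by the server, ip ttl, ip id, qname)
SAMPLE = [
    ("192.0.2.10", 133, 0x1A00, "edu"),        # victim address, spoofed
    ("192.0.2.10", 201, 0x7C00, "edu"),
    ("192.0.2.10", 249, 0x0000, "org"),
    ("192.0.2.10", 120, 0xFE00, "de"),         # one of the malformed queries
    ("198.51.100.7", 64, 0x1A2B, "example.com"),  # ordinary resolver traffic
    ("198.51.100.7", 64, 0x1A2C, "edu"),
    ("198.51.100.7", 64, 0x1A2D, "com"),
]

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE))  # ['192.0.2.10']
```

The flagged address is the flood's target rather than the agent, so the useful response is rate-limiting or dropping responses towards it, not blocking the "source".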