the-binary - Commands 4/9 - Initiate DNS response flood

Purpose:

This command causes the agent to initiate a DNS response flood.

Format:

A handler sends the following commands to initiate a DNS response flood (xxx = don't care):

Format for command 4:
2 xxx xxx 4
source ip
sourcePortHi
sourcePortLo
nameFlag
name...
padding for a minimum packet size
of 201 bytes including the IP header

Format for command 9:
2 xxx xxx 9
source ip
count
sourcePortHi
sourcePortLo
nameFlag
name...
padding for a minimum packet size
of 201 bytes including the IP header
NOTE: the shaded bytes must be encoded prior to transmission to the agent.

Commands 4 and 9 differ only in the inclusion of a 'count' parameter in command 9. This parameter is described below.

Parameters:

source IP:
The IP address of the host to be targeted by the DNS flood. This is in network byte order and is ignored if nameFlag is non-zero. See the description of nameFlag/name below. DNS responses will be directed at this host because, to the DNS server, it appears to be the originator of the DNS query.
 
sourcePortHi/sourcePortLo:
The source port from which the DNS request appears to originate. If both of these are zero, then the source port is randomized for every request.
count: int range 0-255
For command 4 this value is set to zero. The user sets this parameter for command 9 attacks. This parameter is effectively useless in this particular attack, as the author of the tool has nested some loops in such a way that it is highly improbable that it will ever have any effect. This parameter was probably intended to provide the same functionality as the count parameter described in command 10.
 
nameFlag: boolean
If non-zero, ignore the source IP and instead do a gethostbyname lookup on the hostname specified in the name parameter. If a name lookup fails, the flood process will sleep for 10 minutes before attempting another lookup. The flood process will loop indefinitely until a successful lookup occurs, at which point the process will commence flooding the named host. Unlike the use of this parameter in command 10, it is unlikely that the host name will ever be rechecked, because of poor programming on the part of the author.
 
name: char*
Useful only if nameFlag is non-zero. This parameter contains the null-terminated host name of the host to be targeted by this flood.
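The following decoder is an added example for analysts who have captured handler-to-agent traffic; it is not code from the original analysis or from the tool itself. It parses the command 4/9 layout described above, assuming one byte per header, port, count and flag field, four bytes for the IP, a 20-byte IP header without options (so 181 payload bytes of padding), and input that has already been decoded from the agent's byte encoding, which this page does not describe.

```python
import socket
from dataclasses import dataclass
from typing import Optional

# Assumed layout from the format tables: 4-byte header (2, x, x, command),
# 4-byte source IP in network byte order, 1-byte count (command 9 only),
# then sourcePortHi, sourcePortLo and nameFlag as one byte each, followed
# by a NUL-terminated name. The NOTE's byte encoding is not described on
# this page, so the decoder expects already-decoded bytes.

@dataclass
class DnsFloodCommand:
    command: int
    source_ip: str
    source_port: int      # 0 means the agent randomizes the port per request
    count: int            # always 0 for command 4
    name_flag: int
    name: Optional[str]   # only meaningful when name_flag is non-zero

    @property
    def target(self) -> str:  # the host the flood is aimed at, per the nameFlag rule
        return self.name if self.name_flag else self.source_ip


def parse_dns_flood_command(payload: bytes) -> DnsFloodCommand:
    """Decode a command 4 or 9 payload (IP header already stripped)."""
    if len(payload) < 4 or payload[0] != 2 or payload[3] not in (4, 9):
        raise ValueError("not a DNS response flood command")
    command = payload[3]
    fixed_len = 11 + (1 if command == 9 else 0)   # header + ip + [count] + 3 flags
    if len(payload) < fixed_len:
        raise ValueError("truncated command payload")
    pos = 4
    source_ip = socket.inet_ntoa(payload[pos:pos + 4])
    pos += 4
    count = 0
    if command == 9:
        count = payload[pos]
        pos += 1
    port_hi, port_lo, name_flag = payload[pos:pos + 3]
    pos += 3
    name = None
    if name_flag:
        name = payload[pos:payload.index(b"\x00", pos)].decode("ascii", "replace")
    return DnsFloodCommand(command, source_ip, (port_hi << 8) | port_lo, count, name_flag, name)


# Constructed sample payloads (not real captures), padded to the assumed 181-byte minimum.
SAMPLE_CMD4 = bytes([2, 0, 0, 4, 10, 0, 0, 5, 0x00, 0x35, 0]).ljust(181, b"\x00")
SAMPLE_CMD9 = (bytes([2, 0, 0, 9, 0, 0, 0, 0, 7, 0, 0, 1])
               + b"victim.example\x00").ljust(181, b"\x00")
```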

Action:

The agent sends no response to this message. It simply initiates a DNS query/response flooding service aimed at the source IP or name, as selected by the nameFlag parameter. The behavior of this flooding process is described below.

The binary contains a list of 11,444 DNS servers and 9 canned DNS queries (".com", ".net", ".de", ".edu", ".org", "usc.edu", ".es", ".gr", ".ie").  Other than the very first pass, the basic logic is:

      repeat forever
         for each of the query types
            send a query to each of the 11444 DNS servers
            in turn, i.e. 11444 "edu" queries will be sent
            before moving on to "org" queries

A specific agent will revisit a specific DNS server once every 11444 packets.

Generated DNS query packets display the following attributes: