DNS Amplification, please enlighten me

[youpi]

So I'm pretty sure I've found recursive DNS servers because NMAP and reliable website says so.

That being said, I would like to be able to verify that myself.

i've been using things like dig +notcp -t ANY @rec-server irc.efnet.org for exemple but I'm getting only 400 bytes response when website says people get 4000 bytes back. (http://www.watchguard.com/infocenter/editorial/41649.asp)


Please enlighten me.

EDIT: Just read they're using large TXT records.

Anyway, is there a way to see if the server is vuln with dig ?
DNS amplifications aren't useless without a compromised dns servers with a large TXT record aren't they ? When resolving things like irc.efnet.org for exempl

-- Use the modify button fool!!

[ande]

http://www.watchguard.com/infocenter/editorial/41649.asp

It doesn't have to be a TXT record and you don't have to compromise the amplification server(s). If you already have compromised the server, you could just as well use a UDP flooder script of some sort.

Thing is you find one or more DNS servers and try to find the largest response possible, then spoof packets (posing as your target) so that the response is sent to your target. This means a request being maybe 70 bytes can reflect as much as 4000 bytes back depending on how large response you are able to craft/find.

Example wise: I can request googl.com (approx 69 bytes) and get 5 IP's back (approx 149 bytes). That's a 215% amplification, not a great one but you get the idea. And because of the way UDP works in this case there are no handshake or connection state required and that's why this attack works.

[bluechill]

If you really want to do amplification, use standard time servers.  You can get kilobytes back for bytes.  Over 80x amplification whereas DNS is only 1.5-4

[ande]

If you really want to do amplification, use standard time servers.  You can get kilobytes back for bytes.  Over 80x amplification whereas DNS is only 1.5-4

(no research done beforehand): Does standard time servers use UDP without any kind of handshake or connection state? Also I am pretty sure you can get a better amplification than 1.5-4 with DNS. If I remember correctly there was some exploit/bug/feature that allowed you to dump all public records on a DNS server and sending megabytes back.

[vezzy]

http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks

[youpi]

Thanks for this I will read it up.


Anyone has a PoC script to send spoofed NTP request ?

[youpi]

OK so as no one would wipe my ass I done my little research.


UDP is on top of IP.
And NTP should be on TOP of UDP which is on top of IP.


I'll be using raw sockets to forge raw UDP packets with a spoofed address.
So I'll create a struct with all the UDP shit we need to take care, checksum, tos, the lot of it I captured the packet using tcpdump and wireshark.
I've everything figured out concerning this.


Now I understand than when you send a raw UDP packet you're basically sending a string, which is a pointer to an array of chars. and you can send udp packets like "ABC" whatever.


I also understand and read that NTP is protocol on iot's own so I have to create the packet using a struct and here will be the monlist message which is a request message (set the bit) bla bla. Just hsit I have to respect as it's the RFC but don't give a fuck about.




NOW THE QUESTION:
How do I encapsulate the thing to send it in my spoofed UDP raw socket ?
The only way I see is sending it in place of the *buffer, but yeah it seems a bit weird and I actually don't know how I'll do to convert. (just cast the struct to the expected input ?)


Please enlighten me, smartasses. (lawl)


struct iphdr *ip = (struct iphdr *)packet;
06.
struct udphdr *udp = (struct udphdr *)((void *) ip + sizeof(struct iphdr));
07.
 
This is done to encaspulate UDP in IP.
So I just do something similar ?
Still need to look up what's included for the headers and shit.

Wow, so much work, please tell me if I'm in teh right direction.

[RedBullAddicted]

Hi youpi,

I am not very good at c so I can't help you with that. For the packet frames and the message types you can have a look at a sample capture from here: http://wiki.wireshark.org/SampleCaptures (search for NTP_sync.pcap). For your attack you don't need to write a full ntp implementation. Just define the message types you need. Here you have the structure of an ntp packet: http://www.meinbergglobal.com/english/info/ntp-packet.htm
Maybe a little sample helps? http://www.prismmodelchecker.org/qprover/casestudies/ntpclient_probity/ntpclient/ntpclient.c
Here is another usefull explanation: http://www.eecis.udel.edu/~mills/ntp/html/warp.html and if you want to go hardcore this is the right link for you.. lol: http://tools.ietf.org/html/rfc5905

Anyways.. I would go ahead and capture the ntp packet you want to create with wireshark and try to rebuild that packet than. If you want to take a more easy approach you should have a look at python/scapy. This will give you the possibility to create your attack pretty fast http://fossies.org/dox/scapy-2.2.0/classscapy_1_1layers_1_1ntp_1_1NTP.html

Have fun

[ande]

Take a look at the pcap library. It allows for IP spoofing and a lot of IP and TCP/UDP stuff is already taken care of for you, such as structures and checksums.

[b0whunter]

[edit] thanks to rba for the awesome formatting job. Its quite the task on my mobile browser, but send me your paypal donation link and we'll sort it out [\edit]
python/scapy is great... take a look:


About ScapyWhat is Scapy
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc.

What makes scapy different from most other networking tools
First, with most other tools, you won't build someting the author did not imagine. These tools have been built for a specific goal and can't deviate much from it. For example, an ARP cache poisoning program won't let you use double 802.1q encapsulation. Or try to find a program that can send, say, an ICMP packet with padding (I said padding, not payload, see?). In fact, each time you have a new need, you have to build a new tool.
http://www.secdev.org/projects/scapy/

A nice example of it's use an be found here: http://www.blackhatlibrary.net/Python#Scapy

Perhaps the fastest way to do it would be to capture a  packet you need with wireshark, use hexedit to modify it and then file2cable to send it.
STAFF NOTE: Please format your posts and use the modify Button instead of double posting. Not going to do it for you all the time.

[Cr4t3r]

You can verify here or just do that:

Code: [Select]

$ dig +short porttest.dns-oarc.net TXT
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"x.x.x.x is GREAT: 26 queries in 5.1 seconds from 26 ports with std dev 18219"