DNS Amplification DDoS Attack
The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.
When I want to go to berk.red with my browser, the browser first asks the system to translate the berk.red address into an IP address. The system looks in the /etc/hosts file. If there is an IP address for the berk.red domain there, it will use it. Otherwise it goes to the DNS resolver provided by DHCP. If that does not answer it either, it goes to the root server.
By leaving recursive DNS queries enabled, you allow an attacker to use your DNS server on your behalf. DNS amplification attacks, a professional attack technique, work by sending packets to you via a DNS server that is in your domain (if one DNS packet is 50 bytes, the response to it comes back 10x larger, i.e. 500 bytes).
Thus, the attacker not only uses your bandwidth but at the same time protects their own anonymity, creating the impression that the attacker is you. How do we know whether our DNS server is open to recursive queries?
You can find out in two ways:
- Check the settings of your DNS server.
- Send a recursive DNS query to the DNS server from the outside.
A script that ships with Nmap helps detect this weakness in a DNS server (send 1, get 10). Let's first scan the DNS server list that we found using this Nmap script.
// nmap scan command
nmap -sU -p 53 --script=dns-recursion -iL /file/path/for/dns-server-list
Saddam is a DDoS tool that covers:
- DNS Amplification (Domain Name System)
- NTP Amplification (Network Time Protocol)
- SNMP Amplification (Simple Network Management Protocol)
- SSDP Amplification (Simple Service Discovery Protocol)
// how to install
git clone https://github.com/OffensivePython/Saddam.git
You also need to install the Pinject module.
// pinject install
git clone https://github.com/OffensivePython/Pinject.git
cd Pinject && cp pinject.py ../Saddam
Now we can use it.
// usage
python Saddam.py -h
With Saddam, you can set up DNS recursion attacks and check your DNS servers against amplification attacks.
We will just scan some DNS servers for learning purposes. They are public servers.
// usage
Saddam git:(master) ✗ python Saddam.py benchmark -d dnsfile.txt:blablablabla.com
   _____           __    __
  / ___/____ _____/ /___/ /___ _____ ___
  \__ \/ __ `/ __  / __  / __ `/ __ `__ \
 ___/ / /_/ / /_/ / /_/ / /_/ / / / / / /
/____/\__,_/\__,_/\__,_/\__,_/_/ /_/ /_/
https://github.com/OffensivePython/Saddam
https://twitter.com/OffensivePython
Protocol | IP Address     | Amplification     | Domain
---------------------------------------------------------------------------
dns      | 126.96.36.199  | 5x (45B -> 229B)  | blablablabla.com
dns      | 188.8.131.52   | 4x (45B -> 223B)  | blablablabla.com
dns      | 184.108.40.206 | 4x (45B -> 191B)  | blablablabla.com
dns      | 220.127.116.11 | 5x (45B -> 267B)  | blablablabla.com
dns      | 18.104.22.168  | 4x (45B -> 180B)  | blablablabla.com
dns      | 22.214.171.124 | 5x (45B -> 255B)  | blablablabla.com
dns      | 126.96.36.199  | 4x (45B -> 191B)  | blablablabla.com
dns      | 188.8.131.52   | 5x (45B -> 255B)  | blablablabla.com
dns      | 184.108.40.206 | 1x (45B -> 45B)   | blablablabla.com
dns      | 220.127.116.11 | 1x (45B -> 45B)   | blablablabla.com
dns      | 18.104.22.168  | 3x (45B -> 143B)  | blablablabla.com
dns      | 22.214.171.124 | 1x (45B -> 45B)   | blablablabla.com
Total tested: 19
Follow me on Twitter: @berkdusunur