This Proof-of-Concept[PoC] tool exploit DNS resolvers to perform an huge amplification attack against a specific Victim (specifying its IP). It hides the basic idea behind the attack.
DNS Amplifications Attacks are performed by an attacker to increase the bandiwidth amount in order to sends a targeted potential victim. The traditional amplification attack is known as a SMURF attack: SMURF Attack: An attacker spoofs a neighbour's IP address (of the potential victim). He sends an ICMP request to the network's broadcast address (X.X.X.255). This is configured to relay ICMP to all devices that stays behind the router. ICMP doesn't include a handshake, the destination devvice has no way to check if the source IP is legitimate.
1)The router will passes it on all the devices that sit behind it. 2)All those devices then respond back to the ping.
UDP doesn't require a handshake == source attribute can be spoofed.
The idea is to have the response to the query significantly biffer than the original query itself.
We need a DNS Open-resolver configured to resolve recursive queries, no an Authorative Server.
There are Linux built-ins command that helps to discover if a particular DNS server is an open resolver:
dig TARGET@x.x.x.x where's x.x.x.x is the DNS ip.
A DNS Open-resolved configured as we desire will return a response with status: NOERROR Instead, an Authorative DNS will return a response with status: REFUSED
This PoC uses Shodan APIs in order to identifies open resolvers across the internet, saves IP address into a json that will be convert in a txt file and using Scapy in order to make a DNS query with neighbour's IP spoofed and redirect the replies-storm to him.
PRE-REQUISITES:
- Scapy - libary for packet manipulation.
- Shodan library installed.
- Shodan API-Key for Developer. Sign up in Shodan
- Scapy - libary for packet manipulation.
pip install shodan or easy_install shodan
pip install --pre scapy