| var net = require('net'); | |
| var dgram = require('dgram'); | |
| function ntohs(arr) { | |
| return ((arr[0] & 0xFF) << 8) | (arr[1] & 0xFF); | |
| } | |
| function parse_name(data, pos) | |
| { | |
| for (base = pos; pos < data.length;) { |
| 3 | 0.979429111596 | |
|---|---|---|
| 4 | 0.979429111596 | |
| 5 | 0.979429111596 | |
| 6 | 0.979429111596 | |
| 7 | 0.979429111596 | |
| 8 | 0.979429111596 | |
| 9 | 0.979429111596 | |
| 10 | 0.979429111596 | |
| 11 | 0.979429111596 | |
| 12 | 0.979429111596 |
| ## How it deals with bad CDNs | |
| The query is `who.ami.here.com. A` | |
| 1. It's going to ask at `.` to `com. NS` and get a referral | |
| 2. it's going to ask `com.` nameserver about `here.com. NS` and get a referral | |
| ... see the pattern, it just appends labels, but bear with me | |
| 3. We're asking `here.com` nameserver about `ami.here.com. NS` , but he's a prick and tells us 'NXDOMAIN'. |
| Near-stretch ideas | |
| ------------------ | |
| * I *quite* like how it's built, but it's too much *PowerDNS*-y, hacking on it is a pain (if you work on cheap virtuals like me) because of long build times and dependencies (I know, but try it yourself on the budget DigitalOcean droplet...), I'd say lose the legacy and make it really a standalone thing. | |
| * The configuration is sometimes confusing, like if I set it up to listen on local interfaces, it happily does so but it silently drops all queries because the ACL allows localhost only (uhm, maybe it needs to say something in verbose mode or documentation update). | |
| * The config format for IPv6 has a poor choice of ':' as a separator, it's not possible to forward to IPv6 address on a custom port. | |
| Far-stretch ideas | |
| ----------------- |
| local slowdrip = { | |
| tracked = {}, | |
| blocked = {}, | |
| window = 60, -- Length of the tracking window | |
| threshold = 100, -- Number of NXDOMAINs before blocking | |
| -- Track suffixes of names leading to NXDOMAIN | |
| layer = { | |
| finish = function(state, req, answer) | |
| local parent = answer:qname() | |
| parent = parent:sub(parent:find('.',0,true), -1) |
| #include <stdio.h> | |
| #include <string.h> | |
| #include <lua.h> | |
| #include <lualib.h> | |
| #include <lauxlib.h> | |
| #include <arpa/inet.h> | |
| /* Get/set opcode */ | |
| static int msg_op(lua_State *L) | |
| { |
| -- C definitions | |
| local ffi = require('ffi') | |
| local csym = ffi.C | |
| ffi.cdef[[ | |
| /* DHCP header format */ | |
| struct __attribute__((packed)) dhcp_msg { | |
| /* Header */ | |
| uint8_t op; | |
| uint8_t htype; | |
| uint8_t hlen; |
| local mod = {} | |
| mod.layer = { | |
| consume = function (state, req, answer) | |
| if state == kres.FAIL then | |
| return state | |
| end | |
| answer = kres.pkt_t(answer) | |
| req = kres.request_t(req) | |
| if answer:qtype() == kres.type.NS then | |
| local qry = req:push(answer:qname(), kres.type.SOA, kres.class.IN) |
There are two preconditions for the attack:
Mitigating (1) with UDP is simple: set maximum UDP buffer size to <2048B [1] That leaves TCP.
| #!/usr/bin/python | |
| # | |
| # Copyright 2016 Google Inc | |
| # | |
| # Licensed under the Apache License, Version 2.0 (the "License"); | |
| # you may not use this file except in compliance with the License. | |
| # You may obtain a copy of the License at | |
| # | |
| # http://www.apache.org/licenses/LICENSE-2.0 | |
| # |