DNS Amplification DDoS Attack

Wednesday, 8 November 2017



The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. By providing a worldwide, distributed directory service, the Domain Name System is an essential component of the functionality of the Internet, and it has been in use since 1985.


When I want to go to berkdusunur.net with a browser, the browser first asks the system to translate the berkdusunur.net address for me.

The system looks in the /etc/hosts file. If there is an IP address for the berkdusunur.net domain there, it will use it.
Otherwise it goes to the DNS resolver provided by DHCP. If not, it goes to the root server.
The root servers in Turkey are called ODTU. From there it is directed to the domain name.


By leaving DNS recursion enabled, you allow an attacker to use your DNS server in your name.

DNS amplification is a professional attack technique that sends packets to you via a DNS server that is in your domain.

(If one DNS request packet is 50 bytes, the response returned for it is 10x larger, i.e. 500 bytes.)

Thus, the attacker will not only use your bandwidth, but will at the same time preserve his or her own anonymity, creating the perception that the attack comes from you.

How do we know if our DNS server is open to recursive queries?

You can find out in two ways:

1. By checking the settings of your DNS server.

2. By sending a recursive DNS query to the DNS server from the outside.


A script included with Nmap helps to detect this "give one, get ten" weakness of the DNS server.

Let's first scan the DNS server list that we found, using this Nmap script.


nmap -sU -p 53 --script=dns-recursion -iL /home/ceh/Masaüstü/recursive-amp4.txt 


Tsunami makes DNS requests to the servers in the DNS list that I specify. In the answers, the changed source IP address leads them to the victim.
I displayed the help parameters after downloading the tool and installing the necessary packages.


./tsunami -s -p 100 -f recursive_dns.txt

-s = destination address
-p = requests to be made per DNS server (default 1)
-f = option that opens the server list

After launching the attack, we capture the incoming packets with Wireshark on the virtual system that we attacked.

give me one take ten :) 

