DNS Hammer
Getting Started
Here is a walkthrough for a first audit of your domain:
Step 1: Locate the DNS Server's IP address
First, you need the IP address of your DNS server. If you already know it, skip this step.
In DNS Hammer, open the "NS Finder" tab, enter your domain name and click "Go!". For this short introduction we look at RIPE and their domain ripe.net.
DNS Hammer will now ask the name servers configured as "auxiliary name servers" for your domain's name servers. These could be your local DNS servers at home or in the office; the default servers usually work well. The results from all three servers show up in the table. Locate the name server hosted by RIPE, right-click its IPv4 address, and select "Test Forward Lookup" from the pop-up menu.
Step 2: Audit your DNS Server configuration
Now decide which DNS queries will be sent to your server and how often. You can also set how long the test should run. The default values are:
- 5 queries for an IPv4 address of www.<your domain>
- 5 queries for an IPv6 address of www.<your domain>
- 30 queries for an IPv4 address of a random host name in <your domain>, like abcdefgh.<your domain>. The random part always consists of 8 characters.
- 5 queries for the ANY record, probably the most likely query type in a DNS reflection attack
- 5 queries for the MX record
- Test duration 15 seconds
The program enforces the following limits:
- The total request rate cannot exceed 500 queries per second.
- The test duration is limited to 2 minutes (120 seconds).
Click "Go!" to start the test. Note that the "Go!" button now turns into an "Abort" button; click "Abort" at any time to stop the test.
At the end of the test, the program waits 3 seconds to collect answers that may arrive late. Note that this example documents a configuration without DNS rate limiting: DNS Hammer sent 50 requests per second over 15 seconds, a total of 750 requests, and as the status bar shows, the server dutifully delivered 750 responses.
You can right-click the graph and copy it to your clipboard. You can then add the screenshot to your documentation, post it on a social media channel of your choice, print it out, or use it as your desktop background.
The effectiveness of a reflection attack depends more on the number of bytes sent by the server than on the number of DNS responses. The second tab in the result area visualizes how many bytes DNS Hammer sent to the server and how many bytes came back.
While we sent about 4,000 bytes per second, the server responded with approximately 40,000 bytes per second. The zig-zagging lines show that the responses did not arrive at a steady rate, but in the end all requests were answered.
The last tab in the result area gives some statistics in an admittedly raw format. At the end of the report we find the number of bytes sent and received, followed by the amplification factor. In this example the server amplified the traffic by a factor of 10.
Test Report for Domain ripe.net
Name server: 193.0.9.7, recursion disabled
Test configuration:
A records per second: 5
AAAA records per second: 5
Random A records per second: 30
ANY records per second: 5
Random MX records per second: 5
Total requests per second: 50
Start time: 15/12/2020 19:34
Test duration: 15 sec
Requests sent: 750
Responses received: 750
Truncated responses received: 0
The following DNS errors were encountered:
Error code 3 (Non-existent Domain): 450 (likely caused by random queries)
Bytes sent: 52.1 kB
Bytes received: 523.1 kB
Amplification factor: 10.0
Test completed normally
Note that a different mix of parameters can produce higher or lower factors.
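To make the test cycle concrete, here is an added Python sketch (not DNS Hammer's own code) that builds the default query mix, sends it over UDP/IPv4 at a capped rate, and reduces the replies to the same figures the report above shows: requests sent, responses and truncated responses received, error-code counts, bytes in both directions and the amplification factor. The wire format is plain DNS as in RFC 1035; the fake_reply helper is a constructed stand-in for real server answers so the parsing and statistics can be exercised offline. Assumptions beyond what the page states: no EDNS0 OPT record is attached, and the MX queries go to the domain apex rather than a random name.

```python
import random
import select
import socket
import string
import struct
import sys
import time

QTYPES = {"A": 1, "MX": 15, "AAAA": 28, "ANY": 255}
MAX_QPS = 500        # ceiling enforced by DNS Hammer
MAX_DURATION = 120   # seconds, ditto

def build_query(name, qtype, txid):
    """Encode one DNS query (12-byte header + question), RD bit set, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)

def parse_response(data):
    """Return (txid, truncated, rcode) from a raw reply; the header carries all three."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    txid, flags = struct.unpack("!HH", data[:4])
    return txid, bool(flags & 0x0200), flags & 0x000F

def random_host(domain, length=8):
    """abcdefgh.<domain>-style name; almost certainly answered with NXDOMAIN (rcode 3)."""
    return "".join(random.choices(string.ascii_lowercase, k=length)) + "." + domain

def default_mix(domain):
    """DNS Hammer's default per-second mix as a list of 50 (name, qtype) factories."""
    return ([lambda: ("www." + domain, "A")] * 5
            + [lambda: ("www." + domain, "AAAA")] * 5
            + [lambda: (random_host(domain), "A")] * 30
            + [lambda: (domain, "ANY")] * 5
            + [lambda: (domain, "MX")] * 5)   # assumption: MX for the apex, not a random name

def summarize(sent, replies):
    """Compute the figures DNS Hammer's report shows from raw query and reply bytes."""
    bytes_sent = sum(len(q) for q in sent)
    bytes_recv = sum(len(r) for r in replies)
    truncated, rcodes = 0, {}
    for r in replies:
        _, tc, rcode = parse_response(r)
        truncated += tc
        rcodes[rcode] = rcodes.get(rcode, 0) + 1
    factor = bytes_recv / bytes_sent if bytes_sent else 0.0
    return {"requests": len(sent), "responses": len(replies), "truncated": truncated,
            "rcodes": rcodes, "bytes_sent": bytes_sent, "bytes_received": bytes_recv,
            "amplification": round(factor, 1)}

def fake_reply(query, rcode=0, truncated=False, padding=0):
    """Constructed reply for offline testing: echoes txid and question, sets QR/RD/RA plus
    the requested TC bit and RCODE, and appends `padding` zero bytes to mimic a fat answer."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:] + b"\x00" * padding

def _drain(sock, replies, until):
    """Collect replies until the given monotonic deadline."""
    while True:
        remaining = until - time.monotonic()
        if remaining <= 0:
            return
        if select.select([sock], [], [], remaining)[0]:
            replies.append(sock.recvfrom(65535)[0])

def run_test(server_ip, domain, qps=50, duration=15, port=53):
    """Send the default mix at `qps` for `duration` seconds (capped like DNS Hammer), wait
    3 s for late answers, and return the summary. Needs network access; only run it against
    servers you are authorised to test."""
    qps, duration = min(qps, MAX_QPS), min(duration, MAX_DURATION)
    mix = default_mix(domain)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent, replies, txid = [], [], 0
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        tick = time.monotonic()
        for i in range(qps):
            name, qtype = mix[i % len(mix)]()
            q = build_query(name, qtype, txid & 0xFFFF)
            txid += 1
            sock.sendto(q, (server_ip, port))
            sent.append(q)
        _drain(sock, replies, tick + 1.0)   # one second per batch keeps the rate at qps
    _drain(sock, replies, time.monotonic() + 3.0)
    sock.close()
    return summarize(sent, replies)

if __name__ == "__main__":
    # e.g.: python dnsprobe.py 193.0.9.7 ripe.net
    for key, value in run_test(sys.argv[1], sys.argv[2]).items():
        print(f"{key}: {value}")
```

The summary reports the amplification factor as bytes received over bytes sent, which is the number that matters for a reflection attack; the truncated count tells you how many answers the server deliberately shrank to force a TCP retry. Only point it at servers you are authorised to test: the traffic that measures amplification is the same traffic an attacker would reflect.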
Step 3: Rinse and Repeat
The vast majority of domains are hosted by at least two DNS servers. Go back to the NS Finder and select another server for the next test run. This time we analyze a server hosted by APNIC, the Asia Pacific Network Information Centre. Right-click a name server hosted by APNIC and select it for testing. At this time, DNS Hammer can only send IPv4 packets; this will change with the next version.
Once you have selected the new name server from the list, DNS Hammer switches to the window with the parameter definition. Click "Go!" to start testing this server.
Note that the server hosted by APNIC is much more restrictive: it gave only 18 answers, 3 of which came with the "truncated" (TC) flag. This flag tells the client to retry over TCP to retrieve the desired information. A truncated UDP answer is tiny, and the TCP retry requires a handshake with the real client, so such responses cannot be reflected onto a spoofed victim.
Hats off to the people at APNIC. This configuration should ensure that APNIC's DNS servers are of minimal use for a DDoS attack.
Keep on testing
It is both educational and entertaining to fiddle around with the parameters. Here are a few ideas:
- Run 500 queries of the same type (500 A records, 500 ANY records etc.) and set all other values to zero.
- Exclude one record type from the mix. Hint: Start by excluding the ANY record.
- Run the test for 60, 90 or 120 seconds. We have found a few servers that dish out a ton of responses for 30 seconds and then block you for several minutes.