lost and found ( for me ? )

DNS pcap replay tool "drool" ( build and use drool on Ubuntu 16.04 )

There are some free DNS stress tools such as queryperf and dnsperf. Both are nice tools, but I think they might not be suitable for simulating DoS traffic.
I usually use "tcpreplay" for that purpose, but I also found another nice tool called "drool".
It is a good choice for generating DoS-style query load because it has useful options for filtering, timing, destination address, etc. when replaying a pcap.




[ build drool on Ubuntu 16.04 including trial and error logs ]


install the build dependencies on Ubuntu 16.04.
root@c-drool:~# apt update
root@c-drool:~# apt install build-essential -y
root@c-drool:~# apt install -y libluajit-5.1-dev libpcap-dev libev-dev luajit autoconf


build and install dnsjit first; drool is built on top of it.


root@c-drool:~# git clone https://github.com/DNS-OARC/dnsjit.git
root@c-drool:~# cd dnsjit/
root@c-drool:~/dnsjit# git submodule update --init

root@c-drool:~/dnsjit# sh autogen.sh
configure.ac:30: installing './ar-lib'
configure.ac:27: installing './compile'
configure.ac:29: installing './config.guess'
configure.ac:29: installing './config.sub'
configure.ac:21: installing './install-sh'
configure.ac:21: installing './missing'
src/Makefile.am: installing './depcomp'
root@c-drool:~/dnsjit#


error
root@c-drool:~/dnsjit# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for ar... ar
checking the archiver (ar) interface... ar
./configure: line 4310: syntax error near unexpected token `disable-static'
./configure: line 4310: `LT_INIT(disable-static)'


configure file ( line 4310 )
  4309
  4310 LT_INIT(disable-static)
  4311
  4312 # Checks for support.
  4313 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5
  4314 $as_echo_n "checking for dlopen in -ldl... " >&6; }
  4315 if ${ac_cv_lib_dl_dlopen+:} false; then :
  4316   $as_echo_n "(cached) " >&6
  4317 else
  4318   ac_check_lib_save_LIBS=$LIBS
  4319 LIBS="-ldl  $LIBS"
  4320 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
  4321 /* end confdefs.h.  */
  4322


Googling this error, it seems to happen when libtool is not installed: without libtool's m4 files, autoconf leaves the LT_INIT macro call unexpanded in the generated configure script, and the shell then fails on it as a syntax error.


install libtool.
root@c-drool:~/dnsjit# apt install libtool libtool-bin


try again.
another error of the same kind, further down the script.
root@c-drool:~/dnsjit# sh autogen.sh
root@c-drool:~/dnsjit# ./configure
checking for library containing clock_gettime... none required
checking for clock_nanosleep... yes
checking for nanosleep... yes
./configure: line 13414: syntax error near unexpected token `luajit,'
./configure: line 13414: `PKG_CHECK_MODULES(luajit, luajit >= 2,,as_fn_error $? "luajit v2+ not found" "$LINENO" 5)'


I noticed that I forgot to install pkg-config (PKG_CHECK_MODULES comes from its pkg.m4 file, so it was left unexpanded too).
try again.
root@c-drool:~/dnsjit# apt install pkg-config -y

root@c-drool:~/dnsjit# sh autogen.sh
root@c-drool:~/dnsjit# ./configure
<snip>
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating examples/Makefile
config.status: creating src/config.h
config.status: executing depfiles commands
config.status: executing libtool commands
root@c-drool:~/dnsjit# echo $?
0

root@c-drool:~/dnsjit# make
root@c-drool:~/dnsjit# make install


then build drool.
root@c-drool:~# git clone https://github.com/DNS-OARC/drool.git
root@c-drool:~# cd drool/

root@c-drool:~/drool# sh autogen.sh
root@c-drool:~/drool# ./configure
root@c-drool:~/drool# make
root@c-drool:~/drool# make install


root@c-drool:~/drool# which drool
/usr/local/bin/drool

root@c-drool:~/drool# drool -V
<< dnsjit v0.9.2 https://github.com/DNS-OARC/dnsjit/issues >>
drool v2.0.0
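The two configure failures above have the same root cause: a macro call (LT_INIT, PKG_CHECK_MODULES) survived into the generated configure script because the package shipping its .m4 file was not installed, and bash then reports a "syntax error near unexpected token" at that line. The pre-flight check below is an added example, not part of this post or of the dnsjit/drool projects: it scans a configure script for such leftover macro calls and maps them to the Debian/Ubuntu package that provides the macro, and it lists build tools missing from PATH. The macro-to-package table and the tool list are my assumptions, and the configure excerpt is constructed from the two error lines above.

```python
"""Pre-flight check for autotools builds: spot unexpanded m4 macros before ./configure runs.

Added example, not code from the post or from dnsjit/drool. A macro call left in
configure means autoconf could not find the .m4 file defining it; the package names
below (Debian/Ubuntu) are the assumed source of each macro family.
"""
import re
import shutil

# macro (or prefix) -> package whose aclocal .m4 file defines it; specific names first
MACRO_SOURCES = (
    ("LT_INIT", "libtool"),                 # libtool.m4
    ("LT_", "libtool"),
    ("PKG_CHECK_MODULES", "pkg-config"),    # pkg.m4
    ("PKG_", "pkg-config"),
    ("AX_", "autoconf-archive"),            # ax_*.m4
    ("AM_", "automake"),
    ("AC_", "autoconf"),
)
# an uppercase MACRO_NAME( at the start of a line never occurs in a correctly generated script
MACRO_RE = re.compile(r"^\s*((?:LT|PKG|AC|AM|AX)_[A-Z0-9_]+)\s*\(")

# tools the build in the post needed, including the two found by trial and error (assumed list)
BUILD_TOOLS = ("gcc", "make", "autoconf", "automake", "libtoolize", "pkg-config", "luajit")

# constructed from the two error lines in the post, with some ordinary shell around them
CONFIGURE_SAMPLE = """\
if test -n "$ac_tool_prefix"; then :
fi
LT_INIT(disable-static)

# Checks for support.
PKG_CHECK_MODULES(luajit, luajit >= 2,,as_fn_error $? "luajit v2+ not found" "$LINENO" 5)
"""


def find_unexpanded_macros(configure_text):
    """Return (lineno, macro, package_hint) for every macro call left in the script."""
    found = []
    for lineno, line in enumerate(configure_text.splitlines(), 1):
        m = MACRO_RE.match(line)
        if not m:
            continue
        macro = m.group(1)
        hint = next((pkg for prefix, pkg in MACRO_SOURCES if macro.startswith(prefix)), "unknown")
        found.append((lineno, macro, hint))
    return found


def missing_tools(names):
    """Names from `names` that shutil.which cannot find on PATH."""
    return [n for n in names if shutil.which(n) is None]


if __name__ == "__main__":
    for lineno, macro, pkg in find_unexpanded_macros(CONFIGURE_SAMPLE):
        print(f"configure line {lineno}: {macro} not expanded -> install {pkg}, rerun autogen.sh")
    for tool in missing_tools(BUILD_TOOLS):
        print(f"missing on PATH: {tool}")
```

Run it against a real script with `find_unexpanded_macros(open("configure").read())` after autogen.sh; an empty result means autoconf found every macro, which is the state the post reaches only after installing libtool and pkg-config.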


[ use drool ]


prepare a DNS server to receive DNS traffic from drool.
I installed unbound.
root@c-xenial01:~# apt update; apt install -y unbound
root@c-xenial01:~# cp /usr/share/doc/unbound/examples/unbound.conf /etc/unbound/unbound.conf.d/

root@c-xenial01:/etc/unbound/unbound.conf.d# pwd
/etc/unbound/unbound.conf.d

root@c-xenial01:/etc/unbound/unbound.conf.d# cp unbound.conf unbound.conf.orig

the two lines added to unbound.conf make unbound listen on every interface and answer queries from any source (fine for this closed lab network, not for a host that is reachable from outside):
# diff unbound.conf unbound.conf.orig
38d37
<        interface: 0.0.0.0
197d195
<        access-control: 0.0.0.0/0 allow

# systemctl start unbound

# unbound-control status
version: 1.5.8
verbosity: 1
threads: 1
modules: 2 [ validator iterator ]
uptime: 211 seconds
options: control(ssl)
unbound (pid 1208) is running...

root@c-xenial01:~# dig @127.1 www.google.com +short
172.217.26.36


then prepare a capture file to replay.


on the drool machine, send DNS queries and capture DNS traffic.
root@c-drool:~/drool# tcpdump -nn -i eth0 udp dst port 53 -w dns.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

root@c-drool:~# for i in `seq 1 100`;do dig @192.168.132.67 www.google.com +noall >/dev/null ;done
root@c-drool:~#

root@c-drool:~/drool# tcpdump -nn -r dns.cap | head -1
reading from file dns.cap, link-type EN10MB (Ethernet)
05:30:05.847631 IP 192.168.132.84.58646 > 192.168.132.67.53: 6998+ [1au] A? www.google.com. (43)


replay the capture data with drool. "timing multiply 0.5" halves the recorded inter-packet gaps (roughly twice the original rate), "client_pool target" points the queries at the server, and "sendas udp" sends them over UDP.
root@c-drool:~# drool --v -c 'text:timing multiply 0.5; client_pool target "192.168.132.67" "53"; client_pool sendas udp;' -r dns.cap
<< dnsjit v0.9.2 https://github.com/DNS-OARC/dnsjit/issues >>
runtime 0.000352731
packets 100     283502.15886894 /pps
queries 100     283502.15886894 /qps
dropped 0
ignored 0
total   100


on the DNS server.
root@c-xenial01:~# tcpdump -nn -i eth0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
05:33:21.214292 IP 192.168.132.84.48043 > 192.168.132.67.53: 6998+ [1au] A? www.google.com. (43)
05:33:21.214369 IP 192.168.132.84.48630 > 192.168.132.67.53: 51727+ [1au] A? www.google.com. (43)
05:33:21.214384 IP 192.168.132.67.53 > 192.168.132.84.48043: 6998 1/0/1 A 172.217.26.36 (59)


[ replay TCP queries ]


send TCP queries and capture that.
root@c-drool:~# for i in `seq 1 10`;do dig @192.168.132.67 www.google.com +tcp +noall > /dev/null;done
root@c-drool:~#

root@c-drool:~# tcpdump -nn -i eth0 tcp dst port 53 -w dns-tcp.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C60 packets captured

root@c-drool:~# tcpdump -nn -r dns-tcp.cap | head -5
reading from file dns-tcp.cap, link-type EN10MB (Ethernet)
05:42:31.510126 IP 192.168.132.84.57113 > 192.168.132.67.53: Flags [S], seq 994349377, win 29200, options [mss 1460,sackOK,TS val 387927626 ecr 0,nop,wscale 7], length 0
05:42:31.510212 IP 192.168.132.84.57113 > 192.168.132.67.53: Flags [.], ack 2166890484, win 229, options [nop,nop,TS val 387927626 ecr 387927626], length 0
05:42:31.510303 IP 192.168.132.84.57113 > 192.168.132.67.53: Flags [P.], seq 0:45, ack 1, win 229, options [nop,nop,TS val 387927626 ecr 387927626], length 4552857+ [1au] A? www.google.com. (43)
05:42:31.510395 IP 192.168.132.84.57113 > 192.168.132.67.53: Flags [.], ack 62, win 229, options [nop,nop,TS val 387927626 ecr 387927626], length 0
05:42:31.510549 IP 192.168.132.84.57113 > 192.168.132.67.53: Flags [F.], seq 45, ack 62, win 229, options [nop,nop,TS val 387927626 ecr 387927626], length 0
tcpdump: Unable to write output: Broken pipe


replay that with drool. only 10 of the 60 captured packets carry a DNS message (the other 50 are the client's SYN/ACK/FIN segments), so 10 queries are replayed and the rest show up as dropped.
root@c-drool:~# drool -vv -c 'text:filter "tcp"; client_pool target "192.168.132.67" "53";' -r dns-tcp.cap
<< dnsjit v0.9.2 https://github.com/DNS-OARC/dnsjit/issues >>
runtime 0.000503851
packets 60      119082.82408887 /pps
queries 10      19847.137348145 /qps
dropped 50
ignored 0
total   60


on the DNS server
root@c-xenial01:~# tcpdump -nn -i eth0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
05:43:43.474627 IP 192.168.132.84.40932 > 192.168.132.67.53: Flags [S], seq 2937983352, win 29200, options [mss 1460,sackOK,TS val 387945617 ecr 0,nop,wscale 7], length 0
05:43:43.474666 IP 192.168.132.67.53 > 192.168.132.84.40932: Flags [S.], seq 3430904361, ack 2937983353, win 28960, options [mss 1460,sackOK,TS val 387945617 ecr 387945617,nop,wscale 7], length 0
05:43:43.474695 IP 192.168.132.84.40932 > 192.168.132.67.53: Flags [.], ack 1, win 229, options [nop,nop,TS val 387945617 ecr 387945617], length 0
05:43:43.474757 IP 192.168.132.84.40934 > 192.168.132.67.53: Flags [S], seq 1072516780, win 29200, options [mss 1460,sackOK,TS val 387945617 ecr 0,nop,wscale 7], length 0
05:43:43.474770 IP 192.168.132.67.53 > 192.168.132.84.40934: Flags [S.], seq 1015983461, ack 1072516781, win 28960, options [mss 1460,sackOK,TS val 387945617 ecr 387945617,nop,wscale 7], length 0


[ replay a pcap as fast as possible ]


"timing ignore" discards the recorded pacing and sends as fast as it can, and "client_pool skip_reply" tells the client pool not to wait for answers.
root@c-drool:~# drool -vv -c 'text:filter "udp"; timing ignore; context client_pools 1; client_pool target "192.168.132.67" "53"; client_pool skip_reply;' -r dns.cap


the destination address recorded in the pcap is 192.168.132.67:
reading from file dns.cap, link-type EN10MB (Ethernet)
05:30:05.847631 IP 192.168.132.84.58646 > 192.168.132.67.53: 6998+ [1au] A? www.google.com. (43)
05:30:05.856452 IP 192.168.132.84.33222 > 192.168.132.67.53: 51727+ [1au] A? www.google.com. (43)
05:30:05.867903 IP 192.168.132.84.56097 > 192.168.132.67.53: 28075+ [1au] A? www.google.com. (43)
root@c-drool:~#


send the same queries to a different host by changing "client_pool target" (here 192.168.132.73), regardless of the destination recorded in the pcap.
root@c-drool:~# drool -vv -c 'text:filter "udp"; timing ignore; context client_pools 1; client_pool target "192.168.132.73" "53"; client_pool skip_reply;' -r dns.cap
<< dnsjit v0.9.2 https://github.com/DNS-OARC/dnsjit/issues >>
runtime 0.000616341
packets 100     162247.84656546 /pps
queries 100     162247.84656546 /qps
dropped 0
ignored 0


[ online documentation ]


root@c-drool:~# man drool.conf
