|
| 1 | +# -*- coding: utf-8 |
| 2 | +u"""DNS Amplification detection module for SecureTea IDS. |
| 3 | +
|
| 4 | +Project: |
| 5 | + ╔═╗┌─┐┌─┐┬ ┬┬─┐┌─┐╔╦╗┌─┐┌─┐ |
| 6 | + ╚═╗├┤ │ │ │├┬┘├┤ ║ ├┤ ├─┤ |
| 7 | + ╚═╝└─┘└─┘└─┘┴└─└─┘ ╩ └─┘┴ ┴ |
| 8 | + Author: Aman Singh <dun930n.m45732@gmail.com> , June 14 2021 |
| 9 | + Version: 1.1 |
| 10 | + Module: SecureTea |
| 11 | +
|
| 12 | +""" |
| 13 | + |
| 14 | +import scapy.all as scapy |
| 15 | +from subprocess import check_output |
| 16 | +import re |
| 17 | +from securetea import logger |
| 18 | + |
| 19 | +class DNS_Amplification(object): |
| 20 | + """DNS Amplification class.""" |
| 21 | + |
| 22 | + def __init__(self, debug=False): |
| 23 | + """ |
| 24 | + Initialize DNS Amplification class. |
| 25 | +
|
| 26 | + Args: |
| 27 | + debug (bool): Log on terminal or not |
| 28 | +
|
| 29 | + Raises: |
| 30 | + None |
| 31 | +
|
| 32 | + Returns: |
| 33 | + None |
| 34 | + """ |
| 35 | + # Initialize logger |
| 36 | + self.logger = logger.SecureTeaLogger( |
| 37 | + __name__, |
| 38 | + debug=debug |
| 39 | + ) |
| 40 | + |
| 41 | + def detect_dns_amplification(self, pkt): |
| 42 | + """ |
| 43 | + Detect detect DNS Amplification by observing source, |
| 44 | + destination IP & ports. |
| 45 | +
|
| 46 | + Args: |
| 47 | + pkt (scapy_object): Packet to dissect and observe |
| 48 | +
|
| 49 | + Raises: |
| 50 | + None |
| 51 | +
|
| 52 | + Returns: |
| 53 | + None |
| 54 | + """ |
| 55 | + if (pkt.haslayer(scapy.IP) and |
| 56 | + pkt.haslayer(scapy.UDP) and |
| 57 | + pkt.haslayer(scapy.DNS)): |
| 58 | + |
| 59 | + source_ip = pkt[scapy.IP].src |
| 60 | + dest_dns = [str(pkt[scapy.IP].dst)] |
| 61 | + |
| 62 | + udp_port = pkt[scapy.UDP].dport |
| 63 | + ips = check_output(['hostname', '--all-ip-addresses']) |
| 64 | + ips = ips.decode("utf-8").split(' ')[:-1] |
| 65 | + |
| 66 | + # dns ips for top public dns servers |
| 67 | + dns_dst = ['8.8.8.8','8.8.4.4','9.9.9.9','149.112.112.112','208.67.222.222','208.67.220.220','1.1.1.1','1.0.0.1','185.228.168.9','185.228.169.9','76.76.19.19','76.223.122.150','94.140.14.14','94.140.15.15'] |
| 68 | + |
| 69 | + if ((source_ip in ips) and (udp_port == 53)): |
| 70 | + for dest in dest_dns: |
| 71 | + if(re.search('[a-zA-Z]', dest)): |
| 72 | + dest_dns += check_output(['dig', '+short', dest]).decode('utf-8').split('\n')[:-1] |
| 73 | + if(dest in dns_dst): |
| 74 | + self.logger.log( |
| 75 | + "Possible dns amplification attack detected.", |
| 76 | + logtype="warning" |
| 77 | + ) |
| 78 | + break |
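Review bot: The guard `if ((source_ip in ips) and (udp_port == 53))` fires for every packet whose source is one of this host's own addresses and whose destination port is 53, so any ordinary outbound query to a resolver in `dns_dst` is logged as a possible amplification attack; the heuristic has no notion of query type, response size or rate, and the "Possible dns amplification attack detected." warning will be mostly false positives. `check_output(['hostname', '--all-ip-addresses'])` also spawns a process for every DNS packet — the host address list could be read once in `__init__`, e.g. `self.ips = check_output(['hostname', '--all-ip-addresses']).decode('utf-8').split()`, which would also drop the trailing-newline handling that `split(' ')[:-1]` assumes. The `dig` branch looks unreachable for an IPv4 `IP.dst` (a dotted quad never matches `[a-zA-Z]`) and it appends to `dest_dns` while iterating it; if hostname resolution is intended it should be a separate step before the loop. The docstring's first line reads "Detect detect DNS Amplification" and should drop the duplicated word.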