{"id":21081887,"url":"https://github.com/avielyo10/dns-amplification-lab","last_synced_at":"2025-12-29T09:04:44.748Z","repository":{"id":103397951,"uuid":"163815039","full_name":"Avielyo10/DNS-Amplification-Lab","owner":"Avielyo10","description":"Using Scapy for DNS amplification","archived":false,"fork":false,"pushed_at":"2019-02-13T18:57:47.000Z","size":126,"stargazers_count":15,"open_issues_count":0,"forks_count":8,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-01-20T23:33:20.647Z","etag":null,"topics":["cyber-lab","dns-amplification-attack","dns-amplification-lab","scapy"],"latest_commit_sha":null,"homepage":"","language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Avielyo10.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-01-02T08:33:39.000Z","updated_at":"2024-05-07T16:58:49.000Z","dependencies_parsed_at":null,"dependency_job_id":"f8fae840-edef-411a-ab2a-8e279ec53369","html_url":"https://github.com/Avielyo10/DNS-Amplification-Lab","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Avielyo10%2FDNS-Amplification-Lab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Avielyo10%2FDNS-Amplification-Lab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Avielyo10%2FDNS-Amplification-Lab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Avielyo10%2FDNS-Amplification-Lab/manife
sts","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Avielyo10","download_url":"https://codeload.github.com/Avielyo10/DNS-Amplification-Lab/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243526862,"owners_count":20305112,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cyber-lab","dns-amplification-attack","dns-amplification-lab","scapy"],"created_at":"2024-11-19T20:11:23.158Z","updated_at":"2025-12-29T09:04:44.661Z","avatar_url":"https://github.com/Avielyo10.png","language":"Makefile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DNS Amplification Lab\n![](https://img.shields.io/badge/license-Apache--2.0-brightgreen.svg)\n![](https://img.shields.io/badge/requirements-Docker-red.svg)  \n\nIn this lab we will use [Docker](https://www.docker.com/get-started) \u0026 [Scapy](https://scapy.net/).  \n\n## Lab Overview\nDNS (Domain Name System) is the Internet’s phone book; it translates hostnames to IP addresses (or IP\naddresses to hostnames). This translation is done through DNS resolution, which happens behind the scenes.  \nA DNS amplification attack is a sophisticated denial-of-service attack that takes advantage of DNS server behavior in order to amplify the attack. It is a new type of attack that exploits the fact that the response generated by a DNS server can be much larger than the DNS request query. This attack is feasible only in the case of a recursive DNS server. 
The huge amount of traffic generated by the DNS server is used to flood the target server (i.e. the victim), causing a denial of service. The attacker performs two malicious tasks to launch a DNS amplification attack on the victim.\n\nA DNS amplification attack can be broken down into four steps:\n\n- The attacker uses a compromised endpoint to send UDP packets with spoofed IP addresses to a DNS recursor. The spoofed address on the packets points to the real IP address of the victim.\n- Each one of the UDP packets makes a request to a DNS resolver, often passing an argument such as “ANY” in order to receive the largest response possible.\n- After receiving the requests, the DNS resolver, which is trying to be helpful by responding, sends a large response to the spoofed IP address.\n- The IP address of the target receives the response and the surrounding network infrastructure becomes overwhelmed with the deluge of traffic, resulting in a denial-of-service.\n\nWhile a few requests are not enough to take down network infrastructure, when this sequence is multiplied across multiple requests and DNS resolvers, the amplification of data the target receives can be substantial.  \n\n\n## Lab Environment  \nIf Docker is not installed on your computer, install it now.  
\nPulling the images for the lab:\n- Sniff container (our target):  \n`docker pull avielyosef/ubuntu-dns-amplification:sniff` \n- Attacker container:  \n`docker pull avielyosef/ubuntu-dns-amplification:attacker`\n\n- DNS container:  \n`docker pull andyshinn/dnsmasq`\n\nCreate the Docker network: `docker network create myLab`.\n  \nRun and connect to Sniff:  \n- `docker run --rm -ti --net myLab --name Sniff avielyosef/ubuntu-dns-amplification:sniff`\n  \nRun and connect to Attacker:  \n- `docker run --rm -ti --net myLab --name Attacker avielyosef/ubuntu-dns-amplification:attacker`  \n\nRun DNS1 in the background:  \n- `docker run --rm -d --net myLab --name DNS1 --cap-add=NET_ADMIN andyshinn/dnsmasq`\n\nRun DNS2 in the background:  \n- `docker run --rm -d --net myLab --name DNS2 --cap-add=NET_ADMIN andyshinn/dnsmasq`\n\nRun DNS3 in the background:  \n- `docker run --rm -d --net myLab --name DNS3 --cap-add=NET_ADMIN andyshinn/dnsmasq`\n\n![](images/explanation.png)\n\n## Lab Tasks\n\n### Task 1: Run `basic_script`.\n**NOTE:** To resolve an IP from a running container, run `docker inspect \u003ccontainer_name\u003e`, for example: `docker inspect Sniff`. \n\nHere we can see a screenshot of `basic_script` from the Attacker container.\nModify this script to send a DNS request with Sniff's IP; you can use any DNS container you want for this task.   \nThen run: `sudo python basic_script`. \n\n**Describe what you see on Sniff's screen.**\n\n![basic Scapy script](images/basic-DNS-script.png)\n\n### Task 2: Improve `basic_script`.\nNow that we understand how to spoof our own DNS packets, let's improve our code!\n\nTo see the load on the network, open a new terminal and run `docker exec -ti Sniff bash`; once you see Sniff's terminal, run `bmon`.\n\n**For each task, describe what you see on Sniff's screens.**\n\n#### Task 2.1: loop it!\nModify our `basic_script` to send spoofed DNS requests in a loop! You can use any DNS container you want for this task. 
\n\n#### Task 2.2: getting greedy\n\nCreate `SERVERS.txt` \u0026 `DOMAINS.txt`. Inside `SERVERS.txt`, put the DNS containers' IPs on separate lines; inside `DOMAINS.txt`, put domain addresses on separate lines.\n\nCreate your own script or build it on top of `basic_script`, and use `SERVERS.txt` \u0026 `DOMAINS.txt` inside your script in order to use all 3 DNS containers with different domain queries.\n\n## Finish up\n\n### Stop containers\nRun `docker container stop \u003ccontainer_name\u003e`, for example: `docker container stop Sniff`.\n\n**NOTE:** Don't forget to stop all 5 containers.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Favielyo10%2Fdns-amplification-lab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Favielyo10%2Fdns-amplification-lab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Favielyo10%2Fdns-amplification-lab/lists"}