The repository contains the code used in my research project with the title "Estimating the Amplification Factor in the Network Infrastructure of France".
The code is used to help network administrators or fellow researchers identify amplifiers within network infrastructures. Amplifiers are vulnerable servers that return large responses to small requests.
The code should be used ethically without abusing the identified vulnerable servers.
The code mainly targets three protocols (DNS, NTP, and Memcached) and provides the following functionality:
- Collect servers running a specific protocol using the Censys API
- Find authoritative DNS servers in a country
- Determine whether a server is a potential amplifier by sending a simple UDP packet
- Compute the amplification factor by sending a UDP packet to the server
- Docker: Install Docker from here.
- Censys: Create an account here for the collection of servers
- IPinfo: Create an account here to verify the location of the servers.
- Clone this repository and navigate to the project directory:
    git clone https://github.com/panayiotishad04/Amplifier-Collector.git
    cd <your-repository-name>
- Create a file in the project's directory with the name .env and add the credentials for Censys and IPinfo by replacing the values of the corresponding variables:
    CENSYS_API_ID=add_censys_api_id
    CENSYS_API_SECRET=add_censys_api_secret_key
    IPINFO_API_KEY=add_ipinfo_api_key
- Build the Docker image:
    docker build -t <name_of_image> .
- Start an interactive container from the image:
    docker run -it <name_of_image> /bin/bash
Run
    python server_collection.py query_censys_and_save <query_input> <output_filename>
to collect servers running a specific protocol.
<query_input>: Check the Censys search syntax,
e.g., f"location.country_code: FR AND services.service_name: NTP AND services.port: 123"
- Download files from https://toplists.net.in.tum.de/archive/ and add them to the Docker container.
- Depending on the type of the file (csv or txt), run
    python server_collection.py extract_domain_names_csv <input_filename> <output_filename>
  or
    python server_collection.py extract_domain_names_txt <input_filename> <output_filename>
  Both methods add a domain name to the output file only if it is not already present, therefore keeping only unique domain names.
- Run
    python amplifier_discovery.py nameserver_collection <input_filename> <output_filename>
  to get authoritative DNS servers for the collected domain names.
- Run
    python amplifier_discovery.py transform_reverse_dns_to_ip <input_filename> <output_filename>
  This will resolve the reverse-DNS names from the previous step to get the IP addresses of the servers and extract only open servers.
- Run
    python amplifier_discovery.py extract_valid_geolocation <input_filename> <output_filename>
  to filter out servers not located in France.
Run
    python amplifier_discovery.py filter_open_recursive_dns <input_filename> <output_filename>
to collect open recursive DNS servers.
Run
    python amplifier_discovery.py filter_open_ntp_servers <input_filename> <output_filename>
to collect open servers running NTP.
- Run
    python amplifier_discovery.py filter_open_memcached_servers <input_filename> <output_filename>
  to filter open Memcached servers by checking if they reply on UDP when asking for the statistics of the server.
- Run
    python amplifier_discovery.py extract_memcached_servers_keys <input_filename> <output_filename>
  to extract keys from the open Memcached servers from the previous step.
  <output_filename>: e.g., memcached_keys.json
Run
    python packet_sender.py dns_experiment_authoritative <input_filename> <output_filename>
<input_filename>: output_filename in Step 2.A.3
The default RR type parameter is ANY (255). You can try another type by changing the value of the qtype parameter (e.g., qtype = 'TXT') when crafting the packet in the method measure_dns_authoritative_packet_size.
Run
    python packet_sender.py dns_experiment_recursive <input_filename> <output_filename> <domain_name>
<input_filename>: output_filename in Step 2.B
The default RR type parameter is ANY (255). You can try another type by changing the value of the qtype parameter (e.g., qtype = 'TXT') when crafting the packet in the method measure_dns_authoritative_packet_size.
Run
    python packet_sender.py ntp_experiment <input_filename> <output_filename>
<input_filename>: file containing the keys obtained in Step 2.C
Run
    python packet_sender.py compute_baf_for_stats <input_filename> <output_filename>
<input_filename>: file containing the statistics obtained in Step 2.B.1
Run
    python packet_sender.py memcached_experiment <input_filename> <output_filename>
<input_filename>: file containing the keys obtained in Step 2.B.2
- Run
    python server_fingerprinting.py collect_authoritative_dns_versions <input_filename> <output_filename>
  to get the server's version.
- Run
    python server_fingerprinting.py collect_authoritative_buffer_sizes <input_filename> <output_filename>
  to get the server's buffer size.
- Run
    python server_fingerprinting.py collect_recursive_dns_versions <input_filename> <output_filename>
  to get the server's version.
- Run
    python server_fingerprinting.py collect_recursive_buffer_sizes <input_filename> <output_filename>
  to get the server's buffer size.
Run
    python server_fingerprinting.py collect_ntp_versions <input_filename> <output_filename>
to get the version of NTP servers with ntpq.
Run
    python server_fingerprinting.py collect_memcached_versions <input_filename> <output_filename>
to get the versions of Memcached servers over TCP.
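
An added example, not code from this repository, showing how an administrator auditing their own DNS server can derive the amplification factor and the open-recursion verdict from one request and the UDP payloads returned for it. It assumes the bandwidth amplification factor (BAF) is response payload bytes divided by request payload bytes, treats a reply with RA set, NOERROR and at least one answer as open recursion, and runs on constructed responses without sending anything; `build_query`, `parse_header`, `assess` and `fake_response` are hypothetical names.

```python
import struct

def build_query(name, qtype=255, edns_size=4096, txid=0x1A2B):
    """Encode a DNS query (RD set) with an EDNS0 OPT record; nothing is sent."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)  # root name, type OPT
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_header(payload):
    """Extract the DNS header fields relevant to an open-resolver audit."""
    if len(payload) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": ancount}

def assess(request, responses):
    """Classify one server from its request and the UDP payloads it returned."""
    req_id = parse_header(request)["txid"]
    # Count only real replies to this query: QR set and matching transaction ID.
    headers = [(r, parse_header(r)) for r in responses if len(r) >= 12]
    valid = [(r, h) for r, h in headers if h["qr"] and h["txid"] == req_id]
    baf = sum(len(r) for r, _ in valid) / len(request)
    # Assumption: RA + NOERROR + answers means the server recursed for us.
    recursive = any(h["ra"] and h["rcode"] == 0 and h["ancount"] > 0
                    for _, h in valid)
    # Assumption: any BAF above 1.0 marks the server as an amplifier.
    return {"baf": round(baf, 2), "open_recursive": recursive, "amplifier": baf > 1.0}

def fake_response(txid, flags, ancount, total_len):
    """Constructed sample: a valid header followed by zero padding to total_len."""
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 1)
    return header.ljust(total_len, b"\x00")

QUERY = build_query("example.com")  # ANY query with EDNS0, as in the default qtype
OPEN = assess(QUERY, [fake_response(0x1A2B, 0x8180, 5, 1200)])     # RA, NOERROR
REFUSED = assess(QUERY, [fake_response(0x1A2B, 0x8105, 0, 40)])    # rcode REFUSED
MISMATCH = assess(QUERY, [fake_response(0x9999, 0x8180, 5, 1200)])  # wrong txid

if __name__ == "__main__":
    for label, result in (("open", OPEN), ("refused", REFUSED), ("mismatch", MISMATCH)):
        print(label, result)
```

A server that answers REFUSED with a reply no larger than the query yields a BAF of 1.0 or less, which is the result a correctly restricted resolver should produce for outside clients.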