Fasalolin saitunan DPI

Wannan labarin ba ya rufe cikakken daidaitawar DPI da duk abin da aka haɗa tare, kuma ƙimar kimiyyar rubutun ba ta da yawa. Amma ya bayyana hanya mafi sauƙi don ketare DPI, wanda kamfanoni da yawa ba su yi la'akari da su ba.

Disclaimer #1: Wannan labarin yanayin bincike ne kuma baya ƙarfafa kowa yayi ko amfani da wani abu. Tunanin ya dogara ne akan ƙwarewar mutum, kuma kowane kamance bazuwar.

Gargadi A'a. 2: labarin bai bayyana asirin Atlantis ba, bincike na Grail Mai Tsarki da sauran abubuwan sirri na sararin samaniya; duk kayan suna samuwa kyauta kuma ana iya bayyana su fiye da sau ɗaya akan Habré. (Ban same shi ba, zan yi godiya ga hanyar haɗin gwiwa)

Ga waɗanda suka karanta gargaɗin, bari mu fara.

Menene DPI?

DPI ko Deep Packet Inspection fasaha ce don tara bayanan ƙididdiga, dubawa da tace fakitin cibiyar sadarwa ta hanyar nazarin ba kawai fakitin buga labarai ba, har ma da cikakken abun ciki na zirga-zirga a matakan ƙirar OSI daga na biyu da mafi girma, wanda ke ba ku damar ganowa toshe ƙwayoyin cuta, tace bayanan da bai dace da ƙayyadaddun ka'idoji ba.

Akwai nau'ikan haɗin DPI guda biyu, waɗanda aka bayyana ValdikSS na github:

DPI mai wucewa

An haɗa DPI zuwa cibiyar sadarwar mai bada a layi daya (ba a cikin yanke ba) ko dai ta hanyar mai raba gani na gani, ko ta amfani da madubin zirga-zirgar da ya samo asali daga masu amfani. Wannan haɗin ba ya rage saurin hanyar sadarwar mai badawa idan akwai rashin isasshen aikin DPI, wanda shine dalilin da ya sa manyan masu samarwa ke amfani da shi. DPI tare da wannan nau'in haɗin kai na iya gano yunƙurin neman abun ciki da aka haramta a fasaha kawai, amma ba dakatar da shi ba. Don ƙetare wannan ƙuntatawa da toshe damar shiga wani rukunin yanar gizo da aka haramta, DPI tana aika mai amfani yana buƙatar URL ɗin da aka katange fakitin HTTP da aka kera na musamman tare da turawa zuwa shafin stub na mai bayarwa, kamar dai albarkatun da aka nema ne ya aiko da irin wannan amsa (IP ɗin mai aikawa da kansa). adireshi da jerin TCP an ƙirƙira su). Saboda DPI ta fi kusa da mai amfani a zahiri fiye da rukunin da ake buƙata, amsawar da aka yi ta ɓarna tana isa ga na'urar mai amfani da sauri fiye da ainihin martani daga rukunin yanar gizon.

DPI mai aiki

DPI mai aiki - DPI da aka haɗa zuwa cibiyar sadarwar mai bayarwa ta hanyar da aka saba, kamar kowace na'ura na cibiyar sadarwa. Mai badawa yana tsara hanyar tafiya don DPI ta karɓi zirga-zirga daga masu amfani zuwa katange adiresoshin IP ko yanki, sannan DPI ta yanke shawarar ko don ba da izini ko toshe zirga-zirga. DPI mai aiki na iya bincika zirga-zirgar mai fita da mai shigowa, duk da haka, idan mai bada sabis yana amfani da DPI kawai don toshe shafuka daga wurin yin rajista, galibi ana saita shi don bincika zirga-zirgar masu fita kawai.

Ba wai kawai tasirin toshe zirga-zirgar ababen hawa ba, har ma da nauyi akan DPI ya dogara da nau'in haɗin gwiwa, don haka ba zai yiwu a bincika duk zirga-zirgar ababen hawa ba, amma kawai wasu:

"Normal" DPI

DPI "na yau da kullun" shine DPI wanda ke tace wani nau'in zirga-zirga kawai akan mafi yawan tashoshin jiragen ruwa na irin wannan. Misali, DPI “na yau da kullun” tana ganowa kuma tana toshe haramtacciyar zirga-zirgar HTTP akan tashar jiragen ruwa 80 kawai, zirga-zirgar HTTPS akan tashar jiragen ruwa 443. Irin wannan DPI ba zai bin diddigin abubuwan da aka haramta ba idan kun aika buƙatu tare da URL ɗin da aka toshe zuwa IP ɗin da ba a toshe ko ba- misali tashar jiragen ruwa.

"Cikakken" DPI

Ba kamar "na yau da kullun" DPI ba, irin wannan nau'in DPI yana rarraba zirga-zirga ba tare da la'akari da adireshin IP da tashar jiragen ruwa ba. Ta wannan hanyar, rukunin yanar gizon da aka toshe ba za su buɗe ba ko da kuna amfani da uwar garken wakili akan wata tashar ruwa ta daban da adireshin IP da ba a toshe ba.

Amfani da DPI

Domin kada ku rage yawan canja wurin bayanai, kuna buƙatar amfani da "Normal" m DPI, wanda ke ba ku damar yin tasiri sosai? toshe wani? albarkatun, tsoho tsari yayi kama da haka:

• HTTP tace kawai akan tashar jiragen ruwa 80
• HTTPS kawai akan tashar jiragen ruwa 443
• BitTorrent kawai akan tashar jiragen ruwa 6881-6889

Amma matsaloli suna farawa idan albarkatun za su yi amfani da tashar jiragen ruwa daban don kada su rasa masu amfani, to za ku duba kowane kunshin, misali za ku iya bayarwa:

• HTTP yana aiki akan tashar jiragen ruwa 80 da 8080
• HTTPS akan tashar jiragen ruwa 443 da 8443
• BitTorrent akan kowane rukuni

Saboda wannan, dole ne ku canza zuwa "Active" DPI ko amfani da tarewa ta amfani da ƙarin sabar DNS.

Toshewa ta amfani da DNS

Hanya ɗaya don toshe damar yin amfani da albarkatu ita ce katse buƙatar DNS ta amfani da uwar garken DNS na gida kuma mayar da mai amfani da adireshin IP na “stub” maimakon albarkatun da ake buƙata. Amma wannan ba ya ba da tabbacin sakamako, tun da yana yiwuwa a hana spoofing adireshin:

Zabin 1: Gyara fayil ɗin runduna (na tebur)

Fayil ɗin runduna wani sashe ne na kowane tsarin aiki, wanda ke ba ku damar amfani da shi koyaushe. Don samun dama ga albarkatun, mai amfani dole ne:

1. Nemo adireshin IP na albarkatun da ake buƙata
2. Bude fayil ɗin runduna don gyarawa (ana buƙatar haƙƙin gudanarwa), wanda ke cikin:
   • Linux: /etc/hosts
   • Windows: % WinDir%System32driversetchosts
3. Ƙara layi a cikin tsari:
4. Ajiye canje-canje

Amfanin wannan hanyar shine rikitarwarsa da kuma buƙatun haƙƙin gudanarwa.

Zabin 2: DoH (DNS akan HTTPS) ko DoT (DNS akan TLS)

Waɗannan hanyoyin suna ba ku damar kare buƙatun ku na DNS daga ɓarna ta amfani da ɓoyewa, amma duk aikace-aikacen ba su goyan bayan aiwatarwa. Bari mu kalli sauƙin kafa DoH don Mozilla Firefox sigar 66 daga ɓangaren mai amfani:

1. Je zuwa adireshin game da: saiti a cikin Firefox
2. Tabbatar cewa mai amfani yana ɗaukar duk haɗari
3. Canja ƙimar siga hanyar sadarwa.trr.mode a kan:
   • 0 - kashe TRR
   • 1 - zaɓi ta atomatik
   • 2 - kunna DoH ta tsohuwa
4. Canja siga network.trr.uri zabar uwar garken DNS
   • Cloudflare DNS: mozilla.cloudflare-dns.com/dns-query
   • GoogleDNS: dns.google.com/experimental
5. Canja siga network.trr.boostrapAdress a kan:
   • Idan an zaɓi Cloudflare DNS: 1.1.1.1
   • Idan Google DNS aka zaɓi: 8.8.8.8
6. Canja ƙimar siga network.security.esni.an kunna a kan gaskiya
7. Bincika cewa saitunan daidai suke ta amfani da Sabis na Cloudflare

Kodayake wannan hanyar ta fi rikitarwa, ba ta buƙatar mai amfani don samun haƙƙin gudanarwa, kuma akwai wasu hanyoyin da yawa don amintar da buƙatun DNS waɗanda ba a bayyana su a cikin wannan labarin ba.

Zabin 3 (na na'urorin hannu):

Amfani da Cloudflare app zuwa Android и iOS.

Gwaji

Don duba rashin samun albarkatu, an siyi wani yanki da aka katange a cikin Tarayyar Rasha na ɗan lokaci:

• HTTP duba + tashar jiragen ruwa 80
• HTTP duba + tashar jiragen ruwa 8080
• HTTPS duba + tashar jiragen ruwa 443
• HTTPS duba + tashar jiragen ruwa 8443

ƙarshe

Ina fatan wannan labarin zai kasance da amfani kuma zai ƙarfafa ba kawai masu gudanarwa don fahimtar batun dalla-dalla ba, amma kuma zai ba da fahimtar hakan. albarkatun za su kasance koyaushe a gefen mai amfani, kuma neman sabbin hanyoyin magance ya kamata ya zama wani muhimmin sashi a gare su.

hanyoyi masu amfani

• Aiwatar da ma'aunin SNI da aka ɓoye a Firefox
• Ketare DPI Ketare

Ƙari a wajen labarinBa za a iya kammala gwajin Cloudflare akan hanyar sadarwar sadarwar Tele2 ba, kuma ingantaccen tsarin DPI yana toshe damar shiga wurin gwajin.
P.S. Ya zuwa yanzu wannan shine farkon mai badawa don toshe albarkatu daidai.

source: www.habr.com