Let's count the "Revizor" Agents

It is no secret that enforcement of blocking against the registry of prohibited information in Russia is monitored by the automated system "Revizor" (AS "Revizor"). How it works is described well in this Habr article; the picture is from the same place:

[Figure: diagram of the AS "Revizor" system, from the linked Habr article]

The "Agent Revizor" module is installed directly at the provider:

The "Agent Revizor" complex is a component of the automated system "Revizor" (AS "Revizor"). The system is designed to monitor compliance by telecom operators with the access-restriction requirements established by Articles 15.1-15.4 of Federal Law No. 149-FZ of July 27, 2006 "On Information, Information Technologies and Information Protection".

The main purpose of creating AS "Revizor" is to monitor telecom operators' compliance with the requirements established by Articles 15.1-15.4 of Federal Law No. 149-FZ of July 27, 2006 "On Information, Information Technologies and Information Protection", in terms of detecting the fact of access to prohibited information and obtaining supporting materials (data) on violations, in order to restrict access to prohibited information.

Given that most providers, if not all, have this device installed, the result should be a large network of probe beacons like RIPE Atlas, or even larger, but with closed access. However, a beacon is a beacon precisely because it sends signals in every direction; what if we catch them and look at what we caught, and how much?

Before counting, let's look at why this is possible at all.

A bit of theory

The Agents check the availability of a resource, including with HTTP(S) requests, roughly like this:

TCP, 14678  >  80, "[SYN] Seq=0"
TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TCP, 14678  >  80, "[ACK] Seq=1 Ack=1"

HTTP, "GET /somepage HTTP/1.1"
TCP, 80  >  14678, "[ACK] Seq=1 Ack=71"
HTTP, "HTTP/1.1 302 Found"

TCP, 14678  >  80, "[FIN, ACK] Seq=71 Ack=479"
TCP, 80  >  14678, "[FIN, ACK] Seq=479 Ack=72"
TCP, 14678  >  80, "[ACK] Seq=72 Ack=480"

Besides the payload, the request also contains the connection-establishment phase, the SYN and SYN-ACK exchange, and the connection-teardown phase: FIN-ACK.

The registry of prohibited information contains several blocking types. Obviously, if a resource is blocked by IP address or by domain name, we will not see any requests at all. These are the most destructive blocking types, since they make every resource on one IP address, or all information on a domain, unreachable. There is also blocking "by URL". In that case the filtering system has to parse the HTTP request header to determine what exactly to block. And before that, as seen above, there has to be a connection-establishment phase, which one can try to track, since the filter will most likely let it through.

To do this you need to pick a suitable free domain with blocking type "by URL" and plain HTTP (with TLS the filter could not see the path at all), to make the filtering system's job easier, preferably one abandoned long ago, so as to minimise traffic from anyone other than the Agents. This task turned out to be not difficult at all; there are quite a few free domains in the registry of prohibited information, for every taste. So the domain was bought, pointed at the IP addresses of a VPS running tcpdump, and the count began.

Auditing the "Revizors"

I expected to see periodic bursts of requests, which in my view would indicate a monitoring action. I can't say I didn't see that at all, but there was definitely no clear picture:

[Figure: graph of captured requests to the blocked URL over time]

Which is not surprising: even on a domain nobody needs and an IP that was never used, there will simply be a pile of unsolicited traffic; such is the modern Internet. But fortunately I only need requests to one specific URL, so all the scanners and password brute-forcers were quickly weeded out. It was also fairly easy to spot floods by the mass of identical requests. Next I counted the occurrences of each IP address and went through the whole top by hand, sifting out those that had slipped through the previous stages. I also cut out all sources that sent everything in a single packet; there were not many of them either. And here is what came out:

[Figure: graph of request sources after filtering out the noise]

A small lyrical digression. A little over a day later, my hoster sent a letter with carefully vague content: your sites contain a resource from the RKN prohibited list, so it has been blocked. At first I thought my account had been blocked; that turned out not to be the case. Then I thought they were just warning me about something I already knew. But it turned out the hoster had turned on its own filter in front of my domain, and as a result I came under double filtering: from the providers and from the hoster. The filter passed only the tails of requests, FIN-ACK and RST, cutting off all HTTP to the prohibited URL. As you can see from the graph above, after the first day I started getting less data, but I still got some, which was enough for the task of counting request sources.

Let's get to the point. In my view, two bursts per day are clearly visible: the first, smaller one after midnight Moscow time, the second closer to 6 a.m. with a tail until noon. The peaks do not occur at exactly the same time. At first I wanted to pick out the IP addresses that fall only within those windows, and within every one of them, on the assumption that the Agents' checks are periodic. But on closer inspection I found cases falling into other windows, at other frequencies, down to one request per hour. Then I thought about time zones and that maybe they were the reason; then I thought that the system as a whole simply cannot be synchronised globally. Besides, NAT probably plays a role too, and one Agent can make requests from different public IPs.

Since my original goal was not precise, I counted all the addresses I came across over a week and got 2791. The number of established TCP sessions from one address averages 4, with a median of 2. Top sessions per address: 464, 231, 149, 83, 77. The maximum over 95% of the sample is 8 sessions per address. The median is not very high; recall that the graph shows a pronounced daily periodicity, so one could expect something around 4 to 8 over 7 days. If we discard all sessions that occurred only once, we get a median of 5. But I could not discard them on any clear criterion. On the contrary, spot checks showed that they are related to requests for the prohibited resource.

Addresses are addresses, but on the Internet autonomous systems, ASes, are more meaningful; there turned out to be 1510 of them, on average 2 addresses per AS with a median of 1. Top addresses per AS: 288, 77, 66, 39, 27. The maximum over 95% of the sample is 4 addresses per AS. Here the median is as expected: one Agent per provider. The top is expected too; the big players are there. In a large network the Agents have to be in every region where the operator is present, and don't forget NAT. By country the maxima are: 1409 RU, 42 UA, 23 CZ, and 36 from other regions outside RIPE NCC. Requests from outside Russia draw attention. This can probably be explained by geolocation errors or registrar errors when filling in the data. Or by the fact that a Russian company does not have Russian roots, or has a foreign representative office because it is simpler, which is natural when dealing with a foreign organisation like RIPE NCC. Some part is certainly superfluous, but it is hard to separate reliably, since the resource is under blocking, from the second day under double blocking, and most sessions are only an exchange of service packets. Let's agree that this part is small.

These numbers can already be compared with the number of providers in Russia. According to RKN, there are 6387 licences for "Data transmission communication services, excluding voice", but that is a strong upper bound: not all of those licences belong to Internet providers specifically, the ones that need to install an Agent. In the RIPE NCC region there is about the same number of ASes registered in Russia, 6230, and not all of them are providers either. UserSide did a more precise count and got 3940 companies in 2017, and that too is an upper bound. In any case, the number of ASes that showed up is about two and a half times smaller. But it's worth understanding here that an AS is not the same as a provider. Some providers have no AS of their own; some have more than one. If we assume that everyone does have Agents after all, then someone filters harder than the rest, so that their requests are indistinguishable from garbage, if they reach me at all. But for a rough estimate it is quite tolerable, even if something was missed through my oversight.
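To make the per-address and per-AS bookkeeping above concrete, here is an added Python example; it is not code from the original article. It takes a constructed list of captured sessions, keeps only those that requested the blocked path (which is how scanners and brute-forcers drop out), and computes the figures the article reports: mean, median, 95th percentile, the top list, and the median with single-occurrence sources removed. The IPs, paths and the IP-to-AS map are made up; in a real run the AS numbers would come from a whois/RIR lookup on each address.

```python
from collections import Counter, defaultdict
from statistics import mean, median

# Constructed sample of captured HTTP sessions as (source IP, requested path).
# In a real run these would be extracted from the tcpdump capture; the IPs,
# paths and AS numbers below are made up for the example.
SESSIONS = [
    ("198.51.100.10", "/somepage"), ("198.51.100.10", "/somepage"),
    ("198.51.100.10", "/somepage"), ("198.51.100.10", "/somepage"),
    ("198.51.100.11", "/somepage"),
    ("203.0.113.5", "/somepage"), ("203.0.113.5", "/somepage"),
    ("203.0.113.9", "/somepage"),
    ("192.0.2.77", "/somepage"), ("192.0.2.77", "/somepage"),
    ("192.0.2.77", "/somepage"),
    ("192.0.2.200", "/wp-login.php"),   # password brute-forcer, not the blocked URL
    ("192.0.2.201", "/.env"),           # vulnerability scanner noise
    ("192.0.2.201", "/phpmyadmin/"),
]

# Constructed IP -> AS number map; in practice this comes from a whois/RIR lookup.
ASN = {
    "198.51.100.10": 64500, "198.51.100.11": 64500,
    "203.0.113.5": 64501, "203.0.113.9": 64502,
    "192.0.2.77": 64503, "192.0.2.200": 64504, "192.0.2.201": 64505,
}

TARGET = "/somepage"   # the path listed in the registry with blocking type "by URL"


def agent_sessions(sessions, target=TARGET):
    """Keep only sessions that asked for the blocked path; scanners and
    brute-forcers hit other paths and drop out here."""
    return [(ip, path) for ip, path in sessions if path == target]


def per_source(sessions):
    """Number of sessions seen from each source address."""
    return Counter(ip for ip, _ in sessions)


def per_as(counts, asn_map):
    """Number of distinct source addresses per autonomous system."""
    addrs = defaultdict(set)
    for ip in counts:
        addrs[asn_map.get(ip, "unknown")].add(ip)
    return {asn: len(ips) for asn, ips in addrs.items()}


def percentile(values, p):
    """Nearest-rank percentile of the values (enough for a coarse summary)."""
    vals = sorted(values)
    return vals[min(len(vals) - 1, round(p * (len(vals) - 1)))]


def summary(counts, top_n=5):
    """The figures reported above: mean, median, 95th percentile, the top list,
    and the median once sources seen only once are dropped."""
    vals = list(counts.values())
    repeated = [v for v in vals if v > 1]
    return {
        "sources": len(vals),
        "mean": round(mean(vals), 2),
        "median": median(vals),
        "p95": percentile(vals, 0.95),
        "top": [n for _, n in counts.most_common(top_n)],
        "median_without_singletons": median(repeated) if repeated else None,
    }


if __name__ == "__main__":
    counts = per_source(agent_sessions(SESSIONS))
    print("per address:", summary(counts))
    print("per AS:", summary(Counter(per_as(counts, ASN))))
```

The same `summary` works on the per-AS counts, which is how the "addresses per AS" figures in the text are produced from the per-address ones. The path filter is deliberately strict (exact match); a filter that also accepted sessions cut by an RST before any GET arrived would need the TTL-based classification described in the DPI section.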

About DPI

Even though my hoster enabled its filter from the second day, from the first day's data we can conclude that the blocking works successfully. Only 4 sources got through and fully completed the HTTP and TCP sessions (as in the example above). Another 460 managed to send a GET, but the session was immediately terminated by an RST. Note the TTL:

TTL 50, TCP, 14678  >  80, "[SYN] Seq=0"
TTL 64, TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TTL 50, TCP, 14678  >  80, "[ACK] Seq=1 Ack=1"

HTTP, "GET /filteredpage HTTP/1.1"
TTL 64, TCP, 80  >  14678, "[ACK] Seq=1 Ack=294"

# This is what the filter sent
TTL 53, TCP, 14678  >  80, "[RST] Seq=3458729893"
TTL 53, TCP, 14678  >  80, "[RST] Seq=3458729893"

HTTP, "HTTP/1.1 302 Found"

# And this is the source node trying to recover the lost segment
TTL 50, TCP ACKed unseen segment, 14678 > 80, "[ACK] Seq=294 Ack=145"

TTL 50, TCP, 14678  >  80, "[FIN, ACK] Seq=294 Ack=145"
TTL 64, TCP, 80  >  14678, "[FIN, ACK] Seq=171 Ack=295"

TTL 50, TCP Dup ACK 14678 > 80 "[ACK] Seq=295 Ack=145"

# The source node realises the session is broken
TTL 50, TCP, 14678  >  80, "[RST] Seq=294"
TTL 50, TCP, 14678  >  80, "[RST] Seq=295"

Variations of this can differ: fewer RSTs or more retransmissions; it also depends on what the filter sends to the source node. In any case this is the most reliable pattern, from which it is clear that it was precisely the prohibited resource that was requested. Plus there is always a response appearing in the session with a TTL higher than that of the preceding and following packets, because the filter sits fewer hops away from us than the real client does.

You may not even see a GET from the rest:

TTL 50, TCP, 14678  >  80, "[SYN] Seq=0"
TTL 64, TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"

# This is what the filter sent
TTL 53, TCP, 14678  >  80, "[RST] Seq=1"

Or like this:

TTL 50, TCP, 14678  >  80, "[SYN] Seq=0"
TTL 64, TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TTL 50, TCP, 14678  >  80, "[ACK] Seq=1 Ack=1"

# This is what the filter sent
TTL 53, TCP, 14678  >  80, "[RST, PSH] Seq=1"

TTL 50, TCP ACKed unseen segment, 14678 > 80, "[FIN, ACK] Seq=89 Ack=172"
TTL 50, TCP ACKed unseen segment, 14678 > 80, "[FIN, ACK] Seq=89 Ack=172"

# The filter again, many times
TTL 53, TCP, 14678  >  80, "[RST, PSH] Seq=1"
...

The difference is visible by TTL, if anything came from the filter at all. But often nothing may arrive at all:

TCP, 14678  >  80, "[SYN] Seq=0"
TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TCP Retransmission, 80 > 14678, "[SYN, ACK] Seq=0 Ack=1"
...

Or like this:

TCP, 14678  >  80, "[SYN] Seq=0"
TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TCP, 14678  >  80, "[ACK] Seq=1 Ack=1"

# A few seconds passed without any traffic

TCP, 80  >  14678, "[FIN, ACK] Seq=1 Ack=1"
TCP Retransmission, 80 > 14678, "[FIN, ACK] Seq=1 Ack=1"
...

And all of this repeats and repeats, as seen on the graph, more than once, every day.
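The TTL-based distinction above can be automated. The following Python is an added example, not part of the original article: it encodes the session shapes shown in the traces as constructed packet lists (TTLs as in the capture: client 50, server 64, filter 53; the HTTP payloads are made up), flags client-direction segments whose TTL differs from the client's own SYN as injected by a middlebox, and sorts each session into one of the observed patterns.

```python
from collections import Counter
from dataclasses import dataclass

C2S, S2C = "c2s", "s2c"   # packet direction: client->server, server->client


@dataclass(frozen=True)
class Pkt:
    direction: str
    ttl: int
    flags: frozenset      # TCP flags, e.g. {"SYN", "ACK"}
    payload: str = ""     # start of the TCP payload, "" for a bare segment


def P(direction, ttl, *flags, payload=""):
    return Pkt(direction, ttl, frozenset(flags), payload)


# Constructed sessions reproducing the patterns in the traces above. TTLs follow
# the capture (client 50, server 64, filter 53); the HTTP payloads are made up.
SESSIONS = {
    "complete": [
        P(C2S, 50, "SYN"), P(S2C, 64, "SYN", "ACK"), P(C2S, 50, "ACK"),
        P(C2S, 50, "ACK", payload="GET /somepage HTTP/1.1"),
        P(S2C, 64, "ACK"), P(S2C, 64, "ACK", payload="HTTP/1.1 302 Found"),
        P(C2S, 50, "FIN", "ACK"), P(S2C, 64, "FIN", "ACK"), P(C2S, 50, "ACK"),
    ],
    "rst_after_get": [
        P(C2S, 50, "SYN"), P(S2C, 64, "SYN", "ACK"), P(C2S, 50, "ACK"),
        P(C2S, 50, "ACK", payload="GET /filteredpage HTTP/1.1"),
        P(S2C, 64, "ACK"),
        P(C2S, 53, "RST"), P(C2S, 53, "RST"),           # injected by the filter
        P(S2C, 64, "ACK", payload="HTTP/1.1 302 Found"),
        P(C2S, 50, "FIN", "ACK"), P(S2C, 64, "FIN", "ACK"),
        P(C2S, 50, "RST"), P(C2S, 50, "RST"),           # the real client gives up
    ],
    "rst_no_get": [
        P(C2S, 50, "SYN"), P(S2C, 64, "SYN", "ACK"),
        P(C2S, 53, "RST"),                              # injected by the filter
    ],
    "rst_psh_no_get": [
        P(C2S, 50, "SYN"), P(S2C, 64, "SYN", "ACK"), P(C2S, 50, "ACK"),
        P(C2S, 53, "RST", "PSH"),                       # injected by the filter
        P(C2S, 50, "FIN", "ACK"), P(C2S, 50, "FIN", "ACK"),
        P(C2S, 53, "RST", "PSH"), P(C2S, 53, "RST", "PSH"),
    ],
    "syn_ack_unanswered": [
        P(C2S, 50, "SYN"), P(S2C, 64, "SYN", "ACK"), P(S2C, 64, "SYN", "ACK"),
    ],
    "idle_then_closed": [
        P(C2S, 50, "SYN"), P(S2C, 64, "SYN", "ACK"), P(C2S, 50, "ACK"),
        P(S2C, 64, "FIN", "ACK"), P(S2C, 64, "FIN", "ACK"),
    ],
}


def client_ttl(pkts):
    """Baseline TTL of the real client: the TTL its SYN arrived with."""
    return next((p.ttl for p in pkts if p.direction == C2S and "SYN" in p.flags), None)


def injected_packets(pkts):
    """Client-direction segments whose TTL differs from the SYN's TTL.

    A middlebox spoofing the client's address sits a different number of hops
    away, so its segments arrive with a TTL the real client never produces.
    """
    base = client_ttl(pkts)
    return [p for p in pkts if p.direction == C2S and p.ttl != base]


def classify(pkts):
    """Map one session onto one of the patterns seen in the capture."""
    got_get = any(p.direction == C2S and p.payload.startswith("GET ") for p in pkts)
    foreign_rst = [p for p in injected_packets(pkts) if "RST" in p.flags]
    handshake_done = any(p.direction == C2S and p.flags == {"ACK"} and not p.payload
                         for p in pkts)
    sent_302 = any(p.direction == S2C and p.payload.startswith("HTTP/1.1 302")
                   for p in pkts)
    if foreign_rst:
        return "filtered_rst_after_get" if got_get else "filtered_rst_no_get"
    if got_get and sent_302:
        return "complete"
    if not handshake_done:
        return "syn_ack_unanswered"   # our SYN-ACK or the client's ACK never arrived
    return "idle_then_closed"         # handshake only, then our own timeout FIN


def summarize(sessions):
    """Count sessions per pattern across a capture."""
    return Counter(classify(pkts) for pkts in sessions.values())


if __name__ == "__main__":
    for name, pkts in SESSIONS.items():
        print(f"{name:20s} -> {classify(pkts)}  injected TTLs: "
              f"{[p.ttl for p in injected_packets(pkts)]}")
```

A caveat for real captures: a client's TTL can legitimately change mid-session (multipath routing, a NAT failover), so a lone TTL mismatch is a signal to confirm against the other features of the pattern (an RST right after the GET, the RST arriving twice, the client then ACKing segments it never saw) rather than proof on its own. The two "no filter traffic at all" shapes carry no TTL evidence; they can only be attributed to blocking by their repetition and timing.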

About IPv6

The good news is that it exists. I can say reliably that periodic requests to the prohibited resource come from 5 different IPv6 addresses, which is exactly the Agent behaviour I expected. Moreover, one of those IPv6 addresses is not filtered at all and I see the full session. From two more I saw only a single unfinished session each; one was cut off by an RST from the filter, the second one too. 7 in total.

Since there are so few addresses, I studied them all in detail, and it turned out there are only 3 providers there; they deserve a standing ovation! One more address is a cloud hosting in Russia (not filtered), another is a research centre in Germany (there is filtering; where?). But why they check for the presence of prohibited resources on a schedule is a good question. The remaining two made one request each and are outside Russia, and one of them is filtered (in transit, after all?).

The Agents being switched off for IPv6 is a big obstacle for IPv6, whose rollout is not moving fast as it is. A pity. Those who have solved this problem can be proud of themselves.

In conclusion

I did not aim for 100% accuracy; please forgive me for that, and I hope someone will want to repeat this work with greater precision. What mattered to me was to understand whether this approach would work in principle. The answer is yes. As a first estimate, the figures obtained are, I think, quite reliable.

What else could have been done, and what I was too lazy to do, is to count DNS requests. They are not filtered, but they don't give much precision either, since they work only at the domain level and not on the whole URL. The periodicity should be visible there. Combined with what is directly visible in the requests, this would allow separating out the superfluous and getting more information. It would also be possible to determine the DNS resolvers used by providers, and much more.

I did not expect the hoster to enable its own filter for my VPS. Perhaps this is common practice. After all, RKN sends removal demands to the hoster too. But this did not surprise me, and in some ways it even helped. The filter worked quite effectively, cutting off all correct HTTP requests to the prohibited URL, but the incorrect ones that had already passed through the providers' filters reached me, though only as tails: FIN-ACK and RST; a minus times a minus almost made a plus. By the way, IPv6 was not filtered by the hoster. Of course this affected the quality of the collected material, but it still let me see the frequency. It turned out to be an important point when choosing a site to host resources: don't forget to ask how they handle the prohibited-resource list and requests from RKN.

At the beginning I compared AS "Revizor" with RIPE Atlas. This comparison is quite justified, and a large network of Agents could be useful. For example, for determining the quality of resource availability from different providers in different parts of the country. You can measure latencies, build graphs, analyse it all and see the changes happening both locally and globally. This is not the most direct path, but astronomers use "standard candles", so why not use the Agents? Knowing (having found out) their standard behaviour, you can determine the changes happening around them and how that affects the quality of the services provided. And at the same time you don't need to place probes across the network yourself; Roskomnadzor has already installed them.

Another point I want to touch on is that any tool can be a weapon. AS "Revizor" is a closed network, but the Agents give everyone away by sending requests to every resource on the prohibited list. Obtaining such a resource presents no problem at all. In sum, providers, through the Agents and without meaning to, reveal much more about their network than they probably should: DPI and DNS types, the Agent's location (central node and service network?), network latency and loss metrics, and that is only the most obvious part. Just as someone can track the Agents' activity to improve the availability of their own resources, someone can do it for other purposes, and nothing stands in the way. The result is a double-edged and very multifaceted tool, as anyone can see for themselves.

source: www.habr.com
