Maris 13 zuwa ga RIPE anti-buse kungiyar aiki yi la'akari da yin garkuwa da BGP (hjjack) a matsayin cin zarafin manufofin RIPE. Idan an yarda da shawarar, mai ba da Intanet da aka kai hari ta hanyar shiga tsakani zai sami damar aika buƙatu ta musamman don fallasa maharin. Idan ƙungiyar bita ta tattara isassun shaidun goyan baya, LIR wanda shine tushen saƙon BGP za a ɗauka a matsayin mai kutse kuma ana iya cire shi daga matsayin LIR. Akwai kuma wasu muhawara canje-canje.
A cikin wannan ɗaba'ar muna so mu nuna misalin harin inda ba kawai maharin na ainihi ke cikin tambaya ba, har ma da dukkan jerin abubuwan da aka shafa. Bugu da ƙari, irin wannan harin yana sake haifar da tambayoyi game da dalilan da za a shiga tsakani na wannan nau'in zirga-zirga a nan gaba.
A cikin shekaru biyun da suka gabata, rikice-rikice kamar MOAS (Tsarin Mahimmancin Asali da yawa) ne kawai aka rufe su a cikin manema labarai azaman tsangwama na BGP. MOAS lamari ne na musamman inda tsarin biyu daban-daban masu cin gashin kansu ke tallata prefixes masu cin karo da juna tare da daidaitattun ASNs a cikin AS_PATH (ASN na farko a cikin AS_PATH, daga baya ana kiransa ASN asali). Koyaya, zamu iya suna aƙalla hana zirga-zirga, ba da damar maharin yin amfani da sifa ta AS_PATH don dalilai daban-daban, gami da ketare hanyoyin zamani don tacewa da saka idanu. Nau'in harin da aka sani - nau'i na ƙarshe na irin wannan tsangwama, amma ba a kowane mahimmanci ba. Mai yiyuwa ne irin wannan harin da muka gani a makonnin da suka gabata. Irin wannan taron yana da yanayi mai iya fahimta da sakamako mai tsanani.
Wadanda ke neman sigar TL;DR na iya gungurawa zuwa taken "Cikakken Attack".
Bayanan hanyar sadarwa
(don taimaka muku fahimtar hanyoyin da ke cikin wannan lamarin)
Idan kuna son aika fakiti kuma kuna da prefixes da yawa a cikin tebur mai tuƙi mai ɗauke da adireshin IP ɗin da ake nufi, to zaku yi amfani da hanyar don prefix tare da tsayi mafi tsayi. Idan akwai hanyoyi daban-daban don prefix iri ɗaya a cikin tebur mai tuƙi, zaku zaɓi mafi kyau (bisa ga mafi kyawun tsarin zaɓin hanya).
Hanyoyin tacewa da saka idanu suna ƙoƙarin nazarin hanyoyi da yanke shawara ta hanyar nazarin sifa ta AS_PATH. Mai ba da hanya tsakanin hanyoyin sadarwa na iya canza wannan sifa zuwa kowace ƙima yayin talla. Kawai ƙara ASN na mai shi a farkon AS_PATH (a matsayin tushen ASN) na iya isa ya ketare hanyoyin duba asalin yanzu. Haka kuma, idan akwai wata hanya daga ASN ɗin da aka kai muku hari, za ku iya cirewa da amfani da AS_PATH na wannan hanyar a cikin sauran tallan ku. Duk wani tabbaci na AS_PATH-kawai don sanarwar da aka kirkira zai wuce.
Har yanzu akwai ƴan iyakoki da ya kamata a ambata. Da fari dai, idan akwai tace prefix ta mai samar da sama, ana iya tace hanyar ku (ko da madaidaicin AS_PATH) idan prefix ɗin baya cikin mazugi na abokin ciniki wanda aka saita a sama. Na biyu, ingantacciyar AS_PATH na iya zama mara inganci idan an tallata hanyar da aka ƙirƙira ta hanyar da ba daidai ba kuma, don haka, ta saba wa manufar tuƙi. A ƙarshe, duk wata hanya tare da prefix wanda ya keta tsayin ROA ana iya ɗaukarsa mara inganci.
Abin da ya faru
Makonni kadan da suka gabata mun sami korafi daga daya daga cikin masu amfani da mu. Mun ga hanyoyi tare da asalin sa ASN da /25 prefixes, yayin da mai amfani ya yi iƙirarin cewa bai tallata su ba.
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.7.0/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.7.128/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.18.0/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.18.128/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.226.0/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.226.128/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.164.7.0/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.164.7.128/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||
Misalai na sanarwar farkon Afrilu 2019
NTT a cikin hanyar don prefix / 25 yana sa ya zama abin tuhuma. LG NTT bai san wannan hanyar ba a lokacin da lamarin ya faru. Don haka a, wasu ma'aikata sun ƙirƙiri gabaɗayan AS_PATH don waɗannan prefixes! Duba kan sauran hanyoyin sadarwa yana bayyana ASN guda ɗaya: AS263444. Bayan duba sauran hanyoyin da wannan tsarin mai cin gashin kansa, mun ci karo da yanayi kamar haka:
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.36.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.38.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.23.143.0/25|265466 262761 263444 22356 6762 9498 9730 45528|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.23.143.128/25|265466 262761 263444 22356 6762 9498 9730 45528|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.24.0.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.24.128.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.26.0.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.26.128.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.64.96.0/20|265466 262761 263444 6762 3491 4760|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.64.112.0/20|265466 262761 263444 6762 3491 4760|IGP|xxx|0|0||NAG||
Gwada tunanin me ke faruwa a nan
Ya bayyana cewa wani ya ɗauki prefix daga hanyar, ya raba shi kashi biyu, kuma ya tallata hanyar da AS_PATH iri ɗaya don waɗannan prefixes guda biyu.
TABLE_DUMP2|1554076800|B|xxx|263444|1.6.36.0/23|263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|263444|1.6.38.0/23|263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|61775|1.6.36.0/23|61775 262761 263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|61775|1.6.38.0/23|61775 262761 263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.36.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.38.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|28172|1.6.36.0/23|28172 52531 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|28172|1.6.38.0/23|28172 52531 263444 52320 9583|IGP|xxx|0|0||NAG||
Misalin hanyoyi na ɗaya daga cikin rarrabuwar kayyakin gabaɗaya
Tambayoyi da yawa suna tasowa lokaci guda. Shin akwai wanda ya gwada irin wannan tsangwama a aikace? Shin akwai wanda ya ɗauki waɗannan hanyoyin? Wadanne ma'auni ne aka shafa?
A nan ne zaren gazawar mu ya fara kuma wani zagaye na takaici game da yanayin lafiyar Intanet a halin yanzu.
Hanyar gazawa
Abu na farko da farko. Ta yaya za mu iya tantance waɗanne hanyoyin sadarwa ne suka karɓi irin waɗannan hanyoyin da aka katse kuma waɗanda za a iya karkatar da zirga-zirga a yau? Mun yi tunanin za mu fara da /25 prefixes saboda "kawai ba za su iya samun rarrabawar duniya ba." Kamar yadda kuke tsammani, mun yi kuskure sosai. Wannan ma'auni ya juya ya zama hayaniya kuma hanyoyi masu irin wannan prefixes na iya bayyana ko da daga masu aiki na Tier-1. Misali, NTT tana da irin wadannan prefixes kusan 50, wadanda take rabawa ga abokan cinikinta. A gefe guda, wannan ma'aunin ba shi da kyau saboda ana iya tace irin waɗannan prefixes idan mai aiki ya yi amfani da shi , a kowane bangare. Don haka, wannan hanyar ba ta dace da nemo duk ma'aikatan da aka karkatar da zirga-zirgar su ba sakamakon irin wannan lamari.
Wani kyakkyawan ra'ayi da muka yi tunani shine mu duba . Musamman don hanyoyin da suka keta dokar maxLength na ROA mai dacewa. Ta wannan hanyar za mu iya nemo adadin asalin ASN daban-daban tare da matsayi mara inganci waɗanda aka ganuwa ga AS da aka bayar. Duk da haka, akwai "karamin" matsala. Matsakaicin (matsakaici da yanayin) na wannan lamba (yawan asalin ASNs daban-daban) kusan 150 ne kuma, ko da mun tace ƙananan prefixes, ya kasance sama da 70. Wannan yanayin yana da bayani mai sauƙi: akwai kawai ƴan ma'aikatan da suka riga sun yi amfani da matatun ROA tare da manufar “sake saitin hanyoyin da ba daidai ba” a wuraren shiga, ta yadda duk inda wata hanya da take da ROA ta bayyana a duniyar gaske, za ta iya yaduwa ta kowane bangare.
Hanyoyi biyu na ƙarshe sun ba mu damar nemo masu aiki waɗanda suka ga lamarinmu (tun da ya yi girma sosai), amma gabaɗaya ba su da amfani. To, amma za mu iya nemo mai kutsen? Menene babban fasali na wannan magudin AS_PATH? Akwai 'yan zato na asali:
- Ba a taɓa ganin prefix ko'ina a baya ba;
- Asalin ASN (tunawa: ASN na farko a cikin AS_PATH) yana aiki;
- ASN na ƙarshe a cikin AS_PATH shine ASN na maharin (idan maƙwabcinsa ya bincika ASN na maƙwabcin akan duk hanyoyin da ke shigowa);
- Harin ya samo asali ne daga mai bayarwa guda ɗaya.
Idan duk zato sun yi daidai, to duk hanyoyin da ba daidai ba za su gabatar da ASN na maharin (sai dai asalin ASN) kuma, don haka, wannan “mahimmanci” batu ne. Daga cikin maharan na gaskiya akwai AS263444, kodayake akwai wasu. Ko da lokacin da muka watsar da hanyoyin da suka faru daga la'akari. Me yasa? Batu mai mahimmanci na iya kasancewa mai mahimmanci har ma don ingantattun hanyoyi. Yana iya zama ko dai sakamakon rashin haɗin kai a cikin yanki ko iyakancewa a ganuwanmu.
A sakamakon haka, akwai hanyar gano maharin, amma idan duk abubuwan da ke sama sun cika kuma kawai lokacin da tsangwama ya isa ya wuce matakan sa ido. Idan wasu daga cikin waɗannan abubuwan ba a cika su ba, to shin za mu iya gano prefixes ɗin da suka sha wahala daga irin wannan kutse? Ga wasu masu aiki - e.
Lokacin da maharin ya ƙirƙiri takamaiman hanya, irin wannan prefix ɗin ba ya tallata shi daga mai gaskiya. Idan kuna da jerin sauye-sauye na duk prefixes daga gare ta, to, yana yiwuwa a yi kwatancen kuma ku sami ƙarin ƙayyadaddun hanyoyi. Muna tattara wannan jeri na prefixes ta amfani da zaman BGP ɗinmu, saboda ba kawai ana ba mu cikakken jerin hanyoyin da ake iya gani ga mai aiki a yanzu ba, har ma da jerin duk prefixes waɗanda yake son tallata wa duniya. Abin takaici, yanzu akwai masu amfani da Radar dozin da yawa waɗanda ba su kammala ɓangaren ƙarshe daidai ba. Za mu sanar da su nan ba da jimawa ba kuma mu yi ƙoƙarin warware wannan batu. Kowa zai iya shiga tsarin sa ido a yanzu.
Idan muka koma ga abin da ya faru na asali, duka maharin da yankin rarraba mu mun gano su ta hanyar neman mahimman bayanai. Abin mamaki, AS263444 ba ta aika hanyoyin da aka ƙirƙira ga duk abokan cinikinta ba. Ko da yake akwai baƙon lokacin.
BGP4MP|1554905421|A|xxx|263444|178.248.236.0/24|263444 6762 197068|IGP|xxx|0|0|13106:12832 22356:6453 65444:20000|NAG||
BGP4MP|1554905421|A|xxx|263444|178.248.237.0/24|263444 6762 197068|IGP|xxx|0|0|13106:12832 22356:6453 65444:20000|NAG||
Misali na baya-bayan nan na yunƙurin kutse sararin adireshin mu
Lokacin da aka ƙirƙiri ƙarin takamaiman don ƙayyadaddun bayanan mu, an yi amfani da AS_PATH musamman da aka ƙirƙira. Koyaya, wannan AS_PATH ba za a iya ɗaukar shi daga kowace hanyarmu ta baya ba. Ba ma samun sadarwa tare da AS6762. Duba da sauran hanyoyin da lamarin ya faru, wasun su na da AS_PATH na haqiqa da a da ake amfani da su, wasu kuma ba su yi ba, ko da kuwa kamar na gaske ne. Canza AS_PATH baya da ma'ana a zahiri, tunda za'a karkatar da zirga-zirgar zuwa maharin ko ta yaya, amma hanyoyin da AS_PATH "mara kyau" za a iya tace su ta hanyar ASPA ko duk wata hanyar dubawa. Anan muna tunanin dalilin da ya sa mai garkuwar ya yi. A halin yanzu ba mu da isassun bayanai da za su tabbatar da cewa wannan lamari na shirin kai hari ne. Duk da haka, yana yiwuwa. Bari mu yi ƙoƙari mu yi tunanin, ko da yake har yanzu hasashe ne, amma mai yuwuwar gaske, halin da ake ciki.
Cikakken Harin
Me muke da shi? Bari mu ce ku mai ba da jigilar kayayyaki ne masu watsa hanyoyin watsa labarai don abokan cinikin ku. Idan abokan cinikin ku suna da kasancewarsu da yawa (multihome), to za ku karɓi wani yanki na zirga-zirgar su kawai. Amma yawan zirga-zirga, yawan kuɗin shiga ku. Don haka idan kun fara tallata prefixes na subnet na waɗannan hanyoyin guda ɗaya tare da AS_PATH iri ɗaya, zaku karɓi ragowar zirga-zirgar su. Sakamakon haka, sauran kuɗin.
Shin ROA za ta taimaka a nan? Wataƙila eh, idan kun yanke shawarar daina amfani da shi gaba ɗaya . Bugu da ƙari, ba a so a sami bayanan ROA tare da prefixes masu tsaka-tsaki. Ga wasu ma'aikata, irin waɗannan ƙuntatawa ba su da karbuwa.
Idan aka yi la'akari da wasu hanyoyin tsaro na zirga-zirga, ASPA ba za ta taimaka ba a wannan yanayin ko dai (saboda tana amfani da AS_PATH daga ingantacciyar hanya). BGPSec har yanzu ba shine mafi kyawun zaɓi ba saboda ƙarancin ƙima da sauran yuwuwar rage girman hare-hare.
Don haka muna da fa'ida a fili ga maharin da rashin tsaro. Babban mix!
Me ya kamata mu yi?
A bayyane kuma mafi tsauri mataki shine duba manufofin ku na yanzu. Rarraba sararin adireshin ku zuwa mafi ƙanƙanta (babu masu zobe) waɗanda kuke son tallata. Sanya hannu ROA a gare su kawai, ba tare da amfani da madaidaicin maxLength ba. A wannan yanayin, POV ɗin ku na yanzu zai iya ceton ku daga irin wannan harin. Koyaya, kuma, ga wasu ma'aikata wannan hanyar ba ta dace ba saboda keɓantaccen amfani da takamaiman hanyoyin. Duk matsalolin da halin yanzu na ROA da abubuwan hanya za a bayyana su a cikin ɗayan kayanmu na gaba.
Bugu da ƙari, kuna iya ƙoƙarin saka idanu irin wannan tsangwama. Don yin wannan, muna buƙatar ingantaccen bayani game da prefixes ɗinku. Don haka, idan kun kafa zaman BGP tare da mai karɓar mu kuma ku ba mu bayani game da ganin Intanet ɗin ku, za mu iya samun iyakar sauran abubuwan da suka faru. Ga waɗanda har yanzu ba su da alaƙa da tsarin sa ido namu, don farawa, jerin hanyoyin kawai tare da prefixes ɗinku zai isa. Idan kuna da zama tare da mu, da fatan za a duba cewa an aika duk hanyoyin ku. Abin takaici, wannan ya cancanci tunawa saboda wasu masu aiki sun manta da prefix ko biyu don haka suna tsoma baki tare da hanyoyin binciken mu. Idan aka yi daidai, za mu sami tabbataccen bayanai game da prefixes ɗinku, wanda a nan gaba zai taimaka mana ganowa da gano wannan (da sauran) nau'ikan tsangwama ta hanyar shiga adireshin adireshinku ta atomatik.
Idan kun san irin wannan kutse na zirga-zirgar zirga-zirgar ku a ainihin lokacin, zaku iya ƙoƙarin hana shi da kanku. Hanya ta farko ita ce tallata hanyoyi tare da waɗannan ƙarin ƙayyadaddun prefixes da kanka. Idan aka sami sabon hari akan waɗannan prefixes, maimaita.
Hanya ta biyu ita ce azabtar da maharin da wadanda ya kasance mahimmin batu (don kyawawan hanyoyi) ta hanyar yanke hanyoyin da kuke bi zuwa ga maharin. Ana iya yin haka ta ƙara ASN na maharin zuwa AS_PATH na tsoffin hanyoyinku don haka tilasta su su guji wannan AS ta amfani da injin gano madauki a cikin BGP. .
source: www.habr.com