Let's count the "Revizor" agents

It is no secret that enforcement of the blocking of the registry of prohibited information in Russia is monitored by the automated system "Revizor" ("Inspector"). How it works is described well in this Habr article; here is a picture from the same source:

[image from the Habr article]

Straight from the documentation for the "Agent Revizor" module:

The "Agent Revizor" module is part of the automated system "Revizor" (AS "Revizor"). The system is intended to monitor telecom operators' compliance with the access restrictions set out in the requirements of Articles 15.1-15.4 of Federal Law No. 149-FZ of July 27, 2006 "On Information, Information Technologies and Information Protection".

The main purpose of creating AS "Revizor" is to monitor telecom operators' compliance with the requirements established by Articles 15.1-15.4 of Federal Law No. 149-FZ of July 27, 2006 "On Information, Information Technologies and Information Protection", by identifying instances of access to prohibited information and obtaining supporting materials (data) about violations, in order to restrict access to prohibited information.

Given that most, if not all, providers have installed this device, there must be a large network of beacon-like probes, something like RIPE Atlas and its kin, only closed. But a beacon is a beacon precisely because it shines in every direction; what if we catch its signals and see what, and how much, we caught?

Before counting, let's see why this is possible at all.

A bit of theory

The Agents check the availability of a resource, among other ways via HTTP(S) requests, roughly like this:

TCP, 14678  >  80, "[SYN] Seq=0"
TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TCP, 14678  >  80, "[ACK] Seq=1 Ack=1"

HTTP, "GET /somepage HTTP/1.1"
TCP, 80  >  14678, "[ACK] Seq=1 Ack=71"
HTTP, "HTTP/1.1 302 Found"

TCP, 14678  >  80, "[FIN, ACK] Seq=71 Ack=479"
TCP, 80  >  14678, "[FIN, ACK] Seq=479 Ack=72"
TCP, 14678  >  80, "[ACK] Seq=72 Ack=480"

Besides the payload, the request also has a connection-establishment phase, the SYN and SYN-ACK exchange, and a connection-teardown phase: FIN-ACK.

The registry of prohibited information contains several types of blocking. Obviously, if a resource is blocked by IP address or by domain name, we will not see any requests at all. These are the most destructive types of blocking, since they make every resource on a single IP address, or all information on a domain, unavailable. There is also a "by URL" blocking type. In that case the filtering system has to parse the HTTP request header to find out what exactly to block. And before that, as shown above, there must be a connection-establishment phase, which one can try to track, because the filter will most likely let it through.

To do this you need to choose a suitable free domain with blocking type "URL" and protocol HTTP, so as to attract the filtering system's attention, preferably one abandoned long ago, to reduce the amount of foreign traffic other than that from the Agents. The task turned out not to be hard at all: there are plenty of free domains in the registry of prohibited information, to every taste. So a domain was bought and pointed at IP addresses on a VPS running tcpdump, and the counting began.

Counting the "Revizors"

I expected to see periodic requests, which in my mind would indicate scheduled activity. It cannot be said that I did not see them at all, but there was no clear picture:

[graph]

Which is not surprising: even on a domain nobody needs and on an unused IP there will be tons of unsolicited traffic, such is the modern internet. Luckily I only needed requests for one specific URL, so all the scanners and password brute-forcers were weeded out right away. It was also easy to tell where a flood came from by the mass of similar requests. Then I counted the frequency of IP addresses and went through the top of the list by hand, separating out what the previous stages had missed. In addition, I cut out every source that sent only a single packet; there were not many of those left. And this is what came out:

[graph]

A small lyrical digression. After about a day, my hoster sent a letter with slightly edited boilerplate saying that your site contains resources from the RKN blacklist and has therefore been blocked. At first I thought my account had been blocked; it had not. Then I thought they were merely warning me about what I already knew. But it turned out the hoster had switched on its own filter in front of my domain, and as a result I ended up under double filtering: the providers' and the hoster's. The filter let through only the tails of the requests, FIN-ACK and RST, cutting off all HTTP to the prohibited URL. As you can see on the graph above, after the first day I started receiving noticeably less, but I was still receiving, which was enough for the task of counting requests.

To the point. In my view, two bursts are clearly visible every day: the first, a small one, after midnight Moscow time, the second closer to 6 am with a tail until 12 o'clock. The peak does not occur at exactly the same moment. At first I wanted to select only the IP addresses that fall into these intervals, and each into every interval, on the assumption that the Agents' checks run on a schedule. But on closer inspection I quickly noticed intervals falling into other periods, with other frequencies, down to one request per hour. Then I thought about time zones and that it might have something to do with them; then I decided that the system is probably just not synchronized across the whole country. On top of that, NAT probably plays a part, and the same Agent can make requests from different public IPs.

Since exactness was not my original goal, I counted all the addresses I found over one week and got 2791. The number of established TCP sessions from one address is about 4 on average, with a median of 2. Top sessions per address: 464, 231, 149, 83, 77. The maximum within 95% of the sample is 8 sessions per address. The median is not very high; let me remind you that the graph shows a clear daily periodicity, so one would expect something around 4 to 8 over 7 days. If we discard all sessions that occur only once, we get a median of 5. But I could not exclude them on the basis of any clear criterion. On the contrary, spot checks showed that they were related to requests for the prohibited resource.

Addresses are addresses, but on the internet it is autonomous systems (AS) that matter more, and there turned out to be 1510 of them, about 2 addresses per AS on average with a median of 1. Top addresses per AS: 288, 77, 66, 39, 27. The maximum within 95% of the sample is 4 addresses per AS. Here the median is as expected: one Agent per provider. The top is also expected: there are big players there. In a large network, Agents should sit in every region where the operator is present, and do not forget about NAT. If we split by country, the maximums are: 1409 RU, 42 UA, 23 CZ, 36 from other regions, not RIPE NCC. Requests from outside Russia draw attention. This can be explained by geolocation errors, or by registrar errors when filling in the data. Or a Russian company may not have Russian roots, or may have a foreign representative office because it is convenient, which is natural when dealing with a foreign organization such as RIPE NCC. Some part is undoubtedly extraneous, but it is hard to separate it out, because the resource is under blocking, from the second day under double blocking, and most sessions exchange only a few service packets. Let's agree that this part is small.

These figures can already be compared with the number of providers in Russia. According to RKN, there are 6387 licences for "Data communication services, excluding voice", but this is a very high upper estimate; not all of these licences belong to the internet providers that have to install an Agent. In the RIPE NCC region there is a similar number of ASes registered in Russia, 6230, and not all of them are providers. UserSide counted more strictly and got 3940 companies in 2017, and this too is an estimate from above. Either way, we observe two and a half times fewer ASes. But it is important to understand here that an AS is not quite the same as a provider. Some providers have no AS of their own, some have more than one. If we assume that everyone does have Agents, then some filter more strictly than others, so that their requests are indistinguishable from garbage, if they reach us at all. But for a rough estimate this is quite acceptable, even if something was lost through my oversight.

About DPI

Although my hoster switched on its filter from the second day, based on the first day's data we can say that the blocking works quite successfully. Only 4 sources managed to get through and complete the HTTP and TCP sessions (as in the example above). Another 460 were able to send a GET, but the session is immediately torn down with an RST. Pay attention to the TTL:

TTL 50, TCP, 14678  >  80, "[SYN] Seq=0"
TTL 64, TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TTL 50, TCP, 14678  >  80, "[ACK] Seq=1 Ack=1"

HTTP, "GET /filteredpage HTTP/1.1"
TTL 64, TCP, 80  >  14678, "[ACK] Seq=1 Ack=294"

# This is what the filter sent
TTL 53, TCP, 14678  >  80, "[RST] Seq=3458729893"
TTL 53, TCP, 14678  >  80, "[RST] Seq=3458729893"

HTTP, "HTTP/1.1 302 Found"

# And this is the source host trying to recover the lost segment
TTL 50, TCP ACKed unseen segment, 14678 > 80, "[ACK] Seq=294 Ack=145"

TTL 50, TCP, 14678  >  80, "[FIN, ACK] Seq=294 Ack=145"
TTL 64, TCP, 80  >  14678, "[FIN, ACK] Seq=171 Ack=295"

TTL 50, TCP Dup ACK 14678 > 80 "[ACK] Seq=295 Ack=145"

# The source host realizes the session has been destroyed
TTL 50, TCP, 14678  >  80, "[RST] Seq=294"
TTL 50, TCP, 14678  >  80, "[RST] Seq=295"

There may be variations of this: fewer RSTs or more retransmissions; it also depends on what the filter sends to the source host. In any case this is a fairly reliable template, from which it is clear that it was the prohibited resource that was requested. And there is always a reply in the session with a TTL larger than in the packets before and after it.

For the rest, no GET is visible at all:

TTL 50, TCP, 14678  >  80, "[SYN] Seq=0"
TTL 64, TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"

# This is what the filter sent
TTL 53, TCP, 14678  >  80, "[RST] Seq=1"

Or like this:

TTL 50, TCP, 14678  >  80, "[SYN] Seq=0"
TTL 64, TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TTL 50, TCP, 14678  >  80, "[ACK] Seq=1 Ack=1"

# This is what the filter sent
TTL 53, TCP, 14678  >  80, "[RST, PSH] Seq=1"

TTL 50, TCP ACKed unseen segment, 14678 > 80, "[FIN, ACK] Seq=89 Ack=172"
TTL 50, TCP ACKed unseen segment, 14678 > 80, "[FIN, ACK] Seq=89 Ack=172"

# The filter again, many times
TTL 53, TCP, 14678  >  80, "[RST, PSH] Seq=1"
...

The difference in TTL is indeed visible whenever something comes from the filter. But often nothing arrives at all:

TCP, 14678  >  80, "[SYN] Seq=0"
TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TCP Retransmission, 80 > 14678, "[SYN, ACK] Seq=0 Ack=1"
...

Or like this:

TCP, 14678  >  80, "[SYN] Seq=0"
TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TCP, 14678  >  80, "[ACK] Seq=1 Ack=1"

# Several seconds pass with no traffic

TCP, 80  >  14678, "[FIN, ACK] Seq=1 Ack=1"
TCP Retransmission, 80 > 14678, "[FIN, ACK] Seq=1 Ack=1"
...

And all of this repeats over and over again, as the graph shows, several times, every day.
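The classification heuristic this section describes, as an added Python example that is not part of the original article: a session's client TTL is taken from its SYN, and any inbound RST carrying a different TTL is attributed to an in-path filter rather than to the client. The packet records and source addresses are constructed to mirror the traces above; on a real capture they would come from the tcpdump file via a pcap parser.

```python
IN, OUT = "in", "out"  # "in" = from the probing host to our port 80, "out" = our replies

def classify(packets):
    """Label one session from (direction, ttl, flags, payload) records in capture order.
    The client's TTL is taken from its SYN; an inbound RST with a different TTL is
    attributed to the filter, one with the same TTL is the client's own.
    Returns (label, set of TTLs seen on injected RSTs)."""
    syn_ttl, saw_get, client_fin, filter_ttls = None, False, False, set()
    for direction, ttl, flags, payload in packets:
        if direction != IN:
            continue
        if "SYN" in flags and syn_ttl is None:
            syn_ttl = ttl                      # the client's real hop count
        elif "RST" in flags and syn_ttl is not None and ttl != syn_ttl:
            filter_ttls.add(ttl)               # reset from a different hop count: injected
        elif payload.startswith("GET "):
            saw_get = True                     # the request reached us before the filter acted
        elif "FIN" in flags:
            client_fin = True
    if syn_ttl is None:
        return "no-handshake", filter_ttls
    if filter_ttls:
        return ("rst-after-get" if saw_get else "rst-before-get"), filter_ttls
    if saw_get and client_fin:
        return "completed", filter_ttls
    return "stalled", filter_ttls              # handshake only, then silence or our own FIN

def sources_per_label(captures):
    """captures: list of (source_ip, packets). Count distinct sources per label,
    as in the text's 'N sources completed, M got a GET through, then RST'."""
    seen = {}
    for src, packets in captures:
        seen.setdefault(classify(packets)[0], set()).add(src)
    return {label: len(ips) for label, ips in seen.items()}

# Constructed sample sessions mirroring the traces above: TTL 50 is the client,
# 64 our host, 53 the filter. Source addresses are documentation-range placeholders.
COMPLETED = [(IN, 50, {"SYN"}, ""), (OUT, 64, {"SYN", "ACK"}, ""), (IN, 50, {"ACK"}, ""),
             (IN, 50, {"PSH", "ACK"}, "GET /somepage HTTP/1.1"), (OUT, 64, {"ACK"}, ""),
             (OUT, 64, {"PSH", "ACK"}, "HTTP/1.1 302 Found"), (IN, 50, {"FIN", "ACK"}, ""),
             (OUT, 64, {"FIN", "ACK"}, ""), (IN, 50, {"ACK"}, "")]
RST_AFTER_GET = (COMPLETED[:5] + [(IN, 53, {"RST"}, ""), (IN, 53, {"RST"}, "")]
                 + COMPLETED[5:8] + [(IN, 50, {"RST"}, "")])   # final RST is the client's own
RST_BEFORE_GET = COMPLETED[:2] + [(IN, 53, {"RST"}, "")]
STALLED = COMPLETED[:3] + [(OUT, 64, {"FIN", "ACK"}, "")]      # nothing more ever arrives
CAPTURE = [("198.51.100.1", COMPLETED), ("198.51.100.2", RST_AFTER_GET),
           ("198.51.100.2", RST_BEFORE_GET), ("198.51.100.3", RST_BEFORE_GET),
           ("198.51.100.4", STALLED)]
```

`sources_per_label(CAPTURE)` counts each source once per label, so a host that was reset both before and after a GET contributes to both buckets.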

About IPv6

The good news is that it exists. I can say with confidence that periodic requests for the prohibited resource come from 5 different IPv6 addresses, which is the Agent behaviour I expected. Moreover, one of the IPv6 addresses is not subject to filtering and I see the whole session. From two others I saw only one unfinished session each: one interrupted by an RST from the filter, the other by timeout. In total, 7.

Since there are so few addresses, I studied them all in detail, and it turned out there are only 3 providers among them; they deserve a standing ovation! One address is a cloud hosting in Russia (no filtering), another is a research centre in Germany (there is a filter; where?). Why they check the availability of prohibited resources on a schedule is a good question. The remaining two made one request each and are outside Russia, and one of them is filtered (along the way, afterwards?).

Blocking and the Agents are a major obstacle to IPv6; its adoption is not going quickly. That is a pity. Those who have solved this problem can be rightly proud.

In conclusion

I did not chase 100% accuracy, and I ask to be forgiven for that; I hope someone will want to repeat this work with greater care. What mattered to me was to understand whether such an approach would work in principle. The answer is: it will. The figures obtained are, to a first approximation, quite reliable, I think.

Another thing that could have been done, and which I was too lazy to do, is counting DNS requests. They are not filtered, but they also do not give high accuracy, since they only work at the level of the domain, not the full URL. The periodicity should be visible. Combined with what is directly visible in the HTTP requests, this would allow you to separate out the extraneous sources and find more of the real ones. It would also be possible to determine which DNS resolvers providers use, and more besides.

I did not expect the hoster to add its own filter in front of my VPS. Perhaps this is common practice. After all, RKN sends the request to remove the resource to the hoster. But this did not surprise me, and in some ways it actually helped. The filter worked very well, cutting off all well-formed HTTP requests to the prohibited URL, but the malformed ones that had already passed through the providers' filters reached it, even in their final form: FIN-ACK and RST; minus times minus nearly made a plus. By the way, the hoster did not filter IPv6. Of course, this affected the quality of the material collected, but it still made the periodicity visible. This turned out to be an important point when choosing where to host resources; do not forget to ask how the hoster handles the list of prohibited sites and requests from RKN.

At the beginning I compared AS "Revizor" with RIPE Atlas. The comparison is quite justified, and a large network of Agents could be useful. For example, for determining the availability of resources from different providers in different regions of the country. You can measure delays, you can build graphs, you can analyze all of it and see changes happening both locally and globally. It is not the most direct method, but astronomers use "standard candles", so why not use the Agents? Knowing (having found) their standard behaviour, you can determine the changes happening around them and how they affect the quality of the services provided. And at the same time you do not need to deploy probes across the network; Roskomnadzor has already deployed them.

Another point I want to touch on is that any tool can be a weapon. AS "Revizor" is a closed network, but the Agents give everyone away by sending requests for every resource on the blacklist. Obtaining such a tool presents no difficulty at all. In total, providers, through the Agents, unknowingly tell far more about their networks than is appropriate: the types of DPI and DNS, the Agent's location (central node or service network?), delay and loss indicators; and these are only the most obvious ones. Just as one can monitor the Agents' activity to improve the availability of one's own resources, one can do it for other purposes, and there are no obstacles to that. The result is a double-edged and very versatile tool, and anyone can see it.

Source: www.habr.com
