NXNSAttack affects all DNS resolvers

A group of researchers from Tel Aviv University and the Interdisciplinary Center in Herzliya (Israel) has developed a new attack method, NXNSAttack (PDF), which allows any DNS resolver to be used as a traffic amplifier. The amplification factor reaches up to 1621 times in terms of the number of packets (for each request sent to the resolver, up to 1621 requests can be sent to the victim's server) and up to 163 times in terms of traffic.

The problem is related to features of the protocol and affects all DNS servers that support recursive query processing, including BIND (CVE-2020-8616), Knot (CVE-2020-12667), PowerDNS (CVE-2020-10995), Windows DNS Server and Unbound (CVE-2020-12662), as well as the public DNS services of Google, Cloudflare, Amazon, Quad9, ICANN and other companies. The fix was coordinated with the developers of the DNS servers, who simultaneously released updates to fix the vulnerability in their products. Protection against the attack is implemented in the releases Unbound 1.10.1, Knot Resolver 5.1.1, PowerDNS Recursor 4.3.1, 4.2.2, 4.1.16, and BIND 9.11.19, 9.14.12, 9.16.3.

The attack is based on the attacker using requests that refer to a large number of previously unseen fictitious NS records, to which name resolution is delegated, but without glue records carrying the IP addresses of the NS servers in the response. For example, an attacker sends a query to resolve the name sd1.attacker.com while controlling the DNS server responsible for the attacker.com domain. In response to the resolver's request, the attacker's DNS server returns an answer that delegates resolution of sd1.attacker.com to the victim's DNS server, listing NS records in the response without giving the IP addresses of the NS servers. Since the NS server named in the response has not been seen before and its IP address is not specified, the resolver tries to determine the IP address of the NS server by sending a query to the victim's DNS server, which serves the target domain (victim.com).

The problem is that the attacker can respond with a huge list of non-repeating NS servers with fictitious, non-existent names in the victim's domain (fake-1.victim.com, fake-2.victim.com, ... fake-1000.victim.com). The resolver will try to send a request to the victim's DNS server, but will receive a response that the domain was not found, after which it will try to resolve the next NS server in the list, and so on until it has tried all the NS records listed by the attacker. Accordingly, for a single request from the attacker, the resolver sends a huge number of requests to determine the NS hosts. Since the NS server names are generated randomly and refer to non-existent subdomains, they are not served from the cache, and each request from the attacker results in a flood of requests to the DNS server serving the victim's domain.

The researchers studied how vulnerable public DNS resolvers are to the problem and determined that when sending queries to the CloudFlare resolver (1.1.1.1), the number of packets (PAF, Packet Amplification Factor) can be increased by 48 times, Google (8.8.8.8) - 30 times, FreeDNS (37.235.1.174) - 50 times, OpenDNS (208.67.222.222) - 32 times. More noticeable figures are observed for Level3 (209.244.0.3) - 273 times, Quad9 (9.9.9.9) - 415 times, SafeDNS (195.46.39.39) - 274 times, Verisign (64.6.64.6) - 202 times, Ultra (156.154.71.1) - 405 times, Comodo Secure (8.26.56.26) - 435 times, DNS.Watch (84.200.69.80) - 486 times, and Norton ConnectSafe (199.85.126.10) - 569 times. For servers based on BIND 9.12.3, because requests are parallelized, the amplification level can reach 1000. In Knot Resolver 5.1.0, the amplification level is approximately several dozen times (24-48), since NS names are resolved sequentially and run into the internal limit on the number of name resolution steps allowed for a single request.

There are two main defense strategies. For systems with DNSSEC, it is proposed to use RFC 8198 to prevent the DNS cache from being bypassed, since the requests are sent with random names. The essence of the method is to generate negative responses without contacting the authoritative DNS servers, using range checking via DNSSEC. A simpler approach is to limit the number of names that can be resolved while processing a single delegated request, but this method may cause problems with some existing configurations, because the limits are not defined in the protocol.
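The second defense and its caveat can be seen in a small model of how a resolver handles a referral. This is an added example, not code from the researchers or from any resolver; `Referral`, `plan_lookups`, the cap of 5 and all sample names other than the article's fake-N.victim.com pattern are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Referral:
    """A delegation response: NS names plus any glue (NS name -> IP) sent with it."""
    ns_names: list
    glue: dict = field(default_factory=dict)

def _norm(name):
    # DNS names compare case-insensitively; drop the trailing root dot.
    return name.lower().rstrip(".")

def plan_lookups(referral, cache, max_glueless=None):
    """Split a referral's NS names into (to_resolve, skipped).

    A name costs an extra upstream query only when it has no glue and no
    cache entry. max_glueless is the per-request cap described as the
    simpler defense; None models a resolver with no cap.
    """
    known = {_norm(n) for n in referral.glue} | {_norm(n) for n in cache}
    seen, glueless = set(), []
    for name in map(_norm, referral.ns_names):
        if name not in known and name not in seen:
            seen.add(name)
            glueless.append(name)
    if max_glueless is None:
        return glueless, []
    return glueless[:max_glueless], glueless[max_glueless:]

# Constructed sample referrals; the fake-N names follow the article's example.
FLOOD = Referral([f"fake-{i}.victim.com" for i in range(1, 1001)])
WITH_GLUE = Referral(
    ["ns1.example.net", "ns2.example.net"],
    glue={"ns1.example.net": "192.0.2.1", "ns2.example.net": "192.0.2.2"},
)
# A legitimate zone hosted on seven out-of-zone name servers, none with glue.
LEGIT_GLUELESS = Referral([f"ns{i}.dns-host.example" for i in range(1, 8)])

if __name__ == "__main__":
    CAP = 5  # illustrative value, not taken from any resolver
    for label, ref in (("glue", WITH_GLUE), ("legit", LEGIT_GLUELESS), ("flood", FLOOD)):
        todo, _ = plan_lookups(ref, cache={})
        capped, skipped = plan_lookups(ref, cache={}, max_glueless=CAP)
        print(f"{label}: uncapped={len(todo)} capped={len(capped)} skipped={len(skipped)}")
```

The cap bounds the flood referral at five lookups, but it also leaves two name servers of the legitimate glueless zone untried, which is the compatibility risk noted above.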

Source: opennet.ru
