How the home Internet lives, and domain name server statistics

A home router (in this case a FritzBox) can record a lot: how much traffic goes when, who is connected at what speed, and so on. A domain name server (DNS) on the local network helped me find out what is hidden behind the unknown recipients.

Overall, DNS has had a positive effect on the home network: it has added speed, stability, and manageability.

Below is a diagram that raised questions and made it necessary to understand what was happening. Known and legitimate requests to domain name servers have already been filtered out of the results.

Why are 60 obscure domains polled every day while everyone is still asleep?

Every day, 440 unknown domains are polled during active hours. Who are they and what do they do?

Average number of requests per day, by hour


SQL report query

WITH CLS AS ( /* prepare unique requests */
SELECT
DISTINCT DATE_NK,
STRFTIME( '%s', SUBSTR(DATE_NK,8,4) || '-' ||
	CASE SUBSTR(DATE_NK,4,3)
	WHEN 'Jan' THEN '01' WHEN 'Feb' THEN '02' WHEN 'Mar' THEN '03' WHEN 'Apr' THEN '04' WHEN 'May' THEN '05' WHEN 'Jun' THEN '06'
	WHEN 'Jul' THEN '07' WHEN 'Aug' THEN '08' WHEN 'Sep' THEN '09' WHEN 'Oct' THEN '10' WHEN 'Nov' THEN '11'
	ELSE '12' END || '-' || SUBSTR(DATE_NK,1,2) || ' ' || SUBSTR(TIME_NK,1,8) ) AS EVENT_DT,
REQUEST_NK, DOMAIN
FROM STG_BIND9_LOG )
SELECT
  1 as 'Line: DNS Requests per Day for Hours',
  strftime('%H:00', datetime(EVENT_DT, 'unixepoch')) AS 'Day',
  ROUND(1.0*SUM(1)/COUNT(DISTINCT strftime('%d.%m', datetime(EVENT_DT, 'unixepoch'))), 1) AS 'Requests per Day'
FROM CLS
WHERE DOMAIN NOT IN ('in-addr.arpa', 'IN-ADDR.ARPA', 'local', 'dyndns', 'nas', 'ntp.org')
  AND datetime(EVENT_DT, 'unixepoch') > date('now', '-20 days')
GROUP BY /* hour aggregate */
  strftime('%H:00', datetime(EVENT_DT, 'unixepoch'))
ORDER BY strftime('%H:00', datetime(EVENT_DT, 'unixepoch'))

At night, wireless access is switched off and device activity is as expected, i.e. there is no polling of obscure domains. This means that most of the activity comes from devices running operating systems such as Android, iOS and Blackberry OS.

Let's list the domains that are polled intensively. Intensity is determined by parameters such as the number of requests per day, the number of active days, and the number of hours of the day in which the domain was seen.

All the expected suspects were on the list.

Intensively polled domains


SQL report query

WITH CLS AS ( /* prepare unique requests */
SELECT
DISTINCT DATE_NK,
STRFTIME( '%s', SUBSTR(DATE_NK,8,4) || '-' ||
	CASE SUBSTR(DATE_NK,4,3)
	WHEN 'Jan' THEN '01' WHEN 'Feb' THEN '02' WHEN 'Mar' THEN '03' WHEN 'Apr' THEN '04' WHEN 'May' THEN '05' WHEN 'Jun' THEN '06'
	WHEN 'Jul' THEN '07' WHEN 'Aug' THEN '08' WHEN 'Sep' THEN '09' WHEN 'Oct' THEN '10' WHEN 'Nov' THEN '11'
	ELSE '12' END || '-' || SUBSTR(DATE_NK,1,2) || ' ' || SUBSTR(TIME_NK,1,8) ) AS EVENT_DT,
REQUEST_NK, DOMAIN
FROM STG_BIND9_LOG )
SELECT 
  1 as 'Table: Heavy DNS Requests',
  REQUEST_NK AS 'Request',
  DOMAIN AS 'Domain',
  REQ AS 'Requests per Day',
  DH AS 'Hours per Day',
  DAYS AS 'Active Days'
FROM (
SELECT
  REQUEST_NK, MAX(DOMAIN) AS DOMAIN,
  COUNT(DISTINCT REQUEST_NK) AS SUBD,
  COUNT(DISTINCT strftime('%d.%m', datetime(EVENT_DT, 'unixepoch'))) AS DAYS,
  ROUND(1.0*SUM(1)/COUNT(DISTINCT strftime('%d.%m', datetime(EVENT_DT, 'unixepoch'))), 1) AS REQ,
  ROUND(1.0*COUNT(DISTINCT strftime('%d.%m %H', datetime(EVENT_DT, 'unixepoch')))/COUNT(DISTINCT strftime('%d.%m', datetime(EVENT_DT, 'unixepoch'))), 1) AS DH
FROM CLS
WHERE DOMAIN NOT IN ('in-addr.arpa', 'IN-ADDR.ARPA', 'local', 'dyndns', 'nas', 'ntp.org')
  AND datetime(EVENT_DT, 'unixepoch') > date('now', '-20 days')
GROUP BY REQUEST_NK )
WHERE DAYS > 9 -- long period
ORDER BY 4 DESC, 5 DESC
LIMIT 20

We block isс.blackberry.com and iceberg.blackberry.com, which the manufacturer would justify on security grounds. Result: when trying to connect to the WLAN, the device shows the login page and never connects anywhere again. Let's unblock them.

detectportal.firefox.com is the same mechanism, only implemented in the Firefox browser. If you need to log in to a WLAN network, it shows the login page first. It is not entirely clear why the address has to be pinged so often, but the mechanism is clearly described by the manufacturer.

skype. This program behaves like a worm: it hides and does not simply let itself be killed in the task bar, it generates a lot of traffic on the network, and it pings 10 domains every 10 minutes. During a video call the Internet connection keeps dropping, even when it could not be any better. For now it is needed, so it stays.

upload.fp.measure.office.com - belongs to Office 365; I did not find a decent description.
browser.pipe.aria.microsoft.com - I did not find a decent description.
We block both.

connect.facebook.net - the Facebook chat application. It stays.

mediator.mail.ru - an analysis of all requests for the mail.ru domain showed a large number of advertising resources and statistics collectors, which causes distrust. The mail.ru domain goes onto the blacklist in its entirety.

google-analytics.com - does not affect the functionality of the devices, so we block it.
doubleclick.net - counts advertising clicks. We block it.

Many requests go to googleapis.com. Blocking it led to the happy shutdown of the short messages on the tablet, which seem silly to me. But the Play Store stopped working, so let's unblock it.

cloudflare.com - they write that they love open source and, in general, they write a lot about themselves. The intensity with which this domain is polled is not entirely clear; it is often much higher than the actual activity on the Internet. Let's leave it for now.

So, the intensity of requests is often related to functionality the devices need. But some that overdid it with activity were found as well.

The very first

When the wireless Internet is switched on, everyone is still asleep, so it is possible to see which requests are sent to the network first. At 6:50 the Internet turns on, and in the first ten-minute interval 60 domains are polled every day:


SQL report query

WITH CLS AS ( /* prepare unique requests */
SELECT
DISTINCT DATE_NK,
STRFTIME( '%s', SUBSTR(DATE_NK,8,4) || '-' ||
	CASE SUBSTR(DATE_NK,4,3)
	WHEN 'Jan' THEN '01' WHEN 'Feb' THEN '02' WHEN 'Mar' THEN '03' WHEN 'Apr' THEN '04' WHEN 'May' THEN '05' WHEN 'Jun' THEN '06'
	WHEN 'Jul' THEN '07' WHEN 'Aug' THEN '08' WHEN 'Sep' THEN '09' WHEN 'Oct' THEN '10' WHEN 'Nov' THEN '11'
	ELSE '12' END || '-' || SUBSTR(DATE_NK,1,2) || ' ' || SUBSTR(TIME_NK,1,8) ) AS EVENT_DT,
REQUEST_NK, DOMAIN
FROM STG_BIND9_LOG )
SELECT
  1 as 'Table: First DNS Requests at 06:00',
  REQUEST_NK AS 'Request',
  DOMAIN AS 'Domain',
  REQ AS 'Requests',
  DAYS AS 'Active Days',
  strftime('%H:%M', datetime(MIN_DT, 'unixepoch')) AS 'First Ping',
  strftime('%H:%M', datetime(MAX_DT, 'unixepoch')) AS 'Last Ping'
FROM (
SELECT
  REQUEST_NK, MAX(DOMAIN) AS DOMAIN,
  MIN(EVENT_DT) AS MIN_DT,
  MAX(EVENT_DT) AS MAX_DT,
  COUNT(DISTINCT strftime('%d.%m', datetime(EVENT_DT, 'unixepoch'))) AS DAYS,
  ROUND(1.0*SUM(1)/COUNT(DISTINCT strftime('%d.%m', datetime(EVENT_DT, 'unixepoch'))), 1) AS REQ
FROM CLS
WHERE DOMAIN NOT IN ('in-addr.arpa', 'IN-ADDR.ARPA', 'local', 'dyndns', 'nas', 'ntp.org')
  AND datetime(EVENT_DT, 'unixepoch') > date('now', '-20 days')
  AND strftime('%H', datetime(EVENT_DT, 'unixepoch')) = strftime('%H', '2019-08-01 06:50:00')
GROUP BY REQUEST_NK
 )
WHERE DAYS > 3 -- at least 4 days activity
ORDER BY 5 DESC, 4 DESC

Firefox checks the WLAN connection for the presence of a login page.
Citrix pings its server even though the application is not actively running.
Symantec verifies certificates.
Mozilla checks for updates, even though I asked it in the settings not to do this.

mmo.de is a gaming service. Most likely the request is initiated by the Facebook chat. We block it.

Apple wakes up all of its services. api-glb-fra.smoot.apple.com - judging by the description, every button press is sent here for search-engine purposes. Highly suspicious, but it is tied to functionality. We leave it.

Next comes a long list of requests to microsoft.com. We block all domains starting from the third level.

Number of first subdomains

So, the first 10 minutes after the wireless Internet is switched on.
iOS polls the most subdomains - 32. It is followed by Android - 24, then Windows - 15, and finally Blackberry - 9.
The Facebook application alone polls 10 domains; Skype polls 10 domains.

Data source

The source for this analysis was the log file of the local bind9 server, which has the following format:

01-Aug-2019 20:03:30.996 client 192.168.0.2#40693 (api.aps.skype.com): query: api.aps.skype.com IN A + (192.168.0.102)

The file was imported into an sqlite database and analysed with SQL queries.
The server acts as a cache; the requests come from the router, so there is always a single requesting client. A simplified table structure is sufficient, i.e. the report needs the time of the request, the request itself, and the second-level domain for grouping.

Table DDL

CREATE TABLE STG_BIND9_LOG (
  LINE_NK       INTEGER NOT NULL DEFAULT 1,
  DATE_NK       TEXT NOT NULL DEFAULT 'n.a.',
  TIME_NK       TEXT NOT NULL DEFAULT 'n.a.',
  CLI           TEXT, -- client
  IP            TEXT,
  REQUEST_NK    TEXT NOT NULL DEFAULT 'n.a.', -- requested domain
  DOMAIN        TEXT NOT NULL DEFAULT 'n.a.', -- domain second level
  QUERY         TEXT,
  UNIQUE (LINE_NK, DATE_NK, TIME_NK, REQUEST_NK)
);
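
The import step described above, as an added example that is not part of the original article: it parses lines in the quoted bind9 format into the STG_BIND9_LOG columns and loads them into sqlite. The log lines are constructed samples; the regular expression, the "last two labels" rule for DOMAIN, the lower-casing of names, the mapping of CLI and IP to the client and server addresses, and the shortened DDL (column defaults left out) are assumptions, as are all function names.

```python
import re
import sqlite3

# Constructed sample lines in the bind9 query-log format quoted above.
SAMPLE_LOG = """\
01-Aug-2019 06:50:02.114 client 192.168.0.2#40693 (detectportal.firefox.com): query: detectportal.firefox.com IN A + (192.168.0.102)
01-Aug-2019 06:50:02.114 client 192.168.0.2#40693 (detectportal.firefox.com): query: detectportal.firefox.com IN A + (192.168.0.102)
01-Aug-2019 20:03:30.996 client 192.168.0.2#40693 (api.aps.skype.com): query: api.aps.skype.com IN A + (192.168.0.102)
01-Aug-2019 20:13:31.002 client 192.168.0.2#51200 (API.APS.Skype.com): query: API.APS.Skype.com IN AAAA + (192.168.0.102)
01-Aug-2019 20:14:00.500 client 192.168.0.2#51201 (2.0.168.192.in-addr.arpa): query: 2.0.168.192.in-addr.arpa IN PTR + (192.168.0.102)
01-Aug-2019 20:15:00.000 general: info: zone example/IN: loaded serial 1
"""
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-[A-Z][a-z]{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<cli>[0-9A-Fa-f.:]+)#\d+ \((?P<name>[^)]+)\): "
    r"query: (?P<query>\S+ IN \S+ \S+) \((?P<ip>[^)]+)\)$")
DDL = """CREATE TABLE STG_BIND9_LOG (
  LINE_NK INTEGER NOT NULL DEFAULT 1, DATE_NK TEXT NOT NULL, TIME_NK TEXT NOT NULL,
  CLI TEXT, IP TEXT, REQUEST_NK TEXT NOT NULL, DOMAIN TEXT NOT NULL, QUERY TEXT,
  UNIQUE (LINE_NK, DATE_NK, TIME_NK, REQUEST_NK))"""

def second_level(name):
    """Assumed grouping rule: last two labels, lower-cased (single labels stay as-is)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def parse_line(line):
    """Map one log line to a STG_BIND9_LOG row, or None if it is not a query line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name = m["name"].rstrip(".").lower()
    return (m["date"], m["time"], m["cli"], m["ip"], name, second_level(name), m["query"])

def load(conn, text):
    """Insert parsed rows; the UNIQUE constraint silently drops exact repeats."""
    rows = [r for r in map(parse_line, text.splitlines()) if r]
    conn.executemany("INSERT OR IGNORE INTO STG_BIND9_LOG (DATE_NK, TIME_NK, CLI, IP,"
                     " REQUEST_NK, DOMAIN, QUERY) VALUES (?,?,?,?,?,?,?)", rows)
    return conn.execute("SELECT COUNT(*) FROM STG_BIND9_LOG").fetchone()[0]

def requests_per_domain(conn):
    """Stored requests per second-level domain, excluding reverse lookups."""
    return conn.execute("SELECT DOMAIN, COUNT(*) FROM STG_BIND9_LOG WHERE DOMAIN"
                        " <> 'in-addr.arpa' GROUP BY DOMAIN ORDER BY DOMAIN").fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    return load(conn, SAMPLE_LOG), requests_per_domain(conn)
```

Because names are lower-cased on import here, a single 'in-addr.arpa' entry in the exclusion list is enough; the report queries on this page list both spellings.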

Conclusion

Thus, as a result of analysing the domain name server log, more than 50 entries were reviewed and placed on the block list.

The need for some of the requests is well described by the software makers and inspires confidence. However, much of the activity has no justification and raises questions.

Source: www.habr.com
