Cisco Training 200-125 CCNA v3.0. Day 41: DHCP Snooping and Nondefault Native VLAN

Today we will look at two important topics: DHCP Snooping and the "non-default" Native VLAN. Before continuing with the lesson, I invite you to visit our other YouTube channel, where you can watch a video on how to improve your memory. I recommend subscribing to that channel, since we post many useful self-improvement tips there.

This lesson is devoted to sections 1.7b and 1.7c of the ICND2 topic. Before we start with DHCP Snooping, let us recall a few points from previous lessons. If I am not mistaken, we studied DHCP on Day 6 and Day 24. There we discussed the important questions of how a DHCP server assigns IP addresses and how the corresponding messages are exchanged.

Normally, when an end user joins the network, their device sends a broadcast request that is "heard" by every device on the network. If the device is connected directly to the DHCP server, the request goes straight to the server. If there are forwarding devices on the network (routers and switches), the request reaches the server through them. Having received the request, the DHCP server answers the user, who then sends it a request for an IP address, after which the server issues that address to the user's device. This is how obtaining an IP address works under normal conditions. In the example in the diagram, the end user receives the address 192.168.10.10 and the gateway address 192.168.10.1. After that the user can reach the Internet through this gateway or communicate with other devices on the network.

Now suppose that, in addition to the real DHCP server, there is a rogue DHCP server on the network, that is, an attacker has simply installed a DHCP server on their own computer. In this case the user, having joined the network, again sends a broadcast message, which the router and switch forward to the real server.

However, the rogue server also "listens" to the network and, having received the broadcast, answers the user with its own offer before the real DHCP server does. After receiving it, the user accepts, and as a result receives the IP address 192.168.10.2 from the attacker along with the gateway address 192.168.10.95.

The process of obtaining an IP address is abbreviated DORA and consists of 4 steps: Discover, Offer, Request and Acknowledgement. As you can see, the attacker gives the legitimate device an IP address that lies within the network's valid address range, but instead of the real gateway address 192.168.10.1 they "slip in" a fake one, 192.168.10.95, which is the address of their own computer.

From then on, all of the end user's Internet-bound traffic passes through the attacker's computer. The attacker forwards it onward, and the user notices no difference, since they can still reach the Internet.

In the same way, return traffic from the Internet flows back to the user through the attacker's computer. This is what is commonly called a Man in the Middle (MitM) attack: all of the user's traffic passes through the attacker's machine, and the attacker can read everything the user sends or receives. This is one type of attack possible on a network that uses DHCP.

The second type of attack is called Denial of Service (DoS). What happens here? The attacker's computer no longer acts as a DHCP server; it is simply an attacking device. It sends a Discover to the real DHCP server and receives an Offer in reply, then sends a Request to the server and receives an IP address from it. The attacker's computer repeats this every few milliseconds, receiving a new IP address each time.

Depending on its configuration, the real DHCP server has a pool of a hundred or several hundred free IP addresses. The attacker's computer receives addresses .1, .2, .3 and so on until the pool is completely exhausted. After that the DHCP server can no longer issue IP addresses to new clients on the network: when a new user joins, there is no free IP address for them. That is the point of a DoS attack on a DHCP server: to stop it from issuing IP addresses to new users.

To counter such attacks, the concept of DHCP Snooping is used. This is an OSI layer 2 feature that works like an ACL and operates only on switches. To understand DHCP Snooping, you need to consider two concepts: the trusted ports of the switch and the untrusted ports that face other network devices.

Trusted ports allow any type of DHCP message to pass. Untrusted ports are the ports to which clients are connected, and DHCP Snooping ensures that any DHCP server message (Offer or Ack) arriving on these ports is discarded.

If we recall the DORA process, message D goes from the client to the server and message O comes from the server to the client. Then message R is sent from the client to the server, and the server sends message A to the client.

Messages D and R from untrusted ports are accepted, while messages of type O and A are dropped. As soon as DHCP Snooping is enabled, every switch port is considered untrusted. The feature can be applied either to the whole switch or to individual VLANs. For example, if VLAN10 is attached to a port, you can enable the feature for VLAN10 only, and that port then becomes untrusted.

When you enable DHCP Snooping, you, as the administrator, have to go into the switch configuration and set up the ports so that only the ports to which server-like devices are connected are treated as trusted. This means any kind of server, not just DHCP.
For example, if another switch, a router or the real DHCP server is connected to a port, that port is configured as trusted. The remaining switch ports, to which end-user devices or wireless access points are connected, must be left untrusted. Thus a device such as an access point that users connect to is attached to the switch through an untrusted port.

If the attacker's computer sends messages of type O or A to the switch, they are blocked, that is, such traffic cannot pass through an untrusted port. This is how DHCP Snooping prevents the types of attack discussed above.

In addition, DHCP Snooping builds a DHCP binding table. Once a client has received an IP address from the server, that address, together with the MAC address of the device that received it, is entered into the DHCP Snooping table. These two values are associated with the untrusted port to which the client is connected.

This helps, for example, to prevent a DoS attack. If a client with a given MAC address has already received an IP address, why would it need another one? In that case any such attempt is blocked immediately after the entry in the table is checked.
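
The following is an added example, not code from the lesson or from Cisco: a small Python model of the per-message decision the lesson describes, covering the trusted/untrusted port rule and the binding-table check. The port names (Gi0/1, Gi0/5, Gi0/7, Gi0/9), the MAC address and the IP addresses are constructed for the scenario, and the rule that a Discover from an already-bound MAC is refused is the lesson's simplified description rather than the exact behaviour of any particular switch.

```python
"""DHCP snooping decision model (added example, not code from the lesson).

Trusted ports pass every DHCP message; untrusted ports drop server messages
(Offer/Ack); a binding table built from completed leases refuses a repeated
Discover from a MAC that already holds an address and a Request that arrives
on a port other than the one the binding was learned on.
"""
from dataclasses import dataclass, field

# DORA message types: Discover and Request come from clients, Offer and Ack from servers.
CLIENT_MESSAGES = {"DISCOVER", "REQUEST"}
SERVER_MESSAGES = {"OFFER", "ACK"}


@dataclass
class DhcpMessage:
    port: str        # switch port the message arrived on
    kind: str        # one of the DORA message types above
    client_mac: str  # client hardware address carried in the message
    ip: str = ""     # address being offered or assigned (OFFER / ACK only)


@dataclass
class SnoopingSwitch:
    """DHCP snooping state for one switch: trusted ports plus the binding table."""
    trusted: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)  # client_mac -> (ip, client port)
    pending: dict = field(default_factory=dict)   # client_mac -> untrusted port of the requester

    def trust(self, port: str) -> None:
        """Mark a port as trusted (uplink to a DHCP server, router or another switch)."""
        self.trusted.add(port)

    def process(self, msg: DhcpMessage) -> str:
        """Return 'forward' or 'drop:<reason>' for a single DHCP message."""
        if msg.port in self.trusted:
            # Trusted ports pass everything. A completed lease (ACK) is recorded
            # against the untrusted port where the client sent its request.
            if msg.kind == "ACK" and msg.client_mac in self.pending:
                client_port = self.pending.pop(msg.client_mac)
                self.bindings[msg.client_mac] = (msg.ip, client_port)
            return "forward"

        # From here on the message arrived on an untrusted (client-facing) port.
        if msg.kind in SERVER_MESSAGES:
            # An Offer or Ack on a client port can only come from a rogue server.
            return "drop:server-message-on-untrusted-port"
        if msg.kind not in CLIENT_MESSAGES:
            return "drop:unknown-message-type"

        bound = self.bindings.get(msg.client_mac)
        if bound is not None:
            bound_ip, bound_port = bound
            if msg.kind == "DISCOVER":
                # The MAC already holds a lease: refuse a fresh Discover, which is
                # the lesson's description of how the pool-exhaustion attempt is stopped.
                return f"drop:{msg.client_mac}-already-bound-to-{bound_ip}-on-{bound_port}"
            if msg.port != bound_port:
                # A renewal must come from the port the binding was learned on.
                return f"drop:binding-port-mismatch-expected-{bound_port}"
            return "forward"  # legitimate renewal (Request) from the bound port

        self.pending[msg.client_mac] = msg.port
        return "forward"


def run_scenario() -> tuple:
    """Replay the lesson's scenario: one client, one rogue server, then a repeated Discover."""
    sw = SnoopingSwitch()
    sw.trust("Gi0/1")  # constructed: uplink towards the real DHCP server
    mac = "aa:bb:cc:00:00:10"  # constructed client MAC
    messages = [
        DhcpMessage("Gi0/5", "DISCOVER", mac),                  # client on an untrusted port
        DhcpMessage("Gi0/7", "OFFER", mac, "192.168.10.2"),     # rogue server on another client port
        DhcpMessage("Gi0/1", "OFFER", mac, "192.168.10.10"),    # real server via the trusted uplink
        DhcpMessage("Gi0/5", "REQUEST", mac),
        DhcpMessage("Gi0/1", "ACK", mac, "192.168.10.10"),      # lease completes, binding recorded
        DhcpMessage("Gi0/5", "DISCOVER", mac),                  # same MAC asking for another address
        DhcpMessage("Gi0/9", "REQUEST", mac),                   # renewal arriving from the wrong port
    ]
    return [sw.process(m) for m in messages], dict(sw.bindings)


if __name__ == "__main__":
    decisions, table = run_scenario()
    for decision in decisions:
        print(decision)
    print("binding table:", table)
```

On a real Cisco IOS switch the same policy is expressed with `ip dhcp snooping`, `ip dhcp snooping vlan <id>` and `ip dhcp snooping trust` on the uplink interface, and `show ip dhcp snooping binding` displays the table that the model's `bindings` dictionary stands in for.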
The next thing we need to discuss is the Nondefault, or "non-default", Native VLAN. We have already covered VLANs, devoting 4 video lessons to them. If you have forgotten what they are, I advise you to review those lessons.

We know that on Cisco switches the default Native VLAN is VLAN1. There is an attack called VLAN Hopping. Suppose the computer in the diagram is connected to the first switch, whose native VLAN is the default VLAN1, and the last switch is connected to a computer in VLAN10. A trunk runs between the switches.

Normally, when traffic from the first computer reaches the switch, the switch knows that the port this computer is attached to belongs to VLAN1. Next, this traffic goes onto the trunk between the two switches, and the first switch reasons as follows: "this traffic came from the Native VLAN, so I don't need to tag it," and forwards it untagged along the trunk, where it reaches the second switch.

Switch 2, having received the untagged traffic, reasons as follows: "since this traffic is untagged, it belongs to VLAN1, so I cannot send it into VLAN10." As a result, traffic sent by the first computer cannot reach the second computer.

That is exactly how it should be: VLAN1 traffic must not get into VLAN10. Now imagine that behind the first computer there is an attacker who builds a frame carrying a VLAN10 tag and sends it to the switch. If you remember how VLANs work, you know that when tagged traffic arrives at the switch, the switch does nothing to the frame but simply forwards it along the trunk. As a result, the second switch receives traffic whose tag was created by the attacker rather than by the first switch.

This is why you replace the Native VLAN with something other than VLAN1.

Since the second switch has no way of knowing who created the VLAN10 tag, it simply delivers the traffic to the second computer. This is how a VLAN Hopping attack works: the attacker gets into a network that was originally unreachable for them.

To prevent such an attack, you should create an arbitrary, otherwise unused VLAN, for example VLAN999, VLAN666, VLAN777 and so on, which the attacker cannot use at all. Then we go to the trunk ports of the switches and configure them to use, for example, VLAN666 as the Native VLAN. In doing so we change the Native VLAN of the trunk ports from VLAN1 to VLAN666, that is, we use any VLAN other than VLAN1 as the Native VLAN.

The ports on both ends of the trunk must be configured with the same native VLAN, otherwise we get a native VLAN mismatch error.

After this setup, if the attacker decides to carry out a VLAN Hopping attack, they will not succeed, because native VLAN1 is no longer assigned to any of the trunk ports. This is how you protect against the attack by configuring a non-default native VLAN.
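
The following is an added example, not part of the lesson: a small Python audit that reads interface blocks written in Cisco IOS running-config style and reports trunk ports still on the default native VLAN 1, as well as a native VLAN mismatch between the two ends of a link. The two switch configurations, the interface names and the choice of VLAN 666 are constructed for the illustration; the IOS commands inside them (`switchport mode trunk`, `switchport trunk native vlan`, `switchport trunk encapsulation dot1q`) are real.

```python
"""Native VLAN audit for both ends of a trunk (added example, not from the lesson).

parse_trunks() extracts the native VLAN of every trunk port from an IOS-style
running-config fragment; audit_trunk_link() compares the two ends of one link.
"""
import re

INTERFACE_RE = re.compile(r"^interface (\S+)$")

# Constructed sample: SW1 has already been moved to native VLAN 666.
SW1_CONFIG = """
interface GigabitEthernet0/24
 description trunk to SW2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 666
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport mode access
!
"""

# Constructed sample: SW2 still runs its trunk on the IOS default, native VLAN 1.
SW2_CONFIG = """
interface GigabitEthernet0/24
 description trunk to SW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

# Constructed sample: SW2 after the fix described in the lesson.
SW2_FIXED_CONFIG = SW2_CONFIG.replace(
    " switchport mode trunk", " switchport trunk native vlan 666\n switchport mode trunk"
)


def parse_trunks(config: str) -> dict:
    """Return {interface: native_vlan} for each trunk port.

    A trunk without an explicit 'switchport trunk native vlan' line is on the
    IOS default, VLAN 1, which is exactly the case the audit wants to catch.
    """
    trunks = {}
    current, native, is_trunk = None, 1, False
    for raw in config.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m:
            if current is not None and is_trunk:
                trunks[current] = native
            current, native, is_trunk = m.group(1), 1, False
        elif line == "switchport mode trunk":
            is_trunk = True
        elif line.startswith("switchport trunk native vlan "):
            native = int(line.rsplit(" ", 1)[1])
    if current is not None and is_trunk:
        trunks[current] = native
    return trunks


def audit_trunk_link(config_a: str, port_a: str, config_b: str, port_b: str) -> list:
    """Findings for one trunk link; an empty list means the link passes the audit."""
    findings = []
    vlan_a = parse_trunks(config_a).get(port_a)
    vlan_b = parse_trunks(config_b).get(port_b)
    for name, port, vlan in (("A", port_a, vlan_a), ("B", port_b, vlan_b)):
        if vlan is None:
            findings.append(f"{name}:{port} is not configured as a trunk")
        elif vlan == 1:
            findings.append(f"{name}:{port} still uses the default native VLAN 1")
    if vlan_a is not None and vlan_b is not None and vlan_a != vlan_b:
        findings.append(f"native VLAN mismatch on the link: {vlan_a} vs {vlan_b}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before fix", SW2_CONFIG), ("after fix", SW2_FIXED_CONFIG)):
        print(label, audit_trunk_link(SW1_CONFIG, "GigabitEthernet0/24", cfg, "GigabitEthernet0/24"))
```

The "before" run reports both the default native VLAN on SW2 and the mismatch that the lesson warns about; on real switches the same mismatch is also reported by CDP between the two neighbours. Once SW2 carries the matching `switchport trunk native vlan 666` line, the audit returns no findings.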



Source: www.habr.com
