NXNSAttack attack affects all DNS resolvers

A group of researchers from Tel Aviv University and the Interdisciplinary Center in Herzliya (Israel) has developed a new attack method, NXNSAttack (PDF), which allows any DNS resolver to be used as a traffic amplifier. It gives an amplification factor of up to 1621 times in terms of the number of packets (for each request sent to the resolver, 1621 requests can be directed at the victim's server) and up to 163 times in terms of traffic.

The problem is related to specifics of the protocol and affects all DNS servers that support recursive query processing, including BIND (CVE-2020-8616), Knot (CVE-2020-12667), PowerDNS (CVE-2020-10995), Windows DNS Server and Unbound (CVE-2020-12662), as well as the public DNS services of Google, Cloudflare, Amazon, Quad9, ICANN and other companies. The fix was coordinated with the DNS server developers, who simultaneously released updates fixing the vulnerability in their products. Protection against the attack is implemented in the releases Unbound 1.10.1, Knot Resolver 5.1.1, PowerDNS Recursor 4.3.1, 4.2.2, 4.1.16, and BIND 9.11.19, 9.14.12, 9.16.3.

The attack is based on the attacker using requests that refer to a large number of previously unseen fictitious NS records, to which name resolution is delegated, but without glue records carrying the IP addresses of the NS servers in the response. For example, the attacker sends a query to resolve the name sd1.attacker.com while controlling the DNS server responsible for the attacker.com domain. In response to the resolver's request to the attacker's DNS server, a response is returned that delegates resolution of the sd1.attacker.com address to the victim's DNS server by listing NS records in the response without giving the IP addresses of the NS servers. Since the listed NS server has not been encountered before and its IP address is not specified, the resolver tries to determine the IP address of the NS server by sending a query to the victim's DNS server that serves the target domain (victim.com).

The problem is that the attacker can respond with a huge list of non-repeating NS servers with nonexistent fictitious subdomain names of the victim (fake-1.victim.com, fake-2.victim.com, ... fake-1000.victim.com). The resolver tries to send a request to the victim's DNS server, but receives a response that the domain was not found, after which it tries to determine the next NS server in the list, and so on until it has tried all the NS records listed by the attacker. Accordingly, for one request from the attacker, the resolver sends a huge number of requests to determine the NS hosts. Since the NS server names are generated randomly and refer to nonexistent subdomains, they are not retrieved from the cache, and each request from the attacker results in a flurry of requests to the DNS server serving the victim's domain.

The researchers studied how vulnerable public DNS resolvers are to the problem and determined that when sending queries to the CloudFlare resolver (1.1.1.1), the number of packets (PAF, Packet Amplification Factor) can be increased by 48 times, Google (8.8.8.8) by 30 times, FreeDNS (37.235.1.174) by 50 times, and OpenDNS (208.67.222.222) by 32 times. More noticeable figures are observed for Level3 (209.244.0.3) at 273 times, Quad9 (9.9.9.9) at 415 times, SafeDNS (195.46.39.39) at 274 times, Verisign (64.6.64.6) at 202 times, Ultra (156.154.71.1) at 405 times, Comodo Secure (8.26.56.26) at 435 times, DNS.Watch (84.200.69.80) at 486 times, and Norton ConnectSafe (199.85.126.10) at 569 times. For servers based on BIND 9.12.3, due to parallelization of requests, the amplification level can reach up to 1000. In Knot Resolver 5.1.0, the amplification level is about several tens of times (24-48), since the NS names are determined sequentially and resolution runs into the internal limit on the number of name resolution steps allowed for one request.

There are two main defense strategies. For systems with DNSSEC, it is proposed to use RFC-8198 to prevent DNS cache bypass, since the requests are sent with random names. The essence of the method is to generate negative responses without contacting the authoritative DNS servers, using range checking via DNSSEC. A simpler approach is to limit the number of names that can be resolved while processing a single delegated request, but this method may cause problems with some existing configurations because the limits are not defined in the protocol.
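The simpler mitigation described above, shown as an added example that is not code from the researchers or from any DNS server project: an in-memory model (no DNS traffic is sent) of how many upstream lookups one glueless referral causes with and without a per-referral cap. The class and function names, the cap of 5, the `.example` names and the one A plus one AAAA lookup per name are assumptions of the model.

```python
# Added example: in-memory model of referral handling; no DNS traffic is sent.
from dataclasses import dataclass, field

@dataclass
class Referral:
    ns_names: list                              # NS targets listed in the delegation
    glue: dict = field(default_factory=dict)    # NS name -> IP address, if supplied

class ToyResolver:
    def __init__(self, max_glueless=None, qtypes=("A", "AAAA")):
        self.max_glueless = max_glueless   # hypothetical cap; None means unlimited
        self.qtypes = qtypes               # assumption: one lookup per address type
        self.negative_cache = set()        # names already known not to exist
        self.sent = []                     # (qname, qtype) sent to the authoritative server

    def handle_referral(self, referral):
        """Look up addresses of glueless NS names; return how many names were chased."""
        chased = 0
        for name in referral.ns_names:
            if name in referral.glue or name in self.negative_cache:
                continue                   # address supplied, or name known to be absent
            if self.max_glueless is not None and chased >= self.max_glueless:
                break                      # mitigation: stop chasing further names
            for qtype in self.qtypes:
                self.sent.append((name, qtype))
            self.negative_cache.add(name)  # model: every such name ends in NXDOMAIN
            chased += 1
        return chased

def packets_per_client_query(resolver, referral):
    """Upstream queries caused by one client query that triggers this referral."""
    before = len(resolver.sent)
    resolver.handle_referral(referral)
    return len(resolver.sent) - before

def constructed_referral(count, label="a"):
    # Constructed sample data: nonexistent names under a reserved .example domain.
    names = [f"fake-{label}{i}.victim.example" for i in range(1, count + 1)]
    return Referral(names)

if __name__ == "__main__":
    for cap in (None, 5):
        resolver = ToyResolver(max_glueless=cap)
        print(cap, packets_per_client_query(resolver, constructed_referral(1000)))
```

Repeating the same referral costs nothing in the uncapped model because of the negative cache, while a referral with fresh names costs the full amount again, which is why the cap, and not caching alone, bounds the load.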

Source: opennet.ru
