Akusiyo imfihlo ukuba ukulawulwa kokuthintela kwiluhlu lolwazi olunqatshelwe eRashiya lubekwe esweni yinkqubo ezenzekelayo "Umhloli". Indlela esebenza ngayo ibhalwe kakuhle apha kule , umfanekiso okwindawo enye:
Ifakwe ngqo kumboneleli :
Imodyuli "yoMhloli we-Agent" yinto yolwakhiwo lwenkqubo ezenzekelayo "Umhloli" (AS "Umhloli"). Le nkqubo yenzelwe ukubeka esweni ukuthotyelwa kwabaqhubi be-telecom kunye neemfuno zokuthintela ukufikelela ngaphakathi kwesakhelo semimiselo esekwe yiNqaku 15.1-15.4 yoMthetho we-Federal kaJulayi 27, 2006 No. ”
Injongo ephambili yokudala i-AS "Revizor" kukuqinisekisa ukuthotyelwa kwabaqhubi be-telecom kunye neemfuno ezisekwe yiNqaku 15.1-15.4 yoMthetho we-Federal kaJulayi 27, 2006 No. " malunga nokuchonga iinyani zokufikelela kulwazi olungavumelekanga kunye nokufumana izinto ezixhasayo (idatha) malunga nokuphulwa kokuthintela ukufikelela kulwazi olungavumelekanga.
Uthathela ingqalelo into yokuba, ukuba ayingabo bonke, uninzi lwababoneleli basifakile esi sixhobo, bekufanele ukuba kukho inethiwekhi enkulu yeebhikoni eziphandayo ezifana. kwaye nangaphezulu, kodwa ngofikelelo oluvaliweyo. Nangona kunjalo, ibhakana sisibane sokuthumela imiqondiso macala onke, kodwa kuthekani ukuba siyayibamba kwaye sibone into esiyibambileyo kwaye bangaphi?
Ngaphambi kokuba sibale, makhe sibone ukuba kutheni le nto inokwenzeka.
Ingcamango ethile
Iiarhente zijonga ubukho besixhobo, ukuquka ngeHTTP(S) izicelo, ezifana nesi:
TCP, 14678 > 80, "[SYN] Seq=0"
TCP, 80 > 14678, "[SYN, ACK] Seq=0 Ack=1"
TCP, 14678 > 80, "[ACK] Seq=1 Ack=1"
HTTP, "GET /somepage HTTP/1.1"
TCP, 80 > 14678, "[ACK] Seq=1 Ack=71"
HTTP, "HTTP/1.1 302 Found"
TCP, 14678 > 80, "[FIN, ACK] Seq=71 Ack=479"
TCP, 80 > 14678, "[FIN, ACK] Seq=479 Ack=72"
TCP, 14678 > 80, "[ACK] Seq=72 Ack=480"
Ukongeza kumthwalo wokuhlawula, isicelo sikwabandakanya isigaba sokusekwa koqhagamshelo: utshintshiselwano SYN и SYN-ACK, kunye nezigaba zokugqitywa koqhagamshelwano: FIN-ACK.
Irejista yolwazi olunqatshelwe luqulethe iindidi ezininzi zokuvimba. Ngokucacileyo, ukuba isibonelelo sivaliwe yidilesi ye-IP okanye igama lesizinda, ngoko asiyi kubona naziphi na izicelo. Ezi ntlobo zezona zonakalisa kakhulu zokuthintela, ezikhokelela ekungafumanekiyo kwazo zonke izibonelelo kwidilesi enye ye-IP okanye lonke ulwazi kwi-domain. Kukho kwakhona "nge-URL" uhlobo lokuthintela. Kulo mzekelo, isixokelelwano sokucoca kufuneka sicazulule i-header yesicelo se-HTTP ukumisela ukuba yintoni enokubhloka. Kwaye phambi kwayo, njengoko kunokubonwa ngasentla, kufuneka kubekho isigaba sokusekwa koqhagamshelo onokuthi uzame ukusilandela, kuba kusenokwenzeka ukuba isihluzi siyakuphoswa.
Ukwenza oku, kufuneka ukhethe i-domain ekhululekileyo efanelekileyo kunye ne "URL" kunye nohlobo lokuthintela i-HTTP ukuququzelela umsebenzi wenkqubo yokucoca, ngokufanelekileyo ishiywe ixesha elide, ukunciphisa ukungena kwetrafikhi engaphandle ngaphandle kwee-Agents. Lo msebenzi uye wabonakala ungenzima kwaphela; kukho iindawo ezininzi zasimahla kwirejista yolwazi olungavumelekanga kunye nayo yonke incasa. Ngoko ke, i-domain yathengwa kwaye idibaniswe needilesi ze-IP kwi-VPS esebenzayo tcpdump kwaqala ukubala.
Uphicotho lwe "Auditors"
Bendilindele ukubona izicelo eziqhushumbayo, ngokokubona kwam oko bekuya kubonisa isenzo esilawulwayo. Akunakwenzeka ukuthetha ukuba andizange ndiyibone kwaphela, kodwa ngokuqinisekileyo kwakungekho mfanekiso ucacileyo:
Oko akumangalisi, nakwi-domain ekungekho mntu uyidingayo kunye ne-IP engazange isetyenziswe, kuya kuba netoni yolwazi olungacetywanga, njenge-Intanethi yanamhlanje. Kodwa ngethamsanqa, bendifuna kuphela izicelo ze-URL ethile, ke zonke iiskena kunye ne-password crackers zifunyenwe ngokukhawuleza. Kwakhona, kwakulula ukuqonda apho unogumbe wawusekelwe kubunzima bezicelo ezifanayo. Emva koko, ndaqulunqa ukuphindaphinda kokuvela kweedilesi ze-IP kwaye ndadlula yonke into ephezulu ngesandla, ndahlula abo bayiphosileyo kumanqanaba angaphambili. Ukongeza, ndinqumle yonke imithombo ethunyelwe kwiphakheji enye, bekungasekho maninzi kubo. Kwaye kwenzeka oku:
Uphumlo oluncinci lwengoma. Ngaphantsi kosuku emva koko, umboneleli wam wokubamba wathumela ileta enomxholo olungelelanisiweyo, esithi izibonelelo zakho ziqulethe isibonelelo esivela kuluhlu oluthintelweyo lwe-RKN, ngoko luvaliwe. Ekuqaleni ndandicinga ukuba i-akhawunti yam ivaliwe, kwakungenjalo. Emva koko ndacinga ukuba bandilumkisa nje ngento endandisele ndiyazi ngayo. Kodwa kwavela ukuba i-hoster ivule isihluzo sayo phambi kwesizinda sam kwaye ngenxa yoko ndafika phantsi kokucoca kabini: ukusuka kubaboneleli kunye nakwi-hoster. Isihluzi sigqithise kuphela iziphelo zezicelo: FIN-ACK и RST ukusika yonke i-HTTP kwi-URL engavumelekanga. Njengoko unokubona kwigrafu engentla, emva kosuku lokuqala ndaqala ukufumana idatha encinci, kodwa ndisayifumene, eyanele ngokwaneleyo ukubala imithombo yesicelo.
Yiya kwinqanaba. Ngokombono wam, ukugqabhuka kabini kubonakala ngokucacileyo yonke imihla, okokuqala kuncinci, emva kobusuku bexesha laseMoscow, okwesibini kufutshane ne-6 ekuseni kunye nomsila ukuya kwi-12 emini. Incopho ayenzeki kanye ngexesha elinye. Ekuqaleni, ndandifuna ukukhetha iidilesi ze-IP eziwela kuphela kula maxesha kwaye ngalinye kuwo onke amaxesha, ngokusekelwe kwingcinga yokuba ii-Agents zenziwa ngamaxesha athile. Kodwa emva kokuphonononga ngononophelo, ndiye ndafumanisa ngokukhawuleza amaxesha esiwa kwamanye amaxesha, kunye nezinye iifrikhwensi, ukuya kuthi ga kwisicelo esinye kwiyure nganye. Emva koko ndacinga malunga neendawo zexesha kwaye mhlawumbi zinento yokwenza nazo, emva koko ndacinga ukuba ngokubanzi inkqubo inokungadityaniswa kwihlabathi jikelele. Ukongeza, i-NAT mhlawumbi iya kudlala indima kwaye i-Agent efanayo inokwenza izicelo kwii-IP zoluntu ezahlukeneyo.
Kuba injongo yam yokuqala yayingeyiyo ncam, ndibala zonke iidilesi endiye ndazifumana ngeveki kwaye ndazifumana - 2791. Inani leeseshoni ze-TCP ezisekelwe kwidilesi enye yi-4, kunye ne-median ye-2. Iiseshoni eziphezulu ngedilesi nganye: 464, 231, 149, 83, 77. Ubuninzi obuvela kwi-95% yesampuli yiiseshoni ze-8 ngedilesi nganye. I-median ayiphezulu kakhulu, makhe ndikukhumbuze ukuba igrafu ibonisa i-periodicity ecacileyo yemihla ngemihla, ngoko umntu unokulindela into malunga ne-4 ukuya kwi-8 kwiintsuku ze-7. Ukuba silahla zonke iiseshoni ezenzeka kanye, siya kufumana i-median elingana no-5. Kodwa andizange ndibakhuphele ngaphandle ngokusekelwe kwinqobo ecacileyo. Ngokuchasene noko, ukukhangela okungacwangciswanga kwabonisa ukuba zazinxulumene nezicelo zomthombo owalelweyo.
Iidilesi ziidilesi, kodwa kwi-Intanethi, iinkqubo ezizimeleyo - AS, eziye zabonakala zibaluleke ngakumbi 1510, kwi-avareji 2 iidilesi nge-AS kunye ne-median ye-1. Iidilesi eziphezulu kwi-AS: 288, 77, 66, 39, 27. Ubuninzi be-95% yesampuli yi-4 idilesi nge-AS. Apha i-median ilindeleke - i-Agent enye ngomboneleli ngamnye. Silindele nabaphezulu – kukho abadlali abakhulu kuyo. Kwinethiwekhi enkulu, ii-Agent kufuneka zibekwe kwindawo nganye yobukho bomqhubi, kwaye ungalibali nge-NAT. Ukuba siyithatha ngelizwe, ubuninzi buya kuba: 1409 - RU, 42 - UA, 23 - CZ, 36 ukusuka kwezinye iindawo, kungekhona i-RIPE NCC. Izicelo ezisuka ngaphandle kweRashiya zitsala umdla. Oku mhlawumbi kunokuchazwa ngeempazamo ze-geolocation okanye iimpazamo zombhalisi xa ugcwalisa idatha. Okanye into yokuba inkampani yaseRashiya ayinayo iingcambu zaseRashiya, okanye ibe neofisi yommeli wangaphandle kuba ilula, into engokwemvelo xa isebenzisana nentlangano yangaphandle i-RIPE NCC. Inxalenye ethile ngokungathandabuzekiyo i-superfluous, kodwa kunzima ngokuthembekileyo ukuyihlula, kuba isibonelelo siphantsi kokuthintela, kwaye ukususela ngosuku lwesibini phantsi kokuthintela kabini, kwaye ezininzi iiseshini zitshintshiselwano lweepakethi ezininzi zenkonzo. Masivume ukuba le yinxalenye encinci.
La manani sele enokuthelekiswa nenani lababoneleli eRashiya. iilayisenisi "Iinkonzo zoNxibelelwano losasazo lwedatha, ngaphandle kwelizwi" - 6387, kodwa olu luqikelelo oluphezulu kakhulu oluvela phezulu, ayizizo zonke ezi mvume ezisebenza ngokukodwa kubaboneleli be-Intanethi abafuna ukufaka i-Agent. Kwi-RIPE NCC zone kukho inani elifanayo le-ASes ebhaliswe eRashiya - i-6230, apho akubona bonke ababoneleli. kwaye ifumene iinkampani ezingama-3940 ngo-2017, kwaye oku kunokuba luqikelelo oluvela phezulu. Kuyo nayiphi na imeko, sinamaxesha amabini anesiqingatha ngaphantsi kwenani lee-AS ezikhanyisiweyo. Kodwa apha kufanelekile ukuqonda ukuba i-AS ayilingani ngokungqongqo nomnikezeli. Abanye ababoneleli abanayo i-AS yabo, abanye bangaphezu kwesinye. Ukuba sicinga ukuba wonke umntu usenayo i-Agents, ngoko umntu ucoca kakhulu kunabanye, ukuze izicelo zabo zingabonakali kwinkunkuma, ukuba zifikelela kuzo zonke. Kodwa kuvavanyo olurhabaxa luyanyamezeleka, nokuba kukho into elahlekileyo ngenxa yokongamela kwam.
Malunga neDPI
Ngaphandle kwento yokuba umnikezeli wam wokubamba uphendulele isihluzo saso ukususela ngosuku lwesibini, ngokusekelwe kulwazi olusuka kusuku lokuqala sinokugqiba ukuba ukuvinjelwa kusebenza ngempumelelo. Imithombo ye-4 kuphela ikwazi ukufikelela kwaye igqibe ngokupheleleyo iiseshoni ze-HTTP kunye ne-TCP (njengoko kumzekelo ongentla). Amanye angama-460 anokuthunyelwa GET, kodwa iseshoni iyapheliswa ngoko nangoko RST. Naka u TTL:
TTL 50, TCP, 14678 > 80, "[SYN] Seq=0"
TTL 64, TCP, 80 > 14678, "[SYN, ACK] Seq=0 Ack=1"
TTL 50, TCP, 14678 > 80, "[ACK] Seq=1 Ack=1"
HTTP, "GET /filteredpage HTTP/1.1"
TTL 64, TCP, 80 > 14678, "[ACK] Seq=1 Ack=294"
#Вот это прислал фильтр
TTL 53, TCP, 14678 > 80, "[RST] Seq=3458729893"
TTL 53, TCP, 14678 > 80, "[RST] Seq=3458729893"
HTTP, "HTTP/1.1 302 Found"
#А это попытка исходного узла получить потерю
TTL 50, TCP ACKed unseen segment, 14678 > 80, "[ACK] Seq=294 Ack=145"
TTL 50, TCP, 14678 > 80, "[FIN, ACK] Seq=294 Ack=145"
TTL 64, TCP, 80 > 14678, "[FIN, ACK] Seq=171 Ack=295"
TTL 50, TCP Dup ACK 14678 > 80 "[ACK] Seq=295 Ack=145"
#Исходный узел понимает что сессия разрушена
TTL 50, TCP, 14678 > 80, "[RST] Seq=294"
TTL 50, TCP, 14678 > 80, "[RST] Seq=295"
Ukwahluka oku kunokwahluka: ngaphantsi RST okanye ukuthunyelwa kwakhona okungaphezulu- kukwaxhomekeke ekubeni isihluzi sithumela ntoni na kwindawo yomthombo. Kwimeko nayiphi na into, le template ethembekileyo, apho kucacile ukuba yayiyimithombo enqatshelwe eyayiceliwe. Plus kusoloko kukho impendulo evela kwiseshoni nge TTL inkulu kuneepakethe ezidlulileyo nezilandelayo.
Awunakuyibona nakweminye GET:
TTL 50, TCP, 14678 > 80, "[SYN] Seq=0"
TTL 64, TCP, 80 > 14678, "[SYN, ACK] Seq=0 Ack=1"
#Вот это прислал фильтр
TTL 53, TCP, 14678 > 80, "[RST] Seq=1"
Okanye kunjalo:
TTL 50, TCP, 14678 > 80, "[SYN] Seq=0"
TTL 64, TCP, 80 > 14678, "[SYN, ACK] Seq=0 Ack=1"
TTL 50, TCP, 14678 > 80, "[ACK] Seq=1 Ack=1"
#Вот это прислал фильтр
TTL 53, TCP, 14678 > 80, "[RST, PSH] Seq=1"
TTL 50, TCP ACKed unseen segment, 14678 > 80, "[FIN, ACK] Seq=89 Ack=172"
TTL 50, TCP ACKed unseen segment, 14678 > 80, "[FIN, ACK] Seq=89 Ack=172"
#Опять фильтр, много раз
TTL 53, TCP, 14678 > 80, "[RST, PSH] Seq=1"
...
Umahluko ubonakala ngokuqinisekileyo TTL ukuba kukho into evela kwisihluzo. Kodwa amaxesha amaninzi akukho nto inokufika konke konke:
TCP, 14678 > 80, "[SYN] Seq=0"
TCP, 80 > 14678, "[SYN, ACK] Seq=0 Ack=1"
TCP Retransmission, 80 > 14678, "[SYN, ACK] Seq=0 Ack=1"
...
Okanye kunjalo:
TCP, 14678 > 80, "[SYN] Seq=0"
TCP, 80 > 14678, "[SYN, ACK] Seq=0 Ack=1"
TCP, 14678 > 80, "[ACK] Seq=1 Ack=1"
#Прошло несколько секунд без трафика
TCP, 80 > 14678, "[FIN, ACK] Seq=1 Ack=1"
TCP Retransmission, 80 > 14678, "[FIN, ACK] Seq=1 Ack=1"
...
Kwaye konke oku kuphinda kuphindwe kwaye kuphindwe kwaye kuphindwe, njengoko kunokubonwa kwigrafu, ngaphezu kweyodwa, yonke imihla.
Malunga IPv6
Iindaba ezimnandi kukuba ikho. Ndingatsho ngokuqinisekileyo ukuba izicelo zamaxesha athile kwisixhobo esithintelweyo zivela kwiidilesi ezi-5 ezahlukeneyo ze-IPv6, nto leyo yindlela yokuziphatha yee-Arhente ebendizilindele. Ngaphezu koko, enye yeedilesi ze-IPv6 ayiweli phantsi kohluzo kwaye ndibona iseshoni epheleleyo. Ukusuka kwezinye ezimbini ndabona iseshoni enye kuphela engekagqitywa, enye yayo yaphazanyiswa RST ukusuka kwisihluzi, okwesibini kwixesha. Imali iyonke 7.
Ekubeni kukho iidilesi ezimbalwa, ndifunde zonke iinkcukacha kwaye kwavela ukuba kukho ababoneleli be-3 kuphela apho, banokunikwa i-ovation yokuma! Enye idilesi i-cloud hosting eRashiya (ayihlungi), enye iziko lophando eJamani (kukho isihlungi, phi?). Kodwa kutheni bajonga ukufumaneka kwezixhobo ezithintelweyo kwishedyuli ngumbuzo olungileyo. Ababini abaseleyo benza isicelo esinye kwaye babekwe ngaphandle kweRashiya, kwaye enye yazo iyahluzwa (kwihambo, emva kwayo yonke into?).
Ukuthintela kunye nee-Agents zingumqobo omkhulu kwi-IPv6, ukuphunyezwa kwayo okungahambi ngokukhawuleza. Kubuhlungu. Abo basombulula le ngxaki banokuzingca ngokupheleleyo.
Ekugqibeleni
Andizange ndizame ukuchaneka kwe-100%, ndicela undixolele ngale nto, ndiyathemba ukuba umntu ufuna ukuphinda lo msebenzi ngokuchaneka okukhulu. Kwakubalulekile kum ukuba ndiqonde ukuba le ndlela iza kusebenza ngokomgaqo. Impendulo nguewe. Njengoqikelelo lokuqala, amanani afunyenweyo, ndicinga ukuba athembekile.
Yintoni enye eyayinokwenziwa kwaye into endandiyonqena ukuyenza kukubala izicelo ze-DNS. Azihluzwanga, kodwa nazo aziboneleli ngokuchaneka okuninzi kuba zisebenzela indawo yommandla kuphela, kwaye ingeyiyo yonke i-URL. I-frequency kufuneka ibonakale. Ukuba udibanisa kunye nento ebonakalayo ngokuthe ngqo kwimibuzo, oku kuya kukuvumela ukuba uhlukanise okungafunekiyo kwaye ufumane ulwazi oluninzi. Kunokwenzeka ukumisela abaphuhlisi be-DNS abasetyenziswa ngababoneleli kunye nokunye okuninzi.
Andizange ndilindele ukuba umgcini-mgcini uza kubandakanya isihluzi saso seVPS yam. Mhlawumbi le yinto eqhelekileyo. Ekugqibeleni, i-RKN ithumela isicelo sokucima i-resource kwi-host. Kodwa oku akuzange kundimangalise yaye ngandlel’ ithile kwade kwandinceda. Isihluzi sisebenze kakuhle, sinqumle zonke izicelo ezichanekileyo ze-HTTP kwi-URL engavumelekanga, kodwa ezingezizo ebezikade zigqithile kwisihluzo sababoneleli zifike kuzo, nokuba zikwimo yesiphelo kuphela: FIN-ACK и RST - thabatha uthabathe kwaye iphantse yajika ibeyi-plus. Ngendlela, i-IPv6 ayizange ihluzwe ngumgcini. Ngokuqinisekileyo, oku kwachaphazela umgangatho wezinto eziqokelelweyo, kodwa kusenokwenza kube lula ukubona i-periodicity. Kwavela ukuba le nto ibalulekileyo xa ukhetha indawo yokubeka izixhobo;
Ekuqaleni, ndathelekisa i-AS "Umhloli" kunye . Olu thelekiso lufanelekile kwaye uthungelwano olukhulu lweearhente lunokuba luncedo. Umzekelo, ukumisela umgangatho wokufumaneka kwezibonelelo kubaboneleli abahlukeneyo kwiindawo ezahlukeneyo zelizwe. Ungabala ukulibaziseka, unokwakha iigrafu, unokuyihlalutya yonke kwaye ubone utshintsho olwenzekayo ngaphakathi nakwihlabathi jikelele. Le akuyona indlela ethe ngqo, kodwa izazi ngeenkwenkwezi zisebenzisa "amakhandlela aqhelekileyo", kutheni ungasebenzisi ii-Agents? Ukwazi (ekufumaneni) ukuziphatha kwabo okusemgangathweni, unokumisela utshintsho olwenzekayo malunga nabo kwaye oku kuchaphazela njani umgangatho weenkonzo ezibonelelweyo. Kwaye ngexesha elifanayo, awudingi ukubeka ngokuzimeleyo iiprobes kwinethiwekhi;
Enye inqaku endifuna ukuyichukumisa kukuba sonke isixhobo sinokuba sisixhobo. NJENGOKO "Umhloli" yinethiwekhi evaliweyo, kodwa ii-Agent zinika wonke umntu ngokuthumela izicelo zabo bonke oovimba kuluhlu oluthintelweyo. Ukuba nomthombo onjalo akuvezi naziphi na iingxaki konke konke. Lilonke, ababoneleli ngeeAgents, bengazi, baxelele okuninzi malunga nenethiwekhi yabo kunokuba kufanelekile: i-DPI kunye neentlobo ze-DNS, indawo ye-Agent (i-node ephakathi kunye nenethiwekhi yenkonzo?), abamakishi benethiwekhi yokulibaziseka kunye nelahleko - kwaye oku ku kuphela eyona icacileyo. Kanye njengokuba umntu unokubeka iliso kwizenzo zee-Agents zokuphucula ukufumaneka kwezibonelelo zabo, umntu unokukwenza oku ngezinye iinjongo kwaye akukho miqobo kule nto. Isiphumo sisixhobo esiphindwe kabini kunye nesininzi kakhulu, nabani na unokubona oku.
umthombo: www.habr.com