NXNSAttack: an attack affecting all DNS resolvers

A group of researchers from Tel Aviv University and the Interdisciplinary Center Herzliya (Israel) has developed a new attack method, NXNSAttack (PDF), which allows any DNS resolver to be used as a traffic amplifier. It provides an amplification factor of up to 1621 times in terms of packet count (for each request sent to the resolver, 1621 requests can be sent to the victim's server) and up to 163 times in terms of traffic.

The problem stems from specifics of the protocol and affects all DNS servers that support recursive query processing, including BIND (CVE-2020-8616), Knot (CVE-2020-12667), PowerDNS (CVE-2020-10995), Windows DNS Server and Unbound (CVE-2020-12662), as well as the public DNS services of Google, Cloudflare, Amazon, Quad9, ICANN and other companies. The fix was coordinated with the DNS server developers, who simultaneously released updates fixing the vulnerability in their products. Protection against the attack is implemented in Unbound 1.10.1, Knot Resolver 5.1.1, PowerDNS Recursor 4.3.1, 4.2.2, 4.1.16, and BIND 9.11.19, 9.14.12, 9.16.3.

The attack relies on the attacker using requests that refer to a large number of previously unseen fictitious NS records, to which name resolution is delegated, but without including glue records with the IP addresses of the NS servers in the response. For example, the attacker sends a query to resolve the name sd1.attacker.com while controlling the DNS server responsible for the attacker.com domain. In response to the resolver's request, the attacker's DNS server returns a response that delegates resolution of sd1.attacker.com to the victim's DNS server by listing NS records without giving the IP addresses of those NS servers. Since the named NS server has not been encountered before and its IP address is not specified, the resolver tries to determine the IP address of the NS server by sending a query to the victim's DNS server that serves the target domain (victim.com).


The problem is that the attacker can respond with a huge list of non-repeating NS servers with non-existent, fictitious names of victim subdomains (fake-1.victim.com, fake-2.victim.com, ... fake-1000.victim.com). The resolver will try to send a request to the victim's DNS server, but will receive a response that the domain was not found, after which it will try to resolve the next NS server in the list, and so on until it has tried all the NS records listed by the attacker. Accordingly, for a single attacker request, the resolver will send a huge number of requests to resolve the NS hosts. Since the NS server names are generated randomly and refer to non-existent subdomains, they are not served from the cache, and each request from the attacker results in a flood of requests to the DNS server serving the victim's domain.


The researchers studied how vulnerable public DNS resolvers are to the problem and determined that, when sending queries to the CloudFlare resolver (1.1.1.1), the number of packets can be increased (PAF, Packet Amplification Factor) by 48 times, Google (8.8.8.8) - 30 times, FreeDNS (37.235.1.174) - 50 times, OpenDNS (208.67.222.222) - 32 times. More noticeable figures are observed for Level3 (209.244.0.3) - 273 times, Quad9 (9.9.9.9) - 415 times, SafeDNS (195.46.39.39) - 274 times, Verisign (64.6.64.6) - 202 times, Ultra (156.154.71.1) - 405 times, Comodo Secure (8.26.56.26) - 435 times, DNS.Watch (84.200.69.80) - 486 times, and Norton ConnectSafe (199.85.126.10) - 569 times. For servers based on BIND 9.12.3, because requests are parallelized, the amplification level can reach 1000. In Knot Resolver 5.1.0, the amplification level is around several tens of times (24-48), since NS names are resolved sequentially and are subject to an internal limit on the number of name resolution steps allowed for a single request.

There are two main defense strategies. For systems with DNSSEC, it is proposed to use RFC-8198 to prevent the DNS cache from being bypassed, since the requests are sent with random names. The essence of the method is to generate negative responses without contacting the authoritative DNS servers, using range checking via DNSSEC. A simpler approach is to limit the number of names that can be resolved when processing a single delegated request, but this method may cause problems with existing configurations because the limits are not defined in the protocol.
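The simpler defense, a per-delegation limit on glueless NS lookups, can be modelled as follows. This is an added example, not code from the researchers or from any resolver; `Referral`, `glueless_lookups`, `fanout_by_zone` and `MAX_GLUELESS` are hypothetical names, and the limit of 5 is an assumed value.

```python
from dataclasses import dataclass, field

def norm(name):
    """Case-insensitive DNS name without the trailing dot."""
    return name.lower().rstrip(".")

@dataclass
class Referral:
    zone: str                                  # name being delegated
    ns_names: list                             # NS targets (authority section)
    glue: dict = field(default_factory=dict)   # NS name -> IP (additional section)

def glueless_lookups(ref, cache=(), cap=None):
    """NS names the resolver would have to resolve itself for this referral.

    cap=None models a resolver that chases every listed name;
    an integer models the per-delegation limit described above.
    """
    known = {norm(n) for n in ref.glue} | {norm(n) for n in cache}
    # dict.fromkeys de-duplicates while keeping the order of the referral
    pending = list(dict.fromkeys(
        n for n in map(norm, ref.ns_names) if n not in known))
    return pending if cap is None else pending[:cap]

def fanout_by_zone(ref, cache=(), cap=None):
    """Planned lookups grouped by the NS name minus its first label,
    i.e. roughly which authoritative zone receives the load."""
    counts = {}
    for name in glueless_lookups(ref, cache, cap):
        parent = name.split(".", 1)[1] if "." in name else name
        counts[parent] = counts.get(parent, 0) + 1
    return counts

# Constructed sample referrals; the hostile one uses the article's names.
HOSTILE = Referral("sd1.attacker.com",
                   [f"fake-{i}.victim.com" for i in range(1, 1001)])
NORMAL = Referral("example.org", ["ns1.example.org.", "NS2.example.org"],
                  {"ns1.example.org": "192.0.2.1",
                   "ns2.example.org": "192.0.2.2"})
MAX_GLUELESS = 5   # hypothetical limit, not taken from any resolver

if __name__ == "__main__":
    print(fanout_by_zone(HOSTILE))                    # no limit
    print(fanout_by_zone(HOSTILE, cap=MAX_GLUELESS))  # with the limit
    print(fanout_by_zone(NORMAL, cap=MAX_GLUELESS))   # glue present
```

The per-zone count is also a useful log metric on a resolver: a single referral that schedules many lookups under one foreign zone is the pattern described above.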

Source: opennet.ru
