New SAD DNS attack injects bogus data into the DNS cache

A group of researchers from the University of California, Riverside has published a new variant of the SAD DNS attack (CVE-2021-20322) that works despite the protections added last year to block the CVE-2020-25705 vulnerability. The new method is broadly similar to last year's vulnerability and differs only in using a different type of ICMP packet to probe for active UDP ports. The proposed attack allows bogus data to be substituted into a DNS server's cache, which can be used to replace the IP address of an arbitrary domain in the cache and redirect requests for that domain to the attacker's server.

The proposed method works only against the Linux network stack, because it relies on peculiarities of the ICMP packet handling mechanism in Linux, which acts as a source of data leakage that makes it easier to determine the UDP port number used by the server to send an outgoing request. A change that blocks the information leak was accepted into the Linux kernel at the end of August (the fix is included in kernel 5.15 and in the September updates to the LTS kernel branches). The fix boils down to switching the network caches from the Jenkins hash to the SipHash hashing algorithm. The status of the fix in distributions can be checked on these pages: Debian, RHEL, Fedora, SUSE, Ubuntu.

According to the researchers who identified the problem, about 38% of open resolvers on the network are vulnerable, including popular DNS services such as OpenDNS and Quad9 (9.9.9.9). As for server software, the attack can be carried out against packages such as BIND, Unbound and dnsmasq running on a Linux server. The problem does not appear on DNS servers running on Windows and BSD systems. To carry out the attack successfully, IP spoofing is required, i.e. the attacker's ISP must not block packets with a forged source IP address.

As a reminder, the SAD DNS attack bypasses the protections added to DNS servers to block the DNS cache poisoning method proposed in 2008 by Dan Kaminsky. The Kaminsky method exploits the small size of the DNS query ID field, which is only 16 bits. To hit the correct DNS transaction identifier needed to spoof a host name, it is enough to send about 7000 requests and simulate about 140 thousand fake responses. The attack boils down to sending a large number of packets with a spoofed source IP and different DNS transaction identifiers to the DNS resolver. To prevent the first response from being cached, each dummy response contains a slightly modified domain name (1.example.com, 2.example.com, 3.example.com, etc.).

To protect against this type of attack, DNS server developers implemented random selection of the source network port from which resolution requests are sent, compensating for the insufficient size of the identifier. Once this protection against spoofed responses was in place, in addition to guessing the 16-bit identifier it became necessary to guess one of 64 thousand ports, which increased the number of options to search to 2^32.

The SAD DNS method radically simplifies determining the network port number and reduces the attack to the classic Kaminsky method. The attacker can distinguish unused from active UDP ports by taking advantage of information about network port activity that leaks when ICMP response packets are processed. The method reduces the number of options to search by 4 orders of magnitude: 2^16 + 2^16 instead of 2^32 (131_072 instead of 4_294_967_296). The information leak that allows active UDP ports to be determined quickly is caused by a flaw in the code handling ICMP packets that request fragmentation (ICMP Fragmentation Needed) or redirection (ICMP Redirect). Sending such packets changes the state of a cache in the network stack, which makes it possible, based on the server's response, to determine which UDP port is active and which is not.

Attack scenario: when a DNS resolver tries to resolve a domain name, it sends a UDP query to the DNS server serving that domain. While the resolver is waiting for a response, the attacker can quickly determine the source port number that was used to send the request and send a fake response to it, impersonating the DNS server serving the domain by means of IP address spoofing. The DNS resolver will cache the data sent in the fake response and, for some time, will return the attacker-substituted IP address for all other DNS requests for that domain name.
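The patterns described above are detectable on the resolver side. The following is an added example, not code from the original article or from the researchers: a heuristic run over constructed, simplified flow records that flags a burst of ICMP Fragmentation Needed or Redirect messages from one source, many unsolicited responses with distinct transaction IDs aimed at a single resolver port, and the 1.example.com, 2.example.com sibling-name trick. The record format, addresses, port number and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real traffic). Simplified fields:
#   ("dns",  src_ip, resolver_port, txid, qname)  inbound DNS response
#   ("icmp", src_ip, icmp_type, icmp_code)        inbound ICMP message
RESOLVER_PORT = 41234  # hypothetical ephemeral source port of the resolver's query
SAMPLE_RECORDS = [
    ("icmp", "203.0.113.7", 3, 4),   # ICMP Fragmentation Needed (type 3, code 4)
    ("icmp", "203.0.113.7", 3, 4),
    ("icmp", "203.0.113.7", 5, 1),   # ICMP Redirect (type 5)
    ("icmp", "203.0.113.7", 3, 4),
] + [
    # Eight forged answers for N.example.com, each with a different TXID,
    # all aimed at the one resolver port the probing revealed.
    ("dns", "198.51.100.2", RESOLVER_PORT, txid, f"{i}.example.com")
    for i, txid in enumerate(range(0x1000, 0x1008), start=1)
] + [
    ("dns", "198.51.100.2", 40001, 0x2222, "www.example.net"),  # benign single answer
]

NUMERIC_LABEL = re.compile(r"^\d+\.(.+)$")  # matches "7.example.com" -> "example.com"


def analyse(records, dns_threshold=5, icmp_threshold=3):
    """Return findings for the three poisoning-attempt patterns; empty lists mean clean."""
    txids_per_port = defaultdict(set)     # (src_ip, resolver_port) -> distinct TXIDs seen
    siblings_per_base = defaultdict(set)  # base domain -> numeric-prefixed sibling names
    icmp_per_src = defaultdict(int)       # src_ip -> count of probe-capable ICMP messages

    for rec in records:
        if rec[0] == "dns":
            _, src, port, txid, qname = rec
            txids_per_port[(src, port)].add(txid)
            m = NUMERIC_LABEL.match(qname)
            if m:
                siblings_per_base[m.group(1)].add(qname)
        elif rec[0] == "icmp":
            _, src, itype, icode = rec
            if (itype, icode) == (3, 4) or itype == 5:
                icmp_per_src[src] += 1

    return {
        "txid_bruteforce": [(k, len(v)) for k, v in txids_per_port.items() if len(v) >= dns_threshold],
        "sibling_names": [(b, len(v)) for b, v in siblings_per_base.items() if len(v) >= dns_threshold],
        "icmp_port_probe": [(s, n) for s, n in icmp_per_src.items() if n >= icmp_threshold],
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_RECORDS).items():
        print(kind, hits)
```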

Source: opennet.ru
