Counting the "Revizor" agents

It is no secret that enforcement of blocking from the register of prohibited information in Russia is monitored by the automated system "Revizor". How it works is well described in this article on Habr; the picture is from the same place:

[Figure: AS "Revizor" architecture diagram from the linked Habr article]

The "Agent Revizor" module is installed directly at the provider:

The "Agent Revizor" module is part of the architecture of the automated system "Revizor" (AS "Revizor"). This system is designed to monitor compliance by telecom operators with the access-restriction requirements within the framework of the provisions established by Articles 15.1-15.4 of the Federal Law of July 27, 2006 No. 149-FZ "On Information, Information Technologies and Information Protection".

The main purpose of creating AS "Revizor" is to ensure monitoring of telecom operators' compliance with the requirements established by Articles 15.1-15.4 of the Federal Law of July 27, 2006 No. 149-FZ "On Information, Information Technologies and Information Protection", in terms of identifying instances of access to prohibited information and obtaining supporting materials (data) on violations of the restriction of access to prohibited information.

Considering that most providers, if not all, have installed this device, there should by now be a large network of beacon probes, similar to RIPE Atlas and even bigger, but with closed access. A beacon, however, is a beacon: it sends its signal in all directions. So what if we catch those signals and see what we caught, and how many?

Before counting, let's see why this is possible at all.

A little theory

Agents check the availability of a resource, among other things with HTTP(S) requests, like this one:

TCP, 14678  >  80, "[SYN] Seq=0"
TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TCP, 14678  >  80, "[ACK] Seq=1 Ack=1"

HTTP, "GET /somepage HTTP/1.1"
TCP, 80  >  14678, "[ACK] Seq=1 Ack=71"
HTTP, "HTTP/1.1 302 Found"

TCP, 14678  >  80, "[FIN, ACK] Seq=71 Ack=479"
TCP, 80  >  14678, "[FIN, ACK] Seq=479 Ack=72"
TCP, 14678  >  80, "[ACK] Seq=72 Ack=480"

Besides the payload, a request also has a connection-establishment phase, the exchange of SYN and SYN-ACK, and a connection-termination phase, the FIN-ACK exchange.

The register of prohibited information contains several types of blocking. Obviously, if a resource is blocked by IP address or by domain name, we will not see any requests at all. Those are the most destructive blocking types, making every resource on an IP address or all information on a domain unreachable. There is also the "by URL" blocking type. In this case the filtering system must parse the HTTP request header to determine exactly what has to be blocked. And before that, as can be seen above, there has to be a connection-establishment phase, which one can try to track, since the filter will most likely let it through.

To do this, you need to pick a suitable free domain with the "by URL" blocking type and plain HTTP, to make the filtering system's job easy; preferably one abandoned long ago, to minimise the inflow of traffic that does not come from Agents. This task turned out to be not hard at all: there are plenty of free domains in the register of prohibited information, for every taste. So a domain was bought and pointed at the IP addresses of a working VPS, where tcpdump started counting.

Auditing the "Revizors"

I expected to see bursts of requests at certain times, which in my view would indicate a coordinated action. I can't say I didn't see that at all, but there was no clear picture:

[Figure: captured requests over time, all sources]

Unsurprisingly, even on a domain nobody needs and on an IP that had never been used, there is simply a ton of unsolicited traffic, as everywhere on the modern Internet. Luckily, I only needed requests for one specific URL, so all the scanners and password crackers were found quickly. It was also quite easy to tell where the flood was, from the mass of identical requests. Next, I collected the frequency of occurrence of IP addresses and went through the top manually, separating out those missed in the previous stages. Additionally, I cut all sources that had sent a single packet; there were not many of them left. And here is what came out:

[Figure: captured requests over time after removing scanners, floods and single-packet sources]

A small digression. After a little over a day, my hosting provider sent a letter with fairly simple content: your resources contain a resource from the RKN blocked list, therefore it is blocked. At first I thought my account had been blocked; it had not. Then I thought they were just warning me about something I already knew. But it turned out that the hoster had switched on its own filter in front of my domain, and as a result I fell under double filtering: by the providers and by the hoster. The filter let through only the tails of the requests, FIN-ACK and RST, cutting off all HTTP to the prohibited URL. As can be seen on the graph above, after the first day I began receiving less data, but I still received it, and it was quite enough for the task of counting the request sources.

Now to the point. In my opinion, two bursts are clearly visible every day, the first smaller, after midnight Moscow time, the second closer to 6 a.m. with a tail until 12 noon. The peak does not occur at exactly the same time. At first I wanted to select only the IP addresses that fall into these periods, and into each of them, based on the assumption that the checks performed by Agents run on a schedule. But on careful review I quickly found periods falling into other intervals, then into yet other intervals, down to one request every hour. Then I thought about time zones and that it might have something to do with them; then I thought that in general the system may simply not be synchronised globally. Besides, NAT probably plays a role too, and the same Agent can make requests from different public IPs.

Since precision was not my original goal, I counted all the addresses I found over the week and got 2791. The number of TCP sessions established from one address is 4 on average, with a median of 2. Top sessions per address: 464, 231, 149, 83, 77. The maximum within 95% of the sample is 8 sessions per address. The median is not very high; let me remind you that the graph shows a clear daily periodicity, so one would expect something around 4 to 8 over 7 days. If we discard all sessions that occurred only once, we get a median of 5. But I could not exclude them based on a clear criterion. On the contrary, a random check showed that they were related to requests for the prohibited resource.

Addresses are addresses, but on the Internet it is autonomous systems, ASes, that turned out to be more important: 1510 of them, on average 2 addresses per AS with a median of 1. Top addresses per AS: 288, 77, 66, 39, 27. The maximum within 95% of the sample is 4 addresses per AS. Here the median is what one expects: one Agent per provider. The top is also expected: the big players are in it. In a large network, Agents should presumably be placed in every region where the operator is present, and don't forget about NAT. By country, the largest values are: 1409 RU, 42 UA, 23 CZ, and 36 from other regions, outside RIPE NCC. Requests from outside Russia attract attention. This can be explained by geolocation errors or by registrar errors when filling in the data. Or by the fact that a Russian company may not have Russian roots, or has a foreign representative office because it is easier, which is natural when dealing with a foreign organisation, RIPE NCC. Some part is undoubtedly extraneous, but it is hard to separate it reliably, since the resource is under blocking, from the second day under double blocking, and most sessions are an exchange of a few service packets. Let's agree that this part is small.

These numbers can already be compared with the number of providers in Russia. According to RKN there are 6387 licences for "Communication services for data transmission, except voice", but this is a very generous upper estimate; not all of these licences belong to the Internet providers that have to install an Agent. In the RIPE NCC region a similar number of ASes are registered in Russia, 6230, and again not all of them are providers. UserSide made a stricter count and got 3940 companies in 2017, and this is also an upper estimate. In any case, we have two and a half times fewer ASes lit up. But here it is worth understanding that an AS is not strictly equal to a provider. Some providers have no AS of their own, others have more than one. If we assume that everyone has Agents after all, then someone filters harder than the others, so that their requests are indistinguishable from the garbage, if they arrive at all. But for a rough estimate it is tolerable, even if something was lost through my oversight.
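The data reduction described above (keep only sessions aimed at the blocked URL, drop sources that only ever sent one packet, then count sessions per address, addresses per AS and addresses per country with mean, median and a 95th-percentile figure) is easy to get subtly wrong by hand. The following is an added example, not the author's own script: the session records are constructed from documentation IP ranges and private ASNs, the IP-to-AS and country mapping is assumed to have been resolved out of band (the article does not say which lookup was used), and "95% of the sample" is implemented as a nearest-rank percentile.

```python
"""Reduce captured sessions to per-address, per-AS and per-country figures.

Added example, not code from the original article.  The records below are
constructed: documentation IP ranges, private ASNs and made-up countries.
The IP -> AS/country mapping is assumed to have been resolved out of band.
"""
import math
from collections import Counter, defaultdict
from statistics import mean, median
from typing import NamedTuple

BLOCKED_PATH = "/filteredpage"   # the URL from the article's traces


class Session(NamedTuple):
    ip: str        # source address of the TCP session
    asn: int       # autonomous system the address belongs to (assumed resolved)
    country: str   # registry country of the address (assumed resolved)
    path: str      # requested path, "" if the session died before any GET
    packets: int   # packets seen from this source in the session


# One entry per captured TCP session (constructed sample).
SESSIONS = [
    Session("203.0.113.10", 64500, "RU", BLOCKED_PATH, 9),
    Session("203.0.113.10", 64500, "RU", "", 3),             # cut by RST after SYN-ACK
    Session("203.0.113.10", 64500, "RU", BLOCKED_PATH, 9),
    Session("203.0.113.10", 64500, "RU", BLOCKED_PATH, 9),
    Session("203.0.113.11", 64500, "RU", "", 3),
    Session("198.51.100.7", 64501, "RU", BLOCKED_PATH, 9),
    Session("198.51.100.7", 64501, "RU", "", 3),
    Session("192.0.2.25", 64502, "UA", BLOCKED_PATH, 9),
    Session("192.0.2.99", 64503, "DE", "/wp-login.php", 9),   # scanner, other URL
    Session("192.0.2.100", 64503, "DE", "", 1),               # lone SYN, never came back
]


def percentile(values, p):
    """Nearest-rank percentile (the article's 'maximum within 95% of the sample')."""
    ordered = sorted(values)
    rank = max(0, math.ceil(p / 100 * len(ordered)) - 1)
    return ordered[rank]


def reduce_sessions(sessions, blocked_path=BLOCKED_PATH):
    """Drop what the article dropped: sessions asking for any other URL
    (scanners, password guessers) and sources that only ever sent one packet.
    Sessions with no request at all are kept: the filter may have killed them
    before the GET, which is exactly the behaviour we want to count."""
    hits = [s for s in sessions if s.path in ("", blocked_path)]
    packets_per_ip = Counter()
    for s in hits:
        packets_per_ip[s.ip] += s.packets
    return [s for s in hits if packets_per_ip[s.ip] > 1]


def describe(counts):
    """Summary statistics over a Counter of per-entity counts."""
    values = list(counts.values())
    return {
        "entities": len(values),
        "mean": mean(values),
        "median": median(values),
        "p95": percentile(values, 95),
        "top": counts.most_common(5),
    }


def sessions_per_ip(sessions):
    return describe(Counter(s.ip for s in sessions))


def addresses_per_as(sessions):
    ips = defaultdict(set)
    for s in sessions:
        ips[s.asn].add(s.ip)
    return describe(Counter({asn: len(v) for asn, v in ips.items()}))


def addresses_per_country(sessions):
    ips = defaultdict(set)
    for s in sessions:
        ips[s.country].add(s.ip)
    return Counter({c: len(v) for c, v in ips.items()})


if __name__ == "__main__":
    kept = reduce_sessions(SESSIONS)
    print("per address:", sessions_per_ip(kept))
    print("per AS:     ", addresses_per_as(kept))
    print("per country:", addresses_per_country(kept))
```

Two choices matter here. Filtering on packets per source rather than per session is what removes the lone SYN probes without touching an address that was cut short by the filter in one session but completed another. And the per-AS figures count distinct addresses, not sessions, so a single busy address behind NAT does not inflate its AS.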

About DPI

Even though my hosting provider switched on its filter from the second day, the data from the first day is enough to conclude that the blocking works successfully. Only 4 sources managed to break through and complete both the HTTP and the TCP session in full (as in the example above). Another 460 could send a GET, but the session was immediately terminated by an RST. Pay attention to the TTL:

TTL 50, TCP, 14678  >  80, "[SYN] Seq=0"
TTL 64, TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TTL 50, TCP, 14678  >  80, "[ACK] Seq=1 Ack=1"

HTTP, "GET /filteredpage HTTP/1.1"
TTL 64, TCP, 80  >  14678, "[ACK] Seq=1 Ack=294"

# This is what the filter sent
TTL 53, TCP, 14678  >  80, "[RST] Seq=3458729893"
TTL 53, TCP, 14678  >  80, "[RST] Seq=3458729893"

HTTP, "HTTP/1.1 302 Found"

# And this is the source node trying to recover what it thinks was lost
TTL 50, TCP ACKed unseen segment, 14678 > 80, "[ACK] Seq=294 Ack=145"

TTL 50, TCP, 14678  >  80, "[FIN, ACK] Seq=294 Ack=145"
TTL 64, TCP, 80  >  14678, "[FIN, ACK] Seq=171 Ack=295"

TTL 50, TCP Dup ACK 14678 > 80 "[ACK] Seq=295 Ack=145"

# The source node realises the session is broken
TTL 50, TCP, 14678  >  80, "[RST] Seq=294"
TTL 50, TCP, 14678  >  80, "[RST] Seq=295"

Variations of this differ: fewer RSTs, or more retransmissions; it depends on what the filter sends to the source node. In any case, this is a fairly reliable pattern, and it shows that it was the prohibited resource that was requested. Plus there is always a response in the session whose TTL is larger than in the packets before and after it.

From others you can't even see the GET:

TTL 50, TCP, 14678  >  80, "[SYN] Seq=0"
TTL 64, TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"

# This is what the filter sent
TTL 53, TCP, 14678  >  80, "[RST] Seq=1"

Or:

TTL 50, TCP, 14678  >  80, "[SYN] Seq=0"
TTL 64, TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TTL 50, TCP, 14678  >  80, "[ACK] Seq=1 Ack=1"

# This is what the filter sent
TTL 53, TCP, 14678  >  80, "[RST, PSH] Seq=1"

TTL 50, TCP ACKed unseen segment, 14678 > 80, "[FIN, ACK] Seq=89 Ack=172"
TTL 50, TCP ACKed unseen segment, 14678 > 80, "[FIN, ACK] Seq=89 Ack=172"

# The filter again, many times
TTL 53, TCP, 14678  >  80, "[RST, PSH] Seq=1"
...

The difference in TTL is clearly visible whenever something arrives from the filter. But often nothing arrives at all:

TCP, 14678  >  80, "[SYN] Seq=0"
TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TCP Retransmission, 80 > 14678, "[SYN, ACK] Seq=0 Ack=1"
...

Or:

TCP, 14678  >  80, "[SYN] Seq=0"
TCP, 80  >  14678, "[SYN, ACK] Seq=0 Ack=1"
TCP, 14678  >  80, "[ACK] Seq=1 Ack=1"

# A few seconds pass with no traffic

TCP, 80  >  14678, "[FIN, ACK] Seq=1 Ack=1"
TCP Retransmission, 80 > 14678, "[FIN, ACK] Seq=1 Ack=1"
...

And all of this repeats again and again and again, as can be seen on the graph, more than once, every day.
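The traces above all reduce to one rule: a segment that carries the client's address but not the client's TTL came from somewhere in the path, not from the client. The following classifier is an added example and not the author's tooling; its sessions are constructed from the traces in the text (client TTL 50, our host TTL 64, filter-injected packets TTL 53), represented as inline tuples instead of a pcap, and the label names are this example's own.

```python
"""Classify captured TCP sessions by what the in-path filter did to them.

Added example, not code from the original article.  Each session below is
constructed from the traces shown in the text: the probing client's segments
arrive with TTL 50, our host answers with TTL 64, and the segments the filter
injects under the client's address arrive with TTL 53.  A real tool would
take these fields from a pcap; here they are inline tuples.
"""
from collections import Counter

# Packet = (sender, ttl, flags, payload)
#   sender  "C": the packet carries the client's source address, "S": ours
#   ttl     IP TTL as observed at our host
#   flags   set of TCP flag names
#   payload first line of HTTP data, "" for a bare segment
# Filter-injected RSTs are spoofed, so they also show sender "C"; only the
# TTL distinguishes them from the client's own segments.

COMPLETE = [
    ("C", 50, {"SYN"}, ""),
    ("S", 64, {"SYN", "ACK"}, ""),
    ("C", 50, {"ACK"}, ""),
    ("C", 50, {"PSH", "ACK"}, "GET /somepage HTTP/1.1"),
    ("S", 64, {"ACK"}, ""),
    ("S", 64, {"PSH", "ACK"}, "HTTP/1.1 302 Found"),
    ("C", 50, {"FIN", "ACK"}, ""),
    ("S", 64, {"FIN", "ACK"}, ""),
    ("C", 50, {"ACK"}, ""),
]
# GET got through, then the filter fired two RSTs with TTL 53; the client's
# own RST at the end carries its real TTL 50 and must not be counted.
RST_AFTER_GET = [
    ("C", 50, {"SYN"}, ""),
    ("S", 64, {"SYN", "ACK"}, ""),
    ("C", 50, {"ACK"}, ""),
    ("C", 50, {"PSH", "ACK"}, "GET /filteredpage HTTP/1.1"),
    ("S", 64, {"ACK"}, ""),
    ("C", 53, {"RST"}, ""),
    ("C", 53, {"RST"}, ""),
    ("S", 64, {"PSH", "ACK"}, "HTTP/1.1 302 Found"),
    ("C", 50, {"ACK"}, ""),
    ("C", 50, {"FIN", "ACK"}, ""),
    ("S", 64, {"FIN", "ACK"}, ""),
    ("C", 50, {"RST"}, ""),
]
RST_ON_SYNACK = [("C", 50, {"SYN"}, ""), ("S", 64, {"SYN", "ACK"}, ""), ("C", 53, {"RST"}, "")]
RST_PSH_AFTER_ACK = [
    ("C", 50, {"SYN"}, ""),
    ("S", 64, {"SYN", "ACK"}, ""),
    ("C", 50, {"ACK"}, ""),
    ("C", 53, {"RST", "PSH"}, ""),
    ("C", 50, {"FIN", "ACK"}, ""),
    ("C", 53, {"RST", "PSH"}, ""),
]
NO_CLIENT_ACK = [("C", 50, {"SYN"}, ""), ("S", 64, {"SYN", "ACK"}, ""), ("S", 64, {"SYN", "ACK"}, "")]
IDLE_THEN_SERVER_FIN = [
    ("C", 50, {"SYN"}, ""),
    ("S", 64, {"SYN", "ACK"}, ""),
    ("C", 50, {"ACK"}, ""),
    ("S", 64, {"FIN", "ACK"}, ""),
    ("S", 64, {"FIN", "ACK"}, ""),
]


def classify(session):
    """Return (label, injected_ttl).  injected_ttl is the TTL of the first RST
    that carried the client's address but not the client's TTL, else None."""
    client_ttl = next(ttl for who, ttl, flags, _ in session
                      if who == "C" and flags == {"SYN"})
    saw_get = any(who == "C" and body.startswith("GET ") for who, _, _, body in session)
    saw_reply = any(who == "S" and body.startswith("HTTP/") for who, _, _, body in session)
    handshake_acked = any(who == "C" and flags == {"ACK"} for who, _, flags, _ in session)
    client_fin = any(who == "C" and "FIN" in flags for who, _, flags, _ in session)
    # An RST "from the client" whose TTL differs from the client's SYN was
    # injected somewhere on the path, i.e. by the filter.
    injected = [ttl for who, ttl, flags, _ in session
                if who == "C" and "RST" in flags and ttl != client_ttl]
    if injected:
        return ("filtered_after_get" if saw_get else "filtered_on_handshake", injected[0])
    if saw_get and saw_reply and client_fin:
        return ("complete", None)
    if not handshake_acked:
        return ("no_handshake_ack", None)      # our SYN-ACK was never answered
    if not saw_get:
        return ("idle_after_handshake", None)  # handshake done, then silence
    return ("incomplete", None)


def summarize(sessions):
    """Count labels over many sessions, the way the article's daily figures do."""
    return Counter(classify(s)[0] for s in sessions)


if __name__ == "__main__":
    for name, s in [("complete", COMPLETE), ("rst after GET", RST_AFTER_GET),
                    ("rst on SYN-ACK", RST_ON_SYNACK), ("rst after ACK", RST_PSH_AFTER_ACK),
                    ("no ACK", NO_CLIENT_ACK), ("idle", IDLE_THEN_SERVER_FIN)]:
        print(f"{name:15s} -> {classify(s)}")
```

The TTL comparison is anchored to the client's own SYN rather than to a fixed value, because the initial TTL and hop count vary per source; what does not vary within one session is the client's TTL, so the client's own RSTs at the end of the first trace (TTL 50) are correctly left alone. The heuristic fails only when the filter sits at the same hop distance as the client or crafts its TTL to match, and the "no ACK" and "idle" classes carry no TTL evidence at all, which is why the article can only say that "often nothing arrives".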

About IPv6

The good news is that it exists. I can honestly say that I saw periodic requests to the blocked resource from 5 different IPv6 addresses, which is the agent behaviour I expected. Moreover, one of the IPv6 addresses does not fall under filtering at all and I see a full session. From two more I saw only one unfinished session each, one of them interrupted by an RST from the filter, the other by a timeout. Total 7.

Since there are so few addresses, I studied them all in detail, and it turned out there are only 3 providers among them; they deserve a standing ovation! One more address is a cloud hosting in Russia (does not filter), another is a research centre in Germany (there is a filter, where?). But why they check the availability of prohibited resources on a schedule is a good question. The remaining two made one request each and are located outside Russia, and one of them is filtered (in transit, then?).

Blocking and agents are a big obstacle to IPv6, whose rollout is not going very quickly anyway. It is sad. Those who have solved this problem can be justly proud.

In conclusion

I did not strive for 100% accuracy, please forgive me for that; I hope someone will want to repeat this work with greater precision. It was important for me to understand whether this approach would work in principle. The answer is yes. The resulting figures, as a first estimate, are in my opinion quite reliable.

What else could have been done, and what I was too lazy to do, is to count DNS requests. They are not filtered, but they also do not give much precision, since they only reveal the domain, not the whole URL. The frequency should be visible, though. Combined with what is seen directly in the requests, this would allow separating out the unwanted traffic and obtaining additional information. It might even be possible to determine the DNS resolvers used by providers, and much more.

I did not expect at all that the hoster would also put its own filter in front of my VPS. Perhaps this is common practice; after all, RKN sends the hoster a request to remove the resource. But this did not surprise me, and in some ways it was even useful. The filter worked very well, cutting all well-formed HTTP requests to the prohibited URL, while the malformed ones that had slipped past the providers' filters reached it, although only as the tails of sessions: FIN-ACK and RST, stripped clean, and these almost made up the whole. However, the hoster did not filter IPv6. Yes, this affected the quality of the collected material, but it still made it possible to see the frequency. It turns out this is an important point when choosing where to place resources; don't forget to ask how the provider organises its work with the register of prohibited sites and requests from RKN.

At the beginning, I compared AS "Revizor" with RIPE Atlas. The comparison is quite appropriate, and a large network of agents could be useful. For example, to determine the quality of resource availability at different providers in different parts of the country. You can measure delays, build graphs, analyse it all and see changes occurring locally and globally. This is not the most direct way, but astronomers use "standard candles", so why not use Agents? Knowing (having found out) their standard behaviour, one can detect changes occurring near them and how these affect the quality of the services provided. And at the same time you do not need to place probes in the network yourself; Roskomnadzor has already placed them.

Another point I want to touch on is that any tool can be a weapon. AS "Revizor" is a closed network, but the Agents give everyone away by sending requests for every resource on the prohibited list. Having such a resource presents no problems at all. In total, providers with Agents, without knowing it, tell more about their network than they should: the type of DPI and DNS, the Agent's location (central node and service network?), network indicators of delay and loss; and that is only the most obvious. Just as one can monitor the agents' actions to improve the availability of one's own resources, someone can do it for other purposes, and there are no obstacles to that. The result is a double-edged and many-sided tool, as anyone can see.

Source: www.habr.com
