Everything is very bad, or a new type of traffic hijacking

On March 13, the RIPE anti-abuse working group received a proposal to treat BGP hijacking (hijack) as a violation of RIPE policy. If the proposal were accepted, an Internet provider attacked by a traffic hijack would have the opportunity to submit a special request to expose the attacker. If the review team collected enough supporting evidence, the LIR that was the source of the BGP hijack would be considered the attacker and could be stripped of its LIR status. There were also arguments against these changes.

In this publication we want to show an example of an attack where not only the real attacker was in question, but also the entire list of affected prefixes. Moreover, such an attack again raises questions about the motives for future hijacks of this type.

Over the past few years, only conflicts like MOAS (Multiple Origin Autonomous System) have been covered in the press as BGP hijacks. MOAS is a special case where two different autonomous systems advertise conflicting prefixes with corresponding ASNs in AS_PATH (the first ASN in AS_PATH, hereafter called the origin ASN). However, we can name at least 3 additional types of traffic hijacking that allow an attacker to manipulate the AS_PATH attribute for various purposes, including bypassing modern approaches to filtering and monitoring. The known Pilosov-Kapela attack type is the last type of such hijacking, but by no means the least in importance. It is quite possible that this is exactly the kind of attack we have seen in recent weeks. Such an event has an understandable nature and very serious consequences.

Those looking for the TL;DR version can scroll to the "Perfect Attack" subheading.

Network background

(to help you better understand the processes involved in this incident)

If you want to send a packet and your routing table holds several prefixes that contain the destination IP address, you will use the route for the prefix with the longest length. If there are several different routes for the same prefix in the routing table, you will choose the best one (according to the best path selection mechanism).

Existing filtering and monitoring approaches try to analyze routes and make decisions by analyzing the AS_PATH attribute. A router can change this attribute to any value when advertising. Simply adding the owner's ASN at the beginning of the AS_PATH (as the origin ASN) may be enough to bypass current origin-checking mechanisms. Moreover, if there is a route from the attacked ASN to you, it becomes possible to extract the AS_PATH of that route and use it in your other advertisements. Any validation check that looks only at the AS_PATH of such crafted announcements will eventually pass.

There are still a few limitations worth mentioning. First, if the upstream provider filters prefixes, your route can still be filtered (even with a correct AS_PATH) if the prefix does not belong to your client cone as configured at the upstream. Second, a valid AS_PATH can become invalid if the created route is advertised in the wrong directions and thereby violates the routing policy. Finally, any route with a prefix that violates the ROA length may be considered Invalid.

Incident

A few weeks ago we received a complaint from one of our users. We saw routes with his origin ASN and /25 prefixes, while the user claimed that he did not advertise them.

TABLE_DUMP2|1554076803|B|xxx|265466|78.163.7.0/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.7.128/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.18.0/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.18.128/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.226.0/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.226.128/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.164.7.0/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.164.7.128/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||

Examples of announcements from the beginning of April 2019

NTT in the path for a /25 prefix makes it especially suspicious. The NTT LG (looking glass) knew nothing about this route at the time of the incident. So yes, some operator is fabricating the entire AS_PATH for these prefixes! Checking other routers reveals one particular ASN: AS263444. After looking at other routes with this autonomous system, we encountered the following situation:

TABLE_DUMP2|1554076800|B|xxx|265466|1.6.36.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.38.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.23.143.0/25|265466 262761 263444 22356 6762 9498 9730 45528|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.23.143.128/25|265466 262761 263444 22356 6762 9498 9730 45528|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.24.0.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.24.128.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.26.0.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.26.128.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.64.96.0/20|265466 262761 263444 6762 3491 4760|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.64.112.0/20|265466 262761 263444 6762 3491 4760|IGP|xxx|0|0||NAG||

Try to guess what is wrong here

It appears that someone took a prefix from a route, split it into two parts, and advertised a route with the same AS_PATH for those two prefixes.

TABLE_DUMP2|1554076800|B|xxx|263444|1.6.36.0/23|263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|263444|1.6.38.0/23|263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|61775|1.6.36.0/23|61775 262761 263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|61775|1.6.38.0/23|61775 262761 263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.36.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.38.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|28172|1.6.36.0/23|28172 52531 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|28172|1.6.38.0/23|28172 52531 263444 52320 9583|IGP|xxx|0|0||NAG||

Example routes for one of the split prefix pairs
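The split described above can be searched for mechanically. The following is an added example, not code from the original article: it reads `bgpdump -m` style lines (a constructed sample copied from the dumps on this page) and reports every pair of sibling halves that one peer sees with an identical AS_PATH. The function names are assumptions made for this sketch.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: pipe-separated lines copied from the dumps on this page.
SAMPLE = """\
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.36.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.38.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.24.0.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.24.128.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.64.96.0/20|265466 262761 263444 6762 3491 4760|IGP|xxx|0|0||NAG||
"""

def parse(line):
    """Return (peer_asn, prefix, as_path) from one line; assumes no AS_SET in the path."""
    f = line.split("|")
    return int(f[4]), ipaddress.ip_network(f[5]), tuple(int(a) for a in f[6].split())

def split_pairs(lines):
    """Find both halves of one parent prefix seen from one peer with the same AS_PATH."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        peer, net, path = parse(line)
        # Siblings share the same one-bit-shorter supernet.
        seen[(peer, path, net.supernet())].add(net)
    hits = []
    for (peer, path, parent), halves in seen.items():
        if len(halves) == 2:
            # path[-1] is the rightmost ASN, i.e. the origin ASN.
            hits.append((str(parent), path[-1], path))
    return sorted(hits)

if __name__ == "__main__":
    for parent, origin, path in split_pairs(SAMPLE.splitlines()):
        print(parent, "origin AS%d" % origin, "path", path)
```

Legitimate deaggregation produces the same pattern, so each hit is only a candidate to compare against what the origin AS actually announces.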

Several questions arise at once. Has anyone actually tried this type of hijacking in practice? Has anyone accepted these routes? Which prefixes were affected?

This is where our string of failures begins, along with yet another round of disappointment with the current state of the Internet's health.

The path of failure

First things first. How can we determine which routers accepted such hijacked routes and whose traffic could be rerouted today? We thought we would start with /25 prefixes because they "simply cannot propagate worldwide". As you can guess, we were very wrong. This metric turned out to be too noisy, and routes with such prefixes can appear even from Tier-1 operators. For example, NTT has about 50 such prefixes, which it distributes to its own customers. On the other hand, this metric is bad because such prefixes can be filtered out if an operator filters small prefixes in all directions. Therefore, this method is not suitable for finding all operators whose traffic was redirected as a result of such an incident.

Another idea that seemed good to us was to look at ROV, especially at routes that violate the maximum length rule of the corresponding ROA. This way we could find the number of distinct origin ASNs with Invalid status that were visible to a given AS. However, there is a "small" problem. The average (median and mode) of this number (the number of distinct origin ASNs) is about 150 and, even if we filter out small prefixes, it remains above 70. This state of affairs has a very simple explanation: only a few operators already use ROA filters with a "drop Invalid routes" policy at their entry points, so wherever a route with a ROA violation appears in the real world, it can propagate in all directions.

The last two approaches allow us to find operators that saw our incident (since it was quite large), but in general they are not applicable. Fine, but can we find the attacker? What are the common features of this AS_PATH manipulation? There are a few basic assumptions:

  • The prefix had not been seen anywhere before;
  • The origin ASN (reminder: the first ASN in AS_PATH) is valid;
  • The last ASN in AS_PATH is the attacker's ASN (in case its neighbor checks the neighbor's ASN on all incoming routes);
  • The attack originates from a single provider.

If all the assumptions are correct, then every incorrect route will contain the attacker's ASN (in addition to the origin ASN), and this ASN is therefore a "critical" point. Among the real hijackers was AS263444, although there were others, even after we excluded the incident's routes from consideration. Why? A critical point can remain critical even for correct routes. This may be the result of poor connectivity in a region or of limitations in our own visibility.

As a result, there is a way to detect the attacker, but only if all the conditions above are met and only when the hijack is large enough to cross the monitoring thresholds. If some of these conditions are not met, can we still identify the prefixes that suffered from such a hijack? For certain operators, yes.

When an attacker creates a more specific route, that prefix is not advertised by the real owner. If you have a dynamic list of all of the owner's prefixes, obtained from the owner, it becomes possible to make a comparison and find the forged more specific routes. We collect this list of prefixes through our BGP sessions, because we are given not only the full list of routes visible to the operator right now, but also a list of all the prefixes it wants to advertise to the world. Unfortunately, there are now several Radar users who do not complete the last part correctly. We will notify them shortly and try to resolve this issue. Everyone else can join our monitoring system right now.
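The comparison against the owner's own prefix list, followed by the search for a "critical" point among the flagged routes, can be sketched as follows. This is an added example, not the monitoring system's code: `OWNER_ANNOUNCED` is a hypothetical list of what each origin AS says it announces, and the observed paths reuse AS_PATHs from the dumps on this page plus one constructed legitimate route.

```python
import ipaddress
from functools import reduce

# Constructed inputs. OWNER_ANNOUNCED is hypothetical: the prefixes each origin
# AS reports that it advertises. OBSERVED reuses AS_PATHs shown on this page.
OWNER_ANNOUNCED = {9583: ["1.6.36.0/22"], 4837: ["1.24.0.0/16"]}
OBSERVED = [
    ("1.6.36.0/23", (265466, 262761, 263444, 52320, 9583)),
    ("1.6.38.0/23", (28172, 52531, 263444, 52320, 9583)),
    ("1.24.0.0/17", (265466, 262761, 263444, 6762, 4837)),
    ("1.24.0.0/16", (265466, 6762, 4837)),  # constructed legitimate route
]

def unannounced_more_specifics(owner_announced, observed):
    """Routes lying inside a prefix the origin announces but not announced by it."""
    flagged = []
    for prefix, path in observed:
        net, origin = ipaddress.ip_network(prefix), path[-1]
        own = [ipaddress.ip_network(p) for p in owner_announced.get(origin, [])]
        if net in own:
            continue  # the owner really advertises this exact prefix
        if any(net.version == o.version and net.subnet_of(o) for o in own):
            flagged.append((prefix, path))
    return flagged

def critical_points(flagged):
    """ASNs present in every flagged path, ignoring each path's origin ASN."""
    if not flagged:
        return set()
    return reduce(set.intersection, (set(path[:-1]) for _, path in flagged))

if __name__ == "__main__":
    bad = unannounced_more_specifics(OWNER_ANNOUNCED, OBSERVED)
    print([p for p, _ in bad], critical_points(bad))
```

The result is only as good as the owner's list: a prefix the owner forgot to report will be flagged as if it were forged.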

Returning to the original incident, we detected both the attacker and the propagation area by searching for critical points. Surprisingly, AS263444 did not send the fabricated routes to all of its customers. There is, however, an even stranger detail.

BGP4MP|1554905421|A|xxx|263444|178.248.236.0/24|263444 6762 197068|IGP|xxx|0|0|13106:12832 22356:6453 65444:20000|NAG||
BGP4MP|1554905421|A|xxx|263444|178.248.237.0/24|263444 6762 197068|IGP|xxx|0|0|13106:12832 22356:6453 65444:20000|NAG||

A recent example of an attempt to hijack our address space

When more specifics were created for our prefixes, a specially crafted AS_PATH was used. However, this AS_PATH could not have been taken from any of our previous routes. We have no connectivity with AS6762. Looking at the other routes in the incident, some of them had a real AS_PATH that had been used before, while others had one that had never been used, even though it looks like a real one. Changing the AS_PATH as well makes no practical sense, since the traffic will be redirected to the attacker anyway, while routes with a "bad" AS_PATH can be filtered by ASPA or any other verification mechanism. Here we think about the hijacker's motive. At the moment we do not have enough information to confirm that this incident was a planned attack. Nevertheless, it is possible. Let us try to imagine a situation that is still hypothetical, but potentially quite real.

Perfect Attack

What do we have? Let us say you are a transit provider announcing routes for your customers. If your customers have multiple points of presence (multihome), you will receive only part of their traffic. But the more traffic, the higher your income. So if you start advertising subnet prefixes of these same routes with the same AS_PATH, you will receive all of their traffic. As a result, the rest of the money.

Will ROA help here? Perhaps yes, if you decide to stop using maxLength entirely. In addition, it is highly undesirable to have ROA records with overlapping prefixes. For some operators, such restrictions are unacceptable.

As for other routing security mechanisms, ASPA will not help in this case either (because the attack uses the AS_PATH from a valid route). BGPSec is still not a suitable option because of low adoption rates and the remaining possibility of downgrade attacks.

So we have a clear profit for the attacker and a lack of security. A great mix!

What should we do?

The obvious and most drastic step is to review your current routing policy. Split your address space into the smallest chunks (no overlaps) that you want to advertise. Sign ROAs for those only, without using the maxLength parameter. In this case, your current ROV can save you from such an attack. However, again, for some operators this approach is not suitable because they rely exclusively on more specific routes. All the problems with the current state of ROA and route objects will be described in one of our future articles.
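Why dropping maxLength matters can be seen by running origin validation (the RFC 6811 procedure) on a forged more specific that carries the owner's origin ASN. This is an added example, not code from the original article; the ROAs are constructed for illustration, and the /23 aggregate covering the two /24 prefixes from the BGP4MP lines on this page is an assumption.

```python
import ipaddress

def rov_state(prefix, origin_asn, roas):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'.

    roas: iterable of (roa_prefix, max_length or None, asn);
    None means maxLength is absent and equals the ROA prefix length.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the route
        covered = True
        limit = roa_net.prefixlen if max_length is None else max_length
        if asn == origin_asn and net.prefixlen <= limit:
            return "valid"
    # Covered by at least one ROA but matched by none: Invalid.
    return "invalid" if covered else "not-found"

# Constructed ROAs (assumption: the owner advertises a /23 aggregate).
LOOSE_ROA = [("178.248.236.0/23", 24, 197068)]     # maxLength 24
STRICT_ROA = [("178.248.236.0/23", None, 197068)]  # no maxLength

# A more specific carrying the owner's origin ASN, as in the lines on this page.
FORGED = ("178.248.236.0/24", 197068)

if __name__ == "__main__":
    print("loose ROA :", rov_state(*FORGED, LOOSE_ROA))
    print("strict ROA:", rov_state(*FORGED, STRICT_ROA))
```

With the strict ROA the forged /24 is rejected by any network that drops Invalid routes, while the owner's own /23 announcement stays Valid.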

In addition, you can try to monitor such hijacks. To do this, we need reliable information about your prefixes. So, if you establish a BGP session with our collector and give us information about your view of the Internet, we can determine the scope of other incidents. For those who are not yet connected to our monitoring system, a list of routes with only your prefixes will be enough to begin with. If you have a session with us, please check that all of your routes have been sent. Unfortunately, this needs to be remembered because some operators forget a prefix or two and thereby interfere with our search methods. If done correctly, we will have reliable data about your prefixes, which in the future will help us automatically identify and detect this (and other) types of traffic hijacking in your address space.

If you learn about such a hijack of your traffic in real time, you can try to counter it yourself. The first approach is to advertise routes with these more specific prefixes yourself. If a new attack on these prefixes occurs, repeat.

The second approach is to punish the attacker, and those for whom it is a critical point (for good routes), by cutting off the attacker's access to your routes. This can be done by adding the attacker's ASN to the AS_PATH of your old routes, thereby forcing them to avoid that AS through the loop detection mechanism built into BGP, for your own benefit.

Source: www.habr.com
