New SAD DNS attack for injecting fake data into the DNS cache

A team of researchers from the University of California, Riverside has published a new variant of the SAD DNS attack (CVE-2021-20322) that works despite the protection added last year to block the CVE-2020-25705 vulnerability. The new method is largely the same as last year's vulnerability and differs only in using a different type of ICMP packet to probe for active UDP ports. The proposed attack allows false data to be inserted into a DNS server's cache, which can be used to substitute the IP address of an arbitrary domain in the cache and redirect requests for that domain to the attacker's server.

The proposed method works only against the Linux network stack, because it depends on a peculiarity of how Linux processes ICMP packets; that behaviour acts as a data leak which makes it easier to determine the UDP port number the server used to send an outgoing request. Changes that block the information leak were accepted into the Linux kernel at the end of August (the fix is included in kernel 5.15 and in the September updates to the LTS kernel branches). The fix boils down to switching the network caches from Jenkins Hash to the SipHash hashing algorithm. The status of the fix in distributions can be checked on these pages: Debian, RHEL, Fedora, SUSE, Ubuntu.

According to the researchers who identified the problem, about 38% of open resolvers on the network are vulnerable, including popular DNS services such as OpenDNS and Quad9 (9.9.9.9). As for server software, the attack can be carried out against packages such as BIND, Unbound and dnsmasq running on a Linux server. The problem does not appear on DNS servers running on Windows and BSD systems. To carry out the attack successfully, IP spoofing is required, i.e. the attacker's ISP must not block packets with a forged source IP address.

As a reminder, the SAD DNS attack bypasses the protections added to DNS servers to block the classic DNS cache poisoning method proposed in 2008 by Dan Kaminsky. Kaminsky's method exploits the small size of the DNS query ID field, which is only 16 bits. To hit the correct DNS transaction identifier needed to spoof a hostname, it is enough to send about 7000 requests and simulate about 140 thousand fake responses. The attack boils down to sending a large number of packets with a forged source IP and different DNS transaction identifiers to the DNS resolver. To prevent the first response from being cached, each fake response contains a slightly modified domain name (1.example.com, 2.example.com, 3.example.com, etc.).

To protect against this kind of attack, DNS server developers implemented random selection of the source network port from which resolution requests are sent, which compensates for the insufficient size of the identifier. After this protection was introduced, sending a fake response required guessing not only the 16-bit identifier but also one of 64 thousand ports, which increased the number of combinations to 2^32.

The SAD DNS method makes it possible to radically simplify determining the network port number and thereby reduce the attack to the classic Kaminsky method. An attacker can distinguish unused from active UDP ports by using information about network port activity that leaks while ICMP response packets are processed. The method reduces the number of combinations to search by 4 orders of magnitude - 2^16+2^16 instead of 2^32 (131_072 instead of 4_294_967_296). The information leak that allows active UDP ports to be determined quickly is caused by a flaw in the code that processes ICMP packets requesting fragmentation (the ICMP Fragmentation Needed flag) or redirection (the ICMP Redirect flag). Sending such packets changes the state of a cache in the network stack, which makes it possible to determine, from the server's response, which UDP ports are active and which are not.
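The leak described above is driven by ICMP Fragmentation Needed (type 3, code 4) and ICMP Redirect (type 5) packets aimed at the resolver, and a probe needs many of them in a short time. The following detector, an added example that is not code from the article or from the researchers, flags destinations that receive a burst of such packets. The log format, the sample traffic, the 1-second window and the threshold of 20 packets are all constructed assumptions; the ICMP type/code values are the standard ones.

```python
"""Flag bursts of ICMP Fragmentation Needed / Redirect packets aimed at a host.

Added example (not from the article). Log format is an assumed one-packet-per-line
text format: "<epoch seconds> <src ip> <dst ip> <proto> [<icmp type>/<icmp code>]".
"""
from collections import defaultdict, deque

# Standard ICMP values: Destination Unreachable (3) with code 4 = Fragmentation Needed,
# type 5 = Redirect (any code).
ICMP_FRAG_NEEDED = (3, 4)
ICMP_REDIRECT_TYPE = 5


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    pkt = {"ts": float(parts[0]), "src": parts[1], "dst": parts[2],
           "proto": parts[3], "icmp": None}
    if pkt["proto"] == "icmp" and len(parts) >= 5:
        icmp_type, icmp_code = parts[4].split("/")
        pkt["icmp"] = (int(icmp_type), int(icmp_code))
    return pkt


def is_port_probe_candidate(pkt):
    """True for the two ICMP kinds the article names as the side channel."""
    if pkt["icmp"] is None:
        return False
    return pkt["icmp"] == ICMP_FRAG_NEEDED or pkt["icmp"][0] == ICMP_REDIRECT_TYPE


def peak_icmp_rate(lines, window_s=1.0):
    """Return {dst: highest count of candidate ICMP packets in any window_s span}."""
    pkts = [p for p in (parse_line(l) for l in lines) if p and is_port_probe_candidate(p)]
    pkts.sort(key=lambda p: p["ts"])          # sliding window needs time order
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for pkt in pkts:
        q = windows[pkt["dst"]]
        q.append(pkt["ts"])
        while q and pkt["ts"] - q[0] > window_s:
            q.popleft()                        # drop packets older than the window
        peak[pkt["dst"]] = max(peak[pkt["dst"]], len(q))
    return dict(peak)


def alerts(lines, window_s=1.0, threshold=20):
    """Destinations whose peak rate of probe-like ICMP reaches the threshold (tunable)."""
    return sorted(d for d, n in peak_icmp_rate(lines, window_s).items() if n >= threshold)


def constructed_sample_log():
    """Constructed sample traffic (RFC 5737 documentation addresses), not a real capture."""
    base = 1700000000.0
    lines = [
        f"{base + 0.5:.3f} 203.0.113.7 192.0.2.10 icmp 0/0",   # benign echo reply
        f"{base + 2.0:.3f} 203.0.113.7 192.0.2.10 icmp 5/1",   # isolated redirect
        f"{base + 9.0:.3f} 203.0.113.7 192.0.2.10 icmp 5/1",   # another, 7 s later
        f"{base + 3.0:.3f} 192.0.2.53 203.0.113.9 udp",        # ordinary DNS query
    ]
    # Burst: 30 redirects and 30 fragmentation-needed packets hit the resolver
    # 192.0.2.53 within about 0.6 s.
    for i in range(30):
        lines.append(f"{base + 4.0 + 0.01 * i:.3f} 198.51.100.1 192.0.2.53 icmp 5/1")
        lines.append(f"{base + 4.3 + 0.01 * i:.3f} 198.51.100.1 192.0.2.53 icmp 3/4")
    return lines


if __name__ == "__main__":
    print(peak_icmp_rate(constructed_sample_log()))
    print("alerts:", alerts(constructed_sample_log()))
```

Such a burst is only a hint that the side channel is being exercised; the actual fix is the kernel change the article mentions, and because the attack also depends on spoofed source addresses, ingress filtering of forged source IPs (BCP 38) at the network edge removes the other precondition.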

Attack scenario: when a DNS resolver tries to resolve a domain name, it sends a UDP query to the DNS server that serves the domain. While the resolver is waiting for the response, the attacker can quickly determine the source port number used to send the request and send a fake response to it, impersonating the DNS server serving the domain by means of IP address spoofing. The DNS resolver caches the data carried in the fake response and, for some time, returns the IP address substituted by the attacker for all subsequent DNS requests for that domain name.
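The scenario above, together with the Kaminsky background and the port-randomization defence described earlier, comes down to how a resolver decides whether an incoming response belongs to an outstanding query. The model below is an added example, not code from any DNS server or from the article: a resolver keeps a table of pending queries keyed by (transaction ID, source port), accepts a response only when both match and the question section is the same, and `guess_space` returns the number of combinations a forger must cover in each of the three situations the article describes (2^16, 2^32, and 2^16+2^16). The class, field names and the port range are assumptions made for illustration.

```python
"""Model of a resolver's response matching (added example, not a real DNS implementation)."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Pending:
    txid: int       # 16-bit DNS transaction ID
    src_port: int   # UDP source port the query was sent from
    qname: str
    qtype: int


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int   # UDP port the response is addressed to
    qname: str
    qtype: int
    answer: str     # e.g. the A record value


class Resolver:
    """Minimal pending-query table; randomize_ports=False models a fixed source port."""

    def __init__(self, randomize_ports=True):
        self.randomize_ports = randomize_ports
        self.pending = {}   # (txid, src_port) -> Pending
        self.cache = {}     # qname -> answer

    def send_query(self, qname, qtype=1):
        txid = int.from_bytes(os.urandom(2), "big")            # random 16-bit ID
        if self.randomize_ports:
            # Assumed ephemeral range 1024..65535, chosen with OS randomness.
            port = 1024 + int.from_bytes(os.urandom(2), "big") % (65536 - 1024)
        else:
            port = 53                                          # fixed port, pre-2008 style
        p = Pending(txid, port, qname, qtype)
        self.pending[(txid, port)] = p
        return p

    def receive(self, r):
        """Accept only a response whose ID, port and question match a pending query."""
        p = self.pending.get((r.txid, r.dst_port))
        if p is None:
            return False                       # wrong transaction ID or wrong port
        if (p.qname, p.qtype) != (r.qname, r.qtype):
            return False                       # question section does not match
        del self.pending[(r.txid, r.dst_port)] # first matching response wins
        self.cache[r.qname] = r.answer
        return True


def guess_space(port_randomized, port_leaked):
    """Combinations a forged response must cover, per the article's figures."""
    if not port_randomized:
        return 2 ** 16                 # only the 16-bit ID is unknown
    if port_leaked:
        return 2 ** 16 + 2 ** 16       # port found first via the side channel, then the ID
    return 2 ** 32                     # ID and port must be hit together


if __name__ == "__main__":
    r = Resolver()
    q = r.send_query("www.example.com")
    forged = Response(q.txid, (q.src_port + 1) % 65536, "www.example.com", 1, "203.0.113.5")
    print("forged response with wrong port accepted:", r.receive(forged))
    print("guess space with leak:", guess_space(True, True))
```

The model shows why the port leak matters: once the port is known, the forger is back to matching a single 16-bit value, exactly the situation Kaminsky's method exploits.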

Source: opennet.ru
