A PF (Packet Filter) solution to the DNS vulnerability of recent days

A few days ago a DNS protocol vulnerability was published; you can find its details here and the technical details here. If the vulnerability is exploited, the caches of the DNS servers that carry this flaw (we can say 99% of the Internet) can be poisoned.
One of the measures recommended at the address given above is that DNS servers use random source ports when they send queries. As far as I know, apart from DJBdns there is no DNS server/client software that provides this natively.
If you use a firewall such as Packet Filter that can change source ports while doing NAT (most firewalls do), then sending your DNS server's outbound UDP 53 traffic through NAT makes the source port numbers randomly chosen.
The example below was carried out with OpenBSD, named and PF.

Queries from a DNS server that goes out without NAT through PF:
# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> www.google.com
Server:   127.0.0.1
Address:  127.0.0.1#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 74.125.39.103
Name:   www.l.google.com
Address: 74.125.39.147
Name:   www.l.google.com
Address: 74.125.39.99
Name:   www.l.google.com
Address: 74.125.39.104
> www.huzeyfe.net
Server:   127.0.0.1
Address:  127.0.0.1#53

Non-authoritative answer:
Name:   www.huzeyfe.net
Address: 80.93.212.86
> set q=a
> www.huzeyfe.net
Server:   127.0.0.1
Address:  127.0.0.1#53

Non-authoritative answer:
Name:   www.huzeyfe.net
Address: 80.93.212.86
> www.cnn.com
Server:   127.0.0.1
Address:  127.0.0.1#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 64.236.91.23
Name:   www.cnn.com
Address: 64.236.16.20
Name:   www.cnn.com
Address: 64.236.16.52
Name:   www.cnn.com
Address: 64.236.24.12
Name:   www.cnn.com
Address: 64.236.29.120
Name:   www.cnn.com
Address: 64.236.91.21
> exit
When we watch the outgoing traffic of these requests with tcpdump, we get the following:

# tcpdump -ttnn udp port 53
tcpdump: listening on vic0, link-type EN10MB
1214527060.000368 192.168.2.23.26926 > 192.33.14.30.53: 52135% [1au] A? www.huzeyfe.net. (44)
1214527060.202598 192.168.2.23.26926 > 70.84.223.230.53: 26205% [1au] AAAA? jet.tekrom.com. (43)
1214527060.202728 192.168.2.23.26926 > 70.84.223.230.53: 45553% [1au] A? ns3.tekrom.com. (43)
1214527060.202918 192.168.2.23.26926 > 70.84.223.230.53: 9887% [1au] AAAA? ns3.tekrom.com. (43)
1214527060.203064 192.168.2.23.26926 > 70.84.223.230.53: 19219% [1au] A? ns4.tekrom.com. (43)
1214527060.203171 192.168.2.23.26926 > 70.84.223.230.53: 9937% [1au] AAAA? ns4.tekrom.com. (43)
1214527060.478490 70.84.223.230.53 > 192.168.2.23.26926: 23575*- 1/2/3 A 74.52.0.226 (127) (DF)
1214527060.479070 192.168.2.23.26926 > 70.84.223.226.53: 5700% [1au] A? www.huzeyfe.net. (44)
1214527060.483016 70.84.223.230.53 > 192.168.2.23.26926: 26205*- 0/1/1 (91) (DF)
1214527060.487206 70.84.223.230.53 > 192.168.2.23.26926: 45553*- 1/2/2 A 70.84.223.226 (107) (DF)
1214527060.492574 70.84.223.230.53 > 192.168.2.23.26926: 9887*- 0/1/1 (87) (DF)
1214527060.496554 70.84.223.230.53 > 192.168.2.23.26926: 19219*- 1/2/2 A 70.84.223.227 (107) (DF)
1214527060.501199 70.84.223.230.53 > 192.168.2.23.26926: 9937*- 0/1/1 (91) (DF)
1214527060.756220 70.84.223.226.53 > 192.168.2.23.26926: 5700- 0/13/1 (252) (DF)
1214527060.756753 192.168.2.23.26926 > 70.84.223.227.53: 58800% [1au] A? www.huzeyfe.net. (44)
1214527061.031910 70.84.223.227.53 > 192.168.2.23.26926: 58800- 0/13/1 (252) (DF)
1214527061.032272 192.168.2.23.26926 > 74.52.0.226.53: 54605% [1au] A? www.huzeyfe.net. (44)
1214527061.309713 74.52.0.226.53 > 192.168.2.23.26926: 54605*- 1/2/3 A 80.93.212.86 (138) (DF)
1214527081.550135 192.168.2.23.26926 > 192.26.92.30.53: 48697% [1au] A? www.cnn.com. (40)
1214527081.694272 192.26.92.30.53 > 192.168.2.23.26926: 48697- 0/4/5 (203) (DF)
1214527081.695022 192.168.2.23.26926 > 205.188.146.88.53: 10679% [1au] A? www.cnn.com. (40)
1214527081.851653 205.188.146.88.53 > 192.168.2.23.26926: 10679- 0/2/3 (123) (DF)
If you look carefully, all DNS queries leave from the same source port (26926)...

Now let us repeat the same steps after applying NAT with Packet Filter to the outbound UDP 53 traffic.
The queries:

# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> set query=a
> www.huzeyfe.net
Server:   127.0.0.1
Address:  127.0.0.1#53

Non-authoritative answer:
Name:   www.huzeyfe.net
Address: 80.93.212.86
> www.linux.com
Server:   127.0.0.1
Address:  127.0.0.1#53

Non-authoritative answer:
www.linux.com   canonical name = linux.com.
Name:   linux.com
Address: 216.34.181.51
> www.fazlamesai.org
Server:   127.0.0.1
Address:  127.0.0.1#53

Non-authoritative answer:
Name:   www.fazlamesai.org
Address: 82.222.181.125
> netsec.lifeoverip.net
Server:   127.0.0.1
Address:  127.0.0.1#53

Non-authoritative answer:
Name:   netsec.lifeoverip.net
Address: 80.93.212.86
The tcpdump output of the queries:

# tcpdump -ttnn udp port 53
tcpdump: listening on vic0, link-type EN10MB
1214527500.423316 192.168.2.23.55819 > 192.42.93.30.53: 15093% [1au] A? www.linux.com. (42)
1214527500.692729 192.42.93.30.53 > 192.168.2.23.55819: 15093- 0/3/4 (168) (DF)
1214527500.694008 192.168.2.23.63085 > 12.31.165.79.53: 8055% [1au] A? www.linux.com. (42)
1214527500.991152 12.31.165.79.53 > 192.168.2.23.63085: 8055*- 2/0/0 CNAME linux.com., (61) (DF)
1214527500.995350 192.168.2.23.60810 > 216.34.181.21.53: 732% [1au] A? linux.com. (38)
1214527501.165336 216.34.181.21.53 > 192.168.2.23.60810: 732*- 1/0/0 A 216.34.181.51 (43) (DF)
1214527515.105501 192.168.2.23.63168 > 192.54.112.30.53: 38190% [1au] A? www.fazlamesai.org. (47)
1214527515.176086 192.54.112.30.53 > 192.168.2.23.63168: 38190- 0/2/1 (97) (DF)
1214527515.177442 192.168.2.23.52894 > 199.19.57.1.53: 13823% [1au] A? ns1.fazlamesai.org. (47)
1214527515.177701 192.168.2.23.52894 > 199.19.57.1.53: 63052% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.177963 192.168.2.23.52894 > 199.19.57.1.53: 52497% [1au] A? ns2.fazlamesai.org. (47)
1214527515.178148 192.168.2.23.52894 > 199.19.57.1.53: 19103% [1au] AAAA? ns2.fazlamesai.org. (47)
1214527515.251261 199.19.57.1.53 > 192.168.2.23.52894: 13823- 0/2/3 (111) (DF)
1214527515.251972 192.168.2.23.57625 > 195.33.233.59.53: 64528% [1au] A? ns1.fazlamesai.org. (47)
1214527515.256090 199.19.57.1.53 > 192.168.2.23.52894: 63052- 0/2/3 (111) (DF)
1214527515.256721 192.168.2.23.57625 > 195.33.233.59.53: 19139% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.260952 199.19.57.1.53 > 192.168.2.23.52894: 52497- 0/2/3 (111) (DF)
1214527515.261360 192.168.2.23.57625 > 195.33.233.59.53: 2367% [1au] A? ns2.fazlamesai.org. (47)
1214527515.265682 199.19.57.1.53 > 192.168.2.23.52894: 19103- 0/2/3 (111) (DF)
1214527515.266223 192.168.2.23.57625 > 195.33.233.59.53: 19193% [1au] AAAA? ns2.fazlamesai.org. (47)
1214527515.695411 192.168.2.23.57625 > 195.33.233.59.53: 22141% [1au] A? www.fazlamesai.org. (47)
1214527515.764586 192.168.2.23.61756 > 82.222.181.125.53: 51328% [1au] A? ns1.fazlamesai.org. (47)
1214527515.764749 192.168.2.23.61756 > 82.222.181.125.53: 60964% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.764895 192.168.2.23.61756 > 82.222.181.125.53: 48058% [1au] A? ns2.fazlamesai.org. (47)
1214527515.779404 82.222.181.125.53 > 192.168.2.23.61756: 51328* 1/2/2 A 82.222.181.125 (111) (DF)
1214527515.779909 192.168.2.23.61756 > 82.222.181.125.53: 11798% [1au] AAAA? ns2.fazlamesai.org. (47)
1214527515.785161 82.222.181.125.53 > 192.168.2.23.61756: 60964* 0/1/1 (94) (DF)
1214527515.789313 82.222.181.125.53 > 192.168.2.23.61756: 48058* 1/2/2 A 212.175.237.162 (111) (DF)
1214527515.794834 82.222.181.125.53 > 192.168.2.23.61756: 11798* 0/1/1 (98) (DF)
1214527516.215004 192.168.2.23.61756 > 82.222.181.125.53: 54317% [1au] A? www.fazlamesai.org. (47)
1214527516.228870 82.222.181.125.53 > 192.168.2.23.61756: 54317* 1/2/3 A 82.222.181.125 (145) (DF)
1214527540.838462 192.168.2.23.62275 > 70.84.223.227.53: 2944% [1au] A? netsec.lifeoverip.net. (50)
1214527541.105514 70.84.223.227.53 > 192.168.2.23.62275: 2944*- 1/2/3 A[|domain] (DF)
As can be seen, once NAT is applied the source ports change randomly...
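A check I would run over captures like the two above, added here as an example and not part of the original post: it parses `tcpdump -ttnn udp port 53` lines and reports how many distinct source ports the resolver's queries used, the entropy of that port distribution, and the worst-case number of queries that went to one server from one port. The sample lines are a constructed subset of the post's own two captures, and the resolver address 192.168.2.23 is the one in the post. The post does not show its pf.conf rule; the rule form quoted in the script comment (`nat on $ext_if inet proto udp from $dns_srv to any port 53 -> ($ext_if)`) is an assumed generic OpenBSD 4.x-era example, not the author's configuration.

```python
"""Check whether a resolver's outbound DNS queries leave from one fixed
source port or from randomized ones, using 'tcpdump -ttnn udp port 53' output.

Assumed PF rule that produces the second kind of capture (not from the post):
    nat on $ext_if inet proto udp from $dns_srv to any port 53 -> ($ext_if)
"""
import math
import re
from collections import Counter

# One tcpdump -ttnn line: "<epoch> <src>.<sport> > <dst>.<dport>: <txid>..."
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?P<txid>\d+)"
)

# Constructed sample: a subset of the post's first capture (no NAT).
STATIC_CAPTURE = """\
tcpdump: listening on vic0, link-type EN10MB
1214527060.000368 192.168.2.23.26926 > 192.33.14.30.53: 52135% [1au] A? www.huzeyfe.net. (44)
1214527060.202598 192.168.2.23.26926 > 70.84.223.230.53: 26205% [1au] AAAA? jet.tekrom.com. (43)
1214527060.478490 70.84.223.230.53 > 192.168.2.23.26926: 23575*- 1/2/3 A 74.52.0.226 (127) (DF)
1214527060.479070 192.168.2.23.26926 > 70.84.223.226.53: 5700% [1au] A? www.huzeyfe.net. (44)
1214527081.550135 192.168.2.23.26926 > 192.26.92.30.53: 48697% [1au] A? www.cnn.com. (40)
""".splitlines()

# Constructed sample: a subset of the post's second capture (after PF NAT).
NAT_CAPTURE = """\
tcpdump: listening on vic0, link-type EN10MB
1214527500.423316 192.168.2.23.55819 > 192.42.93.30.53: 15093% [1au] A? www.linux.com. (42)
1214527500.692729 192.42.93.30.53 > 192.168.2.23.55819: 15093- 0/3/4 (168) (DF)
1214527500.694008 192.168.2.23.63085 > 12.31.165.79.53: 8055% [1au] A? www.linux.com. (42)
1214527500.995350 192.168.2.23.60810 > 216.34.181.21.53: 732% [1au] A? linux.com. (38)
1214527515.177442 192.168.2.23.52894 > 199.19.57.1.53: 13823% [1au] A? ns1.fazlamesai.org. (47)
1214527515.177701 192.168.2.23.52894 > 199.19.57.1.53: 63052% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.251972 192.168.2.23.57625 > 195.33.233.59.53: 64528% [1au] A? ns1.fazlamesai.org. (47)
""".splitlines()


def parse_line(line):
    """Return the addressing fields of one tcpdump line, or None for lines
    that are not packets (the 'listening on' banner, truncated lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "txid": int(m.group("txid")),
    }


def outbound_queries(lines, resolver_ip):
    """Queries the resolver sent: source is the resolver, destination port 53."""
    pkts = (parse_line(l) for l in lines)
    return [p for p in pkts if p and p["src"] == resolver_ip and p["dport"] == 53]


def port_report(lines, resolver_ip):
    """Summarize source-port behaviour of the resolver's outbound queries."""
    qs = outbound_queries(lines, resolver_ip)
    n = len(qs)
    ports = Counter(q["sport"] for q in qs)
    # Shannon entropy (bits) of the observed source-port distribution;
    # 0.0 means every query left from a single port.
    entropy = 0.0
    for c in ports.values():
        p = c / n
        entropy -= p * math.log2(p)
    # A NAT state is keyed by source/destination pair, so queries to the same
    # server that hit a live state share one translated port; report the worst
    # case so that reuse does not hide behind a good overall port count.
    reuse = Counter((q["dst"], q["sport"]) for q in qs)
    return {
        "queries": n,
        "distinct_ports": len(ports),
        "entropy_bits": round(entropy, 3),
        "max_reuse_per_dst": max(reuse.values(), default=0),
        "verdict": "static" if len(ports) <= 1 else "randomized",
    }


if __name__ == "__main__":
    for name, cap in (("no NAT", STATIC_CAPTURE), ("PF NAT", NAT_CAPTURE)):
        print(name, port_report(cap, "192.168.2.23"))
```

The max_reuse_per_dst value is the caveat worth keeping in mind with this workaround: in the post's second capture the four ns1/ns2.fazlamesai.org queries to 199.19.57.1 all leave from 52894, and the queries to 82.222.181.125 all leave from 61756, because PF keeps one state per source/destination pair while named keeps using its single socket. The translated port is therefore fresh per destination and per state lifetime rather than per query, which is weaker than a resolver that picks a new port for every query.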
Addendum: Frequency X Blog, https://www.dns-oarc.net/

Huzeyfe ONAL