A PF solution to the DNS vulnerabilities of recent days!

Author: megabros (Security Professional)
Joined: 08-06-2009
Location: Turkey
Posted: 08-06-2009 at 14:27

A few days ago a DNS protocol vulnerability was published, the details of which you can reach from here (and technically from here). If the vulnerability is abused, there is a possibility that the caches of the DNS servers containing this flaw (we can say 99% of the Internet) get poisoned.

At the address I gave above, one of the measures recommended for the vulnerability was that DNS servers use random source ports when querying. As far as I know, apart from DJBdns there is no DNS server/client software that provides this natively.

If you are using a firewall like Packet Filter that can change source ports while doing NAT (most firewalls do this), and you pass your DNS server's outbound UDP 53 traffic through NAT, the source port numbers end up randomly chosen.

The example below was carried out with OpenBSD named and PF.

Queries made from a DNS server whose traffic goes out without NAT via PF

# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> www.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 74.125.39.103
Name: www.l.google.com
Address: 74.125.39.147
Name: www.l.google.com
Address: 74.125.39.99
Name: www.l.google.com
Address: 74.125.39.104
> www.lifeoverip.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.lifeoverip.net
Address: 80.93.212.86
> set q=a
> www.huzeyfe.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.huzeyfe.net
Address: 80.93.212.86
> www.cnn.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.cnn.com
Address: 64.236.91.23
Name: www.cnn.com
Address: 64.236.16.20
Name: www.cnn.com
Address: 64.236.16.52
Name: www.cnn.com
Address: 64.236.24.12
Name: www.cnn.com
Address: 64.236.29.120
Name: www.cnn.com
Address: 64.236.91.21
> exit

When we watch the outbound traffic of these requests with tcpdump, we get the following results.

# tcpdump -ttnn udp port 53
tcpdump: listening on vic0, link-type EN10MB
1214527060.000368 192.168.2.23.26926 > 192.33.14.30.53: 52135% [1au] A? www.huzeyfe.net. (44) (43)
1214527060.202598 192.168.2.23.26926 > 70.84.223.230.53: 26205% [1au] AAAA? jet.tekrom.com. (43)
1214527060.202728 192.168.2.23.26926 > 70.84.223.230.53: 45553% [1au] A? ns3.tekrom.com. (43)
1214527060.202918 192.168.2.23.26926 > 70.84.223.230.53: 9887% [1au] AAAA? ns3.tekrom.com. (43)
1214527060.203064 192.168.2.23.26926 > 70.84.223.230.53: 19219% [1au] A? ns4.tekrom.com. (43)
1214527060.203171 192.168.2.23.26926 > 70.84.223.230.53: 9937% [1au] AAAA? ns4.tekrom.com. (43)
1214527060.478490 70.84.223.230.53 > 192.168.2.23.26926: 23575*- 1/2/3 A 74.52.0.226 (127) (DF)
1214527060.479070 192.168.2.23.26926 > 70.84.223.226.53: 5700% [1au] A? www.huzeyfe.net. (44)
1214527060.483016 70.84.223.230.53 > 192.168.2.23.26926: 26205*- 0/1/1 (91) (DF)
1214527060.487206 70.84.223.230.53 > 192.168.2.23.26926: 45553*- 1/2/2 A 70.84.223.226 (107) (DF)
1214527060.492574 70.84.223.230.53 > 192.168.2.23.26926: 9887*- 0/1/1 (87) (DF)
1214527060.496554 70.84.223.230.53 > 192.168.2.23.26926: 19219*- 1/2/2 A 70.84.223.227 (107) (DF)
1214527060.501199 70.84.223.230.53 > 192.168.2.23.26926: 9937*- 0/1/1 (91) (DF)
1214527060.756220 70.84.223.226.53 > 192.168.2.23.26926: 5700- 0/13/1 (252) (DF)
1214527060.756753 192.168.2.23.26926 > 70.84.223.227.53: 58800% [1au] A? www.huzeyfe.net. (44)
1214527061.031910 70.84.223.227.53 > 192.168.2.23.26926: 58800- 0/13/1 (252) (DF)
1214527061.032272 192.168.2.23.26926 > 74.52.0.226.53: 54605% [1au] A? www.huzeyfe.net. (44)
1214527061.309713 74.52.0.226.53 > 192.168.2.23.26926: 54605*- 1/2/3 A 80.93.212.86 (138) (DF)
1214527081.550135 192.168.2.23.26926 > 192.26.92.30.53: 48697% [1au] A? www.cnn.com. (40)
1214527081.694272 192.26.92.30.53 > 192.168.2.23.26926: 48697- 0/4/5 (203) (DF)
1214527081.695022 192.168.2.23.26926 > 205.188.146.88.53: 10679% [1au] A? www.cnn.com. (40)
1214527081.851653 205.188.146.88.53 > 192.168.2.23.26926: 10679- 0/2/3 (123) (DF)

If you look closely, all DNS requests go out from the same source port…

After applying NAT with Packet Filter to outbound UDP 53, let's repeat the same steps.

Queries

# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> set query=a
> www.lifeoverip.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.lifeoverip.net
Address: 80.93.212.86
> www.linux.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.linux.com canonical name = linux.com.
Name: linux.com
Address: 216.34.181.51
> www.fazlamesai.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.fazlamesai.net
Address: 82.222.181.125
> netsec.lifeoverip.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: netsec.lifeoverip.net
Address: 80.93.212.86

tcpdump output of the queries

# tcpdump -ttnn udp port 53
tcpdump: listening on vic0, link-type EN10MB
1214527500.423316 192.168.2.23.55819 > 192.42.93.30.53: 15093% [1au] A? www.linux.com. (42)
1214527500.692729 192.42.93.30.53 > 192.168.2.23.55819: 15093- 0/3/4 (168) (DF)
1214527500.694008 192.168.2.23.63085 > 12.31.165.79.53: 8055% [1au] A? www.linux.com. (42)
1214527500.991152 12.31.165.79.53 > 192.168.2.23.63085: 8055*- 2/0/0 CNAME linux.com., (61) (DF)
1214527500.995350 192.168.2.23.60810 > 216.34.181.21.53: 732% [1au] A? linux.com. (38)
1214527501.165336 216.34.181.21.53 > 192.168.2.23.60810: 732*- 1/0/0 A 216.34.181.51 (43) (DF)
1214527515.105501 192.168.2.23.63168 > 192.54.112.30.53: 38190% [1au] A? www.fazlamesai.net. (47)
1214527515.176086 192.54.112.30.53 > 192.168.2.23.63168: 38190- 0/2/1 (97) (DF)
1214527515.177442 192.168.2.23.52894 > 199.19.57.1.53: 13823% [1au] A? ns1.fazlamesai.org. (47)
1214527515.177701 192.168.2.23.52894 > 199.19.57.1.53: 63052% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.177963 192.168.2.23.52894 > 199.19.57.1.53: 52497% [1au] A? ns2.fazlamesai.org. (47)
1214527515.178148 192.168.2.23.52894 > 199.19.57.1.53: 19103% [1au] AAAA? ns2.fazlamesai.org. (47)
1214527515.251261 199.19.57.1.53 > 192.168.2.23.52894: 13823- 0/2/3 (111) (DF)
1214527515.251972 192.168.2.23.57625 > 195.33.233.59.53: 64528% [1au] A? ns1.fazlamesai.org. (47)
1214527515.256090 199.19.57.1.53 > 192.168.2.23.52894: 63052- 0/2/3 (111) (DF)
1214527515.256721 192.168.2.23.57625 > 195.33.233.59.53: 19139% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.260952 199.19.57.1.53 > 192.168.2.23.52894: 52497- 0/2/3 (111) (DF)
1214527515.261360 192.168.2.23.57625 > 195.33.233.59.53: 2367% [1au] A? ns2.fazlamesai.org. (47)
1214527515.265682 199.19.57.1.53 > 192.168.2.23.52894: 19103- 0/2/3 (111) (DF)
1214527515.266223 192.168.2.23.57625 > 195.33.233.59.53: 19193% [1au] AAAA? ns2.fazlamesai.org. (47)
1214527515.695411 192.168.2.23.57625 > 195.33.233.59.53: 22141% [1au] A? www.fazlamesai.net. (47)
1214527515.764586 192.168.2.23.61756 > 82.222.181.125.53: 51328% [1au] A? ns1.fazlamesai.org. (47)
1214527515.764749 192.168.2.23.61756 > 82.222.181.125.53: 60964% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.764895 192.168.2.23.61756 > 82.222.181.125.53: 48058% [1au] A? ns2.fazlamesai.org. (47)
1214527515.779404 82.222.181.125.53 > 192.168.2.23.61756: 51328* 1/2/2 A 82.222.181.125 (111) (DF)
1214527515.779909 192.168.2.23.61756 > 82.222.181.125.53: 11798% [1au] AAAA? ns2.fazlamesai.org. (47)
1214527515.785161 82.222.181.125.53 > 192.168.2.23.61756: 60964* 0/1/1 (94) (DF)
1214527515.789313 82.222.181.125.53 > 192.168.2.23.61756: 48058* 1/2/2 A 212.175.237.162 (111) (DF)
1214527515.794834 82.222.181.125.53 > 192.168.2.23.61756: 11798* 0/1/1 (98) (DF)
1214527516.215004 192.168.2.23.61756 > 82.222.181.125.53: 54317% [1au] A? www.fazlamesai.net. (47)
1214527516.228870 82.222.181.125.53 > 192.168.2.23.61756: 54317* 1/2/3 A 82.222.181.125 (145) (DF)
1214527540.838462 192.168.2.23.62275 > 70.84.223.227.53: 2944% [1au] A? netsec.lifeoverip.net. (50)
1214527541.105514 70.84.223.227.53 > 192.168.2.23.62275: 2944*- 1/2/3 A[|domain] (DF)

As can be seen, once NAT is applied the source ports change randomly…

Regards..
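As an added check that is not part of megabros' post, the Python script below parses tcpdump -ttnn lines in the format of the two captures above and reports how many distinct source ports the resolver's outbound UDP 53 queries used, which is the property the post verifies by eye. The sample lines are a constructed subset in the same format; the resolver address 192.168.2.23 is taken from the captures.

```python
import re

# Constructed samples in the same tcpdump -ttnn format as the post's captures:
# the first mimics the no-NAT run (one source port), the second the NAT run.
SAMPLE_NO_NAT = """\
1214527060.000368 192.168.2.23.26926 > 192.33.14.30.53: 52135% [1au] A? www.huzeyfe.net. (44)
1214527060.202598 192.168.2.23.26926 > 70.84.223.230.53: 26205% [1au] AAAA? jet.tekrom.com. (43)
1214527060.478490 70.84.223.230.53 > 192.168.2.23.26926: 23575*- 1/2/3 A 74.52.0.226 (127) (DF)
1214527081.550135 192.168.2.23.26926 > 192.26.92.30.53: 48697% [1au] A? www.cnn.com. (40)
"""
SAMPLE_NAT = """\
1214527500.423316 192.168.2.23.55819 > 192.42.93.30.53: 15093% [1au] A? www.linux.com. (42)
1214527500.692729 192.42.93.30.53 > 192.168.2.23.55819: 15093- 0/3/4 (168) (DF)
1214527500.694008 192.168.2.23.63085 > 12.31.165.79.53: 8055% [1au] A? www.linux.com. (42)
1214527500.995350 192.168.2.23.60810 > 216.34.181.21.53: 732% [1au] A? linux.com. (38)
"""

# tcpdump -ttnn line: "<ts> <src_ip>.<src_port> > <dst_ip>.<dst_port>: <txid>..."
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<txid>\d+)"
)


def outbound_queries(capture, resolver_ip):
    """Yield (source_port, transaction_id) for each query the resolver sends to UDP 53."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("src") != resolver_ip or m.group("dport") != "53":
            continue  # not a line we can parse, or a reply coming back in
        yield int(m.group("sport")), int(m.group("txid"))


def port_randomization_report(capture, resolver_ip):
    """Summarise source-port diversity of the resolver's outbound queries.

    A resolver that always queries from one port (the pre-NAT capture in the
    post) relies on the 16-bit transaction ID alone; distinct source ports
    add the second unpredictable value the advisory asks for.
    """
    queries = list(outbound_queries(capture, resolver_ip))
    ports = {port for port, _ in queries}
    return {
        "queries": len(queries),
        "distinct_ports": len(ports),
        "fixed_port": len(queries) > 1 and len(ports) == 1,
    }


if __name__ == "__main__":
    for label, cap in (("no NAT", SAMPLE_NO_NAT), ("NAT", SAMPLE_NAT)):
        print(label, port_randomization_report(cap, "192.168.2.23"))
```

Run it against a real capture by reading the file into a string and passing it with your resolver's address; a "fixed_port" result means the NAT rule is not translating source ports.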