<h1>Rate Limits in BIND 9 and the DNSBomb Vulnerability</h1>
<p>Published 2024-05-27 at <a href="https://sunucucozumleri.com/blog/bind-9daki-hiz-sinirlari-ve-dnsbomb-guvenlik-acigi/">sunucucozumleri.com</a>.</p>
<h2 id="bind-9-is-unaffected-by-the-dnsbomb">BIND 9 Is Unaffected by DNSBomb</h2>
<p>We have been investigating and testing a reported DNS vulnerability called <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-33655" target="_blank" rel="noopener noreferrer nofollow">DNSBomb (CVE-2024-33655)</a>. After extensive testing, we concluded that this technique does not pose a significant threat to BIND 9 operators. Our tests with the recommended configurations showed that:</p>
<ul>
<li>The packet amplification factor for the client(s) is 1x (i.e., none).</li>
<li>The novel part of this attack (spreading queries out over time and then tricking the resolver into answering them within a short time window) is already adequately mitigated by existing limits.</li>
</ul>
<h3 id="the-dnsbomb-attack">The DNSBomb Attack</h3>
<p>The <a title="DNSBomb" href="https://sunucucozumleri.com/dns-sorgularini-ve-yanitlarini-kullanan-yeni-dos-saldirisi-dnsbomb/">DNSBomb</a> attack was described by <a href="https://lixiang521.com/" target="_blank" rel="noopener noreferrer nofollow">Xiang Li</a> of the <a href="https://netsec.ccert.edu.cn/chs/" target="_blank" rel="noopener noreferrer nofollow">NISL Lab</a> at Tsinghua University and responsibly disclosed to multiple DNS software development teams for evaluation. It is a pulsing denial-of-service (PDoS) attack that exploits features such as query rate limits, query timeouts, and maximum response size settings, using a maliciously designed authoritative server and a vulnerable recursive resolver to produce timed floods of responses. The attack also involves response amplification, using specially crafted zones on the authoritative server to produce large responses.</p>
<p>There are three critical steps to building the DNSBomb attack:</p>
<ol>
<li>Accumulating DNS queries (by extending the timeout window to artificially delay responses)</li>
<li>Amplifying responses (using query aggregation at the authoritative server and domains specially crafted to return large responses)</li>
<li>Concentrating the responses and sending them to the target resolver in large &#8220;pulsed&#8221; batches</li>
</ol>
<h3 id="testing-the-limits-in-bind-9">Testing the Limits in BIND 9</h3>
<p>After testing several variants of this attack against BIND 9, we found many ways to limit or mitigate the impact of DNSBomb on BIND 9 resolvers. Most of these are configured by default, but there are also rate limits that can be configured to further reduce the effectiveness of this attack.</p>
<p>These limits are effective against the DNSBomb attack:</p>
<ul>
<li><code>clients-per-query</code> / <code>max-clients-per-query</code> are set by default to 10 and 100 respectively. They limit the total number of pending clients (requests) for any single query. In the worst case, there can be 100 pending requests.</li>
<li><code>recursive-clients</code> is configured to 1000 by default. This limits the total number of pending requests. When 90% of this limit is reached (that is, 900 requests by default), the oldest requests are dropped and can no longer contribute to the effectiveness of this attack.</li>
<li><code>responses-per-second</code> is a rate limit that can be configured to further mitigate this attack. It limits the number of UDP responses for a given query per network segment.</li>
</ul>
<h3 id="notes-on-the-amplification-factor">Notes on the Amplification Factor</h3>
<p><a href="https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/" target="_blank" rel="noopener noreferrer nofollow">Amplification attacks</a> are a common problem in DNS. DNS responses are usually much larger than the corresponding queries, so the key difference between normal query/response patterns and malicious ones is the amplification factor. Wide variations in query volume can be seen under normal operation, so when assessing whether an amplifier is really a powerful attack vector we look for amplification factors of at least two orders of magnitude.</p>
<p>The worst-case scenario for a resolver with the default configuration under the DNSBomb attack is as follows:</p>
<ul>
<li>The attacker (spoofing the victim&#8217;s address) sends 1000 packets over time (up to 10 seconds), while the authoritative server (under the attacker&#8217;s control) withholds the response for that duration.</li>
<li>When the attacker&#8217;s authoritative server responds, the resolver answers all pending queries for the attacker&#8217;s domain.</li>
<li>Assuming the response is crafted to use the maximum packet size that will be transmitted over UDP, each response can be 1232 bytes long. For 1000 pending queries, the total amount of data sent in a very short time can be up to 12 MB.</li>
</ul>
<p>The paper argues that this amounts to a significant bandwidth amplification factor. While this is true under ideal conditions, the attack does not scale. Because of the recursive client limit (1000 by default), any new request will cause the oldest ones to be dropped, and they will no longer contribute to the bandwidth amplification factor.</p>
<p>In other words, if the attacker sent 10,000 or 100,000 packets instead, the short burst of data on the victim&#8217;s side would still be only 12 MB of data.</p>
<p>Under real-world conditions the attack would probably be even less efficient, because the full effect would require the attacker to be the only client using this resolver and thus able to use the entire recursive client limit for itself. If there are other clients, they are probably using at least part of that quota, which makes the attack even less effective.</p>