RangeAmp - a family of attacks on CDNs that abuse the HTTP Range header

A group of researchers from Peking University, Tsinghua University and the University of Texas at Dallas has published details of work in which they identified a new class of DoS attacks, which they named "RangeAmp", that abuse the HTTP Range header to achieve traffic amplification through content delivery networks (CDNs).

The essence of the method is that, because of how Range requests are handled by many CDNs, an attacker can request a single byte of a large file through the CDN, yet the CDN will fetch the entire file, or a much larger block of data, from the origin server in order to cache it.

The degree of traffic amplification in such an attack, depending on the CDN, ranges from 724 to 43330 times, which can be used to overload the CDN's inbound traffic or to exhaust the bandwidth of the last-mile link to the victim's site.

The Range header lets a client specify a range of positions within a file that should be returned instead of the whole file.

For example, a client can send "Range: bytes=0-1023" and the server will return only the first 1024 bytes of data. This feature is useful when downloading large files: a user can pause a download and later resume it from the position at which it was interrupted. For "bytes=0-0" the standard prescribes returning the first byte of the file, for "bytes=-1" the last byte, and for "bytes=1-" everything from byte 1 to the end of the file. Several ranges can be passed in one header, for example "Range: bytes=0-1023,8192-10240".

A second variant was also proposed (called the RangeAmp Overlapping Byte Ranges (OBR) attack), designed to increase network traffic when traffic is relayed through another CDN acting as a proxy (for example, when Cloudflare serves as the front-end CDN (FCDN) and Akamai as the back-end CDN (BCDN)). The method resembles the first attack, but it plays out between the CDNs themselves and allows traffic to be amplified when a resource is accessed via a chain of CDNs, increasing the load on their infrastructure and reducing quality of service.

The idea is that the attacker sends the CDN a Range request containing many ranges, such as "bytes=0-,0-,0-...", "bytes=1-,0-,0-..." or "bytes=-1024,0-,0-...".

The requests contain a large number of "0-" ranges, each of which denotes returning the file from beginning to end. Because of incorrect range handling when the first CDN forwards the request to the second, the full file is returned for every "0-" block (the ranges are not coalesced but processed one after another), provided that the request relayed to the second CDN still contains the duplicated and overlapping ranges. The degree of traffic amplification in this attack ranges from 53 to 7432 times.
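As an added illustration (not code from the paper or from this article), the following defender-side validator shows what an origin or edge can do with an incoming Range header of the form described above: it parses the `bytes=` specs, compares how many bytes a server that serves every spec separately would emit against one that coalesces overlapping ranges (as RFC 7233 recommends), and rejects requests that carry overlapping ranges or more than an assumed limit of five specs. The file size, the limit and the header strings are constructed sample inputs.

```python
import re

# Assumed policy knob (not taken from any CDN's configuration).
MAX_RANGES = 5

_SPEC = re.compile(r"^(\d*)-(\d*)$")   # one byte-range-spec: "a-b", "a-" or "-n"


def parse_ranges(header, size):
    """Turn 'bytes=a-b,c-,-n' into absolute (first, last) pairs for a body of `size` bytes."""
    if not header.startswith("bytes="):
        raise ValueError("unsupported range unit")
    out = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            raise ValueError(f"malformed range spec {spec!r}")
        first, last = m.groups()
        if first == "":                          # suffix form "-n": the last n bytes
            n = int(last)
            if n == 0:
                raise ValueError("suffix length of zero is unsatisfiable")
            out.append((max(size - n, 0), size - 1))
        else:
            lo = int(first)
            hi = size - 1 if last == "" else min(int(last), size - 1)
            if lo >= size or lo > hi:
                raise ValueError(f"unsatisfiable range {spec!r}")
            out.append((lo, hi))
    return out


def coalesce(ranges):
    """Merge overlapping or adjacent ranges before serving, instead of emitting each spec."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def assess(header, size, max_ranges=MAX_RANGES):
    """Bytes a naive (per-spec) server vs. a coalescing one would emit, plus an accept/reject verdict."""
    ranges = parse_ranges(header, size)
    ordered = sorted(ranges)
    overlapping = any(b[0] <= a[1] for a, b in zip(ordered, ordered[1:]))
    naive = sum(hi - lo + 1 for lo, hi in ranges)
    merged = sum(hi - lo + 1 for lo, hi in coalesce(ranges))
    verdict = "reject" if (len(ranges) > max_ranges or overlapping) else "accept"
    return {"ranges": len(ranges), "overlapping": overlapping,
            "naive_bytes": naive, "coalesced_bytes": merged, "verdict": verdict}
```

Run `assess("bytes=0-,0-,0-", 1_000_000)` against a constructed 1 MB body to see the per-spec byte count triple while the coalesced count stays at the file size.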

The study examined the behaviour of 13 CDNs: Akamai, Alibaba Cloud, Azure, CDN77, CDNsun, Cloudflare, CloudFront, Fastly, G-Core Labs, Huawei Cloud, KeyCDN, StackPath, and Tencent Cloud.

"Unfortunately, although we emailed them several times and tried to contact their customer service, StackPath did not respond," the research team said.

"Overall, we did our best to responsibly report the vulnerabilities and to provide mitigation solutions. The affected CDN providers had almost seven months to implement mitigation strategies before this paper was published."

All of the CDNs examined allowed the first type of attack against a target server. The second, CDN-to-CDN variant of the attack turned out to affect 6 services, of which four can serve as the front-end link in the attack (CDN77, CDNsun, Cloudflare and StackPath) and three as the back-end (Akamai, Azure and StackPath).

The highest amplification was obtained with Akamai and StackPath, which allow more than 10 ranges to be specified in the Range header.

The CDN operators were notified of the vulnerabilities about 7 months ago, and at the time of public disclosure 12 of the 13 CDNs had fixed the identified problems or indicated their intention to fix them.

Source: https://www.liubaojun.org
