Iqembu labacwaningi abavela eNyuvesi yaseCalifornia eRiverside likhululiwe Ezinsukwini ezedlule okuhlukile okusha kokuhlasela kwe-SAD DNS okusebenza naphezu kokuvikelwa okwengezwe ngonyaka odlule ukuvimba ukuba sengozini kwe-CVE-2020-25705.
Indlela entsha ngokuvamile okufana nokuba sengozini konyaka odlule futhi kuhlukaniswe kuphela ngokusetshenziswa kohlobo oluhlukile lwamaphakheji I-ICMP yokuqinisekisa izimbobo ze-UDP ezisebenzayo. Ukuhlasela okuhlongozwayo yenza kube nokwenzeka ukufaka esikhundleni sedatha ye-dummy kunqolobane yeseva ye-DNS, engase isetshenziselwe ukonakalisa ikheli lasesizindeni se-inthanethi lesizinda esingagunyaziwe kunqolobane futhi iqondise kabusha amakholi esizindeni aye kuseva yomhlaseli.
Indlela ehlongozwayo isebenza kuphela kusitaki senethiwekhi ye-Linux Ngenxa yokuxhumeka kwayo kokukhethekile kwendlela yokucubungula iphakethe le-ICMP ku-Linux, isebenza njengomthombo wokuvuza kwedatha okwenza kube lula ukuzimisela kwenombolo yembobo ye-UDP esetshenziswa iseva ukuthumela isicelo sangaphandle.
Ngokusho kwabacwaningi abahlonze inkinga, ubungozi buthinta cishe u-38% wezixazululi ezivulekile kunethiwekhi, kufaka phakathi amasevisi e-DNS adumile njenge-OpenDNS ne-Quad9 (9.9.9.9). Kusofthiwe yeseva, ukuhlasela kungenziwa kusetshenziswa amaphakheji afana ne-BIND, Unbound, ne-dnsmasq kuseva ye-Linux. Amaseva e-DNS asebenza ezinhlelweni ze-Windows ne-BSD ayibonisi inkinga. I-IP spoofing kufanele isetshenziselwe ukuqeda ngempumelelo ukuhlasela. Kuyadingeka ukuthi uqinisekise ukuthi i-ISP yomhlaseli ayiwavimbi amaphakethe anekheli le-IP eliwumthombo we-spoofed.
Njengesikhumbuzo, ukuhlasela I-SAD DNS ivumela ukuvikeleka kokudlula okwengezwe kumaseva e-DNS ukuze kuvinjwe indlela yobuthi yenqolobane ye-DNS yakudala ehlongozwa ngo-2008 nguDan Kaminsky.
Indlela ye-Kaminsky ishintsha usayizi onganakwa wenkundla ye-ID yombuzo we-DNS, okungamabhithi ayi-16 kuphela. Ukuthola isihlonzi sokwenziwe se-DNS esilungile esidingekayo ukuze uphathe igama lomsingathi, vele uthumele izicelo ezingaba ngu-7.000 futhi ulingise cishe izimpendulo mbumbulu ezingu-140.000. Ukuhlasela kubilisa ekuthumeleni inombolo enkulu yamaphakethe mbumbulu aboshwe nge-IP ohlelweni Isixazululi se-DNS esinezihlonzi zokwenziwe ze-DNS ezihlukile.
Ukuvikela kulolu hlobo lokuhlasela, Abakhiqizi beseva ye-DNS yenze ukusatshalaliswa okungahleliwe kwezinombolo zembobo yenethiwekhi umthombo lapho izicelo zokulungiswa zithunyelwa khona, okwenza usayizi wesikhombi omkhulu onganele. Ngemuva kokuqaliswa kokuvikelwa kokuthunyelwa kwempendulo engelona iqiniso, ngaphezu kokukhethwa kwesihlonzi se-16-bit, kuye kwadingeka ukukhetha eyodwa yamachweba ayizinkulungwane ezingu-64, okwandisa inani lezinketho zokukhethwa ku-2 ^ 32.
Indlela I-SAD DNS ikuvumela ukuthi wenze lula ukuzimisela kwenombolo yembobo yenethiwekhi futhi unciphise ukuhlasela indlela ye-classical Kaminsky. Umhlaseli anganquma ukufinyelela kuzimbobo ze-UDP ezingasetshenzisiwe nezisebenzayo ngokusebenzisa ulwazi oluputshuziwe mayelana nomsebenzi wembobo yenethiwekhi lapho kucutshungulwa amaphakethe okuphendula e-ICMP.
Ukuvuza kolwazi okukuvumela ukuthi uhlonze ngokushesha izimbobo ze-UDP ezisebenzayo kungenxa yokushiyeka kwekhodi yokusingatha amaphakethe e-ICMP anokwehlukana (ifulegi le-ICMP elidingekayo) noma ukuqondisa kabusha (ifulegi lokuqondisa kabusha i-ICMP). Ukuthumela amaphakethe anjalo kushintsha isimo senqolobane kusitaki senethiwekhi, okwenza kwenzeke, ngokusekelwe empendulweni yeseva, ukunquma ukuthi iyiphi imbobo ye-UDP esebenzayo nokuthi iyiphi engasebenzi.
Izinguquko ezivimba ukuvuza kolwazi zamukelwe ku-Linux kernel ekupheleni kuka-Agasti (Ukulungiswa kufakwe ku-kernel 5.15 kanye nezibuyekezo zikaSepthemba zamagatsha e-LTS e-kernel.) Isixazululo ukushintshela ekusebenziseni i-algorithm ye-SipHash hash kuma-caches enethiwekhi esikhundleni se-Jenkins Hash.
Ekugcineni, uma unentshisekelo yokwazi okwengeziwe ngakho, ungaxhumana ne- imininingwane kusixhumanisi esilandelayo.