8/16/2019 Korunic Prikupljanje i Analiza DNS Prometa
http://slidepdf.com/reader/full/korunic-prikupljanje-i-analiza-dns-prometa 1/60
DEPARTMENT OF ELECTRONICS, MICROELECTRONICS, COMPUTER AND INTELLIGENT SYSTEMS
FACULTY OF ELECTRICAL ENGINEERING AND COMPUTING
UNIVERSITY OF ZAGREB
MASTER'S THESIS No. 1784
Analysis and Collection of DNS Packets
Dinko Korunić
Zagreb, February 2009
Sažetak (Croatian abstract, translated)
The subject of this master's thesis is the area of the DNS protocol related to the numerous critical security threats to DNS servers. The thesis considers the design of a distributed system for passive monitoring of DNS communication, with simultaneous general and security analysis of that traffic, identification of security problems and presentation of the results to the user. Alongside an elaboration of the DNS problem area and of the details of the DNS traffic analysis system, together with formal standards compliance testing, practical measurements were also carried out on the central DNS servers of the Department of Electronics, Microelectronics, Computer and Intelligent Systems of the Faculty of Electrical Engineering and Computing in Zagreb and of the Faculty of Mechanical Engineering and Naval Architecture in Zagreb.
Ključne riječi (Keywords)
DNS protocol, DNS poisoning, DNS traffic analysis, intrusion detection systems.
Abstract
This work deals with numerous security threats to the DNS protocol. We are discussing the idea behind the distributed DNS monitoring system which passively monitors the DNS traffic, performs the basic and the security analysis, performs the identification of security issues and presents the results to the end user. The related details of DNS protocols and standards are documented as well as all necessary prerequisites and components of DNS monitoring system itself. We have performed the formal standards compliance testing and practical DNS data analysis on central DNS servers at Department of Electronics, Microelectronics, Computer and Intelligent Systems of Faculty of Electrical Engineering and Computing and Faculty of Mechanical Engineering and Naval Architecture, Zagreb.
Keywords
DNS protocol, DNS poisoning, DNS traffic analysis, Intrusion Detection Systems.
Contents
1. Introduction
2. Domain name system
2.1. Types of DNS queries
2.2. DNS Resource Record
2.3. Types of DNS records
2.4. DNS queries and responses
2.5. Types of DNS servers
2.6. Security problems
2.7. Methods of traffic analysis at servers
2.8. Overview of existing specialised tools
3. System for monitoring and analysing DNS traffic
3.1. Implementation design
3.1.1. Efficient communication
3.1.2. Minimal load on the sensor computers
3.1.3. Minimal load on the central server
3.1.4. Traffic encryption and authenticity verification
3.1.5. Authentication and authorisation
3.1.6. Transfer of program structures
3.2. Components and characteristics of the system
3.3. Detecting problematic traffic
3.4. Future work
4. Results of the study
4.1. Formal testing of the system
4.2. Measurements in production and discussion of results
5. Conclusion
6. References
7. Appendix A: Contents of the enclosed media (CD/DVD)
8. Appendix B: Installation instructions
9. Appendix C: Usage instructions
List of symbols and abbreviations
DNS Domain Name System
IP Internet Protocol
HTTP Hypertext Transfer Protocol
SMTP Simple Mail Transfer Protocol
NNTP Network News Transfer Protocol
LDAP Lightweight Directory Access Protocol
TLD Top-level domain
IANA Internet Assigned Numbers Authority
TCP Transmission Control Protocol
UDP User Datagram Protocol
RR Resource Record
ISP Internet service provider
FQDN Fully qualified domain name
TTL Time to live
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
SPF Sender Policy Framework
GPS Global Positioning System
DNSSEC DNS Security Extensions
ISDN Integrated Services Digital Network
PSDN Public switched data network
RFC Request for Comments
AS Autonomous system
IPsec Internet Protocol Security
IDS Intrusion detection system
ID Identification
PCAP Packet Capture
SLD Second-level domain
3LD Third-level domain
OSI Open Systems Interconnection
FIFO First In, First Out
COW Copy-on-write
IKE Internet Key Exchange
PSK Preshared key
AES Advanced Encryption Standard
CBC Cipher Block Chaining
ECB Electronic CodeBook
CFB Cipher FeedBack
OFB Output FeedBack
CTR Counter
HMAC keyed-Hash Message Authentication Code
MD5 Message-Digest Algorithm 5
SHA1 Secure Hash Algorithm 1
IV Initialization vector
ICV Integrity check value
QPS Queries per second
WPAD Web Proxy Auto-Discovery Protocol
List of tables
Table 2.1: Sections of a DNS packet
Table 2.2: Header of a DNS packet
Table 2.3: Fields of the question section
Table 2.4: Overview of traffic analysis at DNS servers
Table 2.5: Overview of DNS analysis tools
Table 4.1: Reference configuration of the Bind server
Table 4.2: Impact of monitoring on DNS performance
Table 7.1: Contents of the enclosed media
List of figures
Figure 2.1: Resolution in the DNS architecture
Figure 2.2: DNS topology
Figure 2.3: Layout of a DNS packet with its sections
Figure 3.1: Overview of the communication packet
Figure 3.2: Architectural view of communication in the system
Figure 3.3: Flow of DNS packet processing
Figure 3.4: Relationships among the program classes
Figure 4.1: Distribution of the total number of incidents at FSB
Figure 4.2: RFC 1918 (private address) query
Figure 4.3: Response to nonexistent queries
Figure 4.4: Response differing from the query
Figure 4.5: Multiple responses to a query
Figure 4.6: [name unreadable in this scan] security incident
Figure 4.7: Disallowed characters in a query
Figure 4.8: Unknown query type
Figure 4.9: Error returned by the DNS server
Figure 4.10: Unknown top-level domains
Figure 4.11: Summary of recorded incidents at FSB
Figure 4.12: Distribution of the total number of incidents at ZEMRIS
Figure 4.13: Summary of recorded incidents at ZEMRIS
1. Introduction

DNS (Domain Name System) is a directory service that links symbolic names on the Internet to IP (Internet Protocol) addresses, which uniquely address a remote resource and make communication with it possible [1]. DNS is today one of the key Internet services and is used by the large majority of other application protocols on the Internet. The reason lies primarily in the simplicity of using textual, easily remembered labels instead of concrete IP addresses.

DNS is realised as a strictly hierarchical, distributed system in which various kinds of information can be stored, but it is used primarily for information about IP addresses and textual names. DNS directories most often hold the textual names of computers or devices (hostnames), and every such name is a unique symbolic name within a given network that serves to electronically identify a particular computer. Such names are used by various application protocols such as HTTP (Hypertext Transfer Protocol), SMTP (Simple Mail Transfer Protocol), NNTP (Network News Transfer Protocol) and others. A textual name may be a single word, when a local network is concerned, or several words separated by dots. In the latter case it is a domain name, which represents the symbolic name of a computer together with the hierarchically ordered names of the superior (in a logical, but not necessarily physical, sense) groups of computers.

DNS servers provide DNS information using the DNS protocol to communicate both with clients and among themselves. Various additional information can be stored in the directories, such as data for application-level routing of network communication, hardware descriptions of computers, and so on. The DNS system as a whole is much broader and covers three basic functions [2]:
• the DNS name space, the naming problem and its rules: the hierarchical structure, the directory structure and naming rules, and the specification of domains,
• domain registration and administrative matters: the hierarchical structure of responsible bodies, the hierarchy of top-level responsible bodies (TLD, top-level domain), the procedures for registering second-level domains, the administration of DNS zones and the administration of the hierarchy,
• servers and the resolution process: DNS records and zones, the types of DNS servers with their different roles, the resolution process, DNS messages and the record format.

The subject of this thesis is the area of the DNS protocol related to the numerous critical security threats to DNS servers. The thesis considers the design of a distributed system for passive monitoring of DNS communication, with simultaneous general and security analysis of that traffic, identification of security problems and presentation of the results to the user.
Chapter 2 serves as an introduction to the DNS system and its communication, which is needed to understand the problem area and the reasons for analysing DNS traffic. That chapter also considers the shortcomings of existing tools and the numerous security problems related to DNS. Chapter 3 describes the required characteristics of the system, while Chapter 4 deals with testing and with the measurement results obtained.
2. Domain name system

Every DNS¹ server uses port 53 for communication by default; the port was assigned to it by IANA (Internet Assigned Numbers Authority). On that port it listens for RFC 793 TCP (Transmission Control Protocol) and RFC 768 UDP (User Datagram Protocol) queries, while the response may be sent either from that same port or from some other high port (a port above 1024), depending on the server configuration. The response carries a status indicating success or failure, together with any requested records, i.e. RRs (Resource Records). When the server does not have the requested data but does have information on how the client should proceed with the query, it sends that additional information instead of the requested data.

UDP is used for queries by default, and the communication usually amounts to one UDP query and one UDP response. TCP communication is used mainly when the size of the response exceeds 512 bytes or for bulk transfers of DNS information, i.e. zone transfers. There are situations in which a DNS server does not answer TCP queries at all, and situations in which a DNS client sends only TCP queries.

With the arrival of the RFC 2671 EDNS standard, the problem of the 512-byte limit on UDP DNS packets was solved: the client and the server negotiate the size before a large packet is sent, using the special EDNS OPT RR query [4]. The standard itself is backward compatible with existing implementations, although its introduction requires upgrading DNS servers and DNS clients, which not infrequently entails upgrading the entire operating system.

2.1. Types of DNS queries

Every functional DNS system necessarily consists of three parts [5]:
• the DNS client (resolver), a program running on the client computer that forms a particular DNS request. Such a program need not be a standalone service; on most Unix-like systems it is most often built into the standard library in the form of system calls invoked by the various user programs,
• the recursive DNS server, which, on receiving queries from a client, searches the DNS tree and returns the answers to the client,
• the authoritative DNS server, which answers queries from recursive servers and returns either a final answer or, because of delegation, a referral to some other authoritative DNS server.

¹ The basic DNS standards for understanding the subject are at least: RFC 1034, RFC 1035, RFC 1101, RFC 1122, RFC 1183, RFC 1591, RFC 2181.
The process of receiving requests, processing them and returning answers is called DNS resolution (name resolution). It is the process of converting a domain name into an IP address: first the authoritative DNS server is located, then a query for the address is sent to it, and it answers with the requested address. Since DNS is a strictly distributed directory service, it is split across many different servers. Because of this distribution, resolution usually cannot be completed with a single query and response; it most often requires a longer exchange and a series of queries and responses. The most common situation is that the client sends requests to the local recursive DNS server responsible for the network in which the client computer is located; that server performs the required queries and then returns the answer to the client. Such a server is usually assigned by the ISP (Internet service provider) or by the institution in which the client computer is located. The largest and most complex part of resolution is locating the authoritative server within the complex DNS hierarchy, as can be seen in Figure 2.1.

Figure 2.1: Resolution in the DNS architecture

There are two basic types of DNS resolution, i.e. of traversing the DNS hierarchy to fetch a particular record. They differ in who does most of the work of gathering and processing the data, and they matter primarily when processing a given DNS query requires several steps, i.e. when the local DNS server does not hold all of the requested information:
• Iterative: when the client sends iterative queries, the server must reply with one of two possible answers: either the answer to the request or the name of another DNS
server (delegation takes place) that holds more data about the requested query. In this type of query most of the work is done by the client, iterating query-response actions while walking through the DNS hierarchy,
• Recursive: when the client sends a recursive query, the server takes over the job of finding the information about the requested query. What the client did in the iterative case is done by the server for recursive queries: it processes the information and sends new queries to other servers until it finds what was requested. This means that the client sends only a single request and receives either the exact information it asked for or an error message.

In general, recursive lookup is very convenient for clients, but it can considerably load DNS servers (leaving aside the potential problem of DNS server poisoning, discussed later), so this form of query is usually explicitly permitted only for computers on the local network, i.e. the computers for which the given DNS server is responsible.

The DNS tree is a hierarchically arranged set of DNS servers in which every domain and subdomain has one or more authoritative DNS servers. These servers (the nodes of the tree) are responsible for all domains below them; they either answer queries directly with the requested information or delegate to some other server. The hierarchical arrangement of the servers must match the arrangement of the domains in the corresponding domain space, as shown in Figure 2.2.

Figure 2.2: DNS topology
Practically every search for some DNS information starts from the root DNS host, the top of the DNS tree. Walking the DNS tree is a descent along the branches of the tree, where every node is one DNS server responsible for its own part of the DNS space. The basic prerequisite for finding any node of the tree is a local list of the 13 root DNS servers and their IP addresses. It is precisely these root servers that delegate the search further according to their records, and without them the global DNS system cannot function. Some of the root server addresses are distributed using anycast technology, which enables decentralisation and reduces the load on any individual server. In this way a large number of distributed nodes around the world appears as a single node, i.e. a single service, and the DNS client automatically picks the nearest one. At present the function of the 13 root servers is performed by roughly a hundred (in February 2008 there were 1?9 root servers according to http://www.root-servers.org/) physical servers around the world. The current distribution of the root DNS servers is far from even: ?8 servers serve North America, ?5 Europe, 2? Australia, 2? New Zealand, 2? China and 2? Russia, while the remaining countries have no root DNS servers and sometimes no TLD servers in their own country (figures marked ? contain digits that are unreadable in this scan).

2.2. DNS Resource Record

The RR is the basic record, i.e. unit, of the DNS system. An RR holds certain attributes appropriate to its type, which may be an IP address, an address for delivering electronic mail, a character string, DNS labels or something else. An RR consists of the following components, listed in the order in which they appear [7]:
• the domain name (usually an FQDN, fully qualified domain name; if a short name is written, the zone name is automatically appended to the end of the name),
• the TTL (time to live) in seconds, whose default value is the minimum value given in the SOA record (more on that later),
• the record class, which may be Internet, Hesiod or Chaos,
• the record type: CNAME, PTR, A, MX, TXT, AAAA, A6, etc.,
• the data for the given record type, which match that type; if they contain domain names that are not FQDNs, the zone name is automatically appended to the end of the name,
• an optional comment (added depending on the server software).

Since it was intended from the start that DNS would offer directory services for more than one protocol (that is, for protocols other than IP as well), DNS was designed very generically. Every RR within a zone therefore has its class (Resource Record Classes), although these are essentially a historical legacy. In practice only the Internet class is used today, so it is implicitly assumed whenever the IN class is not explicitly given in a local zone.
2.3. Types of DNS records

There are quite a few different types of DNS records, which differ primarily in their purpose:
• A (Address) links the corresponding domain name (a label or a series of labels) to a 32-bit IPv4 (Internet Protocol version 4) address. Today it is often possible to find several A records pointing to the same IP address,
• CNAME (Canonical Name) allows one domain name to be an alias for another. Such an alias acquires all properties of the original, including IP addresses and subdomains. It is, however, invalid for a zone to contain a record that shares the same name (label) as a CNAME record: a CNAME cannot coexist with any other type at the same label, including the empty label. In addition, no record type other than CNAME may point at an alias (i.e. at a CNAME), since that would allow loops and invalid records in the zone,
• MX (Mail Exchange) specifies all the mail servers responsible for the given domain. If this record does not exist, mail is delivered using the A record obtained by resolving the destination domain. The basic function of this mechanism is to allow several mail servers for one domain, with an exact order in which they must be contacted. This provides mail routing in a simple way, as well as the possibility of spreading the load across several servers. The MX record does not allow mail services to be placed on alternative ports, nor does it allow weights to be assigned to servers of the same priority, as the SRV record does. The MX record works as follows: on an MX request the client obtains the list of mail servers and starts delivering the mail such that the MX record with the smallest associated number (preference) has the highest priority. The client thus walks the list of servers until the mail is successfully delivered. All servers with the same MX number are treated with equal priority, so delivery is attempted across them until it succeeds,
• PTR (Pointer Record) links an IPv4 address to the corresponding domain name, i.e. FQDN. PTR records should normally point to a name that can be resolved back to the original IPv4 address. The PTR record is keyed not by the IPv4 address itself but by the four octets of the address written in reverse order with the IN-ADDR.ARPA. domain appended,
• NS (Name Server Record) specifies that the given zone is to be served by the given DNS server. Every NS record is either a mark of authority or a mark of delegation: if the name of the NS record equals the zone in which the NS record appears, it is an authoritative record; if the name contains one of the subdomains, it is a delegation,
• SOA (Start of Authority) specifies which DNS server is authoritative for the given domain and carries additional information about the zone. Every valid zone must have an SOA record,
• AAAA and A6 link the corresponding domain name to a 128-bit IPv6 (Internet Protocol version 6) address. Both AAAA and A6 records can be found; they differ in some details, e.g. A6 allows the label to be defined as a binary string. Today A6 is still considered an experimental record, and AAAA is recommended for production use,
• DNAME (Delegation Name) is a relatively recent way of defining aliases for an entire domain, not only for an individual domain name. It is used, for example, in IPv6 for aggregating and delegating an entire prefix. It is not used in practice,
• SRV (Server Selection) is a record used increasingly in protocols that are just appearing on the market, and it represents a considerably better alternative to the MX record. It is a general record for defining the location of a service, its weight and priority, for example for LDAP (Lightweight Directory Access Protocol), HTTP, SMTP and others,
• TXT (Text String) allows an arbitrary text record of up to 255 bytes. Today it is used, for example, instead of the obsolete HINFO description of the device carrying the domain name, or for publishing SPF (Sender Policy Framework)² information,
• DS (Delegation Signer) is added at the zone cut (the place where delegation takes place) to show that the delegated zone is digitally signed and that it recognises a particular key as its own valid key. This defines the delegation explicitly, instead of the standard implicit way,
• KEY (Public Key) is a public key authorised by a SIG record; it allows DNSSEC (DNS Security Extensions)³ keys and arbitrary application keys to be stored,
• KX (Key Exchanger) provides a method for delegating authorisation for a node on behalf of one or more nodes, in order to provide key-exchange services,
• LOC (Location Information) is a record in which geolocation, i.e. GPS (Global Positioning System), data about a particular node or domain can be stored,
• SIG (Cryptographic Public Key Signature) represents a signature for authenticating data in DNSSEC,

² The SPF mechanism is documented in detail in RFC 4408, although it is still an experimental protocol that is not a generally accepted standard.
³ DNSSEC is a whole set of extensions to the basic DNS standard (more on it in RFC 4033) and presupposes the use of EDNS support, RFC 2671. The additional RRs that DNSSEC introduces are documented in RFC 4034. The additional modifications to the DNS protocol required by the extensions are documented in RFC 4035.
• TSIG (Transaction Signature) provides simple authentication of DNS transactions using shared secret keys and hashing,
• RP (Responsible Person) is a record about the person responsible for a domain or hosts.

There is also a series of rarely used records [8]: AFSDB (AFS Database Location Code), HINFO (Host Information), ISDN (ISDN Address), MB (Mailbox), MR (Mail Rename Domain Code), NULL (Null Record), RT (Route Through), X25 (X.25 PSDN Address), MINFO (Mailbox or Mailing List Information), PX (Pointer to X.400/RFC 822 Mail Mapping Information), NSAP (Network Service Access Point Address) and NAPTR (Naming Authority Pointer).
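As an added example (not code from the thesis), the two CNAME constraints and the MX preference ordering described above, applied to a small constructed record set:

```python
"""CNAME and MX checks over a zone, following the rules in Section 2.3.
Added example; ZONE below is a constructed record set, not data from the thesis."""
from collections import defaultdict
import random

# Constructed records as (owner name, type, rdata); MX rdata is (preference, exchange).
ZONE = [
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 1 3600 600 86400 300"),
    ("example.test.", "NS", "ns1.example.test."),
    ("example.test.", "MX", (20, "mail2.example.test.")),
    ("example.test.", "MX", (10, "mail1.example.test.")),
    ("example.test.", "MX", (20, "mail3.example.test.")),
    ("example.test.", "MX", (30, "mail4.example.test.")),   # target is an alias: violation
    ("ns1.example.test.", "A", "192.0.2.1"),
    ("mail1.example.test.", "A", "192.0.2.10"),
    ("mail2.example.test.", "A", "192.0.2.11"),
    ("mail3.example.test.", "A", "192.0.2.12"),
    ("www.example.test.", "CNAME", "web.example.test."),
    ("www.example.test.", "TXT", "v=spf1 -all"),            # TXT next to CNAME: violation
    ("mail4.example.test.", "CNAME", "mail1.example.test."),
]


def check_cname_rules(records):
    """Return violations of the two CNAME constraints from the text:
    1. an owner name that has a CNAME may carry no other record type;
    2. no record other than a CNAME may point at an alias (checked here for
       MX and NS targets, the record types that name another host)."""
    types_by_owner = defaultdict(set)
    for owner, rtype, _ in records:
        types_by_owner[owner].add(rtype)
    aliases = {owner for owner, types in types_by_owner.items() if "CNAME" in types}

    problems = []
    for owner in sorted(aliases):
        others = types_by_owner[owner] - {"CNAME"}
        if others:
            problems.append(f"{owner} has CNAME together with {sorted(others)}")
    for owner, rtype, rdata in records:
        target = rdata[1] if rtype == "MX" else rdata
        if rtype in ("MX", "NS") and target in aliases:
            problems.append(f"{rtype} at {owner} points at alias {target}")
    return problems


def mx_delivery_order(records, domain, rng=None):
    """Order the MX exchanges of `domain` the way a mail client tries them:
    lowest preference value first; exchanges with equal preference are treated
    as equal, so their relative order is randomised."""
    rng = rng or random.Random()
    by_preference = defaultdict(list)
    for owner, rtype, rdata in records:
        if owner == domain and rtype == "MX":
            by_preference[rdata[0]].append(rdata[1])
    order = []
    for preference in sorted(by_preference):
        exchanges = list(by_preference[preference])
        rng.shuffle(exchanges)
        order.extend(exchanges)
    return order


if __name__ == "__main__":
    for problem in check_cname_rules(ZONE):
        print("zone error:", problem)
    print("MX delivery order:", mx_delivery_order(ZONE, "example.test."))
```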
2.4. DNS queries and responses

A standard DNS query is usually very simple and mostly contains only the item to be resolved, whereas responses are always more complex, since they contain all the addresses and aliases that result from the query. Responses are therefore usually compressed with a special algorithm⁴, eliminating redundant data [9] and reducing the size of the UDP datagram itself. If the packet size still exceeds 512 bytes, a partial message is sent as a UDP packet with a special bit set that indicates the query must be repeated over TCP. This maximum packet size is also the reason there are only 13 root DNS servers: a list of only 13 IP addresses fits into a single DNS packet. The typical layout of a DNS packet is shown in Figure 2.3 and defined in more detail below.

Figure 2.3: Layout of a DNS packet with its sections
Queries and responses use the so-called general message format, which consists of the 5 sections shown in Table 2.1. The message is filled in with the query by the client and with the response by the server, and in both cases the header contains the data needed for the process to complete correctly and successfully.

Table 2.1: Sections of a DNS packet

Section name | Purpose of the section
Header | Mandatory fields that define the message type and give the client or server important information about the message. The header also holds the counts of records in the other sections of the message. The header is present in every message and has a fixed size of 12 bytes. One of the more important components of the header is QR, which indicates whether the message is a query or a response.
Question section | Contains one or more queries from the client to the DNS server. Its size depends on the number of queries (although most often there is only one query).
Answer section | Contains one or more RRs that answer the client's query. Its size depends on the number of answers.
Authority section | Contains one or more RRs that represent delegation to authoritative servers, i.e. point to the authoritative DNS servers that can be used to continue DNS resolution. Its size depends on the number of authority records.
Additional section | Contains one or more RRs carrying various additional information related to the query, which is not required for the completeness of the response or query, for example the IP address of a DNS server mentioned in the authority section. Its size depends on the number of additional records.

⁴ More on name compression in DNS packets can be read in RFC 1035, Section 4.1.4.
Every DNS message (query or response) has several fields in the header that define the most important characteristics of the message. Table 2.2 shows the structure of the header, i.e. the fields together with their sizes [10].

Table 2.2: Header of a DNS packet

Field name | Size | Description
ID (Identifier) | 2 bytes | A 16-bit packet identifier that is copied from the query into the response and thereby ties the query to the response. It is unique per server within the context of a given exchange and is generated more or less pseudo-randomly depending on the DNS server.
QR (Query/Response flag) | 1 bit | QR=0 for a query to the server, QR=1 for a response from the server.
OPCODE (Operation Code) | 4 bits | Defines the type of query. The values are:
• OPCODE=0 is QUERY, the usual type of query,
• OPCODE=1 is IQUERY, an inverse query that is no longer used today,
• OPCODE=2 is STATUS, a query for the server status,
• OPCODE=3 is unused,
• OPCODE=4 is NOTIFY, a special message used to inform a server that the data in a particular zone for a domain has changed and that a zone transfer is needed,
• OPCODE=5 is UPDATE, a special message used to implement dynamic DNS, i.e. a way of adding, changing and deleting records.
AA (Authoritative Answer flag) | 1 bit | AA=1 in a response indicates that the server is authoritative for the zone in the question section, while AA=0 means the response is not authoritative, which is characteristic of DNS recursors.
TC (Truncation flag) | 1 bit | TC=1 in a response indicates that the full UDP response would be larger than 512 bytes and that the query must be repeated over TCP. The UDP response received contains only part of the requested information.
RD (Recursion Desired) | 1 bit | RD=1 in a query indicates that the client requests recursion. Any responses preserve the state of the flag.
RA (Recursion Available) | 1 bit | RA=1 in a response indicates that the server supports recursion. Purely authoritative servers will not support recursion.
Z (Zero) | 3 bits | Reserved, must be 0.
RCODE (Response Code) | 4 bits | Defines the result of processing the query. The values are:
• RCODE=0 in all questions and in responses that did not result in an error (No Error),
• RCODE=1 when there is an error in the query format (Format Error),
• RCODE=2 when the server is unable to answer because of an internal error (Server Error),
• RCODE=3 when the name given in the query was not found in the domain (Name Error). The response may be authoritative or non-authoritative (e.g. from a negative DNS cache),
• RCODE=4 when the query type is not supported by the server (Not Implemented),
• RCODE=5 when the server refuses to perform the query, for example because of access lists for that query type (Refused),
• RCODE=6 when the requested name exists but should not (YX Domain),
• RCODE=7 when the requested record exists but should not (YX RR Set),
• RCODE=8 when the requested record does not exist but should (NX RR Set),
• RCODE=9 when the server is not authoritative for the requested domain (Not Auth),
• RCODE=10 when the requested name is not within the zone of the message (Not Zone).
QDCOUNT (Question Count) | 2 bytes | Gives the number of queries in the question section. A query has only a single question, so the handling of multiple questions differs among server implementations.
ANCOUNT (Answer Record Count) | 2 bytes | Gives the number of RRs in the answer section.
NSCOUNT (Authority Record Count) | 2 bytes | Gives the number of RRs in the authority section.
ARCOUNT (Additional Record Count) | 2 bytes | Gives the number of RRs in the additional section.
T&b*6& -. 5r"&$+( "#+& 5#*+& & #0+(*+&" $53& $ DNS 5&"(3&, 3( "#+( 2$ !+;#)()(*!(.
Table 2.3: Fields in the question section
field name    size    description
NAME >(!'.Buestion Name
)&rr& S&0r: #b+("3, 0#(!$ * #!$ "#+ 2$ 5r(0(3 $53&.
TPE >(!'.Buestion %'pe
- b&+3& S&0r: 35 $53&. M#:( 2&0r:&)&3 25(6<! br#+ "#+ #0'#)&r& 35$ RR&"#+ 2( 3r&: * 5&" !(" #0 5#2(b!; br#+()& & 5#2(b!( )r23( $53&=
• TPE-91 #0'#)&r& &;3+()$ & !"r((!3&*! #!2" 5r+(!#2>IFR
• TPE-9- #0'#)&r& 23&!0&r0!# &;3+()$ & 5r+(!#2 #!(>AFR
• TPE-9, TPE-94 #0'#)&r&+$ &23&r+(* $53& &&52( )(&!( $ (&* >MAILA MAILB $53 & MB, MG MR&52&,
• TPE-99 "#+ #0'#)&r& $53$ & 2) &52& >.
?LASS >(!'.Buestion ,lass
- b&+3& O!&&)& "#+ 2( 35 RR 3r&: #:( 5#5r3 )r+(0!#23 #0 0# 999.S3&!0&r0!# 2( "#r23 2)('& 5(3 )r+(0!#23=
• ?LASS1 & I!3(r!(3 >IN &52,
• ?LASS & ?HAOS,
• ?LASS4 & H(2#0 >HS,
• ?LASS-94 & 5r&! >NONE 35 "#+ 2( #b!# "#r23 $ 0!&"# DNS$,
• ?LASS-99 & AN $53. AN "*&2& +( &+(!2" > 35.
2.5. Types of DNS servers
P#3r(b!# +( +# 0(<!r&3 (J$#0!#2 )( DNS 5#2*$:3(*+& & 23$ 0#(!$. S)&" 5#2*$:3(*+ "#+ & "#5*(3!$ "#5+$ #!( >b*# *#"&*!#, b*# 5r;)&3# !& !(" 0r$'
!&! b( 5#3r(b( & 5r#6(2# r(#*$6+( +( &$3#r3&3)! DNS 5#2*$:3(*+ & 3$ #!$.R+( +( # 5#2*$:3(*+$ "#+ 2(r)r& )*&233( 5#0&3"( "*+(!3&, & #! #:( b3 &$3#r3&3)&!& +(0!$ #!$, &* !( !$:!# & !("$ 0r$'$. O2!#)! 5#0&3&" "#+ !<#rr& 5#2*$:3(*+ 0&
+( &$3#r3&3)&! & 3$ #!$ +( SOA &52, $ #23&3&" "#!<'$r&6+( "#+ ##'$%&)& 5r;)&3 5#0&3&"& # #! 2*. Kr)# 0(<!r&!# SOA 5#*+( #:( 0#)(23 0# 23$&6+( 0& !3 +(0&!DNS 5#2*$:3(*+ & #!$ !( b$0( &$3#r3&3)&! 3( 0# 5r(23&!"& !#r&*!#' r&0& DNSr(#*$6+( & 3$ #!$.
M#:( 5#23#+&3 )( 0(<!r&!; DNS 5#2*$:3(*+& & 23$ #!$ "#r23(% )( #0'#)&r&+$%; NS &52&. D&!&2 +( 5r&"2& 0& b 2)&"& #!& 3r(b&*& &3 b&r( 0)& DNS 5#2*$:3(*+&,
3&"# 0& 5&0# +(0!#' DNS !&23&)*+& <$!"6#!r&3. N&(, !&"#! 23("& TTL )r((!& 5#+(0!#' RR& >0(<!r&!# $ 2)&"# RR$ 5#0&6 25r(*+(! 5# r&! "*+(!3& 5#2*$:3(*+& !(23&+$. U 2*$&+$ 0& +( 5#23#+&# 2&# +(0&! &$3#r3&3)! NS >+(0&! DNS
5#2*$:3(*+, "&0 +( #! !(&"3)&! * !(25r&)&! $ 0$:( 5(r#0$ >)(% #0 TTL& !&)(0(!&#!& %( b3 !(0#23$5!&. T )(, !&"#! 5#"r(3&!+& 5#2*$:3(*+& #!& %( b3 +# $)+("!(0#23$5!& 2 #br# 0& 2( !($25+(* $53 >#! "#+ 2$ 0#b* NDOMAIN & #0'#)#r
5&3( +# !("# )r+(( !& "*+(!3& 5#2*$:3(*+& b#' 5r!65& !('&3)!#'(J$25r(!"&. S3#'& +( r&)+(! 5r!65 5r&r!#' >(!'. Primar'>+aster 2("$!0&r!#'>(!'. Secondar'>Slave DNS 5#2*$:3(*+&.
Pr&r! 5#2*$:3(*+ +( #!&+ &$3#r3&3)! 5#2*$:3(*+ "#+ 5#0&3"( # 2)#+#+ #! & *#"&*!#25r(*+(!(, #0!#2!# & *#"&*! 5r23$5 !&)(0(! 5#0&6&. S("$!0&r! 5#2*$:3(*+ +(
5&" #!&+ "#+ 0#b)& 5#0&3"( #0 !("#' )&!+2"#' )#r&, #b!# "#r23(% 5r+(!#2 #!(
>(!'. #one %rans!er #0 5r&r!#' 5#2*$:3(*+&. Pr&r! 5#2*$:3(*+ & +(0!$ #!$ #:( b3 2("$!0&r! & 0r$'$ 2*. S '*(03& "*+(!3&, #b& 2$ 5#2*$:3(*+& >5r&r! 2("$!0&r! +(0!&"( )r+(0!#23 >&$3#r3(3& +(0!&"#' 5r#r3(3& >2*$&+! b#r. P#23#+( 0r$' r&*#& $)#J(!+( 2("$!0&r!#' 5#2*$:3(*+& "&"# r&0 *&"(' #0r:&)&!+& >5r&r! !( #r& b3&"3)&! & )r+(( #0r:&)&!+&, 3&"# b#*+(' r&25#r(J)&!+& #53(r(%(!+& & )(*"( #!( !#'# $53&.
O2 5r&r!; 2("$!0&r!; &$3#r3&3)!; 5#2*$:3(*+& 5#23#+ +# 5&r 35#)& 5#2*$:3(*+&.Pr) $ !$ +( 2"*+$)# (J$25r(!" 5#2*$:3(*+ >(!'. ,ac"ing1onl' Name Server .T&") 5#2*$:3(*+ !2$ &$3#r3&3)! !3 & +(0&! RR !(&+$ !"&")( *#"&*!( 5#0&3"(
"#+( b 5#2*$:)&* !+;#)& #2!#)!& <$!"6+& +( 5#b#*+&3 5(r<#r&!2( DNS 2$23&)&r&0(% "&"# 5#3)!#, 3&"# !('&3)!# 5&%(!+( r($*3&3& DNS $53&, 2&!+$+$% 3(#53(r(%(!+( !& &$3#r3&3)! 5#2*$:3(*+&. S*+(0(% 35 +( 5r#2*+(J)&" 5#2*$:3(*+ >(!'.
$or&arding Name Server . N+('#)& +( #2!#)!& <$!"6+& 5r;)&3 5r#2*+(J)&!+( $53&!("# 0r$'# DNS 5#2*$:3(*+$, &* 2( #b!# "#b!r& 2 *#"&*!# 5#;r&!#0#b)(!; r($*3&3&, 5& +( r+( # 0#br# r+((!+$ & 25#r( r(:(.
S*+(0(% 35 +( 2"*+$)# &$3#r3&3)! 5#2*$:3(*+ >(!'. ut"oritative1onl' Name Server "#+ !(& (J$25r(!" DNS $53& !3 !( #0'#)&r& !& $53( & "#+( !+( &$3#r3&3)&!.O! +( 5r&r! * 2("$!0&r! 5#2*$:3(*+ & #!$, & !( ##'$%&)& r("$r)!( $53(. R+(
+( !&+(%( # )0$ 2'$r!#23 '0+( 2( #0)&+&+$ 5#2*$:3(*+ & 2"*+$)# &$3#r3&3)!( 2"*+$)# (J$25r(!"( &0&%(. T&")( #"#*!( '0+( 2( 3r&: 2'$r! #b*" DNS
5#2*$:3(*+& #b!# &+$ !("#*"# DNS 5#2*$:3(*+& #0 "#+; 2$ 2&# !(" +&)!# )0*+),0#" 2$ 0r$' 2"r)(! >(!'. Stealt" Name Server . N&+(%( +( 2*$&+ 0& 2"r)(! 5#2*$:3(*+25#r$$+$ "*+(!3& DNS !<#r&6+( "#+( !2$ )0*+)( !& +&)!#+ )&!+2"#+ r(:. N& 3&+2( !&! )&!+2" "*+(!3& 5#2*$:$+( 3(" 0# !<#r&6+& & "#+( 2( 2&3r& 0& 2$
5#3r(b!(, & $!$3r&!+& 2( 0&+( 0r$' 0# !<#r&6+& & "#+ 2( 2&3r& 0& 2$ 0#)#*+!( 3&"# 2( (*!r& 2'$r!#2! 5r#b*( 0& 2) )0( 2)(. T&+ 5r!65 2( +# !&)&
r&0)#+(! 5#2*$:3(*+ >(!'. Split Name Server , #0!#2!# r&0)#+(! DNS >(!'. Split
DNS .
2.6. Security problems
P#23#+ ! 3r"#)& 5##%$ "#+; 2( #:( #0r(0! DNS 5#2*$:3(*+ !&3+(r&3 0& 5r;)&3*&:!( &52(9. T&")# 2( (3#0# *&:r&!+& DNS &52& >(!'. DNS $orger' 11!(2)+(2! "*+(!3 5r($2+(r$+$ !& *&:!( &0r(2( 3( 5#23&+$ *&"& (3& !&5&0&&.S3&!0&r0!# 2$ 3&") !&5&0 $ <#r 3r#)&!+& DNS (J$25r(!"& >(!'. ,ac"e Poisoning 1, !&5&0& "#0 "#+(' 2( $3( !& DNS 5#2*$:3(*+ 0& 5#)+(r$+( 0& +( 0#b# &$3#r3&3)!(!<#r&6+( # 3r&:(! 5#0&6&. T( 2( $3( !& 2)( "*+(!3( "#+ "#r23( 0#3! DNS
5#2*$:3(*+ 0& 3&"#J(r "#r23( *&:r&!$ !<#r&6+$, "#+& #:( ##'$%3 0&*+!+( r&*3(
!&5&0( !& "*+(!32"& r&$!&*&.
Dr$' )(*" 5r#b*( !+( 3#*"# )(&! $ 2'$r!#23 "#*"# $ DNS &'&J(!+( >(!'. DNS
Pollution 1- #0!#2!# b(25#3r(b!( DNS $53(. T5! 5r+(r #)&")#' 5r#(3& 2$ DNS$53 & 5r)&3! &0r(2&& "#+( +( 5#3r(b!# *#"&*!# r&r+(3 !& DNS 5#2*$:3(*+$ 3&"#0& 2( !( 5r#2*+(J$+$ 0&*+(. T&"&) 5r#(3 b(25#3r(b!# #53(r(%$+( )r!( DNS 5#2*$:3(*+(
b$0$% 0& 2( 3&")( &0r(2( "#r23( 2"*+$)# $ 5r)&3! r(:&&, 3( !3 +(0&! DNS 5#2*$:3(*+ $ 2)+(3$ !(%( b3 &$3#r3&3)&! & !&)(0(!( &0r(2(. Pr(& r(6(!3!23r&:)&!+& &" 1.1 $"$5!#' 2)+(32"#' DNS 5r#(3& 5r(023&)*+& 6$r(!+( RF?1/18$53& 5r(& )r! DNS 5#2*$:3(*+& 1, 23#'& +( --. '#0!( <#rr&!& 0#0&3!&
$2+(r)&"& ;+(r&r;+& #"# AS11- >(!'. utonomous s'stem r&0 r&r+(&)&!+& $53& &RF?1/18 >1.!&00r.&r5&, 30. RF? >-94.1/.!&00r.&r5& &0r(2&&. O!# 3# 2(#:( &"*+$3 +(23 0& +( r(*&3)!# &*(! 5#23#3&" DNS 5r#(3& $ 23)&r "#r("3&! >5r(&0#2&0&!+ +(r(!+& !& )r! 5#2*$:3(*+&, 2)('& - 14.
P#23#+( +# r&*3 35#) &'&J(!+& "#+& 2( 0(&)&+$ $ DNS 5r#23#r$=
• AA $53 !(25r&)! DNS "*+(!3 &*+( A $53 $ "#+( +( )(% 2&0r:&!& IP &0r(2&>K#+& +( IP &0r(2& r&$!&*& 2 IP &0r(2# 1.-..4. O)# +( "&r&"3(r23!# &M6r#2#<3 !0#2 NT #5(r&6+2" 2$23&), & r+(&)& 2( #b!# "#r3(!+( 0+b0!22(r)2& * B!0 / 5#2*$:3(*+& "#+ +( &$3#r3&3)&! & 2); -9 !$(r"; #!&, 5r
($ +( 2)&"& 5r&!&,
• U53 & "r) TLD#)& "#+ 2$ !&+(%( 5#'r("& $ *#"&*! "#!<'$r&6+&&>"r)& 0#(!&, !(3#!& 0#(!&, #b*! $r(J&+, !(25r&)!( 23&!0&r0!("#!<'$r&6+( * &5*"&6+&&, 5& 2( 5#+&)*+$+$ $53 & *#6&*;#23, *#6&*0#&!,#r"'r#$5 2*! !(5#23#+(% 0#(!&&, #0!#2!# 0#(!&& "#+( b3r(b&*( b3 *#"&*!# 0(<!r&!(,
9 A!&*& 5#3(!6+&*!; 2'$r!#2!; 5r#b*(& $ DNS 2$23&)$ +( 0#"$(!3r&!& $ RF?8. M2* 2( !& RF?1/18 5r)&3!( &0r(2(, #0!#2!# 1@8, 17-.1@1- 1/-.18@1 5r(<"2(.
• U53 & &0r(2&& )r!; 5#2*$:3(*+& 2) DNS 5#2*$:3(*+ &+$ 5#52 )r!; 5#2*$:3(*+& "&"# b $#5%( #'* #23)&r3 5#(3!$ "#$!"&6+$. P#)r((!##2)+(:&)&!+( &52& +( !#r&*!# b#' 23+(6&!+& TTL&, !# RR#) & )r!(
5#2*$:3(*+( &+$ !&+(%( TTL #0 1 2&3. U 2*$&+$ 0& 2( #)&") $53 0(&)&+$ 5r((23#, r+( +( # 5#'r(6 $ <*3rr&!+$ DNS 5r#(3&, !(25r&)!# DNS 5#2*$:3(*+2"# 2#<3)(r$ 2*,
• IP) $53 (23# ; &*+$ &5*"&6+( "&0 3# !+( !$:!#. B!0 5#2*$:3(*+ 0#0&3!##b&)*+& !&+(%( !(5#3r(b!( >&" &"# r&$!&*# !(& IP) 23#' AAAA A$53(, 5r+(r6( & 5#)($+$%( &52(.
I 5r*#:(!#' +( #3# 0& b DNS &0!23r&3#r$ b# "r&+!+( "#r23&! 2$23&) "#+ 5r&3
0#*&! #0*&! DNS 5r#(3 3( 0(!3<6r& 5#3(!6+&*!( 2'$r!#2!( 5r+(3!+(, 5r+&)*+$+( ()(!3$&*!# #b&)*+& 5r#&"3)!( r&0!+( &33( #0 23;. U !&23&)"$ %( 2( $23)r03 5#23#+( *3&") &*&3 "#+( 2$ !+;#)( <$!"6#!&*!#23.
2.7. Methods of traffic analysis in DNS servers
S)&" r("$r)! DNS 5#2*$:3(*+ #r& 5*((!3r&3 3((*+3$ &!&*$ #0'#)#r& 2$0&*+(!#' 5#2*$:3(*+& r&0 b+('&)&!+& 3r#)&!+& r&0 5r#)+(r( "#r("3!#23 #0'#)#r& 2#br# !& 5*((!3r&!( DNS 23&!0&r0(. T((*+3#23 3&")( 5r#)+(r( 2( b3!# r&*"$+(
#0 5#2*$:3(*+& 0# 5#2*$:3(*+&, "&"# 5*((!3&6+2" 3&"# ")&*3(3# 0#b)(!;r($*3&3&.
T+("# 23r&:)&!+& 2( 5#"&&*# 0& 2$ 5#23#+(%( (3#0( b*+(:(!+& 5r#b*(& $#(!; $DNS 5r#(3$ $'*&)!# !(5#35$!( !(5r*&'#J(!( ()(!3$&*!#+ 0&*+!+#+ 2'$r!#2!#+&!&*. Pr+(r6( !&+(%( !(0#23&+( 0(3&*+! 5r"& 5r*+(!#' DNS 5&"(3& >)#r!& #0r&0!& &0r(2&, &23&)6( !& 2)&"# 5#+(0!# !)#$ 5&"(3&, 0$:!( 5#+(0!#'&'*&)*+&, 0(3&*+! 2&0r:&+ 5#0&3"#)!#' 0+(*& 5&"(3&, 30., r&*#' #0b&6)&!+& 5#+(0!#'$53&, "&# 5#52 5&"(3& "#+ 2$ #0b&(! +(r b 0#)(* 0# 2'$r!#2!#' !60(!3& >!5r. $2*$&+$ 5#"$&+& 3r#)&!+& DNS 25r(!"&. N3 "#0 +(0!#' !+( #'$%( 2*&!+( &52!"&
5r(& $0&*+(!# 5#2*$:3(*+$ & b*+(:(!+(, )(% +( 3# 2&# "#0 !("#*6!( #'$%(!0r("3!# #23)&r3 "#r23(% SC2*#' (;&!&. I "#0 3&")#' "#r3(!+& 5r#b*( +( 0&SC2*#' !( 5#0r:&)& "r53r&!+( 5r#(3& #0'#)&r&+$%$ &$3(!3"&6+$@&$3#r&6+$, )(% +(r&0 3#'& !$:!# r&03 223(2"( &;)&3( $ )0$ IP2(6 >(!'. -nternet Protocol Securit'3$!(*&.
T&b*6& -.4 0#!#2 !&+5#!&3+( DNS 5#2*$:3(*+( "#+ 2$ 5r('*(0&! 3+("# 23r&:)&!+& !+;#)( 5#+(0!&!( "&r&"3(r23"( 19 !& 5#*+& &!&*( 5#3(!6+&*!# 5r#b*(&3!;DNS $53&, b*+(:(!+& 5r#b*(& $ 223(2"( &52!"(, b*+(:(!+& 0#*&!; #0*&!; DNS
5&"(3&, "&# 5#35$!#23 5*((!3&6+( DNS 23&!0&r0&.
Table 2.4: Overview of traffic analysis in DNS servers
server name    traffic logging and analysis
B!0 B*+(:(!+( +( #'$%(, !+( 23&!0&r0!# &"3)r&!# &* 2( +(0!#23&)!# "#!<'$rr&. V0(2( 2&# #5% 0(3&*+ # $53$ >2&# $53$, !+( #'$%( )0+(3 #0'#)#r(, !( 25(6<!( 3(;!"( 5#+(0!#23 >br#+ #0+(*+&"&, )(*!& 5&"(3&, 5#'r("( $ $53$ *#0'#)#r$, 23&3$2 $53&, 30. P#23#+ 2'$r!#2!# *#'r&!+( !# #!# +( 5r)(!23)(!##r+(!3r&!# *#"&*!#+ "#!<'$r&6+ 5#2*$:3(*+& >5r23$5!( *23(, $53 "#+( +(!(#'$%( r+(3, !(2'$r! 0!&" DNS $53, 5r+(!#2 #!(, 30. S&&"*&2<"&6+& b*+(:(!+& +( 0#br# r&r&J(!&. K&# "#0 0r$'; 5#2*$:3(*+& !+( #'$%($!$3r&!+( $0&*+(!# *#'r&!+(, )(% +(0!# "r# SC2*#' (;&!&.
R+( +( # +(0!# #0 !&+5#35$!+; 5*((!3&6+& DNS 5#2*$:3(*+&, & &!&*& $53& +( )r*# 2*#:(!# )(0(!& "r# 3((*+3$ 3(r&3)!$ 5r#)+(r$ 2)&"#' 5#+(0!#' $53& #0'#)#r&. P#2*$:3(*+ "&# )(%!& #23&*; !(& !"&")( (3#0( 5r#&"3)!( &33( $22*$ r(&"6+( !& 5#"$&+( !&5&0&. B!0 +( 0&!&2 5r&"3!# 23&!0&r0! U!@L!$DNS 5#2*$:3(*+.
URL= ;3352=@@.26.#r'@2#<3&r(@b!0
0+b0!2 S3&!0&r0!# b*+(: 5r#(3 r&*3( $!$3r&!+( 23&323"( )r*# 0(3&*+!#, !#0#"$(!3&6+& # 3#( +( $'*&)!# 2*&b& * !"&")&. N(& #'$%!#23 b*+(:(!+&
5#2*&!; #0'#)#r& !3 ()(!3$&*!( 2'$r!#2!( !60(!3(. U 2*$&+$ 2'$r!#2!;5*"&6+& !( &*+( !"&"&) #0'#)#r, ! 3# $'*&)!# !( b*+(: #2 $ !("#*"#2*$&+()&. N+( #'$%( ! *#'r&!+( "r# 2C2*#' !3 $0&*+(!# *#'r&!+(, +(0!# "r#()(!3$&*!( !(23&!0&r0!( 0#0&3"(. Z&b*+(:(! 5r#(3 !+( *+$02" 3*+) >IP &0r(2($ ;("2&0(6&*!# &52$, !$(r" &52&!( 5#'r("( b( 3&b*6( !&(!+&, 30.A$3#r3&3)! r("$r)! 5#2*$:3(*+ 2$ #0)#+(!, 5& +( $#b&+(!# r&0)#+(!#
b*+(:(!+(.R+( +( # #2!#)!#+ DNS 5*((!3&6+, & 2#<3)(r $'*&)!# !&*!# &!&*r&DNS 5r#(3 0#!#2 &"*+$"( # !+($, )(% #0'#)&r& )r*# "#!(r)&3)!# 3# 2&#!& 5r#(3 !& "#+ #:( $ 5#35$!#23 #0'#)#r3. D+b0!2 +( )+(r#+&3!# 3r(!$3!#!&+2'$r!+ DNS 5#2*$:3(*+ $ 22*$ #'$%; 2'$r!#2!; 5*"&6+& b#' 2)#'!&*23"#' 0&+!&.
URL= ;335=@@6r.C5.3#@0+b0!2.;3*
M&r&DNS S3&!0&r0!# !( b*+(: 5r#(3, (J$3 +( 3# #'$%( &"3)r&3. M#:( b*+(:3 $53()r*# 0(3&*+!# "&# 2)( #'$%( $23&!#)*+(!( 2'$r!#2!( 5r#b*((, 3( b*# "&")(
5r#b*(( #3"r)(!( $ $53$ #0 "*+(!3& * #0'#)#r$ #0 0r$'#' 5#2*$:3(*+&. N(&"*&2<"&6+$ &b*+(:(!; 5r#b*(&.
I5*((!3&6+& 3r(!$3!; DNS 23&!0&r0& +( 5r*!# 5#35$!&, & &$3#r +( "#r23# 0(+( 0+b0!2 B!0 2#<3)(r& $ &!&* 5r#(3&. Pr#)+(r& 5r#(3& +( #23)&r(!&$'*&)!# "&# ! *#'"; 5r#)+(r 3+("# #br&0( 5r#(3&, 3# +( &!+( <#r&*&!!&! #23&)*+& #'$%!#23 5r#5$23& $ #3"r)&!+$.
URL= ;335=@@.&r&0!2.#r'@
P#(rDNS S3&!0&r0!# !( b*+(: 5r#(3, !# #'$%( +( 0#b3 "r&+!+( 0(3&*+!# 5r&%(!+( $53& #0'#)#r& "&# $#(!; 2'$r!#2!; 5r#b*(&. S3&!0&r0!# 0&+( 0(3&*+!+ $5#3r(b*+)+ 252 #0 B!0 5#2*$:3(*+&, &+(0!# 2 r&*3 "#r2! 5#0&6& #$#(! !(5r&)*!#23& $ DNS 5r#(3$. B*+(:(!+( +( #'$%( $25#23&)3 "r#SC2*#' 2(r)2.
Š3# 2( 3( DNS 23&!0&r0&, r+( +( # +(0!# #0 !&+5#35$!+; DNS 5#2*$:3(*+& $B!0. Pr#)+(r& 5r#(3& +( )r*# 0(3&*+!& "&# b*+(:(!+( 5r#b*(&3!#' 5r#(3&.
S#<3)(r $ 2*$&+$ #5(3#)&!; 5#"$&+& 3r#)&!+& * D#S !&5&0& r(&'r& 5r#'r(2)! b*#"r&!+( "#$!"&6+( 5r(& !&5&0&$.
URL= ;335=@@.5#(r0!2.6#@
NSD R+( +( # 2"*+$)# &$3#r3&3)!# DNS 5#2*$:3(*+$, 5& +( 2&& &!&*& #'$%; 5r+(3!+ b3!# +(0!#23&)!+& !('# "#0 #23&*; 5#2*$:3(*+&. N(& b*+(:(!+& $53& #0'#)#r&, )(% b*+(:(!+( ()(!3$&*!; <$!"6#!&*!; 5r#b*(& &br&!+(!; $53&b#' 5r23$5!; *23.
URL= ;335=@@.!*!(3*&b2.!*@5r#+(632@!20@
M6r#2#<3 DNS S3&!0&r0!# !( b*+(: 5r#(3, &* +( #'$%( b*+(:3 0#*&! #0*&! 5r#(3, 3# +(r+(3"& #'$%!#23. P#23#+ $5#3r(b*+)& "*&2<"&6+& 5r#b*(&, &"# +( 2'$r!#2!#
b*+(:(!+( $'*&)!# 0#23& #'r&!(!( <$!"6#!&*!#23.I5*((!3r&! 2$ 2) )&:!+ DNS 23&!0&r0. N(5#!&3# +( "#*"# +( 0#br##23)&r(!& 5r#)+(r& 5r#(3&, !# 5#2*$:3(*+ +( r(*&3)!# 0$'# b# r&!+) !& r&*3()&r+&!3( DNS 3r#)&!+&. S& 5#2*$:3(*+ +( 5r&"3" #2!#)! 0# M6r#2#<3 A63)(D#&!& &r;3("3$r(, 5& +( 2;#0!# 3#( )r*# 5#5$*&r!# r+((!+(.
URL= ;335=@@.6r#2#<3.6#
D!2&2 R+( +( # 5r#2*+(J)&"# 35$ DNS 5#2*$:3(*+& "#+ #:( ()(!3$&*!# &$3#r3&3)!#0&)&3 5#0&3"( # *#"&*! r&$!&*&. N( b*+(: 5r#(3 !3 & 3&")( #'$%!#23,2 #br# 0& +( 5r&r!# !&+(!+(! & *#"&*! r&0. S'$r!#2!& &!&*& 0(3&*+!&
5r#)+(r& DNS 5&"(3& +( !(5#23#+(%&.
URL= ;335=@@.3;("(**(C2.#r'.$"@0!2&2@0#6.;3*
P#2&02 N(0#23&+( 0#"$(!3&6+& 3( !(& )( ! "&")( )0*+)( &"3)!#23 !& r&)#+$
2#<3)(r&. DNS 5#2*$:3(*+ 2( b&r( 4 '#0!( !( r&)+&, 3( +( 3( )&! <#"$2& #)#' 5r('*(0&. R&!+) +( !& 6+(* ! !#)+; 2'$r!#2!; !&5&0&.
URL= ;335=@@5#2&02.2#$r6(<#r'(.!(3@
U!b#$!0 S3&!0&r0!# !( b*+(: 5r#(3, &* +( 3# #'$%( #23)&r3 & 0#*&! 5r#(3. B*+(:(!+(2'$r!#2!; !60(!&3& +( !(0#)#*+!# 0(3&*+!#, &"# 5#23#+. O3"r)&!+( 5#3(!6+&*!;
5r#b*(& +( #23)&r(!# )r*# 0(3&*+!# ")&*3(3!#, 'r&0!+# 5#35$!#' DNS 23&b*& #0b&6)&!+( 2); 0+(*#)& 5&"(3& "#+ 5r(023&)*+&+$ 2$)&" * 5#3(!6+&*!
5r#b*(, &+(0!# 2 b*+(:(!+( $#(!; 5r#b*(&.
P#2*$:3(*+ 5*((!3r& 2)( b3!( 23&!0&r0( 0# 0#0&3!; DNS ("23(!+&. Pr#)+(r& 5r#(3& +( ")&*3(3!& 0(3&*+!+& #0 2); #23&*; 5#2*$:3(*+&, 5r#)+(r&)& 2( !( 2$"*&0!#23 23&!0&r0& )(% 2)&" 5#3(!6+&*! 5r#b*( 3# !& !&! 0& 2( $& $#br 2&# "#r("3!( !<#r&6+(.
URL= ;335=@@.$!b#$!0.!(3@
S5*( DNS P*$2 M#'$%( +( b*+(:3 0#*&! #0*&! 5r#(3, "&"# *#"&*!# 3&"# $0&*+(!#, &+(0!#2 b*+(:(!+( 2r#); >!(#br&J(!; 5#35$!; DNS 5&"(3&, ( 2( r&*"$+( #0#23&*; DNS 5#2*$:3(*+&. I& r(*&3)!# 2"r#!$ 2'$r!#2!$ &!&*$ 5r#(3&, 3(0#23& 2*&b$ "*&2<"&6+$ $#(!; 5r#b*(&.
P#2*$:3(*+ 5#3$+( 2)( b3!( 23&!0&r0( 0# 0#0&3!; DNS ("23(!+&. Š3# 2( 3(
#23&*; #'$%!#23 !+( !& r&! #23&*; 5#2*$:3(*+&.
URL= ;335=@@.25*(0!2.6#@
?NS, ANS, S(6$r(4DNS S'!(r,S(6$r(4 DNSA$3;#r3C
K#(r6+&*! 5#2*$:3(*+ &3)#r(!#' )#r!#' "#0& "#+ !( 5#23#+( $ 0(#@3r&*)&r+&!3&&, 3&"# 0& 2( # !+& !( #:( $23&!#)3 )( "#!"r(3!; !<#r&6+&.
URL= ;335=@@.!#!$.6#@, ;335=@@.2(6$r(4.6#@
2.8. Overview of existing specialized tools
U 3&b*6 -.9 2*+(0 5r('*(0 25(6+&*r&!; &*&3& & &!&*$ #br&0$ DNS 5r#(3&, 3(#3"r)&!+( 2'$r!#2!; 5r#b*(& &+(0!# 2 ()(!3$&*! #'$%!#23& b*+(:(!+& DNS
5r#(3&.
Table 2.5: Overview of DNS analysis tools
tool name    traffic logging and analysis
S!#r3 IDS T5! S!#r3 $#r6 !( ##'$%&)&+$ ")&*3(3!# 5r&%(!+( DNS 5r#(3&, !# 5#23#+0#0&3! 0!223&3( &*&3 "#+ 2*$: #3"r)&!+$ !("#*"# DNS r&!+)#23. M#:( #3"r3
5#"$&+( 3r#)&!+& >2&# )&r+&!3& 3r#)&!+& "r# 3(rr&!+( ID+()& >(!'. -denti!ication 2 *&:! #0'#)#r&, <&23<*$ !&5&0(, #0'#)#r( 2 "r) ID +()&, #0'#)#r( b( 5r(3;#0!#' #0'#)&r&+$%(' $53& "&# )(23r$"( >!(5#3r(b!(#0'#)#r(.
F#r(!"& "#5#!(!3& +( ")&*3(3!&, 3( +( #'$%( 2!&3 5&"(3( 2& 2) #'$%&23&)6&& "&# P?AP >(!'. Packet ,apture 0&3#3("( & "&2!+$ 0#0&3!$ &!&*$. N( 5#23#+ 0(06r&!& DNS &!&*& 5&"(3&, !# 3# +( #'$%( #b&)*+&3 2 0#0&3!&*&3& 5#5$3 r(2;&r" &!&*&3#r&.
URL= ;335=@@.2!#r3.#r'@
0!23#5 S*$: 5r)(!23)(!# 23&323"#+ &!&* DNS $53&, br#+$ IP)4@IP) DNS 5&"(3&, TLD,SLD >(!'. Second1level domain, LD >(!'. %"ird1level domain $53&, br#+$ A,PTR, ?NAME #23&*; RR $#(!; $ $53& #0!#2!# #0'#)#r&, br#+$ )J(!;0#(!&, 30. T&"#J(r, &*&3 5r(5#!&+( #2!#)!( 35#)( 5r#b*(& $ DNS $53&
5#5$3 RF?1/18 PTR $53&, A&A $53& !(5#!&3; TLD#)& $ $53&.
F#r(!"& "#5#!(!3& +( r(*&3)!# 2*&b&. N( 5#23#+ #'$%!#23 b*+(:(!+& 5r#(3&,
&"# +( !5r. #'$%( &!&*r&3 25r(*+(!( P?AP 0&3#3("(. P#23#+ 2"r#&! br#+2&; IDS >(!'. -ntrusion detection s'stem <*3&r&, !# 0&*+( 2( 0#b)& )(!<#r&6+& !('# 3# 5r"&$+$ DNS 5#2*$:3(*+.
URL= ;335=@@0!2.(&2$r((!3<&63#rC.6#@3##*2@0!23#5@
0!25"3<*# K#r23 2( & )$&*&6+$ 5r#(3& (J$ DNS "*+(!&3& 5#2*$:3(*+&, 2#56#!&*! 5r"&# 2&0r:&+&, &23&)6&, 30. S& &*&3 !+( 2#+(%, )(% "#r23
)( )&!+2"; 5r#'r&& >Gr&5;) & 26r3&)&!+( 'r&<#)& 3( r(2;&r" & 2&$&!&*$ DNS 5r#(3&.
Pr#'r& !(& !"&")$ <#r(!"$ )r+(0!#23, 3( !(& !"&"); IDS <*3&r& "#+ b 5r"&)&* ()(!3$&*!( $#(!( 5r#b*(( $ &5r*+(!# 5r#(3$.
URL= ;335=@@.0!22(63##*2.#r'@
r(2;&r" >5&6"(30!2
E3;(r(&* #0!#2!# r(2;&r" +( !&+5#!&3+ &!&*&3#r r(:!#' 5r#(3&. P#0r:&)&! r&*3; 5r#3#"#*& !& ) !: r&!&& OSI >(!'. Apen S'stems
-nterconnection #0(*&, & (J$ #23&*#'& DNS "r# $!$3r&!+ 5&6"(30!2#0$*. M#'$%( +( &!&*r&3 T?P UDP DNS 5r#(3, 5r"&)&3 r($*3&3( !&"#!#* 3( 25r(&3 &5r*+(!( 5&"(3( $ P?AP 0&3#3("(. I5*((!3r&! 2$ 2)
5#!&3 DNS 23&!0&r0 >"&# 23&!0&r0 "#+ 2$ 3(" $ 5r#6(0$r & #0#br(!+( &25r&)!# 0("#0r&!+( DNS 5&"(3&, 5& +( #'$%& &!&*& 5r#)#*+!#' DNS 5r#(3&3( "#5*(3! 5r"& &23&)6& 2&0r:&+& 5&"(3&.
Pr#'r& 2( !&+(%( "#r23 $ <#r(!"( 2)r;(, !# !(& !"&"); IDS <*3&r& "#+ b 5r"&)&* ()(!3$&*!( $#(!( 5r#b*((.
URL= ;335=@@.r(2;&r".#r'@
0!26&5 R+( +( # &*&3$ !&+(!+(!# 5r2*$")&!+$ b*+(:(!+$ DNS 5r#(3&. Pr#'r&<$!"6#!r& "&# 5r2*$")& 5r#(3& 2 #'$%!#23& )r*# 0(3&*+!#' #0&br&:(*+(!; DNS 5&"(3& >35#) $53& #0!#2!# #0'#)#r&, &23&)6(, 30. 3( b*+(:(!+& $0&3#3("(, b*# P?AP b*# 5r((!3&6+2"#' >)(% 0("#0r&!#' 35&.
A*&3 !(& !"&"); IDS <*3&r&, !# & 2)( 5#3r(b!( #'$%!#23 & 2(*("6+$ b*+(:(!+( :(*+(!#' 5r#(3& 3( "&2!+$ &!&*$ 0r$' &*&3&.
URL= ;3352=@@.0!2#&r6.!(3@3##*2@0!26&5
3. System for monitoring and analysing DNS traffic
S #br# !& 25#(!$3$ 2'$r!#2!$ 5r#b*(&3"$, 2&3r& 2( 0& +( 2)r22;#0!# r&032$23&) "#+ ##'$%&)& 2!&!+( DNS $53& #0'#)#r&, !+;#)$ &5*"&3)!$ &!&*$ 3(
b*+(:(!+( r($*3&3& &!&*( "&# #0'#)&r&+$%( 5r((!3r&!; 5&"(3&. T&"&) b 5r#+("3 b#"r&+!+( "#r23&! 2) 223(&0!23r&3#r& 2 #br# 0& !( 5#23#+ r+((!+( >"&# 3# +(
5#"&&!# $ 5#'*&)*+& -.7 -.8 "#+( b &r;3("3$r&*!# <$!"6#!&*!# ##'$%*#023rb$r&! 5r;)&3 DNS 5#0&3&"&, 3((*+3$ 2'$r!#2!$ &!&*$ 2"*&03(!+(
5r((!3r&!; 5#0&3&"&. U #")r$ #)#' r&0& !&5r&)3 %( 2( &!&*& ;r)&32"#' DNS 5r#(3& +(0!# #0 )(%; DNS 5#2*$:3(*+&.
K#r23(% 2( )('#0!+ 2"$23)# &0!23r&6+( r&*3; U! 5#2*$:3(*+&, #'$%( +(
0(<!r&3 2*+(0(%( &;3+()( "#+( 2( #("$+( 0& &5*"&6+& &0#)#*+=
• !$:!& +( )2#"& r&!& #0$*&r!#23 b$0$%( !&0#'r&0)#23, & 5#0r&$+()& 2(
"#r3(!+( '#3#); 23&!0&r0r&!; "#5#!(!3 >& r(:!$ "#$!"&6+$, #br&0$"#!<'$r&6+2"; 0&3#3("&, 5r3)( & (J$5r#6(2!$ "#$!"&6+$ &"*+$&)&!+(, "r53#'r&<2"( <$!"6+( "&# r&*3( )( 35#)( 5#0&3&"& 5#5$3*23, &2#6+&3)!; r+(!"&, 30.,
• 3r&: 2( 5#35$!& 5r(!#2)#23 (J$ r&*3; #0(r!; #5(r&6+2"; 2$23&)&, b( 5#3r(b( & 5#!#)! 5r()#J(!+( * "#r("6+&& $ )#r!# "#0$,
• 5r"$5*+&!+( DNS 5#0&3&"& !( 2+( !3 $ "#+( #b*"$ $25#r3 * #(3&3
!#r&*&! r&0 r&$!&*& !& "#+( 2( 5r"$5*+&+$ &!&*r&+$ DNS 5&"(3,
• 5r"$5*+&!+( #r& b3 #'$%( #23)&r3 *#"&*!# >2"*+$)# *#"&*!& &!&*&
25r(3( 023rb$r&!# >#0(* +(0!#' * )( &'(!&3&2(!#r& 3( $0&*+(!#'6(!3r&*!#' 5#2*$:3(*+&25r(3&,
• "#$!"&6+& &'(!&3& 6(!3r&*!#' 5#2*$:3(*+& #r& b3 )(0(!& 3&"# 0& 2( 5#23'!$ 3# &!+( *&3(!6+( $ "#$!"&6+ >!&*!# $25#r(!+( 6(!3r&*!#' 5#2*$:3(*+& &'(!&3& 3( +( !$:!# b+(% b*#"r&!+( 2(!#r& * 6(!3r&*!#' 5#2*$:3(*+& b#' 5#'r(&"& $ "#$!"&6+,
• (J$ &'(!&3& $0&*+(!#' 25r(3& !$:!# +( #23)&r3 #0'#)&r&+$%$ &$3#r&6+$
&$3(!3"&6+$, & 5#0&6 "#+ 2( 5r(!#2( $0&*+(!# 25r(3$ #r&+$ 2( "r53r&3$#b&+(! 2!&:! "r53#'r&<2" (3#0&& >$ 2*$&+$ 2"*+$)# *#"&*!#'
5r"$5*+&!+& "r53r&!& "#$!"&6+& !+( !$:!#23,
• &5*"&6+& #r& #b&)*+&3 #0'#)&r&+$%$ &5*"&3)!$ &!&*$ 0("#0r&!+( 5r*+(!; 5&"(3&, $3)rJ$+$% IP )#r3(, IP #0r(03(, 0#0&3!( &23&)6( #!&"( "&# 2&)2&0r:&+ DNS 5#r$"& >3&"#J(r 2& 2) 5#5r&3! &23&)6&& #!&"&&,
• !$:!# +( ##'$%3 5#&0!2" >2(r)2! !&! r&0& '0+( 2( &5*"&6+( )r&)&+$ b( 0r("3!( "#$!"&6+( 2 'r&<" * 3("23$&*! 3(r!&*#,
• & &'(!3( 25r(3( +( 5#3r(b!# #23)&r3 #br&0$ 2); 5#'r(&"& 3+("# r&0& $!&23&)&" r&0& &"# +( #'$%, 3( #0'#)&r&+$%( b*+(:(!+( !&)(0(!; 5#'r(&"& $&52!"(.
Zb#' !&)(0(!; &;3+()& 2&3r& 2( 0& +( #53&*&! b#r 5r#'r&2" +(" PC3;#!. N&)(0# !("#*"# b3!; "&r&"3(r23"& !&)(0(!#' +("& "#+( #5r&)0&)&+$ #)&+ b#r=
• PC3;#! +( #0(r! #b+("3!##r+(!3r&! !3(r5r(3r&! +(" >!+( 5#3r(b!&r("#5*&6+& "#0& 5r 5r(!#(!+$ !& 0r$'( 5*&3<#r( 2 !# ")&*3(3!;5*((!3&6+& >?PC3;#!, QC3;#!, Ir#!PC3;#! !& 5r&"3" 2) #0(r!#5(r&6+2" 2$23&)&,
• )(% 5#23#+ ! #0'#)&r&+$%; #0$*& "#+ +&( 5r(!#2)#23 0#)#*+!$ &523r&"6+$
"&r&"3(r23"& 5#+(0!#' #5(r&6+2"#' 2$23&)&, 3&"# 0& +( #'$%( 5r)(!23)(!# 2("#!6(!3rr&3 !& r+(&)&!+( 3r&:(!; 5r#b*(& >DNS 0("#0r&!+(, &!&*&
5r((!3&6+& !( '$b(% 2( $ 5*((!3&6+2" 0(3&*+&,
• & PC3;#! 5#23#+ )(% #0'#)&r&+$% #0(* 5r;)&3& r(:!; 5&"(3& #0 #5(r&6+2"#'2$23&)&= S6&5C bb*#3("& ##'$%&)& #0'#)&r&+$%$ !3(r&"3)!$ 02("6+$ &!5$*&6+$ 5&"(3& 3( 5#0r:&)& UDP DNS 5&"(3( 3+("# 3(23r&!+&$23&!#)*+(!# +( 0& !+( $ 23&!+$ 0("#0r&3 T?P DNS 5&"(3( !# 3# +( r+((!#0#0&)&!+( #0'#)&r&+$%(' "#0& >"#+ +( 3&"#J(r 0# #)#' 05*#2"#' r&0&.
Pr&"3! r&0 b 2( 23#'& 3((*+# !& #23)&r(!+$ 2*+(0(%; <$!"6#!&*!; 6+(*!&=• !&*!#' &;)&3& !& PC3;#! S6&5C bb*#3(6 & 5#0r"$ T?P DNS 5&"(3&,
• PC3;#! 5*((!3&6+ 2#+(%(' &'(!3& & 5r;)&3 DNS 5&"(3&, #2!#)!#0("#0r&!+( #0&*+&!+( "r# "r53r&!$ )($ 5r(& $0&*+(!# 6(!3r&*!#
5#2*$:3(*+$,
• PC3;#! 5*((!3&6+ 6(!3r&*!#' 5#2*$:3(*+& & 5r;)&3 0("#0r&!; 5&"(3&,)(23r$"$ 2'$r!#2!$ &!&*$ b*+(:(!+( $ *#"&*!( &52!"(.
3.1. Implementation details
U !&23&)"$ %( 2( #52&3 r+((!+& 5#+(0!; 5r#b*(& 5r(3;#0!#' 5#'*&)*+&, #0!#2!#0(+!& 5r#'r&2"& r+((!+& "#+& 2$ 5r(0(3 #)#' 05*#2"#' r&0&= "&"# +( 5#23'!$3&
br!& 0+(*#3)#r!#23 "#$!"&6+(, 0(3&*+ # )*&233# "#$!"&6+2"# 5r#3#"#*$, 0(3&*+# &33 5#0&3&"& 3( #23&* b3! "#5#!(!3&&.
3.1.1. Efficient communication
S #br# !& 35! &;3+() & !2"# *&3(!6+# 5r #23)&r(!+$ "#$!"&6+2"#' "&!&*&,
!&++(0!#23&)!+( $+(0!# !&+(<"&2!+( r+((!+( +( "#r233 +(0!#2+(r!$ UDP"#$!"&6+$. T( 2( b+('&)&+$ ("&!+& !& #23)&r(!+( 3r#2+(r!#' r$"#)&!+&"&r&"3(r23!#' & T?P )($, & 5#23:( 2( +(0!#2+(r!#23 "#$!"&6+( "#+& +( 2&2)0#)#*+!& & #)&+ 2*$&+ "#$!"&6+( (J$ )( &'(!&3& +(0!#' 6(!3r&*!#' 25r(3&.S&& )r!& 5r#5$2!#23 %( b3 !(3# &!+&, !# "&"# +( r+( # r(*&3)!# &* 5&"(3&>$'*&)!# 25#0 1 "*#b&+3& 2&0r:&+& 3# !( 5r(023&)*+& !&&+&! 5r#b*(.
E)(!3$&*! 5r#b*( +(23 0& +( +( )#r3( UDP 5#r$"& *&"# *&:r&3 >!( 5#23#+ 5*63!& 5r#)+(r& )#r3& 2 #br# 0& 2( !( #23)&r$+( 0)#2+(r!& "#$!"&6+& 5& +( 23#'& 5#3r(b!# 5*((!3r&3 (;&!& 5r23$5!; *23 "&# #0'#)&r&+$%$ "r53#'r&<2"$&33$ 2&0r:&+&. O02$3!#23 23&*!; T?P "#!("6+& !& 6(!3r&*!# 5#2*$:3(*+$ 3&"#J(r
5#+(0!#23&)*+$+( 5*((!3&6+$ 2 #br# 0& 2( 5r#(3 #br&J$+( 5#+(0!&!# >5# 5&"(3$3( 0& 2( !( '#*&+$ "#!("6+( #0!#2!# #3)#r(!( 0&3#3("(.
3.1.2. Minimal load on the sensor machine
U!"#)3& (3#0& !&6+( 0#0&3!#' #53(r(%(!+& !& 5#2*$:3(*+ +(23 5*((!3&6+&&2!;r#!#' 5r;)&3& 5#0&3&"& #0!#2!# &2!"r#!( r(:!( "#$!"&6+( 2 6(!3r&*!
5#2*$:3(*+(. S #br# 0& S6&5C bb*#3("& 5r$:& #'$%!#23 "#r3(!+& 0(<!r&!+& 5r#)#*+!( 6&**b&6" (3#0( & 5r;)&3 5#0&3&"& >$ !&( 2*$&+$ DNS 5r#(3&, 5#:(*+!# +( 3# &!+( 5r#6(2#r2"#' )r((!& 5r#)(23 $ !&)(0(!#+ (3#0 2 #br# 0& 2( !&)(0(!&(3#0& 5#)& & 2)&" 5r*+(! 5&"(3 :(*+(!#' 5r#3#"#*&, & 3# 2( #3# #:( 0(23 32$%&& 5$3& $ 2("$!0 !& #53(r(%(!# DNS 5#2*$:3(*+$.
R+((!+( +(23 0& 2( 2)&" 5r;)&%(! 5&"(3 $ 6&**b&6" (3#0 #0&; 25r(& $ #0'#)&r&+$%$FIFO >(!'. $irst -n $irst Aut 23r$"3$r$ #0!#2!# #0'#)&r&+$% r(0 5#r$"& "#+(' %(
+(0&! 5# +(0&! )&03 &!&*r&3 $ #0)#+(!#+ 0r(3) "#+& !( $3( !& 5r;)&3 DNS 5#0&3&"&. Z& r(0 5#r$"& 2( 5#0r&$+()& 0& #r& 5*((!3r&3 #0'#)&r&+$%(&"*+$&)&!+( 5r*"# &:$rr&!+& $!#2& 3( b*#"r&!+( 0r(3)( "#+& 3& 5r&&! r(0 #)(2( 5#23:( 0& 5r#'r& !( "#r23 5r#6(2#r2"# )r+(( 0#" !(& 5#0&3&"& & &!&*$.
Mr(:!& "#$!"&6+& 2( #:( #b&)*+&3 $ 23#+ 0r(3) $ "#+#+ 2( #b&)*+& &!&*&, 2#br# !& 5#23#+&!+( r(0& 5#r$"& & 5r;)&3 5r"$5*+(!; (J$ 0)& 5#)&!+& !&)(0(!(0r(3)(.
3.1.3. Minimal load on the central server
G*&)! 5r#b*( 6(!3r&*!#' 5#2*$:3(*+& +(23 )(*" br#+ r(:!; "#$!"&6+& "#+( 2(#0)+&+$ 23#)r((!#. O)&+ 2( 5r#b*( !&+(%( r+(&)& 3&"# 0& UDP "#$!"&6+2"
5#2*$:3(*+ 23)&r& !#)$ !23&!6$ & 2)&" 5r25+(* 5&"(3, 3( 2( 5&"(3 5&r&*(*r&!#
#br&J$+$. P#23#+( 2$ 0)+( #'$%!#23 & 5&r&*(*&6+$= 23)&r&!+( 6+(*; !#); 5r#6(2& &2)&" 5#+(0! 5&"(3 * "#r3(!+( 0r(3). U"#*"# 2( "#r23( 0r(3)( 6+(* +( 2$23&) b3!#
br: 2 #br# !& )r*# 0+(*#3)#r!# 23)&r&!+( 0r(3), b$0$% 0& 2( & 0r(3)( 2( "#r23 ?O
>(!'. ,op'1on1&rite 5r!65, 0#" 23)&r&!+( 5r#6(2& r&0 "#5*(3!$ "#5+$ &0r(2!#' 5r#23#r& 3# +( 35!# & r(0 )(*!( 25#r+& #5(r&6+&. D&*+!+& +( #53&6+& "r&3" :)#3 5#+(0!( 0r(3)( !&*! "#0 "#+ 2( 5&r&*(*r&!# )r&)& & 5#+(0! 5&"(3.
S;#0!# 3#(, UDP 5#2*$:3(*+ & 2)&" 5r25+(* 5&"(3 3r(b& 23)#r3 #0'#)&r&+$%$ 0r(3)$'0+( 2( 0(&)&+$ 2)( 25(6<!( 5r#)+(r( >0("r53r&!+( 30. & 5#+(0! 5&"(3, & #!0& 2(0("#0r&! 5&"(3 25r(& $ r(0 5#r$"& 0r(3)& &)r&)& 2 r&0#. Z&2(b!& 0r(3)& $r(0#)! !3(r)&*& #br&J$+( )(% 0("#0r&!( 5r#)+(r(!( 5&"(3( r(0& 5#r$"& $ 5#3r&& 2'$r!#2! 5r#b*(&. K&"# +( 3&+ 5#3#!+ 0# 5#2*& !&+25#r+ 2 '*(03& r(2$r2&!&+&;3+()!+ 0# 5#2*&, r(2$r2( %( !&*!# 5#3r#3 $5r&)# !&)(0(! #b*" r+((!+&. Z&
r(0 5#r$"& 2( 5#0r&$+()& 0& #r& 5r#)(23 #0'#)&r&+$%( &"*+$&)&!+( 5r*"#&:$rr&!+& $!#2&, 2 #br# 0& %( '& &:$rr&3 )(*" br#+ 0r(3) "#+ 5r)(!23)(!# #)2 #
br#+$ &"3)!; 2(!#r&.
I!6+&*!$ #br&0$ $;)&%(!; DNS 5&"(3& +( 5#)#*+!+( #23&)3 0& 2( #0r&0 !& 5#+(0!&! 2(!#r&, 2 #br# 0& b 2( $ 2$5r#3!# 2*$&+$ $"$5! 5#2&# !&6(!3r&*r&!# 5#2*$:3(*+$ )(23r$"# 5#)(%&# * &" 0#)(# 0# 5r(#53(r(%(!+&
5#2*$:3(*+& $ #)2!#23 # $"$5!# br#+$ &"3)!; 2(!#r& $;)&%(!# 5r#(3$. S3#'& +( 5#)#*+!+( &"# 2(!#r 6(!3r&*!# 5#2*$:3(*+$ &*+$ )(% 0("#0r&!( !<#r&6+( $#0'#)&r&+$%( 5r((!3&6+2"# >#br&J(!# 5#)#*+!# & 2*&!+( 5r("# r(:( #b*"$.
3.1.4. Traffic encryption and authenticity verification
K&0 b 5r+(!#2 DNS 5&"(3& (J$ 2(!#r& 6(!3r&*!#' 5#2*$:3(*+& b# $ #b*"$ 23#'3("23&, 3# b ##'$%*# 3r(%#+ 23r&! b&r( 5&2)!# !(#)*&3(!# 5r&%(!+( 3#' 5r#(3&, &* r&!( )r23( 2'$r!#2!; !&5&0& 2 *&:r&!+( 5r#(3& >*&:r&!+( &52&, 5r#+(!& $
5&"(3& * !&5&0 $2"r&3# $2*$'(. S3#'& +( !$:!# 5r+(!3 #0'#)&r&+$%("r53#'r&<2"( 2'$r!#2!( +(r( "&"# b 2( &33*# #0 3&"); !&5&0&. O0'#)&r&+$%(r+((!+( "#+( 2( 3((*+ !& 5#0r6 #0 #5(r&3)!#' 2$23&)& b*# b "#r3(!+( IP2(67
5r#3#"#*&, (J$3 !( 5#0r:&)&+$ 2) #5(r&3)! 2$23&) IP2(6 * !3('r&6+$ 2 23 "r#IKE)- >(!'. -nternet 9e' *0c"ange.
Pr#b*( +( 5r"*&0!# r+(3 !& r&! 2&( &5*"&6+( 3# 3&"# 0& 2( 5r;)&%(! DNS 5&"(3 "r53r&+$ 0#0&+$% &33!$ 2$$ !& &'(!3$, 0#" 2( !& 6(!3r&*!# 5#2*$:3(*+$ 5r#(3 5r#)+(r&)& 3(" #!0& 0("r53r&. S #br# 0& 2( "*+$() $!&5r+(0 #'$r&25#r(03 5# 2) 5#!&3 2(!#r& 6(!3r&*!# 5#2*$:3(*+$ >3(;!"& "#+& 2( !&)&PSK #0!#2!# (!'. Pre1s"ared ke', #:( 2( "#r233 2(3r!& (!"r56+& 2 23 "*+$(
7 IP2(6 +( 5#b*:( 0(<!r&! $ RF?41. T&"#J(r b3! 23&!0&r0 & 5r#$3 2$ IP2(6 AH RF?4-, IP2(6ESP RF?4 3( IKE)- RF?4.
& 2)( 5#2*$:3(*+(. S(3r! 2$ &*'#r3 35!# & 5&r r(0#)& )(*!& br: #0&2(3r!;, & "#r23( !&3!# &!+( r(2$r2& 3+("# r&0&.
Q(0&! #0 !&+5#5$*&r!+; 2(3r!; b*#"#)2"; &*'#r3&& 35!# $ $5#3r(b $ IP2(6"#$!"&6+ +( AES >(!'. dvanced *ncr'ption Standard . N+('#)( 5r(0!#23 2$ *&"&2#<3)(r2"& 5*((!3&6+&, &*& 5#3r#!+& r(2$r2& >2 #br# 0& +( &*'#r3& )r*# (<"&2&! 2$5233$6+2"#' 35&, & 2)#+( 5#3r(b( "#r23 )r*# &*# r&0!( (#r+(, #3)#r(!#23,23&!0&r0r&!#23, +(0!#23&)!#23 "#r3(!+& "&# ! '#3#); 5*((!3&6+& & 2)( +("(
5& 3&"# & PC3;#!.
AES r&0 !& b*#"#)& #0 1-8 b3#)& "#r23 "*+$()( #0 1-8, 1/- * -9 b3#)&. I& 9!&!& r&0&= ?B? >(!'. ,ip"er lock ,"aining , E?B >(!'. *lectronic ,odeook , ?FB>(!'. ,ip"er $eedack , OFB >(!'. Autput $eedack &!0 ?TR >(!'. ,ounter .
N&+5#5$*&r!+ !&! "#+ +( $+(0!# !&+0(3&*+!+( 0#"$(!3r&! +(23 ?B?, & "#+ +( !$:!#"#r233 !6+&*&6+2" )("3#r >IV #0!#2!# (!'. -nitialization vector "#+ +( 23( )(*!("&# b*#" 5#0&3&"&. N&)(0(! )("3#r 2( 5r)# 5$! 2*$&+! br#+()&, & &3 2( #b&)*+&OR #5(r&6+& 2 5r) b*#"# 5#0&3&"& 5r+( (!"r53r&!+&. Z&3 2( 2)&" 2*+(0(% b*#"OR& 2 5r(3;#0! !("r53r&! b*#"# 5r+( (!"r56+(. D& b 0r$'& 23r&!& #'*&0("r53r&3 2&0r:&+, 5#3r(b!# +#+ +( 5r(!+(3 (!"r53r&!( b*#"#)( "&# 2& IV.
S #br# 0& AES r&0 2"*+$)# !& b*#"#)& 5#0&3&"&, !$:!# +( #2'$r&3 0& 2$ 0+(*+(!"*+$ 5#0&6 $ #0'#)&r&+$% b*#"#)& #0 1-8 b3#)&, #0!#2!# 0& +( 0$*+!& "*+$& 3(
5#r$"( )("r&3!" )(*!( b*#"&. U 2*$&+$ 0& +( b*#" !+( 5#35$!# 5#5$!+(!, "#r23 2((3#0& 5#5$!+&)&!+& 5# b#r$. T5!# 2( $ #)&") 2*$&+()& "#r23 PK?SW78
(3#0& "#+& 5#5$!+&)& #23&3&" b*#"& 2 br#+( b&+3#)& "#+ 2$ 0#0&!= & N b&+3#)& "#+ 2$0#0&! 0# 'r&!6( b*#"&, 23&)*+& )r+(0!#23 N $ 2)&" b&+3 "#+ +( 0#0&!.
Dr$' b3&! 5r#b*( +(23 5r&)#)r((!# #3"r)&!+( !&+(r!; * 2*$&+!; #0<"&6+&2&0r:&+& 5#r$"( "#r23(% I?V >(!'. -ntegrit' ,"eck Ealue 3(;!"$. R+( +( # r&$!$
+(0!23)(!( )r+(0!#23 & 2)&"$ 5#2*&!$ 5#r$"$ >5#r$"& #r& 2&0r:&)&3 IV 2&((!"r53r&!( 5#0&3"(, &* 3&")( )r+(0!#23 "#+$ !+( #'$%( *#!&+(r!# 5r#+(!3 b(!&!+& 3&+!#' "*+$&. U IP2(6 23&!0&r0$ 2( "#r23 RF?-14 HMA? >(!'. ke'ed1/as"
+essage ut"entication ,ode "#0 "#+(' 2( )r+(0!#23 0(r)r& 5#r$"( 3&+!#'>0+(*+(!#' "*+$&. HMA? 2( 23#)r((!# "#r23 "&"# & &$3(!3"&6+$ 5#0&3&"&, 3&"# &
5r#)+(r$ 2&#' !3('r3(3&. HMA? ##'$%&)& "#r3(!+( !("; #0 35!; ;&2;&*'#r3&& 5#5$3 RF?1-1 MD9 >(!'. +essage1Digest lgorit"m < * RF?174 SHA1>(!'. Secure /as" lgorit"m 4, & 2!&'& &33( 0r("3!# #)2 # "r53#'r&<2"#+ <$!"6+ !&"#+#+ 2( 3((*+. K&"# +( SHA1 +( "r53#'r&<2" !&&+!# +&& (3#0& "#+& 5r#)#0 1
b3!$ 2$$, HMA?SHA1 2( 5#23&)*+& "&# b#*+ b#r.
S)&" 5&"(3 "#+ 2( &*+( #0 &'(!3& #0!#2!# 2(!#r& 5r(& 6(!3r&*!# 5#2*$:3(*+$ &r(0# 2*+(0(%& 5#*+& >!( !&)#0# IP &'*&)*+(, )(% 2&# 2&0r:&+=
• HMA?SHA1 &33!$ 2$$ 0$:!( - b&+3#)& >1 b3#)&,
8 PK?SW7 (3#0& +( #52&!& $ RF?89-, 5#'*&)*+$ ..
• IV !6+&*&6+2" )("3#r 0$:!( 1 b&+3#)& >1-8 b3#)&, 2 #br# 0& 2( "#r23AES1-8?B?,
• N b*#"#)& AES1-8?B? <rr&!; 5#0&3&"& #0 "#+; +( 2)&" 0$:!( 1 b&+3#)&>N1-8 b3#)&.
I !&)(0(!#' 5r#*& 0& +( !&*!& 0$*+!& &5*"&3)!#' 5&"(3& 9- b&+3&, #0!#2!# 0& +(!&*!& )(*!& IP)4 5&"(3& 8 b&+3&. S*"& .1 5r(0#$+( )(*!( &'*&)*+& "&"##2!#)!#' &5*"&3)!#' 5r#3#"#*& 3&"# )(*!( &'*&)*+& #23&*; r&!& !:( "#$!"&6+(.
U PC3;#!$ +( 23&!0&r0!# 5*((!3r&! HMA? >SHA1 MD9 )&r+&!3(, 0#" 2( & AES(!"r56+$ "#r23 0#0&3! ?rC53# #0$*.
3.1.5. Authentication and authorization
As with any network service, it must be possible to restrict which clients may communicate with the central server. In this system that function can be fulfilled by the shared key: since it is symmetric, every client holding the key can communicate with the central server. Other options are additional filtering by IP addresses, ranges and the like. From the standpoint of speed and security, however, such filtering is by far most efficiently implemented in the firewall software, i.e. in the server's kernel.
If the program itself performed per-source IP checks, it would have to spawn a new thread for every potentially spoofed packet and run all security checks in it. That opens the door wide to a denial-of-service attack, because an attacker can create new spoofed sources practically without limit and load the central server until it stops working normally. If instead the security checks are implemented directly in the operating system kernel, potentially malicious traffic never reaches the application itself and has minimal effect on normal communication and the normal operation of the server.
Figure 3.1: Overview of the communication packet
3.1.6. Transfer of program structures
Before program structures are sent from memory across the network, they must be serialized. That process converts objects into a sequence of bits that can be stored on some medium or sent over a network connection and later loaded successfully. The procedure creates a new but semantically identical object whose internal addresses differ but whose references and content are preserved. Before the data is encrypted, the in-memory structures holding the decoded DNS packets must be serialized, and when encrypted data is received successfully it must, after verification and decryption, be deserialized, creating an in-memory object with the DNS data in presentation form.
Python provides the Pickle/cPickle module for this purpose. Pickle objects are, moreover, reliably compatible across different versions of the Python interpreter, which in practice means the server and the sensor need not run the same Python version. Complete in-memory structures are turned into a binary (or, depending on configuration, textual) string that is fully transferable without any restrictions.
3.2. Components and characteristics of the system
The following basic parts of the system have been fully implemented:
• a sensor that passively captures arbitrary unicast and multicast DNS traffic over TCP and UDP, performs basic processing of the data and sends it encrypted to the central server,
• a central server that receives data from one or more sensors, verifies, decrypts and further processes it, storing the results locally,
• a component for detailed security analysis that recognises 12 types of security attacks and can be used either in each sensor (for stand-alone operation) or in the central server (processing of all received information),
• a simple DNS cache that enables contextual analysis of queries and answers.
A custom protocol for encrypted communication with checksums was also designed and developed; it meets the requirements of low latency and of transferring memory structures across the network.
The following physical devices take part in the system described so far:
• workstations, servers and similar hosts that send DNS queries to their DNS servers, on which the sensors capturing DNS traffic are installed,
• a central core that receives the encrypted DNS packets from the sensors and performs the security analysis on them, as well as storing the data.
The following constraints of the system can be defined:
• there must be one or more sensors,
• a sensor and the server may run on the same host (the stand-alone mode of operation),
• at any given moment there must be exactly one central server.
From the communication standpoint (figure 3.2 shows the communication path inside the system), the characteristics of the system are as follows:
• the original DNS queries travel undisturbed to their destination (an authoritative DNS server or a cache), and their capture is strictly passive,
• the transfer of the encrypted, decoded DNS packets to the central server is one-way, parallel (potentially sent simultaneously from different agents) and asynchronous (with some unavoidable delay relative to the original queries),
• the central core accepts incoming packets immediately, but processes them in detail (security analysis) in order of arrival, again with some delay relative to the original event,
• the sensors do not know whether the core is running at all, or whether packets are perhaps being lost,
• the core does not know how many sensors there are; it simply waits passively.
Figure 3.2: Architectural view of communication in the system
In chronological order, the following actions take place in the system after one sensor captures one DNS packet (figure 3.3):
• inside the sensor:
• when the Scapy library receives and identifies a DNS packet, the callback procedure inside the agent is invoked,
• the agent decodes the received DNS packet (converts it from raw form into the corresponding presentation form) and puts it into the message queue, after which the callback procedure ends,
• as soon as the message queue is non-empty (at least one message), a separate thread of the DNS agent wakes up (unlike the callback procedure, which is invoked on demand, this thread is always present but sleeps while there are no packets in the queue), takes the packet from the queue (removing it from the queue), serializes it, encrypts it, computes the checksum and sends it to the central server,
• inside the central server:
• for every received packet a new thread is created, which accepts the packet, verifies it, decrypts it and puts it into the message queue, after which the thread terminates,
• a separate thread wakes up (always present, sleeping while there are no packets in the message queue), processes the packet further by running the security filters over it and logs any security problems found.
Figure 3.3: Flow of DNS packet processing
Figure 3.4 gives the UML class diagram of the following program components:
• file sniff_sensor.py:
• class DNSFlowClient: the interface to the Scapy library, conversion of DNS packets from raw to presentation form, serialization, encryption and sending of packets,
• file sniff_core.py, the central core with the multi-threaded UDP server, decryption, deserialization and security checks:
[Figure 3.4 diagram residue: threads Sensor (main thread), send_flow (thread), Core (main thread), net_server (thread), process_flow (thread), IDS (main thread); calls monitor_callback(), pktqueue.put(), pktqueue.get(), network_emit(), new(), handle(), logging(), filters(); annotations: external Scapy interface used for capturing arbitrary traffic; a sensor that captures DNS traffic and sends it encrypted; the central core with the multi-threaded server (listener); IDS functions run on every received DNS packet; message exchange through a queue and synchronisation; hundreds of thousands of sensors per central core are possible.]
• class DNSFlowServer: the governing class (initial configuration, setting up cryptographic parameters, etc.),
• class DNSFlowHandler: the central routine of the multi-threaded UDP server,
• file sniff_dnscache.py:
• class DNScache: the simple DNS cache used to correlate DNS queries and answers,
• file sniff_filters.py: implementation of the various helper methods for extracting and validating DNS data, as well as of all security-analysis methods; used in the central server or in a stand-alone sensor.
Figure 3.4: Relationships between the program classes
3.3. Detecting problematic traffic
Functionally the most complex aspect of this implementation is without doubt the identification of security problems in the captured DNS packets. For some methods it is enough to look at isolated packets (e.g. to spot particular errors in a query or an answer), while others require looking at the context, i.e. correlating earlier queries with the answers to them. The security checks themselves must rely on numerous lower-level methods that fetch the various parts of a DNS packet while performing all necessary validation (whether the sections and flags exist at all, whether a system error occurred, whether a record is textual instead of integer, etc.).
Detection of irregularities is implemented through individual filters (program code) that recognise and isolate particular problems, logging all information about the packet that caused the error. The following methods (filters) have been implemented:
• unknown TLDs in NAME records: IANA defines the exact list of top-level domains that exist, and if a query contains an unknown top-level domain it is an error on the client side, most often caused by a wrong DNS configuration or by errors in the application issuing the DNS queries,
• A-for-A queries: these are unnecessary queries to resolve an IP address into an IP address, which can be known in advance to be superfluous; such queries indicate a serious bug in the DNS application,
• RFC1918 queries: when clients have private addresses, queries for private addresses are normally sent to the local DNS server, but if such queries leak further to external DNS servers it is a serious error in the DNS configuration, because there is no need to forward them and they only add load to the world's DNS servers,
• queries with invalid DNS characters: the DNS standard strictly prescribes which characters are allowed in DNS names (a range is denoted by - and a group of characters by quotation marks): a-z, A-Z, 0-9 and the characters "./-"; if a query contains atypical characters such as a colon, a semicolon and the like, it is an error,
• queries for obsolete and experimental records: RFC1035 defines which DNS RR types are obsolete or have experimental meaning; such queries should not appear in standard communication,
• buffer overwrite attempts: Microsoft DNS clients and servers had the well-known vulnerability MS06-041, which allowed a remote attacker to overwrite a buffer and execute arbitrary code on affected machines, so such attacks must be recognised in time so that one can act in time and proactively,
• unknown OPCODE or unknown query type: if the DNS operation code requested is not QUERY, IQUERY, STATUS or UPDATE, it is a query type that should not occur,
• error in the query format: the server sends a corresponding error message when a query has a format error; this filter recognises such return messages and logs the returned information, which contains the original query,
• multiple answers with the same ID: there is a number of well-known and effective techniques for poisoning a DNS cache with forged DNS answers, and if more than one answer with the same unique identifier arrives the filter fires, since this is a potential security attack in which answers with the same ID are varied in an attempt to poison the remote DNS server,
• answers to an unknown query: the filter identifies answers that have no corresponding DNS query, i.e. answers to a query that was never sent, since such answers are most often DNS cache poisoning attempts,
• answers to a forged query: the filter checks incoming answers and verifies whether the copy of the query in those answers matches a query that was really sent, or whether they are forged answers.
For correlating queries and answers a simple DNS cache was built that remembers queries for a configurable time (typically a lifetime of [illegible] seconds is used for remembered queries). The key that distinguishes individual queries is the query's unique identifier (the ID), the destination address to which the query was sent and the destination port. The cache allows answers to be recorded against each query, i.e. answers to be counted.
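As an added illustration (not code from the thesis or its sniff modules), the following Python sketch implements a subset of the stateless filters listed above and the query/answer correlation cache described here, run over constructed DNS messages; the five-entry TLD allowlist, the 60-second lifetime and the resolver address 198.51.100.53 are assumptions.

```python
import ipaddress
import struct

# Constructed allowlist standing in for the IANA root-zone TLD list (the real list is far longer).
KNOWN_TLDS = {"com", "net", "org", "hr", "arpa"}
# RFC 1035 marks MD and MF as obsolete and MB, MG, MR, NULL and MINFO as experimental.
OBSOLETE_QTYPES = {3, 4, 7, 8, 9, 10, 14}
VALID_OPCODES = {0, 1, 2, 5}   # QUERY, IQUERY, STATUS, UPDATE
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-_")

def build_message(ident, qname, qtype=1, qr=0, opcode=0, rcode=0, ancount=0):
    """Build a DNS header plus one question section (constructed test input, no answer RRs)."""
    flags = (qr << 15) | (opcode << 11) | rcode
    header = struct.pack("!6H", ident, flags, 1, ancount, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("latin-1") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

def parse_message(buf):
    """Minimal parser: header fields and the first question, enough for the filters below."""
    ident, flags, _, ancount, _, _ = struct.unpack("!6H", buf[:12])
    labels, pos = [], 12
    while buf[pos] != 0:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("latin-1"))
        pos += 1 + n
    qtype = struct.unpack("!H", buf[pos + 1:pos + 3])[0]
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "qname": ".".join(labels), "qtype": qtype,
            "ancount": ancount}

def stateless_filters(msg):
    """Per-packet checks that need no context; returns the names of the filters that fired."""
    hits, labels = [], msg["qname"].lower().split(".")
    if msg["opcode"] not in VALID_OPCODES:
        hits.append("unknown_opcode")
    if msg["qr"] == 1 and msg["rcode"] == 1:       # FORMERR returned by the server
        hits.append("format_error")
    if msg["qtype"] in OBSOLETE_QTYPES:
        hits.append("obsolete_qtype")
    if any(set(label) - LABEL_CHARS for label in labels):
        hits.append("invalid_chars")
    try:                                           # is the name already an IP literal?
        ipaddress.ip_address(msg["qname"])
        is_literal = True
    except ValueError:
        is_literal = False
    if is_literal and msg["qtype"] == 1:          # A query for "10.0.0.1": A-for-A
        hits.append("a_for_a")
    elif not is_literal and labels[-1] not in KNOWN_TLDS:
        hits.append("unknown_tld")
    if msg["qtype"] == 12 and labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        try:                                       # PTR for an RFC 1918 address leaking out
            if ipaddress.ip_address(".".join(reversed(labels[:4]))).is_private:
                hits.append("rfc1918_ptr")
        except ValueError:
            pass
    return hits

class DNSCache:
    """Remembers sent queries keyed by (ID, destination address, destination port) for ttl
    seconds so that answers can be correlated and counted, as the thesis' cache does."""

    def __init__(self, ttl):
        self.ttl, self.entries = ttl, {}

    def expire(self, now):
        stale = [k for k, e in self.entries.items() if now - e["seen"] > self.ttl]
        for k in stale:
            del self.entries[k]

    def remember_query(self, msg, dst, dport, now):
        self.expire(now)
        self.entries[(msg["id"], dst, dport)] = {"qname": msg["qname"], "answers": 0, "seen": now}

    def check_response(self, msg, src, sport, now):
        """Contextual checks for an answer coming back from src:sport; returns fired filters."""
        self.expire(now)
        entry = self.entries.get((msg["id"], src, sport))
        if entry is None:                          # no matching query was ever sent
            return ["answer_to_unknown_query"]
        if entry["qname"].lower() != msg["qname"].lower():
            return ["answer_to_forged_query"]      # question copied into the answer differs
        entry["answers"] += 1
        return ["multiple_answers_same_id"] if entry["answers"] > 1 else []

if __name__ == "__main__":
    server = "198.51.100.53"                       # constructed resolver address (TEST-NET-2)
    cache = DNSCache(ttl=60)                       # assumed 60-second query lifetime
    query = parse_message(build_message(0x1234, "www.example.com"))
    cache.remember_query(query, server, 53, now=0.0)
    answer = parse_message(build_message(0x1234, "www.example.com", qr=1, ancount=1))
    print(cache.check_response(answer, server, 53, now=1.0))   # []
    print(cache.check_response(answer, server, 53, now=2.0))   # ['multiple_answers_same_id']
    print(stateless_filters(parse_message(build_message(7, "10.0.0.1"))))   # ['a_for_a']
```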
3.4. Further work
Some functionality considered to be of secondary importance and outside the scope of this thesis was not implemented:
• anonymisation of the data: the system logs a number of data items that could endanger the privacy of individuals if the logs were published, or used outside the institution where they were recorded,
• different keys for different clients: at present all sensors use the same shared key, so the central server cannot distinguish individual sensors, and if the key is stolen from one sensor the security of the whole system is compromised,
• different encryption methods: the system uses only AES-128-CBC for data encryption, whereas it would be desirable to allow the block size, the encryption algorithm and the other communication parameters to be changed,
• detecting whether the central server is running: the sensors have no way of establishing whether the central server is running at all, since communication is strictly one-way,
• logging of raw packets in PCAP format: although the Scapy interface itself allows raw (undecoded) DNS packets to be logged, the system logs only in presentation form.
4. Results and discussion
The previously described system for distributed collection and analysis of DNS traffic was implemented in Python (the sensor, the central server, the security-analysis component and the DNS cache), and before it was put into production the appropriate formal tests of compliance with the DNS standards were carried out, together with a measurement of its effect on the peak load of the DNS server. The following sections cover the programs and testing methodology used, as well as the results obtained in practice.
4.1. Formal testing of the system
For testing compliance with the DNS standards, the PROTOS Security Testing of Protocol Implementations suite (URL: http://www.ee.oulu.fi/research/ouspg/protos/) was used, which allows the operation of DNS servers to be tested. Specifically, the suite checks the reaction of DNS servers to a set of [illegible] different queries, the reaction of DNS clients to a set of [illegible] different answers, and the reaction of DNS servers to zone transfers with [illegible] variations. These tests cover all typical situations in client-server DNS communication as well as communication between two DNS servers. A system that passes these tests satisfies the basic set of DNS standards (RFC1035, RFC2929, RFC2136, RFC2671, RFC3007, RFC2845, RFC2065, RFC2874, RFC2535 and RFC2931).
The testing was done with a Bind 9 server, version 9.[illegible], configured so that it could not contact other DNS servers, in order to avoid network latency and remove additional communication unrelated to the basic test. The relevant configuration block is shown in table 4.1.
Table 4.1: Reference configuration of the Bind server
options {
directory "...";
transfer-format many-answers;
check-sibling no;
recursion no;
fetch-glue no;
allow-recursion { none; };
max-acache-size 1!;
};
The compliance testing consisted of [illegible] parts:

... on the central FSB DNS server [illegible] million packets were received within as many as [illegible] working days.
Table 4.2: Effect of monitoring on DNS performance

                                   DNS server           DNS server with monitoring,   DNS server with monitoring,
                                   without monitoring   only incidents logged         all DNS packets and incidents logged
queries handled per second (qps)   [illegible]          [illegible]                   [illegible]
total test duration (sec)          [illegible]          [illegible]                   [illegible]
The results show that the effect of monitoring on the performance of the DNS server is negligible, even when every detail of the DNS traffic is logged. In practice, intensive writing to the file system can be expected to have the side effect of a higher peak load on the server, but that problem is solved by installing the same sensors without the IDS component.
4.2. Measurements in production and discussion of the results
For testing in a real environment the system was installed on hobbit.fsb.hr, the central DNS server of the Faculty of Mechanical Engineering and Naval Architecture in Zagreb (hereafter FSB). Over a period of [illegible] working hours, 9 million incoming and outgoing DNS packets were examined, and over [illegible] million potential security threats were logged, together with [illegible] thousand errors in DNS communication (caused by errors in the DNS applications of remote clients and remote servers). During its operation the system produced a [illegible] GB file with a complete overview of the individual security incidents and statistics about its own operation (number of packets received, hours of operation, total number of incidents).
A condensed extract of the most interesting data, the system's operation reports and the problems observed in the DNS traffic comprises:
• [illegible] analysed incoming and outgoing DNS packets,
• [illegible] critical errors in DNS communication (critical errors in the DNS packet format, errors in DNS name compression, etc.),
• [illegible] potential security threats, i.e. [illegible]% of the total traffic, with an average of [illegible] logged incidents per working hour, of which:
• [illegible] unknown TLD records,
• [illegible] A-for-A queries (queries to resolve an IP address for a name that is already an IP address),
• [illegible] queries for private RFC1918 addresses,
• [illegible] queries with errors (illegal characters in DNS names),
• [illegible] queries for obsolete RR records,
• [illegible] queries for experimental RR records,
• [illegible] attempts to exploit the MS06-041 vulnerability,
• [illegible] queries with an unknown query type (mostly attempts at dynamic DNS queries),
• [illegible] identified errors in packet format (reported back by the DNS server),
• [illegible] multiple answers to a single DNS query (a possible DNS cache poisoning attempt),
• [illegible] answers that do not contain a query identical to the one sent (a forged answer, or an answer whose question field was filled in incorrectly),
• [illegible] answers that either arrived late (after more than [illegible] seconds) or are forged answers to queries that were never sent.
Figure 4.1 shows that traffic related to the resolution of private addresses makes up [illegible]% of the incidents (earlier research established that [illegible]% of the world's DNS traffic consists of RFC1918 queries leaking to the root DNS servers [reference illegible]), but the figure is even more interesting given that the FSB network lies entirely in the public range 161.53.[illegible]/22, i.e. private addresses are not normally used at all. One can conclude that this traffic is caused by misconfigured devices behind which individual private networks sit, where DNS queries are not resolved locally but are forwarded to the responsible servers. The measurement confirmed that a significant number of incidents is tied to the leaking of private addresses and that special attention must be paid precisely to correct filtering of such queries.
Figure 4.1: Distribution of the total number of incidents at FSB
The measurements also show that the total number of incidents is relatively low compared with the total DNS traffic (only [illegible]% of the traffic), which differs from the results at the root DNS servers: according to measurements made so far at the root servers, only 2% of the traffic is legitimate [14]. The reason can be sought in the fact that the FSB network is a strictly controlled environment (up-to-date workstations, antivirus protection, legal applications, etc.), so the number of errors caused by misconfigurations is considerably smaller than on servers open to the whole world.
A review of the logs shows that [illegible] incidents were caused from the local FSB network, i.e. [illegible]% of the incidents. If queries for private addresses (shown in figure 4.2) are disregarded, [illegible] ([illegible]%) of the remaining security incidents were caused from the local network and [illegible] from outside ([illegible]%). It is important to note that the remaining incidents have more serious security consequences even though they occur more rarely (see figures 4.3, 4.4 and 4.5): for example, if an attempt to poison the DNS server succeeds, a single DNS packet can poison every client using that server and thus cause long-lasting and far-reaching consequences. So although RFC1918 queries tend to load the DNS server constantly, they are easy to filter and resolve, whereas forged queries, forged answers and the other DNS poisoning attempts are not at all simple to deal with.
Figure 4.2: RFC1918 queries (private addresses)
Figure 4.3: Answers to non-existent queries
Figure 4.4: Answers different from the query
Figure 4.5: Multiple answers to a query
The security incidents of secondary importance are:
• A-for-A queries (shown in figure 4.6),
• queries with illegal characters (figure 4.7),
• unknown query type (figure 4.8).
The first two types of incident are tied exclusively to bugs in applications that use DNS services; one of the culprits is, for example, the Nod32 antivirus program, which tries to send a query with the port number included in the name of its definitions server. As for queries with an unknown operation code, these come from DNS clients (mostly Microsoft Windows machines) that are misconfigured and send dynamic DNS queries even though dynamic DNS is not used in the FSB network. Such queries can therefore be regarded as a form of DNS pollution that loads the DNS server without other consequences.
Figure 4.6: A-for-A security incidents
Figure 4.7: Illegal characters in a query
Figure 4.8: Unknown query type
Besides the problems listed, the system also uncovered a statistically less significant number of DNS packet processing errors reported by the DNS server (figure 4.9). Although these are unusual errors, since they are errors in the format of the DNS query (e.g. incorrect name compression), they should have no security significance either, because every DNS server must thoroughly validate incoming DNS packets. If that validation were incorrect, such traffic could cause the DNS server to malfunction and possibly stop working.
Figure 4.9: Error returned by the DNS server
Among the most numerous errors observed in the DNS traffic are undoubtedly queries with a wrong top-level domain (figure 4.10). As with the RFC1918 queries, the cause is misconfigured hosts or servers that send queries with invalid DNS names which are not in FQDN form or carry extra names arising from errors in the local DNS configuration. Such queries also load the central DNS server; filtering them is hard (practically impossible), and they are usually forwarded on into the world, adding to the general pollution of DNS traffic. These errors need to be spotted in time and resolved by correcting the settings of the individual culprits. This system makes it easy to locate those devices.
Figure 4.10: Unknown top-level domains
The overall time view (figure 4.11) shows that all incident types except RFC1918 queries follow very similar daily patterns, whereas RFC1918 queries are sent regularly and in large volumes over a considerably longer period. By correlating the times and investigating the cause further, it was established that the start of the heavy RFC1918 traffic coincides with the beginning of the working week and the powering-on of all computers at FSB, while the end of the period and the drop in the measured queries coincides with the end of the working week.
Figure 4.11: Aggregate view of logged incidents at FSB
The second part of the measurements was carried out on gandalf.zemris.fer.hr, the central DNS server of the Department of Electronics, Microelectronics, Computer and Intelligent Systems of the Faculty of Electrical Engineering and Computing in Zagreb (hereafter ZEMRIS). ZEMRIS is a smaller working group, with an environment of only [illegible] active computers, so different patterns of DNS irregularities can be expected.
Over a period of [illegible] working hours, 12 million incoming and outgoing DNS packets were examined and [illegible] thousand potential security threats and [illegible] thousand errors in DNS communication were logged (caused by errors in the DNS applications of remote clients and remote servers). A condensed extract of the most interesting data, the system's operation reports and the problems observed in the DNS traffic comprises:
• [illegible] analysed incoming and outgoing DNS packets,
• [illegible] critical errors in DNS communication (critical errors in the DNS packet format, errors in DNS name compression, etc.),
• [illegible] potential security threats, i.e. [illegible]% of the total traffic, with an average of [illegible] logged incidents per working hour, of which:
• [illegible] unknown TLD records,
• [illegible] A-for-A queries (queries to resolve an IP address for a name that is already an IP address),
• [illegible] queries for private RFC1918 addresses,
• [illegible] queries with errors (illegal characters in DNS names),
• [illegible] queries for obsolete RR records,
• [illegible] queries for experimental RR records,
• [illegible] attempts to exploit the MS06-041 vulnerability,
• [illegible] queries with an unknown query type (mostly attempts at dynamic DNS queries),
• [illegible] identified errors in packet format (reported back by the DNS server),
• [illegible] multiple answers to a single DNS query (a possible DNS cache poisoning attempt),
• [illegible] answers that do not contain a query identical to the one sent (a forged answer, or an answer whose question field was filled in incorrectly),
• [illegible] answers that either arrived late (after more than [illegible] seconds) or are forged answers to queries that were never sent.
Unlike the measurement results at FSB (figure 4.1), where RFC1918 traffic predominates as the main type of problem, the distribution of traffic at ZEMRIS (figure 4.12) shows that all incident types are almost equally represented. [illegible]% of the observed incidents originate in the local network, but the number of RFC1918 queries is practically negligible, which is due to the minimal number of private subnets at ZEMRIS itself. The large number of unknown query types points to the dominance of Microsoft Windows machines trying to send dynamic DNS queries to the DNS server named in the SOA record of the zemris.fer.hr domain, gandalf.zemris.fer.hr.
Figure 4.12: Distribution of the total number of incidents at ZEMRIS
The very small number of incidents (only [illegible]% of the total DNS traffic) can be explained by the uniform distribution of operating systems and of the way they are used, which is characteristic of smaller working environments. The same trend is visible in figure 4.13, as is the detail that the incidents are mostly spread evenly through each working day. As for queries for unknown TLDs, compared with the other incidents they are strongly represented and recur very regularly through the day: they consist of incorrectly formed SRV queries (the host sauron.zemris.fer.hr) and of queries ending mostly in .local (errors in the DNS configuration, e.g. on the host adamanta.zemris.fer.hr), .wpad (the search for an HTTP/FTP proxy server, i.e. the Web Proxy Autodiscovery Protocol) and .[illegible] (the host [illegible].zemris.fer.hr), where a mistake left the DNS suffix out of the domain configuration.
Figure 4.13: Aggregate view of logged incidents at ZEMRIS
5. Conclusion
The subject of this thesis was the preparation, design, implementation and practical testing of a system for distributed collection and security analysis of DNS traffic, given that no specialised system for detecting security threats against DNS servers exists at all (as shown in the preparatory part of the thesis, chapter [illegible]).
During the practical work the following components of the system were fully implemented in Python:
• a sensor that passively captures arbitrary unicast and multicast DNS traffic over TCP and UDP, performs basic processing of the data and sends it encrypted to the central server,
• a central server that receives data from one or more sensors, verifies, decrypts and further processes it, storing the results locally,
• a component for detailed security analysis that recognises 12 types of security attacks and can be used either in each sensor (for stand-alone operation) or in the central server (processing of all received information),
• a simple DNS cache that enables contextual analysis of queries and answers.
A custom protocol for encrypted communication with checksums was also designed and developed; it meets the requirements of low latency and of efficient transfer of memory structures across the network. Compliance with the applicable DNS standards was verified with the PROTOS tool (more in section 4.1), and it was established that the effect on server performance is negligible under the loads typical of DNS servers.
The results obtained from monitoring confirm what was previously known about the large number of different irregularities in DNS traffic (more on the security threats can be read in section 2.[illegible]). During testing the system security-analysed more than [illegible] DNS packets per second without a significant increase in load on the central server and without any negative effect on its normal operation. Over a period of [illegible] working hours, a total of 9 million incoming and outgoing DNS packets were examined and over [illegible] million potential security threats and [illegible] thousand errors in DNS communication were logged.
Given the excellent results, the stable operation and the significant amount of collected data (found on the enclosed media and discussed in chapter 4), the system built has proved able to recognise effectively the various network and security problems that manifest themselves on local DNS servers. Such irregularities in traffic are caused by incorrect network configurations and various application bugs, and are very hard to detect because of the lack of specialised tools. A further problem is that such DNS traffic usually slips through to the responsible global DNS servers, where it causes unnecessary load, so it is important to detect it early and remove its causes.
Based on the results, a not insignificant number of serious security incidents caused by deliberate attacks from foreign networks was established. DNS servers typically recognise and reject only a part of these attempts, as confirmed in the preparatory part of this thesis. In the event of a successful attack such DNS packets can cause long-lasting, serious consequences: poisoning of the local DNS server and its clients, redirecting users according to the attacker's wishes. It was also found that a large number of common user applications, such as antivirus tools and web browsers, generate numerous invalid DNS queries. Examples are queries containing illegal characters in DNS names, queries to find the IP address of an IP address, queries with a non-existent top-level domain in the name, and so on.
Finally, it was shown that a network system with good performance can be built in a high-level language such as Python, using advanced techniques such as callbacks, multi-threading and message queues. Python proved to be an exceptionally good platform that made it possible to build a fully open and extensible system.
Given the number and the criticality of the DNS problems mentioned (caused both locally and from outside), future work on such a system would include developing a proactive component that, depending on the criticality of individual incidents, would allow the culprits to be blocked locally or globally, as well as possible further actions.
6. References
1. P. Mockapetris: RFC1034: Domain names - concepts and facilities, URL: http://www.ietf.org/rfc/rfc1034.txt (11/1987)
2. J. Postel: RFC1591: Domain Name System Structure and Delegation, URL: http://www.ietf.org/rfc/rfc1591.txt (03/1994)
3. P. Mockapetris: RFC1035: Domain names - implementation and specification, URL: http://www.ietf.org/rfc/rfc1035.txt (11/1987)
4. P. Vixie: RFC2671: Extension Mechanisms for DNS (EDNS0), URL: http://www.ietf.org/rfc/rfc2671.txt (08/1999)
5. IETF: RFC1123: Requirements for Internet Hosts -- Application and Support, URL: http://www.ietf.org/rfc/rfc1123.txt (10/1989)
6. Steve Gibbard: Geographic Implications of DNS Infrastructure Distribution, URL: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-1/101_dns-infrastructure.html (2005)
7. R. Elz, R. Bush: RFC2181: Clarifications to the DNS Specification, URL: http://www.ietf.org/rfc/rfc2181.txt (07/1997)
8. C. Everhart, L. Mamakos, R. Ullmann, P. Mockapetris: RFC1183: New DNS RR Definitions, URL: http://www.ietf.org/rfc/rfc1183.txt (10/1990)
9. P. Mockapetris: RFC1101: DNS Encoding of Network Names and Other Types, URL: http://www.ietf.org/rfc/rfc1101.txt (04/1989)
10. D. Eastlake 3rd, E. Brunner-Williams, B. Manning: RFC2929: Domain Name System (DNS) IANA Considerations, URL: http://www.ietf.org/rfc/rfc2929.txt (11/2000)
11. Daniel Julius Bernstein: DNS forgery, URL: http://cr.yp.to/djbdns/forgery.html (2004)
12. Amit Klein: BIND 9 DNS Cache Poisoning, Trusteer, URL: http://www.trusteer.com/files/BIND_9_DNS_Cache_Poisoning.pdf (2007)
13. Duane Wessels: Is Your Caching Resolver Polluting the Internet?, CAIDA & The Measurement Factory, Inc., URL: http://dns.measurement-factory.com/writings/wessels-netts2004-paper.pdf (2004)
14. Duane Wessels, Marina Fomenkov: Wow, That's a Lot of Packets, CAIDA & The Measurement Factory, Inc., URL: http://dns.measurement-factory.com/writings/wessels-pam2004-paper.pdf ([date illegible])
15. Dinko Korunić: DNS priručnik, URL: http://dkorunic.net/pdf2/DNS_prirucnik.pdf (2007)
4/
8/16/2019 Korunic Prikupljanje i Analiza DNS Prometa
http://slidepdf.com/reader/full/korunic-prikupljanje-i-analiza-dns-prometa 56/60
. L3(r&3$r&
1. N()* Br#!*((, K6 ?*&<<C, E) N((3;= DNS Damage 1 +easurements at a 2oot
Server , URL=;335=@@.6&0&.#r'@5$b*6&3#!2@5r(2(!3&3#!2@(3<11-@0!2.0&&'(.;3* >-1
9
8/16/2019 Korunic Prikupljanje i Analiza DNS Prometa
http://slidepdf.com/reader/full/korunic-prikupljanje-i-analiza-dns-prometa 57/60
7. Appendix A: Contents of the enclosed media (CD/DVD)

The enclosed media contains the data used while preparing this thesis and all results obtained, organized logically by purpose (see Table 7.1).

Table 7.1: Contents of the enclosed media

No.  Directory/file                                     Contents
1.   PROCITAJME.TXT                                     Information about the contents of the media
2.   /doc                                               Thesis text in source format
3.   /doc/KorunicPrikupljanjeianalizaDNSprometa.doc     Thesis text in Microsoft Word format
4.   /doc/KorunicPrikupljanjeianalizaDNSprometa.pdf     Thesis text in PDF format with chapter bookmarks
5.   /doc/KorunicPrikupljanjeianalizaDNSprometa.ps      Thesis text in PostScript format
6.   /doc/KorunicPrikupljanjeianalizaDNSprometa.ppt     Presentation
7.   /doc/izvori                                        Sources used in the thesis
8.   /izvornikod                                        Source code of the developed programs, with notes on the working environment, comments, compilers and the like
9.   /izvornikod/struktura.doc                          Description of the data structures
10.  /programi                                          Executable programs and scripts
11.  /programi/windows                                  Programs for Windows OS
12.  /programi/linux                                    Programs for Linux OS
13.  /rezultati                                         Input data and results
8. Appendix B: Installation instructions

The CD contains, in the corresponding compressed archive (ZIP for Windows OS, TGZ for Linux/Unix OS), the complete distribution of the programs together with the Scapy Python module. That copy of Scapy contains special modifications, so a system-wide installation of Scapy cannot be used in its place.

For the sensor (sniffsensor.py) and the central core (sniffcore.py) to work correctly, the following programs must be installed first:
• a Python 2.5 interpreter with all standard modules (any newer version except Python 3.x may be used),
• PyCrypto (The Python Cryptography Toolkit), the cryptographic Python module,
• IPy, the Python module for handling IP addresses and ranges.

To set up the system successfully:
• create a working directory that will hold the programs, the modules and the system logs,
• change into that directory,
• unpack the appropriate archive into that directory (this creates a structure in which the files sniffcore.py, sniffdnscache.py, snifffilters.py and sniffsensor.py must reside, as well as the scapy subdirectory with the Scapy modules),
• set execute permissions on the files sniffdnscache.py and sniffsensor.py.

This completes the installation.
9. Appendix C: Usage instructions

After installation the configuration must be adjusted to your needs:
• for a sensor, changes are made in the file sniffsensorrc, where the following parameters can be adjusted:
  • loglevel: how much information is logged, e.g. INFO to log all available information or CRITICAL to log only critical system messages,
  • logfile: the file into which system events, processed DNS packets and the like are written; typically sniffsensor.log,
  • pcapexpr: usually needs no change; by default it is defined as port 53, i.e. all DNS traffic arriving at or leaving TCP and UDP port 53. This PCAP-compatible expression can be used to narrow down the observed traffic more precisely,
  • srvaddr: IPv4 address of the remote central core,
  • srvport: port on which the remote central core listens for packets; usually port 5…,
  • cryptokey: shared secret used to encrypt the packets,
  • standalone: flag specifying whether the sensor works on its own (i.e. also performs the DNS traffic analysis) or leaves that to the remote core; typically False,
• for the core, changes are made in the file sniffcorerc, where the following parameters can be adjusted:
  • loglevel: how much information is logged, e.g. INFO to log all available information or CRITICAL to log only critical system messages,
  • logfile: the file into which system events, processed DNS packets and the like are written; typically sniffcore.log,
  • addr: IPv4 address on which the core listens for packets from the remote sensors,
  • port: port on which the central core listens for packets; usually port 5…,
  • cryptokey: shared secret used to encrypt the packets.

For successful operation the following is sufficient:
• for a sensor:
  • adjust the file sniffsensorrc as described above,
  • start sniffsensor.py and optionally send it to the background,
  • by default its log can be viewed in sniffsensor.log (unless configured otherwise),
• for the core:
  • adjust the file sniffcorerc as described above,
  • start sniffcore.py and optionally send it to the background,
  • by default its log can be viewed in sniffcore.log (unless configured otherwise).

The programs run until they are explicitly stopped: with Ctrl+C in interactive (foreground) mode, or by sending the appropriate termination signal.