\u015eubat 2022’nin ba\u015flar\u0131ndan beri, Ukrayna’daki \u00e7ok say\u0131da h\u00fck\u00fcmet, askeri, finans ve ticari kurulu\u015f, halka a\u00e7\u0131k web sitelerinin, uygulamalar\u0131n\u0131n ve yard\u0131mc\u0131 destek altyap\u0131lar\u0131n\u0131n, d\u00fczenlenen bir DDoS sald\u0131r\u0131s\u0131nda hedef al\u0131nd\u0131\u011f\u0131n\u0131 bildirdi. Bu kurulu\u015flar ve bunlar\u0131n do\u011frudan bile\u015fenleri ve m\u00fc\u015fterileri \u00fczerinde \u00f6nemli do\u011frudan etkinin yan\u0131 s\u0131ra, ili\u015fkili web bar\u0131nd\u0131rma operat\u00f6rleri gibi di\u011fer kurulu\u015flar \u00fczerinde de ikincil etki meydana geldi.<\/p>\n
\u00c7evrimi\u00e7i devlet hizmetlerine, \u00e7evrimi\u00e7i web ve mobil bankac\u0131l\u0131k uygulamalar\u0131na ve otomatik vezne makinelerine (ATM’ler) halk\u0131n eri\u015fimi bu sald\u0131r\u0131lar nedeniyle kesintiye u\u011frad\u0131. Kablolu ve kablosuz geni\u015f bant \u0130nternet eri\u015fimi ve mobil telefon hizmetleri Ukrayna’da b\u00fcy\u00fck \u00f6l\u00e7\u00fcde i\u015flevsel bak\u0131mdan k\u0131s\u0131tl\u0131 kal\u0131rken, periyodik, yerel kesintiler de rapor edilmi\u015ftir.<\/p>\n
NETSCOUT’un ASERT ekibi, devam eden Ukrayna \u00e7at\u0131\u015fmas\u0131yla ilgili a\u015fa\u011f\u0131daki sald\u0131r\u0131 ayr\u0131nt\u0131lar\u0131n\u0131 g\u00f6zlemledi:<\/p>\n
G\u00f6zlemlenen Yans\u0131ma\/G\u00fc\u00e7lendirme DDoS sald\u0131r\u0131 vekt\u00f6rleri \u015funlar\u0131 i\u00e7erir:<\/p>\n
ARMS<\/p>\n
CLDAP<\/p>\n
DNS<\/p>\n
memcached<\/p>\n
ntp<\/p>\n
SNMP<\/p>\n
SSDP<\/p>\n
STUN<\/p>\n
TCP<\/p>\n
WS-DD<\/p>\n
Ek olarak, birden \u00e7ok do\u011frudan yol (muhtemelen botnet kaynakl\u0131) vekt\u00f6rler \u015funlar\u0131 i\u00e7erir:<\/p>\n
DNS sorgusu ta\u015fmalar\u0131<\/p>\n
SYN-flood sald\u0131r\u0131lar\u0131<\/p>\n
RST-flood sald\u0131r\u0131lar\u0131<\/p>\n
ACK-flood sald\u0131r\u0131lar\u0131<\/p>\n
K\u00fc\u00e7\u00fck ve b\u00fcy\u00fck paket UDP flood sald\u0131r\u0131lar\u0131<\/p>\n
HTTP and HTTP\/S flooding<\/p>\n
Bug\u00fcne kadar nispeten az say\u0131da \u00e7ok vekt\u00f6rl\u00fc DDoS sald\u0131r\u0131s\u0131 g\u00f6zlemlendi; bu sald\u0131r\u0131lar boyunca tek bir sald\u0131r\u0131da kullan\u0131lan maksimum 4 DDoS vekt\u00f6r\u00fc g\u00f6zlemlendi.<\/p>\n
Bug\u00fcne kadar bu sald\u0131r\u0131larda kullan\u0131lan t\u00fcm g\u00f6zlemlenen DDoS vekt\u00f6rlerinin \u00f6zellikleri yerle\u015fik normlar dahilindedir; sald\u0131r\u0131 dinamiklerinin ASERT analizi, bu sald\u0131r\u0131 kampanyas\u0131nda standart DDoS \u00f6zellikli botnetlerin ve kiral\u0131k DDoS hizmetlerinin kullan\u0131ld\u0131\u011f\u0131n\u0131 g\u00f6sterir. Hem kiral\u0131k DDoS hem de \u00f6zel olarak i\u015fletilen botnetler genellikle g\u00f6zlemlenen \u00f6l\u00e7ek, kapsam ve t\u00fcrlerde DDoS sald\u0131r\u0131lar\u0131 olu\u015fturmak i\u00e7in kullan\u0131l\u0131r.<\/p>\n
Kullan\u0131lan botnetlerin bir\u00e7o\u011fu b\u00f6lgesel g\u00f6r\u00fcnmektedir ve sald\u0131r\u0131 merkezleri \u00f6ncelikle Orta Avrupa’da bulunuyor. ASERT, Ukrayna, Rusya, Portekiz, Birle\u015fik Krall\u0131k, Amerika Birle\u015fik Devletleri ve Yeni Zelanda’da bulunan botnetlerin (“botlar”) bu sald\u0131r\u0131lara kat\u0131ld\u0131\u011f\u0131n\u0131 g\u00f6zlemledi.<\/p>\n
Bu sald\u0131r\u0131 kampanyas\u0131nda kullan\u0131lan hem UDP hem de TCP yans\u0131t\u0131c\u0131lar\u0131n\/y\u00fckselticilerin da\u011f\u0131l\u0131m\u0131, Orta Avrupa’daki hedeflere y\u00f6nelik, kiral\u0131k DDoS hizmetleri arac\u0131l\u0131\u011f\u0131yla ba\u015flat\u0131lan di\u011fer DDoS sald\u0131r\u0131lar\u0131yla uyumludur.<\/p>\n
Bir g\u00fcvenlik ara\u015ft\u0131rma firmas\u0131, bu sald\u0131r\u0131 kampanyas\u0131nda kullan\u0131lan botnetlerden birinin komuta ve kontrol (C2) merkezinin Hollanda’da bulundu\u011funu ve s\u00f6z konusu botnetin bir Mirai botnet oldu\u011funu bildirdi. ASERT analizi, g\u00f6zlemlenen do\u011frudan yollu DDoS sald\u0131r\u0131 vekt\u00f6rlerinin, tipik olarak Mirai botnetleri taraf\u0131ndan sergilenen sald\u0131r\u0131 yetenekleriyle tutarl\u0131 oldu\u011funu do\u011frulamaktad\u0131r.<\/p>\n
Bu sald\u0131r\u0131lar s\u0131ras\u0131nda ASERT taraf\u0131ndan g\u00f6zlemlenen UDP yans\u0131tma\/y\u00fckseltme sald\u0131r\u0131 trafi\u011fi, g\u00f6zlemlenen do\u011frudan UDP ta\u015fma sald\u0131r\u0131 trafi\u011fiyle birlikte, hedeflenen a\u011flar\/sunucular\/hizmetler\/uygulamalar i\u00e7in profil d\u0131\u015f\u0131d\u0131r; hedef ba\u011flant\u0131 noktalar\u0131 UDP\/80, UDP\/443 ve UDP\/7777, g\u00f6r\u00fcn\u00fc\u015fte rastgele UDP y\u00fcksek ba\u011flant\u0131 noktalar\u0131yla birlikte s\u00fcrekli olarak hedeflenmi\u015ftir. Hedef ba\u011flant\u0131 noktas\u0131 UDP\/53’e y\u00f6nelik DNS sorgusu floodlar\u0131n \u00f6ncelikle yetkili DNS sunucular\u0131n\u0131 hedef ald\u0131\u011f\u0131 g\u00f6zlemlenmi\u015ftir.<\/p>\n
G\u00f6r\u00fcn\u00fc\u015fe g\u00f6re sald\u0131rganlar, canl\u0131 ak\u0131\u015fl\u0131 \u0130nternet yay\u0131nlar\u0131n\u0131 bozmaya niyetli g\u00f6r\u00fcnmektedir, RTMP yat\u0131r\u0131mc\u0131lar\u0131na sald\u0131r\u0131rken yanl\u0131\u015fl\u0131kla bir\u00e7ok \u0130nternet ak\u0131\u015f hizmeti taraf\u0131ndan kullan\u0131lan varsay\u0131lan ba\u011flant\u0131 noktas\u0131 ve protokol olan TCP\/1935 yerine UDP\/1935 hedef ba\u011flant\u0131 noktas\u0131n\u0131 hedeflemi\u015f g\u00f6r\u00fcn\u00fcyorlar. S\u00f6z konusu sald\u0131rganlar\u0131n, geni\u015f izinli a\u011f eri\u015fim kontrol politikalar\u0131n\u0131 ve\/veya yetersiz \u015fekilde sa\u011flanan DDoS savunmalar\u0131n\u0131 atlamay\u0131 umarak, DDoS sald\u0131r\u0131 trafi\u011fini me\u015fru RTMP canl\u0131 ak\u0131\u015f trafi\u011fi olarak maskelemeye \u00e7al\u0131\u015f\u0131yor olmalar\u0131 da m\u00fcmk\u00fcnd\u00fcr.<\/p>\n
G\u00f6zlemlenen SYN-flood, ACK-flood, RST-flood ve TCP yans\u0131ma\/y\u00fckseltme sald\u0131r\u0131lar\u0131, hedeflenen web sunucular\u0131n\u0131n trafik profilleriyle tutarl\u0131 olan TCP\/80 ve TCP\/443 hedef portlar\u0131n\u0131 hedeflemi\u015ftir.<\/p>\n
Etkiler:<\/p>\n
Genel ama\u00e7l\u0131 ve\/veya Nesnelerin \u0130nterneti (IoT) cihazlar\u0131 botnetlere dahil edilen ki\u015filer ve kurulu\u015flar, g\u00fcvenli\u011fi ihlal edilmi\u015f bu sistemler giden DDoS sald\u0131r\u0131lar\u0131n\u0131 ba\u015flatmak i\u00e7in kullan\u0131ld\u0131\u011f\u0131nda olumsuz etkilenebilir. Yans\u0131ma\/y\u00fckseltme sald\u0131r\u0131lar\u0131nda oldu\u011fu gibi, bu, kritik g\u00f6rev uygulamalar\u0131n\u0131n ve hizmetlerin k\u0131smen veya tamamen kesintiye u\u011framas\u0131n\u0131n yan\u0131 s\u0131ra; ta\u015f\u0131ma kapasitesi t\u00fcketimi, durum bilgisi olan g\u00fcvenlik duvarlar\u0131n\u0131n ve y\u00fck dengeleyicilerin durum tablosunun t\u00fckenmesi vb. nedeniyle ek hizmet kesintisini i\u00e7erebilir.<\/p>\n
G\u00fcvenli\u011fi ihlal edilmi\u015f extranet ortak sunucular\u0131, ilgili sunuculara\/hizmetlere\/uygulamalara kar\u015f\u0131 DDoS sald\u0131r\u0131lar\u0131 ba\u015flatmak i\u00e7in kullan\u0131labilir ve genellikle a\u015f\u0131r\u0131 izin verilen a\u011f eri\u015fim denetimi politikalar\u0131, DDoS kar\u015f\u0131 \u00f6nlem muafiyetleri vb. nedeniyle mevcut DDoS savunmalar\u0131n\u0131 atlar.<\/p>\n
\u00d6nerilen Eylemler:<\/p>\n
AIF Filtre Listeleri, 30’dan fazla yans\u0131ma\/amplifikasyon DDoS vekt\u00f6r\u00fcn\u00fcn azalt\u0131lmas\u0131na izin verir ve belirtildi\u011fi gibi Sightline\/TMS azaltma \u015fablonlar\u0131na dahil edilmelidir. AIF \u015eablonlar\u0131, birden \u00e7ok DDoS sald\u0131r\u0131 vekt\u00f6r\u00fcn\u00fc azaltmak ve ortak sunucu\/hizmet\/uygulama t\u00fcrlerini korumak i\u00e7in kar\u015f\u0131 \u00f6nlem yap\u0131land\u0131rma \u00f6rnekleri sa\u011flar. AIF Filtre Listeleri ve AIF \u015eablonlar\u0131, AIF hakk\u0131na sahip Sightline\/TMS m\u00fc\u015fterileri taraf\u0131ndan kullan\u0131labilir.<\/p>\n
UDP Yans\u0131ma\/G\u00fc\u00e7lendirme Koruma \u00f6nlemi, UDP yans\u0131ma\/y\u00fckseltme DDoS sald\u0131r\u0131lar\u0131n\u0131 azaltmak i\u00e7in Sightline\/TMS operat\u00f6rleri taraf\u0131ndan kullan\u0131labilir.<\/p>\n
\u0130zin Ver\/Reddet Listeleri, Sightline\/TMS ve AED\/APS m\u00fc\u015fterileri taraf\u0131ndan duruma uygun a\u011f eri\u015fim kontrol politikalar\u0131n\u0131 uygulamak ve ayr\u0131ca UDP yans\u0131tma\/b\u00fcy\u00fctme sald\u0131r\u0131lar\u0131n\u0131 ve di\u011fer do\u011frudan yollu DDoS sald\u0131r\u0131 t\u00fcrlerini azaltmak i\u00e7in kullan\u0131labilir.<\/p>\n
Sightline\/TMS operat\u00f6rleri, HTTP tabanl\u0131 uygulama katman\u0131 DDoS sald\u0131r\u0131lar\u0131n\u0131 azaltmak i\u00e7in a\u015fa\u011f\u0131daki g\u00fcvenlik \u00f6nlemleri kullanabilir:<\/p>\n
AED\/APS operat\u00f6rleri, HTTP tabanl\u0131 uygulama katman\u0131 DDoS sald\u0131r\u0131lar\u0131n\u0131 azaltmak i\u00e7in a\u015fa\u011f\u0131daki korumalardan yararlanabilir:<\/p>\n
Netscout Arbor Sightline m\u00fc\u015fterileri, Profilli Y\u00f6nlendirici TCP uyar\u0131lar\u0131 arac\u0131l\u0131\u011f\u0131yla HTTP ve HTTP\/S uygulama katman\u0131 DDoS sald\u0131r\u0131lar\u0131n\u0131 alg\u0131layabilir ve s\u0131n\u0131fland\u0131rabilir; Toplam Trafik uyar\u0131lar\u0131; veya protokol 6’y\u0131 (TCP), 1024-65535 kaynak ba\u011flant\u0131 noktalar\u0131n\u0131 ve t\u00fcm ge\u00e7erli hedef TCP ba\u011flant\u0131 noktalar\u0131n\u0131 veya TCP\/80 ve TCP\/443 gibi ortak hedef TCP ba\u011flant\u0131 noktalar\u0131n\u0131 kapsayacak \u015fekilde yap\u0131land\u0131r\u0131lm\u0131\u015f \u00f6zel hatal\u0131 kullan\u0131m uyar\u0131lar\u0131. Bu ayn\u0131 kriterleri kullanan Profilli Y\u00f6netilen Nesnelerin olu\u015fturulmas\u0131, sald\u0131r\u0131 trafi\u011fini daha fazla karakterize etmede ve me\u015fru trafikten ay\u0131rmada da kullan\u0131labilir.<\/p>\n
Sightline\/TMS ve AED\/APS IP Filter List kar\u015f\u0131 \u00f6nlemi, sald\u0131r\u0131 kayna\u011f\u0131 tan\u0131mlamas\u0131na dayal\u0131 olarak t\u00fcm DDoS sald\u0131r\u0131 t\u00fcrlerini azaltmak i\u00e7in kullan\u0131labilir. Engellenecek kaynaklar\u0131 belirlemek i\u00e7in ilgili sunucu\/uygulama\/hizmet y\u00f6neticileriyle birlikte sald\u0131r\u0131 kayna\u011f\u0131 analizi kullan\u0131lmal\u0131d\u0131r. IP Filtre Listesi kar\u015f\u0131 \u00f6nleminin, engellenen kaynaklardan kaynaklanan t\u00fcm gelen trafi\u011fi d\u00fc\u015f\u00fcrece\u011fine dikkat edilmelidir. G\u00f6r\u00fc\u015f Hatt\u0131\/TMS ve AED\/APS Zombi Tespiti kar\u015f\u0131 \u00f6nlemi [AED\/APS’de Esnek H\u0131za Dayal\u0131 Engelleme], sald\u0131r\u0131 trafi\u011fine kar\u015f\u0131 me\u015fru trafik i\u00e7in belirli s\u0131n\u0131fland\u0131rma kriterlerinin belirlenmesine dayal\u0131 olarak do\u011frudan yollu DDoS sald\u0131r\u0131lar\u0131n\u0131 azaltmak i\u00e7in kullan\u0131labilir.<\/p>\n
Bu t\u00fcr s\u0131n\u0131fland\u0131rma kriterlerini belirlemek i\u00e7in yukar\u0131da belirtilen trafik s\u0131n\u0131fland\u0131rma mekanizmalar\u0131 kullan\u0131lmal\u0131d\u0131r. Hem a\u015f\u0131r\u0131 engellemenin hem de yetersiz engellemenin en aza indirilmesini sa\u011flamak i\u00e7in \u00f6zen g\u00f6sterilmelidir. Sightline\/TMS ve AED\/APS Payload Regexp kar\u015f\u0131 \u00f6nlemleri, ayr\u0131nt\u0131l\u0131 paket \u00f6zelliklerine dayal\u0131 olarak DDoS sald\u0131r\u0131lar\u0131n\u0131 azaltmak i\u00e7in kullan\u0131labilir. G\u00f6r\u00fc\u015f Hatt\u0131\/TMS Y\u00fck Normal \u0130fadesi \u00f6nleminin Dinamik Trafik Analizi (DTA) i\u015flevi, ‘Trafi\u011fe Dayal\u0131 Yap\u0131land\u0131r’ se\u00e7ene\u011fini se\u00e7erek ve sistem taraf\u0131ndan olu\u015fturulan s\u0131n\u0131fland\u0131r\u0131c\u0131lar\u0131 de\u011ferlendirerek, gerekti\u011finde de\u011fi\u015ftirerek ve bunlar\u0131 kullanarak uygulanabilir. PCRE s\u0131n\u0131fland\u0131r\u0131c\u0131lar\u0131n\u0131 t\u00fcretmek i\u00e7in kullan\u0131labilir. DDoS sald\u0131r\u0131 trafi\u011fini s\u0131n\u0131fland\u0131r\u0131r.<\/p>\n
Payload Regexp \u00f6nlemi, HTTP\/S trafi\u011finin \u015fifre \u00e7\u00f6zme sonras\u0131nda incelenmesine izin verecek \u015fekilde yerle\u015ftirilmi\u015f TMS’ler arac\u0131l\u0131\u011f\u0131yla HTTP\/S sald\u0131r\u0131lar\u0131n\u0131 azaltmak i\u00e7in kullan\u0131labilir. HTTP\/S trafi\u011fini denetlemek i\u00e7in yap\u0131land\u0131r\u0131lan AED\/APS sistemleri, HTTP\/S uygulama katman\u0131 sald\u0131r\u0131lar\u0131n\u0131 azaltmak i\u00e7in kullan\u0131labilir; aksi takdirde, \u015fifre \u00e7\u00f6zme sonras\u0131 HTTP\/S trafi\u011finin incelenmesine izin verecek \u015fekilde yerle\u015ftirilmelidirler.<\/p>\n
G\u00f6r\u00fc\u015f hatt\u0131\/TMS ve AED\/APS operat\u00f6rleri, kaynak d\u00fc\u011f\u00fcmlerin GeoIP s\u0131n\u0131fland\u0131rmas\u0131na dayal\u0131 olarak DDoS sald\u0131r\u0131lar\u0131n\u0131 azaltmak i\u00e7in IP Konum Filtre Listeleri kar\u015f\u0131 \u00f6nlemini [AED\/APS’de IP Konumu] kullanabilir.<\/p>\n
Kar\u015f\u0131 \u00f6nlem se\u00e7imi, ayarlanmas\u0131 ve konu\u015fland\u0131r\u0131lmas\u0131n\u0131n \u00f6zellikleri, bireysel a\u011flar\u0131n\/kaynaklar\u0131n \u00f6zelliklerine ba\u011fl\u0131 olarak de\u011fi\u015fecektir; optimal kar\u015f\u0131 \u00f6nlem se\u00e7imi ve istihdam\u0131 ile ilgili olarak ilgili Netscout Arbor hesap ekiplerine ve\/veya ATAC’a dan\u0131\u015f\u0131labilir.<\/p>\n
T\u00fcm olas\u0131 DDoS sald\u0131r\u0131 azaltma \u00f6nlemleri, a\u011flara da\u011f\u0131t\u0131lmadan \u00f6nce duruma uygun bir \u015fekilde test edilmeli ve \u00f6zelle\u015ftirilmelidir.<\/p>\n
Uygulanabilir Netscout Arbor \u00c7\u00f6z\u00fcmleri: Netscout Arbor Sightline, Netscout Arbor TMS, Netscout Arbor AED\/APS.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":" \u015eubat 2022’nin ba\u015flar\u0131ndan beri, Ukrayna’daki \u00e7ok say\u0131da h\u00fck\u00fcmet, askeri, finans ve ticari kurulu\u015f, halka a\u00e7\u0131k web sitelerinin, uygulamalar\u0131n\u0131n ve yard\u0131mc\u0131 destek altyap\u0131lar\u0131n\u0131n, d\u00fczenlenen bir DDoS sald\u0131r\u0131s\u0131nda hedef al\u0131nd\u0131\u011f\u0131n\u0131 bildirdi. Bu kurulu\u015flar ve bunlar\u0131n do\u011frudan bile\u015fenleri ve m\u00fc\u015fterileri \u00fczerinde \u00f6nemli do\u011frudan etkinin yan\u0131 s\u0131ra, ili\u015fkili web…<\/p>","protected":false},"author":2,"featured_media":8079,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[255],"tags":[],"class_list":["post-8078","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-haberler"],"acf":[],"yoast_head":"\n