What's what and who's who in the DDoS protection market

"Mutumin da ya yi gidan yanar gizon mu ya riga ya kafa kariyar DDoS."
"Muna da kariyar DDoS, me yasa shafin ya ragu?"
"Dubu nawa Qrator yake so?"

To answer questions like these from a client or a boss properly, it helps to know what is hidden behind the name "DDoS protection". Choosing a protection service is more like choosing a medicine with a doctor than picking a table at IKEA.

I have been supporting websites for 11 years, have survived hundreds of attacks on the services I support, and now I will tell you a little about how protection works from the inside.
Regular attacks. 350k total requests, 52k legitimate

The first attacks appeared almost at the same time as the Internet. DDoS as a phenomenon became widespread from the late 2000s (see www.cloudflare.com/learning/ddos/famous-ddos-attacks).
Since around 2015-2016, almost all hosting providers have been protected against DDoS attacks, as have most prominent sites in competitive niches (run whois on the IPs of eldorado.ru, leroymerlin.ru, tilda.ws and you will see the networks of protection operators).

If 10-20 years ago most attacks could be repelled on the server itself (see the recommendations of Lenta.ru system administrator Maxim Moshkov from the 90s: lib.ru/WEBMASTER/sowetywww2.txt_with-big-pictures.html#10), today protection has become a much harder task.

Types of DDoS attacks from the point of view of choosing a protection operator

Attacks at L3/L4 (according to the OSI model)

- UDP flood from a botnet (many requests are sent directly from infected devices to the attacked service, saturating the server's channel);
- DNS/NTP/etc. amplification (many requests are sent from infected devices to DNS/NTP/etc. servers with a forged sender address, and the cloud of reply packets floods the victim's channel; this is how the most severe attacks on the modern Internet are carried out);
- SYN/ACK flood (many connection-establishment requests are sent to the attacked servers, and the connection queue overflows);
- attacks with packet fragmentation, ping of death, ping flood (please Google them);
- and so on.

Waɗannan hare-haren suna nufin "rufe" tashar uwar garken ko kuma "kashe" ikonsa na karɓar sabon zirga-zirga.
Kodayake SYN/ACK ambaliya da haɓakawa sun bambanta sosai, kamfanoni da yawa suna fama da su daidai. Matsaloli suna tasowa game da hare-hare daga rukuni na gaba.

Attacks at L7 (application layer)

- HTTP flood (if a website or some API is attacked);
- attacks on vulnerable parts of the site (those without a cache, those that load the site heavily, and so on).

The goal is to make the server "work hard": process a lot of "seemingly real requests" and be left without resources for the genuinely real ones.

Although other attacks exist, these are the most common.

Serious attacks at L7 are crafted specifically for each targeted project.

Why 2 groups?
Because there are many who know how to repel L3/L4 attacks well, but who either do not deal with application-level (L7) protection at all, or are still weaker at it than the alternatives.

Who's who in the DDoS protection market

(my personal opinion)

Protection at L3/L4

To repel amplification attacks ("clogging" the server's channel), wide enough channels are sufficient (most protection services connect to most of the major backbone providers in Russia and have channels with a theoretical capacity of more than 1 Tbit). Do not forget that amplification attacks very rarely last more than an hour. If you are Spamhaus and everyone hates you, yes, they may try to clog your channels for several days, even at the risk of losing the global botnet they use. If you just run an online store, even if it is mvideo.ru, you will not see 1 Tbit for several days any time soon (I hope).

To repel attacks with a SYN/ACK flood, packet fragmentation and so on, you need hardware or a software system to detect and stop such attacks.
Many vendors produce such hardware (Arbor; there are solutions from Cisco and Huawei; software implementations from Wanguard, etc.); many backbone operators have already installed it and sell DDoS protection services (I know of installations at Rostelecom, Megafon, TTK, MTS; in fact, all major providers do this, as do hosters with their own protection a la OVH.com, Hetzner.de; I myself encountered protection at ihor.ru). Some companies develop their own software solutions (technologies such as DPDK allow you to process tens of gigabits of traffic on a single physical x86 machine).

Among the well-known players, everyone can fight L3/L4 DDoS more or less effectively. I will not say now who has the largest maximum channel capacity (that is insider information), but usually it does not matter much, and the only difference is how quickly protection kicks in (instantly, or after a few minutes of downtime, as at Hetzner).
The question is how well it is done: an amplification attack can be repelled by blocking traffic from the countries that generate the most junk traffic, or only the truly unneeded traffic can be discarded.
But at the same time, in my experience, all the serious market players cope with this without problems: Qrator, DDoS-Guard, Kaspersky, G-Core Labs (formerly SkyParkCDN), ServicePipe, Stormwall, Voxility, etc.
I have not encountered protection from operators such as Rostelecom, Megafon, TTK, Beeline; according to colleagues' reviews, they provide these services quite well, but so far a lack of experience shows periodically: sometimes you need to tweak something through the protection operator's support.
Some operators have a separate service, "protection against attacks at L3/L4" or "channel protection"; it costs much less than protection at all levels.

Why is it not the backbone provider that repels attacks of hundreds of Gbits, given that a protection operator has no channels of its own? The protection operator can connect to any of the major providers and repel the attack "at their expense". You do have to pay for the channel, but all those hundreds of Gbits will not be in use all the time; there are options to significantly reduce the cost of channels in this case, so the scheme remains workable.
These are the reports I regularly received from a major L3/L4 protection operator while supporting a hosting provider's systems.

Protection at L7 (application layer)

Attacks at L7 (application layer) can be repelled consistently and effectively by only a handful of players.
I have really serious experience with
- Qrator.net;
- DDoS-Guard;
- G-Core Labs;
- Kaspersky.

They charge per megabit of clean traffic, and a megabit costs about several thousand rubles. If you have at least 100 Mbps of clean traffic - oh. Protection will be very expensive. In the following articles I can tell you how to design applications to save a lot on the capacity of protection channels.
The real "king of the hill" is Qrator.net; the rest are behind them. In my experience Qrator are the only ones who deliver a false-positive rate close to zero, but at the same time they are several times more expensive than the other market players.

The other operators also provide high-quality and stable protection. Many of the services we support (including very well-known ones in the country!) are protected by DDoS-Guard and G-Core Labs, and are satisfied with the results.
Attacks repelled by Qrator

I also have experience with small protection operators such as Cloud-shield.ru, ddosa.net, and there are thousands of them. I definitely will not recommend them, because I do not have much experience with them, but I will tell you about the principles of their work. Their protection usually costs 1-2 orders of magnitude less than that of the major players. As a rule, they buy a partial protection service (L3/L4) from one of the major players and build their own protection against attacks at the higher levels. This can be quite effective, and you can get a good service for less money, but these are still small companies with a small staff; please keep that in mind.

What is difficult about repelling attacks at L7?

Every application is unique, and you need to let through the traffic that is useful to it and block the harmful traffic. It is not always possible to weed out bots unambiguously, so you have to use many, really MANY stages of traffic cleaning.

Once upon a time the nginx-testcookie module was enough (https://github.com/kyprizel/testcookie-nginx-module), and it is still enough to repel a good number of attacks. When I worked in the hosting industry, L7 protection was built on nginx-testcookie.
Unfortunately, attacks have become harder. testcookie relies on JS-based bot checks, and many modern bots can pass them successfully.

Attacking botnets are also unique, and the peculiarities of every large botnet have to be taken into account.
Amplification, direct flood from a botnet, filtering of traffic from different countries (different filters for different countries), SYN/ACK flood, packet fragmentation, ICMP, HTTP flood, and at the application/HTTP level you can come up with an unlimited number of different attacks.
In total, across channel-level protection, specialized traffic-scrubbing hardware, specialized software, and additional filtering settings for each client, there can be tens or hundreds of filtering stages.
To manage all this properly and tune the filtering settings correctly for different users, you need a lot of experience and qualified staff. Even a major operator that decides to provide protection services cannot "stupidly throw money at the problem": experience has to be gained on sites going down and on false positives on legitimate traffic.
There is no "repel DDoS" button for a protection operator; there is a large number of tools, and you need to know how to use them.
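As an added illustration (not code from the article or from any of the operators it names), here is a toy Python version of the multi-stage cleaning the author describes: a testcookie-style challenge stage, a per-IP request budget, and a tighter budget for uncached "heavy" endpoints, run in order over a constructed access log. The thresholds, paths and IP addresses are assumed sample values.

```python
from collections import Counter, defaultdict

# Constructed sample access log (not from the article): "ip path has_challenge_cookie".
# Assumption: a testcookie-style JS challenge sets a cookie the filter can see as yes/no.
SAMPLE_LOG = """\
198.51.100.7 /index.html yes
198.51.100.7 /catalog/123 yes
203.0.113.1 /search?q=x no
203.0.113.1 /search?q=y no
203.0.113.2 /index.html yes
203.0.113.2 /index.html yes
203.0.113.2 /index.html yes
203.0.113.2 /index.html yes
203.0.113.3 /search?q=a yes
203.0.113.3 /search?q=b yes
203.0.113.3 /search?q=c yes
"""

HEAVY_PATHS = ("/search",)  # uncached, expensive endpoints get a smaller budget
RATE_LIMIT = 3              # requests per IP in the window, any path (hypothetical value)
HEAVY_LIMIT = 2             # requests per IP to heavy paths in the window (hypothetical)


def parse(log):
    reqs = []
    for line in log.splitlines():
        ip, path, cookie = line.split()
        reqs.append({"ip": ip, "path": path, "cookie": cookie == "yes"})
    return reqs


def clean_traffic(reqs):
    """Run each request through three cleaning stages in order; return verdicts and totals."""
    total, heavy = defaultdict(int), defaultdict(int)
    verdicts = []
    for r in reqs:
        ip, is_heavy = r["ip"], r["path"].startswith(HEAVY_PATHS)
        total[ip] += 1
        if is_heavy:
            heavy[ip] += 1
        if not r["cookie"]:
            verdict = "challenge"    # stage 1: no challenge cookie -> answer with the JS challenge
        elif total[ip] > RATE_LIMIT:
            verdict = "block_rate"   # stage 2: per-IP request budget exhausted
        elif is_heavy and heavy[ip] > HEAVY_LIMIT:
            verdict = "block_heavy"  # stage 3: tighter budget for uncached endpoints
        else:
            verdict = "pass"         # clean traffic forwarded to the origin
        verdicts.append((ip, r["path"], verdict))
    summary = Counter(v for _, _, v in verdicts)
    return verdicts, dict(summary)
```

Real scrubbing stacks add many more stages (country filters, botnet signatures, per-client tuning); this shows only why each stage needs its own threshold and why a bot that passes the cookie check still has to be caught further down.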

And one more example.
An unprotected server blocked by the hoster during a 600 Mbit attack
(The "losses" of traffic are not noticeable, because only 1 site was attacked; it was temporarily removed from the server and the block was lifted within an hour.)
The same server, protected. The attackers "gave up" after a day of attacks. The attack itself was not the strongest.

L3/L4 attacks and defenses are more trivial; they depend mainly on the thickness of the channels and on the algorithms for detecting and filtering attacks.
L7 attacks are more complex and original; they depend on the attacked application and on the capabilities and imagination of the attackers. Protection against them requires a lot of knowledge and experience, and the result may be neither immediate nor one hundred percent. Even Google came up with a neural network for protection.

source: www.habr.com
