A tarpit (trap) for incoming SSH connections

It is no secret that the Internet is a very hostile environment. As soon as you bring up a server, it immediately comes under massive attacks and multiple scans. Using the honeypot from the security folks as an example, you can estimate the scale of this garbage traffic. In fact, on an average server, 99% of the traffic may be malicious.

A tarpit is a trap port used to slow down incoming connections. If a third-party system connects to this port, the connection cannot be closed quickly. The connecting system has to waste its own resources and wait until the connection times out, or terminate it manually.

Most often, tarpits are used for defense. The technique was first developed to protect against computer worms. Now it can also be used to ruin the lives of data thieves and researchers who scan every IP address in sequence (examples on Habr: Austria, Ukraine).

One system administrator, Chris Wellons, apparently got tired of watching this disgrace and wrote a small program: Endlessh, an SSH tarpit that slows down incoming connections. The program opens a port (the default port for testing is 2222) and pretends to be an SSH server, but in reality it holds an endless connection with the incoming client until the client gives up. This can go on for several days or longer, until the client drops off.

Installing the utility:

$ make
$ ./endlessh &
$ ssh -p2222 localhost

A well-implemented tarpit takes more resources from the attacker than from you. But it is not even a matter of resources. The author writes that the program is addictive. Right now it has 27 clients trapped, some of them connected for weeks. At peak activity, 1378 clients were trapped for 20 hours!

In production, the Endlessh server should be installed on the usual port 22, where the hooligans knock en masse. Standard security recommendations always advise moving SSH to a different port, which immediately reduces the size of the logs by an order of magnitude.

Chris Wellons says his program exploits one paragraph of the RFC 4253 specification for the SSH protocol. Immediately after the TCP connection is established, but before cryptography is applied, both sides must send an identification string. There is also a note: "The server MAY send other lines of data before sending the version string". And there is no limit on the volume of this data; you only need to begin each line with SSH-.

This is exactly what Endlessh does: it sends an endless stream of randomly generated data that conforms to RFC 4253, that is, it is sent before authentication, and each line begins with SSH- and does not exceed 255 characters, including the end-of-line characters. Overall, everything complies with the standard.

By default, the program waits 10 seconds between sending packets. This keeps the client from timing out, so the client stays trapped forever.

Since the data is sent before cryptography is applied, the program is extremely simple. It does not need to implement any ciphers, and it supports multiple protocols.

The author tried to make sure the utility consumes a minimum of resources and runs completely unnoticed on the machine. Unlike modern antivirus software and other "security systems", it should not slow down your computer. He managed to minimize both traffic and memory consumption thanks to a slightly more cunning software implementation. If it simply launched a separate process for each new connection, attackers could mount a DDoS attack by opening many connections to exhaust resources on the machine. One thread per connection is not the best option either, because the kernel would waste resources managing the threads.

That is why Chris Wellons chose the most lightweight option for Endlessh: a single-threaded poll(2) server, where trapped clients consume almost no additional resources, not counting the socket object in the kernel and another 78 bytes for tracking in Endlessh. To avoid allocating receive and send buffers for each client, Endlessh opens a direct-access socket and translates TCP packets directly, bypassing almost the entire TCP/IP stack. No incoming buffer is needed at all, because we are not interested in the incoming data.

The author says that at the time he wrote his program he did not know about Python's asyncio and other tarpits. Had he known about asyncio, he could have implemented his utility in just 18 lines of Python:

import asyncio
import random

async def handler(_reader, writer):
    try:
        while True:
            await asyncio.sleep(10)  # pause between lines
            writer.write(b'%x\r\n' % random.randint(0, 2**32))  # one random hex line
            await writer.drain()
    except ConnectionResetError:
        pass  # the client gave up

async def main():
    server = await asyncio.start_server(handler, '0.0.0.0', 2222)
    async with server:
        await server.serve_forever()

asyncio.run(main())
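An added example, not code from the original article or from Endlessh: the asyncio snippet above extended with the two limits discussed earlier, the 255-character line bound (CR LF included) and a cap on concurrent clients so the tarpit cannot itself be exhausted by someone opening many connections. The Tarpit class, the MAX_CLIENTS value and the trapped list (how long each client was held) are assumptions made for illustration.

```python
import asyncio
import random
import time

MAX_LINE = 255       # line limit quoted above, CR LF included
MAX_CLIENTS = 4096   # assumed cap; beyond it new connections are dropped

def banner_line(rng=random):
    """Random hex line, 3..MAX_LINE bytes long including the trailing CR LF."""
    body_len = rng.randint(1, MAX_LINE - 2)
    # Hex digits only (as in the snippet above), so no line is ever parsed
    # as the "SSH-" version string.
    body = ''.join(rng.choice('0123456789abcdef') for _ in range(body_len))
    return body.encode('ascii') + b'\r\n'

class Tarpit:
    def __init__(self, delay=10.0, max_clients=MAX_CLIENTS):
        self.delay = delay
        self.max_clients = max_clients
        self.active = 0
        self.trapped = []        # (peer, seconds held) per finished client

    async def handler(self, _reader, writer):
        if self.active >= self.max_clients:
            writer.close()       # bound our own memory and descriptor usage
            return
        self.active += 1
        peer, start = writer.get_extra_info('peername'), time.monotonic()
        try:
            while True:
                await asyncio.sleep(self.delay)
                writer.write(banner_line())
                await writer.drain()
        except (ConnectionError, TimeoutError):
            pass                 # client gave up or the link died
        finally:
            self.active -= 1
            self.trapped.append((peer, time.monotonic() - start))
            writer.close()

async def main(port=2222):
    tarpit = Tarpit()
    server = await asyncio.start_server(tarpit.handler, '0.0.0.0', port)
    async with server:
        await server.serve_forever()

if __name__ == '__main__':
    asyncio.run(main())
```

The trapped list is what you would export as a metric or log line to see how many clients are held and for how long.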

Asyncio is great for writing tarpits. For example, this trap will hang Firefox, Chrome, or any other client that tries to connect to your HTTP server for many hours:

import asyncio
import random

async def handler(_reader, writer):
    writer.write(b'HTTP/1.1 200 OK\r\n')  # status line, then headers that never end
    try:
        while True:
            await asyncio.sleep(5)
            header = random.randint(0, 2**32)
            value = random.randint(0, 2**32)
            writer.write(b'X-%x: %x\r\n' % (header, value))  # one random header per tick
            await writer.drain()
    except ConnectionResetError:
        pass  # the client gave up

async def main():
    server = await asyncio.start_server(handler, '0.0.0.0', 8080)
    async with server:
        await server.serve_forever()

asyncio.run(main())

A tarpit is a great tool for punishing online abusers. True, there is some risk of the opposite effect: drawing their attention to the unusual behaviour of a particular server. Someone might think about revenge and a targeted DDoS attack on your IP. However, so far there have been no such cases, and tarpits work very well.


source: www.habr.com
