Masu bincike daga Jami'o'in Hamburg da Cologne
sabuwar dabarar kai hari akan hanyoyin sadarwar isar da abun ciki da kuma masu ɓoyewa - (Kishirwar Sabis Mai Guba). Harin yana ba da damar shiga shafin da za a hana shi ta hanyar guba.
Matsalar ta kasance saboda gaskiyar cewa cache CDN ba kawai nasarar kammala buƙatun ba, har ma da yanayi lokacin da uwar garken http ta dawo da kuskure. A matsayinka na mai mulki, idan akwai matsaloli tare da buƙatun buƙatun, uwar garken yana ba da kuskuren 400 (Bad Request); kawai IIS, wanda ke ba da kuskuren 404 (Ba a samo) don manyan masu kai ba. Ma'auni kawai yana ba da damar kurakurai tare da lambobin 404 (Ba a Sami), 405 (Hanyar Ba a Ba da izini ba), 410 (Tafi) da 501 (Ba a Aiwatar da su) don adana su, amma wasu CDNs kuma suna ɓoye martani tare da lambar 400 (Bad Buƙatar), wanda ya dogara. akan bukatar da aka aiko.
Maharan na iya haifar da asalin albarkatu don dawo da kuskuren "Mummunan Buƙatar 400" ta hanyar aika buƙatu tare da masu kai HTTP da aka tsara ta wata hanya. CDN ba ta yin la'akari da waɗannan kanun labarai, don haka bayanin game da rashin iya shiga shafin za a adana shi, kuma duk sauran buƙatun masu amfani kafin ƙarewar lokaci na iya haifar da kuskure, duk da cewa rukunin yanar gizon yana amfani da abun ciki. ba tare da wata matsala ba.
An gabatar da zaɓuɓɓuka uku na hari don tilasta uwar garken HTTP dawo da kuskure:
- HMO (HTTP Hanyar Sauke) - mai kai hari zai iya ƙetare hanyar buƙatun asali ta hanyar "X-HTTP-Hanyar-Override", "X-HTTP-Hanyar" ko "X-Hanyar-Override", wanda wasu sabar ke goyan bayan, amma ba a la'akari da su a cikin CDN. Misali, zaku iya canza hanyar “GET” ta asali zuwa hanyar “DELETE”, wacce aka haramta akan uwar garken, ko hanyar “POST”, wacce ba ta dace da kididdiga ba;
- HHO (HTTP Header Oversize) - mai kai hari zai iya zaɓar girman kai don ya wuce iyakar uwar garken tushe, amma baya faɗi cikin ƙuntatawa na CDN. Misali, Apache httpd yana iyakance girman kai zuwa 8 KB, kuma Amazon Cloudfront CDN yana ba da masu kai har zuwa 20 KB;
- HMC (HTTP Meta Character) - mai kai hari zai iya saka haruffa na musamman a cikin buƙatun (\n, \ r, \a), waɗanda ake ganin ba su da inganci akan sabar tushen, amma an yi watsi da su a cikin CDN.
Mafi saukin kai hari shine CloudFront CDN da Amazon Web Services (AWS) ke amfani dashi. Amazon yanzu ya gyara matsalar ta hanyar kashe kuskuren caching, amma ya ɗauki masu bincike sama da watanni uku don ƙara kariya. Lamarin ya kuma shafi Cloudflare, Varnish, Akamai, CDN77 da
Da sauri, amma harin ta hanyar su yana iyakance ga sabar sabar da ke amfani da IIS, ASP.NET, и . , cewa 11% na sassan Ma'aikatar Tsaro ta Amurka, 16% na URLs daga bayanan HTTP Archive da kusan 30% na manyan gidajen yanar gizo na 500 da Alexa ke matsayi na iya yuwuwar kai hari.
A matsayin hanyar warwarewa don toshe hari a gefen rukunin yanar gizon, zaku iya amfani da taken "Cache-Control: no-store", wanda ke hana caching martani. A wasu CDNs, misali.
CloudFront da Akamai, zaku iya kashe caching na kuskure a matakin saitunan bayanan martaba. Don kariya, kuna iya amfani da Firewall aikace-aikacen yanar gizo (WAF, Firewall Application na Yanar Gizo), amma dole ne a aiwatar da su a gefen CDN a gaban rundunonin caching.
source: budenet.ru