Simulating network problems in Linux

Hello everyone, my name is Sasha, I lead backend testing at FunCorp. Like many others, we have adopted a service-oriented architecture. On the one hand, this makes the work easier, because each service is simpler to test in isolation; on the other hand, the services still have to be tested in how they interact with each other, and that interaction usually happens over the network.

In this article I will describe two utilities that can be used to check the basic scenarios of how an application behaves when there are problems in the network.


Simulating network problems

Usually software is tested on test servers with a good Internet connection. In harsh production conditions things may not be so smooth, so sometimes you have to test programs under a poor connection. On Linux, the tc utility helps to simulate such conditions.

tc (an abbreviation of Traffic Control) lets you configure how network packets are transmitted in the system. The utility has great capabilities; you can read more about them here. Here I will consider only a few of them: we are interested in traffic scheduling, for which we use qdisc, and since we need to emulate an unstable network, we will use the classless qdisc netem.

Let's start an echo server on the server side (I used nmap-ncat):

ncat -l 127.0.0.1 12345 -k -c 'xargs -n1 -i echo "Response: {}"'

To show the timestamps of every step of the interaction between client and server in detail, I wrote a simple Python script that sends a test request to our echo server.

Client source code

#!/usr/bin/env python3

import socket
import time

HOST = '127.0.0.1'
PORT = 12345
BUFFER_SIZE = 1024
# Newline-terminated so that xargs on the server side reads exactly one line
# (the 5-byte payload visible as "length 5" in the captures below)
MESSAGE = b"Test\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
t1 = time.time()
print("[time before connection: %.5f]" % t1)
s.connect((HOST, PORT))
print("[time after connection, before sending: %.5f]" % time.time())
s.send(MESSAGE)
print("[time after sending, before receiving: %.5f]" % time.time())
data = s.recv(BUFFER_SIZE)
print("[time after receiving, before closing: %.5f]" % time.time())
s.close()
t2 = time.time()
print("[time after closing: %.5f]" % t2)
print("[total duration: %.5f]" % (t2 - t1))

print(data.decode(), end="")

Let's run it and look at the traffic on the lo interface and port 12345:

[user@host ~]# python client.py
[time before connection: 1578652979.44837]
[time after connection, before sending: 1578652979.44889]
[time after sending, before receiving: 1578652979.44894]
[time after receiving, before closing: 1578652979.45922]
[time after closing: 1578652979.45928]
[total duration: 0.01091]
Response: Test

Traffic

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:59.448601 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [S], seq 3383332866, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 0,nop,wscale 7], length 0
10:42:59.448612 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [S.], seq 2584700178, ack 3383332867, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 606325685,nop,wscale 7], length 0
10:42:59.448622 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.448923 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 5
10:42:59.448930 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [.], ack 6, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.459118 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 606325696 ecr 606325685], length 14
10:42:59.459213 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.459268 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.460184 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 606325697 ecr 606325696], length 0
10:42:59.460196 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 606325697 ecr 606325697], length 0

Everything is standard: the three-way handshake, PSH/ACK followed by ACK twice (the exchange of request and response between client and server), and FIN/ACK followed by ACK twice (closing the connection).

Packet delay

Now let's set the delay to 500 milliseconds:

tc qdisc add dev lo root netem delay 500ms

We run the client and see that the script now takes 2 seconds:

[user@host ~]# ./client.py
[time before connection: 1578662612.71044]
[time after connection, before sending: 1578662613.71059]
[time after sending, before receiving: 1578662613.71065]
[time after receiving, before closing: 1578662614.72011]
[time after closing: 1578662614.72019]
[total duration: 2.00974]
Response: Test

What does the traffic look like? Let's see:

Traffic

13:23:33.210520 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [S], seq 1720950927, win 43690, options [mss 65495,sackOK,TS val 615958947 ecr 0,nop,wscale 7], length 0
13:23:33.710554 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [S.], seq 1801168125, ack 1720950928, win 43690, options [mss 65495,sackOK,TS val 615959447 ecr 615958947,nop,wscale 7], length 0
13:23:34.210590 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 0
13:23:34.210657 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 5
13:23:34.710680 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [.], ack 6, win 342, options [nop,nop,TS val 615960447 ecr 615959947], length 0
13:23:34.719371 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 615960456 ecr 615959947], length 14
13:23:35.220106 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.220188 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.720994 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 615961457 ecr 615960957], length 0
13:23:36.221025 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 615961957 ecr 615961457], length 0

You can see that the expected half-second lag appeared in every exchange between the client and the server. The system behaves much more interestingly when the lag is larger: the kernel starts to retransmit some TCP packets. Let's change the delay to 1 second and look at the traffic (I won't show the client output; the total duration is the expected 4 seconds):

tc qdisc change dev lo root netem delay 1s

Traffic

13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
13:29:11.714819 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:11.714893 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:12.715562 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 616297952 ecr 616296951], length 0
13:29:13.715596 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 616298952 ecr 616297952], length 0

You can see that the client sent the SYN packet twice, and the server sent SYN/ACK twice.

Besides a constant value, the delay can be given a deviation, a distribution function and a correlation (with the value for the previous packet). This is done as follows:

tc qdisc change dev lo root netem delay 500ms 400ms 50 distribution normal

Here we set the delay between 100 and 900 milliseconds; the values will be chosen according to a normal distribution and will have a 50% correlation with the delay value of the previous packet.

You may have noticed that in the first command I used add, and then change. The meaning of these commands is obvious, so I will only add that there is also del, which can be used to remove the configuration.

Packet loss

Now let's try packet loss. As the documentation shows, this can be done in three ways: drop packets randomly with some probability, use a Markov chain with 2, 3 or 4 states to decide which packets are lost, or use the Elliott-Gilbert model. In this article I will consider the first (simplest and most obvious) method; you can read about the others here.

Let's make 50% of packets get lost with a correlation of 25%:

tc qdisc add dev lo root netem loss 50% 25%

Unfortunately, tcpdump cannot show us packet loss directly; we can only assume that it actually works. What helps us verify it is the increased and unstable run time of the client.py script (it may finish instantly, or maybe in 20 seconds), as well as the growing number of retransmitted segments:

[user@host ~]# netstat -s | grep retransmited; sleep 10; netstat -s | grep retransmited
    17147 segments retransmited
    17185 segments retransmited
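Since tcpdump does not show loss directly and the article falls back on the netstat counter, here is an added example (not the article's code) that parses tcpdump lines in the format printed above and flags any segment whose source, destination and sequence range repeat, which is what a retransmission looks like in a capture. The sample lines are taken from the 1-second-delay capture in this article; parse_tcpdump_line and find_retransmissions are names chosen here.

```python
#!/usr/bin/env python3
# Added example: detect TCP retransmissions in `tcpdump -nn` output.
# The regex targets the line format shown in the article's captures.
import re
from collections import Counter

TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"      # absent on pure ACKs
    r"(?:, ack (?P<ack>\d+))?"
    r".*?(?:, length (?P<length>\d+))?$"     # absent on the corrupted packet
)


def parse_tcpdump_line(line):
    """Return a dict for one tcpdump TCP line, or None if it is not one."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["length"] = int(pkt["length"]) if pkt["length"] is not None else None
    return pkt


def find_retransmissions(lines):
    """Return (ts, src, dst, flags, seq) for every segment seen more than once.

    A segment is identified by its endpoints and sequence range; seeing the
    same key again means the kernel re-sent it (SYN, SYN/ACK, data or FIN).
    Pure ACKs carry no sequence range and are skipped: duplicate ACKs are a
    loss signal of a different kind.
    """
    seen = Counter()
    retrans = []
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt is None or pkt["seq"] is None:
            continue
        key = (pkt["src"], pkt["dst"], pkt["seq"])
        if seen[key]:
            retrans.append((pkt["ts"], pkt["src"], pkt["dst"],
                            pkt["flags"], pkt["seq"]))
        seen[key] += 1
    return retrans


# Sample capture: the 1-second-delay run from the article, in which the
# client SYN and the server SYN/ACK are each sent twice.
SAMPLE_CAPTURE = """\
13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
"""

if __name__ == "__main__":
    for hit in find_retransmissions(SAMPLE_CAPTURE.splitlines()):
        print("retransmitted:", hit)
```

Feeding it a live capture (`tcpdump -i lo -nn -l port 12345 | python3 retrans.py` with the loop reading sys.stdin instead of SAMPLE_CAPTURE) gives the same information as the netstat counter, but per segment and with timestamps.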

Adding noise to packets

Besides packet loss, you can simulate packet corruption: noise is injected at a random position in the packet. Let's corrupt packets with a probability of 50% and no correlation:

tc qdisc change dev lo root netem corrupt 50%

We run the client script (nothing interesting there, except that it takes 2 seconds to complete) and look at the traffic:

Traffic

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:20:54.812434 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [S], seq 2023663770, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 0,nop,wscale 7], length 0
10:20:54.812449 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [S.], seq 2104268044, ack 2023663771, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 1037001049,nop,wscale 7], length 0
10:20:54.812458 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 0
10:20:54.812509 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 5
10:20:55.013093 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001250 ecr 1037001049], length 5
10:20:55.013122 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [.], ack 6, win 342, options [nop,nop,TS val 1037001250 ecr 1037001250], length 0
10:20:55.014681 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 1037001251 ecr 1037001250], length 14
10:20:55.014745 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 15, win 340, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.014823 IP 127.0.0.1.43666 > 127.0.0.5.12345: Flags [F.], seq 2023663776, ack 2104268059, win 342, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.214088 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>
10:20:55.416087 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 1037001653 ecr 1037001251], length 0
10:20:55.416804 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:55.416818 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 343, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:56.147086 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0
10:20:56.147101 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0

You can see that some packets were sent repeatedly and there is one packet with broken metadata: options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>. But the most important thing is that in the end everything worked correctly: TCP coped with its task.

Packet duplication

What else can you do with netem? For example, simulate the opposite of packet loss: packet duplication. This command also takes 2 arguments, probability and correlation.

tc qdisc change dev lo root netem duplicate 50% 25%

Changing the order of packets

Packets can be shuffled in two ways.

In the first, some packets are sent immediately and the rest with the specified delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50%

With a probability of 25% (and a correlation of 50%) packets will be sent immediately; the rest will be sent with a delay of 10 milliseconds.

In the second, every Nth packet is sent immediately with the given probability (and correlation), and the rest with the delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50% gap 5

Every fifth packet has a 25% chance of being sent without delay.

Changing bandwidth

Usually everyone is referred to TBF for this, but with netem you can also change the interface bandwidth:

tc qdisc change dev lo root netem rate 56kbit

This command makes a trip around localhost as painful as surfing the Internet over a dial-up modem. Besides setting the bitrate, you can also emulate a link-layer protocol model: set the per-packet overhead, the cell size and the per-cell overhead. For example, this simulates ATM at a bitrate of 56 kbit/s:

tc qdisc change dev lo root netem rate 56kbit 0 48 5

Simulating a connection timeout

Another important point in the test plan for software acceptance is timeouts. This matters because in distributed systems, when one of the services is down, the others must fall back to alternatives in time or return an error to the client; in no case should they simply hang waiting for a response or for the connection to be established.

There are several ways to do this: for example, use a mock that never responds, or attach to the process with a debugger, put a breakpoint in the right place and stop the process (this is the most perverse way). But one of the most obvious is to firewall ports or hosts. iptables will help us with this.

For the demonstration we will firewall port 12345 and run our client script. You can firewall outgoing packets to this port on the sender or incoming packets on the receiver. In my examples, incoming packets are firewalled (we use the INPUT chain and the --dport option). Such packets can be handled with DROP, REJECT, REJECT with a TCP RST flag, or REJECT with ICMP host unreachable (in fact, the default behaviour is icmp-port-unreachable, and there is also the option to reply with icmp-net-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited).

DROP

If there is a rule with DROP, packets simply "disappear".

iptables -A INPUT -p tcp --dport 12345 -j DROP

We run the client and see that it freezes at the stage of connecting to the server. Let's look at the traffic:

Traffic

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:28:20.213506 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203046450 ecr 0,nop,wscale 7], length 0
08:28:21.215086 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203047452 ecr 0,nop,wscale 7], length 0
08:28:23.219092 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203049456 ecr 0,nop,wscale 7], length 0
08:28:27.227087 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203053464 ecr 0,nop,wscale 7], length 0
08:28:35.235102 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203061472 ecr 0,nop,wscale 7], length 0

You can see that the client sends SYN packets with an exponentially increasing timeout. So we found a small bug in the client: you need to use the settimeout() method to limit the time during which the client tries to connect to the server.

Now we remove the rule:

iptables -D INPUT -p tcp --dport 12345 -j DROP

You can delete all rules at once:

iptables -F

If you use Docker and need to firewall all traffic going to a container, you can do it as follows:

iptables -I DOCKER-USER -p tcp -d CONTAINER_IP -j DROP

REJECT

Now let's add a similar rule, but with REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT

The client exits after a second with the error [Errno 111] Connection refused. Let's look at the ICMP traffic:

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:45:32.871414 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68
08:45:33.873097 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68

You can see that the client received port unreachable twice and then terminated with the error.

REJECT with tcp-reset

Let's try adding the --reject-with tcp-reset option:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

In this case the client exits with an error immediately, because the very first request received an RST packet:

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:52.766175 IP 127.0.0.1.60658 > 127.0.0.1.12345: Flags [S], seq 1889460883, win 43690, options [mss 65495,sackOK,TS val 1205119003 ecr 0,nop,wscale 7], length 0
09:02:52.766184 IP 127.0.0.1.12345 > 127.0.0.1.60658: Flags [R.], seq 0, ack 1889460884, win 0, length 0

REJECT with icmp-host-unreachable

Let's try another variant of REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-host-unreachable

The client exits after a second with the error [Errno 113] No route to host, and in the ICMP traffic we see ICMP host 127.0.0.1 unreachable.

You can try the other REJECT parameters yourself; I will limit myself to these :)

Simulating a request timeout

Another situation is when the client can connect to the server but cannot send it a request. How do we filter packets so that the filtering does not kick in immediately? If you look at the traffic of any exchange between client and server, you will notice that only the SYN and ACK flags are used while the connection is being established, but when data is exchanged, the last packet of the request carries the PSH flag. It is set automatically to avoid buffering. You can use this to build a filter: it will let every packet through except those carrying the PSH flag. Thus the connection will be established, but the client will not be able to send data to the server.

DROP

For DROP the command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j DROP

Run the client and look at the traffic:

Traffic

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:02:47.549498 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [S], seq 2166014137, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 0,nop,wscale 7], length 0
10:02:47.549510 IP 127.0.0.1.12345 > 127.0.0.1.49594: Flags [S.], seq 2341799088, ack 2166014138, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 1208713786,nop,wscale 7], length 0
10:02:47.549520 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 0
10:02:47.549568 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 5
10:02:47.750084 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713987 ecr 1208713786], length 5
10:02:47.951088 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714188 ecr 1208713786], length 5
10:02:48.354089 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714591 ecr 1208713786], length 5

We see that the connection is established but the client cannot send data to the server.

REJECT

In this case the behaviour is the same: the client cannot send the request, but it receives ICMP 127.0.0.1 tcp port 12345 unreachable and increases the interval between retries exponentially. The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT

REJECT with tcp-reset

The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT --reject-with tcp-reset

We already know that with --reject-with tcp-reset the client receives an RST packet in response, so the behaviour is predictable: receiving an RST on an established connection means the socket was unexpectedly closed on the other side, so the client should get Connection reset by peer. Let's run our script and confirm this. This is what the traffic looks like:

Traffic

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:22:14.186269 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [S], seq 2615137531, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 0,nop,wscale 7], length 0
10:22:14.186284 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [S.], seq 3999904809, ack 2615137532, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 1209880423,nop,wscale 7], length 0
10:22:14.186293 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 0
10:22:14.186338 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 5
10:22:14.186344 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [R], seq 3999904810, win 0, length 0

REJECT with icmp-host-unreachable

I think it is already obvious to everyone what the command will look like :) The client's behaviour in this case differs slightly from plain REJECT: the client does not increase the interval between retransmission attempts.

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:29:56.149202 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.349107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.549117 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.750125 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.951130 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.152107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.353115 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
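The DROP section found that client.py has no timeout, and the REJECT sections showed the errors a client can receive instead (Connection refused, Connection reset by peer, No route to host). The client below is an added example, not the article's code: every socket call is bounded by settimeout(), and each outcome is mapped to a status string so a test can assert on it. The server helpers (start_server, echo_handler, silent_handler, closed_port) are names chosen here; they exist only so the client can be exercised offline on localhost without tc or iptables.

```python
#!/usr/bin/env python3
# Added example (not the article's client.py): a client with settimeout() and
# explicit handling of the errors the article observes under DROP/REJECT.
import errno
import socket
import threading
import time

HOST = "127.0.0.1"
PORT = 12345          # the ncat echo server port used in the article
BUFFER_SIZE = 1024
MESSAGE = b"Test\n"

def echo_request(host=HOST, port=PORT, timeout=2.0, message=MESSAGE):
    """Send one request; return (status, detail, elapsed_seconds).

    status: "ok", "timeout" (DROP: SYN or PSH silently dropped), "refused"
    (REJECT or tcp-reset on connect), "reset" (tcp-reset on the data packet),
    "unreachable" (icmp-host-unreachable) or "error".
    """
    t1 = time.time()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)            # bounds connect(), sendall() and recv()
    try:
        s.connect((host, port))
        s.sendall(message)
        data = s.recv(BUFFER_SIZE)
        status, detail = ("ok", data) if data else ("error", "peer closed")
    except socket.timeout:
        status, detail = "timeout", "no reply within %.1fs" % timeout
    except ConnectionRefusedError as e:      # [Errno 111] Connection refused
        status, detail = "refused", str(e)
    except ConnectionResetError as e:        # Connection reset by peer
        status, detail = "reset", str(e)
    except OSError as e:
        if e.errno == errno.EHOSTUNREACH:    # [Errno 113] No route to host
            status, detail = "unreachable", str(e)
        else:
            status, detail = "error", str(e)
    finally:
        s.close()
    return status, detail, time.time() - t1

def start_server(handler):
    """Listen on an ephemeral localhost port; the first accepted connection
    is passed to handler(conn) on a background thread. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def echo_handler(conn):
    """Mimic the article's ncat command: reply "Response: <line>"."""
    conn.sendall(b"Response: " + conn.recv(BUFFER_SIZE))

def silent_handler(conn, hold=1.0):
    """Accept the connection, then stay quiet: the client must time out."""
    time.sleep(hold)

def closed_port():
    """Pick a localhost port nothing listens on, so connect() is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    for name, port in (("echo", start_server(echo_handler)),
                       ("silent", start_server(silent_handler)),
                       ("closed", closed_port())):
        print(name, echo_request(port=port, timeout=0.5))
```

Run against the real ncat server with the tc and iptables rules from this article, echo_request(timeout=...) returns "timeout" where the original script hung and the matching "refused", "reset" or "unreachable" status for the REJECT variants.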

Conclusion

It is not necessary to write mocks to test how a service interacts with a hanging client or server; sometimes the standard utilities found in Linux are enough.

The utilities discussed in this article have even more capabilities than described, so you can come up with your own ways of using them. Personally, what I wrote about has always been enough for me (in fact, even less). If you use these or similar utilities for testing in your company, please write exactly how. If not, I hope your software becomes better if you decide to test it under network problems using the suggested methods.

Source: www.hab.com
