Be careful with vulnerabilities that bring workarounds. Part 1: FragmentSmack/SegmentSmack


Hello everyone! My name is Dmitry Samsonov, I work as a lead system administrator at Odnoklassniki. We have more than 7 thousand physical servers, 11 thousand containers in our cloud and 200 applications, which in various configurations form 700 different clusters. The vast majority of servers run CentOS 7.

On August 14, 2018, information about the FragmentSmack (CVE-2018-5391) and SegmentSmack (CVE-2018-5390) vulnerabilities was published. These are vulnerabilities with a network attack vector and a fairly high score (7.5), threatening denial of service (DoS) through resource exhaustion (CPU). No kernel fix for FragmentSmack was offered at the time; moreover, it appeared much later than the publication of the vulnerability itself. To eliminate SegmentSmack, a kernel update was recommended. The update package was released the same day, all that remained was to install it.
No, we are not against updating the kernel at all! There are, however, nuances...

How we update the kernel in production

In general, nothing complicated:

  1. Download the packages;
  2. Install them on a number of servers (including the servers hosting our cloud);
  3. Make sure nothing is broken;
  4. Make sure all the standard kernel settings are applied without errors;
  5. Wait a few days;
  6. Check server performance;
  7. Switch the deployment of new servers to the new kernel;
  8. Update all servers data center by data center (one data center at a time to minimize the impact on users if something goes wrong);
  9. Reboot all servers.

Repeat for every kernel branch we have. At the moment these are:

  • Stock CentOS 7 3.10 - for most ordinary servers;
  • Vanilla 4.19 - for our one-cloud, because we need BFQ, BBR and so on;
  • Elrepo kernel-ml 5.2 - for highly loaded balancers, because 4.19 behaved unstably there, and the same features are needed.

As you may have guessed, rebooting thousands of servers takes the longest. Since not every vulnerability is critical for every server, we reboot only those that are directly reachable from the Internet. In the cloud, so as not to limit flexibility, we do not pin externally reachable containers to individual servers with the new kernel, but reboot all hosts without exception. Fortunately, the procedure there is simpler than on ordinary servers. For example, stateless containers can simply move to another server while a host reboots.

Still, it is a lot of work, and it can take several weeks, and if there are any problems with the new version, up to several months. Attackers understand this very well, so a plan B is needed.

FragmentSmack/SegmentSmack. Workaround

Fortunately, for some vulnerabilities there is a plan B, and it is called a Workaround. Most often this is a change in kernel/application settings that can minimize the possible effect or completely eliminate exploitation of the vulnerability.

For FragmentSmack/SegmentSmack the suggested Workaround was this:

"You can change the default values of 4MB and 3MB in net.ipv4.ipfrag_high_thresh and net.ipv4.ipfrag_low_thresh (and their counterparts for ipv6, net.ipv6.ipfrag_high_thresh and net.ipv6.ipfrag_low_thresh) to 256 kB and 192 kB respectively or lower. Tests show a small to significant drop in CPU usage during an attack depending on hardware, settings and conditions. However, there may be some performance impact due to ipfrag_high_thresh=262144 bytes, as only two 64K fragments can fit in the reassembly queue at the same time. For example, there is a risk that applications working with large UDP packets will break."

The parameters themselves are described in the kernel documentation as follows:

ipfrag_high_thresh - LONG INTEGER
    Maximum memory used to reassemble IP fragments.

ipfrag_low_thresh - LONG INTEGER
    Maximum memory used to reassemble IP fragments before the kernel
    begins to remove incomplete fragment queues to free up resources.
    The kernel still accepts new fragments for defragmentation.

We have no large UDP in production services. There is no fragmented traffic on the LAN; there is fragmented traffic on the WAN, but not a significant amount. No warning signs - the Workaround can be rolled out!

FragmentSmack/SegmentSmack. First blood

The first problem we ran into was that cloud containers sometimes applied the new settings only partially (only ipfrag_low_thresh), and sometimes did not apply them at all - they simply crashed at start. It was not possible to reproduce the problem reliably (all the settings applied by hand without any trouble). Understanding why a container crashed at start was not easy either: there were no errors to be found. One thing was known for sure: rolling back the settings fixed the container crashes.

Why is it not enough to apply Sysctl on the host? The container lives in its own dedicated network namespace, so at least some of the network Sysctl parameters in the container may differ from those on the host.

How exactly are Sysctl settings applied in a container? Since our containers are unprivileged, you cannot change any Sysctl setting from inside the container itself - you simply do not have enough rights. To run containers, our cloud at the time used Docker (now podman). The parameters of the new container were passed to Docker via the API, including the required Sysctl settings.
Digging through the versions, it turned out that the Docker API did not return all errors (at least in version 1.10). When we tried to start the container via "docker run", we finally saw at least something:

write /proc/sys/net/ipv4/ipfrag_high_thresh: invalid argument docker: Error response from daemon: Cannot start container <...>: [9] System error: could not synchronise with container process.

The parameter value is invalid. But why? And why is it invalid only sometimes? It turned out that Docker does not guarantee the order in which Sysctl parameters are applied (the latest version tested was 1.13.1), so sometimes it attempted to set ipfrag_high_thresh to 256K while ipfrag_low_thresh was still 3M, that is, the upper limit ended up below the lower limit, which led to the error.

At that time we were already using our own mechanism for reconfiguring a container after start (freezing the container via the cgroup freezer and executing commands in the container's namespace via ip netns), and we added the application of the Sysctl parameters to that step as well. The problem was solved.
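The ordering problem above is mechanical, so it can be solved mechanically. The following is an added example, not code from the article or from Docker: it orders the two ipfrag writes so that high_thresh is never below low_thresh at any intermediate step, and it includes a simulated /proc/sys writer that enforces the same invariant as the kernel's min/max check, so that the "invalid argument" failure can be reproduced offline. The function names, the simulated writer and the threshold values being passed as plain dictionaries are assumptions of this example.

```python
# Added example (not from the original article): apply the ipfrag thresholds in
# an order the kernel accepts. The kernel rejects a write that would leave
# ipfrag_high_thresh below ipfrag_low_thresh, which is the "invalid argument"
# Docker produced when it wrote the two keys in a random order.
# All function names below are assumptions for this example.
import errno
from typing import Callable, Dict, List, Tuple

HIGH = "net.ipv4.ipfrag_high_thresh"
LOW = "net.ipv4.ipfrag_low_thresh"

# Values from the article: kernel defaults (4M/3M) and the Workaround (256K/192K).
DEFAULTS = {HIGH: 4 * 1024 * 1024, LOW: 3 * 1024 * 1024}
WORKAROUND = {HIGH: 256 * 1024, LOW: 192 * 1024}


def order_ipfrag_writes(current: Dict[str, int], target: Dict[str, int]) -> List[Tuple[str, int]]:
    """Return (key, value) writes ordered so that high >= low holds after every step.

    Shrinking both (4M/3M -> 256K/192K): lower low_thresh first, then high_thresh.
    Growing both (256K/192K -> 4M/3M): raise high_thresh first, then low_thresh.
    """
    if target[LOW] > target[HIGH]:
        raise ValueError("target low_thresh must not exceed high_thresh")
    if target[HIGH] >= current[LOW]:
        # Writing high first cannot drop it below the current low value.
        return [(HIGH, target[HIGH]), (LOW, target[LOW])]
    # The new high is below the old low, so low has to move first.
    return [(LOW, target[LOW]), (HIGH, target[HIGH])]


def make_simulated_kernel(state: Dict[str, int]) -> Callable[[str, int], None]:
    """Stand-in for sysctl(8)/proc writes so the example runs offline.

    It enforces the same invariant the kernel's min/max check does: a write that
    would leave high < low fails with EINVAL and changes nothing.
    """
    def write(key: str, value: int) -> None:
        high = value if key == HIGH else state[HIGH]
        low = value if key == LOW else state[LOW]
        if high < low:
            raise OSError(errno.EINVAL, f"write {key}: invalid argument")
        state[key] = value
    return write


def apply_ipfrag(state: Dict[str, int], target: Dict[str, int],
                 write: Callable[[str, int], None]) -> Dict[str, int]:
    """Apply the target thresholds through `write` in a safe order; returns the final state."""
    for key, value in order_ipfrag_writes(dict(state), target):
        write(key, value)
    return state


def unordered_write_fails(state: Dict[str, int], target: Dict[str, int]) -> bool:
    """Reproduce the Docker symptom: the same writes in the wrong order hit EINVAL."""
    write = make_simulated_kernel(dict(state))  # work on a copy of the state
    try:
        for key, value in reversed(order_ipfrag_writes(state, target)):
            write(key, value)
    except OSError as exc:
        return exc.errno == errno.EINVAL
    return False


if __name__ == "__main__":
    live = dict(DEFAULTS)
    print("after safe apply:", apply_ipfrag(live, WORKAROUND, make_simulated_kernel(live)))
    print("wrong order fails:", unordered_write_fails(DEFAULTS, WORKAROUND))
```

The same ordering rule applies when rolling the Workaround back: raising the thresholds requires high_thresh first, which is why a post-start script with a fixed order, as the article's own mechanism provides, is preferable to handing an unordered set of keys to the container runtime.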

FragmentSmack/SegmentSmack. First blood 2

Before we had time to make sense of the Workaround in the cloud, the first rare complaints from users began to arrive. By then several weeks had passed since the Workaround was first applied on the first servers. An initial investigation showed that the complaints concerned individual services, and not all servers of those services. The problem had again become extremely vague.

First of all, of course, we tried rolling back the Sysctl settings, but this had no effect. Various manipulations of server and application settings did not help either. A reboot helped. Rebooting Linux is as unnatural as it used to be normal for Windows in the old days. Nevertheless, it helped, and we wrote it off as a "kernel glitch" when applying new Sysctl settings. How foolish that was...

Three weeks later the problem came back. The configuration of these servers was quite simple: Nginx in proxy/balancer mode. Not much traffic. A new clue: the number of 504 errors (Gateway Timeout) on clients grows every day. The graph shows the number of 504 errors per day for this service:

[Image: graph of 504 errors per day for this service]

All the errors concerned the same backend - the one in the cloud. The memory consumption graph for packet fragments on this backend looked like this:

[Image: memory consumption graph for packet fragments on the backend]

This is one of the clearest manifestations of the problem on the operating system graphs. In the cloud, at exactly the same time, another network problem with QoS (Traffic Control) settings was being fixed. On the memory consumption graph for packet fragments it looked exactly the same:

[Image: memory consumption graph for packet fragments during the QoS problem]

The assumption was simple: if they look the same on the graphs, then they have the same cause. Moreover, any problems with this type of memory are extremely rare.

The essence of the fixed problem was that we used the fq packet scheduler with default settings in QoS. By default it allows 100 packets to be queued per connection, and some connections, under channel scarcity, began to fill the queue to capacity. In that case packets are dropped. In the tc statistics (tc -s qdisc) this looks like this:

qdisc fq 2c6c: parent 1:2c6c limit 10000p flow_limit 100p buckets 1024 orphan_mask 1023 quantum 3028 initial_quantum 15140 refill_delay 40.0ms
 Sent 454701676345 bytes 491683359 pkt (dropped 464545, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  1024 flows (1021 inactive, 0 throttled)
  0 gc, 0 highprio, 0 throttled, 464545 flows_plimit

"464545 flows_plimit" is the number of packets dropped for exceeding the per-connection queue limit, and "dropped 464545" is the total of all packets dropped by this scheduler. After increasing the queue length to 1 thousand and restarting the containers, the problem stopped occurring. Time to sit back and drink a smoothie.

FragmentSmack/SegmentSmack. Last blood

First: several months after the vulnerabilities in the kernel were announced, a fix for FragmentSmack finally appeared (let me remind you that together with the August announcement a fix was released only for SegmentSmack), which gave us a chance to drop the Workaround that had caused us so much trouble. By then we had already managed to move some of the servers to the new kernel, and now we had to start all over again. Why did we update the kernel without waiting for the FragmentSmack fix? The thing is that the process of protecting against these vulnerabilities coincided (and merged) with the process of updating CentOS itself (which takes even more time than updating the kernel alone). Besides, SegmentSmack is the more dangerous vulnerability, and the fix for it appeared right away, so it made sense anyway. However, we could not simply update the kernel on CentOS, because the FragmentSmack vulnerability, which appeared during CentOS 7.5, was fixed only in 7.6, so we had to stop the update to 7.5 and start again with the update to 7.6. That happens too.

Second: the rare user complaints about problems came back to us. By now we knew for certain that all of them were related to file uploads from clients to some of our servers. Moreover, only a very small share of all uploads went through these servers.

As we remember from the story above, rolling back Sysctl did not help. A reboot helped, but only temporarily.
The suspicion about Sysctl was not dropped, but this time it was necessary to collect as much information as possible. There was also a painful inability to reproduce the upload problem on a client in order to study more precisely what was happening.

Analysis of all available statistics and logs brought us no closer to understanding what was going on. There was an acute lack of a way to reproduce the problem in order to "feel" a specific connection. Finally the developers, using a special build of the application, managed to reproduce the problem reliably on a test device connected over Wi-Fi. This was a breakthrough in the investigation. The client connected to Nginx, which proxied to the backend, which was our Java application.

[Image: client, Nginx proxy and Java backend]

The dialogue in the failing case looked like this (recorded on the Nginx proxy side):

  1. Client: request for information about uploading a file.
  2. Java server: response.
  3. Client: POST with the file.
  4. Java server: error.

At the same time, the Java server logs that 0 bytes of data were received from the client, and the Nginx proxy logs that the request took more than 30 seconds (30 seconds is the client application's timeout). Why the timeout, and why 0 bytes? From the HTTP point of view everything works as it should, but the POST with the file seems to disappear from the network. Moreover, it disappears between the client and Nginx. Time to arm ourselves with Tcpdump! But first we need to understand the network configuration. The Nginx proxy sits behind an L3 NFware balancer. Tunneling is used to deliver packets from the L3 balancer to the server, which adds its own headers to the packets:

[Image: packet with tunnel headers]

In this case, the network delivers Vlan-tagged traffic to this server, which also adds its own fields to the packets:

[Image: packet with Vlan tag and tunnel headers]

And this traffic can also be fragmented (that very small share of incoming fragmented traffic that we mentioned when assessing the risks of the Workaround), which again changes the contents of the headers:

[Image: fragmented packet with Vlan tag and tunnel headers]

Once again: packets are encapsulated with a Vlan tag, encapsulated in a tunnel, and fragmented. To better understand how this happens, let us trace the path of a packet from the client to the Nginx proxy.

  1. The packet reaches the L3 balancer. For correct routing inside the data center, the packet is encapsulated in a tunnel and sent to the network card.
  2. Since the packet plus tunnel headers does not fit into the MTU, the packet is cut into fragments and sent to the network.
  3. The switch after the L3 balancer, on receiving the packet, adds a Vlan tag to it and sends it on.
  4. The switch in front of the Nginx proxy sees (from its port settings) that the server expects Vlan-encapsulated packets, so it sends the packet on as is, without removing the Vlan tag.
  5. Linux takes the fragments of each packet and glues them back into one large packet.
  6. Next, the packet reaches the Vlan interface, where the first layer is removed from it - the Vlan encapsulation.
  7. Linux then passes it to the Tunnel interface, where the next layer is removed - the Tunnel encapsulation.

The difficulty is to pass all of this as parameters to tcpdump.
Let us start from the end: are there clean (without extra headers) IP packets from clients, with the vlan and tunnel encapsulation removed?

tcpdump host <client ip>

No, there are no such packets on the server. So the problem must be earlier. Are there any packets with only the Vlan encapsulation removed?

tcpdump ip[32:4]=0xx390x2xx

0xx390x2xx is the client IP address in hex.
32:4 - the offset and length of the field in which the SRC IP is written in the tunneled packet.

The field offset had to be found by trial and error, since on the Internet people write about 40, 44, 50, 54, but there was no IP address at any of those. You can also look at one of the packets in hex (the -xx or -XX option of tcpdump) and count your way to the IP address you know.

Are there fragmented packets with neither the Vlan nor the Tunnel encapsulation removed?

tcpdump ((ip[6:2] > 0) and (not ip[6] = 64))

This magic shows us all fragments, including the last one. Probably the same thing could be filtered by IP, but I did not try, since there are not many such packets and the ones I needed were easy to find in the general stream. Here they are:

14:02:58.471063 In 00:de:ff:1a:94:11 ethertype IPv4 (0x0800), length 1516: (tos 0x0, ttl 63, id 53652, offset 0, flags [+], proto IPIP (4), length 1500)
    11.11.11.11 > 22.22.22.22: truncated-ip - 20 bytes missing! (tos 0x0, ttl 50, id 57750, offset 0, flags [DF], proto TCP (6), length 1500)
    33.33.33.33.33333 > 44.44.44.44.80: Flags [.], seq 0:1448, ack 1, win 343, options [nop,nop,TS val 11660691 ecr 2998165860], length 1448
        0x0000: 0000 0001 0006 00de fb1a 9441 0000 0800 ...........A....
        0x0010: 4500 05dc d194 2000 3f09 d5fb 0a66 387d E.......?....f8}
        0x0020: 1x67 7899 4500 06xx e198 4000 3206 6xx4 [email protected].
        0x0030: b291 x9xx x345 2541 83b9 0050 9740 0x04 .......A...P.@..
        0x0040: 6444 4939 8010 0257 8c3c 0000 0101 080x dDI9...W.......
        0x0050: 00b1 ed93 b2b4 6964 xxd8 ffe1 006a 4578 ......ad.....jEx
        0x0060: 6966 0000 4x4d 002a 0500 0008 0004 0100 if..MM.*........

14:02:58.471103 In 00:de:ff:1a:94:11 ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 63, id 53652, offset 1480, flags [none], proto IPIP (4), length 40)
    11.11.11.11 > 22.22.22.22: ip-proto-4
        0x0000: 0000 0001 0006 00de fb1a 9441 0000 0800 ...........A....
        0x0010: 4500 0028 d194 00b9 3f04 faf6 2x76 385x E..(....?....f8}
        0x0020: 1x76 6545 xxxx 1x11 2d2c 0c21 8016 8e43 .faE...D-,.!...C
        0x0030: x978 e91d x9b0 d608 0000 0000 0000 7c31 .x............|Q
        0x0040: 881d c4b6 0000 0000 0000 0000 0000 ..............

These are two fragments of one packet (the same ID 53652) carrying a photo (the word Exif is visible in the first packet). Since the packets are present at this level but not in reassembled form in the dumps, the problem is clearly in reassembly. Finally there is documentary evidence of it!
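The three tcpdump filters above are compact but opaque, so here is an added example (not code from the article) that reproduces their logic offline in Python and runs it over constructed packets shaped like the two captured fragments: the same IP ID, lengths and fragment offset, the placeholder addresses printed in the dump, and no checksums. It shows why the tunneled client address sits at offset 32 (20 bytes of outer header plus the 12-byte offset of the source address in the inner header), and it makes explicit a caveat the text only implies: only the first fragment carries the inner header, so the `ip[32:4]` filter cannot match later fragments of the same packet. The helper and constant names are assumptions of this example.

```python
# Added example (not from the original article): offline equivalents of the tcpdump
# filters used in the text, run over constructed IPIP-tunnel fragments modelled on the
# captured pair (IDs 53652/57750, lengths 1500 and 40, offset 1480). Helper names are
# assumptions; addresses are the placeholders from the dump.
import ipaddress
import struct
from typing import List, Optional

DF, MF = 2, 1  # IPv4 flag values: bit 14 = DF, bit 13 = MF (value << 13 in the flags/offset word)
IPPROTO_IPIP, IPPROTO_TCP = 4, 6


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int,
                      ident: int, flags: int, frag_off_bytes: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (IHL 5, checksum left as 0; constructed test data)."""
    flags_off = (flags << 13) | (frag_off_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def article_fragment_filter(pkt: bytes) -> bool:
    """Python form of: tcpdump '((ip[6:2] > 0) and (not ip[6] = 64))'.

    ip[6:2] > 0 matches any packet with a flag bit or a non-zero fragment offset;
    'not ip[6] = 64' removes the common case of DF set and nothing else (0x40).
    """
    return struct.unpack("!H", pkt[6:8])[0] > 0 and pkt[6] != 64


def is_fragment(pkt: bytes) -> bool:
    """Exact check the filter approximates: MF set or fragment offset non-zero."""
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    return bool(flags_off & (MF << 13)) or (flags_off & 0x1FFF) != 0


def inner_src_ip(pkt: bytes) -> Optional[str]:
    """Source IP of the tunneled packet, the field behind 'ip[32:4]'.

    32 = 20 (outer header with IHL 5) + 12 (source address offset in the inner header).
    Only the first fragment carries the inner header, so for later fragments of the
    same packet the bytes at offset 32 are payload and the result is None.
    """
    ihl = (pkt[0] & 0x0F) * 4
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    if pkt[9] != IPPROTO_IPIP or ihl != 20 or (flags_off & 0x1FFF) != 0:
        return None
    return str(ipaddress.IPv4Address(pkt[32:36]))


def matches_client(pkt: bytes, client_ip: str) -> bool:
    """Python form of: tcpdump 'ip[32:4]=0x...' with the client address given in hex."""
    return inner_src_ip(pkt) == client_ip


# Constructed packets: a 1500-byte inner TCP packet from the client, wrapped in IPIP by
# the balancer and split by the balancer at the 1480-byte payload boundary.
CLIENT, SERVER = "33.33.33.33", "44.44.44.44"
BALANCER, NGINX = "11.11.11.11", "22.22.22.22"
INNER = build_ipv4_header(CLIENT, SERVER, IPPROTO_TCP, 1500, 57750, DF, 0) + bytes(1480)
FIRST_FRAG = build_ipv4_header(BALANCER, NGINX, IPPROTO_IPIP, 1500, 53652, MF, 0) + INNER[:1480]
LAST_FRAG = build_ipv4_header(BALANCER, NGINX, IPPROTO_IPIP, 40, 53652, 0, 1480) + INNER[1480:]
PLAIN_DF = build_ipv4_header(CLIENT, NGINX, IPPROTO_TCP, 60, 1, DF, 0) + bytes(40)  # ordinary DF packet


def classify(packets: List[bytes]) -> List[str]:
    """Label each packet the way the three tcpdump questions in the text would."""
    labels = []
    for p in packets:
        if is_fragment(p):
            labels.append("fragment" + (" (first, client visible)" if matches_client(p, CLIENT) else ""))
        elif inner_src_ip(p) is not None:
            labels.append("tunneled, unfragmented")
        else:
            labels.append("plain")
    return labels


if __name__ == "__main__":
    for label in classify([FIRST_FRAG, LAST_FRAG, PLAIN_DF]):
        print(label)
```

Note that the article's filter and the exact check agree on these three packets but not in every case: a packet with DF set and a fragment offset of 256 or more has ip[6] equal to 0x41 or higher, so the filter still matches it, while a hypothetical packet with DF set and an offset of less than 256 would be wrongly excluded. DF and a non-zero offset do not occur together in practice, which is why the shortcut was good enough for the investigation.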

A packet decoder did not reveal anything that would prevent reassembly. I tried this one: hpd.gasmi.net. At first, when trying to feed it a packet, the decoder did not like the packet format. It turned out that there were two extra octets between Srcmac and Ethertype (unrelated to the fragment information). After removing them, the decoder started working. However, it showed no problems.
Whatever one may say, nothing else was found except those Sysctl settings. All that remained was to find a way to identify the problem servers in order to understand the scale and decide on further actions. The required counter was found fairly quickly:

netstat -s | grep "packet reassembles failed"

It is also available in snmpd under OID=1.3.6.1.2.1.4.31.1.1.16.1 (ipSystemStatsReasmFails).

"The number of failures detected by the IP re-assembly algorithm (for whatever reason: timed out, errors, etc.)."

Of the group of servers on which the problem was studied, on two this counter grew faster, on two more slowly, and on two more it did not grow at all. Comparing the dynamics of this counter with the dynamics of HTTP errors on the Java server revealed a correlation. That is, the counter could be monitored.

Having a reliable indicator of the problem is very important, so that you can determine precisely whether rolling back Sysctl helps, since from the previous story we know that this cannot be seen immediately from the application. This indicator would let us find all problem areas in production before users discover them.
After rolling back Sysctl, the monitoring errors stopped, which proved both the cause of the problem and the fact that the rollback helps.
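To turn the counter found above into the kind of monitoring the text describes, here is an added example (not code from the article or from any monitoring tool used there): it parses the "packet reassembles failed" line out of the Ip: section of `netstat -s` output, computes the failure rate between two snapshots, and ranks servers by that rate so that the worst ones surface first. The two snapshots are constructed sample output; the threshold, the treatment of a counter reset after a reboot, and the function names are assumptions of this example.

```python
# Added example (not from the original article): detection logic over `netstat -s`
# output for the reassembly-failure counter (ipSystemStatsReasmFails in SNMP terms).
# The snapshots below are constructed sample output, not real data from the article.
import re
from typing import Dict, List, Tuple

REASM_RE = re.compile(r"^\s*(\d+)\s+packet reassembles failed\s*$", re.MULTILINE)

# Constructed snapshots for two servers, 60 seconds apart. "srv-a" is the problem
# server (counter growing), "srv-b" is healthy (counter unchanged).
SNAPSHOT_A_T0 = """\
Ip:
    123456789 total packets received
    0 forwarded
    0 incoming packets discarded
    123400000 incoming packets delivered
    98765432 requests sent out
    3200 fragments dropped after timeout
    4150 reassemblies required
    950 packets reassembled ok
    3200 packet reassembles failed
Icmp:
    10 ICMP messages received
"""
SNAPSHOT_A_T60 = SNAPSHOT_A_T0.replace("3200 packet reassembles failed", "3800 packet reassembles failed")
SNAPSHOT_B_T0 = SNAPSHOT_A_T0.replace("3200 packet reassembles failed", "12 packet reassembles failed")
SNAPSHOT_B_T60 = SNAPSHOT_B_T0


def reassembly_failures(netstat_output: str) -> int:
    """Return the 'packet reassembles failed' counter from `netstat -s` text."""
    m = REASM_RE.search(netstat_output)
    if m is None:
        raise ValueError("counter 'packet reassembles failed' not found in netstat output")
    return int(m.group(1))


def failure_rate(before: str, after: str, interval_s: float) -> float:
    """Reassembly failures per second between two snapshots taken interval_s apart.

    A counter that went down means the server rebooted in between (the reboot
    clears it); assumption: treat the new value as the growth since the reset.
    """
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    delta = reassembly_failures(after) - reassembly_failures(before)
    if delta < 0:
        delta = reassembly_failures(after)
    return delta / interval_s


def classify_server(before: str, after: str, interval_s: float, warn_per_s: float = 1.0) -> str:
    """'ok' if the counter is flat, 'warn' below the threshold, 'problem' at or above it."""
    rate = failure_rate(before, after, interval_s)
    if rate == 0:
        return "ok"
    return "problem" if rate >= warn_per_s else "warn"


def rank_servers(snapshots: Dict[str, Tuple[str, str]], interval_s: float) -> List[Tuple[str, float, str]]:
    """Sort servers by failure rate, worst first: (name, rate, classification)."""
    ranked = [(name, failure_rate(b, a, interval_s), classify_server(b, a, interval_s))
              for name, (b, a) in snapshots.items()]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    fleet = {"srv-a": (SNAPSHOT_A_T0, SNAPSHOT_A_T60), "srv-b": (SNAPSHOT_B_T0, SNAPSHOT_B_T60)}
    for name, rate, verdict in rank_servers(fleet, 60):
        print(f"{name}: {rate:.2f} failures/s -> {verdict}")
```

The useful output is the rate rather than the absolute value: as the text notes, on some servers the counter grew fast, on others slowly, and on others not at all, and only the growth correlated with the HTTP errors on the Java side.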

We rolled back the fragmentation settings on the other servers where the new monitoring fired, and in some places we allocated even more memory for fragments than the previous default (these were UDP statistics, whose partial loss was not noticeable against the general background).

The most important questions

Why are packets fragmented on our L3 balancer? Most of the packets that arrive from users at the balancers are SYN and ACK. These packets are small. But since the share of such packets is very large, against their background we did not notice the presence of large packets that had started to fragment.

The reason was a broken advmss configuration script on servers with Vlan interfaces (there were very few servers with tagged traffic in production at that time). Advmss lets us tell the client that packets in our direction should be smaller, so that after the tunnel headers are attached to them they do not have to be fragmented.

Why did rolling back Sysctl not help, while a reboot did? Rolling back Sysctl changed the amount of memory available for reassembling packets. But, apparently, the very fact that the fragment memory had overflowed slowed the connections down, which caused fragments to linger in the queue for a long time. That is, the process fed on itself.
The reboot cleared the memory and everything went back to normal.

Could we have done without the Workaround? Yes, but with a high risk of leaving users without service in the event of an attack. Of course, applying the Workaround led to various problems, including the slowdown of one of the services for users, but we nevertheless believe the actions were justified.

Many thanks to Andrey Timofeev (atimofeyev) for help in conducting the investigation, and to Alexey Krenev (devicex) for the titanic work of updating CentOS and the kernels on the servers. A process that in this case had to be started from scratch several times, which is why it dragged on for many months.

Source: www.habr.com
