"The people who built our website already set up DDoS protection."
"We have DDoS protection, so why did the site go down?"
"How many thousand does Qrator want?"
To answer questions like these from customers and managers properly, it helps to know what actually hides behind the name "DDoS protection". Choosing a protection service is less like picking a table at IKEA and more like picking a medicine with your doctor.
I have supported websites for 11 years and have lived through hundreds of attacks on the services I look after, so here is a little about how protection works on the inside.
[Chart: requests per second, normal load versus attack; 350 requests in total, 52 of them legitimate]
The first attacks appeared almost together with the Internet. DDoS as a mass phenomenon spread from the late 2000s (correct me if I'm wrong).
Since about 2015-2016, almost every hosting provider has been protected against DDoS attacks, and so have the best-known sites in competitive niches (run whois on the IP addresses of eldorado.ru, leroymerlin.ru or tilda.ws and you will see the networks of protection operators).
Ten to twenty years ago most attacks could be repelled on the server itself (have a look at the recommendations of Maxim Moshkov, sysadmin of Lenta.ru in the 90s).
Types of DDoS attacks from the standpoint of choosing a protection operator
Attacks at the L3/L4 level (per the OSI model)
- UDP flood from a botnet (many requests are sent directly from infected devices to the attacked service, and the server's channel gets clogged).
- DNS/NTP/etc. amplification (infected devices send many requests with a spoofed source address to vulnerable DNS/NTP/etc. servers, and the mass of packets sent in reply floods the victim's channel. This is how the largest attacks on the modern Internet are carried out).
- SYN/ACK flood (many connection-establishment requests are sent to the attacked server, overflowing the connection queue).
- Attacks using packet fragmentation, ping of death, ping flood (google them).
- And so on.
These attacks aim either to "clog" the server's channel or to "kill" its ability to accept new traffic.
Although SYN/ACK flooding and amplification are very different, many companies cope with both equally well. Problems begin with attacks from the next group.
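The three L3/L4 flood types listed above leave quite different fingerprints in flow telemetry, which is what the detection equipment mentioned later in this article keys on. The following added example (not code from the article or from any operator it names) shows the distinguishing signals in a toy classifier over constructed one-second windows of flow records: a SYN flood is half-open TCP from many sources, amplification is large UDP replies from well-known amplifier ports, and a direct UDP flood is small UDP junk from many sources. The thresholds, address ranges and flow format are assumptions chosen for the demo.

```python
"""Toy L3/L4 flood classifier over flow records.

Added example, not code from the article or from any protection operator
named in it. The flow records, thresholds and address ranges are constructed
for illustration; a real detector works on NetFlow/sFlow telemetry at far
higher rates and with per-target baselines learned over time.
"""

# UDP source ports of services commonly abused for reflection/amplification.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 19: "chargen", 1900: "SSDP", 11211: "memcached"}

# Constructed target address (RFC 5737 documentation range).
TARGET = "203.0.113.10"


def summarize(flows, target):
    """Aggregate one window of flows addressed to `target`.

    Each flow is (src, dst, proto, sport, dport, tcp_flags, packets, bytes);
    tcp_flags is the union of flags seen in the flow, so "S" alone means the
    handshake never completed (the signature of a SYN flood).
    """
    s = {"tcp_pkts": 0, "syn_only": 0, "udp_pkts": 0, "udp_bytes": 0,
         "amp_pkts": 0, "sources": set()}
    for src, dst, proto, sport, _dport, flags, pkts, nbytes in flows:
        if dst != target:
            continue
        s["sources"].add(src)
        if proto == "tcp":
            s["tcp_pkts"] += pkts
            if flags == "S":
                s["syn_only"] += pkts
        elif proto == "udp":
            s["udp_pkts"] += pkts
            s["udp_bytes"] += nbytes
            if sport in AMPLIFIER_PORTS:
                s["amp_pkts"] += pkts
    return s


def classify(flows, target=TARGET, window_s=1.0, baseline_pps=200, min_sources=50):
    """Label the window: normal, udp_amplification, syn_flood, udp_flood or unclassified."""
    s = summarize(flows, target)
    total = s["tcp_pkts"] + s["udp_pkts"]
    if total / window_s < 5 * baseline_pps:
        return "normal"                     # below the alert threshold
    if s["udp_pkts"]:
        amp_share = s["amp_pkts"] / s["udp_pkts"]
        avg_size = s["udp_bytes"] / s["udp_pkts"]
        if amp_share > 0.8 and avg_size > 1000:
            return "udp_amplification"      # large replies from amplifier ports
    if (s["tcp_pkts"] and s["syn_only"] / s["tcp_pkts"] > 0.9
            and len(s["sources"]) >= min_sources):
        return "syn_flood"                  # half-open connections from many sources
    if s["udp_pkts"] / total > 0.9 and len(s["sources"]) >= min_sources:
        return "udp_flood"                  # direct UDP junk from a botnet
    return "volumetric_unclassified"


def _legit_tcp(n):
    """n completed HTTPS sessions from ordinary clients (constructed)."""
    return [(f"198.51.100.{i + 1}", TARGET, "tcp", 40000 + i, 443, "SAPF", 20, 9000)
            for i in range(n)]


def sample_normal():
    # 40 clients plus small DNS replies to the target from one resolver.
    return _legit_tcp(40) + [("192.0.2.53", TARGET, "udp", 53, 33000 + i, "", 1, 120)
                             for i in range(40)]


def sample_syn_flood():
    # 2000 spoofed sources, SYN only, handshake never completes.
    spoofed = [(f"100.64.{i // 250}.{i % 250 + 1}", TARGET, "tcp",
                1024 + i % 60000, 443, "S", 5, 300) for i in range(2000)]
    return _legit_tcp(10) + spoofed


def sample_amplification():
    # 300 open DNS/NTP servers answering spoofed queries with large replies.
    reflectors = [(f"198.18.{i // 250}.{i % 250 + 1}", TARGET, "udp",
                   53 if i % 2 else 123, 12345, "", 30, 42000) for i in range(300)]
    return _legit_tcp(10) + reflectors


def sample_udp_flood():
    # 500 bots sending small UDP packets straight at port 80.
    bots = [(f"100.64.{10 + i // 250}.{i % 250 + 1}", TARGET, "udp",
             40000 + i, 80, "", 40, 2560) for i in range(500)]
    return _legit_tcp(10) + bots


if __name__ == "__main__":
    for name, sample in [("normal", sample_normal), ("syn", sample_syn_flood),
                         ("amp", sample_amplification), ("udp", sample_udp_flood)]:
        print(f"{name:>6}: {classify(sample())}")
```

The ordering of the checks matters: amplification is tested first because a reflected attack also comes from "many sources" and would otherwise be mislabelled as a plain UDP flood, and everything below a multiple of the per-target baseline is left alone, which is the same reason real products need a learned baseline before they can be trusted not to fire on a traffic spike.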
Attacks at L7 (the application layer)
- HTTP flood (when a website or some HTTP API is attacked).
- Attacks on a site's vulnerable areas (areas without caching, areas that place a very heavy load on the site, and so on).
The goal is to make the server "work itself to death" processing lots of "seemingly genuine" requests so that no resources remain for real ones.
There are other attacks, but these are the most common.
Serious attacks at L7 are crafted individually for each target project.
Why two groups?
Because many people know how to repel attacks at L3/L4 well, but either do not deal with application-level (L7) protection at all or are still weaker at it than the alternatives.
Who's who in the DDoS protection market
(my personal opinion)
Protection at the L3/L4 level
To repel an amplification attack (one that "saturates" the server's channel), you need a wide enough channel (many protection services are connected to most of the large Russian backbone providers and have channels with a theoretical capacity above 1 Tbit). Bear in mind that an amplification attack very rarely lasts more than an hour. If you are Spamhaus and somebody hates you, then yes, they may try to shut down your channel for several days, even at the risk of burning the whole global botnet they are using. If you simply have an online store, even if it is mvideo.ru, you are unlikely to see XNUMX Tbit for several days any time soon (I hope).
To repel attacks based on SYN/ACK flooding, packet fragmentation and the like, you need hardware or a software system that detects and stops such attacks.
Many vendors make such equipment (solutions from Arbor, Cisco and Huawei, the software implementation Wanguard, and others), and many backbone operators have already deployed it and sell DDoS protection as a service (I know of deployments at Rostelecom, Megafon, TTK and MTS). In fact, every major provider does the same for hosters with protection of its own, for example OVH.com and Hetzner.de; I have run into the protection at ihor.ru myself. Some companies develop their own software solutions (with technologies like DPDK, a physical x86 machine can process tens of gigabits of traffic).
All of the well-known players fight L3/L4 DDoS more or less effectively. I will not say whose maximum channel capacity is larger (that is internal information), and usually it does not matter much; the only real difference is how quickly the protection kicks in (instantly, or after a few minutes of downtime for the project, as is the case with some of them).
The question is how well it is done. An amplification attack can be repelled by blocking all traffic from the countries that send the most harmful traffic, or by discarding only the traffic that is genuinely unwanted.
That said, in my experience all the serious market players (Qrator, DDoS-Guard, Kaspersky, G-Core Labs (formerly SkyParkCDN), ServicePipe, Stormwall, Voxility and others) handle this without problems.
I have not encountered protection from telecom operators such as Rostelecom, Megafon, TTK and Beeline. According to colleagues, these services are provided quite well, but so far a lack of experience shows from time to time: sometimes something has to be adjusted through the protection operator's support.
Some telecom operators offer a separate service, "protection against attacks at the L3/L4 level" or "channel protection", which costs far less than protection at all levels.
How does a protection operator that is not a backbone provider and has no channels of its own repel attacks of hundreds of gigabits? It connects to one of the major providers and, for a fee, repels the attack there. The channel has to be paid for, but those hundreds of gigabits are not all in use all the time, and there are options that greatly reduce the cost of the channel in that case, so the scheme remains viable.
This is the kind of report I regularly received from the upstream L3/L4 protection while supporting a hosting provider's systems.
Protection at the L7 level (application level)
Only a handful can repel attacks at L7 (the application level) consistently and effectively.
I have quite a lot of real experience with:
- Qrator.net;
- DDoS-Guard;
- G-Core Labs;
- Kaspersky.
They charge per megabit of clean traffic; 100 megabits cost roughly several thousand rubles. If you have at least XNUMX Mbps of clean traffic, well, protection will be very expensive. In the next article I will describe how to design an application so as to save a great deal on the capacity of the protection channel.
The real "king of the hill" is Qrator.net; the rest lag behind it. In my experience, so far only Qrator has a false-positive rate close to zero, but at the same time it is several times more expensive than the other market participants.
The other operators also provide high-quality, stable protection. Many of the services we support (including some that are very well known in the country!) are protected by DDoS-Guard and G-Core Labs, and we are very satisfied with the results.
[Chart: attacks repelled by Qrator]
I also have experience with dozens of small protection operators such as cloud-shield.ru, ddosa.net and others. I will not recommend them, because... I have little experience with them, but I will describe how they work. Their protection often costs one to two orders of magnitude less than the big companies' offerings. As a rule, they buy a partial protection service (L3/L4) from a big player and do their own protection against attacks at the higher level. This can be very effective, and you can get a good service for less money, but keep in mind that these are still small companies with few staff.
How hard is it to repel an attack at L7?
Every application is unique, so you have to allow the traffic that is useful to it and block the traffic that is harmful. But it is not always possible to separate the two cleanly, so the traffic has to be cleaned in many stages.
Once upon a time the nginx-testcookie module was enough (unfortunately, attacks have become much harder to deal with: testcookie relies on a JS-based bot check, and many modern bots pass it without trouble).
Each attack is unique, so the characteristics of each large botnet have to be taken into account.
Amplification, direct flooding from a botnet, filtering of traffic from various countries (different filtering for each country), SYN/ACK flooding, packet fragmentation, ICMP, HTTP flooding, and at the application/HTTP level an unlimited number of different attacks can be dreamed up.
In total there can be dozens or hundreds of filtering levels: the channel protection level, specialised equipment for cleaning traffic, specialised software, additional filtering settings for each client, and so on.
Managing all of this properly and tuning the filtering correctly for different users takes a lot of experience and qualified staff. Even a large operator that decides to offer a protection service cannot simply "throw money at the problem": the experience has to be earned, on sites that break and on false positives in legitimate traffic.
There is no "repel DDoS" button for a protection operator; there are many tools, and you have to know how to use them.
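The points made above, that L7 traffic has to be cleaned in several stages, that a JS challenge is only one signal because bots can pass it, and that the real cost of a filter is its false positives on legitimate traffic, can be made concrete with a small pipeline. The following added example (not code from the article and not how any of the operators it names work) runs a constructed request log through a geo-challenge stage and a weighted per-client rate limit in which the site's uncached "vulnerable areas" cost more, and then scores the result against known-good and known-bad traffic. Country codes XA/XB/XC (from the ISO user-assigned range), paths, costs and thresholds are assumptions chosen for the demo.

```python
"""Staged L7 traffic cleaning with false-positive accounting.

Added example, not the article's code and not how any operator named in it
works. Country codes XA/XB/XC (ISO user-assigned range), paths, costs and
thresholds are assumptions; the request log is constructed so the effect of
each stage can be measured against known-good and known-bad traffic.
"""
from collections import Counter, defaultdict

# Stage 1: geo policy. Countries that sent mostly junk in this attack get a
# JS challenge rather than a hard block, so real visitors there still get in.
CHALLENGE_COUNTRIES = {"XA", "XB"}

# Stage 2: weighted rate limit. Uncached or heavy endpoints (the site's
# "vulnerable areas") consume more of a client's per-window budget.
PATH_COST = {"/search": 10, "/api/report": 20}
DEFAULT_COST = 1
BUDGET_PER_WINDOW = 60
WINDOW_S = 10


def clean(requests, window_s=WINDOW_S):
    """Return one decision per request: "allow", "challenge" or "drop".

    requests: (ts, ip, country, path, passed_js, is_bot). is_bot is ground
    truth used only by score(); the filter never looks at it.
    """
    spent = defaultdict(float)   # ip -> budget consumed in the current window
    window_start = {}
    decisions = []
    for ts, ip, country, path, passed_js, _is_bot in requests:
        if ip not in window_start or ts - window_start[ip] >= window_s:
            window_start[ip] = ts
            spent[ip] = 0.0
        # Stage 1: unverified clients from challenged countries get the JS check.
        if country in CHALLENGE_COUNTRIES and not passed_js:
            decisions.append("challenge")
            continue
        # Stage 2: charge the request against the client's budget.
        spent[ip] += PATH_COST.get(path, DEFAULT_COST)
        decisions.append("drop" if spent[ip] > BUDGET_PER_WINDOW else "allow")
    return decisions


def score(requests, decisions):
    """False-positive rate (legit requests dropped) and miss rate (bot requests allowed)."""
    legit = [d for r, d in zip(requests, decisions) if not r[5]]
    bots = [d for r, d in zip(requests, decisions) if r[5]]
    return {
        "false_positive_rate": legit.count("drop") / len(legit) if legit else 0.0,
        "miss_rate": bots.count("allow") / len(bots) if bots else 0.0,
    }


def sample_log():
    """Constructed 10-second request log, 497 requests in total."""
    log = []
    for u in range(5):                       # ordinary visitors: 7 pages + 1 search
        ip = f"198.51.100.{u + 1}"
        log += [(float(k), ip, "XC", "/", True, False) for k in range(7)]
        log.append((7.5, ip, "XC", "/search", True, False))
    log += [(float(k), "198.51.100.50", "XC", "/search", True, False)   # power user: 7 searches
            for k in range(7)]
    for b in range(20):                      # bots that never solve the challenge
        log += [(k * 0.4, f"203.0.113.{b + 1}", "XA", "/search", False, True)
                for k in range(20)]
    for b in range(5):                       # bots that pass the JS check, hit the heaviest endpoint
        log += [(k * 0.9, f"192.0.2.{b + 1}", "XC", "/api/report", True, True)
                for k in range(10)]
    return sorted(log, key=lambda r: r[0])


if __name__ == "__main__":
    reqs = sample_log()
    dec = clean(reqs)
    print(Counter(dec), score(reqs, dec))
```

On this log the legitimate power user's seventh search is dropped (one false positive out of 47 legitimate requests), while the five bots that pass the JS check still get three heavy requests each through before the budget runs out (15 misses out of 450 bot requests). Raising BUDGET_PER_WINDOW removes the false positive but lets more of those bots through, which is exactly the tuning trade-off the text says needs an experienced operator rather than a "repel DDoS" button.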
And a bonus example.
An unprotected server gets blocked by the hoster during a 600 Mbit attack. (The "loss" of traffic is hardly noticeable: only one site was attacked, that site was temporarily removed from the server, and the block was lifted within XNUMX hours.)
The same server, protected. After XNUMX days of repelled attacks, the attackers "gave up". The attack itself was not very powerful.
L3/L4 attacks and defenses are more trivial; they depend mainly on channel width and on the attack detection and filtering algorithms.
L7 attacks are more complex and more creative; they depend on the application under attack and on the attacker's skill and imagination. Protecting against them requires a lot of knowledge and experience, and the result does not come instantly and may not be XNUMX%. Until Google comes up with yet another neural network for protection.
Source: habr.com