Variti imapanga chitetezo ku ma bots ndi DDoS, komanso imapangitsa kupsinjika ndi kuyesa katundu. Pamsonkhano wa HighLoad ++ 2018 tinakambirana za momwe tingatetezere chuma ku mitundu yosiyanasiyana ya kuukiridwa. Mwachidule: patulani mbali za dongosololi, gwiritsani ntchito mautumiki amtambo ndi ma CDN, ndikusintha nthawi zonse. Koma simungathe kusamalira chitetezo popanda makampani apadera :)
Musanawerenge lembalo, mukhoza kuwerenga nkhani zazifupi .
Ndipo ngati simukufuna kuwerenga kapena kungofuna kuwona kanema, kujambula kwa lipoti lathu kuli pansipa pansi pa wowononga.
Kujambula mavidiyo a lipotilo
Makampani ambiri amadziwa kale kuyezetsa katundu, koma si onse omwe amayesa kupsinjika. Ena mwamakasitomala athu amaganiza kuti tsamba lawo silingawonongeke chifukwa ali ndi makina ochulukira, ndipo amateteza bwino kuukira. Timasonyeza kuti zimenezi si zoona.
Zoonadi, tisanachite mayesero, timapeza chilolezo kuchokera kwa kasitomala, kusainidwa ndi kusindikizidwa, ndipo ndi chithandizo chathu DDoS kuukira sikungatheke kwa aliyense. Kuyesedwa kumachitika panthawi yosankhidwa ndi kasitomala, pamene magalimoto opita kuzinthu zake ndi ochepa, ndipo mavuto opeza sangakhudze makasitomala. Kuonjezera apo, popeza chinachake chikhoza kusokonekera nthawi zonse poyesa, timalumikizana nthawi zonse ndi kasitomala. Izi zimakulolani kuti musamangonena zotsatira zomwe zapindula, komanso kusintha chinachake panthawi yoyesedwa. Tikamaliza kuyesa, nthawi zonse timalemba lipoti momwe timafotokozera zolakwika zomwe zapezeka ndikupereka malingaliro ochotsera zofooka za tsambalo.
Momwe tikugwirira ntchito
Tikamayesa, timatsanzira botnet. Popeza timagwira ntchito ndi makasitomala omwe sapezeka pamanetiweki athu, kuti tiwonetsetse kuti mayesowo samatha mphindi yoyamba chifukwa cha malire kapena chitetezo chomwe chikuyambika, timapereka katunduyo osati ku IP imodzi, koma kuchokera ku subnet yathu. Kuphatikiza apo, kuti tipange katundu wambiri, tili ndi seva yathu yoyeserera yamphamvu kwambiri.
Zolemba
Kuchulukitsitsa sikutanthauza zabwino
Katundu wocheperako tingabweretse gwero kulephera, ndibwino. Ngati mutha kupangitsa tsambalo kusiya kugwira ntchito pa pempho limodzi pamphindikati, kapena pempho limodzi pamphindi, ndizabwino. Chifukwa molingana ndi lamulo lankhanza, ogwiritsa ntchito kapena owukira agwera mwangozi pachiwopsezo ichi.
Kulephera pang'ono kuli bwino kuposa kulephera kwathunthu
Nthawi zonse timalangiza kupanga machitidwe osiyanasiyana. Kuphatikiza apo, ndikofunikira kuwalekanitsa pamlingo wakuthupi, osati kungotengera zida. Pankhani ya kulekana kwa thupi, ngakhale chinachake chikulephera pa malo, pali mwayi waukulu kuti sichidzasiya kugwira ntchito kwathunthu, ndipo ogwiritsa ntchito adzapitiriza kukhala ndi mwayi wopeza gawo limodzi la ntchitoyo.
Zomangamanga zabwino ndizo maziko okhazikika
Kulekerera kolakwika kwa gwero ndi kuthekera kwake kulimbana ndi kuukiridwa ndi katundu kuyenera kuyikidwa pagawo la mapangidwe, makamaka, pamlingo wojambulira ma flowchart oyamba mu notepad. Chifukwa ngati zolakwa zakupha zimalowa, ndizotheka kuzikonza m'tsogolomu, koma zimakhala zovuta kwambiri.
Osati code yokha iyenera kukhala yabwino, komanso config
Anthu ambiri amaganiza kuti gulu labwino lachitukuko ndi chitsimikizo cha utumiki wolekerera zolakwika. Gulu labwino lachitukuko ndilofunikadi, koma payeneranso kukhala ntchito zabwino, DevOps yabwino. Ndiye kuti, timafunikira akatswiri omwe angakonzekere molondola Linux ndi netiweki, kulemba configs molondola mu nginx, kuika malire, etc. Apo ayi, gwero lidzagwira ntchito bwino poyesera, ndipo panthawi ina zonse zidzatha kupanga.
Kusiyana pakati pa kuyezetsa katundu ndi nkhawa
Kuyesa kwa katundu kumakupatsani mwayi wodziwa malire a magwiridwe antchito. Kuyesa kupsinjika kumayang'ana pakupeza zofooka mu dongosolo ndipo kumagwiritsidwa ntchito kuswa dongosololi ndikuwona momwe zingakhalire pakulephera kwa magawo ena. Pankhaniyi, chikhalidwe cha katundu nthawi zambiri sichidziwika kwa kasitomala asanayambe kuyesa kupanikizika.
Zodziwika bwino pakuwukira kwa L7
Nthawi zambiri timagawaniza mitundu ya katundu kukhala katundu pamlingo wa L7 ndi L3&4. L7 ndi katundu pamlingo wofunsira, nthawi zambiri zimangotanthauza HTTP, koma timatanthawuza katundu aliyense pamlingo wa protocol wa TCP.
Kuukira kwa L7 kuli ndi mawonekedwe apadera. Choyamba, amabwera mwachindunji ku pulogalamuyi, ndiye kuti, sizingatheke kuti awonetsedwe kudzera pa intaneti. Zowukira zotere zimagwiritsa ntchito malingaliro, ndipo chifukwa cha izi, zimawononga CPU, kukumbukira, disk, database ndi zinthu zina moyenera komanso mopanda kuchuluka kwa magalimoto.
Chigumula cha HTTP
Pankhani ya kuukira kulikonse, katunduyo ndi wosavuta kulenga kusiyana ndi kugwira, ndipo pa nkhani ya L7 izi ndi zoona. Sikophweka nthawi zonse kusiyanitsa magalimoto owukira kuchokera kumayendedwe ovomerezeka, ndipo nthawi zambiri izi zitha kuchitika pafupipafupi, koma ngati zonse zakonzedwa bwino, ndiye kuti sizingatheke kumvetsetsa kuchokera pazipika komwe kuli kuukira komanso komwe zopempha zovomerezeka zili.
Monga chitsanzo choyamba, taganizirani za kuukira kwa Chigumula cha HTTP. Chithunzichi chikuwonetsa kuti kuukira kotereku kumakhala kwamphamvu kwambiri; mu chitsanzo pansipa, kuchuluka kwa zopempha kumaposa 600 zikwi pamphindi.
Chigumula cha HTTP ndiye njira yosavuta yopangira katundu. Nthawi zambiri, zimatengera chida choyesera katundu, monga ApacheBench, ndikuyika pempho ndi chandamale. Ndi njira yosavuta yotere, pali kuthekera kwakukulu kolowera mu caching ya seva, koma ndikosavuta kuzilambalala. Mwachitsanzo, kuwonjezera zingwe mwachisawawa pa pempho, zomwe zidzakakamiza seva kuti ipereke tsamba latsopano nthawi zonse.
Komanso, musaiwale za wogwiritsa ntchito popanga katundu. Ogwiritsa ntchito ambiri a zida zoyesera zodziwika amasefedwa ndi oyang'anira machitidwe, ndipo pakadali pano katunduyo sangafike kumbuyo. Mutha kusintha kwambiri zotsatira zake poyika mutu wovomerezeka kapena wocheperako kuchokera pa msakatuli mu pempho.
Zosavuta monga kuukira kwa Chigumula cha HTTP kuli, amakhalanso ndi zovuta zawo. Choyamba, mphamvu zambiri zimafunikira kupanga katundu. Kachiwiri, kuukira kotereku ndikosavuta kuzindikira, makamaka ngati kumachokera ku adilesi imodzi. Zotsatira zake, zopempha nthawi yomweyo zimayamba kusefedwa ndi oyang'anira dongosolo kapena ngakhale pamlingo wopereka.
Zomwe mungafufuze
Kuti muchepetse chiwerengero cha zopempha pamphindi popanda kutaya mphamvu, muyenera kusonyeza kulingalira pang'ono ndikufufuza malo. Chifukwa chake, mutha kutsitsa osati tchanelo kapena seva yokha, komanso magawo a pulogalamuyo, mwachitsanzo, nkhokwe kapena mafayilo amafayilo. Mutha kuyang'ananso malo patsamba omwe amawerengera zazikulu: zowerengera, masamba osankha zinthu, ndi zina. Pomaliza, nthawi zambiri zimachitika kuti tsambalo lili ndi mtundu wina wa zolemba za PHP zomwe zimapanga tsamba la mizere mazana angapo. Script yotereyi imanyamulanso kwambiri seva ndipo ikhoza kukhala chandamale cha kuwukira.
Komwe mungayang'ane
Tikamasanthula gwero tisanayese, timayamba kuyang'ana patsamba lomwelo. Tikuyang'ana mitundu yonse ya minda yolowera, mafayilo olemera - mwachizoloΕ΅ezi, chirichonse chomwe chingabweretse mavuto kwa gwero ndi kuchepetsa ntchito yake. Zida zachitukuko za banal mu Google Chrome ndi Firefox zithandizira apa, kuwonetsa nthawi zoyankhira masamba.
Timasanthulanso ma subdomains. Mwachitsanzo, pali malo ogulitsira pa intaneti, abc.com, ndipo ili ndi subdomain admin.abc.com. Mwinamwake, ili ndi gulu la admin lovomerezeka, koma ngati muyika katundu pa izo, likhoza kubweretsa mavuto kwa gwero lalikulu.
Tsambali likhoza kukhala ndi subdomain api.abc.com. Mwinamwake, ichi ndi gwero la ntchito zam'manja. Pulogalamuyi imatha kupezeka mu App Store kapena Google Play, ikani malo apadera ofikira, gawani API ndikulembetsa maakaunti oyesa. Vuto ndilakuti anthu nthawi zambiri amaganiza kuti chilichonse chomwe chimatetezedwa ndi chilolezo sichimakana kukana ntchito. Akuti, kuvomereza ndiye CAPTCHA yabwino kwambiri, koma sichoncho. Ndizosavuta kupanga maakaunti oyesa 10-20, koma powapanga, timapeza magwiridwe antchito ovuta komanso osadziwika.
Mwachibadwa, timayang'ana mbiri yakale, robots.txt ndi WebArchive, ViewDNS, ndikuyang'ana mitundu yakale ya gwero. Nthawi zina zimachitika kuti opanga atulutsa, kunena, mail2.yandex.net, koma mtundu wakale, mail.yandex.net, utsalira. Izi mail.yandex.net sizikuthandizidwanso, zothandizira zachitukuko siziperekedwa kwa izo, koma zikupitirizabe kugwiritsa ntchito deta. Chifukwa chake, pogwiritsa ntchito mtundu wakale, mutha kugwiritsa ntchito bwino zida za backend ndi chilichonse chomwe chili kumbuyo kwa masanjidwewo. Zachidziwikire, izi sizichitika nthawi zonse, koma timakumanabe ndi izi nthawi zambiri.
Mwachilengedwe, timasanthula magawo onse opempha ndi kapangidwe ka cookie. Mutha kunena kuti, kutaya phindu mu gulu la JSON mkati mwa cookie, pangani zisa zambiri ndikupanga zisankhozo kuti zigwire ntchito kwa nthawi yayitali mopanda nzeru.
Sakani katundu
Chinthu choyamba chimene chimabwera m'maganizo pamene mukufufuza malo ndikutsegula nkhokwe, popeza pafupifupi aliyense ali ndi kufufuza, ndipo pafupifupi aliyense, mwatsoka, sikutetezedwa bwino. Pazifukwa zina, opanga sapereka chidwi chokwanira pakufufuza. Koma pali lingaliro limodzi pano - simuyenera kupanga zopempha zamtundu womwewo, chifukwa mutha kukumana ndi caching, monga momwe zimakhalira ndi kusefukira kwa HTTP.
Kupanga mafunso mwachisawawa ku database nakonso sikothandiza nthawi zonse. Ndi bwino kupanga mndandanda wa mawu osakira omwe ali okhudzana ndi kufufuza. Ngati tibwerera ku chitsanzo cha sitolo ya pa intaneti: tinene kuti malowa amagulitsa matayala a galimoto ndipo amakulolani kuti muyike utali wa matayala, mtundu wa galimoto ndi zina. Chifukwa chake, kuphatikiza kwa mawu oyenera kukakamiza nkhokweyo kuti igwire ntchito muzovuta kwambiri.
Kuphatikiza apo, ndikofunikira kugwiritsa ntchito pagination: ndizovuta kwambiri kuti kusaka kubwezere tsamba lomaliza lazotsatira kuposa loyamba. Ndiko kuti, mothandizidwa ndi pagination mutha kusiyanitsa katunduyo pang'ono.
Chitsanzo pansipa chikuwonetsa kuchuluka kwakusaka. Zitha kuwoneka kuti kuyambira pachiwiri choyamba cha mayesero pa liwiro la zopempha khumi pamphindi, malowa adatsika ndipo sanayankhe.
Ngati palibe kufufuza?
Ngati palibe kusaka, izi sizikutanthauza kuti tsambalo liribe magawo ena osatetezeka. Gawoli likhoza kukhala chilolezo. Masiku ano, Madivelopa amakonda kupanga ma hashes ovuta kuti ateteze nkhokwe yolowera ku nkhokwe ya utawaleza. Izi ndizabwino, koma ma hashi otere amadya zinthu zambiri za CPU. Kuthamanga kwakukulu kwa zilolezo zabodza kumabweretsa kulephera kwa purosesa, ndipo chifukwa chake, malowa amasiya kugwira ntchito.
Kukhalapo pa tsamba la mitundu yonse ya mafomu a ndemanga ndi mayankho ndi chifukwa chotumizira zolemba zazikulu kwambiri kumeneko kapena kungopanga kusefukira kwakukulu. Nthawi zina masamba amavomereza mafayilo ophatikizidwa, kuphatikiza mumtundu wa gzip. Pachifukwa ichi, timatenga fayilo ya 1TB, kuipondereza ku ma byte angapo kapena ma kilobytes pogwiritsa ntchito gzip ndikutumiza kutsambali. Kenako imatsegulidwa ndipo zotsatira zosangalatsa kwambiri zimapezeka.
API Yotsalira
Ndikufuna kulabadira pang'ono ntchito zodziwika bwino monga Rest API. Kupeza Mpumulo wa API ndikovuta kwambiri kuposa tsamba lokhazikika. Ngakhale njira zing'onozing'ono zodzitetezera ku mphamvu yachinsinsi yachinsinsi ndi zochitika zina zosavomerezeka sizigwira ntchito pa Rest API.
Rest API ndiyosavuta kuthyola chifukwa imapeza database mwachindunji. Panthawi imodzimodziyo, kulephera kwa ntchito yotereyi kumabweretsa mavuto aakulu kwa bizinesi. Chowonadi ndi chakuti Rest API nthawi zambiri imagwiritsidwa ntchito osati patsamba lalikulu lokha, komanso pulogalamu yam'manja ndi zinthu zina zamkati zamabizinesi. Ndipo ngati zonsezi zikugwa, ndiye kuti zotsatira zake zimakhala zamphamvu kwambiri kusiyana ndi vuto losavuta la webusaiti.
Kutsegula zolemetsa
Ngati tapatsidwa kuyesa pulogalamu yamba yatsamba limodzi, tsamba lofikira, kapena tsamba la makhadi abizinesi omwe alibe magwiridwe antchito ovuta, timayang'ana zolemetsa. Mwachitsanzo, zithunzi zazikulu zomwe seva imatumiza, mafayilo a binary, zolemba za pdf - timayesa kutsitsa zonsezi. Mayesero oterowo amanyamula bwino mafayilo amafayilo ndikutseka njira, motero ndi othandiza. Izi zikutanthauza kuti, ngakhale simuyike seva pansi, kutsitsa fayilo yayikulu pa liwiro lotsika, mumangotseka njira ya seva yomwe mukufuna ndipo kenako kukana ntchito kudzachitika.
Chitsanzo cha mayeso otere chikuwonetsa kuti pa liwiro la 30 RPS malowa adasiya kuyankha kapena kupanga zolakwika za seva 500.
Musaiwale za kukhazikitsa ma seva. Nthawi zambiri mumatha kupeza kuti munthu adagula makina enieni, adayika Apache pamenepo, adakonza chilichonse mwachisawawa, adayika pulogalamu ya PHP, ndipo pansipa mutha kuwona zotsatira zake.
Apa katunduyo adapita ku muzu ndipo adakwana 10 RPS yokha. Tinadikirira mphindi 5 ndipo seva idagwa. Ndizowona kuti sizidziwikiratu chifukwa chake adagwa, koma pali lingaliro lakuti adangokumbukira kwambiri ndipo adasiya kuyankha.
Wave based
M'chaka chapitacho kapena ziwiri, kuukira kwa mafunde kwatchuka kwambiri. Izi ndichifukwa choti mabungwe ambiri amagula zida zina zachitetezo cha DDoS, zomwe zimafunikira nthawi yochulukirapo kuti apeze ziwerengero kuti ayambe kusefa. Ndiko kuti, samasefa kuukira mu masekondi 30-40 oyambirira, chifukwa amasonkhanitsa deta ndikuphunzira. Chifukwa chake, mumasekondi awa a 30-40 mutha kuyambitsa kwambiri patsambalo kotero kuti gwero lidzagona kwa nthawi yayitali mpaka zopempha zonse zitachotsedwa.
Pankhani ya kuukira pansipa, panali nthawi ya mphindi 10, pambuyo pake gawo latsopano, losinthidwa la kuukira linafika.
Ndiko kuti, chitetezo chinaphunzira, chinayamba kusefa, koma gawo latsopano, losiyana kwambiri la kuukira linafika, ndipo chitetezo chinayambanso kuphunzira. M'malo mwake, kusefa kumasiya kugwira ntchito, chitetezo chimakhala chosagwira ntchito, ndipo tsambalo silikupezeka.
Kuwukira kwa mafunde kumadziwika ndi mitengo yapamwamba kwambiri pachimake, kumatha kufikira zana kapena miliyoni zopempha pamphindikati, pankhani ya L7. Ngati tilankhula za L3 & 4, ndiye kuti pangakhale mazana a gigabits of traffic, kapena, molingana, mazana a mpps, ngati muwerengera m'mapaketi.
Vuto ndi kuukira koteroko ndi kalunzanitsidwe. Zowukirazi zimachokera ku botnet ndipo zimafuna kulumikizana kwakukulu kuti apange spike yayikulu kwambiri ya nthawi imodzi. Ndipo kugwirizanitsa uku sikumagwira ntchito nthawi zonse: nthawi zina zotulukapo zimakhala zamtundu wina wapamwamba, zomwe zimawoneka zomvetsa chisoni.
Osati HTTP yokha
Kuphatikiza pa HTTP ku L7, timakonda kugwiritsa ntchito ma protocol ena. Monga lamulo, tsamba lawebusayiti, makamaka kuchititsa nthawi zonse, limakhala ndi ma protocol amakalata ndipo MySQL imangotuluka. Ma protocol amakalata amakhala ndi katundu wocheperako kuposa ma database, koma amathanso kukwezedwa bwino ndipo amatha kukhala ndi CPU yodzaza pa seva.
Tidachita bwino kwambiri kugwiritsa ntchito chiwopsezo cha 2016 SSH. Tsopano chiwopsezochi chakhazikitsidwa pafupifupi aliyense, koma izi sizikutanthauza kuti katundu sangathe kuperekedwa ku SSH. Mutha. Pali zilolezo zambiri, SSH imadya pafupifupi CPU yonse pa seva, ndiyeno tsambalo limagwa kuchokera ku pempho limodzi kapena ziwiri pamphindikati. Chifukwa chake, pempho limodzi kapena ziwiri izi zochokera pazipika sizingasiyanitsidwe ndi katundu wovomerezeka.
Maulaliki ambiri omwe timatsegula mumaseva nawonso amakhalabe ofunikira. M'mbuyomu, Apache anali wolakwa pa izi, tsopano nginx alidi wolakwa pa izi, chifukwa nthawi zambiri zimakonzedwa mwachisawawa. Chiwerengero cha maulumikizidwe omwe nginx amatha kukhala otseguka ndi ochepa, kotero timatsegula chiwerengero ichi cha maulumikizidwe, nginx savomerezanso kugwirizana kwatsopano, ndipo chifukwa chake malowa sagwira ntchito.
Gulu lathu loyesa lili ndi CPU yokwanira kuti iwukire kugwirana chanza kwa SSL. M'malo mwake, monga momwe zimasonyezera, ma botnets nthawi zina amakonda kuchita izi. Kumbali imodzi, zikuwonekeratu kuti simungathe kuchita popanda SSL, chifukwa zotsatira za Google, kusanja, chitetezo. Kumbali ina, SSL mwatsoka ili ndi vuto la CPU.
L3 ndi 4
Tikamalankhula za kuwukira pamilingo ya L3 & 4, nthawi zambiri timalankhula za kuwukira pamlingo wa ulalo. Katundu wotere nthawi zonse amakhala wosiyana ndi wovomerezeka, pokhapokha ngati ndi SYN-chigumula. Vuto lakuukira kwa SYN-sefukira kwa zida zachitetezo ndi kuchuluka kwawo kwakukulu. Kuchuluka kwa L3&4 kunali 1,5-2 Tbit / s. Magalimoto amtunduwu ndi ovuta kwambiri kuwongolera ngakhale makampani akuluakulu, kuphatikiza Oracle ndi Google.
SYN ndi SYN-ACK ndi mapaketi omwe amagwiritsidwa ntchito pokhazikitsa kulumikizana. Choncho, SYN-chigumula ndizovuta kusiyanitsa ndi katundu wovomerezeka: sizikudziwikiratu ngati iyi ndi SYN yomwe inabwera kudzakhazikitsa kugwirizana, kapena gawo la kusefukira kwa madzi.
UDP-chigumula
Nthawi zambiri, owukira alibe mphamvu zomwe tili nazo, chifukwa chake kukulitsa kungagwiritsidwe ntchito kukonza ziwonetsero. Ndiko kuti, wowukirayo amayang'ana pa intaneti ndikupeza ma seva omwe ali pachiwopsezo kapena osinthidwa molakwika omwe, mwachitsanzo, poyankha paketi imodzi ya SYN, amayankha ndi ma SYN-ACK atatu. Posokoneza adilesi yochokera ku adilesi ya seva yomwe mukufuna, ndizotheka kuwonjezera mphamvu, tinene, katatu ndi paketi imodzi ndikuwongolera magalimoto kwa wozunzidwayo.
Vuto la amplifications ndiloti zimakhala zovuta kuzizindikira. Zitsanzo zaposachedwa zikuphatikiza nkhani zokopa za anthu omwe ali pachiwopsezo omwe adasungidwa. Kuphatikiza apo, pali zida zambiri za IoT, makamera a IP, omwenso amakonzedwanso mokhazikika, ndipo mwachisawawa amasanjidwa molakwika, ndichifukwa chake owukira nthawi zambiri amawononga zida zotere.
Zovuta za SYN-sefukira
SYN-chigumula mwina ndi mtundu wosangalatsa kwambiri wowukira kuchokera pamalingaliro a wopanga. Vuto ndiloti oyang'anira machitidwe nthawi zambiri amagwiritsa ntchito IP kutsekereza chitetezo. Komanso, kutsekedwa kwa IP kumakhudza osati olamulira a machitidwe omwe amagwiritsa ntchito malemba, komanso, mwatsoka, machitidwe ena otetezera omwe amagulidwa ndi ndalama zambiri.
Njirayi imatha kukhala tsoka, chifukwa ngati owukira alowa m'malo mwa ma adilesi a IP, kampaniyo idzatsekereza subnet yake. Pamene Firewall itseka gulu lake, zotulukapo zidzalephera kuyanjana kwakunja ndipo gwero lidzalephera.
Komanso, sizovuta kuletsa maukonde anu. Ngati ofesi ya kasitomala ili ndi netiweki ya Wi-Fi, kapena ngati magwiridwe antchito amayezedwa pogwiritsa ntchito njira zosiyanasiyana zowunikira, ndiye timatenga adilesi ya IP ya dongosolo loyang'anira kapena ofesi ya kasitomala Wi-Fi ndikuigwiritsa ntchito ngati gwero. Pamapeto pake, gwero likuwoneka kuti likupezeka, koma maadiresi a IP omwe akutsata atsekedwa. Chifukwa chake, maukonde a Wi-Fi a msonkhano wa HighLoad, komwe kampani yatsopano ikupereka, ikhoza kutsekedwa, ndipo izi zimaphatikizapo ndalama zina zamalonda ndi zachuma.
Pakuyesa, sitingagwiritse ntchito kukulitsa kudzera mu memcached ndi zinthu zakunja, chifukwa pali mapangano otumiza magalimoto okha ku ma adilesi ololedwa a IP. Momwemo, timagwiritsa ntchito kukulitsa kudzera mu SYN ndi SYN-ACK, pamene dongosolo limayankha kutumiza SYN imodzi ndi ma SYN-ACK awiri kapena atatu, ndipo pamapeto pake kuukira kumachulukitsidwa kawiri kapena katatu.
Zida
Chimodzi mwazinthu zazikulu zomwe timagwiritsa ntchito pazantchito za L7 ndi Yandex-tank. Makamaka, phantom imagwiritsidwa ntchito ngati mfuti, kuphatikiza pali zolemba zingapo zopangira makatiriji komanso kusanthula zotsatira.
Tcpdump imagwiritsidwa ntchito kusanthula kuchuluka kwa ma network, ndipo Nmap imagwiritsidwa ntchito kusanthula seva. Kupanga katundu pamlingo wa L3&4, OpenSSL ndi matsenga athu ochepa omwe ali ndi laibulale ya DPDK amagwiritsidwa ntchito. DPDK ndi laibulale yochokera ku Intel yomwe imakulolani kuti mugwiritse ntchito mawonekedwe a netiweki kudutsa mulu wa Linux, potero mukukulitsa luso. Mwachibadwa, timagwiritsa ntchito DPDK osati pa mlingo wa L3 & 4, komanso pa mlingo wa L7, chifukwa imatilola kuti tipange kuyenda kwakukulu kwambiri, mkati mwa zopempha mamiliyoni angapo pamphindi kuchokera ku makina amodzi.
Timagwiritsanso ntchito majenereta ena apamsewu ndi zida zapadera zomwe timalemba pamayeso apadera. Ngati tikumbukira kusatetezeka kwa SSH, ndiye kuti zomwe zili pamwambapa sizingagwiritsidwe ntchito. Ngati tilimbana ndi protocol yamakalata, timatenga zida zamakalata kapena kungolemba zolembedwa.
anapezazo
Pomaliza ndikufuna kunena kuti:
- Kuphatikiza pa kuyesa kwachikale, ndikofunikira kuyesa kupsinjika. Tili ndi chitsanzo chenicheni pomwe wothandizana nawo amangoyesa katundu. Zinawonetsa kuti gwero limatha kupirira katundu wamba. Koma katundu wachilendo adawonekera, obwera patsambalo adayamba kugwiritsa ntchito gwerolo mosiyana, ndipo chifukwa chake wogwirizirayo adagona pansi. Chifukwa chake, ndikofunikira kuyang'ana zofooka ngakhale mutatetezedwa kale ku DDoS.
- Ndikofunikira kudzipatula mbali zina zadongosolo kwa ena. Ngati muli ndi kusaka, muyenera kuyisuntha kuti isiyanitse makina, ndiye kuti, osati ku Docker. Chifukwa ngati kusaka kapena chilolezo chikalephera, china chake chipitiliza kugwira ntchito. Pankhani ya sitolo yapaintaneti, ogwiritsa ntchito apitilizabe kupeza zinthu zomwe zili mgululi, kupita kwa ophatikiza, kugula ngati ndizololedwa kale, kapena kuvomereza kudzera pa OAuth2.
- Musanyalanyaze mitundu yonse ya mautumiki apamtambo.
- Gwiritsani ntchito CDN osati kukhathamiritsa kuchedwa kwa maukonde, komanso ngati njira yodzitetezera pakutopa kwa mayendedwe komanso kusefukira kwa magalimoto osasunthika.
- Ndikofunikira kugwiritsa ntchito chitetezo chapadera. Simungathe kudziteteza ku kuwukira kwa L3&4 pamlingo wa mayendedwe, chifukwa mwina mulibe njira yokwanira. Simungathenso kulimbana ndi zida za L7, chifukwa zitha kukhala zazikulu kwambiri. Kuphatikiza apo, kusaka kwa ziwopsezo zazing'ono akadali mwayi wa mautumiki apadera, ma algorithms apadera.
- Sinthani pafupipafupi. Izi sizikugwiranso ntchito ku kernel, komanso ku daemon ya SSH, makamaka ngati muli nayo yotsegula kunja. M'malo mwake, zonse ziyenera kusinthidwa, chifukwa simungathe kutsata zofooka zina nokha.
Source: www.habr.com