Kuyesera: ndizotheka kuchepetsa zotsatira zoyipa za kuukira kwa DoS pogwiritsa ntchito proxy

Chithunzi: Unsplash

Kuwukira kwa DoS ndi chimodzi mwazinthu zowopseza kwambiri chitetezo chazidziwitso pa intaneti yamakono. Pali ma botnets ambiri omwe achiwembu amabwereka kuti achite izi.

Asayansi ochokera ku yunivesite ya San Diego adachita kuphunzira Momwe kugwiritsa ntchito ma proxies kumathandizira kuchepetsa zotsatira zoyipa za kuukira kwa DoS - tikukuwonetsani malingaliro akulu a ntchitoyi.

Chiyambi: projekiti ngati chida chothana ndi DoS

Kuyesera kofananako kumachitika nthawi ndi nthawi ndi ofufuza ochokera kumayiko osiyanasiyana, koma vuto lawo lodziwika bwino ndi kusowa kwa zinthu zomwe zingayesere kuukira pafupi ndi zenizeni. Mayesero pamabenchi ang'onoang'ono oyesa salola kuyankha mafunso okhudza momwe ma proxies angakane kuukira pama network ovuta, ndi magawo ati omwe amathandizira kuchepetsa kuwonongeka, ndi zina zambiri.

Pakuyesaku, asayansi adapanga chitsanzo cha pulogalamu yapaintaneti - mwachitsanzo, ntchito ya e-commerce. Zimagwira ntchito pogwiritsa ntchito gulu la ma seva; ogwiritsa ntchito amagawidwa m'malo osiyanasiyana ndikugwiritsa ntchito intaneti kuti apeze ntchitoyi. Muchitsanzo ichi, intaneti imakhala ngati njira yolankhulirana pakati pa ntchitoyo ndi ogwiritsa ntchito - umu ndi momwe ntchito zapaintaneti kuchokera kumainjini osakira kupita ku zida zamabanki pa intaneti zimagwirira ntchito.

Kuwukira kwa DoS kumapangitsa kuti kulumikizana kwanthawi zonse pakati pa ntchitoyo ndi ogwiritsa ntchito zisatheke. Pali mitundu iwiri ya DoS: mulingo wogwiritsa ntchito komanso zowukira. Pamapeto pake, owukira amawukira mwachindunji ma netiweki ndi makamu omwe ntchitoyo imayendera (mwachitsanzo, amatseka bandwidth yonse yama network ndi kusefukira kwamadzi). Pankhani ya kuukira kwa mulingo wogwiritsa ntchito, chandamale cha wowukirayo ndi mawonekedwe ogwiritsira ntchito - kuti achite izi, amatumiza zopempha zambiri kuti apangitse kuti pulogalamuyo iwonongeke. Kuyeseraku kunafotokoza za kuukira kokhudzidwa pamlingo wa zomangamanga.

Ma proxy network ndi amodzi mwa zida zochepetsera kuwonongeka kwa DoS. Mukamagwiritsa ntchito proxy, zopempha zonse kuchokera kwa wogwiritsa ntchito kupita ku utumiki ndi mayankho kwa iwo amatumizidwa osati mwachindunji, koma kudzera ma seva apakatikati. Wogwiritsa ntchito ndi pulogalamuyo "sawonana" mwachindunji; ma adilesi a proxy okha ndi omwe amapezeka kwa iwo. Chifukwa chake, ndizosatheka kuukira pulogalamuyo mwachindunji. Pamphepete mwa intaneti pali otchedwa ma proxies a m'mphepete - ma proxies akunja okhala ndi ma adilesi a IP omwe alipo, kulumikizana kumapita kwa iwo poyamba.

Kuti muthane bwino ndi kuukira kwa DoS, netiweki ya proxy iyenera kukhala ndi zida ziwiri zazikulu. Choyamba, maukonde wapakatikati wotere ayenera kukhala ngati mkhalapakati, ndiye kuti, kugwiritsa ntchito "kungofikiridwa" ndi izo. Izi zidzathetsa kuthekera kwa kuukira mwachindunji pautumiki. Chachiwiri, maukonde a proxy ayenera kulola ogwiritsa ntchito kuti azilumikizanabe ndi pulogalamuyi ngakhale pakuwukira.

Yesani zomangamanga

Phunziroli linagwiritsa ntchito zigawo zinayi zofunika:

• kukhazikitsa ma proxy network;
• Apache web seva;
• chida choyesera pa intaneti kuzinga;
• chida choukira Trinoo.

Kuyerekeza kunachitika mu MicroGrid chilengedwe - chitha kugwiritsidwa ntchito kutsanzira maukonde ndi ma routers 20, omwe amafanana ndi maukonde a ogwira ntchito a Tier-1.

Netiweki wamba ya Trinoo imakhala ndi gulu la anthu omwe amasokoneza pulogalamu ya daemon. Palinso mapulogalamu oyang'anira maukonde ndi kutsogolera DoS. Pambuyo polandira mndandanda wa maadiresi a IP, daemon ya Trinoo imatumiza mapaketi a UDP ku zolinga nthawi zina.

Pakuyesa, masango awiri adagwiritsidwa ntchito. Simulator ya MicroGrid idayenda pagulu la Xeon Linux la 16-node (maseva a 2.4GHz okhala ndi 1 gigabyte ya kukumbukira pamakina aliwonse) olumikizidwa kudzera pa 1 Gbps Ethernet hub. Zida zina zamapulogalamu zidapezeka mumagulu a 24 node (450MHz PII Linux-cthdths yokhala ndi 1 GB ya kukumbukira pamakina aliwonse), yolumikizidwa ndi 100Mbps Ethernet hub. Magulu awiri adalumikizidwa ndi njira ya 1Gbps.

Netiweki ya proxy imakhala mu dziwe la makamu a 1000. Ma proxies am'mphepete amagawidwa mofanana mu dziwe lonse lazinthu. Ma proxies ogwirira ntchito ndi pulogalamuyi ali pa makamu omwe ali pafupi ndi zomangamanga zake. Ma proxies otsala amagawidwa mofanana pakati pa ma proxies am'mphepete ndi ogwiritsira ntchito.

Network yoyeserera

Kuti aphunzire momwe projekiti imagwirira ntchito ngati chida chothanirana ndi kuukira kwa DoS, ofufuza anayeza kuchuluka kwa ntchitoyo pansi pa zochitika zosiyanasiyana zakunja. Panali ma proxies okwana 192 mu network ya proxy (64 mwa iwo m'mphepete). Kuti achite izi, network ya Trinoo idapangidwa, kuphatikiza ziwanda 100. Chilichonse cha ziwandacho chinali ndi njira ya 100Mbps. Izi zikufanana ndi botnet ya 10 zikwi ma routers apanyumba.

Zotsatira za kuukira kwa DoS pakugwiritsa ntchito ndi netiweki ya proxy zidayesedwa. Pakuyesa koyeserera, kugwiritsa ntchito kunali ndi njira yapaintaneti ya 250 Mbps, ndipo chigawo chilichonse cham'mphepete chinali ndi njira ya 100 Mbps.

Zotsatira zakuyesera

Kutengera zotsatira za kusanthula, zidapezeka kuti kuukira kwa 250Mbps kumawonjezera nthawi yoyankha (pafupifupi kakhumi), chifukwa chake zimakhala zosatheka kuzigwiritsa ntchito. Komabe, mukamagwiritsa ntchito ma proxy network, kuwukirako sikumakhudza kwambiri magwiridwe antchito ndipo sikusokoneza zomwe wogwiritsa ntchito akukumana nazo. Izi zimachitika chifukwa ma proxies am'mphepete amatsitsa zomwe zachitika, ndipo zida zonse za netiweki ya projekiti ndizokwera kuposa zomwe za pulogalamuyo.

Malinga ndi ziwerengero, ngati mphamvu yowukirayo sipitilira 6.0Gbps (ngakhale kuti njira zonse zolumikizirana zam'mphepete zimakhala 6.4Gbps), ndiye kuti 95% ya ogwiritsa ntchito samawona kuchepa kowoneka bwino. Kuphatikiza apo, pakuwukira kwamphamvu kwambiri kuposa 6.4Gbps, ngakhale kugwiritsa ntchito ma proxy network sikungapewe kuwonongeka kwa gawo lautumiki kwa ogwiritsa ntchito kumapeto.

Pankhani ya kuukira kokhazikika, pamene mphamvu zawo zimakhazikika pamagulu osasinthika a proxies. Pankhaniyi, kuwukirako kumatsekereza gawo la netiweki ya proxy, kotero kuti gawo lalikulu la ogwiritsa ntchito liwona kutsika kwa magwiridwe antchito.

anapezazo

Zotsatira za kuyesako zikuwonetsa kuti ma proxy network atha kupititsa patsogolo magwiridwe antchito a TCP ndikupereka gawo lanthawi zonse lautumiki kwa ogwiritsa ntchito, ngakhale zitachitika kuukira kwa DoS. Malinga ndi zomwe zapezedwa, ma proxy network amakhala njira yabwino yochepetsera zotsatira za kuukira; opitilira 90% a ogwiritsa ntchito sanapeze kuchepa kwa ntchitoyo panthawi yoyeserera. Kuphatikiza apo, ofufuzawo adapeza kuti kukula kwa netiweki ya proxy kukuchulukirachulukira, kuchuluka kwa kuukira kwa DoS komwe kumatha kupirira kumawonjezeka pafupifupi mzere. Chifukwa chake, ma netiweki akakula, m'pamenenso adzalimbana ndi DoS.

Zothandiza maulalo ndi zipangizo kuchokera Infatica:

• Kafukufuku: Kupanga projekiti yolimbana ndi block pogwiritsa ntchito chiphunzitso chamasewera
• Mbiri yankhondo yolimbana ndi censorship: momwe njira yolumikizira yowunikira yopangidwa ndi asayansi ochokera ku MIT ndi Stanford imagwirira ntchito
• Momwe mungamvetsetsere ngati ma proxies akunama: kutsimikizira komwe kuli ma proxies a netiweki pogwiritsa ntchito algorithm ya geolocation
• Momwe mungadzibisire pa intaneti: kufananiza ma seva ndi ma proxies okhala

Chitsime: www.habr.com