M'magawo awiri oyambilira a 2020, kuchuluka kwa ziwonetsero za DDoS pafupifupi kuwirikiza katatu, pomwe 65% yaiwo anali kuyesa kwakale "kuyesa katundu" komwe "kulepheretsa" malo opanda chitetezo m'masitolo ang'onoang'ono apaintaneti, mabwalo, mabulogu, ndi zoulutsira mawu.
Momwe mungasankhire kuchititsa DDoS-protected? Kodi muyenera kulabadira chiyani ndipo muyenera kukonzekera chiyani kuti musakumane ndi zovuta?
(Katemera wotsutsana ndi malonda a "grey" mkati)
Kupezeka ndi zida zosiyanasiyana zochitira DDoS kuwukira kumakakamiza eni ntchito zapaintaneti kuchitapo kanthu pothana ndi chiwopsezocho. Muyenera kuganizira za chitetezo cha DDoS osati pambuyo pa kulephera koyamba, ndipo osati ngati gawo la njira zowonjezera kulekerera kwachitukuko, koma pa siteji yosankha malo oti muyikepo (wothandizira kapena deta).
Zowukira za DDoS zimagawidwa kutengera ma protocol omwe kusatetezeka kwawo kumagwiritsidwa ntchito molingana ndi mtundu wa Open Systems Interconnection (OSI):
- njira (L2),
- network (L3),
- zoyendera (L4),
- ntchito (L7).
Kuchokera pamawonedwe achitetezo, amatha kugawidwa m'magulu awiri: kuukira kwamagulu achitetezo (L2-L4) ndi kuukira kwapaintaneti (L7). Izi ndichifukwa cha kutsatizana kwa kuwunika kwa magalimoto ndi zovuta zowerengera: tikayang'ana mozama mu paketi ya IP, mphamvu zamakompyuta zimafunikira.
Nthawi zambiri, vuto la kukhathamiritsa kuwerengera mukakonza kuchuluka kwa magalimoto munthawi yeniyeni ndi mutu wankhani zosiyanasiyana. Tsopano tiyeni tingoyerekeza kuti pali ena opereka mtambo omwe ali ndi zida zamakompyuta zopanda malire zomwe zimatha kuteteza masamba kuti asawonongedwe ndikugwiritsa ntchito (kuphatikiza ).
Mafunso akulu a 3 kuti adziwe kuchuluka kwachitetezo chotetezedwa motsutsana ndi DDoS
Tiyeni tiyang'ane malamulo achitetezo otetezedwa ku DDoS ndi Service Level Agreement (SLA) ya omwe akuchititsa. Kodi ali ndi mayankho a mafunso otsatirawa:
- ndi malire aukadaulo otani omwe akunenedwa ndi wothandizira??
- chimachitika ndi chiyani pamene kasitomala adutsa malire?
- Kodi wothandizira amamanga bwanji chitetezo ku DDoS (matekinoloje, mayankho, ogulitsa)?
Ngati simunapeze izi, ndiye kuti ichi ndi chifukwa choganizira kuzama kwa wothandizira, kapena kukonza chitetezo cha DDoS (L3-4) nokha. Mwachitsanzo, yitanitsani kulumikizana kwakuthupi ndi netiweki ya othandizira apadera achitetezo.
Zofunika! Palibe chifukwa choperekera chitetezo pakuwukiridwa kwapanthawi yogwiritsa ntchito Reverse Proxy ngati wopereka wanu sangathe kukutetezani ku zowonongeka zamagulu: zida za netiweki zidzachulukidwa ndipo sizidzakhalapo, kuphatikiza ma seva opangira mtambo (Chithunzi. 1).
Chithunzi 1. Kuwukira kwachindunji pa intaneti ya wothandizira
Ndipo musalole kuti ayese kukuuzani nthano kuti adiresi yeniyeni ya IP ya seva imabisika kuseri kwa mtambo wa wothandizira chitetezo, zomwe zikutanthauza kuti sizingatheke kuwukira mwachindunji. Pazochitika zisanu ndi zinayi mwa khumi, sizidzakhala zovuta kuti wotsutsa apeze adiresi yeniyeni ya IP ya seva kapena osachepera maukonde operekera alendo kuti "awononge" malo onse a deta.
Momwe obera amachitira posaka adilesi yeniyeni ya IP
Pansipa owononga pali njira zingapo zopezera adilesi yeniyeni ya IP (yoperekedwa chifukwa chazidziwitso).
Njira 1: Sakani m'malo otseguka
Mutha kuyambitsa kusaka kwanu ndi ntchito yapaintaneti: Imasaka pa intaneti yamdima, nsanja zogawana zikalata, njira za Whois data, kutayikira kwapagulu ndi zina zambiri.
Ngati, pogwiritsa ntchito zizindikiro zina (mitu ya HTTP, deta ya Whois, etc.), zinali zotheka kudziwa kuti chitetezo cha malowa chakonzedwa pogwiritsa ntchito Cloudflare, ndiye mukhoza kuyamba kufufuza IP yeniyeni kuchokera., yomwe ili ndi ma adilesi a IP pafupifupi 3 miliyoni amasamba omwe ali kuseri kwa Cloudflare.
Kugwiritsa ntchito satifiketi ya SSL ndi ntchito mutha kupeza zambiri zothandiza, kuphatikiza adilesi yeniyeni ya IP ya tsambalo. Kuti mupange pempho lazinthu zanu, pitani ku tabu ya Zikalata ndikulowetsa:
_parsed.names: dzinatsamba NDI ma tags.raw: odalirika
Kuti mufufuze ma adilesi a IP a maseva pogwiritsa ntchito satifiketi ya SSL, muyenera kudutsa pamndandanda wotsikira pansi ndi zida zingapo (tabu ya "Explore", kenako sankhani "IPv4 Hosts").
Njira 2: DNS
Kusaka mbiri yakusintha kwa mbiri ya DNS ndi njira yakale, yotsimikiziridwa. Adilesi yam'mbuyo ya IP ya tsambalo imatha kufotokozera momveka bwino kuti ndi malo otani (kapena malo a data) omwe analipo. Pakati pa ntchito zapaintaneti pakugwiritsa ntchito mosavuta, izi ndizodziwika bwino: ΠΈ .
Mukasintha zoikamo, tsambalo silidzagwiritsa ntchito adilesi ya IP ya wothandizira pamtambo kapena CDN, koma idzagwira ntchito molunjika kwakanthawi. Pankhaniyi, pali kuthekera kuti ntchito zapaintaneti zosungira mbiri yakusintha kwa ma adilesi a IP zimakhala ndi chidziwitso cha adilesi yochokera patsamba.
Ngati palibe chilichonse koma dzina la seva yakale ya DNS, ndiye kuti pogwiritsa ntchito zida zapadera (kukumba, kulandila kapena nslookup) mutha kupempha adilesi ya IP ndi dzina lawebusayiti, mwachitsanzo:
_dig @old_dns_server_name dzinamalowa
Njira 3: imelo
Lingaliro la njirayo ndikugwiritsa ntchito mayankho / fomu yolembetsa (kapena njira ina iliyonse yomwe imakulolani kuti muyambe kutumiza kalata) kuti mulandire kalata ku imelo yanu ndikuyang'ana mitu, makamaka gawo la "Received" .
Mutu wa imelo nthawi zambiri umakhala ndi adilesi yeniyeni ya IP ya mbiri ya MX (ma seva osinthanitsa ndi imelo), yomwe imatha kukhala poyambira kupeza ma seva ena pa chandamale.
Sakani Zida Zodzichitira
Mapulogalamu osaka a IP kuseri kwa Cloudflare shield nthawi zambiri amagwira ntchito zitatu:
- Jambulani zolakwika za DNS pogwiritsa ntchito DNSDumpster.com;
- Crimeflare.com database scan;
- fufuzani madera ang'onoang'ono pogwiritsa ntchito njira yofufuzira mtanthauzira mawu.
Kupeza ma subdomains nthawi zambiri kumakhala njira yabwino kwambiri mwa atatuwo - eni malo amatha kuteteza tsamba lalikulu ndikusiya ma subdomain akuyenda molunjika. Chophweka njira kufufuza ndi ntchito .
Kuphatikiza apo, pali zida zomwe zimapangidwira kusaka ma subdomain pogwiritsa ntchito kusaka kwa mtanthauzira mawu ndikufufuza malo otseguka, mwachitsanzo: kapena .
Momwe kufufuza kumachitikira muzochita
Mwachitsanzo, tiyeni titenge tsamba seo.com pogwiritsa ntchito Cloudflare, yomwe tidzapeza pogwiritsa ntchito ntchito yodziwika bwino (imakupatsani mwayi wodziwa ukadaulo / mainjini / CMS pomwe tsambalo limagwira ntchito, komanso mosemphanitsa - fufuzani masamba ndi matekinoloje omwe amagwiritsidwa ntchito).
Mukadina pa "IPv4 Hosts" tabu, ntchitoyo iwonetsa mndandanda wa omwe akugwiritsa ntchito satifiketi. Kuti mupeze yomwe mukufuna, yang'anani adilesi ya IP yokhala ndi doko lotseguka 443. Ngati ibwereranso kumalo omwe mukufuna, ndiye kuti ntchitoyo yatha, mwinamwake muyenera kuwonjezera dzina lachidziwitso cha malo kumutu wa "Host" wa Pempho la HTTP (mwachitsanzo, * curl -H "Host: site_name" *).
Kwa ife, kufufuza mu database ya Censys sikunapereke kalikonse, kotero timapitirira.
Tidzafufuza DNS kudzera muutumiki.
Pofufuza ma adilesi omwe atchulidwa pamndandanda wa maseva a DNS pogwiritsa ntchito CloudFail, timapeza zothandizira. Zotsatira zake zidzakhala zokonzeka mumasekondi angapo.
Pogwiritsa ntchito deta yotseguka ndi zida zosavuta zokha, tidazindikira adilesi yeniyeni ya IP ya seva yapaintaneti. Zina zonse kwa wowukirayo ndi nkhani yaukadaulo.
Tiyeni tibwererenso pakusankha woperekera alendo. Kuti tiwone ubwino wa utumiki kwa makasitomala, tiwona njira zomwe zingatheke zotetezera ku DDoS.
Momwe wothandizira wothandizira amapangira chitetezo chake
- Makina odzitetezera omwe ali ndi zida zosefera (Chithunzi 2).
Pamafunika:
1.1. Zida zosefera magalimoto ndi ziphaso zamapulogalamu;
1.2. Akatswiri a nthawi zonse kuti athandizidwe ndikugwira ntchito;
1.3. Njira zolowera pa intaneti zomwe zingakhale zokwanira kulandira ziwawa;
1.4. Njira yolipiriratu bandwidth yolandirira anthu "zachabechabe".
Chithunzi 2. Hosting woperekera mwini chitetezo dongosolo
Ngati tilingalira dongosolo lofotokozedwa ngati njira yotetezera ku DDoS kuukira kwa mazana a Gbps, ndiye kuti dongosolo loterolo lidzawononga ndalama zambiri. Kodi woperekera alendo ali ndi chitetezo chotere? Kodi ali wokonzeka kulipira magalimoto "opanda pake"? Mwachiwonekere, chitsanzo chachuma choterocho ndi chopanda phindu kwa wothandizira ngati ndalamazo sizipereka malipiro owonjezera. - Reverse Proxy (ya masamba ndi mapulogalamu ena okha). Ngakhale nambala , wogulitsa sakutsimikizira chitetezo ku DDoS mwachindunji (onani Chithunzi 1). Othandizira ochereza nthawi zambiri amapereka yankho ngati panacea, kusuntha udindo kwa wothandizira chitetezo.
- Ntchito za opereka mtambo wapadera (kugwiritsa ntchito netiweki yake yosefera) kuteteza ku DDoS pamagulu onse a OSI (Chithunzi 3).
Chithunzi 3. Chitetezo chokwanira ku DDoS kuukira pogwiritsa ntchito wothandizira apadera
amalingalira kusakanikirana kwakukulu ndi luso lapamwamba la luso lamagulu onse awiri. Ntchito zosefera zamtundu wa Outsourcing zimalola wothandizira kuchititsa kuti achepetse mtengo wazinthu zowonjezera kwa kasitomala.
Zofunika! Kufotokozera mwatsatanetsatane zaukadaulo wautumiki woperekedwa, m'pamenenso amakhala ndi mwayi wofuna kukhazikitsidwa kapena kulipidwa ngati nthawi yatha.
Kuphatikiza pa njira zitatu zazikuluzikulu, pali zambiri zophatikizira ndi kuphatikiza. Posankha kuchititsa, ndikofunikira kuti kasitomala akumbukire kuti chigamulocho sichidzadalira kokha kukula kwa ziwopsezo zotsimikizika zotsekedwa komanso kusefa kulondola, komanso kuthamanga kwa mayankho, komanso zomwe zili m'zidziwitso (mndandanda wazowopseza wotsekedwa), ziwerengero zonse, etc.).
Kumbukirani kuti ndi ochezeka ochepa okha padziko lapansi omwe amatha kupereka chitetezo chovomerezeka pawokha; nthawi zina, mgwirizano ndi luso laukadaulo zimathandizira. Chifukwa chake, kumvetsetsa mfundo zazikuluzikulu zokonzekera chitetezo ku DDoS kudzalola eni ake kuti asagwere pazamalonda komanso kuti asagule "nkhumba mu poke."
Source: www.habr.com