Timalemba chitetezo ku DDoS pa XDP. Mbali ya nyukiliya
Tekinoloje ya eXpress Data Path (XDP) imalola kuti magalimoto aziyenda mosagwirizana ndi Linux mapaketi asanalowe mu kernel network stack. Kugwiritsa ntchito XDP - chitetezo ku DDoS kuukira (CloudFlare), zosefera zovuta, kusonkhanitsa ziwerengero (Netflix). Mapulogalamu a XDP amachitidwa ndi makina enieni a eBPF, motero amakhala ndi zoletsa pama code awo onse ndi ntchito zomwe zilipo, kutengera mtundu wa fyuluta.
Nkhaniyi idapangidwa kuti ikwaniritse zofooka zazinthu zambiri pa XDP. Choyamba, amapereka ma code okonzeka omwe amadumpha nthawi yomweyo mawonekedwe a XDP: okonzekera kutsimikiziridwa kapena osavuta kuyambitsa mavuto. Mukayesa kulemba khodi yanuyanu kuyambira pachiyambi, palibe kumvetsetsa zoyenera kuchita ndi zolakwika zomwe zimachitika. Kachiwiri, sichikuphimba njira zoyesera XDP kwanuko popanda VM ndi hardware, ngakhale ali ndi misampha yawo. Mawuwa amapangidwira opanga mapulogalamu odziwa ma network ndi Linux omwe ali ndi chidwi ndi XDP ndi eBPF.
Mugawoli, timvetsetsa mwatsatanetsatane momwe fyuluta ya XDP imasonkhanitsidwa komanso momwe tingayesere, ndiye kuti tilemba mtundu wosavuta wa makina odziwika bwino a SYN cookie pamlingo wokonza paketi. Mpaka tipange "white list"
makasitomala otsimikiziridwa, sungani zowerengera ndikuwongolera zosefera - zipika zokwanira.
Tidzalemba mu C - izi sizowoneka bwino, koma zothandiza. Ma code onse amapezeka pa GitHub pa ulalo kumapeto ndipo agawidwa muzochita molingana ndi zomwe zafotokozedwa m'nkhaniyi.
Zotsutsa. M'kati mwa nkhaniyi, njira yothetsera vuto la DDoS idzapangidwa, chifukwa iyi ndi ntchito yeniyeni ya XDP ndi dera langa. Komabe, cholinga chachikulu ndikumvetsetsa ukadaulo, izi sizowongolera kupanga chitetezo chokonzekera. Khodi yamaphunziroyo simakometsedwa ndipo imasiya ma nuances ena.
Chifukwa chake, code yosefera imayikidwa mu kernel. Zosefera zimadutsa mapaketi obwera. Zotsatira zake, fyulutayo iyenera kupanga chisankho: kupatsira paketi ku kernel (XDP_PASS), tsitsani paketi (XDP_DROP) kapena tumizani (XDP_TX). Zosefera zitha kusintha phukusi, izi ndizowona makamaka kwa XDP_TX. Mukhozanso kusokoneza pulogalamu (XDP_ABORTED) ndikugwetsa phukusi, koma izi ndizofanana assert(0) - kwa debugging.
EBPF (yowonjezera Berkley Packet Filter) makina owoneka bwino amapangidwa mwadala kuti kernel iwonetsetse kuti codeyo siyimazungulira komanso siyiwononga kukumbukira kwa anthu ena. Zoletsa ndi macheke:
Lupu (kudumpha kumbuyo) ndizoletsedwa.
Pali mulu wa data, koma palibe ntchito (zonse za C ziyenera kukhala ndi mzere).
Kulowa m'makumbukidwe kunja kwa stack ndi paketi ya buffer ndikoletsedwa.
Kukula kwa code ndikochepa, koma pochita izi sizofunika kwambiri.
Ntchito zapadera za kernel (othandizira eBPF) ndizololedwa.
Kupanga ndi kukhazikitsa fyuluta kumawoneka motere:
gwero kodi (mwachitsanzo. kernel.c) amaphatikiza kutsutsa (kernel.o) pakupanga makina a eBPF. Pofika Okutobala 2019, kulembetsa ku eBPF kumathandizidwa ndi Clang ndipo adalonjeza mu GCC 10.1.
Ngati mu code ya chinthu ichi pali mafoni kumagulu a kernel (mwachitsanzo, ku matebulo ndi ma counters), m'malo mwa ma ID awo pali ziro, ndiye kuti, codeyo singathe kuchitidwa. Musanalowe mu kernel, zero izi ziyenera kusinthidwa ndi ma ID azinthu zomwe zidapangidwa kudzera pama foni a kernel (kulumikiza nambalayo). Mutha kuchita izi ndi zida zakunja, kapena mutha kulemba pulogalamu yomwe ingalumikizane ndikuyika fyuluta inayake.
Kernel imatsimikizira kuti pulogalamuyo yakwezedwa. Imayang'ana kusakhalapo kwa kuzungulira komanso kusatuluka kwa phukusi ndi malire a stack. Ngati wotsimikizira sangathe kutsimikizira kuti codeyo ndi yolondola, pulogalamuyo imakanidwa - munthu ayenera kumukondweretsa.
Pambuyo potsimikizira bwino, kernel imaphatikiza kachidindo kamangidwe ka eBPF kukhala makina omangira makina (munthawi yake).
Pulogalamuyi imamangiriridwa ku mawonekedwe ndikuyamba kukonza mapaketi.
Mukalemba fyuluta, mafayilo angapo okhala ndi ntchito zothandizira ndi ma macros adzakhala othandiza kuchokera ku mayeso a kernel. Ndikofunika kuti zigwirizane ndi mtundu wa kernel (KVER). Koperani iwo kuti helpers/:
KDIR ili ndi njira yopita kumutu wa kernel, ARCH - kamangidwe kadongosolo. Njira ndi zida zitha kusiyanasiyana pang'ono pakati pa magawo.
Chitsanzo chosiyana cha Debian 10 (kernel 4.19.67)
# другая команда
CLANG ?= clang
LLC ?= llc-7
# другой каталог
KDIR ?= /usr/src/linux-headers-$(shell uname -r)
ARCH ?= $(subst x86_64,x86,$(shell uname -m))
# два дополнительных каталога -I
CFLAGS =
-Ihelpers
-I/usr/src/linux-headers-4.19.0-6-common/include
-I/usr/src/linux-headers-4.19.0-6-common/arch/$(ARCH)/include
# далее без изменений
CFLAGS Phatikizani chikwatu chokhala ndi mitu yothandiza ndi maulalo angapo okhala ndi mitu ya kernel. Chizindikiro __KERNEL__ zikutanthauza kuti mitu ya UAPI (userspace API) imatanthauzidwa ngati kernel code, popeza fyulutayo imachitidwa mu kernel.
Chitetezo cha stack chikhoza kuzimitsidwa (-fno-stack-protector) chifukwa chotsimikizira khodi ya eBPF chimayang'ana ngati palibe malire a stack. Muyenera kuyambitsa kukhathamiritsa nthawi yomweyo, chifukwa kukula kwa eBPF bytecode ndikochepa.
Tiyeni tiyambe ndi zosefera zomwe zimadutsa mapaketi onse osachita chilichonse:
timu make amatenga xdp_filter.o. Kodi mungayesere kuti tsopano?
benchi yoyesera
Choyimiriracho chiyenera kukhala ndi mawonekedwe awiri: pomwe padzakhala fyuluta ndi zomwe mapaketi adzatumizidwa. Izi ziyenera kukhala zida zonse za Linux zokhala ndi ma IP awoawo kuti muwone momwe mapulogalamu amagwirira ntchito ndi fyuluta yathu.
Zipangizo monga veth (virtual Efaneti) ndizoyenera kwa ife: ndi ma netiweki awiri olumikizirana "olumikizidwa" mwachindunji wina ndi mnzake. Mutha kuwapanga motere (m'gawo lino, malamulo onse ip anachita kuchokera root):
ip link add xdp-remote type veth peer name xdp-local
ndi xdp-remote и xdp-local - mayina zida. Yambani xdp-local (192.0.2.1/24) fyuluta idzalumikizidwa, ndi xdp-remote (192.0.2.2/24) magalimoto obwera adzatumizidwa. Komabe, pali vuto: zolumikizira zili pamakina omwewo, ndipo Linux sidzatumiza magalimoto kwa amodzi mwa iwo kudzera mwa imzake. Mutha kuzithetsa ndi malamulo ovuta iptables, koma adzayenera kusintha maphukusi, zomwe zimakhala zovuta mukakonza. Ndikwabwino kugwiritsa ntchito ma netiweki namespaces (ma network namespaces, ma network ena).
Malo ochezera a pa intaneti ali ndi ma interfaces, ma routing tables, ndi malamulo a NetFilter omwe ali olekanitsidwa ndi zinthu zofanana mu maukonde ena. Njira iliyonse imayenda m'malo ena a mayina, ndipo zinthu zokha za maukondewa ndi omwe amapezeka kwa iwo. Mwachikhazikitso, dongosololi liri ndi malo amodzi a netiweki azinthu zonse, kotero mutha kugwira ntchito pa Linux osadziwa za maukonde.
Tiyeni tipange malo atsopano xdp-test ndi kusamukira kumeneko xdp-remote.
ip netns add xdp-test
ip link set dev xdp-remote netns xdp-test
Mukasuntha pakati pa ma neti, mawonekedwewo amatsika ndikutaya adilesi. Kukhazikitsa mawonekedwe mu netns, muyenera kuthamanga ip ... m'malo awa amalamulo ip netns exec:
ip netns exec xdp-test
ip address add 192.0.2.2/24 dev xdp-remote
ip netns exec xdp-test
ip link set xdp-remote up
Monga mukuwonera, izi sizosiyana ndi kukhazikitsa xdp-local m'malo okhazikika:
ip address add 192.0.2.1/24 dev xdp-local
ip link set xdp-local up
Ndikwabwino kuyendetsa chipolopolo mkati xdp-test. Chosungiracho chili ndi zolemba zomwe zimangogwira ntchito ndi choyimilira, mwachitsanzo, mutha kuyika choyimira ndi lamulo. sudo ./stand up ndi kuchotsa sudo ./stand down.
kutsatira
Zosefera zimalumikizidwa ku chipangizochi motere:
ip -force link set dev xdp-local xdp object xdp_filter.o verbose
Mphindi -force zofunika kulumikiza pulogalamu yatsopano ngati ina yalumikizidwa kale. "Palibe nkhani yomwe ili yabwino" sizikunena za lamuloli, zomwe zimatuluka ndizochuluka. sonyeza verbose mwachisawawa, koma ndi izo lipoti la ntchito ya code verifier ndi assembler mindandanda ikuwoneka:
Verifier analysis:
0: (b7) r0 = 2
1: (95) exit
Chotsani pulogalamuyi kuchokera ku mawonekedwe:
ip link set dev xdp-local xdp off
Mu script, awa ndi malamulo sudo ./stand attach и sudo ./stand detach.
Pomanga fyuluta, mutha kutsimikiza kuti ping ikugwirabe ntchito, koma kodi pulogalamuyi imagwira ntchito? Tiyeni tiwonjezere ma logo. Ntchito bpf_trace_printk() ofanana ndi printf(), koma zimangochirikiza mpaka ziganizo zitatu kupatula pateni, ndi mndandanda wochepera wa ofotokozera. Macro bpf_printk() imathandizira kuyimba.
Chowonadi ndi chakuti mapulogalamu a eBPF alibe gawo la data, chifukwa chake njira yokhayo yolumikizira chingwe chamtundu ndi mikangano yaposachedwa ya malamulo a VM:
Yambitsani tcpdump pa xdp-remote. Iyenera kuwonetsa zomwe zikutuluka komanso zomwe zikubwera ICMP Echo Pempho ndikusiya kuwonetsa ICMP Echo Reply. Koma sizikuwoneka. Zimagwira ntchito XDP_TX mu pulogalamu ya xdp-localndikofunikirakugwirizanitsa mawonekedwe xdp-remote pulogalamu inaperekedwanso, ngakhale itakhala yopanda kanthu, ndipo idakwezedwa.
Ndinadziwa bwanji?
Kutsata njira ya phukusi mu kernel makina a perf amalola, mwa njira, kugwiritsa ntchito makina omwewo, ndiye kuti, eBPF imagwiritsidwa ntchito posokoneza ndi eBPF.
Muyenera kupanga zabwino mwa zoyipa, chifukwa palibe china choti muchite.
Ngati ARP ikuwonetsedwa m'malo mwake, muyenera kuchotsa zosefera (izi zimapangitsa sudo ./stand detach), ife ping, kenako ikani zosefera ndikuyesanso. Vuto ndiloti fyulutayo XDP_TX imakhudzanso ARP, komanso ngati stack
malo a mayina xdp-test adakwanitsa "kuyiwala" adilesi ya MAC 192.0.2.1, sangathe kuthetsa IP iyi.
Kupanga kwa vuto
Tiyeni tipitirire ku ntchito yomwe yanenedwa: kulemba makina a SYN cookie pa XDP.
Mpaka pano, kusefukira kwa SYN kumakhalabe kutchuka kwa DDoS, zomwe zili motere. Pamene kugwirizana kukhazikitsidwa (TCP kugwirana chanza), seva imalandira SYN, imagawa zothandizira kuti igwirizane ndi mtsogolo, imayankha ndi paketi ya SYNACK, ndikudikirira ACK. Wowukirayo amangotumiza mapaketi a SYN kuchokera ku ma adilesi abodza mu kuchuluka kwa masauzande pamphindikati kuchokera kwa wolandira aliyense mu botnet ya masauzande ambiri. Seva imakakamizika kugawa zothandizira mwamsanga pakafika paketi, koma imatulutsa pambuyo pa nthawi yayitali, chifukwa chake, kukumbukira kapena malire atha, kugwirizana kwatsopano sikuvomerezedwa, ntchitoyo sikupezeka.
Ngati simukugawa zothandizira pa paketi ya SYN, koma mungoyankha ndi paketi ya SYNACK, ndiye seva ingamvetse bwanji kuti paketi ya ACK yomwe inabwera pambuyo pake ndi ya paketi ya SYN yomwe sinasungidwe? Kupatula apo, wowukira amathanso kupanga ma ACK abodza. Chofunikira pa cookie ya SYN ndikulowetsamo seqnum magawo olumikizirana ngati ma adilesi, madoko ndikusintha mchere. Ngati ACK inatha kufika mchere usanasinthe, mukhoza kuwerengera hashi kachiwiri ndikuyerekeza ndi acknum. zabodza acknum wowukirayo sangathe, popeza mchere umaphatikizapo chinsinsi, ndipo sadzakhala ndi nthawi yoti athetse chifukwa cha njira yochepa.
Ma SYN makeke akhazikitsidwa mu Linux kernel kwa nthawi yayitali ndipo amatha kuthandizidwa ngati ma SYN afika mwachangu komanso mochulukira.
Pulogalamu yamaphunziro pa TCP kugwirana chanza
TCP imapereka kusamutsa kwa data ngati mtsinje wa ma byte, mwachitsanzo, zopempha za HTTP zimatumizidwa pa TCP. Mtsinjewo umafalikira pang'onopang'ono m'mapaketi. Mapaketi onse a TCP ali ndi mbendera zomveka ndi manambala otsatizana a 32-bit:
Kuphatikiza kwa mbendera kumatanthawuza udindo wa phukusi linalake. Mbendera ya SYN imatanthawuza kuti iyi ndiye paketi yoyamba ya wotumiza pamalumikizidwe. Mbendera ya ACK imatanthawuza kuti wotumizayo walandira deta yonse yolumikizana mpaka pa byte. acknum. Phukusi likhoza kukhala ndi mbendera zingapo ndipo limatchedwa kuphatikizika kwawo, mwachitsanzo, paketi ya SYNACK.
Nambala yotsatizana (seqnum) imatanthawuza kuchotsera kwa data pa baiti yoyamba yomwe imatumizidwa mu paketi iyi. Mwachitsanzo, ngati mu paketi yoyamba yokhala ndi ma X a data nambalayi inali N, mu paketi yotsatira yokhala ndi deta yatsopano idzakhala N + X. Kumayambiriro kwa kugwirizana, phwando lirilonse limasankha nambala iyi mwachisawawa.
Nambala yovomerezeka (acknum) - yofanana ndi seqnum, koma sichidziwa chiwerengero cha byte yopatsirana, koma chiwerengero cha byte yoyamba kuchokera kwa wolandira, yomwe wotumizayo sanawone.
Kumayambiriro kwa kugwirizana, maphwando ayenera kuvomereza seqnum и acknum. Makasitomala amatumiza paketi ya SYN ndi yake seqnum = X. Seva imayankha ndi paketi ya SYNACK, pomwe imalemba yake seqnum = Y ndi kuwulula acknum = X + 1. Wothandizira amayankha SYNACK ndi paketi ya ACK, komwe seqnum = X + 1, acknum = Y + 1. Pambuyo pake, kusamutsidwa kwenikweni kwa data kumayamba.
Chifukwa chiyani ma cookie a SYN sagwiritsidwa ntchito nthawi zonse?
Choyamba, ngati SYNACK kapena ACK itatayika, muyenera kuyembekezera kutumizanso - kukhazikitsidwa kwa kugwirizana kumachepetsa. Kachiwiri, mu paketi ya SYN - komanso momwemo! - zosankha zingapo zimaperekedwa zomwe zimakhudza kupitilira kwa kulumikizana. Osakumbukira mapaketi a SYN omwe akubwera, seva imanyalanyaza zosankhazi, m'mapaketi otsatirawa kasitomala sangawatumizenso. TCP ikhoza kugwira ntchito pankhaniyi, koma pagawo loyambirira, mtundu wa kulumikizana udzachepa.
Pankhani ya phukusi, pulogalamu ya XDP iyenera kuchita izi:
yankhani SYN ndi SYNACK ndi cookie;
yankhani ACK ndi RST (kuswa kulumikizana);
kusiya mapaketi ena.
Pseudocode ya algorithm pamodzi ndi paketi parsing:
Если это не Ethernet,
пропустить пакет.
Если это не IPv4,
пропустить пакет.
Если адрес в таблице проверенных, (*)
уменьшить счетчик оставшихся проверок,
пропустить пакет.
Если это не TCP,
сбросить пакет. (**)
Если это SYN,
ответить SYN-ACK с cookie.
Если это ACK,
если в acknum лежит не cookie,
сбросить пакет.
Занести в таблицу адрес с N оставшихся проверок. (*)
Ответить RST. (**)
В остальных случаях сбросить пакет.
Mmodzi (*) mfundo zomwe muyenera kuyang'anira dongosolo la dongosolo zimayikidwa - pa gawo loyamba, mutha kuchita popanda iwo mwa kungogwiritsa ntchito TCP kugwirana chanza ndikupanga cookie ya SYN ngati seqnum.
Ndimayang'anitsitsa macheke omwe ali ndi A ndi B. Ngati mupereka ndemanga pa A, pulogalamuyo idzamanga, koma padzakhala cholakwika chotsimikizira pamene mukutsegula:
Chingwe chofunikira invalid access to packet, off=13 size=1, R7(id=0,off=0,r=0): pali njira zochitira pomwe baiti yakhumi ndi itatu kuyambira koyambira kwa buffer ili kunja kwa paketi. Ndizovuta kudziwa kuchokera pamndandanda womwe tikukamba, koma pali nambala ya malangizo (12) ndi chophatikizira chomwe chikuwonetsa mizere ya magwero:
zomwe zikusonyeza kuti vuto ndi ether. Zikanakhala choncho nthawi zonse.
Yankhani SYN
Cholinga pakadali pano ndikupanga paketi yolondola ya SYNACK yokhala ndi chokhazikika seqnum, yomwe idzalowe m'malo ndi SYN cookie mtsogolomu. Zosintha zonse zimachitika mkati process_tcp_syn() ndi malo ozungulira.
Sinthani madoko a TCP, IP ndi ma adilesi a MAC. Laibulale wamba sapezeka ku pulogalamu ya XDP, kotero memcpy() - zazikulu zomwe zimabisa Clang intrinsik.
IPv4 ndi TCP checksums zimafuna kuwonjezera mawu onse a 16-bit pamutu, ndipo kukula kwa mitu kumalembedwa mmenemo, ndiko kuti, panthawi yosonkhanitsa sikudziwika. Ili ndi vuto chifukwa chotsimikizira sichidumpha kuzungulira kwanthawi zonse mpaka malirewo asinthe. Koma kukula kwa mitu ndi kochepa: mpaka 64 byte iliyonse. Mutha kupanga lupu ndi nambala yokhazikika yobwerezabwereza, yomwe imatha kutha msanga.
ntchito carry() imapanga cheke kuchokera ku 32-bit kuchuluka kwa mawu 16-bit, malinga ndi RFC 791.
TCP cheke chanza
Zosefera zimakhazikitsa kulumikizana ndi netcat, kudumpha ACK yomaliza, yomwe Linux adayankha ndi paketi ya RST, popeza stack network sinalandire SYN - inatembenuzidwa ku SYNACK ndikubwezeretsanso - ndipo kuchokera kumbali ya OS, paketi inafika yomwe sinali. zokhudzana ndi maulumikizidwe otseguka.
$ sudo ip netns exec xdp-test nc -nv 192.0.2.1 6666
192.0.2.1 6666: Connection reset by peer
Ndikofunikira kuyang'ana ndi mapulogalamu athunthu ndikuwona tcpdump pa xdp-remote chifukwa, mwachitsanzo, hping3 sichimayankha macheke olakwika.
SYN keke
Pakuwona kwa XDP, chekeyo ndiyochepa. Mawerengedwe a algorithm ndi akale ndipo mwina akhoza kukhala pachiwopsezo chaoukira mwaukadaulo. Linux kernel, mwachitsanzo, imagwiritsa ntchito cryptographic SipHash, koma kukhazikitsidwa kwake kwa XDP momveka bwino sikungafotokozedwe ndi nkhaniyi.
Zawonekera kwa ma TODO atsopano okhudzana ndi kuyanjana kwakunja:
Pulogalamu ya XDP siyingasungidwe cookie_seed (gawo lobisika la mchere) muzosintha zapadziko lonse lapansi, muyenera sitolo ya kernel yomwe mtengo wake udzasinthidwa nthawi ndi nthawi kuchokera ku jenereta yodalirika.
Ngati cookie ya SYN mu paketi ya ACK ikugwirizana, simuyenera kusindikiza uthenga, koma kumbukirani IP ya kasitomala wotsimikizika kuti mulumphenso mapaketi kuchokera pamenepo.
Malingana ngati palibe mndandanda wa ma IP otsimikiziridwa, sipadzakhala chitetezo ku kusefukira kwa SYN palokha, koma apa pali zomwe zimachitika ku ACK kusefukira komwe kunayambitsidwa ndi lamulo ili:
sudo ip netns exec xdp-test hping3 --flood -A -s 1111 -p 2222 192.0.2.1