DDoS to the rescue: how we conduct stress and load tests

Variti develops protection against bots and DDoS attacks, and also conducts stress and load testing. At the HighLoad++ 2018 conference we talked about how to protect resources from various kinds of attacks. In short: isolate parts of the system, use cloud services and CDNs, and update regularly. But you still won't be able to handle protection without specialized companies :)

Before reading the text, you can read the short abstract on the conference website.
And if you don't like reading or simply want to watch the video, the recording of our talk is below under the spoiler.

Many companies already know how to do load testing, but not all of them do stress testing. Some of our customers think that their site is invulnerable because they have a high-load system and it protects well against attacks. We show that this is not entirely true.
Of course, before conducting tests we obtain permission from the customer, signed and stamped, and with our help a DDoS attack cannot be carried out against just anyone. Testing is carried out at a time chosen by the customer, when traffic to their resource is minimal and access problems will not affect clients. In addition, since something can always go wrong during testing, we stay in constant contact with the customer. This lets us not only report the results obtained, but also change something during the test. When testing is complete, we always prepare a report in which we point out the shortcomings found and give recommendations for eliminating the site's weaknesses.

How we work

When testing, we emulate a botnet. Since we work with clients who are not located on our networks, to make sure the test does not end in the first minute because limits or protection are triggered, we deliver the load not from a single IP but from our own subnet. In addition, to create a significant load, we have our own fairly powerful test server.

Postulates

A lot does not mean good
The less load we need to bring a resource to failure, the better. If you can make the site stop working with one request per second, or even one request per minute, great. Because by the law of meanness, users or attackers will stumble into exactly this weakness by accident.

Partial failure is better than complete failure
We always recommend making systems heterogeneous. Moreover, it is worth separating them at the physical level, and not just with containers. With physical separation, even if something fails on the site, there is a good chance that it will not stop working completely, and users will still have access to at least part of the functionality.

Good architecture is the foundation of resilience
A resource's fault tolerance and its ability to withstand attacks and loads should be laid down at the design stage, in fact at the stage of drawing the first diagrams in a notebook. Because if fatal mistakes creep in, they can be fixed later, but it is very difficult.

Not only the code should be good, but also the config
Many people think that a good development team is a guarantee of a fault-tolerant service. A good development team is indeed necessary, but there must also be good operations, good DevOps. That is, we need specialists who will correctly configure Linux and the network, write nginx configs properly, set limits, and so on. Otherwise the resource will work well only in testing, and at some point everything will break in production.

Differences between load and stress testing
Load testing lets you determine the limits of a system's operation. Stress testing is aimed at finding weaknesses in a system and is used to break that system and see how it behaves when certain parts fail. In this case, the nature of the load usually remains unknown to the customer until the stress test begins.

Distinctive features of L7 attacks

We usually divide load types into load at the L7 level and at the L3&4 level. L7 is load at the application level; most often it is understood to mean only HTTP, but we mean any load at the TCP protocol level.
L7 attacks have certain distinctive features. First, they arrive directly at the application, that is, they are unlikely to be reflected by network means. Such attacks use logic, and because of this they consume CPU, memory, disk, database and other resources very efficiently and with little traffic.

HTTP flood

In the case of any attack, the load is easier to create than to handle, and in the case of L7 this is true as well. It is not always easy to distinguish attack traffic from legitimate traffic; most often this can be done by frequency, but if everything is planned properly, it is impossible to tell from the logs which requests are the attack and which are legitimate.
As a first example, consider an HTTP flood attack. The graph shows that such attacks are usually very powerful; in the example below, the peak number of requests exceeded 600 thousand per minute.

HTTP flood is the easiest way to create load. Usually it takes some kind of load-testing tool, such as ApacheBench, and sets a request and a target. With such a simple approach there is a high chance of running into server caching, but it is easy to bypass. For example, by adding random strings to the request, which forces the server to keep serving a fresh page.
Also, don't forget about the user-agent when creating load. Many user-agents of popular testing tools are filtered by system administrators, and in that case the load may simply not reach the backend. You can significantly improve the result by putting a more or less valid browser header into the request.
As simple as HTTP flood attacks are, they also have drawbacks. First, a large amount of capacity is needed to create the load. Second, such attacks are very easy to detect, especially if they come from a single address. As a result, the requests immediately start being filtered either by system administrators or even at the provider level.
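
The cache bypass with random request strings described above has a defensive counterpart: build the cache key only from parameters that really change the response. The sketch below is an added example, not code from the talk or from Variti; the routes, the parameter allowlist and the function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: per-route allowlist of query parameters that change the response.
ALLOWED_PARAMS = {
    "/search": {"q", "page"},
    "/catalog": {"category", "page"},
}
MAX_VALUE_LEN = 64  # assumed upper bound for a single parameter value


def cache_key(url):
    """Return a canonical cache key: path plus allowlisted, sorted parameters."""
    parts = urlsplit(url)
    allowed = ALLOWED_PARAMS.get(parts.path, set())
    kept = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # Unknown parameters (for example a random "rnd=...") are dropped,
        # duplicates are ignored: the first occurrence wins.
        if name in allowed and name not in kept:
            kept[name] = value[:MAX_VALUE_LEN]
    query = urlencode(sorted(kept.items()))
    return parts.path + ("?" + query if query else "")


def hit_ratio(urls):
    """Fraction of requests that would be served from a cache keyed by cache_key()."""
    if not urls:
        return 0.0
    seen, hits = set(), 0
    for url in urls:
        key = cache_key(url)
        if key in seen:
            hits += 1
        else:
            seen.add(key)
    return hits / len(urls)


# Constructed sample requests: three cache-busting hits on "/" and two
# equivalent searches with a junk parameter in different positions.
SAMPLE_URLS = [
    "/?rnd=a1", "/?rnd=b2", "/?rnd=c3",
    "/search?q=tires&x=1", "/search?x=2&q=tires",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", cache_key(u))
    print("hit ratio:", hit_ratio(SAMPLE_URLS))
```

Parameters that legitimately vary, such as a search term, still reach the backend, so this complements rate limiting rather than replacing it.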

What to look for

To reduce the number of requests per second without losing effectiveness, you need to show a little imagination and explore the site. This way you can load not only the channel or the server, but also individual parts of the application, for example the database or the file system. You can also look for places on the site that perform heavy computation: calculators, product selection pages, and so on. Finally, it often happens that the site has some PHP script that generates a page of several hundred lines. Such a script also loads the server heavily and can become a target for an attack.

Where to look

When we scan a resource before testing, we first look, of course, at the site itself. We look for all kinds of input fields and heavy files: in general, everything that can create problems for the resource and slow it down. The ordinary developer tools in Google Chrome and Firefox help here, showing page response times.
We also scan subdomains. For example, there is some online store, abc.com, and it has a subdomain admin.abc.com. Most likely this is an admin panel with authorization, but if you put load on it, it can create problems for the main resource.
The site may have a subdomain api.abc.com. Most likely this is a resource for mobile applications. The application can be found in the App Store or Google Play; you can set up a special access point, dissect the API and register test accounts. The problem is that people often think that anything protected by authorization is immune to denial-of-service attacks. Supposedly, authorization is the best CAPTCHA, but it is not. It is easy to create 10-20 test accounts, and by creating them we gain access to complex and unconcealed functionality.
Naturally, we look at history, at robots.txt and WebArchive, ViewDNS, and look for old versions of the resource. Sometimes it happens that the developers have rolled out, say, mail2.yandex.net, but the old version, mail.yandex.net, remains. This mail.yandex.net is no longer supported and no development resources are allocated to it, but it continues to consume the database. Accordingly, using the old version you can effectively use the resources of the backend and everything behind the layout. Of course, this does not always happen, but we still encounter it quite often.
Naturally, we analyze all request parameters and the cookie structure. You can, say, put some value into a JSON array inside a cookie, create deep nesting and make the resource work unreasonably long.

Search load

The first thing that comes to mind when exploring a site is to load the database, since almost everyone has search, and for almost everyone, unfortunately, it is poorly protected. For some reason developers do not pay enough attention to search. But there is one recommendation here: you should not make requests of the same type, because you may run into caching, as with HTTP flood.
Making random queries to the database is also not always effective. It is much better to create a list of keywords relevant to the search. Returning to the online store example: say the site sells car tires and lets you set the tire radius, the type of car and other parameters. Accordingly, combinations of relevant words will force the database to work under much more complex conditions.
In addition, it is worth using pagination: it is much harder for search to return the last page of search results than the first. That is, with the help of pagination you can diversify the load a little.
The example below shows search load. It can be seen that from the very first second of the test, at a rate of ten requests per second, the site went down and stopped responding.

What if there is no search?

If there is no search, this does not mean that the site has no other vulnerable input fields. This field may be authorization. Nowadays developers like to make complex hashes to protect the login database from rainbow-table attacks. This is good, but such hashes consume a lot of CPU resources. A large flow of false authorizations leads to processor failure, and as a result the site stops working.
The presence on the site of all kinds of forms for comments and feedback is a reason to send very large texts there or simply create a massive flood. Sometimes sites accept attached files, including in gzip format. In this case, we take a 1TB file, compress it to several bytes or kilobytes using gzip and send it to the site. Then it is decompressed and a very interesting effect is obtained.
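
For the gzip upload case above, the server-side fix is to inflate in bounded steps and stop as soon as an output budget is exceeded, instead of decompressing the whole attachment in one call. This is an added example, not code from the talk or from Variti; the 10 MiB budget, the function names and the constructed test payload are assumptions.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when an upload inflates past the configured output budget."""


def safe_gunzip(data, max_output=10 * 1024 * 1024, chunk=64 * 1024):
    """Inflate one gzip member, never buffering more than max_output + 1 bytes.

    Malformed input raises zlib.error, truncated input raises ValueError.
    Data after the first gzip member is ignored.
    """
    inflater = zlib.decompressobj(zlib.MAX_WBITS | 16)  # 16 selects gzip framing
    out = bytearray()
    buf = data
    while not inflater.eof:
        # Ask for at most one byte beyond the budget so the overflow is
        # detected without ever materialising the full expanded payload.
        budget = min(chunk, max_output - len(out) + 1)
        piece = inflater.decompress(buf, budget)
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                "output exceeds %d bytes (input was %d bytes)" % (max_output, len(data))
            )
        buf = inflater.unconsumed_tail
        if not piece and not buf:
            break  # no input left and nothing more produced
    if not inflater.eof:
        raise ValueError("truncated or incomplete gzip stream")
    return bytes(out)


def make_constructed_bomb(size):
    """Constructed test input: `size` zero bytes, gzip-compressed (about 1000:1)."""
    return gzip.compress(b"\0" * size)


if __name__ == "__main__":
    ok = gzip.compress(b"feedback text " * 1000)
    print("normal upload:", len(safe_gunzip(ok)), "bytes")
    bomb = make_constructed_bomb(20 * 1024 * 1024)
    print("constructed payload on the wire:", len(bomb), "bytes")
    try:
        safe_gunzip(bomb, max_output=1024 * 1024)
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
```

The same budget should apply wherever decompression happens implicitly, for example to request bodies sent with `Content-Encoding: gzip`.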

Rest API

I would like to pay a little attention to such popular services as the Rest API. Securing a Rest API is much harder than securing a regular website. Even trivial methods of protection against password brute force and other illegitimate activity do not work for a Rest API.
A Rest API is very easy to break because it accesses the database directly. At the same time, the failure of such a service entails quite serious consequences for the business. The fact is that the Rest API is usually used not only by the main website, but also by the mobile application and some internal business resources. And if all this goes down, the effect is much stronger than in the case of a simple website failure.

Loading heavy content

If we are offered to test some ordinary single-page application, landing page, or business-card website that has no complex functionality, we look for heavy content. For example, large images that the server sends, binary files, PDF documents: we try to download all of this. Such tests load the file system well and clog the channels, and are therefore effective. That is, even if you don't bring the server down, by downloading a large file at low speed you simply clog the target server's channel, and then a denial of service occurs.
An example of such a test shows that at a rate of 30 RPS the site stopped responding or returned 500 server errors.

Don't forget about server configuration. You can often find that someone bought a virtual machine, installed Apache there, configured everything by default, deployed a PHP application, and below you can see the result.

Here the load went to the root and amounted to only 10 RPS. We waited 5 minutes and the server crashed. True, it is not entirely known why it fell, but there is an assumption that it simply used up too much memory and therefore stopped responding.

Wave based

In the last year or two, wave attacks have become quite popular. This is because many organizations buy certain hardware appliances for DDoS protection, which need a certain amount of time to accumulate statistics before they start filtering an attack. That is, they do not filter the attack in the first 30-40 seconds, because they are accumulating data and learning. Accordingly, in those 30-40 seconds you can launch so much at the site that the resource will be down for a long time until all the requests are cleared.
In the case of the attack below, there was an interval of 10 minutes, after which a new, modified part of the attack arrived.

That is, the protection learned and started filtering, but a new, completely different part of the attack arrived, and the protection started learning again. In effect, filtering stops working, the protection becomes ineffective, and the site is unavailable.
Wave attacks are characterized by very high peak values; they can reach a hundred thousand or a million requests per second in the case of L7. If we talk about L3&4, there can be hundreds of gigabits of traffic, or, accordingly, hundreds of Mpps if you count in packets.
The problem with such attacks is synchronization. The attacks come from a botnet and require a high degree of synchronization to create a very large one-time spike. And this coordination does not always work out: sometimes the output is some kind of parabolic peak, which looks rather pathetic.

Not HTTP alone

In addition to HTTP at L7, we like to exploit other protocols. As a rule, a regular website, especially on regular hosting, has mail protocols and MySQL sticking out. Mail protocols are subject to less load than databases, but they can also be loaded quite efficiently, ending up with an overloaded CPU on the server.
We were quite successful with the 2016 SSH vulnerability. Now this vulnerability has been fixed for almost everyone, but this does not mean that load cannot be delivered to SSH. It can. There is simply a huge load of authorizations, SSH eats up almost the entire CPU on the server, and then the website collapses from one or two requests per second. Accordingly, these one or two requests cannot be distinguished from legitimate load based on the logs.
Opening many connections to servers also remains relevant. Previously Apache was guilty of this, now nginx is actually guilty of it, since it is often configured by default. The number of connections that nginx can keep open is limited, so we open that number of connections, nginx no longer accepts new connections, and as a result the site does not work.
Our test cluster has enough CPU to attack the SSL handshake. In principle, as practice shows, botnets sometimes like to do this too. On the one hand, it is clear that you cannot do without SSL, because of Google results, ranking, security. On the other hand, SSL unfortunately has a CPU issue.

L3&4

When we talk about attacks at the L3&4 levels, we usually mean attacks at the link level. Such load is almost always distinguishable from legitimate load, unless it is a SYN-flood attack. The problem with SYN-flood attacks for protection tools is their large volume. The maximum L3&4 value was 1.5-2 Tbit/s. This kind of traffic is very difficult to process even for large companies, including Oracle and Google.
SYN and SYN-ACK are the packets used when establishing a connection. Therefore, a SYN flood is difficult to distinguish from legitimate load: it is unclear whether this is a SYN that came to establish a connection or part of a flood.

UDP flood

Usually attackers do not have the capacity that we have, so amplification can be used to organize an attack. That is, the attacker scans the Internet and finds either vulnerable or incorrectly configured servers that, for example, respond to one SYN packet with three SYN-ACKs. By spoofing the source address with the address of the target server, it is possible to increase the power by, say, three times with a single packet and redirect the traffic to the victim.

The problem with amplification is that it is difficult to detect. Recent examples include the sensational case of vulnerable memcached. Plus, there are now many IoT devices and IP cameras, which are also mostly configured by default, and by default they are configured incorrectly, which is why attackers most often attack through such devices.

Difficult SYN flood

SYN flood is probably the most interesting type of attack from a developer's point of view. The problem is that system administrators often use IP blocking for protection. Moreover, IP blocking affects not only system administrators acting through scripts but also, unfortunately, some security systems that are purchased for a lot of money.
This method can turn into a disaster, because if attackers spoof IP addresses, the company will block its own subnet. When the firewall blocks its own cluster, external interactions will fail at the output and the resource will go down.
Moreover, it is not difficult to block your own network. If the customer's office has a Wi-Fi network, or if the resource's performance is measured using various monitoring systems, we take the IP address of this monitoring system or of the customer's office Wi-Fi and use it as the source. In the end, the resource appears to be available, but the target IP addresses are blocked. Thus, the Wi-Fi network of the HighLoad conference, where the company's new product is being presented, may be blocked, and this entails certain business and economic costs.
During testing, we cannot use amplification through memcached with any external resources, because there are agreements to send traffic only to permitted IP addresses. Accordingly, we use amplification through SYN and SYN-ACK, when the system responds to one sent SYN with two or three SYN-ACKs, and at the output the attack is multiplied two or three times.
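
The self-blocking failure described above can be guarded against in the automation that feeds the firewall: never block protected networks automatically, and never treat the source address of a bare SYN as proven. The sketch below is an added example, not code from the talk or from Variti; the protected ranges are documentation placeholders, and the event format, threshold and function names are assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: networks that automation must never block. The ranges are
# documentation placeholders, not addresses taken from the article.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",  # hypothetical: own cluster and its egress addresses
    "203.0.113.10/32",  # hypothetical: external monitoring probe
    "192.0.2.0/24",     # hypothetical: office Wi-Fi NAT range
)]


def is_protected(ip):
    return any(ip in net for net in PROTECTED_NETS)


def plan_actions(events, threshold=100):
    """Decide what to do with noisy sources.

    events: iterable of (source_ip, handshake_completed) pairs. A source
    address is only proven once the TCP handshake completed; the address in
    a half-open SYN may be spoofed.
    Returns {"block": [...], "alert": [...], "unverified": [...]}.
    """
    verified, half_open = Counter(), Counter()
    for src, completed in events:
        ip = ipaddress.ip_address(src)
        (verified if completed else half_open)[ip] += 1

    plan = {"block": set(), "alert": set(), "unverified": set()}
    for ip in set(verified) | set(half_open):
        if verified[ip] + half_open[ip] < threshold:
            continue
        if is_protected(ip):
            plan["alert"].add(ip)        # page a human, never block automatically
        elif verified[ip] >= threshold:
            plan["block"].add(ip)        # proven address, safe to block temporarily
        else:
            plan["unverified"].add(ip)   # leave to SYN cookies or upstream filtering
    order = lambda ip: (ip.version, int(ip))
    return {k: [str(ip) for ip in sorted(v, key=order)] for k, v in plan.items()}


def constructed_events():
    """Constructed sample: spoofed SYNs 'from' protected hosts plus real clients."""
    return (
        [("203.0.113.10", False)] * 150    # spoofed as the monitoring probe
        + [("198.51.100.7", False)] * 150  # spoofed as a cluster node
        + [("198.18.0.25", True)] * 120    # real client, handshake completed
        + [("198.18.0.77", False)] * 500   # half-open only, address unproven
        + [("198.18.0.99", True)] * 5      # ordinary visitor, below threshold
    )


if __name__ == "__main__":
    for action, sources in plan_actions(constructed_events()).items():
        print(action, sources)
```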

Tools

One of the main tools we use for L7 load is Yandex-tank. In particular, phantom is used as the gun, plus there are several scripts for generating cartridges and for analyzing results.
Tcpdump is used to analyze network traffic, and Nmap is used to analyze the server. To create load at the L3&4 level, OpenSSL and a bit of our own magic with the DPDK library are used. DPDK is a library from Intel that lets you work with the network interface bypassing the Linux stack, thereby increasing efficiency. Naturally, we use DPDK not only at the L3&4 level but also at the L7 level, because it lets us create a very high load flow, in the range of several million requests per second from a single machine.
We also use certain traffic generators and special tools that we write for specific tests. If we recall the SSH vulnerability, the above set cannot be used to exploit it. If we attack a mail protocol, we take mail utilities or simply write scripts on top of them.

Conclusions

In conclusion, I would like to say:

  • In addition to classic load testing, it is necessary to conduct stress testing. We have a real example where a partner's subcontractor performed only load testing. It showed that the resource could withstand normal load. But then an abnormal load appeared, site visitors began to use the resource slightly differently, and as a result the subcontractor went down. Thus, it is worth looking for vulnerabilities even if you are already protected from DDoS attacks.
  • It is necessary to isolate some parts of the system from others. If you have search, you need to move it to separate machines, that is, not even to Docker. Because if search or authorization fails, at least something will continue to work. In the case of an online store, users will continue to find products in the catalog, come from an aggregator, buy if they are already authorized, or authorize via OAuth2.
  • Do not neglect all kinds of cloud services.
  • Use a CDN not only to optimize network latency, but also as a means of protection against channel-exhaustion attacks and simple floods of static traffic.
  • It is necessary to use specialized protection services. You cannot protect yourself from L3&4 attacks at the channel level, because you most likely simply do not have a sufficient channel. You are also unlikely to fight off L7 attacks, because they can be very large. Plus, finding small attacks is still the prerogative of special services and special algorithms.
  • Update regularly. This applies not only to the kernel, but also to the SSH daemon, especially if you have it open to the outside. In principle, everything needs to be updated, because you are unlikely to be able to track certain vulnerabilities on your own.

Source: www.habr.com
