Our adventures with the Great Firewall of China (Part 1)

Hello everyone!

Nikita here, a systems engineer at SEMrush. Today I will tell you how we approached the task of making our service semrush.com work stably in China, and what problems we ran into along the way (given that our data center is on the east coast of the United States).

This will be a long story, split into several articles. I will tell you how it all went for us: from a service that did not work from China at all, to performance figures on the level of the American version of the site. I promise it will be interesting and useful. So, let's go.

The problems of the Chinese Internet

Even someone far from network administration has heard of the Great Firewall of China. Sounds impressive, doesn't it? But what it is and how it works is a hard question. You can find many articles on the Internet devoted to it, but from a technical point of view the structure of this firewall is not described anywhere. That, however, is not surprising. I will admit right away that even after a year of working on this I cannot say exactly how it works, but I can share my observations and practical conclusions. And we will start with the rumors about this firewall.

There are many rumors about this firewall. Let us collect the main and most interesting ones in one list:

  • Google, Facebook, Twitter and other similar services are blocked and do not work in China.
  • Any traffic going OUT of China and INTO China is classified and throttled using machine learning (in the case of suspicious traffic), which greatly slows traffic crossing the border.
  • Chinese intelligence agencies decrypt any encrypted traffic passing through their firewall.
  • VPN tunnels and IPSEC tunnels are unstable, break, and are regularly blocked.
  • The simpler the encryption, the simpler the cipher suite used to sign/encrypt traffic, the faster it passes through the Chinese firewall.

Here is what we learned about these rumors:

  • Google, Facebook, Twitter and similar services are indeed blocked (Captain Obvious), but many technical Google domains, for example, are not blocked and work (the same gstatic.com). The conclusion from this: you should not cut out everything from Google and other resources that appear to be blocked.
  • Any traffic crossing the border adds latency to its timing. Look at two measurements. One site, one page, a simple GET with curl. The first measurement was taken from China itself (the beautiful city of Shenzhen). The second was measured from outside, from Hong Kong (which is autonomous, with no firewall between it and the rest of the world). The distance between the cities in a straight line is about 30-40 km.

nikita@china-shenzhen:~# curl -o /dev/null -w@curl_time "https://www.semrush.com/info/ebay.com"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  381k    0  381k    0     0  71824      0 --:--:--  0:00:05 --:--:-- 82832
time_namelookup:  0.004500
time_connect:  0.169342
time_appconnect:  0.723189
time_pretransfer:  0.723499
time_redirect:  0.000000
time_starttransfer:  1.532912
----------
time_total:  5.443407
----------
size_download:  390968 Bytes
speed_download:  71824.000B/s

nikita@china-hongkong:~# curl -o /dev/null -w@curl_time "https://www.semrush.com/info/ebay.com"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  319k    0  319k    0     0  2555k      0 --:--:-- --:--:-- --:--:-- 2573k
time_namelookup:  0.029366
time_connect:  0.030742
time_appconnect:  0.047310
time_pretransfer:  0.047388
time_redirect:  0.000000
time_starttransfer:  0.120793
----------
time_total:  0.124871
----------
size_download:  326755 Bytes
speed_download:  2616740.000B/s

Pay attention to time_connect. And in general you see the result: the firewall adds about four seconds, which is a lot.

  • VPN and IPSEC tunnels really do fail often. I will talk about this a little later and in more detail. VPN servers used by ordinary users get blocked over time (usually within a day of first use).
  • There is a widespread opinion among people living in China that the simpler the encryption of the traffic, the faster it crosses the border, because it is easier to see that there is nothing illegal in it. And in the same way, "clean" traffic gets more bandwidth and higher speed, while "dirty" traffic, which cannot be understood, gets, on the contrary, less and less. As an example I will use curl to ifconfig.co over the HTTPS and HTTP protocols.

curl -o /dev/null -w@curl_time "https://ifconfig.co/"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    13  100    13    0     0      2      0  0:00:06  0:00:05  0:00:01     3
time_namelookup:  0.004305
time_connect:  0.397465
time_appconnect:  5.149305
time_pretransfer:  5.149393
time_redirect:  0.000000
time_starttransfer:  5.568847
----------
time_total:  5.568893
----------
size_download:  13 Bytes
speed_download:  2.000B/s

curl -o /dev/null -w@curl_time "http://ifconfig.co/"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    13  100    13    0     0     28      0 --:--:-- --:--:-- --:--:--    28
time_namelookup:  0.004282
time_connect:  0.212457
time_appconnect:  0.000000
time_pretransfer:  0.212484
time_redirect:  0.000000
time_starttransfer:  0.450565
----------
time_total:  0.450620
----------
size_download:  13 Bytes
speed_download:  28.000B/s

A difference of five seconds for a load of thirteen bytes. Moreover, if you repeat such tests many times, you can see that a GET over HTTP almost always completes in the same time, while over HTTPS the site sometimes responds in 5, 13, 3 and even 17 seconds. Sometimes SSL errors occur:

Unknown SSL protocol error in connection to ifconfig.co:443.
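As an added illustration (not part of the original article), here is a Python helper that splits curl's cumulative time_* timers into per-phase durations and names the slowest phase. It is fed the two ifconfig.co measurements quoted above, so the TLS handshake stands out as the phase where the border delay lands. The function names are my own.

```python
import re

# curl -w timers printed by the article's curl_time format (seconds, cumulative).
PHASES = ("namelookup", "connect", "appconnect", "pretransfer", "starttransfer", "total")

def parse_curl_times(output):
    """Extract time_<name>: <value> lines from curl -w output into floats."""
    times = {k: float(v) for k, v in re.findall(r"time_(\w+):\s*([\d.]+)", output)}
    missing = [p for p in PHASES if p not in times]
    if missing:
        raise ValueError(f"missing curl timers: {missing}")
    return times

def phase_breakdown(output):
    """Turn cumulative timers into per-phase durations (DNS, TCP, TLS, TTFB, transfer)."""
    t = parse_curl_times(output)
    has_tls = t["appconnect"] > 0  # curl reports 0 for plain HTTP (no TLS handshake)
    return {
        "dns": t["namelookup"],
        "tcp": t["connect"] - t["namelookup"],
        "tls": (t["appconnect"] - t["connect"]) if has_tls else 0.0,
        "ttfb": t["starttransfer"] - t["pretransfer"],
        "transfer": t["total"] - t["starttransfer"],
    }

def slowest_phase(output):
    """Name of the phase that dominates the request, i.e. where to look first."""
    b = phase_breakdown(output)
    return max(b, key=b.get)

# The two ifconfig.co measurements quoted in the article (taken from Shenzhen).
HTTPS_SHENZHEN = """time_namelookup:  0.004305
time_connect:  0.397465
time_appconnect:  5.149305
time_pretransfer:  5.149393
time_redirect:  0.000000
time_starttransfer:  5.568847
time_total:  5.568893"""

HTTP_SHENZHEN = """time_namelookup:  0.004282
time_connect:  0.212457
time_appconnect:  0.000000
time_pretransfer:  0.212484
time_redirect:  0.000000
time_starttransfer:  0.450565
time_total:  0.450620"""

if __name__ == "__main__":
    for name, out in (("https", HTTPS_SHENZHEN), ("http", HTTP_SHENZHEN)):
        phases = {k: round(v, 3) for k, v in phase_breakdown(out).items()}
        print(name, phases, "slowest:", slowest_phase(out))
```

Run the same breakdown over repeated measurements and the phase whose variance explodes (here TLS) is the one worth alerting on, rather than the total.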

So here is what we have:

  • The problems created by the Chinese firewall are described above.
  • Pings to external resources and inside tunnels periodically disappear.
  • Latency between two points changes constantly and is often unpredictable. When connecting different cities/regions you expect that, given the geography of the regions, the latency will be lower, but you get exactly the opposite.
  • The Internet and communication channels speed up or slow down. There is a slight dependence on the time of day and the day of the week, but not always.
  • DNS requests from China to foreign countries sometimes exceed the allowed time.

The resulting picture is simply "wonderful."

Our data center, as I said, is in the eastern United States, and the whole of SEMrush has many interconnected products, backends, frontends, databases, and all of this is in the DC and in the clouds. We, as the team of system administrators, were given the task of quickly getting up and running in China with minimal effort.

We had to answer a key question: is it possible to get by with little money and solve all the problems associated with the Chinese Internet and the firewall at the network/cloud/server level?

We started by obtaining an ICP license.

ICP license

To be able to host your service inside China (Mainland China) and run tests, you must first obtain an ICP license for the domain.

If your site's user traffic terminates inside Mainland China, and your domain does not have an ICP license, your traffic will be blocked at the ISP/hosting level. Incidentally, the ICP license is tied to a specific provider, whether Cloudflare or Alibaba Cloud. So if you obtained an ICP license for Cloudflare and host your website with them, you cannot "stick" it onto Alibaba Cloud. You will have to add another hosting provider to this license.

Once we had obtained the ICP license for the domain, we were able to come up with and test some technical ideas and solutions.

Testing solutions

But before you start making choices, changing the architecture, and hardening and speeding up the site, you need to choose a testing tool so you can see which of our actions improve or, on the contrary, worsen the site's performance.

Our testing tool had to meet two key requirements:

  • it must be able to run tests from China,
  • it must have a browser test.

So we found Catchpoint! They have good coverage of test locations around the world. In China, tests can be run from about a hundred and fifty regions through this tool. Each has several different providers, plus the ability to run Backbone tests (something like a real machine in a data center) and Lastmile tests (as close as possible to the user's environment, i.e. a workstation). The latter type of test is considerably more expensive.

Having signed a yearly contract (nothing shorter is possible), we started learning the tool. Honestly, we were impressed by its functionality. You can run:

  • DNS tests,
  • Web tests (browser tests, simple GET/POST, mobile client emulation, etc.),
  • Transactional checks (for example, login),
  • API tests,
  • Ping, traceroute, NTP, and so on.

You cannot list everything. And most importantly, each test can be fine-tuned by adding a set of headers and other parameters. The output is a huge amount of information that fully describes your test. If we talk about the most interesting thing for us (browser tests), the results include:

  • Connect, Wait, Load, SSL, DNS times,
  • TTFB, TTLB, Document complete, Render time, DOM load,
  • Response (something close to Time To First Byte), Webpage Response (something close to Time To Last Byte),
  • Any percentile, Average, Median times,
  • Etc.

Accordingly, all of these metrics are good for seeing changes and understanding whether things have gotten better. We mainly looked at Response, Webpage Response, Median, and the 75th and 95th Percentiles.

A key question hung in the air from the very beginning: can Catchpoint be trusted? Does this tool show the real site loading speed in China from different cities, or is it just some kind of test in a vacuum that has nothing to do with the real user experience?
This is a big problem, because from Russia it is impossible to get a reliable picture of how a site works from China. If you set up a SOCKS proxy through a real machine in China, the site takes several minutes to load, which is not an acceptable test, so the only option for testing is curl and a simple GET from the console with a timer. This helps because such a test fairly accurately shows the speed of the network response, and if there is also a browser test, then great.

Later we went to China ourselves and made sure that Catchpoint can be trusted; it quite accurately reflects real performance figures.

Cloudflare China Network

Since we already successfully use Cloudflare for the main domain semrush.com, we decided to quickly test their feature called China Network. This option is enabled only for Enterprise sites on a separate request and for an additional fee. It is also available only for sites with a valid ICP license that lists Cloudflare as the provider. After enabling it, the "Chinese CDN" from Cloudflare becomes available to the site: traffic from Chinese regions lands on the nearest CF PoP (Point of Presence), and then, over their own network or the network of providers/partners, is delivered to the origin.

The diagram of this test bench is shown below.

This is a great option for us. It turns out that the second domain will also be on CF, which does not add to the number of solutions used in the company and also does not complicate the infrastructure.

We ran browser tests and here is what happened:

The red diamonds are test failures. The ones at the bottom are DNS errors (resolve timeout). The failures at the top are timeouts.

Last time: 86.6
Median: 18s
75 Percentile: 29.3s
95 Percentile: 60s

The median, after we removed the reCaptcha load (a Google service blocked in China), dropped from 28 seconds to 18. But this is still a bad result, considering that the same test for semrush.com (from the US) gave under 28 seconds for 18% of users (from the US) on the same page (static + dynamic).

You can go into each test and look at the Waterfall and many other detailed parameters. We began to investigate the causes of the errors, and while with the timeouts everything was more or less clear (the Internet in China "floats", and because of this the speed of connecting to and loading resources from abroad is unstable and uneven), the DNS errors surprised us a lot. We found that the Cloudflare PoP really is in China and the site's address resolves to one of its IPs, but the DNS servers are American, which is why DNS requests are forced to cross the border, and so they sometimes fail.

After clarifying this question with CF, it turned out that they do not have their own DNS servers in China, and when they will is not yet known.

Therefore, we decided to try Cloudflare DNS alone and switched the Cloudflare operating mode for our site to "DNS only". This is the mode in which Cloudflare does not proxy traffic through itself, which means it provides no DDoS protection, CDN or other features, and works like a regular DNS server.

This setup is shown schematically in the following figure. The figure takes into account the information we found that Cloudflare's DNS servers are behind the firewall.

On Catchpoint we ran GET tests (not browser tests), which showed a lot of failures. They were caused by the same DNS errors.

We started debugging these errors with dig and found that on the first request the address was resolved correctly, and on repeated requests we received SERVFAIL and "not found" every other time. Why was this suddenly happening?

root@iZwz97n2wgbp61qucbfrjsZ:~# host semrushchina.cn
semrushchina.cn has address 220.170.186.192
Host semrushchina.cn not found: 2(SERVFAIL)
root@iZwz97n2wgbp61qucbfrjsZ:~# host semrushchina.cn
semrushchina.cn has address 220.170.186.192
Host semrushchina.cn not found: 2(SERVFAIL)
root@iZwz97n2wgbp61qucbfrjsZ:~# host semrushchina.cn
semrushchina.cn has address 220.170.186.192
Host semrushchina.cn not found: 2(SERVFAIL)
root@iZwz97n2wgbp61qucbfrjsZ:~# host semrushchina.cn
semrushchina.cn has address 220.170.186.192
Host semrushchina.cn not found: 2(SERVFAIL)

There are no such errors when querying the Cloudflare NS servers directly:

root@iZwz97n2wgbp61qucbfrjsZ:~# for i in `seq 1 2`; do host semrushchina.cn ray.ns.cloudflare.com.; done
Using domain server:
Name: ray.ns.cloudflare.com.
Address: 173.245.59.138#53
Aliases: 

semrushchina.cn has address 220.170.186.192
semrushchina.cn has address 220.170.186.192
Using domain server:
Name: ray.ns.cloudflare.com.
Address: 173.245.59.138#53
Aliases: 

semrushchina.cn has address 220.170.186.192
semrushchina.cn has address 220.170.186.192

This means the problem is on the side of the "local" DNS server or the provider's server.
Further investigation showed that we get SERVFAIL when resolving AAAA records.

It turned out that when an AAAA record that does not exist in the domain was requested from Cloudflare, Cloudflare responded with an A record, which is wrong and does not comply with the RFC. The local resolver (xxx) did not like that and responded with SERVFAIL. This behavior is clearly visible in the log below:

root@iZwz97n2wgbp61qucbfrjsZ:~# dig -t AAAA semrushchina.cn @x.x.x.x

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t AAAA semrushchina.cn @x.x.x.x
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55467
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;semrushchina.cn.               IN      AAAA

;; Query time: 334 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Tue Aug 14 23:38:50 CST 2018
;; MSG SIZE  rcvd: 44

root@iZwz97n2wgbp61qucbfrjsZ:~# dig -t AAAA semrushchina.cn @dana.ns.cloudflare.com.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t AAAA semrushchina.cn @dana.ns.cloudflare.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63944
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;semrushchina.cn.               IN      AAAA

;; ANSWER SECTION:
semrushchina.cn.        300     IN      A       220.170.186.192

;; Query time: 185 msec
;; SERVER: 173.245.58.105#53(173.245.58.105)
;; WHEN: Tue Aug 14 23:43:03 CST 2018
;; MSG SIZE  rcvd: 60

We submitted a bug report to Cloudflare, and they fixed it after a while. What is interesting: at that time there was no IPv6 support in China yet, so Cloudflare could not return its IPv6 address there in response to an AAAA record request. In the end, everything was fixed so that Cloudflare started responding to China with NODATA to such requests.

As a result, the DNS errors in the Catchpoint tests decreased significantly, but not completely. Timeouts remain:

And we started looking for another solution.

In the next part I will tell you how we tested the Chinese Alibaba Cloud, how, with a little Nginx "magic", we managed to quickly build a PoC (Proof of Concept) solution, how we built Multi-Cloud solutions, one of which greatly helped to speed up the service from China.

Stay tuned!

Next parts

Part 2
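As an added example that is not part of the original article, here is a Python checker that classifies a DNS response the way a strict local resolver would. It builds constructed sample responses for semrushchina.cn offline (the type-mismatched A answer to an AAAA question described above, the corrected NODATA answer, and the SERVFAIL the local resolver produced) and parses them from wire format; the helper names are assumptions of mine.

```python
import struct

QTYPE_A, QTYPE_AAAA, QTYPE_CNAME = 1, 28, 5
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_response(qname, qtype, answers, rcode=0):
    """Constructed sample response (not captured traffic): QR+AA flags, one question,
    answers given as (rrtype, rdata) with the owner name as a pointer to the question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, rt, 1, 300, len(rd)) + rd for rt, rd in answers)
    return header + question + rrs

def skip_name(msg, off):
    """Advance past a name (labels or a compression pointer) and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, always 2 bytes
            return off + 2
        off += length + 1

def classify_response(msg):
    """Judge a single-question response the way a strict local resolver would."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = skip_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4  # skip qtype and qclass
    answer_types = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rrtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answer_types.append(rrtype)
        off += 10 + rdlen
    if rcode != 0:
        return RCODE_NAMES.get(rcode, f"RCODE{rcode}")
    if not answer_types:
        return "NODATA"  # NOERROR with an empty answer: the correct reply for a missing AAAA
    if any(t not in (qtype, QTYPE_CNAME) for t in answer_types):
        return "TYPE-MISMATCH"  # e.g. an A record answering an AAAA question
    return "OK"

# Domain and address are the ones shown in the article's dig output.
BUGGY = build_response("semrushchina.cn", QTYPE_AAAA, [(QTYPE_A, bytes([220, 170, 186, 192]))])
FIXED = build_response("semrushchina.cn", QTYPE_AAAA, [])
RESOLVER_ERROR = build_response("semrushchina.cn", QTYPE_AAAA, [], rcode=2)
```

Feeding real responses captured with dig into classify_response lets you tell an authoritative-side type mismatch apart from a resolver-side SERVFAIL before opening a ticket with either party.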

Source: www.habr.com
