A detailed reply to a comment, plus a little about the life of providers in the Russian Federation

What prompted me to write this post was this comment.

I quote it here:

kareman today at 18:53

My provider made my day today. Along with the update of its site-blocking system, its mail.ru mail service got banned. I have been calling technical support since the morning, but they can't do anything. The provider is small, and apparently the upstream providers are blocking it. I also noticed a slowdown in the opening of all sites; maybe they installed some kind of crooked DLP? There were no access problems before. The destruction of the RuNet is happening right before my eyes...

The thing is, it looks like we are that very provider :)

And indeed, kareman almost guessed the cause of the problems with mail.ru (although we refused to believe in such a thing for a long time).

What follows is divided into two parts:

  1. the causes of our current problems with mail.ru and the fascinating quest to find them
  2. the existence of an ISP in today's realities, and the stability of the sovereign RuNet.

Accessibility problems with mail.ru

Oh, it's a long story.

The fact is that in order to implement the state's requirements (more on that in the second part), we purchased, configured and installed certain equipment, both for filtering prohibited resources and for performing NAT translation for subscribers.

Some time ago, we finally rebuilt the network core so that all subscriber traffic passes through this equipment in the right direction.

A few days ago we turned on filtering of prohibited content on it (while leaving the old system running) - everything seemed to go well.

Then we gradually began enabling NAT on this equipment for different groups of subscribers. By the looks of it, everything seemed to go well there too.

But today, having enabled NAT on the equipment for the next group of subscribers, from the very morning we were faced with a fair number of complaints about the unavailability or partial availability of mail.ru and other Mail Ru Group resources.

We started checking: something, somewhere, sometimes sends a TCP RST in response to requests exclusively to the mail.ru networks. Moreover, it sends an incorrectly generated (without ACK), obviously artificial TCP RST. This is what it looked like:


Naturally, the first thoughts were about the new equipment: scary DPI, no trust in it, you never know what it might do - after all, TCP RST is a fairly common thing among blocking tools.
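Whether a reset like the one described above (a TCP RST without ACK) is well-formed can be checked against the reset-generation rule in RFC 9293, section 3.5.2: a reset answering a segment that carried no ACK, such as a SYN, must itself carry ACK. The following Python is an added example, not code from the original post; the segments are constructed samples, and the `build`, `parse_tcp` and `check_rst` names are hypothetical.

```python
import struct
from collections import namedtuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
Segment = namedtuple("Segment", "seq ack flags payload_len")

def build(seq, ack, flags, payload=b""):
    """Build a constructed TCP segment (20-byte header, no IP header).
    Ports and window are fixed placeholders; the check ignores them."""
    return struct.pack("!HHIIHHHH", 40000, 443, seq, ack,
                       (5 << 12) | flags, 65535, 0, 0) + payload

def parse_tcp(raw):
    """Parse the fields of a raw TCP segment that matter for judging a reset."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    _sp, _dp, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    header_len = (off_flags >> 12) * 4
    if not 20 <= header_len <= len(raw):
        raise ValueError("bad data offset")
    return Segment(seq, ack, off_flags & 0x1FF, len(raw) - header_len)

def check_rst(trigger, rst):
    """Compare a reset with the one RFC 9293 (3.5.2) prescribes for `trigger`
    when the receiving side has no synchronized connection for it."""
    if not rst.flags & RST:
        return ["not a reset"]
    findings = []
    if trigger.flags & ACK:
        # Trigger carried ACK: the reset must be <SEQ=SEG.ACK><CTL=RST>.
        if rst.seq != trigger.ack:
            findings.append("SEQ does not equal the ACK number of the triggering segment")
    else:
        # Trigger had no ACK (a SYN): expect <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>.
        seg_len = trigger.payload_len + bool(trigger.flags & SYN) + bool(trigger.flags & FIN)
        if not rst.flags & ACK:
            findings.append("reset to a segment without ACK carries no ACK flag")
        elif rst.ack != (trigger.seq + seg_len) % 2**32:
            findings.append("ACK number does not cover the triggering segment")
    return findings

# Constructed samples: a client SYN, a stack-generated refusal, and a bare RST.
SYN_SEG = parse_tcp(build(1000, 0, SYN))
GENUINE = parse_tcp(build(0, 1001, RST | ACK))
BARE = parse_tcp(build(0, 0, RST))
print(check_rst(SYN_SEG, GENUINE), check_rst(SYN_SEG, BARE))
```

A finding here only says the reset does not match what an endpoint's TCP stack would generate for that trigger; it does not say which device on the path produced it.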

We also put forward kareman's hypothesis that someone "upstream" was filtering, but quickly discarded it.

First, we have adequate enough uplinks not to suffer like this :)

Second, we are connected to several IXes in Moscow, and traffic to mail.ru goes through them - and they have neither the duty nor any other reason to filter traffic.

The next half of the day was spent on what is usually called shamanism - together with the equipment vendor, for which we thank them; they did not give up :)

  • filtering was disabled completely
  • NAT under the new scheme was disabled
  • the test PC was placed in a separate, isolated pool
  • the IP address was changed

In the afternoon, a virtual machine was allocated and connected to the network according to the scheme of an ordinary user, and the vendor's representatives were given access to it and to the equipment. The shamanism continued :)

In the end, the vendor's representative confidently stated that the hardware had nothing to do with it: the RSTs come from somewhere upstream.

Note: at this point someone might say: wouldn't it have been much easier to take a dump not from the test PC, but from the trunk above the DPI?

No, unfortunately, taking a dump of (or even just mirroring) 40+ Gbps is not trivial at all.

After that, in the evening, there was nothing left to do but return to the hypothesis of strange filtering somewhere upstream.

I looked at which IX the traffic to the MRG networks was now passing through and simply shut down the BGP sessions to it. And lo and behold! - everything immediately returned to normal :(

On the one hand, it's a shame that the whole day was spent searching for the problem, even though it was solved in five minutes.

On the other hand:

- in my memory this is an unprecedented thing. As I already wrote above, IXes really have no reason to filter transit traffic. They usually carry hundreds of gigabits/terabits per second. Until recently I simply could not seriously imagine such a thing.

- an incredibly unfortunate combination of circumstances: new, complex hardware that is not particularly trusted and from which it is unclear what can be expected - designed specifically for blocking resources, including with TCP RSTs.

The NOC of this internet exchange is now looking for the problem. According to them (and I believe them), they have no specially deployed filtering system. But, thank heavens, the further search is no longer our problem :)

This was a small attempt to justify ourselves; please understand and forgive :)

P.S.: I deliberately do not name the manufacturer of the DPI/NAT or the IX (in fact, I don't even have any particular complaints against them; the main thing is to understand what it was)

Today's (as well as yesterday's and the day before yesterday's) reality from the point of view of an Internet provider.

I have spent the last few weeks substantially rebuilding the network core, performing a bunch of manipulations "live", at the risk of significantly affecting live user traffic. Considering the goals, results and consequences of all this, morally it is all quite hard. Especially when listening once again to fine speeches about protecting the stability of the Runet, sovereignty, and so on and so forth.

In this part, I will try to describe the "evolution" of the network core of a typical ISP over the past ten years.

Ten years ago.

In those blessed times, the core of a provider's network could be as simple and reliable as a cork:


This very simplified picture has no trunks, rings, or IP/MPLS routing.

Its essence is that user traffic ultimately arrived at the core switching layer, from where it went to the BNG, from there, as a rule, back to core switching, and then "out" - through one or more border gateways to the Internet.

Such a scheme is very, very easy to make redundant both at L3 (dynamic routing) and at L2 (MPLS).

You can install N+1 of anything: access servers, switches, borders - and one way or another reserve them for automatic failover.

A few years later it became clear to everyone in Russia that it was impossible to go on living like this: it was urgent to protect children from the harmful influence of the Internet.

There was an urgent need to find ways to filter user traffic.

There are different approaches here.

In the not-so-good case, something is put inline: between the user traffic and the Internet. The traffic passing through this "something" is analyzed and, for example, a fake packet with a redirect is sent towards the subscriber.

In a slightly better case - if traffic volumes allow - you can do a little trick: send for filtering only the traffic going from users to those addresses that need to be filtered (to do this, you can either take the IP addresses specified in the registry, or additionally resolve the domains present in the registry).

At one time, for these purposes, I wrote a simple mini dpi - although I can hardly bring myself to call it that. It is very simple and not very performant - nevertheless, it allowed us and dozens (if not hundreds) of other providers not to shell out millions on industrial DPI systems right away, and gave us several additional years.

By the way, about DPI then and now: many who bought the DPI systems available on the market at that time have already thrown them away. Well, they were not designed for this: hundreds of thousands of addresses, tens of thousands of URLs.

And at the same time, domestic manufacturers have risen very strongly in this market. I am not talking about the hardware part - everything is clear to everyone there - but the software, which is the main thing a DPI has, is today perhaps, if not the most advanced in the world, then certainly a) developing by leaps and bounds, and b) at the price of a boxed product simply incomparable with foreign competitors.

I would like to be proud, but it is a little sad =)

Now everything looked like this:


In a couple more years everyone already had auditors; there were more and more resources in the registry. For some older equipment (for example, the Cisco 7600), the "side-filtering" scheme simply became inapplicable: the number of routes on these platforms is limited to something like nine hundred thousand, while the number of IPv4 routes alone today is approaching eight hundred thousand. And if there is IPv6 as well... And then... how many is it? 800 individual addresses in the RKN ban? =)

Some switched to a scheme with mirroring of all backbone traffic to a filtering server, which has to analyze the entire flow and, if something bad is found, send an RST in both directions (to the sender and the recipient).

However, the more traffic there is, the less applicable this scheme becomes. At the slightest delay in processing, the mirrored traffic simply flies past unnoticed, and the provider receives a fine notice.

More and more providers are forced to install DPI systems of varying degrees of reliability on their backbone links.

A year or two ago, according to rumors, almost every FSB office began demanding the actual installation of SORM equipment (previously, most providers got by with a SORM plan agreed with the authorities - a plan of operational measures in case something needed to be found somewhere)

Besides the money (not exorbitant, but still millions), SORM required many more manipulations with the network.

  • SORM needs to see users' "grey" addresses before NAT translation
  • SORM has a limited number of network interfaces

Therefore, in particular, we had to substantially rebuild a piece of the core - simply to gather user traffic on its way to the access servers in one place, in order to mirror it to SORM over several links.

That is, very simplified, it was (left) vs. it became (right):


Now most providers are also required to implement SORM-3, which includes, among other things, logging of address translations.

For these purposes, we also had to add separate NAT equipment to the diagram above (exactly what is discussed in the first part). Moreover, it had to be added in a particular order: since SORM must "see" the traffic before address translation, the traffic must flow strictly as follows: users -> switching, core -> access servers -> SORM -> NAT -> switching, core -> Internet. To do this, we had to literally "turn" the traffic flows the other way on the live network, which was also quite difficult.

In summary: over the past ten years, the core design of an average provider has become many times more complex, and the additional points of failure (both in the form of equipment and in the form of single switching links) have increased significantly. In fact, the very requirement to "see everything" implies reducing this "everything" to a single point.

I think this can be quite transparently extrapolated to the current initiatives to sovereignize the Runet, protect it, stabilize it and improve it :)

And Yarovaya is still ahead.

Source: www.habr.com
