Simulating network problems on Linux

Hello everyone, my name is Sasha, and I lead backend testing at FunCorp. Like many others, we have adopted a service-oriented architecture. On the one hand this makes the work easier, because each service can be tested on its own; on the other hand, the interaction between services also has to be tested, and that interaction most often happens over the network.

In this article I'll talk about two utilities that can be used to check the basic scenarios that describe how an application behaves when network problems occur.


Emulating network problems

Usually software is tested on test servers with a good internet connection. In harsh production environments things may not go so smoothly, so sometimes you need to test programs under poor connectivity. On Linux, the tc utility helps with the task of simulating such conditions.

tc (short for traffic control) lets you configure how the system transmits network packets. The utility has many capabilities; you can read more about them here. Here we will look at only a few of them: we are interested in traffic scheduling, for which we use qdisc, and since we need to emulate an unstable network, we will use the classless qdisc netem.

Let's start an echo server (I used nmap-ncat):

ncat -l 127.0.0.1 12345 -k -c 'xargs -n1 -i echo "Response: {}"'

To show in detail the timestamps of every step of the interaction between client and server, I wrote a simple Python script that sends a Test request to our echo server.

Client source code

#!/usr/bin/env python3

import socket
import time

HOST = '127.0.0.1'
PORT = 12345
BUFFER_SIZE = 1024
MESSAGE = b"Test\n"  # one line, so ncat's xargs echoes it back as one response

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
t1 = time.time()
print("[time before connection: %.5f]" % t1)
s.connect((HOST, PORT))
print("[time after connection, before sending: %.5f]" % time.time())
s.send(MESSAGE)
print("[time after sending, before receiving: %.5f]" % time.time())
data = s.recv(BUFFER_SIZE)
print("[time after receiving, before closing: %.5f]" % time.time())
s.close()
t2 = time.time()
print("[time after closing: %.5f]" % t2)
print("[total duration: %.5f]" % (t2 - t1))

print(data.decode())

Let's run it and look at the traffic on the lo interface and port 12345:

[user@host ~]# python client.py
[time before connection: 1578652979.44837]
[time after connection, before sending: 1578652979.44889]
[time after sending, before receiving: 1578652979.44894]
[time after receiving, before closing: 1578652979.45922]
[time after closing: 1578652979.45928]
[total duration: 0.01091]
Response: Test

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:59.448601 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [S], seq 3383332866, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 0,nop,wscale 7], length 0
10:42:59.448612 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [S.], seq 2584700178, ack 3383332867, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 606325685,nop,wscale 7], length 0
10:42:59.448622 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.448923 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 5
10:42:59.448930 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [.], ack 6, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.459118 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 606325696 ecr 606325685], length 14
10:42:59.459213 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.459268 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.460184 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 606325697 ecr 606325696], length 0
10:42:59.460196 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 606325697 ecr 606325697], length 0

Everything is standard: a three-way handshake, then PSH/ACK and ACK in response twice (the exchange of request and response between client and server), and FIN/ACK and ACK twice (the connection teardown).

Packet delay

Now let's set a delay of 500 milliseconds:

tc qdisc add dev lo root netem delay 500ms

We start the client and see that the script now runs for 2 seconds:

[user@host ~]# ./client.py
[time before connection: 1578662612.71044]
[time after connection, before sending: 1578662613.71059]
[time after sending, before receiving: 1578662613.71065]
[time after receiving, before closing: 1578662614.72011]
[time after closing: 1578662614.72019]
[total duration: 2.00974]
Response: Test

What's in the traffic? Let's see:

Traffic dump

13:23:33.210520 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [S], seq 1720950927, win 43690, options [mss 65495,sackOK,TS val 615958947 ecr 0,nop,wscale 7], length 0
13:23:33.710554 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [S.], seq 1801168125, ack 1720950928, win 43690, options [mss 65495,sackOK,TS val 615959447 ecr 615958947,nop,wscale 7], length 0
13:23:34.210590 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 0
13:23:34.210657 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 5
13:23:34.710680 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [.], ack 6, win 342, options [nop,nop,TS val 615960447 ecr 615959947], length 0
13:23:34.719371 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 615960456 ecr 615959947], length 14
13:23:35.220106 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.220188 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.720994 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 615961457 ecr 615960957], length 0
13:23:36.221025 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 615961957 ecr 615961457], length 0

You can see that the expected half-second delay has appeared in the interaction between client and server. The system behaves much more interestingly when the delay is larger: the kernel starts retransmitting some TCP packets. Let's change the delay to 1 second and look at the traffic (I won't show the client output; the total duration is the expected 4 seconds):

tc qdisc change dev lo root netem delay 1s

Traffic dump

13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
13:29:11.714819 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:11.714893 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:12.715562 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 616297952 ecr 616296951], length 0
13:29:13.715596 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 616298952 ecr 616297952], length 0

You can see that the client sent its SYN packet twice, and the server sent SYN/ACK twice.
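Reading delay and retransmissions out of a dump by eye gets tedious once a capture has more than a dozen lines. The script below is an added example, not part of the article: it parses lines in the tcpdump -nn format shown in the captures above, measures the handshake round trip (first SYN to first SYN/ACK, which is where netem's delay shows up), and flags retransmitted segments, i.e. SYN, FIN or data segments that repeat the same source, destination, flags and sequence number. The embedded sample is the article's 1-second-delay capture; all function names are my own.

```python
#!/usr/bin/env python3
"""Spot handshake delay and retransmissions in a tcpdump text capture.

Added example, not the article's code. Lines follow `tcpdump -nn` output;
SAMPLE is the article's capture taken with `netem delay 1s` applied."""
import re
from datetime import datetime

SAMPLE = """\
13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
13:29:11.714819 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:11.714893 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:12.715562 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 616297952 ecr 616296951], length 0
13:29:13.715596 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 616298952 ecr 616297952], length 0
"""

# Timestamp, endpoints (address.port), flags, then optional seq/ack/length.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:.*?, length (?P<length>\d+))?"
)


def parse_line(line):
    """One tcpdump line -> dict, or None for non-TCP lines (tcpdump's banner,
    ICMP lines, blank lines). Lines with corrupted options still parse as
    long as the flags field is intact; their length defaults to 0."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["ts"] = datetime.strptime(pkt["ts"], "%H:%M:%S.%f")
    pkt["length"] = int(pkt["length"]) if pkt["length"] else 0
    return pkt


def parse_capture(text):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def handshake_rtt(packets):
    """Seconds from the first SYN to the first SYN/ACK: one round trip through
    whatever delay netem adds. None if the handshake never completed."""
    syn = next((p for p in packets if p["flags"] == "S"), None)
    synack = next((p for p in packets if p["flags"] == "S."), None)
    if syn is None or synack is None:
        return None
    return (synack["ts"] - syn["ts"]).total_seconds()


def find_retransmissions(packets):
    """A segment that carries a sequence number (SYN, FIN or data) and repeats
    an earlier segment's src/dst/flags/seq is a retransmission. Bare ACKs have
    no seq field and are skipped: duplicate ACKs are not retransmissions."""
    seen, repeats = set(), []
    for p in packets:
        if p["seq"] is None:
            continue
        key = (p["src"], p["dst"], p["flags"], p["seq"])
        if key in seen:
            repeats.append(p)
        seen.add(key)
    return repeats


def summarize(text):
    packets = parse_capture(text)
    return {"packets": len(packets),
            "rtt": handshake_rtt(packets),
            "retransmissions": find_retransmissions(packets)}


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("packets: %d  handshake RTT: %.6f s" % (s["packets"], s["rtt"]))
    for p in s["retransmissions"]:
        print("retransmitted: %s > %s flags [%s] seq %s"
              % (p["src"], p["dst"], p["flags"], p["seq"]))
```

Run it on a capture saved with tcpdump -i lo -nn port 12345 > dump.txt by passing the file contents to summarize(); on the article's 1-second capture it reports a 1.000037 s handshake RTT and exactly the two retransmissions discussed above (the client's SYN and the server's SYN/ACK). The same key-based check works for the corrupted-packet dump further down, where the repeated PSH segments show up as retransmissions too.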

Besides a constant value, the delay can be given a deviation, a distribution function, and a correlation (with the value used for the previous packet). This is done as follows:

tc qdisc change dev lo root netem delay 500ms 400ms 50 distribution normal

Here we set the delay between 100 and 900 milliseconds; the values are chosen according to a normal distribution, with 50% correlation to the delay value of the previous packet.

You may have noticed that in the first command I used add and then change. The meaning of these commands is obvious, so I'll only add that there is also del, which can be used to remove the configuration.

Packet loss

Now let's try packet loss. As the documentation shows, this can be done in three ways: dropping packets randomly with some probability, using a Markov chain with 2, 3 or 4 states to compute the loss, or using the Gilbert-Elliott model. In this article I'll look at the first (simplest and most obvious) method; you can read about the others here.

Let's lose 50% of packets with 25% correlation:

tc qdisc add dev lo root netem loss 50% 25%

Unfortunately, tcpdump can't show us packet loss explicitly, so we'll just assume it actually works. What confirms it is the longer and unstable running time of the client.py script (it may finish instantly, or it may take 20 seconds), as well as the growing number of retransmitted segments:

[user@host ~]# netstat -s | grep retransmited; sleep 10; netstat -s | grep retransmited
    17147 segments retransmited
    17185 segments retransmited

Adding noise to packets

In addition to packet loss, you can emulate packet corruption: noise is introduced at a random position in the packet. Let's corrupt packets with 50% probability and no correlation:

tc qdisc change dev lo root netem corrupt 50%

We run the client script (nothing interesting there, except that it took 2 seconds to finish) and look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:20:54.812434 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [S], seq 2023663770, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 0,nop,wscale 7], length 0
10:20:54.812449 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [S.], seq 2104268044, ack 2023663771, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 1037001049,nop,wscale 7], length 0
10:20:54.812458 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 0
10:20:54.812509 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 5
10:20:55.013093 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001250 ecr 1037001049], length 5
10:20:55.013122 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [.], ack 6, win 342, options [nop,nop,TS val 1037001250 ecr 1037001250], length 0
10:20:55.014681 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 1037001251 ecr 1037001250], length 14
10:20:55.014745 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 15, win 340, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.014823 IP 127.0.0.1.43666 > 127.0.0.5.12345: Flags [F.], seq 2023663776, ack 2104268059, win 342, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.214088 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>
10:20:55.416087 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 1037001653 ecr 1037001251], length 0
10:20:55.416804 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:55.416818 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 343, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:56.147086 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0
10:20:56.147101 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0

You can see that some packets were sent repeatedly, and there is one packet with broken metadata: options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>. But the main thing is that in the end everything worked correctly: TCP did its job.

Packet duplication

What else can netem do? For example, emulate the opposite of packet loss: packet duplication. This command also takes 2 arguments: probability and correlation.

tc qdisc change dev lo root netem duplicate 50% 25%

Changing packet order

Packets can be reordered in two ways.

In the first, some packets are sent immediately and the rest with a specified delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50%

With 25% probability (and 50% correlation) a packet is sent immediately; the rest are sent with a 10 millisecond delay.

The second method is when every Nth packet is sent immediately with the given probability (and correlation), and the rest with the delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50% gap 5

Every fifth packet has a 25% chance of being sent without delay.

Changing bandwidth

Usually everyone refers to TBF for this, but with netem you can also change the interface bandwidth:

tc qdisc change dev lo root netem rate 56kbit

This command makes browsing localhost as painful as surfing the internet through a dial-up modem. Besides the bitrate, you can also emulate the link-layer protocol model: set the packet overhead, the cell size, and the per-cell overhead. For example, this is how to emulate ATM at 56 kbit/s:

tc qdisc change dev lo root netem rate 56kbit 0 48 5

tc qdisc change dev lo root netem rate 56kbit 0 48 5

Emulating a connection timeout

Another important item in the test plan for accepting software is timeouts. It matters because in distributed systems, when one of the services is down, the others must fall back to an alternative in time or return an error to the client; under no circumstances should they simply hang waiting for a response or for a connection to be established.

There are several ways to do this: for example, use a mock that never responds, or attach to the process with a debugger, set a breakpoint in the right place and stop the process (probably the most convoluted way). But one of the most obvious is to firewall ports or hosts. iptables helps us here.

For the demonstration we will firewall port 12345 and run our client script. You can firewall outgoing packets to this port on the sender or incoming packets on the receiver. In my examples incoming packets are firewalled (we use the INPUT chain and the --dport option). Such packets can be DROPped, REJECTed, or REJECTed with a TCP RST flag or with ICMP host unreachable (actually the default behaviour is icmp-port-unreachable, and it is also possible to reply with icmp-net-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited).

DROP

If there is a rule with DROP, packets simply "disappear".

iptables -A INPUT -p tcp --dport 12345 -j DROP

We start the client and see that it hangs at the stage of connecting to the server. Let's look at the traffic:
Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:28:20.213506 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203046450 ecr 0,nop,wscale 7], length 0
08:28:21.215086 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203047452 ecr 0,nop,wscale 7], length 0
08:28:23.219092 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203049456 ecr 0,nop,wscale 7], length 0
08:28:27.227087 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203053464 ecr 0,nop,wscale 7], length 0
08:28:35.235102 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203061472 ecr 0,nop,wscale 7], length 0

You can see that the client sends SYN packets with an exponentially growing timeout. So we have found a small bug in the client: it needs to use the settimeout() method to limit how long it keeps trying to connect to the server.

Remove the rule right away:

iptables -D INPUT -p tcp --dport 12345 -j DROP

You can delete all rules at once:

iptables -F

If you use Docker and need to firewall all traffic going to a container, you can do it like this:

iptables -I DOCKER-USER -p tcp -d CONTAINER_IP -j DROP

REJECT

Now let's add the same rule, but with REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT

The client exits after a second with the error [Errno 111] Connection refused. Let's look at the ICMP traffic:

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:45:32.871414 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68
08:45:33.873097 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68

You can see that the client received port unreachable twice and then exited with an error.

REJECT with tcp-reset

Let's try adding the option --reject-with tcp-reset:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

In this case the client exits with an error immediately, because the very first request gets an RST packet in reply:

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:52.766175 IP 127.0.0.1.60658 > 127.0.0.1.12345: Flags [S], seq 1889460883, win 43690, options [mss 65495,sackOK,TS val 1205119003 ecr 0,nop,wscale 7], length 0
09:02:52.766184 IP 127.0.0.1.12345 > 127.0.0.1.60658: Flags [R.], seq 0, ack 1889460884, win 0, length 0

REJECT with icmp-host-unreachable

Let's try another REJECT option:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-host-unreachable

The client exits after a second with the error [Errno 113] No route to host, and in the ICMP traffic we see ICMP host 127.0.0.1 unreachable.

You can also try the other REJECT parameters; I'll stop at these :)

Emulating a request timeout

Another situation is when the client managed to connect to the server but cannot send it a request. How do we filter packets so that filtering doesn't kick in right away? If you look at the traffic of any exchange between client and server, you'll notice that when the connection is established only the SYN and ACK flags are used, whereas during the data exchange the last packet of the request carries the PSH flag. It is set automatically to avoid buffering. You can use this to build a filter: it allows all packets except those carrying the PSH flag. The connection is therefore established, but the client cannot send data to the server.

DROP

The DROP command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j DROP

Start the client and watch the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:02:47.549498 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [S], seq 2166014137, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 0,nop,wscale 7], length 0
10:02:47.549510 IP 127.0.0.1.12345 > 127.0.0.1.49594: Flags [S.], seq 2341799088, ack 2166014138, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 1208713786,nop,wscale 7], length 0
10:02:47.549520 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 0
10:02:47.549568 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 5
10:02:47.750084 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713987 ecr 1208713786], length 5
10:02:47.951088 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714188 ecr 1208713786], length 5
10:02:48.354089 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714591 ecr 1208713786], length 5

We see that the connection is established and the client cannot send data to the server.
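The DROP rule for SYN packets exposed one hang in the client (no timeout on connect) and the PSH filter above exposes a second one (no timeout on recv). The following client is an added example, not the article's client.py: it applies settimeout() so that every socket step is bounded, and it maps each failure to the firewall scenario from this article that produces it, returning a status instead of hanging or crashing. Port 12345 and the "Response: ..." reply format match the article's ncat echo server; the helper servers at the bottom (start_test_server, free_port) are constructed so the script can be exercised offline without root or iptables.

```python
#!/usr/bin/env python3
"""Client that cannot hang: every socket step is bounded by a timeout.

Added example, not the article's client.py. The local test servers at the
bottom are constructed to stand in for a hung server and a closed port."""
import errno
import socket
import threading
import time

HOST = "127.0.0.1"
PORT = 12345
BUFFER_SIZE = 1024
MESSAGE = b"Test\n"


def timed_request(host=HOST, port=PORT, message=MESSAGE, timeout=2.0):
    """Connect, send one request, read one reply. `timeout` bounds connect(),
    sendall() and recv() separately, so the call returns whether the
    firewall swallows the SYN (connect stage) or only the PSH segments
    (request stage). The status names the outcome:
      ok           reply received
      timeout      no SYN/ACK, or no reply, within `timeout` (DROP)
      refused      RST or ICMP port unreachable on connect (REJECT)
      reset        RST after the connection was up (REJECT --reject-with tcp-reset)
      unreachable  ICMP host/net unreachable (REJECT --reject-with icmp-host-unreachable)
    """
    started = time.monotonic()
    result = {"status": "ok", "response": None}
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)  # the fix the article asks for: bounded blocking calls
    try:
        s.connect((host, port))
        s.sendall(message)
        result["response"] = s.recv(BUFFER_SIZE)
    except socket.timeout:
        result["status"] = "timeout"
    except ConnectionRefusedError:
        result["status"] = "refused"
    except ConnectionResetError:
        result["status"] = "reset"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            result["status"] = "unreachable"
        else:
            raise
    finally:
        s.close()
    result["elapsed"] = time.monotonic() - started
    return result


_held = []  # connections a silent server keeps open so the client never sees a FIN


def _serve(listener, reply):
    """Accept forever. reply=True imitates the article's ncat echo server;
    reply=False accepts and then stays silent, like a server that hung."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        if reply:
            conn.sendall(b"Response: " + conn.recv(BUFFER_SIZE))
            conn.close()
        else:
            _held.append(conn)


def start_test_server(reply=True):
    """Serve an ephemeral localhost port in a daemon thread; returns the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))
    listener.listen(5)
    threading.Thread(target=_serve, args=(listener, reply), daemon=True).start()
    return listener.getsockname()[1]


def free_port():
    """A localhost port with no listener, to provoke 'connection refused'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for label, port, tmo in (("echo", start_test_server(True), 2.0),
                             ("hung", start_test_server(False), 0.5),
                             ("closed", free_port(), 2.0)):
        r = timed_request(port=port, timeout=tmo)
        print("%-6s -> %-11s %.3fs %r" % (label, r["status"], r["elapsed"], r["response"]))
```

Against the article's setup, timed_request(port=12345) returns "timeout" under both DROP rules, "refused" under the plain REJECT on port 12345, "reset" under --reject-with tcp-reset on the PSH segments, and "unreachable" under icmp-host-unreachable on the SYN, which is what a service's fallback logic should branch on rather than on an unbounded blocking call.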

REJECT

In this case the behaviour is the same: the client cannot send the request, but it receives ICMP 127.0.0.1 tcp port 12345 unreachable and increases the interval between request retransmissions exponentially. The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT

REJECT with tcp-reset

The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT --reject-with tcp-reset

We already know that with --reject-with tcp-reset the client receives an RST packet in reply, so the behaviour is predictable: receiving an RST packet on an established connection means the socket was unexpectedly closed on the other side, so the client should get Connection reset by peer. Let's run our script and check. Here is what the traffic looks like:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:22:14.186269 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [S], seq 2615137531, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 0,nop,wscale 7], length 0
10:22:14.186284 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [S.], seq 3999904809, ack 2615137532, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 1209880423,nop,wscale 7], length 0
10:22:14.186293 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 0
10:22:14.186338 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 5
10:22:14.186344 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [R], seq 3999904810, win 0, length 0

REJECT with icmp-host-unreachable

I think everyone can already guess what the command looks like :) The client's behaviour in this case differs from that with a plain REJECT: the client does not increase the interval between retransmission attempts.

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:29:56.149202 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.349107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.549117 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.750125 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.951130 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.152107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.353115 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65

Conclusion

You don't have to write mocks to test how a service interacts with a hung client or server; sometimes the standard utilities available on Linux are enough.

The utilities discussed in this article have far more capabilities than described, so you can come up with your own ways of using them. Personally, what I wrote about has always been enough for me (in fact, even less). If you use these or similar utilities for testing at your company, please write about exactly how. If not, I hope your software will get better if you decide to test it under network-problem conditions using the methods suggested here.

Source: www.habr.com
