How to protect your public website with ESNI

Hello Habr, my name is Ilya, I work on the platform team at Exness. We develop and roll out the core infrastructure components that our product development teams use.

In this article I would like to share my experience of deploying Encrypted SNI (ESNI) for public web infrastructure.


Using this technology raises the security level of public websites and lets us comply with the internal security standards adopted by the company.

First of all, I should point out that the technology is not yet standardized and is still a draft, but CloudFlare and Mozilla already support it (as of draft01). That is what encouraged us to run this experiment.

A bit of theory

ESNI is an extension of the TLS 1.3 protocol that allows the SNI in the "Client Hello" message of the TLS handshake to be encrypted. This is what a Client Hello with ESNI support looks like (instead of the usual SNI we see ESNI):

[Screenshot: Client Hello with the ESNI extension in place of SNI]

To use ESNI, you need three components:

  • DNS;
  • client support;
  • server-side support.

DNS

You need to add two DNS records, A and TXT (the TXT record contains the public key with which the client encrypts the SNI); see below. In addition, DoH (DNS over HTTPS) support is required, because the clients available today (see below) do not allow ESNI to be enabled without DoH. This makes sense: ESNI means encrypting the name of the resource we are connecting to, so it would be pointless to then send that same name to DNS over plain UDP. On top of that, using DNSSEC lets you protect against cache-poisoning attacks in this scenario.

Several DoH providers are available today, among them:

CloudFlare has announced (Check My Browser → Encrypted SNI → Learn More) that their servers already support ESNI, which means that CloudFlare's DNS servers hold at least two records, A and TXT. In the example below we query Google DNS (over HTTPS):

A record:

curl 'https://dns.google.com/resolve?name=www.cloudflare.com&type=A' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "www.cloudflare.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.210.9"
    },
    {
      "name": "www.cloudflare.com.",
      "type": 1,
      "TTL": 257,
      "data": "104.17.209.9"
    }
  ]
}

TXT record; the query name is built according to the template _esni.FQDN:

curl 'https://dns.google.com/resolve?name=_esni.www.cloudflare.com&type=TXT' \
  -s -H 'accept: application/dns+json'
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16
    }
  ],
  "Answer": [
    {
      "name": "_esni.www.cloudflare.com.",
      "type": 16,
      "TTL": 1799,
      "data": "\"/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA=\""
    }
  ],
  "Comment": "Response from 2400:cb00:2049:1::a29f:209."
}

So, on the DNS side, we need to use DoH (ideally together with DNSSEC) and add two records.
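A client has to parse that TXT record before it can encrypt anything, so here is an added example (my own code, not the article's or CloudFlare's) that decodes the _esni record returned above into its fields. It assumes the draft-01/02 ESNIKeys wire format (version 0xff01), which is what that record carries; the checksum rule (first four bytes of SHA-256 over the structure with the checksum field zeroed) and the not_before/not_after validity window come from the same draft. The ESNIRecordFromPage constant is the record data copied from the response above.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ESNIRecordFromPage is the TXT data for _esni.www.cloudflare.com copied from the query above.
const ESNIRecordFromPage = "/wEUgUKlACQAHQAg9SiAYQ9aUseUZr47HYHvF5jkt3aZ5802eAMJPhRz1QgAAhMBAQQAAAAAXtUmAAAAAABe3Q8AAAA="

// ESNIKeys holds the fields of the draft-01/02 ESNIKeys structure (version 0xff01).
type ESNIKeys struct {
	Version      uint16
	ChecksumOK   bool      // first 4 bytes of SHA-256 over the structure with the checksum zeroed
	Group        uint16    // named group of the first key share; 0x001d is x25519
	PublicKey    []byte    // key_exchange bytes the client encrypts the SNI to
	CipherSuites []uint16  // 0x1301 is TLS_AES_128_GCM_SHA256
	PaddedLength uint16    // the encrypted SNI is padded to this many bytes
	NotBefore    time.Time // validity window; this is what key rotation turns on
	NotAfter     time.Time
}

// cursor walks TLS-style length-prefixed data with a sticky error instead of panicking.
type cursor struct {
	buf []byte
	pos int
	err error
}
func (c *cursor) take(n int) []byte {
	if c.err != nil || c.pos+n > len(c.buf) {
		if c.err == nil {
			c.err = errors.New("esni: ESNIKeys truncated")
		}
		return make([]byte, n) // zeros keep the callers simple; c.err carries the failure
	}
	c.pos += n
	return c.buf[c.pos-n : c.pos]
}
func (c *cursor) u16() uint16 { return binary.BigEndian.Uint16(c.take(2)) }
func (c *cursor) u64() uint64 { return binary.BigEndian.Uint64(c.take(8)) }

// ParseESNIKeys decodes the base64 TXT payload, rejecting unknown versions, inconsistent vector lengths and trailing bytes.
func ParseESNIKeys(b64 string) (*ESNIKeys, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("esni: base64: %w", err)
	}
	c := &cursor{buf: raw}
	k := &ESNIKeys{Version: c.u16()}
	if c.err == nil && k.Version != 0xff01 {
		return nil, fmt.Errorf("esni: unsupported ESNIKeys version %#04x", k.Version)
	}
	checksum := c.take(4)
	// keys<4..2^16-1>: KeyShareEntry{NamedGroup group; opaque key_exchange<1..2^16-1>}
	keysLen := int(c.u16())
	end := c.pos + keysLen
	for c.err == nil && c.pos < end {
		group := c.u16()
		ke := c.take(int(c.u16()))
		if k.PublicKey == nil { // keep the first share; a client may pick any group it supports
			k.Group, k.PublicKey = group, ke
		}
	}
	if c.err == nil && c.pos != end {
		c.err = errors.New("esni: key share vector length mismatch")
	}
	for n := c.u16() / 2; c.err == nil && n > 0; n-- { // cipher_suites<2..2^16-2>
		k.CipherSuites = append(k.CipherSuites, c.u16())
	}
	k.PaddedLength = c.u16()
	k.NotBefore = time.Unix(int64(c.u64()), 0).UTC()
	k.NotAfter = time.Unix(int64(c.u64()), 0).UTC()
	c.take(int(c.u16())) // extensions<0..2^16-1>; none are defined for this version
	if c.err == nil && c.pos != len(raw) {
		c.err = errors.New("esni: trailing bytes after ESNIKeys")
	}
	if c.err != nil {
		return nil, c.err
	}
	zeroed := append([]byte(nil), raw...)
	copy(zeroed[2:6], []byte{0, 0, 0, 0})
	sum := sha256.Sum256(zeroed)
	k.ChecksumOK = bytes.Equal(sum[:4], checksum)
	return k, nil
}

// Usable reports whether the key may be used at t; past NotAfter the client must re-resolve the record.
func (k *ESNIKeys) Usable(t time.Time) bool {
	return !t.Before(k.NotBefore) && !t.After(k.NotAfter)
}

func main() {
	k, err := ParseESNIKeys(ESNIRecordFromPage)
	fmt.Printf("%+v\nerr=%v\n", k, err)
}
```

Run it with `go run` to print the parsed structure. The not_before/not_after pair is the part to watch operationally: a client that caches the record past not_after will send an ESNI that the server can no longer decrypt, which is one face of the key-rotation question raised at the end of the article, and a resolver that drops DNSSEC validation leaves the checksum as the only integrity check on the key.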

Client support

As far as browsers are concerned, at the moment support is implemented only in Firefox. Here are instructions on how to enable ESNI and DoH support in Firefox. After configuring the browser, we should see something like this:

[Screenshot: expected result after configuring Firefox]

Link to check your browser

Naturally, TLS 1.3 must be in use for ESNI to work, since ESNI is an extension of TLS 1.3.

To test the backend for ESNI support we implemented a client in Go, but more on that later.

Server-side support

At present, web servers such as nginx, apache and so on do not support ESNI, since they handle TLS through OpenSSL/BoringSSL, which do not officially support ESNI.

So we decided to build our own front-end component (an ESNI reverse proxy) that terminates TLS 1.3 with ESNI and proxies the HTTP(S) traffic on to an upstream that does not support ESNI. This lets the technology be used in existing infrastructure without replacing key components, that is, with the existing web servers that do not support ESNI.

For clarity, here is a diagram:

[Diagram: ESNI reverse proxy terminating TLS 1.3 in front of an upstream without ESNI support]

Note that the proxy is designed so that it can also terminate TLS connections without ESNI, in order to serve clients that do not support ESNI. Likewise, the protocol towards the upstream can be HTTP, or HTTPS with a TLS version below 1.3 (if the upstream does not support 1.3). This scheme gives the most flexibility.

We borrowed the Go implementation of ESNI support from CloudFlare. I should say right away that the implementation itself is not trivial, since it involves changes to the standard crypto/tls library and therefore requires "patching" GOROOT before building.

To generate ESNI keys we used esnitool (also a CloudFlare creation). These keys are used to encrypt/decrypt the SNI.
We tested the build with Go 1.13 on Linux (Debian, Alpine) and macOS.

A few words about operational characteristics

The ESNI reverse proxy exposes metrics in Prometheus format, such as rps, upstream latency and response codes, failed/successful TLS handshakes and TLS handshake duration. At first glance this seemed sufficient to assess how the proxy copes with traffic.
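To make the design concrete, here is an added example in Go (my own code, not the article's proxy, whose ESNI-capable crypto/tls fork is not shown on the page) of the non-ESNI half of that front end: a TLS 1.3-only listener in front of an httputil.ReverseProxy that forwards to a plain-HTTP or TLS 1.2 upstream, with attempted/completed handshake counters of the kind the proxy exports to Prometheus. The HandshakeStats type, the certificate paths and the listen address are assumptions; lb.npw is the nginx upstream from the load test further down.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync"
	"sync/atomic"
)

// HandshakeStats stands in for two of the Prometheus counters the article's proxy
// exports: attempted and completed front-end TLS handshakes (constructed for this example).
type HandshakeStats struct {
	attempted, completed int64
	mu                   sync.Mutex
	lastSNI              string
}

// Snapshot returns the counters and the last SNI seen; failed = attempted - completed.
func (s *HandshakeStats) Snapshot() (attempted, completed int64, lastSNI string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return atomic.LoadInt64(&s.attempted), atomic.LoadInt64(&s.completed), s.lastSNI
}

// NewFrontendTLSConfig is the client-facing side. ESNI is a TLS 1.3 extension, so the
// listener accepts nothing older. GetConfigForClient fires for every ClientHello,
// including ones that then fail version negotiation; VerifyConnection fires only when
// the handshake completes, so the two counters together give the failure rate.
func NewFrontendTLSConfig(certs []tls.Certificate, stats *HandshakeStats) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: certs,
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			atomic.AddInt64(&stats.attempted, 1)
			stats.mu.Lock()
			stats.lastSNI = hello.ServerName // plaintext SNI; the patched crypto/tls would expose the decrypted one
			stats.mu.Unlock()
			return nil, nil // nil keeps the base config
		},
		VerifyConnection: func(tls.ConnectionState) error {
			atomic.AddInt64(&stats.completed, 1)
			return nil
		},
	}
}

// NewUpstreamTransport is the back-end side. The upstream may be plain HTTP, or HTTPS
// that only speaks TLS 1.2, which the article allows, so the floor here is 1.2.
func NewUpstreamTransport(roots *x509.CertPool) *http.Transport {
	return &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots},
	}
}

// NewReverseProxy forwards to a single upstream, keeps the inbound Host header so
// name-based virtual hosts on the upstream still match, and marks the request as
// having been TLS-terminated here.
func NewReverseProxy(upstream *url.URL, rt http.RoundTripper) *httputil.ReverseProxy {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	rp.Transport = rt
	base := rp.Director
	rp.Director = func(r *http.Request) {
		base(r)
		r.Header.Set("X-Forwarded-Proto", "https")
	}
	return rp
}

func main() {
	// lb.npw is the nginx upstream from the article's load test; the certificate
	// paths and the listen address are placeholders.
	upstream, err := url.Parse("http://lb.npw:80")
	if err != nil {
		log.Fatal(err)
	}
	cert, err := tls.LoadX509KeyPair("/path/to/fullchain.pem", "/path/to/privkey.pem")
	if err != nil {
		log.Fatal(err)
	}
	stats := &HandshakeStats{}
	srv := &http.Server{
		Addr:      ":443",
		Handler:   NewReverseProxy(upstream, NewUpstreamTransport(nil)),
		TLSConfig: NewFrontendTLSConfig([]tls.Certificate{cert}, stats),
	}
	log.Fatal(srv.ListenAndServeTLS("", ""))
}
```

The split between GetConfigForClient and VerifyConnection is deliberate: a client that only offers TLS 1.2 is counted as an attempted handshake and rejected during version negotiation, so the gap between the two counters is exactly the failed-handshake metric the article lists, without having to wrap the listener.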

We also ran load tests before putting it into service. Results below:

wrk -t50 -c1000 -d360s 'https://esni-rev-proxy.npw:443' --timeout 15s
Running 6m test @ https://esni-rev-proxy.npw:443
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.77s     1.21s    7.20s    65.43%
    Req/Sec    13.78      8.84   140.00     83.70%
  206357 requests in 6.00m, 6.08GB read
Requests/sec:    573.07
Transfer/sec:     17.28MB 

We ran a qualitative load test to compare the setup with and without the ESNI proxy. We "poured" the traffic in from inside the network to rule out "interference" from intermediate components.

So, with ESNI support and reverse proxying to HTTP, we got roughly ~550 rps per instance, with the ESNI reverse proxy's average CPU/RAM usage at:

  • CPU usage 80% (4 vCPU, 4 GB RAM hosts, Linux)
  • 130 MB RSS memory


For comparison, the RPS of the same nginx upstream without TLS termination (plain HTTP) is ~1100:

wrk -t50 -c1000 -d360s 'http://lb.npw:80' --timeout 15s
Running 6m test @ http://lb.npw:80
  50 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.11s     2.30s   15.00s    90.94%
    Req/Sec    23.25     13.55   282.00     79.25%
  393093 requests in 6.00m, 11.35GB read
  Socket errors: connect 0, read 0, write 0, timeout 9555
  Non-2xx or 3xx responses: 8111
Requests/sec:   1091.62
Transfer/sec:     32.27MB 

The presence of timeouts indicates a shortage of resources (we used 4 vCPU, 4 GB RAM hosts, Linux), and in fact the achievable RPS is higher (we obtained figures of up to 2700 RPS on more powerful hardware).

In conclusion, I would note that ESNI looks like a promising technology. There are still many open questions, for example around storing ESNI public keys in DNS and ESNI key rotation; these issues are being actively discussed, and the latest version of the ESNI draft (at the time of writing) is already 7.

Source: www.habr.com
